Vladimir A. Golubev
PhD in Law, Associate Professor,
Computer Crime Problems Research Center
Initial investigating actions related to detecting cyber crimes
Like other revolutionary technologies, the Internet brings huge potential both for progress and for abuse. Attacks in the net, fraud, software piracy, industrial espionage and trade in child pornography are only some of the crimes committed in the global net.
Initial investigative actions related to detecting transnational computer crimes (cyber crimes) cause special difficulties, which are connected with many problems.
The results and analysis of research into the practical activity of law-enforcement bodies in investigating computer crimes show that the study of computer equipment SHOULD be carried out under forensic laboratory conditions, by professionals with the necessary training.
Let us consider some typical mistakes that are often made while carrying out inquiry actions related to computer information and to computers themselves. Several rules for working with computers seized when investigating crimes in the sphere of computer information can be distinguished, and we can also propose general recommendations which may be useful when processing computer evidence in DOS or Windows operating systems.
Error #1. Erroneous work with a computer.
The first and general rule, to be followed without exception, is: never, under any conditions, work on the seized computer. This rule treats a seized computer as an object for study by professionals. That is why one should not even turn it on until it is transferred to experts, as it is absolutely prohibited to run any programs on such a computer without the necessary safety measures (e.g. protection from modification, or creating backup copies of its files). If the computer has protection at system start-up (e.g. a password), then turning the computer on can cause the information on the hard disk to be destroyed. Turning such a computer on using its own operating system is not allowed.
This is explained simply enough: a criminal has no difficulty in installing a program for wiping the information off a hard or floppy disk, setting such "traps" by modifying the operating system. For example, the simple DIR command used for displaying a disk's directory can be changed to format the hard disk.
Once the data and the destroying program itself are deleted, nobody can tell for sure whether the "suspected" computer was specially equipped with these programs or whether this was a result of negligence in handling computer evidence.
Error #2. Granting the computer's owner or user access to the computer.
Admitting the owner of the computer being studied to help in working with it is a serious mistake. Many foreign sources describe cases when suspects, questioned about computer evidence, were granted access to the seized computer. Later on they told their friends how they encrypted files in the policemen's presence, and the policemen did not even suspect anything. Considering these consequences, computer specialists quite quickly started to create backup copies of computer information before granting access to it.
Error #3. Failure to scan the computer for viruses and macro-viruses.
To scan a computer for viruses and macro-viruses, it is necessary to boot the computer not from the operating system installed on it, but from a floppy disk prepared in advance, or from the expert's own hard disk. All information carriers (floppy disks, the hard disk and others) are subject to checking. A specialist brought into the inquiry actions, using special software, should do this work.
It is necessary not to allow the court to accuse the investigator of deliberately infecting the computer with viruses, of incompetence in carrying out the inquiry actions, or simply of negligence, because it is hardly possible to prove that the virus existed in the computer before its examination; such an accusation will cast doubt on the expert's work and on the credibility of his conclusions.
These are the most typical errors made when examining a computer in the investigation of computer crimes. But the list given does not include all the mistakes possible in the process of extracting and studying computer information. This is easily explained by the lack of experience in investigating similar cases in our country. At the same time the countries of Western Europe, and the USA especially, have rich experience in investigating complicated computer crimes. This experience should be studied more thoroughly to avoid many mistakes.
To prevent errors in carrying out the inquiry actions at the first stage of the investigation, which can cause computer information to be lost or destroyed, one should observe some preventive measures, such as:
Recommendation 1. First, one should make a backup copy of the information.
When searching for and seizing computers, magnetic carriers (hard disks, floppy disks) and the information on them, there are some common problems connected with the specific character of the seized technical means. It is necessary to foresee the measures that a criminal takes to destroy computer information. For example, he can use special equipment which, under certain conditions, creates a strong magnetic field and thus erases magnetic records.
During the search all electronic evidence in a computer or computer system should be collected so that the court will later admit it. World practice shows that in many cases, under pressure from defense lawyers in court, electronic evidence is not taken into account. To guarantee its recognition as evidence, one should strictly observe the requirements of criminal-procedure legislation and the standard methods of extracting it.
As a rule, computer evidence is preserved by creating an exact copy of the original (primary evidence) before analyzing it in any way. But it is not enough to make copies of computer files using only standard backup programs. Physical evidence can exist as deleted or hidden files, and data connected with these files can be saved only with the help of special software, such as programs of the Safe Back type; for floppy disks the DOS DISKCOPY command may be enough.
Magnetic carriers intended for copying the information should be prepared in advance (you should be sure they do not contain any information). Carriers should be kept in special packaging or wrapped in clean paper. Remember that information can be completely spoilt by humidity, temperature or electrostatic (magnetic) fields.
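The following script shows Recommendation 1 in working form: it refuses to write onto copy media that is not known to be blank, copies the seized carrier byte for byte while opening it read-only, and then hashes original and copy independently so the copy can be shown to the court to be exact. It is an added example, not code from the article or from the Computer Crime Problems Research Center; it assumes the seized carrier is reachable as a readable path (a block device such as /dev/sdb, or an image already taken) and that the destination is a file on the examiner's own media. The carrier used in the demo is a constructed file.

```python
"""Verified bit-for-bit copy of a seized carrier, made before any analysis.

Added example; not code from the article. It assumes the seized carrier is
reachable as a readable path (a block device such as /dev/sdb, or an image
already taken) and that the destination is a file on the examiner's own,
pre-wiped media. The carrier used in demo() is a constructed file.
"""
import hashlib
import os
import tempfile

CHUNK = 1024 * 1024  # 1 MiB reads, so a large carrier never has to fit in RAM


def sha256_of(path: str) -> str:
    """Hash a file or device chunk by chunk."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def is_blank(path: str) -> bool:
    """True if the destination media holds only zero bytes (or does not exist yet).

    The article requires copy media to be prepared in advance and known to
    contain no information; this is the check for that requirement.
    """
    if not os.path.exists(path):
        return True
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            if block.count(0) != len(block):
                return False
    return True


def image_carrier(source: str, dest: str) -> dict:
    """Copy source to dest byte for byte, then hash both independently.

    The source is only ever opened read-only. The returned record is what
    goes into the seizure protocol: size, both hashes, and whether they match.
    """
    if not is_blank(dest):
        raise ValueError(f"destination {dest!r} is not blank; refusing to overwrite it")
    size = 0
    with open(source, "rb") as src, open(dest, "wb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            dst.write(block)
            size += len(block)
    src_hash = sha256_of(source)
    dst_hash = sha256_of(dest)  # re-read the copy from disk rather than trusting memory
    return {"bytes": size, "source_sha256": src_hash,
            "copy_sha256": dst_hash, "verified": src_hash == dst_hash}


def demo() -> dict:
    """Run the procedure against a constructed stand-in for a seized disk."""
    workdir = tempfile.mkdtemp()
    carrier = os.path.join(workdir, "seized_disk.img")
    copy = os.path.join(workdir, "evidence_copy.img")
    with open(carrier, "wb") as f:  # constructed: 3 MiB plus a partial chunk
        f.write(os.urandom(3 * CHUNK + 12345))
    return image_carrier(carrier, copy)


def demo_refuses_used_media() -> bool:
    """The copy must never go onto media that already holds data."""
    workdir = tempfile.mkdtemp()
    used = os.path.join(workdir, "used_media.img")
    with open(used, "wb") as f:
        f.write(b"\x00" * 1000 + b"old data" + b"\x00" * 1000)
    try:
        image_carrier(os.devnull, used)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(demo())
```

All later work (virus scanning, searching for temporary files, comparing documents) is then done on the copy, never on the seized carrier; the two hashes in the returned record are what allows anyone to re-check later that the copy was not altered.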
Recommendation 2. Find and copy temporary files.
Many text editors and database programs create temporary files as a by-product of their normal work. Most computer users do not realize the importance of such files, as the program usually deletes them at the end of its work. But the data inside these deleted files may be most useful. Such files can be recovered, and this is especially valuable if the output file was encrypted or a document was typed.
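As an added example of Recommendation 2 (not code from the article), the script below walks a mounted copy of the seized disk, picks out the temporary and backup files that editors leave behind, copies each one into an evidence folder with its timestamps preserved, and records a hash for every file. The file-name patterns are an assumption: they cover Office lock and recovery files, generic .tmp and .bak files and editor swap files, and an examiner would extend the list for the software actually installed. The document folder used in the demo is constructed.

```python
"""Locate and preserve temporary files left behind by editors and databases.

Added example, not from the article. TEMP_PATTERNS is an assumption and
should be extended for the software installed on the examined machine.
"""
import fnmatch
import hashlib
import os
import shutil
import tempfile

TEMP_PATTERNS = ["~$*", "~WRL*.tmp", "*.tmp", "*.bak", "*.wbk", ".*.swp", "*.asd"]


def is_temp_file(name: str) -> bool:
    """Case-insensitive match against the temp-file patterns."""
    lower = name.lower()
    return any(fnmatch.fnmatch(lower, p.lower()) for p in TEMP_PATTERNS)


def sha256_of(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(1 << 20), b""):
            h.update(block)
    return h.hexdigest()


def collect_temp_files(root: str, evidence_dir: str) -> list:
    """Walk `root` (a mounted copy, never the seized disk itself), copy each
    matching file into `evidence_dir` keeping its relative path, and return
    one record per file for the seizure protocol."""
    records = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not is_temp_file(name):
                continue
            src = os.path.join(dirpath, name)
            rel = os.path.relpath(src, root)
            dst = os.path.join(evidence_dir, rel)
            os.makedirs(os.path.dirname(dst), exist_ok=True)
            shutil.copy2(src, dst)  # copy2 keeps the original modification time
            st = os.stat(src)
            records.append({
                "path": rel,
                "size": st.st_size,
                "mtime": st.st_mtime,
                "sha256": sha256_of(src),
                "copy_ok": sha256_of(dst) == sha256_of(src),
            })
    return sorted(records, key=lambda r: r["path"])


def demo() -> list:
    """Constructed sample tree imitating a user's documents folder."""
    root = tempfile.mkdtemp()
    evidence = tempfile.mkdtemp()
    docs = os.path.join(root, "Documents")
    os.makedirs(docs)
    sample = {  # constructed file names and contents
        "report.docx": b"final text",
        "~$report.docx": b"lock file, names the last editor",
        "~WRL0001.tmp": b"autosave of an earlier draft",
        "notes.txt": b"ordinary file, not collected",
        ".notes.txt.swp": b"editor swap file",
        "old.BAK": b"uppercase extension still matches",
    }
    for name, data in sample.items():
        with open(os.path.join(docs, name), "wb") as f:
            f.write(data)
    return collect_temp_files(root, evidence)


if __name__ == "__main__":
    for rec in demo():
        print(rec["path"], rec["size"], rec["sha256"][:16])
```

Files that the program already deleted are not on the file system any more and are not found by this walk; those must be recovered from unallocated space with the special software mentioned under Recommendation 1, and the recovered files can then be registered the same way.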
Recommendation 3. Check Swap File.
The popularity of Microsoft Windows brought some additional means for studying computer information. The swap file works as disk memory, or as a huge database: many different pieces of temporary information, or even the whole text of a document, may be found in the swap file.
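An added example for Recommendation 3 (not from the article): the swap file is raw binary, so the usual way to look inside it is to pull out every run of printable characters, the way the `strings` utility does, and then search those runs for a name, a document title or an account number. The function below does this for both single-byte text and UTF-16LE text (Windows programs hold text in UTF-16 in memory, so fragments paged out to the swap file are often in that form). The swap-file contents used are constructed.

```python
"""Recover readable fragments from a swap file or any other raw binary.

Added example, not code from the article. MIN_LEN is an assumption:
runs shorter than six characters are mostly noise.
"""
import re

MIN_LEN = 6

ASCII_RUN = re.compile(rb"[\x20-\x7e\t]{%d,}" % MIN_LEN)
# a printable ASCII character followed by a zero byte, repeated: UTF-16LE text
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e\t]\x00){%d,}" % MIN_LEN)


def extract_strings(data: bytes) -> list:
    """Return (offset, encoding, text) for every printable run in `data`."""
    found = []
    for m in ASCII_RUN.finditer(data):
        found.append((m.start(), "ascii", m.group().decode("ascii")))
    for m in UTF16_RUN.finditer(data):
        found.append((m.start(), "utf-16le", m.group().decode("utf-16le")))
    return sorted(found)


def search_strings(data: bytes, keyword: str) -> list:
    """Case-insensitive keyword hits, e.g. a document title or a name."""
    k = keyword.lower()
    return [s for s in extract_strings(data) if k in s[2].lower()]


def build_sample_swap() -> bytes:
    """Constructed stand-in for a swap-file page: non-printable filler with
    two paged-out fragments embedded at known offsets."""
    buf = bytearray(b"\x00\xff\x01\xfe" * 1024)  # 4 KiB, nothing printable
    frag_ascii = b"Contract draft v2 - confidential"
    frag_utf16 = "Payment to account 12345".encode("utf-16le")
    buf[300:300 + len(frag_ascii)] = frag_ascii
    buf[2000:2000 + len(frag_utf16)] = frag_utf16
    return bytes(buf)


if __name__ == "__main__":
    for offset, enc, text in extract_strings(build_sample_swap()):
        print(f"{offset:8d} {enc:9s} {text}")
```

On a real examination the data would be read chunk by chunk from the copy of the swap file (pagefile.sys or win386.swp, depending on the Windows version); the offsets reported are what goes into the protocol so the fragment can be located again.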
Recommendation 4. Compare duplicates of text documents.
Duplicates of text files may often be found on a hard disk or floppy disk. These may be slightly changed versions of one document, and the divergences between them may have value as evidence. They can be easily identified with the help of modern text editors.
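The following added example (not the article's code) does the comparison of Recommendation 4 programmatically rather than in a text editor: it first groups byte-identical copies by content hash, then scores the remaining pairs for similarity so that versions of the same document are found among unrelated files, and finally prints exactly the lines that differ between two versions. The four sample documents are constructed.

```python
"""Find versions of one document among recovered text files and show the differences.

Added example, not from the article. The similarity threshold is an assumption.
"""
import difflib
import hashlib


def content_hash(text: str) -> str:
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def group_exact_duplicates(docs: dict) -> dict:
    """Map content hash -> sorted names of files with identical content."""
    groups = {}
    for name, text in docs.items():
        groups.setdefault(content_hash(text), []).append(name)
    return {h: sorted(n) for h, n in groups.items()}


def similarity(a: str, b: str) -> float:
    """0.0 .. 1.0, based on matching lines (trailing whitespace ignored)."""
    la = [line.rstrip() for line in a.splitlines()]
    lb = [line.rstrip() for line in b.splitlines()]
    return difflib.SequenceMatcher(None, la, lb).ratio()


def line_diff(name_a: str, a: str, name_b: str, b: str) -> list:
    """Unified diff with no context: only the lines that actually differ."""
    return list(difflib.unified_diff(a.splitlines(), b.splitlines(),
                                     fromfile=name_a, tofile=name_b,
                                     lineterm="", n=0))


def find_variants(docs: dict, threshold: float = 0.6) -> list:
    """(name, name, score) for distinct files similar enough to be versions
    of one document; identical files are left to group_exact_duplicates."""
    names = sorted(docs)
    hits = []
    for i, x in enumerate(names):
        for y in names[i + 1:]:
            if content_hash(docs[x]) == content_hash(docs[y]):
                continue
            score = similarity(docs[x], docs[y])
            if score >= threshold:
                hits.append((x, y, round(score, 2)))
    return hits


SAMPLE_DOCS = {  # constructed: two versions of a contract, one exact copy, one unrelated file
    "contract_v1.txt": "Agreement between A and B\nAmount: 10000\nDelivery: 30 days\nSigned: A, B\n",
    "contract_v2.txt": "Agreement between A and B\nAmount: 15000\nDelivery: 30 days\nSigned: A, B\n",
    "contract_copy.txt": "Agreement between A and B\nAmount: 10000\nDelivery: 30 days\nSigned: A, B\n",
    "shopping.txt": "milk\neggs\nbread\n",
}


if __name__ == "__main__":
    for h, names in group_exact_duplicates(SAMPLE_DOCS).items():
        if len(names) > 1:
            print("identical:", names)
    for x, y, score in find_variants(SAMPLE_DOCS):
        print(f"variants ({score}): {x} <-> {y}")
        print("\n".join(line_diff(x, SAMPLE_DOCS[x], y, SAMPLE_DOCS[y])))
```

The exact-duplicate step matters for the protocol as well: two files with the same hash are one piece of evidence found in two places, while a pair with a high similarity score and a short diff is the changed-version case the recommendation is about.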
Recommendation 5. Check and analyze computer network.
Computers may be linked with each other in a computer network (e.g. a local network), which in its turn may be linked to global computer networks (e.g. the Internet). That is why it is possible that certain information (which can be used as evidence) has been transferred through the net to another place. This place may be abroad, or on the territory of several countries.