Tactical Features of Inquiry Actions at Computer Crime Investigation
The specific and comparatively new object of investigation, data stored in or processed by computing equipment, determines the tactical features of inquiry actions (examination, search, withdrawal or expert examination) aimed at revealing and examining material sources of criminalistical information. However, there is a lack of complete, scientifically grounded recommendations that take into account the ways of committing and concealing computer crimes and the typical organizational or inquiry situations that arise when investigating them.
V.Vekhov, V.Kozlov, V.Krilov, M.Selivanov, V.Rogozin and other authors devoted their works to criminalistical problems of investigating computer crimes.
Establishing the main lines of investigation and the tactical features of particular inquiry actions depends on the character of output data. In this connection, many attempts have been made in the juridical literature to systematize output data. This resulted in the concept of the output inquiry situation: the information environment formed objectively at the initial stage of investigation, together with the situation and conditions in which the investigation is carried out.
Different inquiry situations can be formed during the investigation of crimes committed by using electronic computers, their systems and networks depending on the character of output data. While considering the initial stage of information crime investigation, I.M.Shumilov singles out five types of inquiry situations subject to the character of output data:
- Proceedings are instituted through inspecting materials involving indications of corpus delicti in the sphere of information security;
- Proceedings are instituted through physical or juridical person’s application or appeal;
- Proceedings are instituted through materials of the press, other mass media or public addresses;
- Proceedings are instituted through the fact of technological consequences connected with causing material damages and/or human deaths;
- Proceedings are instituted against a person (-s) arrested when fulfilling actions containing signs of information crimes.
V.Krilov marks out three inspecting situations and calls them typical inquiry ones:
1. The owner of information system has revealed independently the violation of (confidential) information integrity in the system, a guilty person and informed law enforcement bodies about it.
2. The owner has revealed without any assistance the mentioned violations in the system but could not discover a guilty person and informed law enforcement bodies about it.
3. Data on the violation of (confidential) information integrity in the information system and a guilty person have become generally known or directly revealed by inquiry agencies (for example, when taking search measures for the other case).
The above things do not exhaust the whole variety of inspecting situations because the fact of crime commitment can be revealed not only by the owner of information but also, for example, an operator. However, it does not point out that the fact of access has become generally known.
To settle inquiry situations formed after instituting proceedings the following inquiry actions are carried out: interrogation of witnesses, search of rooms, questioning of the suspected person, expert examination, inspection through inquiry, search and criminalistical information.
The specific character of using, accumulating and storing computer information on the different carriers establishes features of particular inquiry actions. It is worth emphasizing those containing maximum information density from the standpoint of obtaining the largest amount of evidentiary information.
Obligatory preparing measures taken before going to the place of inquiry actions are as follows:
- Finding out crime details (where, when, what evidence points at the computer crime that has been already committed or is being currently committed, who has revealed these indications and who has informed about this offence);
- Informing about the crime and sending for officials from corresponding interested services (USS, MIA and so on);
- Taking measures on maintaining environment, integrity of computer system, preventing from penetration into examined rooms (refusal of help offered by officials of suffered organization, blocking and guarding rooms and so on);
- Inviting specialists preferably from another organization, an expert and attesting witness. The list of experts who can really help the investigation should be made out beforehand;
- Explaining to attesting witnesses their duties (Ukraine’s CPC Article 127) and warning them not to divulge known data on the primary investigation (Ukraine’s CPC Article 121);
- Explaining to experts who take part in the examination their rights and duties (Ukraine’s CPC Articles 128, 128-1), warning them about the responsibility for refusal or evasion from their duties.
Preparation of scientific-technical means
Scientific-technical means should include portable computers to browse operatively machine carriers of information. Up-to-date technical means give an opportunity to make video-recording and photos at the same time converting them to digital (computer) form, the image quality and maintenance remaining fixed, i.e. not becoming obsolete during reusable copying. Thus, specially selected software is also an integral part of scientific-technical means required to carry out these inquiry actions.
After arriving at the place of crime commitment the following measures should be taken:
- Checking the effectiveness of blocking and guarding rooms, making unauthorized persons go out;
- Clearing up the quantity of rooms with computer technique, its location and sharing in the different rooms;
- Interrogating eyewitnesses, persons who revealed consequences of computer crime or officials of Computer security service (if available);
- Planning the examination (establishing sequence and order of own actions and those of examination participants).
In our opinion, depending on specific characteristics of these crimes and according to procedural regulations it is worth considering interrogation of a victim (or his representative), suspected person and expert. We think that interrogations can give more information on committed computer crime on the initial stage of investigation.
Taking decision to interrogate a concrete person as a witness, the inspector must predict in advance, what information (including that of a technical character) the interrogated person can give him. According to it, the complex of questions should be thought over in advance.
During the preparation for questioning the inspector can use the help of the expert in computer technique. To our mind, it will favor understanding the essence of the investigated crime, establishing the circle of circumstances to be proved, preparing material evidences and other materials that require following special conditions and rules of storage, transport and further treatment that will minimize the risk of damaging or losing them when carrying out inquiry actions. At the preparation for planning interrogation steps, it is necessary to:
- Clear up specific character of the case and, especially, technical aspects of preparing and realizing delinquent motives;
- Establish circumstances that require specifying information. This can be data on the suffered side, technical and design features of computer systems that were influenced, means of computing technique that was used by the criminal and interrogated person (victim, suspect and so on);
- Formulate the most difficult questions, no slips of the tongue being admitted.
- In such a specific field of knowledge as computer technique when freely using special terminology, a criminal can easily conceal his competence or vice-versa show himself more experienced than he is in reality. Questions to be put and their sequence should be so that an interrogating person can control the authenticity of obtained answers. Thus, an expert, for example, in software and hardware computer means can be very useful on the stage of preparing questions;
- Prepare evidentiary and other materials to present if necessary and protect them properly;
- Prepare scientific-technical means to fix the course of inquiry action.
The real investigation situation can help choosing place and time of the interrogation and its sequence relative to the other inquiry actions.
The law distinguishes three types of search: in rooms, in the locality and personal one. Before and during the search of rooms with computer technique the specific character of computer information should be taken into account. Let us cite specific tactical ways, which, in our opinion, assure the effectiveness of searching and withdrawing computer information when carrying out the above inquiry actions.
According to V.V.Agaphonov, in the process of preparation for the search (before leaving for the place of search) it is necessary to:
- Clear up what computer technique is in the place of search and its quantity;
- Find out if the device of autonomous or uninterrupted power supply is applied together with computer technique and what consequences the interruption of electric power can cause;
- Invite an expert in computer systems because his knowledge can be useful when preparing for the search, as well as analyzing operatively information and withdrawing it skillfully from the computer;
- Prepare corresponding computer technique that will be used to read out and store withdrawn information;
- Study the personality of a computer owner, his knowledge of computer technique;
- Establish search time and measures assuring its confidentiality;
- Forecast the character of information to be probably in the computer, its role in the quick and effective search. Establish what information should be studied on spot and what information should be withdrawn for further investigation.
First, the guarding of computers should be organized at the initial stage of the search. No one in the room may be allowed near them. It is worth knowing that data can be changed or destroyed not only by working with the keyboard but also by switching the computer on or off. Therefore, if the computer was switched on when the group entered the room, it should remain turned on until the expert examines it. Any attempt to manipulate the computer or keyboard (including turning the computer on or off) should be viewed as an attempt to destroy information in the electronic computer and has to be fixed in the record.
On the examination phase of search, it is necessary to:
1) Find out if the computers in the room are connected with the local electronic network;
2) Establish whether the computer is connected with the equipment or computer technique beyond the searched room;
3) Elucidate if the computer is connected with the modem;
4) Find out if any programs are launched in the electronic computer and what ones. The screen image should be studied and described in more detail in the record for this purpose. The indications that the computer is not waiting for the next command but is completing earlier specified instructions can be as follows:
a) The availability of information in the screen that characterizes the program action. It can be a message “Testing” marked with color or brightness or a singled-out item of the menu offered in the screen;
b) A special image that is changed in the screen (running row, moving sign and so on);
c) A blinking indicator of hard, CD-ROM and flexible disks (this LED is always on the front panel and its turned-on and blinking conditions prove the exchange of information with a carrier), a distinctive crackling and rustling noise of CD-ROM and magnetic carriers. The same signs of the working storages are typical for external ones with a separate case. If the fact of launching any programs in the computer is proved when carrying out inquiry actions, the expert should take measures on suspending them;
5) Establish if the computer contains information that can favor the investigation. Only the expert can competently perform this action by examining information that is stored on hard disk.
The detailed stage of search is very laborious and requires high experience from not only an expert in computer systems but also the entire investigating group. In addition to special actions with the computer, it is necessary to organize search measures on revealing hiding-places with usual documents and things. The computer can be viewed as such a cache.
Most of information stored and processed by computer can be always copied onto portable information carriers – flexible magnetic floppies. If the expert has no opportunity to look through floppies on spot, they should be withdrawn with keeping all the procedural rules for further investigation.
In addition to floppies, CD-ROM (laser) disks and tapes can be used to store information. Laser disks do not differ from audio- and videodisks in form and it makes possible to keep them among music and video-collection.
The same concerns the tape recorder and videocassettes. In most cases tapes for recording computer information have quite non-standard sizes, something between an audio- and a videocassette. However, there are some tape recorders (in the sphere of computer technique they are called streamers) that record information in the computer format onto the standard audio- or videocassettes.
The search of hiding-places with magnetic carriers (floppies, CD-disks or tapes) becomes also complicated by the impossibility to use a metal detector or X-ray apparatus because their application can cause destroying data on the carriers. Magnetic carriers are usually stored in the metal protective boxes to prevent accidental deletion.
Information carriers can be withdrawn and added to the criminal case as material evidences with observing Criminal Procedural Code-established order.
If the computer remained turned on when searching, programs and data files stored on its virtual disk or in operative memory should be copied onto the magnetic carrier.
When it is impossible to analyze quickly a great amount of computer information, it should be withdrawn for further investigation. Information can be copied onto the hard disk in the personal computer of the investigating group.
Data can be copied onto the CD-disk by means of CD-RW.
Carriers with copied information should be properly wrapped and sealed up.
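An added example, not part of the original article: one way to make a copy of withdrawn files checkable against later substitution is to record a cryptographic hash of every file at the moment of copying. The use of SHA-256, the function names and the sample files are assumptions of this example; the article itself prescribes only copying, wrapping and sealing.

```python
import hashlib
import json
import shutil
import tempfile
from pathlib import Path


def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so large evidence files need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def copy_with_manifest(source_dir, copy_dir):
    """Copy every file under source_dir; record size and SHA-256 per file.

    Raises if a copy does not hash to the same value as its source.
    """
    source_dir, copy_dir = Path(source_dir), Path(copy_dir)
    manifest = {}
    for src in sorted(p for p in source_dir.rglob("*") if p.is_file()):
        rel = src.relative_to(source_dir).as_posix()
        dst = copy_dir / rel
        dst.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(src, dst)  # copy2 also carries timestamps over to the copy
        src_hash, dst_hash = sha256_file(src), sha256_file(dst)
        if src_hash != dst_hash:
            raise IOError(f"copy of {rel} differs from source")
        manifest[rel] = {"size": src.stat().st_size, "sha256": src_hash}
    return manifest


def verify_copy(copy_dir, manifest):
    """Re-hash the copy and report files that were modified, removed or added."""
    copy_dir = Path(copy_dir)
    present = {p.relative_to(copy_dir).as_posix()
               for p in copy_dir.rglob("*") if p.is_file()}
    report = {"modified": [], "missing": [],
              "extra": sorted(present - set(manifest))}
    for rel, entry in sorted(manifest.items()):
        if rel not in present:
            report["missing"].append(rel)
        elif sha256_file(copy_dir / rel) != entry["sha256"]:
            report["modified"].append(rel)
    return report


def demo():
    """Constructed sample data: copy it, then simulate substitution on the copy."""
    with tempfile.TemporaryDirectory() as tmp:
        src, dst = Path(tmp, "seized"), Path(tmp, "copy")
        (src / "docs").mkdir(parents=True)
        (src / "docs" / "ledger.txt").write_bytes(b"constructed sample ledger\n")
        (src / "notes.txt").write_bytes(b"constructed sample notes\n")
        manifest = copy_with_manifest(src, dst)
        clean = verify_copy(dst, manifest)
        # Simulated tampering after the copy was made.
        (dst / "notes.txt").write_bytes(b"altered\n")
        (dst / "docs" / "ledger.txt").unlink()
        (dst / "planted.txt").write_bytes(b"added later\n")
        tampered = verify_copy(dst, manifest)
        return manifest, clean, tampered


if __name__ == "__main__":
    manifest, clean, tampered = demo()
    print(json.dumps(manifest, indent=2))
    print("after copy:", clean)
    print("after tampering:", tampered)
```

The manifest is returned rather than written onto the copy, on the assumption that it is kept with the record of the inquiry action and not on the sealed carrier.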
If the investigating group has no personal computer with CD-RW, it suffices to withdraw a hard disk (-s) from the revealed computer with keeping all the procedural rules. The withdrawal should be video recorded.
If the investigating group has no expert in computer technique who is capable of disassembling competently a hard disk, the whole system block should be withdrawn from the computer. In some cases, it is possible to withdraw a printer but unlike the printing machine the identification of printed information is quite difficult even in the case of a needle printer. According to M.G.Sharukhnov, this analysis is practically impossible for laser or jet printers.
If there are not many computers in the place of search or the expert has his doubts as to the possibility of investigating computer information at the withdrawal of only a system block, the whole computer should be withdrawn. In addition, it is necessary to describe exactly an order of computer device interconnection, wrap accurately every device and connecting cables, as well as photograph computer system.
On the final phase of the investigation the record and account are formed, the searched room plan and scheme are drawn and additional photographing and video recording are made.
Various expert examinations including criminalistical, economic or evidentiary ones are assigned and made on the initial stage of investigating illegal interference with the work of electronic computers, systems and computer networks. It is not difficult to assign and make the above expert examinations. The computer technical expert examination belongs to a new sort of professional examinations and its realization has some specific features. It can be explained by the lack of corresponding experts and developed procedures of making some particular kinds of this examination.
The complex of expert examinations assigned at the investigation of illegal interference with the work of electronic computers, systems and computer networks can be changed and depend on the way and mechanism of committing a crime.
When considering computer-technical expert examination as an independent kind of court examination belonging to the class of technical ones, E.R.Rossinskaya distinguishes two kinds of it: technical expert examination of computers and their accessories and that of data and software. The technical expert examination of computers and their accessories is made to study design features and state of the computer, its periphery devices, magnetic carriers, computer networks and reasons of malfunctions of the mentioned equipment. The data and software expert examination is made to study information stored in the computer and magnetic carriers.
We can single out the next kinds of computer-technical expert examinations, which are assigned at the investigation of crimes committed by using electronic computers, systems and computer networks:
- Technical expert examinations of computers and periphery devices. It is assigned and made to study technical features of the computer and its periphery devices, technical parameters of computer networks and causes of malfunctions of the computer technique;
- Technical expert examination of the computer information protecting devices. It is made to study information protecting technical devices used at this enterprise, organization, establishments or firm;
- Expert examination of electronic computer data and software. It is made to study information stored in the computer and magnetic carriers including program methods of protecting computer information;
- Expert examination of data program used in the computer network. It is made to study information processed by means of computer networks used by the enterprise, institution, firm or company.
Court expert examinations
During the primary investigation or hearing special knowledge in the field of computer system firmware can become necessary. This necessity can emerge when analyzing non-standard hardware or software designed by the criminal without any assistance.
A study of foreign and domestic investigative and court practice gives grounds to assert that the kinds of expert examination most widely used during the primary investigation are as follows:
- Court and bookkeeping expert examination of documents;
- Program and technical expert examination;
- Technical and criminalistical expert examination of documents. Among the enumerated expert examinations, it is the most specific kind because in this case the expert works with documents stored not on the usual paper carrier but on the machine one.
There is a need to assign the complex expert examination in some cases.
During the preparation for the court expert examination, it is necessary to establish facts, which should be cleared up with the expert opinion, namely:
- Qualification of events – breakdown in access to the system resources, program malfunction, operator’s mistake or computer crime;
- Causes that resulted in violating access to the computer system resources, reasons of work interruption;
- Object and way of committing a crime when it takes place;
- Circumstances that favored the computer crime commitment, as well as place, time and criminal (-s);
- Size and type of inflicted damage. Not only theft of money, programs, services, information but also moral detriment should be taken into account.
When preparing this inquiry action, it is necessary to take complex measures:
- Determine, examine and protect objects that are sent for expert examination. They can be account or other documents, means of computer technique, carriers of machine information;
- Choose an expert office or a specialist.
It should be pointed out that some programs of a criminal character developed by criminals are very sophisticated. Therefore, an invited expert should be ready to resolve various difficult problems from the professional standpoint. When choosing an expert office or a specialist, the specific character of future investigations should be taken into consideration. For example, when dealing with enciphered information, the expert in cryptography should be called. These can be representatives from MIA and USS special departments.
Services of electronics engineers should be used to study odd elements of computer technique. Program engineers should be engaged in examining software and computer system hardware. Experts in radio- and electric connections can give competent advice when determining features of the interconnection between local and global computer networks.
In addition to technical experts, the assistance of specialists who possess knowledge in that or other field of using computer technique can be useful as well. In this case, the inspector has to be ready for the complex expert examination. He needs making out a list of questions, which are addressed to the expert (-s) according to his (their) profession. The possibility of effective interaction between experts in various spheres should be paid special attention to. Then it is required to prepare technical means and additional equipment for uninterrupted investigation and record of obtained results.
The enumerated requirements aim to obtain and record concrete data on the origin of material evidence and its distinctive features, thereby creating conditions for establishing its connection with the investigated case and the authenticity of the information gained. The procedural order for fixing material evidence provided by law must ensure the authenticity of the material evidence used in the case and the impossibility of its substitution or falsification.
The complex use of scientific and technical means, personal electronic computers and video-recording can considerably facilitate the procedural registration of inquiry actions as a protocol and can help avoiding mistakes at the further study of video-materials on the part of persons who did not participate directly in the inquiry actions. It should be noted that comments of an expert who took part in the inquiry actions could play an important role in estimating those events where he had to be a spectator, he being questioned as a witness in this case.
On the initial phase of investigating computer crimes, the inspector has to take into consideration offered recommendations because they will favor:
- Correct assessment of information on events;
- Optimal choice of immediate inquiry actions;
- Rational use of special knowledge and scientific and technical means.
Solving only tactical and technical problems on the preparation stage does not suffice to conduct successfully inquiry actions. The inspector should be ready for taking into account some features established by:
- Specific conditions of inquiry action course;
- Order and rules of conducting them;
- Specific character of evidentiary information obtained during the primary investigation.
It can be generally concluded that the initial phase of investigating crimes committed by using electronic computers is not exhausted with the enumerated inquiry actions. However, the conducted research showed that they were the most difficult for practical officials who were engaged in investigating computer crimes. The presented tactical features of particular inquiry actions (examination of crime commitment place, interrogation of witnesses, search of rooms, questioning of suspected persons) and checking measures (receiving of explanations, demanding of materials) at the investigation of these offences make it possible to increase its effectiveness and obtain larger amount of evidentiary information.
R. Belkin “Criminalistics course in three volumes”. – V.3. – Ch.6. – M., 1997. – P.129-148.
I. Luzguin “Methods of studying, estimating and solving reference inquiry situations” // Reference inquiry situations and criminalistical ways of settling them: Collection of scientific works. – M., 1991. – P.10-21.
I. Shumilov “Criminalistical aspects of information security”. Dissertation of Candidate of Juridical Science. – St-P., 1997. – P.108-114.
V. Krilov “Investigation of information crimes”. – M., 1998. – P.235.
V. Agaphonov, A. Philipov “Criminalistics. Questions and answers”. – M., 2000. – P.92.
N. Shurukhnov, I. Levchenko, I. Luchin “Specific character of search at the withdrawal of computer information” // Actual problems of improving DIA activity under the new economic and social conditions. – M., 1997. – P.28.
E. Rossinskaya “Court expert examination in the criminal, civil and arbitrary processes”. – M., 1996. – P.173.