Some problems of investigating cybercrimes
There are many research works on investigating crimes committed by using computers, their systems and networks. Those written by N.Akhtirskaya, P.Bilenchuk, V.Gavlovsky, M.Gutsalyuk, V.Lukashevich, G.Matusovsky, R.Kalyuzhny, M.Saltevsky, O.Snigeryov, V.Tsimbalyuk and others ought to be emphasized among them. However, much attention should be paid now to the problem of devising and employing investigative action tactics to investigate computer crimes.
This acute issue requires to be theoretically grounded by the criminalistics. Law enforcement agencies need scientifically grounded recommendations on investigating crimes committed by using electronic computers, their systems and networks. There are no complete and scientifically grounded recommendations on investigating such offences that would take into consideration manners of their commitment and concealment, as well as typical investigative and organizational situations.
Articles 361, 362, 363 from Ukraine’s Criminal Code specify crimes committed by using electronic computers, their systems and networks.
M. Gutsalyuk notes that the integration into the European Community and Europe’s Convention on Cybercrimes of November 23, 2001 that clearly specifies computer crimes and ways of joining efforts of international law enforcement bodies to fight such offences should be taken into consideration to improve Ukraine’s current legislation. The fact that global information networks have no international frontiers should be taken into account to prevent and fight cybercrimes .
The Legislation Committee at the European Council recommends unifying criminal laws on computer crimes and envisaging penalty for the following offences:
- Unauthorized access to computer information^;
- Illegal interception of data by technical means or computer emanation^;
- Unlawful destruction, modification or copying of computer data^;
- Interrupting the work of computer systems^;
- Manufacture and distribution of criminal devices^;
- Computer falsifications^;
- Computer frauds^;
- Intervention into the work of information systems to derive economic benefits^;
- Distribution of child porno^;
- Copyright infringements.
It should be noted that the Convention also provides for the necessity to settle some procedural questions of revealing and documenting computer crimes. The new methodology of pre-trail investigation should be worked through to fight cybercrimes. For example, Article 16 of the Convention specifies that every party should take any legislative measures to save computer data in an urgent way, especially, when they are easy to lose or modify.
Gathering and analyzing evidences in cases of cybercrimes is a crucial problem to be solved. It requires not only special tactics of investigative and organizational actions but also particular knowledge of computer hardware and software.
N.Akhtirskaya thinks that investigative situations form a dynamic system constantly changed under the influence of objective and subjective factors. Objective factors depend on investigative actions that change the situation whereas subjective ones resulted from actions and behavior of the investigation participants and other persons involved into the legal process to some extent. The analysis of the cybercrime detection and investigation practice shows that typical initial investigative situations considerably depend on facts to be established and proved .
P. Bilenchuk asserts that law enforcement officers should establish circumstances of an unauthorized access to computer system information in the following way:
- Establishing the fact of illegal access to computer system information^;
- Fixing the place of unauthorized access to computer system information^;
- Fixing the time of illegal access to computer system data^;
- Establishing the manner of unlawful access to information^;
- Identifying persons that obtained an unauthorized access to computer system information (establishing their guilt and criminal motives)^;
- Judging harmful consequences and social danger of the crime^;
- Determining the reliability of information protective means^;
- Revealing circumstances of the crime .
According to V. Gavlovsky, the illegal access to computer information or its preparation is characterized by the following circumstances: false computer data^; continuously non-renewed computer system codes or passwords^; frequent computer, system or network failures^; no valid reasons for a computer system or network employee to stay after work or to decline a leave^; unexpected purchases of very expensive things on the part of an official^; no good reasons to make frequent re-recording of certain information^; over-interest in printed listings on the part of particular persons and so on .
The illegal penetration into electronic computers, their systems and networks has direct, intermediate and mixed forms of access. The direct access means to issue illegal commands directly to the target computer that result in destroying, blocking, modifying, copying information or interrupting the work of electronic computers, their systems and networks. The intermediate (remote) access means to issue illegal commands to the target computer from another electronic machine through the network. The direct and electromagnetic interceptions belong to the remote computer data access. The mixed access includes the direct and remote ways of penetrating into the target computer.
Manners of committing cybercrimes determine ways of concealing their traces. At the direct access to computer information, restoring the primary crime situation i.e. destroying any evidences makes it possible to conceal traces of a crime. In itself, the offence perpetrated by obtaining a remote access to the target computer is very difficult to reveal. In other words, the manner of committing a remote access cybercrime complicates the way of revealing its evidences.
There are also special means of obtaining direct (machine data carriers, tools of overcoming information protecting systems) and remote (network equipment, telephone connection, modem) unauthorized accesses, cybercriminals widely exploiting the Internet to get admittance to computer information.
It is necessary to distinguish traditional (handwritten notes, file and finger prints, microparticles, etc.) and informational (any unlawful influence that results in destroying, modifying, copying or blocking computer data) traces of the illegal intervention into the work of electronic computers, their systems and networks.
The motives of cybercrimes depend on the criminal personality and in most cases such offences pursue mercenary objects.
Criminal proceedings against those committing computer crimes are often taken on the grounds of complaints lodged by organization authorities (about 42%) and private persons (nearly 33%), the following investigative situations taking place:
- Illegal access was fixed when an unauthorized user was spreading (confidential) computer information^;
- Legal user fixed an unauthorized penetration into the work of electronic computers, their systems and networks but a wrongdoer was not identified^;
- Legal user established the fact of an unauthorized access and identified a breaker^;
- Programmer, operator or another person fixed an unauthorized access by catching a wrongdoer in the act.
When a non-identified person illegally intervened into the work of electronic computers, their systems and networks, certain investigative actions should be taken to establish grounds for initiating criminal proceedings. Among them are to get explanations, inspect a site of crime, ask for necessary materials, take operative and search measures.
It is expedient to receive explanations from engineers engaged in developing and maintaining computer software and hardware^; system programmers^; communication and telecommunication engineers^; experts in computer system security and others.
Before arriving upon a scene, it is necessary to invite related experts and attesting witnesses with the knowledge of electronic computers and their software, prepare special equipment, instruct investigation members and consult specialists. On arrival, it is required to:
- Fix a current crime situation^;
- Give bystanders and investigation participants no possibility of touching the outfit^;
- Determine whether scene computers are connected to the local network, telephone or phone lines^;
- Clear up if site electronic machines are linked to externally located hardware^;
- Specify programs launched on computing machines.
The next recommendations should be adopted to withdraw computer information^;
- It is necessary to block a site of examination and switch off electronic hardware^;
- Magnetic data carriers should be stored in special sealed and shielded containers or in standard cases to eliminate electromagnetic and direct radiation impacts^;
- Computer information ought to be copied on physical carriers by means of standard software^;
Taking criminal proceedings also requires the availability of the computer hardware failure journal^; labor time logbook^; working register^; material data carriers (otherwise computer software)^; network administrator file displaying the entire network operation (testing results, irregular situation records)^; a system block and portable data storage elements^; file information on attempts of computer misuse and illegal network connection^; antiviral inspection results including hash totals of stored files^; lists of authorized persons and their identification passwords^; technical means of user authentication (magnetic cards, interlocking keys and so on) to limit an access to computers during the inspection and etc.
The initial investigation features the following typical situations:
- Illegal intervention into the work of electronic computers, their systems and networks is fixed^;
- Incontrovertible evidences are obtained and the suspect gives trustworthy testimonies^;
- Fact of unlawful penetration into electronic computers, their systems and networks is established.
- Identifying evidences are presented but the suspect denies the criminal charge^;
- Fact of unauthorized intervention into the work of computing machines, their systems and networks is established.
- Persons that could do it by abusing their official position are identified but there are no evidences of their open guilt^;
- Fact of illegal access to computer information is established. Certain or interested persons are suspected in it.
The search of premises carried out to investigate the unlawful intervention into the work of electronic computers, their systems and networks can have the following stages:
- Preparatory (obtaining information on type and quantity of computers available in the premises to be searched as well as their auxiliary devices^; inviting experts in computer systems^; preparing related electronic hardware^; learning computer owner’s personality and professional skills^; specifying measures of confidential search^; forecasting data to be found and their role in conducting an operative and effective search^; determining information to be studied on site and that to be withdrawn for further examination)^;
- Initial (abruptly entering the premises to be searched and providing supervision of computers^; fixing a current crime situation^; giving bystanders and investigation participants no possibility of touching the outfit^; determining whether scene computers are connected to the local network, telephone or phone lines^; clearing up if site electronic machines are linked to externally located hardware^; specifying programs launched on computing machines^; specifying information that can favor the effective search)^;
- Intermediate or “detailed” (taking special measures to check the premises and computer(s) or the availability of, for example, hiding places with important information)^;
- Final (making up a protocol and relevant descriptions^; drawing plans and schemes of searched premises^; carrying out additional photography and videotape recording).
The investigation of illegal penetration into the electronic computers, their systems and networks is also characterized by the following typical investigative situations:
- Suspect admits an offence and gives trustworthy testimonies^;
- Suspect admits guilt but does not give accomplices^;
- Suspects admit a crime but all criminal episodes are not established^;
- Suspects deny the participation in a crime and furnish divergent testimonies.
The next expert examinations should be made to investigate unauthorized interventions into the work of electronic machines, their systems and networks:
- Technical expert examination of electronic computers and their peripheral devices^;
- Technical expertise of computer information protecting equipment^;
- Examination of computer software and machine data^;
- Technical expertise of computer network data and software.
The following identification signs of computer information should be reflected in the protocol of expert examination: contents, form, attributes, carriers, names and sizes of files, date and time of their creation, type, point-type, interline, indention, heading, printing, fields, page numeration^; purpose, function, interface and etc.
When investigating the illegal intervention into the work of electronic computers, their systems and networks, the investigative experiment should be run to check possibilities of penetrating into the premises, connecting electronic hardware and obtaining a direct access to computer information, penetrating into closed areas through the selection of passwords and identification codes, linking to the computer network^; intercepting information, performing unauthorized operations by means of specific computing equipment within a definite period^; establishing a time interval to connect to the computer network, putting the information protecting system out of action, modifying or copying computer information.
To our opinion, the above recommendations will allow officers from law enforcement bodies to investigate computer crimes in a more effective way.
M. Gutsalyuk Fighting cybercrimes. - http://www.crime-research.ru/library/Gutcaluk0701.html.
N. Akhtirskaya Typical investigative situations and expert examinations. http://www.crime-research.org/library/Akhtirsk0205.html
P. Bilenchuk, B. Romanyuk, V. Tsimbalyuk Cybercrimes. Manual. – Kiev: Attica, 2002. – P.193-194.
V. Gavlovsky Procedures of detecting hi-tech crimes committed by criminal groups. - http://www.crime-research.org/library/Gavl2.html.
^macro[showdigestcomments;^uri;Some problems of investigating cybercrimes]