Interrogation of Suspects in Investigating Computer Crime
Interrogations during the investigation of computer crimes are carried out according to tactical recommendations developed in criminalistics. The basic tactical tasks of such interrogations are:
revealing the components of a crime;
establishing the circumstances, place and time of actions significant for the investigation; the ways and motives of their commission and the concurrent circumstances; the features of the persons participating in them;
defining the subject of the criminal offence;
defining the extent of the damage caused;
establishing other witnesses and persons involved in the crime.
Primary detection of illegal actions with computer information is carried out, as a rule, by employees of the information system's proprietor and by its users. Descriptions of the attributes of these actions may be found in the evidence of eyewitnesses.
Preparation for the interrogation and comprehensive study of the person to be interrogated take on special importance here. It is expedient to find as much information on the suspect as possible. For this purpose it is reasonable to collect data on him from his places of residence, study, work and leisure. Tax inspectors, law enforcement officers, co-workers, neighbours and acquaintances can provide such data. Important data may also be obtained from his personal file at work. It is necessary to take into account that witnesses of this category are often persons with higher education and high intelligence who know special terminology that is not always intelligible to the investigator. It is therefore necessary to obtain more detailed evidence from the interrogated person by asking clarifying questions that reveal the meaning of the terms and definitions he uses. Descriptions of systems or of information flow schemes are extremely useful, along with hand-drawn schemes made by the interrogated person. The investigator can invite an expert in computer facilities to participate in the interrogation (at the least, the wording of the questions to be asked should be coordinated with such an expert beforehand).
To solve these tasks, the investigator has to find out during the interrogation of witnesses whether:
someone showed interest in the computer information, software or computer facilities of the given enterprise, organization, institution or company;
outsiders had access to rooms where computer facilities are located;
cases of abuse of official position occurred;
failures in software operation took place;
theft of data carriers and other computer devices occurred;
failures in the operation of hardware, networks or means of computer information protection took place.
The investigator should also establish:
how often software is checked for viruses;
the results of recent checks;
how often software is updated;
where and by whom software is purchased;
where and by whom hardware is purchased;
how its upgrading and servicing are carried out;
what the rules for working with information are;
how it is processed and transferred;
who else is a user of the computer network of the enterprise, organization, institution or company;
how this network is accessed;
which users have the right to use this network and what their authority is;
how computer information security is carried out;
what the means and methods of information protection are, etc.;
whether cases of illegal access to computer information took place and, if they did, how often;
whether the consequences that arose are the result of a careless action by a person or of failures in the operation of a computer, computer system, software, etc.;
what the character of the changes in the information is;
who is the proprietor (the owner or the lawful user) of the copied (destroyed, modified, blocked) information, etc.
At the initial stage of investigating illegal access it is necessary to interrogate citizens of various categories (computer operators, programmers, officials responsible for information security, managers, officials engaged in service, heads of computer centers or of enterprises and organizations). There is a specific subject of interrogation for each of these categories.
Before preparing, planning and carrying out interrogations of persons accused of committing computer crimes, it is necessary to consider the features of such crimes and, first of all, the criminalistic characteristics of the suspected person. During preparation it is important to determine which group the suspect or accused belongs to, and then to choose the interrogation tactics accordingly. At the initial interrogation, while inducing the person to active repentance, it is necessary to find out what changes have been made in the operation of computer systems, what viruses were used, whether the harm caused by the unauthorized penetration into the system can be quickly removed or reduced, and what data was transferred and where.
At the initial stage of the interrogation it is important to find out circumstances of a general character that are of interest to the investigation, namely data concerning:
skills and operational experience with computers and specialized software;
use of legal access to computers and software at the workplace;
the specific operations with computer information that the suspect (accused) carries out at the workplace or on the computers of acquaintances;
legal access to and work on the Internet;
use of identification codes and passwords for accessing the computer network at work.
Establishing the pre-crime circumstances is of great value:
when the intention to commit a crime arose, and who or what affected this decision;
why the criminal chose the given object for criminal encroachment (the organization or institution where the criminal had been working, or another company or enterprise);
what the motives for committing the crime are (the overwhelming majority, more than 70%, are committed for lucrative motives);
what the purpose of the computer crime is: whether it lies only in committing the crime itself, or computers were merely the means of committing other, traditional crimes: theft, tax evasion, industrial espionage, etc. At initial interrogations suspects quite often name "harmless" purposes, such as curiosity or testing their abilities, in order to extenuate their guilt or to avoid criminal liability for what they have committed. This happens especially when the criminal intent has not yet been carried through (the copied information has not been sold, the money prepared for theft has not been received, etc.) [6, 68].
Serial crimes committed repeatedly are necessarily accompanied by acts of concealment. The perpetrators are usually highly skilled experts involved in organized criminal groups and communities, perfectly equipped (often with special operational facilities).
When the crime is committed by a group of persons, it is necessary to establish during the interrogation:
whether there was collusion with other persons and who these persons are;
who the initiator is;
the time, place and other details of the criminal collusion;
the distribution of roles between the accomplices to the crime;
what specific actions were performed in preparation for the crime: preliminary study of the object of criminal encroachment, confirmation that information of interest to the accomplices is present, measures taken to illegally obtain identification codes and passwords for access to the network, opening of false companies or accounts in non-existent banks, getting credit cards (transactions with the stolen money, etc.).
Intrusions from outside into the computer networks of victim organizations make up half of computer crimes. Therefore, when interrogating the suspect (accused), it is very important to specify the "technology" of the crime committed, to obtain where possible available data or electronic and any tangible traces of the act, and to find information of interest to the investigation.
It is necessary to ask the following questions if the suspect (accused) committed illegal access to computer information:
about the place of illegal penetration into the computer system (network): inside the victim organization (special commands typed at the computer where the information is stored, etc.) or outside;
about the ways of penetrating into the room where the computer equipment is located and of gaining illegal access to the computer system or network;
about the methods used to overcome information security: guessing keys and passwords (logging in to a system or network using the login and password of legal users, software that modifies data, etc.); theft of keys and passwords (visual interception of information displayed on the monitor or entered from the keyboard about passwords, identifiers and access procedures; interception of passwords by connecting to the channel during a communication session; electronic interception using electromagnetic radiation; collecting and analysing used listings of documents that also contain data on passwords and access procedures, etc.); deactivating or destroying protection means; exploiting security gaps;
about the sources from which the suspect (accused) obtained data on information security measures and on ways of overcoming them;
about the means used: hardware, software, data carriers, or combined (a combination of the above);
about other technical tricks and ruses used for illegal access: reading information by connecting to a cable of the local network; intercepting electromagnetic radiation from the displays of servers or workstations of a local network in order to read and copy information; copying data from machine data carriers left unattended or stolen from their places of storage; reading information from hard disks and floppies (including the remains of erased data and temporary files) and from magnetic tapes when copying data from the equipment of the victim organization; theft of laptops and portable machine carriers in order to gain access to the information contained in them, etc.;
about ways of concealing the illegal access (software indication of false data on the person who committed the access);
about the number of instances of illegal intrusion into information databases;
about the use of official position for illegal access and how exactly this manifested itself, etc.
Analysis of criminal cases shows that, in investigating illegal interference with the work of computers, systems and networks, the following investigatory situations can arise depending on how far the accused admits his guilt:
1. The accused admits his guilt and gives full, truthful evidence.
2. The accused admits his guilt in part, but denies participation in the basic episodes of criminal activity.
3. The accused admits his guilt, but not all episodes of criminal activity have been established.
4. The accused (when the crime is committed by a group of persons in preliminary collusion or by an organized group) deny participation in the crime and give inconsistent evidence.
5. The accused admits his guilt, but does not name accomplices.
For a successful interrogation it is necessary to study carefully all the materials of the case, the peculiarities of the accused, the ways the crime was committed, the proofs establishing the guilt of the specific person, etc. By the time the person is charged, the investigation should have all categories of proof. The first is proof of circumstances testifying that the investigated incident (act) has taken place. The next is proof that the given act was committed by the accused person and that it corresponds to the components of a crime defined in Article 361 of the Criminal Code of Ukraine. On the whole it should be noted that the accused gives truthful evidence when he is sure that the investigation has established all the facts.
[1] V. Shepitko, Theoretical Problems of Tactical Methods Systematization in Criminalistics - Kharkiv: 1995; P. Bilenchuck, A. Gel, Criminalistic Tactics Bases: course of lectures - Vinnitza: MAUP, 2001; Criminalistics / Textbook, edited by P. Bilenchuck - Kyiv: Ataka, 2001.
[2] Criminalistics / Textbook, edited by N. Yablokov - Moscow: Urist, 2001.
[3] A. Volynski, T. Averyanova, I. Alexandrova, Criminalistics / Textbook for colleges, edited by A. Volynski - Moscow: Zakon i pravo, 1999.
[4] U. Gavrilin, Investigating of Illegal Access to Computer Information / School book, edited by N. Shuruhnov - Moscow: 2001.
[5] T. Averyanova, R. Belkin, U. Koruhov, E. Rossinkaya, Criminalistics / Textbook for colleges, edited by R. Belkin - Moscow: Norma, 2002.
[6] B. Andreev, P. Pak, V. Horst, Computer Crime Investigation - Moscow: 2001.
[7] V. Golubev, Investigating Computer Crime / Monograph - Zaporozhye: University of Humanities ZIGMU, 2002.