Computer Crime Problems Research Center

Vasiliy Polivanyuk


Special knowledge implementation in the investigation of criminal cases on crimes committed with the use of computer technology


Nowadays computers are widely used for information storage and processing. They are also used in criminal activity. In investigations of larceny, embezzlement and economic crimes in the financial and banking sphere, investigators encounter computers that were either the object of a criminal encroachment or the instrument of the crime and that carry traces of the criminal act. Thus, during investigative actions such as examination or inspection (article 190 CPC of Ukraine), search (article 190 CPC of Ukraine), seizure (article 197 CPC of Ukraine) and reconstruction of conditions and circumstances (article 194 CPC of Ukraine) in different categories of criminal cases, and in the investigation of crimes in the computer information sphere, a new object of investigation and research appears: computer equipment. The object of a search may be information stored in the computer memory or on external carriers (disks, diskettes etc.). Specialized knowledge must be applied to obtain full and complete information about the committed crime.

The use of special knowledge and technical methods by the investigator, the prosecutor-criminalist and the court differs from other forms of their application in its procedural and criminalistic orientation toward collecting, recording, examining and using factual data on the circumstances of a specific crime and the guilty persons involved in it, and in the procedural order of investigative actions. The investigator (prosecutor-criminalist) applies his professional criminalistic knowledge, methods, techniques and technical means in order to find, record and seize evidence. The conditions and results of their application are recorded in the minutes of investigative actions and by criminalistic recording methods (such as photographs, moulds, sound and video recordings etc.), which together with the minutes are the procedural source of established facts.

The use of special knowledge by investigators in the pre-trial investigation has its peculiarities. It differs in its direct, clear cognitive orientation toward solving crimes and identifying those involved in them, and toward complete ascertainment of the case circumstances according to the subject of proof (articles 23, 64 CPC of Ukraine).

While investigating a particular crime, the investigator uses, alongside professional knowledge, all other kinds of knowledge, both in conducting investigative actions in the order established by law and in personally examining the established facts.

The need for the complex use of different kinds of special knowledge is explained by the investigator's procedural functions and by the legal requirement of a complete, thorough and objective investigation of the case circumstances and of the evidence that establishes them (articles 22, 67 CPC of Ukraine).

By profession and procedural function, an investigator must possess the special knowledge, methods and scientific and technical means necessary to establish the circumstances that constitute the subject of the case. For these purposes he has the right to apply special knowledge within his competence throughout the investigation. The investigator studies all the circumstances of the crime, collects, verifies and evaluates the factual data that establish them, determines directions for further investigation, and makes the decisions necessary to identify guilty persons, institute criminal proceedings against them, and eliminate the causes and conditions that contributed to the crime.

Crime investigation is a cognitive process of perceiving, accumulating, processing and using criminal information. It is mediated cognition, based on the study of objects that contain information about past objects and events. The result of the investigation is a completed criminal case, which is a well-ordered model of the investigated crime. The whole investigation is a process of forming this model. The information obtained during investigative actions is evaluated by its evidentiary value and has its own place in this model.

Carrying out any investigative action requires thorough preparation, which is explained by the peculiarities of computer equipment. The crime scene survey includes a) preparatory, b) working and c) final stages, each with its own goals and tasks.

It is very important to obtain the following data during the preparatory stage of a survey or search: the IBM configuration; the organization of the local network or the connection to a global network (such as the Internet); whether an information security service exists; whether there is protection against unauthorized access that automatically deletes information, which may be triggered when the computer case or the room where the computer is located is opened, or under other circumstances; the condition of the water supply system of the premises where the computer equipment is installed; the users' qualifications; and the relations among the employees who operate the equipment. A plan for conducting the survey must be drawn up at the preparatory stage.

A high level of computer protection is characterized by a special system protecting information from unauthorized access or by certified means of protection; permanent guarding of the territory and premises where the computer system is located, by technical means and specially trained staff; a strict pass procedure; specially equipped premises; an information protection service; and normal functioning and control of the work.

A low level of protection is characterized by a simple access-limitation scheme (the database is protected by a password); it is easy to obtain information on how to get past the password, so it is not necessary to apply special access techniques.

The crime scene survey gives the investigator a chance to establish the crime itself, the time and place of intrusion into the system, and the methods of intrusion and of interference with the system's operation.

A characteristic feature of such a survey is that the place of the actual criminal actions and the place where their results materialize can be a long distance apart (for example, in different states). Thus, in cases of illegal interference in the operation of computers, systems and their networks, the investigative picture includes:

a) Traces on magnetic carriers, which were used by a criminal;

b) Traces on "transit" magnetic carriers through which the criminal directly established connection with information resources;

c) Traces on magnetic carriers of the information system to which illegal access was gained.

Besides the crime scene itself (the premises where the computers used to commit the crime are located), the computer equipment that served as an instrument of the crime is examined, as are the databases, components and documents that became objects of the crime.

Whereas examination of the premises is well established and its tactics do not differ from premises examination in the investigation of other kinds of crimes, examination of computer equipment and its components and the search for computer information that may serve as evidence require special training of the staff who conduct the examination and observance of the special rules for operating and maintaining computer equipment.

Therefore, to obtain the most effective results in crime investigation and, in particular, in crime scene examination, search, seizure or reconstruction of the conditions and circumstances of the event, it is necessary to involve in the investigative actions, in accordance with article 128-1 CPC of Ukraine, persons who possess the necessary special knowledge and skills: an expert in computer science and computer equipment. It is also desirable to involve an expert criminalist, because there may be hand prints on the computer devices, metal-working tools, and elements of manual soldering on internal elements of computer devices. Experts in computer security and network technologies should also be involved (if local computer networks or the Internet were used in committing the crime). In general, it is necessary to involve persons who are professionals in the operation of computer technologies [4, 38].

In systems where information storage is the critical factor, uninterruptible power supply systems are used, as well as reserve file servers that contain copies of all files (copying is carried out by the system automatically at given time intervals). The latter can help, as trespassers are not always able to delete the copy of system information on additional servers. For safety reasons this information is encrypted and stored in areas inaccessible to users, so there is a possibility of determining the method used to overcome the protection and of obtaining additional information that will help to identify a trespasser.

The tactics of searching for computer information are chosen based on the data protection in place and on the operating state of the computer and its peripheral equipment at the moment of the investigative action. It is necessary to determine whether the computer equipment where the investigative action is carried out is connected to a local network or to the main computer (the server). An ordinary computer, not only the main one, may also contain information.

It is necessary to know that when information is erased from magnetic carriers, it is not physically erased; it only changes its status. It becomes invisible and remains stored until new information is recorded in its place. Thus, it can be restored completely using special utilities, or partially when new information has been recorded in its place.
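One concrete instance of this, as an added example that is not part of the original article: on FAT-formatted diskettes and disks (an assumption; the article names no file system), deletion replaces the first byte of a directory entry's name with 0xE5 and frees the clusters, while the rest of the entry and the data stay in place until reused. The directory bytes and data area below are constructed, and all function names are hypothetical.

```python
import struct
from datetime import datetime

DELETED, END_OF_DIR = 0xE5, 0x00    # values of the first name byte
ATTR_VOLUME, ATTR_LFN = 0x08, 0x0F  # entries that describe no file

def fat_datetime(date, time):
    """Decode the packed 16-bit FAT date and time fields."""
    try:
        return datetime(1980 + (date >> 9), (date >> 5) & 0x0F, date & 0x1F,
                        time >> 11, (time >> 5) & 0x3F, (time & 0x1F) * 2)
    except ValueError:              # zeroed or damaged timestamp
        return None

def parse_directory(raw):
    """Return a dict per 32-byte short-name entry, deleted ones included."""
    found = []
    for off in range(0, len(raw) - 31, 32):
        rec = raw[off:off + 32]
        if rec[0] == END_OF_DIR:    # nothing was ever stored past here
            break
        if rec[11] == ATTR_LFN or rec[11] & ATTR_VOLUME:
            continue
        deleted = rec[0] == DELETED
        # Deletion overwrites only the first character of the name.
        first = "?" if deleted else chr(rec[0])
        stem = (first + rec[1:8].decode("ascii", "replace")).rstrip()
        ext = rec[8:11].decode("ascii", "replace").rstrip()
        time, date, cluster, size = struct.unpack_from("<HHHI", rec, 22)
        found.append({"name": f"{stem}.{ext}" if ext else stem,
                      "deleted": deleted, "modified": fat_datetime(date, time),
                      "cluster": cluster, "size": size})
    return found

def recover_contiguous(data_area, entry, cluster_size):
    """Read a file's bytes, assuming contiguous clusters that were not reused."""
    start = (entry["cluster"] - 2) * cluster_size   # data clusters start at 2
    return data_area[start:start + entry["size"]]

def make_entry(name, ext, date, time, cluster, size):
    """Build one constructed directory entry (test data, not from a real disk)."""
    return (name.ljust(8).encode() + ext.ljust(3).encode() + b"\x20" + bytes(10)
            + struct.pack("<HHHI", time, date, cluster, size))

# Constructed sample: a live file and a deleted one, 512-byte clusters.
CLUSTER = 512
live = make_entry("REPORT", "TXT", (21 << 9) | (5 << 5) | 14,
                  (10 << 11) | (30 << 5), 2, 11)
gone = bytearray(make_entry("LEDGER", "DOC", (21 << 9) | (5 << 5) | 15,
                            (9 << 11) | (5 << 5) | 10, 3, 17))
gone[0] = DELETED                   # the only byte the delete changes here
SAMPLE_DIR = live + bytes(gone) + bytes(32)
SAMPLE_DATA = (b"hello world".ljust(CLUSTER, b"\0")
               + b"payment list 2001".ljust(CLUSTER, b"\0"))

if __name__ == "__main__":
    for e in parse_directory(SAMPLE_DIR):
        print(e, recover_contiguous(SAMPLE_DATA, e, CLUSTER))
```

If the freed clusters have since been reused, `recover_contiguous` returns the newer content, which is the partial-recovery case the paragraph describes.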

During examination, search, seizure and reconstruction of conditions and circumstances it is necessary to isolate the premises, remove people who have nothing to do with the examination, and prevent unauthorized access to the computer both by those present and through the network connected to the computer. For this purpose, disconnect the network cables on the back panel of the system unit; if network access goes over a dial-up telephone line, disconnect the modem's power supply; and if the modem is built into the computer, disconnect the telephone cable from the socket. It is necessary to provide an uninterrupted power supply to the equipment under examination.

It is necessary to close the programs running at the moment of the examination, having first written down all system messages on the status of each program at the moment it is halted. Active documents should be saved under new names, leaving their original versions unchanged. It is reasonable to photograph the monitor according to the rules of criminalistic photography, and to record it if possible.

Computer manipulations to search for evidentiary information should be entrusted to an expert if the investigator does not possess the necessary knowledge and skills. The minutes record what actions are performed, their sequence and order, and the software used for the information search. The goal and content of every action is explained. Most word-processing and financial programs store a list of the operations of the latest sessions and can display them immediately, if they have not been erased or moved to another place. Users usually keep documents in directories on the computer disk with standard names: MY DOCUMENTS, DOCUMENTS, DOCS, ARCHIVE and so forth. Document files have a characteristic extension, that is, the part of the file name that stands after the dot: *.doc, *.txt and so forth. All computer files keep the date of the last change, and with some programs the date the file was recorded.

The popular software package Microsoft Office, after installation on the computer, keeps its own log file in which the date and time of every computer start-up are recorded. Communication and network programs store the addresses of many of the user's Internet contacts and e-mail documents with the addresses of the sender [3, 15].

The results of the search are stored in electronic form on a removable magnetic carrier, printed, and drawn up as a supplement to the minutes.
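The search described above, for documents in standard folders or with document extensions together with their last-change dates, can be turned into a repeatable inventory for the supplement to the minutes. This is an added example, not part of the original article; the SHA-256 column, the function names and the sample tree are assumptions, and it is meant to run against a working copy, not the original carrier.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timezone

# Folder names and extensions taken from the article; extend them per case.
DOC_DIRS = {"my documents", "documents", "docs", "archive"}
DOC_EXTS = {".doc", ".txt"}

def sha256_of(path, chunk=1 << 20):
    """Hash a file in chunks (hashing is an addition, not in the article)."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()

def inventory(root):
    """List candidate documents under root, oldest modification first."""
    rows = []
    for dirpath, _dirs, filenames in os.walk(root):
        parts = os.path.relpath(dirpath, root).lower().split(os.sep)
        in_doc_dir = any(p in DOC_DIRS for p in parts)
        for name in filenames:
            ext = os.path.splitext(name)[1].lower()
            if not (in_doc_dir or ext in DOC_EXTS):
                continue
            path = os.path.join(dirpath, name)
            st = os.stat(path)          # read metadata before opening the file
            mtime = datetime.fromtimestamp(st.st_mtime, timezone.utc)
            rows.append({"path": os.path.relpath(path, root),
                         "size": st.st_size,
                         "modified_utc": mtime.strftime("%Y-%m-%dT%H:%M:%SZ"),
                         "in_standard_folder": in_doc_dir,
                         "sha256": sha256_of(path)})
    return sorted(rows, key=lambda r: (r["modified_utc"], r["path"]))

def build_sample(root):
    """Create a small constructed tree (not real evidence) for a dry run."""
    files = {"My Documents/contract.doc": (b"draft", 991000000),
             "My Documents/photo.bmp": (b"BM", 992000000),
             "tmp/notes.TXT": (b"pw list", 990000000),
             "WINDOWS/system.ini": (b"[boot]", 993000000)}
    for rel, (data, mtime) in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
        os.utime(path, (mtime, mtime))  # constructed last-change dates

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for row in inventory(tmp):
            print(row)
```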

The search for information should not be limited to the computer. It is necessary to look through all the documentation, including scraps of paper, as programmers do not rely on their memory and make notes of passwords, changes to system configurations and peculiarities of how a computer information database is built. Many users keep copies of files on diskettes to prevent their loss in a computer failure. That is why any data carriers found should be seized and studied.

In special cases, when carrying out investigative actions it is necessary to search for hiding places where removable computer data carriers may be stored and, with the expert's help, to open the cases of computer hardware to reveal deliberately disconnected internal data carriers, for example an additional hard disk.

When experts are not involved, it is reasonable to carry out the seizure procedure in order to avoid accidental or deliberate alteration of the information in the computer. The characteristic features, specifications and quantity of the seized equipment are recorded in the minutes.

It is necessary to follow basic regulations on computer operation and maintenance to avoid failures on hardware and program levels:

- Equipment must not be subjected to vibrations and shocks;

- Do not connect or disconnect peripheral devices while the computer is operating (exceptions are devices connected to serial ports 1/2: mouse, modem);

- Expansion boards may be removed from or installed on the motherboard only when the computer is off;

- Keep magnetic information carriers away from electromagnetic radiation, exceedingly high and low temperatures, liquids, and mechanical influence;

- Switch off the computer following the proper shutdown procedure. Nonobservance of this rule leads to errors in software operation, to partial or complete loss of information on magnetic carriers, and to software failure.

It is not acceptable to record in the minutes merely that the computer is being seized. If the computer is sealed by the manufacturer, it is necessary to note its serial number and to seize the documentation for it. If the serial number is absent or the manufacturer's seal is damaged, it is necessary to establish the hardware configuration of the computer:

- Type and model of the central processor (shown during the hardware self-test at start-up);

- The amount of main memory (shown on the line after the information about the type of the central processor);

- Type and model of the magnetic disk drives (shown during computer start-up after the memory test, or given on the devices' labels).

After this procedure it is necessary to mark all sockets and cables on the back panel of the system unit (this will help to reconstruct the connection of devices in the future).

During hardware examination, attention is paid to the type and model of the microcircuits on the motherboards, the motherboards' names, and the serial numbers and models of the storage devices.

During motherboard examination it is forbidden to touch contacts and microcircuits with metal items or hands. Microcircuits are very sensitive to static electricity and can be put out of order. Thus, before examining the computer's central units it is necessary to discharge static from yourself by holding a central heating pipe or a water supply pipe.

Together with the computer, magnetic data carriers on which information is stored are seized (diskettes, streamer cartridges, removable "winchesters"); this makes it possible to reconstruct the condition of the system before the unauthorized intervention in its operation and to determine the way and consequences of such intervention.

When seizing computer equipment, find out from the responsible persons or the network manager the passwords and access codes to computer resources.

Magnetic carriers are numbered beforehand on their diskette labels and packed into sealed packages. They are kept and transported in special containers or in standard factory-made diskette cases or other aluminium cases, which exclude the destructive action of electromagnetic fields and indirect radiation, including the effect of metal detectors used for luggage checks at airports. Computers should not be stacked on each other, nor should other objects be placed on them. Computers should be kept in dry, warm premises where there are no cockroaches, spiders, ants or rodents that may cause malfunction of the equipment and damage to information carriers [2, 193].

The literature recommends seizing all computer equipment found during the examination, search, or reconstruction of the conditions and circumstances of events. But it is impossible to agree with this idea completely.

Programs play a significant role in the computer, and documents are just a part of it. Besides technical difficulties there are also economic ones: in case of failure of the computer, a bank may "hold on" no more than two days, a wholesale firm 3-5 days, an insurance company 5-6 days. In this situation claims are possible on the part of the organization that suffered losses [3, 14].

Timely and correct seizure of the computer information and computer equipment contributes to the efficiency of the subsequent computer-technical expert examination, which is appointed in order to obtain the information stored on magnetic carriers and to identify traces of criminal activity.

Special knowledge in the sphere of information science and computer engineering (computer technologies and software) is the basis of the expertise.

The subject of computer-technical expertise is the regularities in the formation and study of computer systems and the circulation of computer information, and the examination, on the orders of investigative and judicial bodies, of facts and circumstances in which these regularities are manifested.

Computer-technical expertise solves both identification and diagnostic (non-identification) problems. According to the research goal, computer-technical expertise is divided into technical expertise of computers and their components, and software expertise. The first studies the design features and condition of the computer, its peripheral equipment, magnetic information carriers etc., the computer network, and the reasons for deviations in the computer's operation.

Software expertise is appointed to study information stored in the computer and on magnetic carriers.

Other kinds of expertise can be appointed in these cases: traceological, to examine traces of breaking in; dactyloscopic, for traces of hands on the external and internal surfaces of computers and their components; forensic economic (financial and economic, accounting, economic-statistical and so forth), when a crime in the sphere of computer information is connected to crimes in the financial sphere; technical-criminalistic examination of documents, when the computer is used as a means of producing counterfeit documents, false money and so forth; phonoscopic, when diskettes contain recordings of a person's speech that must be compared with that of a suspect in the crime.


1. Criminal-Procedure Code of Ukraine. - Atika, 2001. - 208 p.

2. Bilenchuk P.D., Zimbalyuk V.C. Computer Crime. Studybook. - Atika, 2002. - 240 p.

3. Komissarov V., Gavrilov M., Ivanov A. Search with computer information extraction. // Legality. 1999, No. 3, p. 12-15.

4. Selivanov N.A. Problems of fighting with computer crime. // Legality. 1993, No. 8, p. 36-40.



Copyright Computer Crime Research Center, 2001-2002 All Rights Reserved.