Some questions of specialists’ involvement in computer crime investigation
During the investigation of thefts and economic crimes in the credit and banking system, that is, crimes committed with the help of IT, investigators may find computer equipment that either was the object of the criminal attempt or served as the means of committing the crime and holds evidence of criminal activity. With this in mind, during investigative actions such as examination (art. 190 of Ukraine's Code of Criminal Procedure), search (art. 178 CCP of Ukraine), withdrawal (art. 179 CCP of Ukraine), and reconstruction of the situation and circumstances of events (art. 194 CCP of Ukraine), attention shifts to a new object of investigation, computer equipment, and to a new object of search: information held in computer memory or on external carriers such as diskettes and disks.
Examining the place where the crime was committed allows the examiner to establish the time and place of the intrusion into the system, the method of intrusion, and the disruption of system operation.
A typical peculiarity of such an examination is that a great distance may separate the place of the direct criminal actions from the place where their results materialize (for example, they may be in different countries). That is why, in cases of unauthorized intrusion into the operation of computers, computer systems and computer networks, the investigation covers:
a) traces on the magnetic carriers used by the criminal;
b) traces on the “transit” magnetic carriers through which the criminal directly contacted the informational resources;
c) traces on the magnetic carriers of the informational system that was intruded.
Besides the examination of the place of the crime (the rooms where the computer equipment used to commit the crime is installed), it is necessary to examine the computer equipment that became the instrument of the crime, or whose database became the object of the crime, as well as its documentation.
While the examination of rooms presents no particular difficulties and its tactics do not differ from those used for other crimes, examining computer equipment and its parts and searching for information kept in electronic form demand special training from the people engaged in the process. Certain rules for handling electronic equipment must be followed.
That is why, to achieve the most effective results, people with special knowledge (SK) and skills should be involved in the crime investigation, in accordance with art. 128-1 CCP of Ukraine.
The law does not indicate what should be understood as SK, although the literature has paid considerable attention to defining the term. And although there is no common point of view, the majority of authors associate its interpretation with the term “speciality”.
Here are several formulations which, in general, reflect this point of view. “The knowledge of professional experience is considered as SK.” “As SK one should understand the total knowledge obtained at the end of professional training, which gives its owner the possibility to solve problems in a definite sphere.”
“Special knowledge is not popular or well-known knowledge which is widely spread; in plain words, it is knowledge which a limited group of specialists has.” Such an interpretation of the idea of SK coincides with the general notion of an expert as a representative of a certain speciality and a certain field of knowledge.
Technical knowledge, as well as scientific knowledge, is considered to be SK.
The transformation of technical knowledge into a special form of knowledge is connected with the first industrial revolution and the subsequent development of technologies. For quite a long period, however, technical knowledge was not an object of research. The situation has now changed, and there is a series of new works in which its specifics are studied.
Technical knowledge includes elements of both scientific and practical knowledge. The scientific elements are represented by various scientific-technical theories based on the laws of natural science, while the practical elements are based on receptive rules, which make up the main content of descriptions of technological processes, individual kinds of work, etc.
Specialists in crime detection have not yet agreed on a single point of view concerning the definition of SK. Some authors think that SK is that which the prosecution (detectives, judges etc.) has or does not have; others are sure that this knowledge is not well-known or popular but is obtained as a result of education in a special sphere or of professional experience.
I.V.Postika thinks that special knowledge is the whole of knowledge in a definite field at the modern level of its development. This definition may seem to limit, to some extent, the sphere in which SK is used, because it excludes the non-procedural form of its use. G.E.Morozov gives his own definition: SK is the knowledge which a person has in a certain sphere, such as chemistry, biology, mathematics or physics, pedagogy or linguistics.
V.I.Shikanov notes that the term SK is used to define any possible knowledge (practical experience, skills) except well-known knowledge (i.e. that which is obligatory) and knowledge in the sphere of law (though this should not be taken to cover training and practical skills connected with the criminal assessment of the real circumstances of events and with deciding questions of a procedural character).
In our view, SK is a system of modern knowledge in a definite sphere of science, technology, art and trade. It is obtained as a result of special training or professional experience and is used to investigate a crime, to take operative search measures, and to carry out expert and judicial investigation.
SK also includes experience and skills. Skills are actions which can be performed perfectly, quickly, economically and correctly (for example, an investigator has skills in using a camera and measuring and search equipment). Experience is a person's capability to work in new and sometimes extreme conditions quickly, effectively and properly.
As for the forms in which SK is applied, there is no common opinion in the science of criminology. For example, V.D.Arsenev and A.M.Goldmun think that in the criminal code there are only two forms of applying SK: examination and a specialist’s involvement in the investigation.
G.G.Zuykov defines independent forms:
a) direct applying of SK in science, technology, art and trade by the investigator;
d) consulting help of a specialist without his direct participation in the investigation;
e) a specialist’s involvement in the investigation.
V.Y.Koldin and B.G.Goncharenko indicate three procedural forms of SK use: by the investigator, by the specialist and by the expert.
When studying the forms of SK use in criminology, authors as a rule base their theories on the norms which define the rights and duties of the subjects who participate in the investigation. In our view, it is important to take into consideration both the aim of SK use and the way it is realized. These two characteristics determine the difference between the procedural forms of applying SK during the first part of the investigation and at trial, and also the rights and duties of the subjects who use it.
Specialists may be persons who have knowledge in different fields of science, technology, art and trade, including colleagues from expert institutions. As for the method of realizing SK, there are two kinds of specialist participation: obligatory and optional. Sometimes a specialist is involved in the investigation only in case of necessity. His main duty is to use his professional knowledge and skills to help the investigator find evidence. The procedural form of SK use is defined by law and determines the relations between an investigator and a specialist in the process of pre-trial investigation. It is the most effective way of using SK, because when a specialist is directly involved in the investigation it is possible to discover many important details.
A successful investigation of a crime is, as a rule, ensured by combining procedural and non-procedural forms of using specialists’ knowledge.
The Criminal Code of Ukraine does not limit a specialist’s actions and does not forbid him to carry out legal evaluation. Since an investigator can involve a specialist in the preparations for the investigation and instruct him to take necessary measures, a specialist can give professional advice to an investigator. A specialist’s consultations and explanations have no evidentiary value and should not be entered in the record of the search.
Some authors define non-procedural forms of SK use. V.G.Goncharenko suggested dividing the use of the natural and scientific sciences in criminal legal proceedings into procedural (investigative, judicial, expert) and non-procedural (operative and individual examination of materials by an investigator or a judge).
Non-procedural involvement of specialists in crime investigation is not regulated by the norms of the Criminal Code. It includes:
a) consultations of an investigator with specialists on those questions which require SK;
b) inquiry activity of a specialist (on behalf of an investigator);
c) technical and other kinds of help to the investigator;
d) special examination made by officials;
e) legal evaluation;
f) documentary audit;
g) examinations made by employees of different institutions and inspections (auditors, auto inspectors, technical instructors);
h) operative examination (beyond expert) of objects (corpse, material evidence etc.).
Specialist’s advice may concern tactics, the way and the time of carrying out a procedural action, its participants, scientific-technical and criminal means. Sometimes such recommendations are called organizationally-tactical.
During the investigation of crimes committed with the use of computer technologies it is necessary to involve specialists in the fields of information technology and computers. It is also possible to find fingerprints on the computer devices, as well as tool marks and traces of hand soldering on their internal components. Specialists in computer network security technologies must also be involved if the crime was committed with the help of a local computer network or the Internet. As witnesses it is advisable to involve people who are knowledgeable about the operation of the relevant computer technologies.
In systems where information security is a critical factor, uninterrupted power supply systems are used, together with backup file servers that keep copies of all files (the system makes the copies automatically at set intervals). The latter may be very useful, as criminals are often unable to destroy the copy of system information on the additional servers. As a precaution this copy is encoded and hidden in areas inaccessible to users, and it can help establish how the security system was overcome and provide additional information that will help to identify the offender.
The tactics of searching for computer information are chosen taking into consideration the level of data security and the condition of the computer and its peripheral hardware at the moment of the investigation. It is necessary to find out whether the computer equipment located at the site under investigation is joined in a local computer network and whether the managing computer is the server. Special attention must be paid to the server because more information is kept on it, although private information may be found on an ordinary computer of the network as well.
It is essential to know that when information is wiped from a magnetic carrier it is not actually erased physically; only its status changes. It becomes “invisible” and is kept until new information is recorded in its place. That is why it can be restored completely with the help of special technologies, and even after new information has been recorded in its place it can still be restored in part.
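The point above, that deletion only changes a file's status, shown on a FAT directory of the kind found on diskettes (an added example, not part of the original article; the choice of FAT is an assumption, and `SAMPLE`, `make_entry` and the file names are constructed test data). On FAT, deleting a file replaces the first byte of its 32-byte directory entry with 0xE5, while the rest of the name, the size, the start cluster and the last-change date stay readable.

```python
import struct
from datetime import datetime

# 32-byte FAT short directory entry: name, ext, attributes, 8 skipped bytes,
# first-cluster high word, write time, write date, first-cluster low word, size.
ENTRY = struct.Struct("<8s3sB8xHHHHI")
DELETED, END, ATTR_LFN = 0xE5, 0x00, 0x0F

def fat_datetime(date, time):
    """Decode the packed FAT last-write date and time; None if not valid."""
    try:
        return datetime(1980 + (date >> 9), (date >> 5) & 0xF, date & 0x1F,
                        time >> 11, (time >> 5) & 0x3F, (time & 0x1F) * 2)
    except ValueError:
        return None

def parse_directory(raw):
    """Return one dict per file entry, flagging those marked as deleted."""
    entries = []
    for off in range(0, len(raw) - ENTRY.size + 1, ENTRY.size):
        name, ext, attr, hi, wtime, wdate, lo, size = ENTRY.unpack_from(raw, off)
        if name[0] == END:               # end of directory: nothing follows
            break
        if attr & 0x3F == ATTR_LFN:      # long-name fragment, not a file record
            continue
        deleted = name[0] == DELETED
        # Deletion overwrites only the first name byte, so show it as '?'.
        stem = name[1:].decode("ascii", "replace").rstrip()
        stem = ("?" if deleted else chr(name[0])) + stem
        suffix = ext.decode("ascii", "replace").rstrip()
        entries.append({
            "name": f"{stem}.{suffix}" if suffix else stem,
            "deleted": deleted,
            "modified": fat_datetime(wdate, wtime),
            "first_cluster": (hi << 16) | lo,
            "size": size,
        })
    return entries

def deleted_entries(raw):
    """Entries whose status byte says 'deleted' but whose metadata survives."""
    return [e for e in parse_directory(raw) if e["deleted"]]

def make_entry(name, ext, when, cluster, size, deleted=False):
    """Build a constructed sample entry (test data, not from a real case)."""
    date = ((when.year - 1980) << 9) | (when.month << 5) | when.day
    time = (when.hour << 11) | (when.minute << 5) | (when.second // 2)
    raw = bytearray(ENTRY.pack(name.ljust(8).encode(), ext.ljust(3).encode(),
                               0x20, cluster >> 16, time, date,
                               cluster & 0xFFFF, size))
    if deleted:
        raw[0] = DELETED                 # the only change deletion makes here
    return bytes(raw)

# Constructed directory: one live file, one deleted file, end marker.
SAMPLE = (make_entry("REPORT", "DOC", datetime(2002, 3, 14, 9, 30, 0), 5, 20480)
          + make_entry("LEDGER", "TXT", datetime(2002, 3, 15, 17, 45, 10), 12,
                       3072, deleted=True)
          + bytes(32))
```

Run against a working copy of the carrier rather than the original, so that the examination itself does not change the evidence.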
During examination, withdrawal and reconstruction of the circumstances of events it is necessary, first of all, to isolate the room, to remove the people who have nothing to do with the investigation, and to take measures to exclude unauthorized access to the computer or computers, both by the persons present and by those on the network to which the computer is connected. For this the network cables on the back panel of the system unit must be disconnected, and if access to the network is possible through a switched telephone line, the power supply to the modem must be cut off. If the modem is installed inside the computer, the expert should disconnect the telephone cable and the power point. It is also necessary to provide an uninterrupted power supply for the investigative equipment.
An investigator should stop all programs running at the moment of examination, but first write down all system information on the status of each program at the moment of stopping. Active documents should be saved to files under new names, leaving the original versions unchanged. It is advisable to photograph the monitor according to the rules of forensic photography and, if possible, to make a video recording.
The examination of the computer should be made by a specialist if the investigator himself is not properly knowledgeable in this sphere. In any case the record indicates what actions were taken, their sequence and results, and what software was used to search for information. The aim and the sense of every step are explained to the witnesses.
In most cases text and financial programs keep a list of the documents most recently worked on and can easily restore them, provided they have not been wiped or moved to another place. On the computer disk the user usually keeps documents in directories with standard names: My documents, documents, DOCS, archive, etc. Document files have a characteristic extension in their names, i.e. the part of the name which stands after the dot: *.doc, *.txt, etc. All computer files keep the date of the last change and, with some programs, the date the file was recorded.
The popular program package “Microsoft Office” keeps a hidden log file with the date and time of every occasion on which the computer was switched on. Communication and network programs memorize the addresses of many of a user's Internet contacts and keep e-mail documents with the addresses of the sender.
The results of the search are kept in electronic form on a magnetic carrier and, where possible, are printed and attached to the reports as an appendix.
It is useless to look for information only in the computer; it is necessary to examine attentively all the physical documents, even scraps of paper, because programmers often do not rely on their own memory and make notes of passwords, changes in system configuration and particulars of the structure of the computer database. Many users keep files on diskettes for safekeeping. That is why any discovered information carrier should be withdrawn and examined.
In some cases it is necessary during the investigation to look for a hiding place where computer information carriers may be kept. Hardware cases should be opened only by a specialist in order to discover disconnected internal information carriers.
To avoid accidental or malicious changes to the information in the computer, and when it is impossible to involve specialists, it is advisable to withdraw the computer. The type and quantity of the withdrawn equipment are indicated in the record.
During the examination and withdrawal of computer equipment it is necessary to follow the elementary rules of computer use, which will help to avoid failures at the hardware and software levels.
It is not right merely to indicate that the computer has been withdrawn. If the computer is sealed by the manufacturer, it is necessary to indicate its serial number and to withdraw its documentation. If there is no serial number or the manufacturer’s seal is damaged, it is necessary to establish the hardware configuration of the computer.
After this it is necessary to mark all the cables on the back panel of the system unit (this will help to reconstruct the connection of the devices in the future).
During hardware examination it is obligatory to pay attention to the type and model of the microchips and to the serial numbers and models of the storage devices.
Magnetic information carriers (diskettes, removable hard disks) are examined and withdrawn; the information that may be kept on them will help to reconstruct the state of the system before the unauthorized intrusion into its operation and to find out the method and the results of that intrusion.
During the withdrawal of computer equipment a manager or executives should provide the passwords and access codes to computer resources.
Magnetic carriers are numbered with previously prepared diskette labels and packed in packages which are then sealed. They are kept and transported in special containers or in standard diskette cases or other aluminium cases which exclude the destructive influence of electromagnetic fields and indirect radiation, including that of the metal detectors used in airports for luggage examination.
In the literature it is possible to find recommendations to withdraw all computer hardware discovered in the process of investigation. But this is not always right.
Compared with programs, documents make up a less considerable part of the computer database. Besides the technical difficulties there are economic ones: in case of computer failure a bank can “hold out” for not more than 2 days, a wholesale firm for 3-5 days, an insurance company for 5-6 days. That is why complaints may be received from the affected organizations.
Timely and correct withdrawal of computer information helps to make the subsequent computer forensic examination more effective. Such an examination is carried out to obtain the information kept on magnetic carriers, which will help to find the traces of a crime.
1. Galkin V. M. Means of proving in the Soviet Criminal Code, p.2. – M., 1968. – p. 8
2. Socolovskiy Z. M. The definition of special knowledge// Criminology and judicial expertise. – K., 1969, No. 6. – p. 202
3. Asman A. A. Experts’ conclusion (structure and scientific base). – M., 1967. – p. 91
4. Nudgorniy M. Gnoseological aspects of the definition “special knowledge”// Criminology and judicial expertise. – K., 1980. – p. 39
5. Sorocotaygin I. N. Structural characteristic of special knowledge and forms of their use in the struggle against criminals// Special knowledge applying in the struggle against criminals. – Sverdlovsk, 1983. – p. 6-7
6. Arsenev V. D. The base of the theory of evidence in the Soviet criminal process. – Irkutsk: Irc. Institute, 1970. – p. 82
7. Zuykov G. G. General questions of special knowledge use in the process of previous investigation// Criminological expertise. – M., 1966, No. 1. – p. 116
8. Koldin V. Y. Complex examination in judicial proving// State and Law, 1971, No. 7. – p. 108; Goncharenko V. I. The use of natural technical data in the criminal process. – K.: High School, 1980. – p. 112-113
9. Goncharenko V. I. The use of natural and technical data in the criminal process. – K.: High School, 1980. – p. 109
10. Maha V. N. Specialist’s involvement in the investigation. Auto-essay. – M., 1972. – p. 10-11
11. Selivanov N. A. Problems of computer crime struggle// Law. 1993, No. 8. – p. 38
12. Komissarov V., Gavrilov M., Ivanov A. Search with withdrawal of computer information// Legality. 1999, No. 3. – p. 15
13. Bilenchuk P. D., Romanyuk B. V., Cumbalyuk V. S. Computer crime. Educational supply. – K.: Atika, 2002. – p. 193
14. Komissarov V., Gavrilov M., Ivanov A. Search with computer information withdrawal// Legality. 1999, No. 3. – p. 14