Legal expertise in investigating cybercrime
The most important form of using special knowledge during the preliminary and judicial investigation is an expert examination, which purpose is provided by Ukraine’s CPC Article 75. “The examination is scheduled when scientific, technical or another special knowledge is required to resolve some problems during the investigation” [1,73]. The judicial expert examination helps the inspector to study traces and other material evidences, establish the psychic condition of the criminal process participants, determine reasons of the victim’s death, incident, accident and answer other questions representing the inspector’s interests.
“Judicial expertise” means a form of using special knowledge, an inquiry action, procedure of studying objects and documents – the expert’s conclusion. Ukraine’s Law “Judicial expertise” and Criminal Procedural Code , Ukraine’s Supreme Court Plenary Session Decision “Judicial expertise in the criminal and civil cases”  establishes rules of scheduling and conducting expert examinations. According to Ukraine’s Law “Judicial expertise”, the expert uses special knowledge to examine material objects, phenomena and processes containing information on facts of a criminal case that is under preliminary or judicial investigation.
Special knowledge in such a form can be used when the circumstances to be proved in the criminal case are difficult to investigate with the help of other means listed in Ukraine’s CPC Article 66.
The judicial expertise is a scientific, technical and other special knowledge-based studying of particular circumstances and issues. The expert carries out the examination in the law established order to fix facts connected with the case, he presenting it as a conclusion for the preliminary and judicial investigation . Problems to be solved by the expert examination can be referred to any field of scientific and practical knowledge.
When estimating the expert’s conclusion, the inspector (court) studies and compares it with other evidences , establishes its validity, completeness and observation of law provided rules of scheduling and conducting the expert examination. These rules regulate the expert’s activity, characteristics of his status, legal nature of his conclusions and the attitude of the inspector, attorney, court, suspect, victim towards him and his conclusions.
There is a problem of carrying out the criminalistical expertise in the specialized objective field of computer technologies. There are no appropriate theoretical and practical procedures of conducting the examination, as well as establishing its tasks, objects and identification characteristics. New objects of criminalistical investigation – documentary and computer information stored on the machine carriers – have not been studied enough yet.
However, the investigation results obtained by describing the inquest picture of particular information crimes allowed classifying criminalistical investigation tasks to be performed in the expert way as well.
The computer-technical expertise is scheduled to examine computers, their accessories and stored information.
This examination is based on special knowledge in information science and computing technique (computer technologies and software).
The computer-technical expertise objective is to examine computer systems and computer information traffic.
The objects of computer expert examination are as follows:
- Computers, devices, their system blocks, display, printer, modem, keyboard, scanner, manipulator, disk drives^;
- Communication equipment of computers and their network, information magnetic carriers, copies of program and text files, vocabularies of system searching features, classifiers^; and
- Other technical documentation such as technical tasks and reports, electronic notebooks, pagers, other electronic carriers with text or digital information, their technical documentation.
The computer-technical expert examination settles both identification and diagnostic questions. According to its objective, the computer expertise can be divided into two types: 1) expert examination of computers and their accessories and 2) that of software. The expert examination of computers studies characteristics and condition of computers, their external equipment, information magnetic carriers, computer network and reasons of their malfunctions.
The expertise of software is scheduled to examine information stored in the computer and on the magnetic carriers. The computer examination should settle the following questions:
1. What is the model of examined computer? What is the technical characteristic of its system block and external devices? What are the technical characteristics of the computer network?
2. Where and when were the computer and its accessories manufactured and assembled? Was the computer assembled at the factory or in a homemade way?
3. Do the internal and external devices of the computer correspond to the applied technical documentation? Was it modified (for example, use of additional devices, hard disks, increase of operating memory or some configuration changes)?
4. Are the computer and its accessories in the working condition? What is their wearing? What are the reasons of the computer and its external device malfunctions? Do the information magnetic carriers have any physical defects?
5. Was the computer adapted for specific users (left-handed person or that with weak eyesight)?
6. What are the technical characteristics of other devices that accept, store and transfer information (pagers, electronic notebook, and phone server)? Do they work? What are the reasons of their malfunctions?
The computer-technical expert examination can also settle some questions of the identification character:
1. Do the computer accessories (printing chips, magnetic carriers, disk drives and so on) have a single source of manufacture?
2. Did a particular person write the computer program? (The computer-technical expert examination and copyright one settle these questions in a complex manner.)
The data and software expertise settles the following questions:
1. What operating system does the computer use?
2. What information including software is stored on the external and internal magnetic carriers? What is the purpose of that software?
3. How much time does it take from inputting data to outputting results during the work of the computer program, database? Are they licensed products, unauthorized copies or original programs?
4. Were the system product programs modified (in what way) to change some operations (what ones)?
5. Does the original computer product correspond to its technical purpose? Does it operate in a proper way? Were the password, particular file or protecting program used to limit the access to information? What do hidden data include? Were there any attempts to crack passwords and obtain an unauthorized access?
6. Is it possible to restore erased files and defective maganetic carriers with information? What do the restored files contain?
7. What is the mechanism of losing information in the local computer system, Internet and extended databases?
8. Do the computer or particular programs have any malfunctions? What are their reasons?
9. Did the virus (what one) cause the computer malfunctions? Did it affect most of programs or just particular ones? Is it possible to restore the full operation of the virus damaged program or text file? When was the file corrected or software installed last time? What professional training in computer hardware and software does the suspect have?
The following expert examinations can be also scheduled to investigate those crimes:
1. Traceologic (crack traces)^;
2. Dactyloscopic (finger-prints on the external and internal surfaces of the computer and its accessories)^;
6. Technical-criminalistical (when computers were used to forge documents, money and so on).
The expert examination of objects withdrawn during the inquest actions plays an important role in proving circumstances of crimes committed by using computer technologies.
When preparing the above expert examinations, the inspector should realize the possible mechanism of committing computer crimes and their consequences, as well as potentialities of the particular expertise.
1. Ukraine’s Criminal-Procedural Code (with amendments and additions of September 15, 2001). – Kharkov: “Grif”, 2001. – 320p.
2. Ukraine’s Law “Judicial expert examination” // Ukraine’s Parliament Gazette. – 1994. - ¹28.
3. Ukraine’s Supreme Court Plenary Session Decision 8 of May 30, 1997.
4. S. Didkovskaya, N. Klimenko, V. Lisichenko “Preparing and carrying out particular expert examinations”. – K., 1977. – P.7^; A. Shlakhov: “Organizing and conducting judicial expertise”. – M.: Juridical Literature, 1979. – 164p.
5. V. Lisichenko “Features of checking and judging expertise conclusions during preliminary investigation and in court” // Criminal law and judicial expertise. – K.: High School, 1982, Issue 24. – P.30.
6. M. Saltevsky “Principles of investigating crimes committed by using electronic computers: Teaching aid. –Kharkov, 2000. - 35p.
^macro[showdigestcomments;^uri;Legal expertise in investigating cybercrime]