THE TRAINING OF EXPERTS IN INVESTIGATION OF COMPUTER CRIMES
Like many other progressive technologies, computer know-how gives boundless opportunities for both progress and crime. Attacks against networks, fraud, software piracy, technical espionage and distribution of child pornography are only some of the crimes committed on the global information network, the Internet.
Criminal groups are becoming scientifically and technically armed. This is an objective reason for law enforcement to apply modern information technologies and new secret tools of operative detection to combat crime. For example, the PC disks of drug and arms dealers can contain financial data on deliveries and clients. When a criminal uses information technologies to plan or commit a crime, it is possible to retrieve the plan of a murder or theft from the criminal's computer.
To seize computer information lawfully, the requisites are special hardware tools, legal provisions authorizing the installation of such tools, and appropriate training of operative detection teams.
Difficulties mainly emerge at the initial stage of transnational cyber crime investigation [1].
The results obtained by the Center of the Study of Computer Crime and the analysis of law enforcement practice on computer crimes show that computer equipment detected at the scene should be examined in the criminalistic laboratory only by suitably trained experts.
Another question arises here: where can such experts be found if no Ukrainian higher educational establishment trains them? Thus, it is an urgent concern to train and retrain law enforcement teams to combat cyber crime.
As is well known, Donetsk Law Institute, the Ministry of Interior of Ukraine, has already taken a step forward. On September 1, 2001 Humanitarian University, Zaporozhzhye Institute of State and Municipal Management, started teaching the Methods of computer crimes investigation to its students.
II. Main Part
The curriculum of the course cited above provides for 8 themes totalling 81 hours, including 16 hours for lectures, 18 for practical training and 47 for self-training. The purpose of the course «Methods of cyber crime investigation» is to teach the notions and essence of computer information and the main means of its storage and protection, including “Criminal law characteristics of computer crimes”, “Criminalistic characteristic of computer crimes”, “Peculiarities of the initial cyber crime investigation stage”, “Cyber crime investigation at post-initial stages”, “Cyber crime prevention” and “The Methods of prevention and investigation of transnational cyber crimes”.
Theme #1, Subject and Key Notions deals with the subject and key notions of the course including confidentiality, integrity and accessibility of information; reasons for computer crime increase; the role of information security; law enforcement activity to detect and investigate cyber crimes; national policy as to information protection in the automated systems.
Theme #2, Notion and Essence of Computer Information, Main Means of Its Storage and Protection is devoted to the essence of computer information and its difference from other kinds of information; main means for its storage; main transmission mediums; basic means and methods of computer information protection.
Theme #3, Criminal Law Characteristic of Computer Crimes concerns the criminal law characteristic of computer crimes, including the object and subject of computer crimes; the objective element of computer crimes; the subjective element of computer crimes and its subject; aggravating circumstances in computer crimes; differences of computer crimes from adjacent corpus delicti.
Theme #4, Criminalistic Characteristic of Computer Crimes deals with the ways of committing computer crimes and their mechanisms; the ways of concealing computer crimes; instruments (means) of computer crimes; situation and scene of computer crime; traces of computer crimes; data on the subject of a criminal encroachment; data on individuals committing computer crimes.
Theme #5, Peculiarities of Computer Crimes Investigation at the Initial Stage is, to my mind, the key theme of the course, as law enforcement practitioners make mistakes mostly at this stage. It is devoted to control situations, the procedure of obtaining explanations and examining the scene, and typical mistakes made during detective activities within computer crime investigation. We pay great attention to the following mistakes:
1. Inexpert use of computer.
Any investigator must conform to a hard and fast rule: never, under any circumstances, work on a seized computer. This rule presupposes that a seized computer is first of all a subject of expert examination. That is why, until the computer is handed over, it is advisable not even to switch it on, as it is forbidden to run any programs on a seized computer without taking precautionary measures (for example, protecting the log or making copies). If protection is installed on the computer's exit, then switching the computer on may cause its information to be destroyed. Nobody must boot such a computer or launch his own operating system on it.
The measures cited above are urgently needed because it is easy for a criminal to equip his computer with a program aimed at destroying the hard disk content, or with special files, by installing trap programs on the PC or by modifying the operating system. For example, the usual command DIR (document information retrieval), used for displaying a disk catalog, can easily be modified to reformat a hard disk.
Once both the data and the destructive program have been destroyed, nobody can say for sure whether such programs were purposefully installed on the «suspected» computer or whether negligence in processing the computer-based evidence caused the destruction.
2. Access of an owner (a user) to the examined computer.
It is a serious error for an investigator to admit a user to the examined computer to assist with servicing. According to many foreign sources, there have been cases when suspects were admitted to seized computers during interrogation about the computer evidence. Afterwards they told their acquaintances how they had coded files ‘right under the policemen’s noses’ while the policemen had no idea what was going on. Nevertheless, this does not always work now: computer experts make several copies of the information before they admit the suspect to the computer.
3. Failure to examine a computer for viruses and program beetles.
After booting the computer with the operating system from the expert’s diskette or a stand computer, the first thing to do is to conduct a test for viruses and beetles. All the examined diskettes and the hard disk are subjected to this test. An expert engaged in the investigation should test the computer with appropriate software.
The defence must not be given an opportunity to charge the investigation with intentionally infecting the computer with viruses, with incompetence in conducting investigative actions or simply with negligence, as it is impossible to prove that the virus was in the computer before the examination. Such a charge will cast doubt on the expert’s efforts and the reliability of the opinion.
Proceeding from experience, these are the most typical errors made when examining a computer in the investigation of cyber crimes. There is no doubt that the list above does not include all mistakes made when seizing and examining computer information.
Students study appropriate methods and means for avoiding mistakes at the initial investigation stage that can cause computer information to be lost or destroyed.
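The precaution of making copies before anyone touches the data, and the difficulty of proving afterwards what state the evidence was in, can both be addressed by recording a hash manifest of the working copy before examination and comparing it afterwards. The following is an added example, not part of the original course material; the function names and the sample files are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so large evidence files do not fill memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()

def build_manifest(root):
    """Return {relative path: SHA-256} for every regular file under root."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def manifest_digest(manifest):
    """One value to write into the examination record for the whole copy."""
    lines = "".join(f"{h}  {name}\n" for name, h in sorted(manifest.items()))
    return hashlib.sha256(lines.encode("utf-8")).hexdigest()

def compare(baseline, current):
    """List files added, removed or modified since the baseline was taken."""
    common = baseline.keys() & current.keys()
    return {"added": sorted(current.keys() - baseline.keys()),
            "removed": sorted(baseline.keys() - current.keys()),
            "modified": sorted(n for n in common if baseline[n] != current[n])}

def demo():
    """Constructed sample data: a small working copy, then mishandling of it."""
    with tempfile.TemporaryDirectory() as tmp:
        copy = Path(tmp) / "working_copy"
        (copy / "docs").mkdir(parents=True)
        (copy / "docs" / "ledger.txt").write_bytes(b"constructed sample\n")
        (copy / "autoexec.bat").write_bytes(b"@echo off\r\n")
        baseline = build_manifest(copy)          # taken before examination
        untouched = compare(baseline, build_manifest(copy))
        (copy / "docs" / "ledger.txt").write_bytes(b"overwritten\n")
        (copy / "autoexec.bat").unlink()
        (copy / "scan.log").write_bytes(b"tool output\n")
        after = build_manifest(copy)
        return (untouched, compare(baseline, after),
                manifest_digest(baseline) != manifest_digest(after))

if __name__ == "__main__":
    print(demo())
```

The manifest digest recorded at seizure lets a later examiner show that a working copy is unchanged, or pinpoint exactly which files differ.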
Theme #6, Computer Crime Investigation at Post-Initial Stages is devoted to the methods of interrogation of the accused and witnesses; confrontation; the prescribing of expert examinations.
Theme #7, Prevention of Cyber Crimes covers circumstances conducive to computer crimes and ways and means of computer crime prevention.
Theme #8, Methods of Prevention and Investigation of Transnational Computer Crimes involves the problems of transnational computer crime prevention and investigation. It is a usual thing that the area of law is closely connected with the technical one, i.e. the use of internet shields to protect computer systems. The theme also includes the Strasbourg Convention on Cyber-crime [2] and international laws on transnational cyber crime investigation. You can obtain more detailed information on the work program and curriculum of the Methods of computer crimes investigation at our Website [3].
No doubt, along with other crimes, transnational cyber crime poses a great threat to people. To my mind, at the same time the Ukrainians are not fully aware of the threat. However, even our little experience and, all the more, foreign achievements unambiguously testify that any nation is vulnerable to attack. Moreover, transnational cyber crime has no bounds, because attacks against any information system in the world do not require the attacker to be physically present at the site of the attack. As a rule, such crimes transgress the bounds of traditional ones, and very often criminals go unidentified and unpunished. Of special concern is the investigation of crimes whose traces are destroyed or concealed by attackers. Investigation of these crimes can take a week or even a month, which gives an attacker the opportunity to do away with traces and escape punishment.
Here I make some remarks as to the content of the practical trainings. The course provides for 4 practical lessons in computer classes. The subject of the first lesson is “Protection MS WORD files under using access parameters”. Students are supposed to become acquainted with, and learn to use in practice, the standard Microsoft Word methods of protecting files by means of passwords, and to identify passwords by means of the Msofpass.exe utility in order to open files for reading and correcting.
Practical Lesson 2 is devoted to the protection of archive files by means of passwords and to the respective actions that prevent passwords from being identified and files from being unarchived.
Based on the well-known Folder Guard 4.08f program, Practical Lesson 3 involves studying the use of modern software to allocate rights of access to logical drives, files and catalogs.
During Practical Lesson 4 students work on the Internet and apply methods of computer steganography. You can obtain information on the guidelines for conducting the practical trainings of “the Methods of cyber crime investigation” at our Website - http://www.crime-research.org/eng/library.html
Thus, to our mind, in developing the course of the Methods of cyber crime investigation we have taken into account all drawbacks in the professional training of law enforcement staff specializing in cyber crime prevention and investigation.
So not only is responding to fast-growing attacks difficult technically, but many of the accepted methods of practicing law enforcement are also ineffective. An effective solution can only come in the form of an organic balance between criminal law and criminalistic strategies to combat cyber crime. Moreover, given the rapid development and adoption of modern computer technologies, it is of paramount importance to train and retrain law enforcement experts.
Summarizing all of the above, it is necessary to note that other law educational establishments of Ukraine should also take a quick and positive decision on training experts in cyber crime investigation. Establishing the respective specialization within the existing training courses can be a first and immediate step in this direction. Another important requirement is to create the conditions for developing new specializations and training experts and, first of all, faculty staff and experts able to draw up methods, recommendations, textbooks and other materials.
1. V.A. Golubev, V.D. Govlovsky, V.S. Scymbuluke. Information security: the issues as to the struggle against transnational cyber crime. Monograph. Zaporozhzhye: Prosvita Publishing House, 2001, pp. 198-201.
2. Draft Convention on Cyber-crime. Strasbourg, April 27, 2000. Council of Europe. http://www.crime-research.org/library/Draft27.html
3. Curriculum of the Course “Methods of computer crimes investigation”. http://www.crime-research.org/library/Rabprog.htm