Peculiarities of search tactics during investigation of computer crimes
Date: October 15, 2003
Source: Computer Crime Research Center
By:
... criminals settle down after the first search, and persons to whom certain evidence was temporarily entrusted try to return it to its direct owners as fast as possible.
The first peculiarity is the involvement of an expert in the search. As a rule, the inspector does not have wide experience or knowledge in the field of computers and information technologies, so without a specialist's help he can commit further irreparable errors while examining the technical equipment, locating the necessary information and/or seizing it.
A survey of inspectors and computing specialists showed that only 14% of inspectors work with computers as users, and 56% know nothing about the principles of computer operation. On the other hand, 92% of the programmers surveyed think that at the present level of development of computing machinery it is very difficult to find information "hidden" in a computer without an expert's assistance.
The participation of experts, or of persons well informed about the circumstances of the event under investigation, in the investigative actions is also, as a rule, unexpected for those who oppose the investigation, and it favours establishing the truth: their presence makes it difficult to give false or inexact information or to hold to a position already taken, and convinces of the uselessness of any attempt to delude the investigation. This is confirmed by the interrogation of convicted persons: in 17% of cases they were surprised by the circle of persons taking part in the investigative actions.
At the same time, when enlisting an expert, the inspector should make sure of his competence. Despite the widespread contrary opinion, there is no such thing as an "expert in computers"; one can only say that there is an expert who knows particular computer systems. So, for example, an expert in the MS DOS operating system does not always know Windows NT, and a skilled user of a personal computer cannot necessarily handle large computing complexes.
Therefore the required knowledge of a specific expert should be verified according to the purposes and targets of the inspection, taking into account the initial information on the nature of the crime.
Let us also note that, as mentioned before, people experienced in computers should take part in the examination of these objects as witnesses. Their participation in this investigative action is obviously required in order to exclude later claims by interested persons that the inspector altered the information contained in the computer and on the magnetic carriers while examining it.
On arrival at the place of examination the inspector has to begin by barring all persons working there from access to the computing equipment. Then he should take measures to detect and lift fingerprints left on the drive latches, power supply switches, body sections near the screws fastening the case cover, the keyboard and mouse, port connections and network cards, as well as the buttons of printing devices; criminals usually leave their fingerprints in these places. In addition, unauthorized persons can enter the premises where computers are installed by breaking and entering or by selecting keys, as well as passwords to electronic locks, which can also retain fingerprints. While examining the cable connections it is necessary to make sure they are intact and that there are no signs of an extra, unauthorized connection.
Given the possibility of committing crimes through telecommunication and local computer networks, it is necessary to establish the location of all computers in the network, the specific purpose of each computer, whether there is a server, the routing of the cables, and the telecommunication devices (modems, fax-modems), their location and their connection to the telephone lines.
It is also necessary to ascertain whether special means of protection against unauthorized access to information are present, and to take measures to establish the keys (passwords). Note that suddenness of action is often decisive, since computer information can be destroyed quickly (including over the network); therefore, when computers are combined into a system, a group search-inspection should be organized simultaneously in all the premises where they are installed.
During the inspection of computing equipment its direct objects can be: separate computers that are not part of local or global networks; workstations (computers) forming a system; the file server, i.e. the central computer of the network; network communication lines; connecting cables; printers; modems; scanners and so on.
During the direct inspection of a computer, the system unit should be examined to determine which external devices are connected to it at the given moment and which could have been connected earlier (the connectors on the rear of the system unit indicate this). Later this information will help put more exact questions to the expert when an examination is appointed, indicate a direction for the search and probably facilitate it. Thus the presence of a modem means that the computer is linked to a network, i.e. it has an e-mail program and one for working with the Internet; the presence of a scanner and a connector for it means that the computer's memory may hold graphic files containing a scanned image or text; the presence of a sound card indicates the possibility of processing sound information and storing sound files; the presence of a floppy drive indicates that floppy (soft magnetic) disks containing information should be looked for; analogously, the presence of a compact-disk drive signifies the need to search for laser disks; and the presence of an electronic key (a compact electronic attachment the size of a match-box, which can be mounted on the parallel or serial port (computer connector)) means that information is protected by it.
Let us now turn to the peculiarities of searching working and non-working computers.
While searching and inspecting a working computer it is necessary:
- to establish which program is running at the moment. The image on the monitor screen should be studied and described in detail in the record; if necessary, the image on the display screen can be photographed or videotaped;
- to stop the program and fix the results of this action in the record, reflecting the changes that occurred on the computer screen;
- to determine whether the computer has external devices: information storage on hard magnetic disks (Winchester), floppies and ZIP devices, a virtual disk (a temporary one created at computer start-up to speed up its work), and to reflect the data obtained in the record;
- to determine whether the computer has external devices for remote access to the system and assess their condition (linkage to a local network, presence of a modem); after that, disconnect the computer and switch off the modem, and reflect the results of these actions in the record. An electronic key allows the protected programs and data to be used only in its presence;
- to save the programs and files created on the virtual disk (if there are any) on a magnetic carrier or in a separate directory on the computer's hard disk;
- to save all information stored on the hard disk onto a portable disk of very high capacity (DVD type) or even an extra hard disk for further research under laboratory conditions. All actions of connecting a high-capacity DVD-type disk or a supplementary hard disk and saving information are fixed in the record. To study information saved on floppy disks it is also necessary to make copies of them; an exact copy can be obtained with the DOS command diskcopy, which produces a practically identical floppy. Subsequent work is done with the copies of the information. Working with copies keeps the original information intact, which, first, is to some extent a protection against forgery; secondly, there are situations in which even very experienced users lose information, for example through a sudden power cut, so part of the information could be lost unintentionally during the examination; and thirdly, it gives the opportunity to carry out a repeated or additional examination later if necessary;
- to switch off the computer and continue the search.
Before cutting off the power supply it is necessary to close correctly all programs running at the moment and, as far as possible, to save all intermediate information (texts, status data, clipboard contents and so on) in special files, preferably on separate floppies, otherwise on the computer's hard disk. The names of these files, the kind of information saved in each, and the location of the files (floppy name and label, or the logical disk and directory on the computer's Winchester) must be indicated; then switch off the affected computer and, if there is a network, turn off all computers in the network. If this is impossible because of the peculiarities of the system's operation, all measures should be taken to exclude access to the information on the given computer, to copy it as far as possible, and to record all changes to the information that occur afterwards.
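One way to produce the verifiable copies that the steps above call for, as an added example that is not from the original article: on a Unix-like host, dd and sha256sum stand in for the DOS diskcopy the text mentions, the copy is hashed on both sides and the hashes go into the record, so a later (repeated or additional) examination can prove the working copy is still identical to the seized carrier. The 1440 KiB "floppy" is a constructed file, and the record file and function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the article): bit-for-bit copy of a seized carrier,
# hashed on both sides so the record proves the copy matches the original.
# Assumes a Unix-like host with dd, sha256sum, grep, sed and date (coreutils).
set -e

# Constructed stand-in for a seized 3.5" floppy: 1440 KiB of random bytes.
make_sample_carrier() {
    dd if=/dev/urandom of="$1" bs=1024 count=1440 2>/dev/null
}

# SHA-256 of a carrier or image, in the form the record cites it.
carrier_hash() {
    sha256sum "$1" | cut -d' ' -f1
}

# Copy SRC to DST sector by sector (512-byte blocks; an unreadable sector is
# zero-padded instead of silently dropped, and dd's own record counts and any
# read errors are appended to RECORD). Then write the hashes of original and
# copy into RECORD. Returns 0 only if both hashes match.
forensic_copy() {
    src=$1; dst=$2; record=$3
    src_hash=$(carrier_hash "$src")
    dd if="$src" of="$dst" bs=512 conv=noerror,sync 2>>"$record"
    dst_hash=$(carrier_hash "$dst")
    stamp=$(date -u +%Y-%m-%dT%H:%M:%SZ)
    printf '%s original=%s sha256=%s\n' "$stamp" "$src" "$src_hash" >>"$record"
    printf '%s copy=%s sha256=%s\n' "$stamp" "$dst" "$dst_hash" >>"$record"
    [ "$src_hash" = "$dst_hash" ]
}

# Later check, e.g. before a repeated examination: does the working copy still
# match the hash written into the record? Returns 0 if unchanged, 1 if altered
# or never recorded.
verify_against_record() {
    copy=$1; record=$2
    recorded=$(grep -F -- "copy=$copy " "$record" | tail -n 1 | sed 's/.*sha256=//')
    [ -n "$recorded" ] && [ "$(carrier_hash "$copy")" = "$recorded" ]
}
```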
While examining a non-working computer it is necessary:
- to...