Peculiarities of search tactics during investigation of computer crimes
Date: October 15, 2003
Source: Computer Crime Research Center
By:
... it is necessary:
- to establish and reflect in the record and the scheme attached to it: the location of the computer and its external devices (printer, modem, keyboard, monitor); a description of every device (name, serial number); its configuration (the availability and type of drives, network cards, connectors); the presence of a connection to local computing networks and/or communication networks; the condition of the devices (intact or with traces of opening);
- to describe exactly the order in which the mentioned devices are interconnected, if necessary marking the connecting cables and the ports they are attached to, and only after that to disconnect the computer devices;
- while inspecting the computer, to determine with the expert's assistance whether there are any extraneous devices inside the computer, whether microcircuits have been removed, and whether the external power supply source (accumulator) has been disconnected;
- to pack magnetic carriers, indicating in the record the place where they were found. Both special cases for floppies and ordinary paper or cellophane packets, which protect the working surfaces of the floppy or magnetic tape from dust (dirt), can be used for packing;
- to pack every computer device and connecting cable. To exclude access by unauthorized persons, it is necessary to seal the system unit: protective tape is applied over the computer's power button and the socket for the electrical cable, as well as over the joints between the side surfaces and the front and rear panels.
If during the inspection and withdrawal of computing equipment it becomes necessary to switch on the computer, it should be booted from a boot floppy prepared beforehand, thereby preventing user programs from starting.
The search record must reflect:
- the number and arrangement scheme of working places, computing equipment and places for storing machine-readable information carriers;
- the location of the given room in the office, the presence of an alarm, the condition of window openings and doorways (technical condition, damage), locking devices, screening means of protection;
- the position of switches on the blocks and devices of the computers;
- the places where external devices are connected (for example, the connecting cable between the communication ports of the printer and the computer system unit), the screws fastening the case cover, and the surfaces under the system unit, monitor and other devices. These places usually collect a lot of dust, so traces may be left there; their character or absence is reflected in the record;
- the availability and condition of all marks, seals, special signs and stickers (inventory numbers) on the cases and computer devices, as well as dirt, mechanical damage and their location;
- the condition of indicator lamps and the data displayed on the monitor (if the computer is switched on); it is necessary to take into consideration that special static pictures, screen savers, which can be protected with a password, are used in most computers to prevent screens from burning out. The type of this saver must be noted in the record as well;
- the availability and content of notes concerning the work of computing equipment. They can contain information on procedures of computer system input/output, access passwords and so on;
- the presence of extraneous equipment and various devices inside the computers;
- traces of tampering with the information protection system and other signs of influence on the electronic equipment (mechanical damage);
- the place where every computer information carrier was detected; the character of its package (envelopes, special box-case for storing floppies, foil and others); stickers and inscriptions on the package; type and size (in inches); manufacturer and type of the computer for which the detected carrier is intended; attributes (condition of the means of protection from deletion, scratches, cuts and various damage).
In addition to the record, and besides making a plan of the arrangement of computers and external devices in the premises and of the connection of computers in the network, it is advisable to capture the information on the monitor screen and the indicator lamps of all devices in the computer system by means of video recording and photographing, the results being entered in the record.
Carriers of information connected with the investigated event can be withdrawn during the inspection, observing the order set by the Criminal Code. It is necessary to remember that such carriers of machine information as hard magnetic disks (Winchesters), optical disks, floppies and so on should be handled very carefully: do not touch the working surface of disks with hands; do not expose them to electromagnetic impact; do not bend them and do not store them without proper packaging; make no marks with a fountain-pen or hard pencil (it is admissible to make explanatory notes with a soft-tip pen on the sticker); do not punch holes in the magnetic carriers or stamp them.
CH, which the inspector did not consider necessary to withdraw during the examination, should be sealed by gluing a sheet of paper with the signatures of the inspector and witnesses over the power supply connectors and the case, or the whole system unit should be sealed. This is done to exclude the possibility of the computer being switched on and used for the period the inspector requires, given the concrete circumstances of the investigated case, as well as access to the external part of the system unit.
It is advisable to summarize the systems of tactical methods used while searching. Structurally, a system of methods is characterized by its corresponding elements. Thus, within the system of tactical methods directed at communicating with the searched person, the following tactical combinations are worth singling out:
1) which favors removing obstacles and counteractions of the searched person;
2) which stimulates the searched person to talk with the inspector;
3) which favors establishing a psychological contact with the searched person and obtaining from him information sought for.
The tactical combination, which stimulates the searched person to talk with the inspector, covers:
1) verbal reconnaissance;
2) involving the searched person in the activity;
3) asking “neutral questions”;
4) asking “more precise questions”;
5) showing definite objects of search.
The tactical method system, which is directed at carrying out search actions, includes:
1) study of a search object;
2) analysis of situation in the search place;
3) direction of attention towards professional skills of the searched person;
4) use of opportunities of standard analogues;
5) analysis of signs of a search object;
6) comparison of a search object with various objects in the search place;
7) analysis of the place/locality;
8) analysis of detected evidences.
A survey of inspectors from the Ukrainian Office of the Public Prosecutor and the Ministry of Internal Affairs showed that, in their opinion, the tactical methods that favor the effectiveness of a search include:
- direction of attention towards professional skills of the searched person (62%);
- study of a search object (48%);
- analysis of revealed evidences (46%);
- use of opportunities of standard analogues (38%).
The analysis of the problem of search tactics in the investigation of computer crimes gives reason to conclude that the Ukrainian Criminal Code needs amendments which regulate the order of consolidating and withdrawing evidence in the sphere of computer information, set professional skill requirements for an expert who takes part in the search, and fix the circle of witnesses or, taking into account the specific character of the crime, exclude their participation.
