Typical inquiry situations and expert ways of their settlement
Date: November 05, 2003
Source: Computer Crime Research Center
By:
Crimes are investigated under specific conditions of time, place and environment, in interconnection with other processes of objective activity and the conduct of persons who find themselves within the sphere of legal proceedings, and under the influence of other factors that are sometimes unknown to the inspector. Together, this complex system of interactions forms the concrete atmosphere in which the inspector and the other participants in the investigation work and in which a particular act of inquiry proceeds. In the science of crime detection, this is generally called the “inquiry situation”.
The inquiry situation as a whole forms a dynamic system that changes constantly under the influence of objective and subjective factors. The objective factors are causes independent of the investigation participants that change the situation; the subjective factors are generated by the actions and conduct of the investigation participants and of other persons involved to some extent in the legal proceedings.
Analysis of the detection and investigation of crimes committed using computers showed that typical reference inquiry situations depend considerably on the facts to be established and proved. The following groups of inquiry situations can be distinguished according to this principle.
The first group combines crimes whose subject is a computer. The typical expert objectives are to make both a complex diagnosis of the computer system and separate examinations of hardware, software and dataware. For example, the following facts and circumstances should be established: 1) actions connected with unauthorized access to data and performed in respect of computer information stored in autonomous computers and their networks; 2) actions performed in respect of computer information stored in built-in and integrated computer devices (credit cards, portable phones or cash registers).
In the second group, the computer is both the subject and the object of the crime. The expert objectives are to reveal and examine software functions and to diagnose the algorithms and the actual condition of the program. For example, the facts and circumstances of producing and spreading detrimental programs should be established.
The third group combines inquiry situations where the computer is a subject in committing and/or concealing a crime. The expert objectives are to diagnose the software and to determine the features and condition of the dataware. Characteristic examples are expert examinations in detecting and investigating crimes committed using computers (swindle, counterfeiting of money, false business and others).
The fourth group includes inquiry situations where the computer is a source of information meaningful to experts in crime detection. The main expert objectives are to diagnose the computer information and to study its original condition and the chronology of the actions that influenced it. Typical examples are establishing the facts and circumstances of crimes in which computers were not used to commit them but served as carriers of important information.
An expert examination of software, hardware or dataware should be made to obtain full data on the facts to be established and proved.
How can the facts and circumstances of unauthorized access to computer information stored in personal computers and networks be established?
1. Two officials from one of the depositary companies formed a criminal group to withdraw securities of a large joint-stock company from the accounts of physical persons. They illegally penetrated the company computer network that kept records of shareholders and their shares. The accomplices modified the accounts containing the company shares through illegal manipulations (entering data showing a negative number of shares on physical persons' accounts). The criminals then transferred the stolen and fictitious shares to new accounts in other depositary establishments and sold them. Examination of the computer network and of the database holding the bookkeeping information on shares in physical persons' accounts established evidence of unauthorized changes to the number of shares on stockholders' accounts, the introduction of negative accounts and so on.
2. The joint-stock company “City telephone network” received some complaints from its Internet clients about increased payments. The preliminary investigation and search activity showed that Mr. S. had used the Internet at the expense of officially registered users. During a search of his home, compact disks and the system unit of his personal computer were seized from Mr. S. The expert searched the files on the hard disk (Winchester) for evidence of remote access to the network. Some of them turned out to be modem connection records of remote network access. These files contained information on the connection date, time, phone numbers, rate, and data received and sent. Study of the information revealed made it possible to prove that Mr. S. had taken part in obtaining access to the Internet at the expense of officially registered users. The expert examination of the compact disks established the presence of programs for selecting and breaking users' names and passwords for Internet access.
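A reconciliation check of the kind the database examination in the first case implies, as an added example (not from the original article): it replays a transfer journal over opening balances and flags negative holdings and balance changes that have no journal entry. The account IDs, record layout and all figures are constructed assumptions.

```python
# Added example: reconciliation audit of a share register (constructed data).
from collections import defaultdict

ISSUED_TOTAL = 1000  # constructed: number of shares issued by the company

# Constructed sample data; account IDs and field layout are hypothetical.
OPENING = {"A-001": 400, "A-002": 350, "A-003": 250}
JOURNAL = [  # (from_account, to_account, quantity) transfers found in the journal
    ("A-001", "A-002", 50),
]
# Register as found at examination time: one negative holding, one new account.
CURRENT = {"A-001": 350, "A-002": 400, "A-003": -150, "X-900": 400}


def expected_balances(opening, journal):
    """Replay the recorded transfers over the opening balances."""
    bal = defaultdict(int, opening)
    for src, dst, qty in journal:
        bal[src] -= qty
        bal[dst] += qty
    return dict(bal)


def audit_register(opening, journal, current, issued_total):
    """Return negative holdings, unjournaled changes and the total check."""
    expected = expected_balances(opening, journal)
    findings = {"negative": [], "unjournaled": [], "total_ok": None}
    for acct in sorted(set(expected) | set(current)):
        have = current.get(acct, 0)
        want = expected.get(acct, 0)
        if have < 0:
            # A holding can never legitimately be below zero.
            findings["negative"].append(acct)
        if have != want:
            # Balance differs from what the journal explains: (account, expected, found).
            findings["unjournaled"].append((acct, want, have))
    findings["total_ok"] = sum(current.values()) == issued_total
    return findings


if __name__ == "__main__":
    print(audit_register(OPENING, JOURNAL, CURRENT, ISSUED_TOTAL))
```

In the sample the register total still equals the issued amount, because the negative holding offsets the fictitious shares; a total-only check would therefore pass, and the per-account checks are what expose the change.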
The facts and circumstances of unauthorized access to computer information are also established by examining pagers and portable phones (integrated systems) and cash registers, immobilizers or cruise controllers (built-in systems based on microcircuit controllers).
1. Mr. M. purchased some cell phones and modified them with special program microcircuits that allowed obtaining illegal access to the computer information of the cell connection company and copying the personal and subscriber phone numbers of its legal users. This re-equipment allowed Mr. M. and his accomplice to copy 60 legal users’ phone numbers of the well-known CTC Company. Mr. M. then often obtained unauthorized access to this company's data, spoke freely over the telephone and gave the same opportunity to third persons. Some technical devices were seized during the investigation. The objects of the expert examination were cell phones with automatic scan, cell cashboxes (a combination of scan, computer and cell phone) and personal computers, on which the experts revealed data on stolen individual numbers, connection layouts for re-equipping portable phones, and instructions on inputting/outputting users’ individual numbers into/from the electronic notebook of the cell phone. The results of the expert examination were of great importance in bringing accusations against the suspected persons.
2. Every day from 5 till 7pm, by prior arrangement, Mrs. T. and K., officials from a privately owned enterprise, connected a homemade microcomputer to the special jacks of cash registers. It allowed obtaining access to data on the financial operations conducted through the cash registers during the current shift. The expert examination of this homemade device showed that all information on previous financial operations, including the purchase number and shift earnings, had been destroyed when the device was connected to the cash register buffer storage. After this manipulation, the sale outlets of this privately owned enterprise kept working, accumulating information on financial operations in the buffer storage till 9pm. After that, understated data on shift earnings were entered in the fiscal memory of the devices. The expert examination established the principle of operation of the homemade device: the device microcircuit sends the single-chip computer of the cash control unit a command to “clear” the fields of operative memory holding all money and operation registers, as well as the operative data on the current shift. The expert’s conclusions made it possible to prove the fact of unauthorized access to law-protected fiscal information stored in the cash register.
Model situations with evidence of manufacturing, using and spreading detrimental programs can be as follows:
1. The most typical situation involves establishing the presence, on computer compact disks, of detrimental programs that cause illegal destruction, blocking, modification or copying of information, interference with the work of electronic computers and so on. These disks are sold at radio markets or spread privately. Thus, Mr. P. was arrested in one of the pedestrian subways while selling “99 Hacker Pro” compact disks. During a search of his home, some “Super Hacker” and “Internet Free Access” compact disks, as well as a personal computer with CD-RW, were seized from him. The expert examination of these disks established the presence of many Trojan viruses that allow obtaining unauthorized access to official fields of computer hard disks and copying hard disk (Winchester) sectors, damaging CMOS memory parameters and so on. The study of the possibilities for producing CD-Rs established that the seized CD-RW and the device used to manufacture these disks were identical.
Investigative and expert practice also knows situations in which viruses are spread over electronic networks. Mr. F. used his home computer and modem, together with the corresponding software for an electronic advertisement board and for data exchange with remote users, to spread through the city phone network some viruses downloaded from the Internet. These files were placed on the advertisement board as unique service utilities and patches for well-known programs. The expert examination of the seized computing equipment established the facts and circumstances of producing and spreading the virus programs. The detailed examination made it possible to restore most of the files that the criminal had tried to damage through physical destruction of the computer hard disk. The technically correct investigation materials including expert examination results allowed...