Computer Crime Research Center

library/gva2.jpg

Tactical features of inquiry actions at computer crime investigation

Date: October 15, 2003
Source: Computer Crime Research Center
By: Vladimir Golubev

The specific and comparatively new object of investigation – data stored in the computing technique means or processed by them, stipulates tactical features of inquiry actions (examination, search, withdrawal or expert examination) to reveal and research material sources of criminalistical information. However, there is a lack of full and scientific recommendations developed with the regard for ways of committing and concealing computer crimes and typical organizational or inquiry situations to investigate them.

V.Vekhov, V.Kozlov, V.Krilov, M.Selivanov, V.Rogozin and other authors devoted their works to criminalistical problems of investigating computer crimes.

Establishing main lines of investigation and tactical features of particular inquiry actions depends on the character of output data. In this connection, many attempts have been made in the juridical literature to systematize output data. It resulted in the concept of output inquiry situation [1]. This means information environment formed objectively on the initial stage of investigation, as well as situation and conditions of carrying out it.

Different inquiry situations can be formed during the investigation of crimes committed by using electronic computers, their systems and networks depending on the character of output data. While considering the initial stage of information crime investigation, I.M.Shumilov singles out five types of inquiry situations subject to the character of output data:

- Proceedings are instituted through inspecting materials involving indications of corpus delicti in the sphere of information security:

- Proceedings are instituted through physical or juridical person’s application or appeal;

- Proceedings are instituted through materials of the press, other mass media or public addresses;

- Proceedings are instituted through the fact of technological consequences connected with causing material damages and/or human deaths;

- Proceedings are instituted against a person (-s) arrested when fulfilling actions containing signs of information crimes [2].

V.Krilov marks out three inspecting situations and calls them typical inquiry ones:

1. The owner of information system has revealed independently the violation of (confidential) information integrity in the system, a guilty person and informed law enforcement bodies about it.

2. The owner has revealed without any assistance the mentioned violations in the system but could not discover a guilty person and informed law enforcement bodies about it.

3.Data on the violation of (confidential) information integrity in the information system and a guilty person have become generally known or directly revealed by inquiry agencies (for example, when taking search measures for the other case) [3].

The above things do not exhaust the whole variety of inspecting situations because the fact of crime commitment can be revealed not only by the owner of information but also, for example, an operator. However, it does not point out that the fact of access has become generally known.

To settle inquiry situations formed after instituting proceedings the following inquiry actions are carried out: interrogation of witnesses, search of rooms, questioning of the suspected person, expert examination, inspection through inquiry, search and criminalistical information.

The specific character of using, accumulating and storing computer information on the different carriers establishes features of particular inquiry actions. It is worth emphasizing those containing maximum information density from the standpoint of obtaining the largest amount of evidentiary information.


Obligatory preparing measures taken before going to the place of inquiry actions are as follows:

- Finding out crime details (where, when, what evidences point at the computer crime that has been already committed or is being currently committed, who has revealed these indications and who has informed about this offence);

- Informing about the crime and sending for officials from corresponding interested services (USS, MIA and so on);

- Taking measures on maintaining environment, integrity of computer system, preventing from penetration into examined rooms (refusal of help offered by officials of suffered organization, blocking and guarding rooms and so on);

- Inviting specialists preferably from another organization, an expert and attesting witness. The list of experts who can really help the investigation should be made out beforehand;

- Explaining to attesting witnesses their duties (Ukraine’s CPC Article 127) and warning them not to divulge known data on the primary investigation (Ukraine’s CPC Article 121);

- Explaining to experts who takes part in the examination their rights and duties (Ukraine’s CPC Articles 128, 128-1), warning them about the responsibility for refusal or evasion from their duties.


Scientific-technical means should include portable computers to browse operatively machine carriers of information. Up-to-date technical means give an opportunity to make video-recording and photos at the same time converting them to digital (computer) form, the image quality and maintenance remaining fixed, i.e. not becoming obsolete during reusable copying. Thus, specially selected software is also an integral part of scientific-technical means required to carry out these inquiry actions.

- Checking the effectiveness of blocking and guarding rooms, making unauthorized persons go out;

- Clearing up the quantity of rooms with computer technique, its location and sharing in the different rooms;

- Interrogating eyewitnesses, persons who revealed consequences of computer crime or officials of Computer security service (if available);

- Planning the examination (establishing sequence and order of own actions and those of examination participants).

In our opinion, depending on specific characteristics of these crimes and according to procedural regulations it is worth considering interrogation of a victim (or his representative), suspected person and expert. We think that interrogations can give more information on committed computer crime on the initial stage of investigation.

Taking decision to interrogate a concrete person as a witness, the inspector must predict in advance, what information (including that of a technical character) the interrogated person can give him. According to it, the complex of questions should be thought over in advance.

During the preparation for questioning the inspector can use the help of the expert in computer technique. To our mind, it will favor understanding the essence of the investigated crime, establishing the circle of circumstances to be proved, preparing material evidences and other materials that require following special conditions and rules of storage, transport and further treatment that will minimize the risk of damaging or losing them when carrying out inquiry actions. At the preparation for planning interrogation steps, it is necessary to:

- Clear up specific character of the case and, especially, technical aspects of preparing and realizing delinquent motives;

- Establish circumstances that require specifying information. This can be data on the suffered side, technical and design features of computer systems that were influenced, means of computing technique that was used by the criminal and interrogated person (victim, suspect and so on);

- Formulate the most difficult questions, no slips of the tongue being admitted.

- In such a specific field of knowledge as computer technique when freely using special terminology, a criminal can easily conceal his competence or vice-versa show himself more experienced than he is in reality. Questions to be put and their sequence should be so that an interrogating person can control the authenticity of obtained answers. Thus, an expert, for example, in software and hardware computer means can be very useful on the stage of preparing questions;

- Prepare evidentiary and other materials to present if necessary and protect them properly;

- Prepare scientific-technical means to fix the course of inquiry action.

The real investigation situation can help choosing place and time of the interrogation and its sequence relative to the other inquiry actions.

The law distinguishes three types of search: in rooms, in the locality and personal one. Before and during the search of rooms with computer technique the specific character of computer information should be taken into account. Let us cite specific tactical ways, which, in our opinion, assure the effectiveness of searching and withdrawing computer information when carrying out the above inquiry actions.

According to V.V.Agaphonov, in the process of preparation for the search [4] (before leaving for the place of search) it is necessary to:

- Clear up what computer technique is in the place of search and its quantity;

- Find out if the device of autonomous or uninterrupted power supply is applied together with computer technique and what consequences the interruption of electric power can cause;

- Invite an expert in computer systems because his knowledge can be useful when preparing for the search, as well as analyzing operatively information and withdrawing it skillfully from the computer;

- Prepare corresponding computer...
Page 1 2 3 Next
Add comment  Email to a Friend

Copyright © 2001-2024 Computer Crime Research Center
CCRC logo