Tactical features of investigative actions in computer crime investigation
Date: October 15, 2003
Source: Computer Crime Research Center
- Prepare the appropriate computer equipment that will be used to read and store the seized information;
- Study the personality of the computer owner and his knowledge of computer equipment;
- Establish the time of the search and the measures that will keep it confidential;
- Anticipate the nature of the information likely to be on the computer and its role in a quick and effective search. Decide what information should be examined on the spot and what should be seized for further investigation.
First, guarding of the computers should be organized at the initial stage of the search. No one in the room may be allowed near them. Note that data can be changed or destroyed not only by using the keyboard but also by switching the computer on or off. Therefore, if the computer was switched on when the group entered the room, it should remain on until the expert examines it. Any attempt to manipulate the computer or keyboard (including switching the computer on or off) should be treated as an attempt to destroy information in the computer and must be noted in the record.
In the examination phase of the search, it is necessary to:
1) Find out whether the computers in the room are connected to a local network;
2) Establish whether the computer is connected to equipment or computers outside the searched room;
3) Determine whether the computer is connected to a modem;
4) Find out whether any programs are running on the computer and which ones. For this purpose the screen image should be studied and described in detail in the record. The signs that the computer is not waiting for the next command but is completing previously given instructions can be as follows:
a) Information on the screen that characterizes the program's action. It can be a message such as “Testing” highlighted by color or brightness, or a highlighted item of a menu shown on the screen;
b) A special image that changes on the screen (a running line, a moving sign and so on);
c) A blinking indicator of the hard disk, CD-ROM or floppy drive (this LED is always on the front panel, and its lit or blinking state shows that information is being exchanged with the medium), and the distinctive crackling and rustling noise of CD-ROM and magnetic drives. The same signs of working storage devices are typical of external ones in a separate case. If it is established during the investigative actions that programs are running on the computer, the expert should take measures to suspend them;
5) Establish whether the computer contains information that can help the investigation. Only the expert can perform this action competently, by examining the information stored on the hard disk.
The detailed stage of the search is very laborious and requires considerable experience not only from the computer systems expert but from the entire investigating group. In addition to the special actions with the computer, it is necessary to organize search measures to reveal hiding places containing ordinary documents and objects. The computer itself can be viewed as such a hiding place.
Most of the information stored and processed by a computer can always be copied onto portable storage media, namely floppy disks. If the expert has no opportunity to look through the floppy disks on the spot, they should be seized for further investigation, observing all procedural rules.
In addition to floppy disks, CD-ROM (laser) disks and tapes can be used to store information. Laser disks do not differ in form from audio and video disks, which makes it possible to keep them among a music or video collection.
The same applies to tape and video cassettes. In most cases tapes for recording computer information have quite non-standard sizes, somewhere between an audio cassette and a video cassette. However, there are some tape drives (in computing they are called streamers) that record information in computer format onto standard audio or video cassettes.
The search for hiding places containing magnetic media (floppy disks, CDs or tapes) is further complicated by the impossibility of using a metal detector or X-ray apparatus, because their use can destroy the data on the media. Magnetic media are usually stored in protective metal boxes to prevent accidental erasure.
Storage media can be seized and added to the criminal case as material evidence in accordance with the procedure established by the Criminal Procedural Code.
If the computer remained switched on during the search, the programs and data files stored on its virtual disk or in main memory (RAM) should be copied onto a magnetic medium.
When a large amount of computer information cannot be analyzed quickly, it should be seized for further investigation. The information can be copied onto the hard disk of the investigating group's personal computer.
Data can also be copied onto a CD by means of a CD-RW drive.
Media holding the copied information should be properly wrapped and sealed.
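One way to make the copying step above checkable after the media are sealed, as an added example that is not part of the original article: every copied file is recorded with its SHA-256 hash in a manifest that can be kept with the record, and the copy can be re-verified against it later. The hashing step, the function names and the sample files are assumptions of this example; the article itself does not mention hashes.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path

def sha256_file(path, chunk=1 << 20):
    """Hash in chunks so large evidence files do not fill memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()

def copy_with_manifest(source, dest):
    """Copy every file under source to dest; return {relative path: sha256}."""
    manifest = {}
    for src in sorted(p for p in source.rglob("*") if p.is_file()):
        rel = src.relative_to(source)
        out = dest / rel
        out.parent.mkdir(parents=True, exist_ok=True)
        expected = sha256_file(src)
        shutil.copy2(src, out)  # copy2 also carries the timestamps over
        # Re-read the copy so a bad write is caught before the medium is sealed.
        if sha256_file(out) != expected:
            raise OSError(f"copy of {rel} does not match the original")
        manifest[rel.as_posix()] = expected
    return manifest

def verify_copy(dest, manifest):
    """Return relative paths that are missing, altered or not in the manifest."""
    problems = [rel for rel, digest in manifest.items()
                if not (dest / rel).is_file() or sha256_file(dest / rel) != digest]
    present = {p.relative_to(dest).as_posix() for p in dest.rglob("*") if p.is_file()}
    return problems + sorted(present - set(manifest))

def demo():
    """Constructed sample: copy two files, then alter one copy and add a file."""
    with tempfile.TemporaryDirectory() as tmp:
        src, dst = Path(tmp, "seized"), Path(tmp, "evidence_copy")
        (src / "docs").mkdir(parents=True)
        (src / "docs" / "ledger.txt").write_text("constructed sample data\n")
        (src / "notes.txt").write_text("constructed sample note\n")
        manifest = copy_with_manifest(src, dst)
        clean = verify_copy(dst, manifest)
        (dst / "notes.txt").write_text("altered after copying\n")
        (dst / "planted.txt").write_text("added after copying\n")
        return clean, verify_copy(dst, manifest)

if __name__ == "__main__":
    print(demo())
```
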
If the investigating group has no personal computer with a CD-RW drive, it suffices to seize the hard disk(s) from the computer found, observing all procedural rules. The seizure should be video recorded.
If the investigating group has no computer expert capable of competently removing a hard disk, the whole system unit should be seized from the computer. In some cases it is possible to seize a printer, but, unlike with a typewriter, identifying printed output is quite difficult even in the case of a dot-matrix (needle) printer. According to M.G.Sharukhnov, this analysis is practically impossible for laser or inkjet printers [5].
If there are not many computers at the place of the search, or the expert doubts that the computer information can be examined when only the system unit is seized, the whole computer should be seized. In addition, it is necessary to describe exactly how the computer devices are interconnected, carefully wrap every device and connecting cable, and photograph the computer system.
In the final phase of the investigation, the record and account are drawn up, the plan and scheme of the searched room are drawn, and additional photographs and video recordings are made.
Various expert examinations, including criminalistic, economic or evidentiary ones, are assigned and carried out at the initial stage of investigating illegal interference with the operation of computers, systems and computer networks. Assigning and carrying out these examinations is not difficult. The computer-technical expert examination, however, is a new kind of professional examination, and carrying it out has some specific features. This is explained by the shortage of suitable experts and of developed procedures for particular kinds of this examination.
The set of expert examinations assigned when investigating illegal interference with the operation of computers, systems and computer networks can vary and depends on the method and mechanism of the crime.
Considering the computer-technical expert examination as an independent kind of court examination belonging to the class of technical ones, E.R.Rossinskaya distinguishes two kinds of it: the technical expert examination of computers and their accessories, and that of data and software [6]. The technical expert examination of computers and their accessories is carried out to study the design features and state of the computer, its peripheral devices, magnetic media and computer networks, and the causes of malfunctions of this equipment. The data and software expert examination is carried out to study the information stored in the computer and on magnetic media.
We can single out the following kinds of computer-technical expert examination, which are assigned when investigating crimes committed using computers, systems and computer networks:
- Technical expert examination of computers and peripheral devices. It is assigned and carried out to study the technical features of the computer and its peripheral devices, the technical parameters of computer networks and the causes of malfunctions of the computer equipment;
- Technical expert examination of devices that protect computer information. It is carried out to study the technical information protection devices used at the given enterprise, organization, institution or firm;
- Expert examination of computer data and software. It is carried out to study the information stored in the computer and on magnetic media, including software methods of protecting computer information;
- Expert examination of data and programs used in the computer network. It is carried out to study the information processed by means of the computer networks used by the enterprise, institution, firm or company.
During the primary investigation or the hearing, special knowledge in the field of computer system firmware may become necessary. This need can arise when analyzing non-standard hardware or software that the criminal designed without any assistance.
A study of foreign and domestic investigative and court practice gives grounds to assert that the most widely used kinds of expert examination during the primary investigation are as follows:
- Court and bookkeeping expert examination of documents;
- Program and technical expert examination;
- Technical and criminalistical expert...