Some problems of investigating cybercrimes
Date: November 04, 2003
Source: Computer Crime Research Center
There are many research works on investigating crimes committed by using computers, their systems and networks. Among them, those written by N. Akhtirskaya, P. Bilenchuk, V. Gavlovsky, M. Gutsalyuk, V. Lukashevich, G. Matusovsky, R. Kalyuzhny, M. Saltevsky, O. Snigeryov, V. Tsimbalyuk and others deserve particular mention. However, much attention should now be paid to the problem of devising and employing tactics for the investigative actions used to investigate computer crimes.
This acute issue needs a theoretical grounding in criminalistics. Law enforcement agencies need scientifically grounded recommendations on investigating crimes committed by using electronic computers, their systems and networks. There are no complete and scientifically grounded recommendations on investigating such offences that take into consideration the ways they are committed and concealed, as well as typical investigative and organizational situations.
Articles 361, 362 and 363 of Ukraine’s Criminal Code specify crimes committed by using electronic computers, their systems and networks.
M. Gutsalyuk notes that, to improve Ukraine’s current legislation, account should be taken of integration into the European Community and of Europe’s Convention on Cybercrimes of November 23, 2001, which clearly specifies computer crimes and ways of joining the efforts of international law enforcement bodies to fight such offences. The fact that global information networks have no international frontiers should be taken into account in preventing and fighting cybercrimes [1].
The Legislation Committee at the European Council recommends unifying criminal laws on computer crimes and envisaging penalties for the following offences:
- Unauthorized access to computer information;
- Illegal interception of data by technical means or computer emanation;
- Unlawful destruction, modification or copying of computer data;
- Interrupting the work of computer systems;
- Manufacture and distribution of criminal devices;
- Computer falsifications;
- Computer frauds;
- Intervention into the work of information systems to derive economic benefits;
- Distribution of child pornography;
- Copyright infringements.
It should be noted that the Convention also provides for the need to settle some procedural questions of detecting and documenting computer crimes. A new methodology of pre-trial investigation should be worked out to fight cybercrimes. For example, Article 16 of the Convention specifies that every party should take legislative measures to preserve computer data urgently, especially when the data are easy to lose or modify.
Gathering and analyzing evidence in cybercrime cases is a crucial problem to be solved. It requires not only special tactics of investigative and organizational actions but also particular knowledge of computer hardware and software.
N. Akhtirskaya thinks that investigative situations form a dynamic system that constantly changes under the influence of objective and subjective factors. Objective factors depend on investigative actions that change the situation, whereas subjective ones result from the actions and behavior of the investigation participants and other persons involved in the legal process to some extent. Analysis of cybercrime detection and investigation practice shows that typical initial investigative situations depend considerably on the facts to be established and proved [2].
P. Bilenchuk asserts that law enforcement officers should establish circumstances of an unauthorized access to computer system information in the following way:
- Establishing the fact of illegal access to computer system information;
- Fixing the place of unauthorized access to computer system information;
- Fixing the time of illegal access to computer system data;
- Establishing the manner of unlawful access to information;
- Identifying persons that obtained an unauthorized access to computer system information (establishing their guilt and criminal motives);
- Judging harmful consequences and social danger of the crime;
- Determining the reliability of information protective means;
- Revealing circumstances of the crime [3].
According to V. Gavlovsky, illegal access to computer information, or preparation for it, is characterized by the following circumstances: false computer data; computer system codes or passwords that go unchanged for long periods; frequent computer, system or network failures; a computer system or network employee staying after work or declining leave without valid reason; unexpected purchases of very expensive things by an official; frequent re-recording of certain information without good reason; excessive interest in printed listings on the part of particular persons, and so on [4].
Illegal penetration into electronic computers, their systems and networks takes direct, intermediate and mixed forms of access. Direct access means issuing illegal commands directly to the target computer that result in destroying, blocking, modifying or copying information, or in interrupting the work of electronic computers, their systems and networks. Intermediate (remote) access means issuing illegal commands to the target computer from another electronic machine through the network. Direct and electromagnetic interception belong to remote access to computer data. Mixed access combines the direct and remote ways of penetrating the target computer.
The manner in which a cybercrime is committed determines the ways its traces are concealed. With direct access to computer information, traces of the crime can be concealed by restoring the original state of the scene, i.e. destroying any evidence. An offence perpetrated by obtaining remote access to the target computer is in itself very difficult to detect. In other words, committing a cybercrime by remote access complicates the detection of its evidence.
There are also special means of obtaining direct (machine data carriers, tools for overcoming information protection systems) and remote (network equipment, telephone connection, modem) unauthorized access, and cybercriminals widely exploit the Internet to gain access to computer information.
It is necessary to distinguish between traditional (handwritten notes, file and finger prints, microparticles, etc.) and informational (any unlawful influence that results in destroying, modifying, copying or blocking computer data) traces of illegal intervention in the work of electronic computers, their systems and networks.
The motives of cybercrimes depend on the personality of the criminal, and in most cases such offences pursue mercenary ends.
Criminal proceedings against those committing computer crimes are often initiated on the grounds of complaints lodged by organization authorities (about 42%) and private persons (nearly 33%). The following investigative situations occur:
- Illegal access was detected when an unauthorized user was spreading (confidential) computer information;
- A legal user detected unauthorized penetration into the work of electronic computers, their systems and networks, but the wrongdoer was not identified;
- A legal user established the fact of unauthorized access and identified the intruder;
- A programmer, operator or another person detected unauthorized access by catching the wrongdoer in the act.
When an unidentified person has illegally intervened in the work of electronic computers, their systems and networks, certain investigative actions should be taken to establish grounds for initiating criminal proceedings. These include obtaining explanations, inspecting the crime scene, requesting the necessary materials, and taking operative and search measures.
It is expedient to receive explanations from engineers engaged in developing and maintaining computer software and hardware; system programmers; communication and telecommunication engineers; experts in computer system security and others.
Before arriving at the scene, it is necessary to invite relevant experts and attesting witnesses with knowledge of electronic computers and their software, prepare special equipment, instruct the members of the investigation and consult specialists. On arrival, it is required to:
- Record the current state of the crime scene;
- Prevent bystanders and investigation participants from touching the equipment;
- Determine whether the computers at the scene are connected to the local network, telephone or phone lines;
- Establish whether the electronic machines at the site are linked to externally located hardware;
- Identify the programs running on the computing machines.
The following recommendations should be adopted when seizing computer information:
- It is necessary to secure the site of examination and switch off electronic hardware;
- Magnetic data carriers should be stored in special sealed and shielded containers or in standard cases to eliminate electromagnetic and direct radiation impacts;
- Computer information ought to be copied onto physical carriers by means of standard software.
Taking criminal proceedings also requires the availability of the computer hardware failure journal; labor time logbook; working register; material data carriers (otherwise computer software); network administrator file displaying the entire network...