Some problems of investigating cybercrimes
Date: November 04, 2003
Source: Computer Crime Research Center
... network administrator file displaying the entire network operation (testing results, records of irregular situations); a system block and portable data storage elements; file information on attempts at computer misuse and illegal network connection; antiviral inspection results, including hash totals of stored files; lists of authorized persons and their identification passwords; technical means of user authentication (magnetic cards, interlocking keys and so on) to limit access to computers during the inspection, etc.
The initial investigation features the following typical situations:
- Illegal intervention into the work of electronic computers, their systems and networks is recorded;
- Incontrovertible evidence is obtained and the suspect gives trustworthy testimony;
- The fact of unlawful penetration into electronic computers, their systems and networks is established;
- Identifying evidence is presented but the suspect denies the criminal charge;
- The fact of unauthorized intervention into the work of computing machines, their systems and networks is established;
- Persons who could have done it by abusing their official position are identified but there is no evidence of their open guilt;
- The fact of illegal access to computer information is established. Certain or interested persons are suspected of it.
A search of premises carried out to investigate unlawful intervention into the work of electronic computers, their systems and networks can have the following stages:
- Preparatory (obtaining information on the type and quantity of computers available in the premises to be searched, as well as their auxiliary devices; inviting experts in computer systems; preparing related electronic hardware; learning about the computer owner’s personality and professional skills; specifying measures to keep the search confidential; forecasting the data likely to be found and their role in conducting a prompt and effective search; determining which information is to be studied on site and which is to be withdrawn for further examination);
- Initial (abruptly entering the premises to be searched and placing the computers under supervision; recording the current situation at the scene; giving bystanders and investigation participants no possibility of touching the equipment; determining whether computers at the scene are connected to the local network, telephone or phone lines; establishing whether on-site computers are linked to externally located hardware; identifying programs running on the computers; identifying information that can help the search be effective);
- Intermediate or “detailed” (taking special measures to check the premises and computer(s), and the availability of, for example, hiding places with important information);
- Final (drawing up a protocol and relevant descriptions; drawing plans and schemes of the searched premises; carrying out additional photography and videotape recording).
The investigation of illegal penetration into electronic computers, their systems and networks is also characterized by the following typical investigative situations:
- The suspect admits the offence and gives trustworthy testimony;
- The suspect admits guilt but does not name accomplices;
- The suspects admit the crime but not all criminal episodes are established;
- The suspects deny participation in the crime and give divergent testimony.
The following expert examinations should be carried out to investigate unauthorized interventions into the work of electronic machines, their systems and networks:
- Technical expert examination of electronic computers and their peripheral devices;
- Technical expertise of computer information protecting equipment;
- Examination of computer software and machine data;
- Technical expertise of computer network data and software.
The following identification signs of computer information should be reflected in the protocol of expert examination: contents, form, attributes, carriers, names and sizes of files, date and time of their creation, type, point size, line spacing, indentation, heading, printing, fields, page numbering; purpose, function, interface, etc.
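One way to capture the file names, sizes, timestamps and hash totals mentioned above in a repeatable form and to detect later alteration, shown as an added example that is not part of the original article. The function names and the sample files are assumptions made for illustration.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def describe_file(path, chunk_size=1 << 20):
    """Identification attributes of one file; the file is opened read-only."""
    st = os.stat(path)
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return {
        "size": st.st_size,
        "modified_utc": datetime.fromtimestamp(st.st_mtime, timezone.utc).isoformat(),
        "sha256": digest.hexdigest(),
    }


def build_manifest(root):
    """Map each file's path (relative to root) to its attributes."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, root)] = describe_file(full)
    return manifest


def compare_manifests(before, after):
    """List files changed, removed or added between two manifests."""
    common = before.keys() & after.keys()
    return {
        "changed": sorted(p for p in common if before[p]["sha256"] != after[p]["sha256"]),
        "removed": sorted(p for p in before if p not in after),
        "added": sorted(p for p in after if p not in before),
    }


def demo():
    """Constructed sample data: record two files, alter one, add a third."""
    with tempfile.TemporaryDirectory() as root:
        Path(root, "report.txt").write_bytes(b"original")
        Path(root, "access.log").write_bytes(b"line 1\n")
        before = build_manifest(root)
        Path(root, "report.txt").write_bytes(b"tampered")
        Path(root, "new.bin").write_bytes(b"\x00")
        return before, compare_manifests(before, build_manifest(root))
```

The altered file in the sample keeps the same size, so only the hash comparison reveals the change. Run such a tool against a working copy or a write-blocked image, since merely reading files can update access times on the original media.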
When investigating illegal intervention into the work of electronic computers, their systems and networks, an investigative experiment should be run to check the possibility of: penetrating into the premises; connecting electronic hardware and obtaining direct access to computer information; penetrating into closed areas through the selection of passwords and identification codes; linking to the computer network; intercepting information; performing unauthorized operations by means of specific computing equipment within a definite period; and to establish the time interval needed to connect to the computer network, put the information protection system out of action, and modify or copy computer information.
In our opinion, the above recommendations will allow officers from law enforcement bodies to investigate computer crimes more effectively.
