Some questions of specialists’ involvement into computer crime investigation
Date: November 05, 2003
Source: Computer Crime Research Center
... (on behalf of an investigator);
c) technical and other kinds of help to the investigator;
d) special examination made by officials;
e) legal evaluation;
f) documentary audit;
g) examinations by employees of various institutions and inspectorates (auditors, vehicle inspectors, technical instructors);
h) non-expert examination of objects (a corpse, material evidence, etc.) during an operative action.
A specialist's advice may concern tactics: the manner and timing of a procedural action, its participants, and the scientific, technical and forensic means to be used. Such recommendations are sometimes called organizational-tactical.
When investigating crimes committed with the use of computer technology, specialists in information technology and computer hardware must be involved. Fingerprints, tool marks and traces of hand soldering may also be found on the devices and their internal components, which calls for the corresponding forensic specialists. Specialists in network security are also needed if the crime was committed over a local network or the Internet. As attesting witnesses it is advisable to choose people familiar with the operation of the relevant computer technology.
In systems where information security is a critical factor, an uninterruptible power supply is used, together with backup file servers that hold copies of all files (the system makes the copies automatically at set intervals). The backups can be very useful, since offenders are often unable to destroy the copy of system information held on the additional servers. As a precaution such copies are encrypted and hidden in areas inaccessible to ordinary users. They can also show how the security system was overcome and yield additional information that helps identify the offender.
The tactics of searching for computer information are chosen with regard to the level of data protection and the condition of the computer and its peripheral hardware at the time of the investigation. It must be established whether the computer equipment on the premises is joined into a local network and whether the managing computer is a server. The server deserves special attention because it holds the most information, although private information may also be found on an ordinary workstation of the network.
It must be borne in mind that when information is deleted from magnetic media it is not physically erased; only its status changes. It becomes "invisible" and remains in place until new information is written over it. It can therefore be recovered completely with special tools, and even after new information has been written in its place partial recovery is possible.
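The following toy disk model is an added illustration, not part of the original article: a FAT-style directory marks an entry as deleted without touching its data blocks, so a deleted file remains fully recoverable until another file reuses some of its blocks, after which only the untouched blocks survive. The 128-byte medium, the file contents and the class and function names are all constructed for the example.

```python
from dataclasses import dataclass, field
BLOCK, NBLOCKS = 8, 16   # 8-byte blocks, 16 blocks: a 128-byte constructed toy medium

def nblocks(length):
    return -(-length // BLOCK)   # ceiling division

@dataclass
class ToyDisk:
    """Toy 'magnetic carrier' whose directory marks entries deleted instead of
    erasing their blocks, as FAT-style file systems do."""
    blocks: list = field(default_factory=lambda: [bytes(BLOCK)] * NBLOCKS)
    directory: dict = field(default_factory=dict)   # name -> {start, length, deleted}

    def live_blocks(self):
        return {b for e in self.directory.values() if not e["deleted"]
                for b in range(e["start"], e["start"] + nblocks(e["length"]))}

    def write(self, name, data):
        need, live = nblocks(len(data)), self.live_blocks()
        for start in range(NBLOCKS - need + 1):          # first free contiguous run
            if not any(b in live for b in range(start, start + need)):
                break
        else:
            raise OSError("disk full")
        for i in range(need):
            self.blocks[start + i] = data[i * BLOCK:(i + 1) * BLOCK].ljust(BLOCK, b"\x00")
        self.directory[name] = {"start": start, "length": len(data), "deleted": False}

    def delete(self, name):
        # "Wiping" only changes the entry's status; the data blocks stay on the medium.
        self.directory[name]["deleted"] = True

    def recover(self, name):
        """Reassemble a deleted file from its old blocks. Blocks since reused by a
        live file are lost (shown as '?'); returns (data, fraction of blocks intact)."""
        e, live, out, intact = self.directory[name], self.live_blocks(), b"", 0
        for b in range(e["start"], e["start"] + nblocks(e["length"])):
            if b in live:
                out += b"?" * BLOCK
            else:
                out += self.blocks[b]
                intact += 1
        return out[:e["length"]], intact / nblocks(e["length"])

def demo():
    disk = ToyDisk()
    disk.write("ledger.txt", b"ACCOUNT 4711 DEBIT 900 CREDIT 120 BALANCE ok")  # 44 B, 6 blocks
    disk.delete("ledger.txt")
    full, f1 = disk.recover("ledger.txt")   # nothing overwritten yet: complete recovery
    disk.write("note.txt", b"hello world")  # 11 B reuses blocks 0-1 of the deleted file
    part, f2 = disk.recover("ledger.txt")   # first 16 bytes gone, the rest still intact
    return full, f1, part, f2
```

This is also why the article's later advice to stop running programs and save open documents under new names matters: every new write on the seized medium can overwrite blocks that still held deleted evidence.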
During an examination, a seizure or a reconstruction of the events, the first steps are to isolate the room, to remove everyone who has no part in the investigation, and to take measures that exclude unauthorized access to the computer or computers, both by the persons present and over the network to which the computer is connected. For this the network cables on the back panel of the system unit must be disconnected, and if network access is possible over a switched telephone line the modem's power must be cut off. If the modem is installed inside the computer, the specialist should disconnect the telephone cable from its socket; at the same time an uninterrupted power supply to the equipment under examination must be ensured.
The investigator should stop all programs running at the moment of the examination, but first record all system information about the state of each program at the moment it is stopped. Open documents should be saved to files under new names, leaving the original versions unchanged. It is advisable to photograph the monitor according to the rules of forensic photography and, if possible, to make a video recording.
The examination of the computer should be carried out by a specialist if the investigator himself is not sufficiently knowledgeable in this field. In any case the record must indicate what actions were taken, in what sequence, what results they produced, and what software was used for the information search. The purpose and meaning of every step is explained to the attesting witnesses.
In most cases word-processing and financial programs keep a list of recently used documents and can easily reopen them if they have not been deleted or moved elsewhere. On the computer's disk the user usually keeps documents in directories with standard names: My Documents, Documents, DOCS, Archive etc. Document files carry a characteristic extension, i.e. the part of the name after the dot: *.doc, *.txt etc. All computer files store the date of their last modification, and some programs also store the date of the file's creation.
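The inventory script below is an added example, not code from the article: it walks a disk, picks out document files by the extensions the article names, notes whether each lies in one of the standard user directories, records the last-modification time and adds a SHA-256 hash so the electronic copy attached to the report can later be verified against the original (the hash is this example's addition, not something the article prescribes). The sample tree is constructed in a temporary directory.

```python
import hashlib, os, tempfile, time
from pathlib import Path

DOC_EXTENSIONS = {".doc", ".txt"}                                  # extensions named in the article
STANDARD_DIRS = {"my documents", "documents", "docs", "archive"}   # directory names named in the article

def build_sample_tree():
    """Constructed sample disk layout for the demo, written to a temporary directory."""
    root = Path(tempfile.mkdtemp())
    for rel, content in [
        ("My Documents/contract.doc", b"contract text"),
        ("DOCS/config_notes.txt", b"db host changed 2003-10-01"),
        ("DOCS/setup.exe", b"MZ binary, not a document"),
        ("games/readme.txt", b"outside the standard directories"),
    ]:
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_bytes(content)
    return root

def inventory_documents(root):
    """List document files under root: standard user directories first, then the rest.
    Each record carries the extension, the last-modification time and a SHA-256 hash so
    the copy attached to the report can be checked against the original later."""
    root, records = Path(root), []
    for dirpath, _dirs, files in os.walk(root):
        in_standard = Path(dirpath).name.lower() in STANDARD_DIRS
        for name in files:
            path = Path(dirpath) / name
            if path.suffix.lower() not in DOC_EXTENSIONS:
                continue                                  # skip programs and other non-documents
            st = path.stat()
            records.append({
                "path": path.relative_to(root).as_posix(),
                "extension": path.suffix.lower(),
                "standard_dir": in_standard,
                "modified": time.strftime("%Y-%m-%d %H:%M:%S", time.localtime(st.st_mtime)),
                "sha256": hashlib.sha256(path.read_bytes()).hexdigest(),
            })
    records.sort(key=lambda r: (not r["standard_dir"], r["path"]))
    return records
```

Run it against a read-only mount of the seized disk, not the live system, so the search itself does not alter modification times.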
The popular "Microsoft Office" package keeps a hidden file recording the date and time of every start-up of the computer. Communication and networking programs remember the addresses of many of the user's Internet contacts, and e-mail documents with the sender's address.
The results of the search are stored in electronic form on magnetic media and, where possible, printed and attached as an appendix to the report.
It is not enough to look for information only in the computer; all physical documents, even scraps of paper, must be examined attentively, because programmers often do not rely on their memory and write down passwords, changes to the system configuration and particulars of the database structure. Many users keep files on diskettes for safety. Any storage medium discovered should therefore be seized and examined.
In some cases it is necessary to search for hiding places where computer storage media may be kept. Hardware cases should be opened only by a specialist, in order to find disconnected internal storage media.
To avoid accidental or malicious changes to the information in the computer, and when it is impossible to involve specialists, it is advisable to seize the computer. The record must indicate the type and quantity of the equipment seized.
During the examination and seizure of computer equipment the elementary rules of computer handling must be followed, which helps avoid failures at the hardware and software levels.
It is not sufficient merely to state that a computer was seized. If the computer is sealed by the manufacturer, its serial number must be recorded and its documentation seized. If there is no serial number or the manufacturer's seal is damaged, the hardware configuration of the computer must be determined.
After that all cables on the back panel of the system unit must be labelled (this will help reconstruct the connections between the devices later).
During the hardware examination attention must be paid to the type and model of the chips and to the serial numbers and models of the storage devices.
Magnetic storage media (diskettes, removable hard disks on which information may be kept) are examined and seized; they help reconstruct the state of the system before the unauthorized intrusion and establish the method and results of that intrusion.
When computer equipment is seized, the manager or responsible staff should disclose the passwords and access codes for the computer resources.
Magnetic media are numbered with pre-prepared diskette labels and packed in sealed packages. They are stored and transported in special containers or in standard diskette or other aluminium cases that exclude the destructive influence of electromagnetic fields and stray radiation, including that of the metal detectors used for luggage screening at airports.
In the literature one finds recommendations to seize all computer hardware discovered during the investigation. This is not always right.
Compared with programs, documents make up a smaller part of the data on a computer. Besides technical difficulties there are economic ones: in the event of computer failure a bank can "hold out" for no more than 2 days, a wholesale firm for 3-5 days, an insurance company for 5-6 days. Seizure may therefore bring complaints from the affected organizations.
Timely and correct seizure of computer information makes the subsequent computer expert examination more effective. Such an examination is carried out to obtain the information held on magnetic media that will help find the traces of a crime.