^macro[html_start;Some aspects of investigating computer crimes;Some aspects of investigating computer crimes;Some aspects of investigating computer crimes] ^macro[pagehead;img/library.gif] ^macro[leftcol] ^macro[centercol;


Andrey Belousov
Crime-research.org

Some aspects of investigating computer crimes

One of the top-priority goals of modern society, saturated as it is with computer information technologies, is to fight computer crime. According to interrogations, materials, hearings and scientific research, the world community faces serious problems in this sphere. Thousands of cybercrimes are committed in the developed countries, and the economic losses they inflict amount to billions of US dollars.
According to US expert statistics, the average damage in the USA is $3.2 thousand for a physical bank robbery, $23 thousand for a swindle and $500 thousand for a computer crime.
The imperfection of the laws and of the state system for fighting cybercrime aggravates all this [1].

Because of the increased significance of electronic information systems in social life, the scale of their use for processing restricted-access data and the popularity of the Internet, computer information systems must be protected from crimes involving the theft, illegal modification or destruction of processed information, the unauthorized use of computers, and deliberate interference with their operation.
Vitaly Kozlov considers it expedient to include among computer offenses both crimes against computer information or its protection and crimes involving computer technology [2]. In our view, such a definition fully complies with the recommendations of UNO experts and covers any crime that can be committed in a computer system or network.

The investigation of computer crimes differs considerably from that of other “traditional” offenses. A study of criminal cases shows that poor investigation results stem from the lack of systematized and well-developed procedures for investigating computer crimes, as well as from mistakes made during investigative actions involving computer information or the computers themselves [3].

At first sight, it seems that computer crimes can be investigated under traditional laws on theft, misappropriation, property damage and so on. However, once we try to establish that all the structural elements of a traditional crime are present in an offense committed with a computer, it becomes evident that traditional legislation cannot be used to investigate the new crimes. For example, if an offender entered a room containing computers illegally or for a criminal purpose, the law can be applied in the traditional way. When a criminal broke into a room containing computers to damage the hardware or steal a program, the illegal intrusion alone suffices to bring a charge. However, if a person tries to gain illegal access to data in computer memory in order to download valuable information, traditional legislation provides no basis for bringing a charge for such a crime. A criminal can gain access through a remote terminal at home or a secret phone code. It is not always possible to prove the theft of property as the law requires. For example, a computer program can be “read” from a remote terminal. Such a withdrawal does not affect the computer's hardware or even its software, because the coded information is merely copied elsewhere without leaving the computer. The traditional law on theft or withdrawal cannot be used to charge a person who copies or downloads information without physically modifying or removing it.

Let us consider the main problems faced by inspectors and experts.
The most difficult task is to establish that a computer crime has been committed at all, because its outward signs are far less conspicuous than those of a grocery robbery. In fact, computer crimes leave no visible material damage. For example, illegal copying of information goes undetected, and the introduction of a virus is regarded as an unintentional mistake by a user who failed to “catch” it when communicating with the outside computer world.

At present the detection rate for computer crimes is quite low because of the complexity of hardware and software. Moreover, victims are often in no hurry to turn to law enforcement bodies. Sometimes the guilty persons are simply dismissed or transferred to other units of the organization. Declining criminal prosecution removes the general deterrent effect and thereby invites others to try their hand. The victims should not be blamed, because a difficult complex of problems shapes their conduct. Understanding it can help both potential victims and law enforcement bodies.

The mechanism of crimes connected with automated information processing systems is hidden from the victims (a firm's shareholders). In addition, the fact of an information leak can be concealed by electronic means before it is revealed.

The officials responsible for computer system security have no interest in revealing that an e-crime has been committed. Acknowledging unauthorized access to the computer system calls their professional qualifications into doubt, while inadequate computer security measures taken by management can lead to serious internal problems.

As a rule, bank officials carefully conceal discovered crimes against bank computers, because disclosure can damage the bank's prestige and cost it clients.

Some victims are afraid of a serious, competent investigation because it can reveal improper or even illegal ways of doing business. They often fear that insurance companies will raise their premiums or refuse to renew their insurance policy if computer crimes are regularly committed at the organization. Victims may also decline an investigation for fear that their financial and other official secrets will be disclosed in court.

Foreign attorneys and inspectors note that the documents produced by victims of computer crimes are often insufficient to support well-founded charges.

While crimes in commercial activity are traditionally measured in minutes, hours, days and weeks, offenses in automated systems are measured in fractions of a second.

The difficulty of estimating the losses inflicted is an interesting aspect of financial computer crimes. Schneider’s e-robbery of the Pacific Ocean Phone Company can serve as an example. He stated during the inquiry that he had stolen nearly $1 million, whereas the company put the lost sum at no more than $100 hundred. The investigation of computer crimes is often quite expensive. Sometimes organizations do not want to increase their losses by adding investigation costs. The victim often rejects the idea of exposing a crime because of limited material resources. In many countries, exposed computer criminals are known to get off with small penalties (often suspended sentences). This discourages victims from reporting incidents to law enforcement agencies.

Therefore, inspectors are deprived of the affected organization's support at the very beginning of the investigation.
Another important problem complicating investigation is that society does not regard computer crimes as a serious danger compared with traditional ones.

Average citizens perceive a hacker as a clever and interesting person and the victim as greedy and stupid. Therefore, people seldom shed tears over organizations that have suffered from computer crimes, and those organizations are in no hurry to make a laughing-stock of themselves [4].

Sometimes computer crimes are exposed by chance. One day an employee of a computer center serving several oil companies noticed that a client’s read indicator had been on for a long time before the record LED lit up. The investigation showed that this man had been engaged in industrial espionage and had sold company data to its rivals.

There is no doubt that a good inspector investigating computer crimes should be an excellent programmer, or at least understand the uses and capabilities of computers. Unfortunately, such specialists are rare among programmers, let alone inspectors.

However, it is a mistake to think that investigating computer crimes is incredibly difficult and a matter for the elite. Some factors simplify the investigation. One of them is the strictly limited circle of persons inclined to commit such a crime. In fact, far more people are capable of tearing the receiver off a public telephone than of inventing and spreading computer viruses.

Investigations of crimes involving the illegal use of computer information systems show that most of those offenses were perpetrated by authorized persons who knew the system's operating mode quite well and could turn it to their mercenary advantage.
If a programmer finds modifications to his program or library access password, an incorrectly made copy or a restored archive, he knows whom to hold to account.
When it comes to unauthorized access to a thoroughly closed system, data imitation or planting a “logical bomb” in a debugged program, the experts capable of it can be counted on the fingers of one hand in any computer center.

There is a paradox here: the more skilful the computer crime, the easier it is to find the criminal.
Another factor simplifying investigation is that all large computer centers are equipped with systems that record operators' actions. As a rule, the service personnel should monitor the operator log.

For example, Kernel University experts managed to open the archive of passwords used to obtain system access and to identify the person who had introduced a virus into the nation-wide phone network connecting military, industrial and scientific organizations. Systems that prevent illegal penetration record such attempts.

As appears from the above, technical means of computer protection can play an important role in exposing computer crimes. We will not describe the technical methods of investigation that an inspector with programming skills can use [5]. We will only note that there are very many of them: programs that locate the places where an actual text diverges from a reference text, keyword search programs, programs that indicate system changes, anti-virus programs and so on.
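As an illustration of two of the tool types named above, a system change indicator and a search for the place where a text diverges from its reference, here is an added example that is not part of the original article. The file names and contents are constructed samples.

```python
import hashlib
import os
import tempfile
from pathlib import Path

def sha256_file(path, chunk=65536):
    """Hash a file in chunks so large files do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def baseline(root):
    """Map every file under root (relative path) to its SHA-256 digest."""
    digests = {}
    for folder, _, names in os.walk(root):
        for name in names:
            path = os.path.join(folder, name)
            digests[os.path.relpath(path, root)] = sha256_file(path)
    return digests

def changes(old, new):
    """Compare two baselines and list modified, added and removed files."""
    return {
        "modified": sorted(p for p in old if p in new and old[p] != new[p]),
        "added": sorted(p for p in new if p not in old),
        "removed": sorted(p for p in old if p not in new),
    }

def first_variance(reference, current):
    """Offset of the first differing byte, or None if the texts are identical."""
    for offset, (a, b) in enumerate(zip(reference, current)):
        if a != b:
            return offset
    shorter = min(len(reference), len(current))
    return None if len(reference) == len(current) else shorter

def demo():
    """Constructed sample: one program is altered and one file is planted."""
    reference = b"IF balance < 0 THEN reject\n"
    altered = b"IF balance < 0 THEN accept\n"
    with tempfile.TemporaryDirectory() as root:
        Path(root, "payroll.bas").write_bytes(reference)
        before = baseline(root)  # taken while the system is known to be good
        Path(root, "payroll.bas").write_bytes(altered)
        Path(root, "extra.bas").write_bytes(b"REM constructed planted file\n")
        return changes(before, baseline(root)), first_variance(reference, altered)
```

The baseline is only useful if it is stored where the person being checked cannot rewrite it, for example on write-protected media.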

Computer crimes are difficult to expose because no program is free of errors, and criminal attempts can easily be disguised as computer malfunctions or errors. Thus, the Uniteddime serving bank fell victim to its own error-correction measures when a senior teller used them to change the balances of huge inactive accounts. He simply reviewed and modified them to reflect the sum left on the account after his visit to the bank vault. When individual money shortages were brought to his attention, he attributed them to electronic errors. He corrected the errors and covered the shortages with transfers from other accounts. The misappropriation of $1.5 million was uncovered not by auditors but by FBI officials, who furnished evidence that he had put up to $300 thousand a day into circulation.

The same author notes that none of the 63 known mistakes made by the banking computer was in a client's favor. Evidently, this is no mere coincidence. No criminal was arrested.

Another problem for the inspector is that one person often combines several roles in the operation of computers. The bookkeeper is often a programmer and an operator at the same time. As a result, mutual checks are eliminated, the opportunity for abuse increases and investigative actions become more difficult to carry out.

An analysis of domestic and foreign specialist literature and of publications in the periodical press on fighting computer crime [6] allows us to distinguish three main groups of preventive measures:

1) Legal;
2) Organizational and technical;
3) Criminalistical.

Sometimes ordinary investigative actions (searching for and collecting material evidence) have to be carried out when investigating computer crimes. In fact, searching a computer differs from searching a flat. Only special programs, which themselves modify computer information, can be used to enter the computer's memory and find programs, codes and so on there. Therefore, a dishonest inspector always has an opportunity to find in the computer whatever he needs, and the search witnesses can hardly hinder him. At the same time, a “competent” inspector can destroy evidence of the crime when trying to make a copy.

The same problem arises when collecting evidence. Can a printout or information on a magnetic medium be considered evidence?

The e-document has now become an element of the structure of documented information. Russia’s legislation defines it as a document in which information is presented in electronic form. Such a document can be considered written evidence if its authenticity can be established, i.e. if the court can carry out a specific check or expert examination, which is the main criterion for admitting such documents as evidence in court. Consequently, the authenticity of the information must be confirmed.

The problem was solved with the help of the electronic digital signature (EDS), which prevents the forging of e-documents. It is the result of a cryptographic transformation of data using a private key, and it makes it possible to identify the owner and to establish that the information in the e-document has not been distorted.

The legal force of an e-document with an EDS depends on the availability of signature-verification software and hardware in the automated information system and on observance of the established conditions of its use.
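The two properties attributed to the EDS above, tying a document to the key owner and revealing any alteration, can be shown in working code. This is an added example, not part of the original article: the article names no algorithm, so a Lamport one-time signature is swapped in because it needs only a hash function, and the document text is a constructed sample.

```python
import hashlib
import hmac
import secrets

def H(data):
    return hashlib.sha256(data).digest()

def keygen():
    """Private key: 256 pairs of random secrets. Public key: their hashes."""
    private = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    public = [(H(a), H(b)) for a, b in private]
    return private, public

def digest_bits(document):
    """The 256 bits of the document's SHA-256 digest, most significant first."""
    n = int.from_bytes(H(document), "big")
    return [(n >> (255 - i)) & 1 for i in range(256)]

def sign(private, document):
    """Reveal one secret from each pair, selected by the digest bits.
    A Lamport key may sign only one document; reuse exposes more secrets."""
    return [private[i][bit] for i, bit in enumerate(digest_bits(document))]

def verify(public, document, signature):
    """True only if every revealed secret hashes to the published value
    for the corresponding bit of this document's digest."""
    if len(signature) != 256:
        return False
    ok = True
    for i, bit in enumerate(digest_bits(document)):
        ok &= hmac.compare_digest(H(signature[i]), public[i][bit])
    return ok

def demo():
    """Check the original, an altered copy, and a different signer's key."""
    owner_private, owner_public = keygen()
    _, other_public = keygen()
    document = b"Pay 1,000 to account 12345"  # constructed sample
    altered = b"Pay 9,000 to account 12345"   # one character changed
    signature = sign(owner_private, document)
    return (verify(owner_public, document, signature),
            verify(owner_public, altered, signature),
            verify(other_public, document, signature))
```

Verification only identifies the owner if the public key itself is reliably bound to that person, which is why the surrounding system and its conditions of use matter.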

The question of expert examination of the e-document has not been settled yet. Under procedural legislation, the court has the right to order an examination at the request of a party in order to resolve certain issues. The point is that an expert examination cannot be made when both parties have abandoned the document that is at the core of their dispute. The court is then unable to order an examination and, consequently, both parties are unable to protect their interests properly.

The problem of producing electronic copies of traditional documents in court has not been resolved yet, but it has definite prospects.

For a printed copy to be considered evidence, it must be made with specially certified programs that have been checked for protection against illegal modification of the printed (copied) information. The Criminal Procedural Code should specify the procedures for actions such as making copies from machine media and printing information. The court should not regard such documents as evidence until this question is settled.

Let us turn to one more question connected with investigating computer crimes: the suspect’s alibi. After committing a crime (removing a data record from the computer), the criminal can forge computer information to change the time of an operation and the user code. Obviously, courts should place little confidence in such an alibi, or in evidence of a suspect’s guilt obtained by copying and printing machine information.

In conclusion, it should be noted that fighting computer technology crime effectively depends on an optimal combination of legal and preventive measures, and on painstaking work to improve criminal law and to develop norms that establish liability for cybercrimes and are applied in practice.

1. O. Baranov Electronic legislation // Weekly mirror. - #20 (P. 395. – June 1-7th, 2002).
2. V. Kozlov Computer crime: What is it? (Criminalistical aspect). - http://www.crime-research.org/library/Ccrime.html.
3. V. Golubev Some problems of investigating computer crimes. – Report of February 26, 2003 at the Southeast Cybercrime Summit (Atlanta, USA) - Crime-research.org.
4. V. Golubev Criminalistical characteristic of criminals committing computer technology crimes - http://www.crime-research.org/library/Golubev0104.html.
5. Information protection and classification of protective measures was taken from: A.V. Nechaev Some aspects of protecting information // Personal computer helps militia and investigation. Opportunities and perspectives. M., 1997. – P. 58-64.
6. A. V. Golubev Information security: problems of fighting cybercrimes. – Zaporozhye: SU “ZIGMU”, 2003. – 220p.


] ^macro[html_end]