Some issues in the investigation of computer crimes.

Апр 27, 2024

Some issues in the investigation of computer crimes

Some issues in the investigation of computer crimes
V. Golubev
Speech February 26, 2003  at the Southeast Cybercrime Summit   in Atlanta, USA

    The investigation of computer crimes differs significantly from the investigation of other “traditional” crimes. In these criminal cases, mistakes are most often made, which is often explained by the lack of an appropriate level of theoretical and practical training of operational workers and investigators. The study of criminal cases in this category gives reason to believe that one of the significant reasons for the low quality of the investigation is the lack of systematized and proven methods for investigating computer crimes, as well as errors that are made during investigative actions in relation to computer information or the computers themselves.

    The results of the analysis of the practical activities of law enforcement agencies in the investigation of computer crimes indicate that it is advisable to study computer equipment in a forensic laboratory, where this work is performed by specialists with the necessary professional training.

    Evidence related to computer crimes that is recovered from a crime scene can be easily altered, both as a result of errors during its seizure and during the research process itself. Presentation of such evidence in court proceedings requires special knowledge and appropriate preparation. Here one cannot underestimate the role of expertise, which can give a qualified answer to the questions posed.

    However, the examination requires some time not only to carry it out, but also to find the appropriate specialists, and when seizing computer equipment, a significant factor in preserving the necessary evidentiary information is surprise and efficiency. That is why the seizure of computers and information has to be carried out by those forces that are currently conducting investigative actions. In this case, it is the investigator who is not immune from errors caused by insufficient knowledge, which is then quite skillfully used by the defense in court.

    The problem posed has two aspects: general mistakes that are made by law enforcement officials when investigating computer crimes, and technical aspects related to the protection of information that is installed on computers by their direct users.

    As is known, the discovery, inspection and seizure of computers and computer information in the process of investigative actions can be carried out not only during an investigative examination (Article 190 of the Code of Criminal Procedure), but also during other investigative actions: searches (Article 178 of the Code of Criminal Procedure); seizures (Article 179 CPC); reproduction of the circumstances and conditions of the incident (Article 194 of the Code of Criminal Procedure).

    It is worth highlighting some rules for working with computers seized during the investigation of crimes in the field of computer information, as well as offering general recommendations that may be useful when processing computer evidence.

    Let's look at some typical mistakes that are most often made when conducting investigative actions regarding computer information or the computers themselves.

Error 1. Incorrect operation of the computer.

    The first and basic rule that must be strictly followed is the following: never, under any circumstances, work on a seized computer. This rule assumes that the seized computer is primarily an object of investigation by a specialist. Therefore, before transferring it to experts, it is advisable not to even turn it on, since it is strictly forbidden to perform any operations on a seized computer without providing the necessary protection measures (for example, protection against modification or creating a backup copy). If a security system is installed on the computer (for example, a password), then turning it on may cause the destruction of information located on the hard drive. It is not allowed to boot such a computer using its own operating system.

    This measure can be explained quite simply: it is not difficult for a criminal to install a program on his computer to destroy information on hard or floppy magnetic disks by recording such “traps” through a modification of the operating system. For example, a simple DIR command that is used to display a drive's directory can be easily modified to format a hard drive.

    Once the data and the destructive program itself are destroyed, no one can say for sure whether the “suspect” computer was equipped with such programs on purpose, or is it the result of carelessness in examining computer evidence?

Error 2. Access to the computer by the owner (user) of the computer.

    It is a serious mistake to allow the owner access to the computer under investigation to assist in its operation. There are many cases from practice when suspects during interrogations related to computer evidence were allowed to work on a seized computer. Later, they told their friends how they encrypted files “right under the noses of the police,” and they didn’t even know about it. Given these consequences, computer specialists began to make backup copies of computer information before allowing them to work on it.

    Another problem is related to the possibility of refuting in court the identity of the software presented at the trial to the one that was on the computer at the time of seizure. To avoid such situations, the computer should be sealed in the presence of witnesses, without turning it on. If a law enforcement officer decides to inspect a computer on site, the first thing to do is to make a copy of the hard drive and any floppy disk that will be seized as evidence. This means that before carrying out any operations with a computer, it is necessary to record its state at the time of investigative actions.

Error 3. Failure to scan your computer for viruses and software bookmarks.

    In order to check your computer for viruses and software bookmarks, you need to boot the computer not from its operating system, but from your floppy disk prepared in advance, or from a bench hard drive. All storage media are checked — floppy disks, hard drives and other media. This work should be done by a specialist involved in investigative actions using special software.

    It cannot be allowed that the court has the opportunity to accuse the investigation of deliberately infecting a computer with viruses, of incompetence in carrying out investigative actions, or simply of negligence, since it is hardly possible to prove that the virus was in the computer before the investigation, and such an accusation will cast doubt all the work of the expert and the reliability of his conclusions.

    These are the most typical errors that are often encountered when examining a computer in cases related to the investigation of computer crimes. However, the list considered does not cover all errors that arise in the process of seizing and examining computer information. This can be easily explained: the lack of sufficient experience in such matters in our country. At the same time, Western European countries and the United States have already accumulated a wealth of experience in investigating complex computer crimes. It is necessary to study it more carefully, which will avoid many of them.

    To avoid investigative errors at the initial stage of the investigation, which may lead to the loss or corruption of computer information, certain precautions should be followed.

Recommendation 1.The first thing you should do is back up your information.

In the process of search and seizure associated with the seizure of a computer, magnetic media and information, a number of general problems arise related to the specifics of the seized technical equipment. First of all, it is necessary to provide security measures that are carried out by criminals in order to destroy computer information. They, for example, can use special equipment that, in critical cases, generates a strong magnetic field that erases magnetic recordings.

During the search, all electronic evidence located on the computer or computer system must be analyzed in such a way that it can later be recognized by the court. World practice shows that in most cases, under pressure from defense representatives in court, electronic evidence is not taken into account. To ensure their recognition as evidence, it is necessary to strictly adhere to criminal procedural legislation, as well as standardized techniques and methods for their seizure.

Typically, computer evidence is preserved by making an exact copy of the original (the primary evidence) before any analysis is done on it. But making copies of computer files using only standard backup programs is not enough. Physical evidence may exist in the form of destroyed or hidden files, and the data associated with these files can only be saved using special software. In its simplest form, these can be programs like SafeBack, and for floppy disks the DOS Discopy program is sufficient.

Magnetic media on which information is to be copied must be prepared in advance (you must make sure that there is no information on them). Media should be stored in special packaging or wrapped in clean paper. It must be remembered that information can be damaged by humidity, temperature influences or electrostatic (magnetic) fields.

Recommendation 2. Find and make copies of temporary files.

Many text editors and database management programs create temporary files as a byproduct of the software's normal operation. Most computer users are not aware of the importance of creating these files because they are usually destroyed by the program at the end of the session. However, the data inside these destroyed files may be the most useful. Especially if the original file was encoded or the text preparation document was printed but never saved to disk, such files can be recovered.

Recommendation 3. Be sure to check the Swap File.

The popularity of Microsoft Windows has brought some additional tools regarding computer information research. Swap Files function as disk storage, a huge database and many different temporary pieces of information. Even the entire document text can be found in this Swap File.

Recommendation 4. It is necessary to compare duplicate text documents.

Often, duplicate text files can be found on hard or floppy disks. These may be minor changes between versions of the same document that may have evidentiary value. Discrepancies can be easily identified using most modern text editors.

I would also like to highlight general recommendations that must be taken into account when examining a computer at the scene of an incident.

When starting to inspect a computer, the investigator and the specialist who directly performs all actions on the computer must adhere to the following:

  • Before turning off your computer, you should, if possible, close all programs running on your computer. It should be remembered that incorrect exit from some programs can cause the destruction of information or damage the program itself;
  • take measures to set an access password to protected programs;
  • with the active intervention of enterprise employees seeking to counteract the investigative team, it is necessary to turn off the power supply to all computers at the facility, seal them and remove them along with magnetic media for studying the information in a laboratory setting;
  • If consultations with enterprise personnel are necessary, they should be obtained from different persons through questioning or interrogation. This method will allow you to obtain the most truthful information and avoid intentional harm;
  • when seizing technical equipment, it is advisable to seize not only system units, but also additional peripheral devices (printers, streamers, modems, scanners, etc.);
  • if there is a local computer network, it is necessary to have the required number of specialists for additional research of the information network;
  • confiscate all computers (system units) and magnetic media;
  • carefully examine the documentation, paying attention to the work records of computer operators, because often it is in these records of inexperienced users that you can find codes, passwords and other useful information;
  • compile a list of all freelance and temporary employees of the organization (enterprise) in order to identify programmers and other specialists in the field of information technology working in this institution. It is advisable to establish their passport details, addresses and places of permanent work;
  • record the data of all persons present in the premises at the time of the appearance of the investigative team, regardless of the explanation of the reasons for their presence in this premises;
  • compile a list of all employees of the enterprise who have access to computer equipment or who are often in the premises where computers are located.

If direct access to the computer is possible and all undesirable situations have been excluded, proceed with the inspection. Moreover, the investigator and specialist must clearly explain all their actions to witnesses.

During the inspection, the following should be established:

  • computer configuration with a clear and detailed description of all devices;
  • model numbers and serial numbers of each device;
  • inventory numbers assigned by the accounting department when placing equipment on the balance sheet of the enterprise;
  • other information from factory labels (on the keyboard the label is usually on the back, and on the monitor and processor — on the back). Such information is included in the inspection report of computer equipment and may be important for the investigation.

Recommendation 5. Photographing and marking elements of the computer system.

Photographing and labeling computer system components is an important first step in preparing the system for shipping. Documenting the state of the system at this stage is necessary for the correct assembly and connection of all system elements in the laboratory. When photographing, you should take close-up shots of the system of its front and rear parts. Photographing and marking the elements of a seized computer system makes it possible to accurately recreate the state of computer equipment under laboratory research conditions. Some equipment, such as external modems, may have many small switches that record its state, which may be changed during transportation, which will create additional problems for the expert.

In conclusion, it must be emphasized that when carrying out any investigative actions related to the investigation of crimes in the field of computer technology (especially the seizure of information and computer equipment), it is advisable to involve a specialist in the field of information technology from the very beginning. Before beginning any investigative actions, you should also have certain information regarding: make, model, computer, operating system, peripheral devices, communications and any other information about the system that is the subject of the investigation. The purposeful activity of the investigator and operational workers, especially at the initial stage of the investigation, ensures the success of further investigation of computer crimes.

Мы используем cookie-файлы для наилучшего представления нашего сайта. Продолжая использовать этот сайт, вы соглашаетесь с использованием cookie-файлов.