Vladimir Golubev
PECULIARITIES OF INVESTIGATING CYBER CRIMES
The rapid introduction of modern information technologies into the economy, public administration and, in particular, banking has given rise to a new kind of crime: cyber crime. In the opinion of criminologists and international experts it poses a very serious threat both to the economy and to information security, which is an essential component of national security.
The primary concern today is how to combat this new threat. While computer technologies advance rapidly and reliance on the Internet keeps growing, the legislation on information and the legal procedures governing the fight against cybercrime have not yet kept pace with these advances [1].
Establishing liability for cyber crimes by amending the Criminal Code (CC) of Ukraine, in particular Article 198¹ "Disturbance of the operation of automated systems (AS)" [2], requires a criminalistic study of the new types of crime: their identification and detection, the development of their criminalistic characteristics and, finally, recommendations for their investigation.
The law "On AS information protection" was adopted in 1994. It provides the legal basis for exercising and protecting the right of ownership of information in this area and for addressing the cybercrime problem in general [3]. Practice, however, has shown the law to be incomplete because of drawbacks in its drafting; as a result it lags behind the information technology advances that have since taken place in society.
Cyber crime, and its transnational expansion in particular, is an international problem brought about by widespread reliance on global information networks, above all the Internet, the primary infrastructure that already links most countries of the world. The adoption of networked systems is likely to keep increasing. In the developed countries cyber crime causes severe financial losses, and AS owners and users have to spend a great deal of money developing and deploying software, hardware and other tools to protect information from unauthorized access, defacement and destruction.
Cybercrime has the following characteristics. It is highly latent. It is difficult to identify and investigate, and difficult to prove to the satisfaction of a court. It is an increasingly global problem, since the Internet is used to commit it and a single incident can cause enormous damage. According to the statistics, US law enforcement detects only 5% of cyber crimes, and about 20% of them are prosecuted [5].
Unfortunately, Ukraine has no official cyber crime statistics. Nevertheless, a criminal case from June 1999 shows that this category of crime poses a serious threat to public security. The case materials tell the story. On October 23, 1998 intruders gained unauthorized access to the AS of the Vinnytsia regional administration of the National Bank of Ukraine and illegally transferred 80.4 million hryvnias (about $20 million at the NBU exchange rate at the time of the offence) from the bank's reserve fund. The eight-month investigation by organized crime strike force officers was successful. The plan was developed by the Chief Administration of the strike forces of the Ministry of the Interior, and eleven simultaneous searches led to the arrest of about 30 individuals involved in this sensational criminal case. At the dwelling of just one of the perpetrators the officers found and seized $81 thousand [6].
Government bodies and the private sector, especially those whose banking activities have suffered from attacks, have little confidence in the ability of law enforcement to detect such crimes; this largely accounts for the high latency. We believe that the high latency and the low detection rate are caused above all by the challenges that cybercrime and the underlying technology present to law enforcement agencies when bringing a criminal action. These in turn stem from the difficulty of classifying the criminal acts and from the peculiarities of conducting certain investigative activities.
First of all it should be noted that one positive step is the state's recognition of the right of ownership of information. Thus, under Article 41 of the Constitution [7], information is a protected object, and this protection is provided by the laws "On information" of October 2, 1992 [8] and "On AS information protection" [3] and by Article 198¹ of the CC [2].
The law "On AS information protection" establishes the legal mechanism for regulating relations concerning the protection of AS information under current legislation, guaranteeing citizens of Ukraine and legal entities the right of ownership of information, including the right of access to information and the owner's right to protect it and to restrict access to it.
The law applies to any AS information. It specifies the objects subject to legal protection: information being processed in an AS, and the rights of the owners and users of information and of the AS (Part 1, Article 2). Under the law any AS information is subject to protection; the necessity of protecting particular information is determined by its owner or by current legislation (Part 2, Article 2). The law sets out general requirements for information protection (Article 11) and provides for disciplinary, administrative, criminal and pecuniary liability for its violation (Article 17).
It is these provisions that create the legal basis for enacting Article 198¹ of the CC, which provides criminal-law protection of this range of social relationships. Article 198¹ of the CC establishes liability for two independent criminal acts:
1) intentional disturbance of the operation of an AS that led to the defacement or destruction of information or of information carriers;
2) dissemination of software and hardware devices designed to gain unauthorized access to an AS and to cause the defacement or destruction of information or of information carriers.
As is well known, the Supreme Rada has already adopted the draft Criminal Code (DCC) in its second reading. The draft was developed by the drafting committee of the Cabinet of Ministers and includes a new Section 16, "Crimes related to automated and electronic computer systems" [9].
In our view Section 16 does not contain clear terms, and the terms it does use have not been brought into conformity with current information legislation. The first discrepancy is between the term "automated and electronic computer systems" in Section 16 and the term "automated system" in the law "On AS information protection". The lack of terminological consistency can lead to confusion when the Articles of this section are interpreted and applied.
We consider it groundless that the drafting committee carried Article 198¹ of the CC over into Article 332 of the DCC practically unchanged. The main drawback of this transfer is the attempt to unite in one provision two encroachments characterized by different objects:
· violation of the rules of operation of an AS;
· unauthorized use of the means specified above.
Such an approach is inconsistent, since Article 334 of the DCC is devoted primarily and entirely to violations of the rules of operation of an AS.
Another drawback is that the terms used in the title of Article 334 of the DCC do not reflect the specificity of information-related crimes, even though the Article's dispositions are specified and interpreted. We also consider it inconsistent to overburden the dispositions of these provisions: the acts in question can be classified under general provisions, e.g. as extortion of computer information, and in that case the specificity of the object of encroachment does not justify such specialization.
Let us discuss the main circumstances that must be established in criminal cases of this category under current legislation, namely: the object and instrument of the crime, the objective and subjective elements of the crime, and the subject of the crime.
Under the law "On AS information protection", the object of the crime is the legal relationships concerning the protection of AS information.
Under the present CC [2], the object of the crime is:
· an automated system (AS): a system for automated data processing, comprising the technical facilities for data processing (computing and communication devices) together with methods, procedures and software;
· an information carrier: physical fields and signals, chemical media, and data storage devices in information systems;
· information used in the AS: the totality of all data and programs used in the AS, regardless of the means of their physical and logical representation;
· software and hardware tools for unauthorized access.
The objective element (actus reus) of these crimes consists in disturbing the operation of an AS or disseminating hardware and software devices for unauthorized access to an AS, which can cause the defacement or destruction of information or of its carriers.
The subjective element (mens rea) is characterized by intent with respect to the acts committed by the accused. The offender's mental state with respect to the consequences, i.e. the defacement or destruction of information or its carriers, can be direct or indirect intent or negligence. In the case of disseminating software and hardware for unauthorized access to an AS the intent can only be direct, since the mens rea of that crime is defined by the accused's mental state toward the acts themselves. Motives and aims can vary; it is often evident that an AS was intruded into in order to commit other crimes.
The peculiarity of crimes involving the dissemination of software and hardware for intruding into an AS is that the objective element consists in the criminal actions themselves, irrespective of whether damage, i.e. defacement or destruction of information or its carriers, was caused.
The peculiarity of crimes involving the disturbance of an AS is that, besides the various acts against the AS, obligatory indications of their objective element are also defacement or destruction, i.e. a breach of the integrity of information (destruction, defacement, modification and annihilation), and a causal relationship between the conduct and the result.
Disturbance of an AS is understood as any malicious and intentional act [2] that influences the processing of information in the AS, i.e. the whole set of operations (storage, input, recording, transformation, reading, preservation, deletion, registration) performed with software and hardware devices, including data exchange over transmission channels. An attack against an AS disturbs the AS and distorts information processing, which in turn causes the defacement and annihilation of information and its carriers.
Annihilation of information is the loss of information, i.e. individuals and legal entities having full or limited ownership rights to the information can no longer use the AS information. Blocking of information should also be regarded as annihilation, i.e. as loss of information: an AS user trying to access the system is denied its service (a well-known example of such acts is the Distributed Denial-of-Service (DDoS) attack). Disturbance of an AS can also damage information transmission channels, including the channels connecting the information processing and storage hardware within an AS and between separate ASs; as a result, information transmitted for processing is erased or defaced.
Defacement of information should be understood as a change of its content, a breach of its integrity, including its partial destruction.
The subject of such crimes can be any individual liable to prosecution who has reached the age of 16, including an AS insider charged by the AS owner or the owner's representative with managing and servicing the AS. A special subject is most often the personnel servicing the AS, its users and other insiders whose professional duties involve information handling and information services. Organized groups, once formed, engage computer experts, managers and other executives in their activities. Members of a criminal group can reside in various places and in different countries.
In discussing the difficulties that law enforcement faces in practice, the peculiarities of investigating cybercrimes must be taken into account, including examination of the scene, search and seizure, interrogation of victims and witnesses, and expert examination. To be admissible as evidence, facts must be obtained from sources and in accordance with the rules provided by the criminal procedure code.
Another critical factor is the lack of suitably trained staff to prevent and combat cyber crime. As discussed above, cyber offenders are highly qualified practitioners, so-called intellectual criminals. Unfortunately, law enforcement officers are not able to carry out effective and reliable incident response. The materials of preliminary checks and of criminal cases (where they are initiated) are not legally sufficient, and criminals remain unpunished. It is therefore essential to engage computer professionals in the investigation of cyber crimes; international law enforcement experience confirms this need.
Here we consider the procedure for collecting evidence when investigating cyber crimes.
Examination of the scene. On arriving at the scene, investigators must take measures to ensure the safety of computer information and peripheral memory. It is necessary:
· to prohibit the inside personnel from accessing the computer equipment;
· to prohibit the inside personnel from switching off the computer equipment;
· not to carry out any manipulation of the computer devices if the final result is unpredictable.
Once these obligatory measures have been implemented one can proceed to examine the scene and collect physical evidence. In doing so the following should be taken into account:
· other anti-access security means.
Search and seizure of physical evidence. When searching for and seizing computers, carriers and information, the common problems arise from the specifics of the hardware. It is of paramount importance to take precautions against offenders' attempts to do away with physical evidence. For example, offenders can use special hardware that at the critical moment creates a strong magnetic field that destroys magnetic records. A well-known case illustrates the problem: a hacker installed in a doorway a magnetic field that erased magnetic carriers as they were carried out. An offender can also write software that makes the computer periodically demand the correct password and otherwise annihilates all computer data within seconds. Sometimes sharp-witted users install hidden commands that destroy or archive critical information under a password if a certain procedure known only to them is not performed when starting the system.
Given the features of physical evidence in cybercrime cases, including its search and seizure, it is necessary first of all to begin by seizing and analyzing the computer information. Since the search for and analysis of information and software always require special knowledge, an expert should conduct the subsequent investigation.
Analysis and seizure of computer information is carried out both in random-access memory (RAM) and on hard disk drives (HDD), mirror disks, diskettes, magnetic tapes and other media. Remember that switching off a personal computer (PC), or finishing work in a program without saving, causes all RAM data to be cleared and lost. The simplest and most effective way to preserve RAM data is to print the information out.
As with RAM, when information is found on an HDD it should be printed out and attached to the examination record as an enclosure. Extraction of e-mail data from a "mailbox" can be conducted in compliance with the rules for the seizure of postal correspondence.
Hardware and software examination (HSE) is ordered by the prosecution and, in the cases provided by Articles 75 and 76 of the CPC [10], comprises the following:
· examination of material evidence, which involves:
- identifying the source, type and means of data input, output and processing;
- detecting whether software was changed or supplemented;
- restoring damaged or erased files;
- restoring damaged magnetic and other information carriers;
- determining the date at which certain software fragments were executed;
· identifying the author of software and its functions (virus or other), establishing whether it was interpreted and the extent to which it was compiled.
In carrying out the chief tasks of HSE some supplementary tasks can be fulfilled:
· translating documents of technical content (under certain conditions).
Since the examination of computers and information carriers presupposes the seizure of various documents, the investigation also requires criminalistic examination. Dactyloscopic examination allows fingerprints to be identified on documents, computer parts and carriers.
Since in cybercrime cases the search for and seizure of physical evidence require special knowledge, professionals should carry out these activities using the appropriate means and methods. The Department of Criminal Procedure and Criminalistics of the Humanitarian University "Zaporizhzhia State and Municipal Administration" and the Ukrainian Information Security Center have developed the Technical Task "Development of a working place for the expert in cybercrime investigation" (expert working place, EWP). The EWP is an up-to-date software and hardware means for conducting criminalistic examination and allows the following problems to be solved:
Criminalistic examination:
· interpreting the computer information in the case;
· interpreting complex terminology and documents of technical content;
· restoring, where possible, files and records erased from an information carrier, and detecting whether information was erased or modified;
· identifying whether the date and time were changed and when certain records on information carriers and files were installed on the computer;
· deciphering, where possible, encrypted information;
· detecting attacks on archives and documents protected by password access;
· printing the necessary information and non-text documents contained on the hard disk drive (HDD) and on external magnetic carriers;
· determining the developer, the place of production and the information technology used to produce documents;
· evaluating the technical condition of the computer equipment and other IS facilities;
· assessing the value of the computer and peripheral equipment, magnetic carriers and software products;
· assessing the level of proficiency of the practitioners concerned in programming and IS security.
Experts using the EWP can answer the following questions:
· What software is installed in the IS? Is it possible to perpetrate the action the accused is charged with using it?
· What information resources did the IS user work with?
· Are the detected files copies of information held in the particular IS?
· Were the detected documents created in the particular IS? If so, were they erased from the IS afterwards?
· When (day, month, hour, minute), on which IS (whose working place) and by whom (i.e. under whose access password) was the particular information worked with on the IS?
· Did a virus cause the change in the information? If so, which virus, and what effects does it have (erasing, copying, modifying, transferring information, other)?
· Do the files (or the IS) and programs presented contain "program marks"? If so, which, and what effects do they have (erasing, copying, modifying, transferring information, other)?
· Are the documents presented on paper the records that were subsequently typed into the particular electronic documents by the particular IS user?
· Was the computer information subject to erasing, modification or copying?
· What operating regulations (security policy) exist in the information system? Were they violated (work on the IS outside working hours, unauthorized connection of a modem to the IS, installation of unauthorized software, other)?
· Did the violations of the operating regulations cause the erasing, modification or copying of information?
· To what electronic address was the particular information transmitted without authorization (including the person who received it), and what information was transferred?
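Several of the questions above (whether detected files are copies of information held in the IS, whether information was erased or modified, and whether dates and times were changed) reduce in practice to comparing content hashes and timestamps recorded at the moment of seizure. The following script is an added example, written for this page and not part of the original article or of the EWP, showing one way an expert can record a SHA-256 manifest of seized files, match files found elsewhere against it by content, flag timestamp inconsistencies, and later re-verify that the evidence was not altered. All file names, contents, timestamps and the "plausible earliest date" floor are constructed assumptions for the demonstration.

```python
"""Hash manifest, copy matching and timestamp checks for seized files.

Added example (not from the original article or the EWP). All file names,
contents and timestamps below are constructed for the demonstration.
"""
from __future__ import annotations

import hashlib
import os
from dataclasses import dataclass
from pathlib import Path
from tempfile import TemporaryDirectory
from typing import Dict, List

# Assumption: no file on a seized machine should legitimately be dated before
# 1980-01-01 (315532800) or after the moment of seizure.
EARLIEST_PLAUSIBLE_MTIME = 315532800.0


def sha256_file(path: Path, chunk: int = 1 << 16) -> str:
    """Stream the file through SHA-256 so that large carriers fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


@dataclass(frozen=True)
class Entry:
    rel_path: str
    sha256: str
    size: int
    mtime: float


def build_manifest(root: Path) -> Dict[str, Entry]:
    """Hash every regular file under root, keyed by its path relative to root."""
    manifest: Dict[str, Entry] = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            rel = p.relative_to(root).as_posix()
            st = p.stat()
            manifest[rel] = Entry(rel, sha256_file(p), st.st_size, st.st_mtime)
    return manifest


def find_copies(manifest: Dict[str, Entry], candidates: List[Path]) -> Dict[str, List[str]]:
    """For each candidate file, list the seized files with identical content.

    An empty list means the candidate is not a byte-for-byte copy of anything
    seized; a matching file name alone proves nothing, only the hash does.
    """
    by_hash: Dict[str, List[str]] = {}
    for e in manifest.values():
        by_hash.setdefault(e.sha256, []).append(e.rel_path)
    return {c.name: by_hash.get(sha256_file(c), []) for c in candidates}


def timestamp_anomalies(manifest: Dict[str, Entry], seized_at: float) -> List[str]:
    """Files dated after seizure or before the plausible floor: clock or file times were changed."""
    return sorted(e.rel_path for e in manifest.values()
                  if e.mtime > seized_at or e.mtime < EARLIEST_PLAUSIBLE_MTIME)


def verify_manifest(root: Path, manifest: Dict[str, Entry]) -> List[str]:
    """Re-hash the evidence; any missing or differing file indicates alteration."""
    changed = [rel for rel, e in manifest.items()
               if not (root / rel).is_file() or sha256_file(root / rel) != e.sha256]
    return sorted(changed)


def demo() -> dict:
    """Run the whole procedure on constructed data and return the findings."""
    seized_at = 1_000_000_000.0  # constructed seizure time (2001-09-09 UTC)
    with TemporaryDirectory() as tmp:
        seized = Path(tmp) / "seized_hdd"
        other = Path(tmp) / "suspect_diskette"
        (seized / "orders").mkdir(parents=True)
        other.mkdir()
        files = {  # path: (constructed content, constructed mtime)
            seized / "orders" / "transfer.txt": (b"payment order: 80.4 mln UAH\n", seized_at - 86400),
            seized / "notes.txt": (b"meeting notes\n", seized_at - 3600),
            seized / "backdoor.exe": (b"MZ\x90\x00fake-binary", seized_at + 7200),  # dated after seizure
            other / "copy.txt": (b"payment order: 80.4 mln UAH\n", seized_at - 600),
            other / "unrelated.txt": (b"shopping list\n", seized_at - 600),
        }
        for path, (data, mtime) in files.items():
            path.write_bytes(data)
            os.utime(path, (mtime, mtime))

        manifest = build_manifest(seized)
        copies = find_copies(manifest, sorted(other.iterdir()))
        anomalies = timestamp_anomalies(manifest, seized_at)
        verify_before = verify_manifest(seized, manifest)

        # Simulate later tampering with the evidence, then re-verify.
        (seized / "notes.txt").write_bytes(b"meeting notes (edited)\n")
        verify_after = verify_manifest(seized, manifest)

    return {"files_seized": len(manifest), "copies": copies, "anomalies": anomalies,
            "verify_before": verify_before, "verify_after_tamper": verify_after}


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running the script reports that "copy.txt" on the diskette matches "orders/transfer.txt" by content while "unrelated.txt" matches nothing, that "backdoor.exe" carries a modification time later than the seizure, and that the manifest verifies clean until "notes.txt" is edited, after which that file alone is reported as altered. The manifest, once signed and attached to the examination record, is what lets the expert answer "were these files changed" independently of any printout.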
In conclusion it should be noted that the adoption and deployment of new information technologies have given rise to new categories of crime, ranging from the disturbance of an AS to unauthorized access to computer information. Because of the mechanisms and means of their commission and concealment, cybercrimes have particular characteristics: high latency, many offenders who remain unprosecuted, and certain categories of crime that are transnational in character.
Given the relative novelty of the problems that have arisen and the rapid informatization of society, law enforcement faces complicated problems in combating this new social and legal phenomenon, and in particular the problems of its identification and investigation. At present cybercrime lies outside the scope of law enforcement control. In the XXI century it can put national and international security at risk.
1. R. A. Kaluzhnyi, V. D. Gavlovskyi, V. S. Tsymbaliuk, M. V. Gutsaliuk. Issues of the concept of reforming the information legislation of Ukraine // Legal, regulatory and metrological support of information protection in Ukraine: Materials of the international scientific and practical conference. Kiev, 2000. P. 17-21.
2. Criminal Code of Ukraine: Official text with amendments as of February 1996. Kiev: Ukrainian State Law Information Center, Ministry of Justice, 1996. 224 pp.
3. Law of Ukraine "On AS information protection" // Bulletin of the Supreme Rada of Ukraine. 1994. No. 31. P. 286.
4. Statement for the Record of Louis J. Freeh, Director, Federal Bureau of Investigation, on Cybercrime before the Senate Committee on the Judiciary, Subcommittee on Technology, Terrorism, and Government Information. Washington, D.C., 28 March 2000.
5. Analytical review by the NCB of Interpol in Ukraine "On the anti-cybercrime experience of US law enforcement". Information of the Ministry of the Interior of Ukraine, April 4, 1997. P. 2-4.
6. The first bank robbery by computer in Ukraine has been solved. Fakty, No. 126, July 13, 1999. P. 2.
7. Constitution of Ukraine, June 28, 1996. Kiev, 1996.
8. Law of Ukraine "On Information" // Reports of the Verkhovna Rada of Ukraine (VRR). 1992. No. 48. P. 650.
9. Criminal Code of Ukraine: Draft developed by the Cabinet of Ministers of Ukraine. Kiev, 1997. 138 pp.
10. Criminal Procedure Code of Ukraine. Kiev: Jurnicom, 1995. 639 pp.