Vladimir Golubev

 

PECULIARITIES OF INVESTIGATING CYBER CRIMES

      

  Rapid introduction of up-to-date information technologies into economy, management and, in particular, banking provoked arising new crimes - cyber crimes. In opinion of criminologists and international experts the cited above poses a very serious threat both the economy and information security - an essential of national security.

As it stands today, of primary concern is to combat the new threat. The reason is that while computer technologies are rapidly making progress and reliance on the Internet is increasing the legislation on information and legal procedures governing cybercrime combat activities do not keep in step with these advances yet. [1].

To provide liability for cyber crimes by amending the Criminal Code (CC) of Ukraine, in particular Article 198¹  "Disturbance of automated systems (АS) [2], would necessitate criminalistic study of new sorts of crime including identification and detection, development of criminalistic characteristics and finally recommendations for investigation.

The law "On computer information protection" was adopted in 1994. The law provides the legal basis for realizing and protecting information property right in the cited above area and for solving the cybercrime problem in general [3].  However, the practice has highlighted the law incomprehensive because of drawbacks in its drafting. As result the law lags behind the information advances that have taken place in the community recently.

Cyber crime and in particular its transnational expansion is on of the international problems provoked by prevailed reliance on global information networks, especially the Internet as the primary infrastructure that has already united most countries through out the world. The adoption of networked systems is likely to continue to increase. In the developed countries cyber crime causes severe financial losses. AS owners and users have to spend a great deal of money on developing and implementing software, hardware and other tools to protect information from unauthorized access, defacement and destruction.

According to the information by the FBI director, their cyber crime caseload doubled last year. In 1998 the bureau opened 547 computer intrusion cases; in 1999, that jumped to 1154. The national statistics tell the story. In the USA 90% respondents detected security breaches on Internet in 1999. At least 74% of respondents reported security breaches including theft of property information and financial fraud.   Information theft and financial fraud caused the most severe financial losses, put at $68 million and $56 million respectively. The losses from 273 respondents totaled just over $265 million. Losses traced to denial of service attacks were only $77,000 in 1998, and by 1999 had risen to just $116,250. [4]. 

Cibercrimes are of the following characteristics. It is of high latency. It is complex to identify and investigate, to prove such cases to the satisfaction of the court. It is an increasingly global problem under using the Internet and suffering huge damage in even in one incident. According to the statistics the US law enforcement detect only 5% of cyber crimes. About 20% of them are prosecuted. [5].

Unfortunately Ukraine has no official cyber crime statistics. Though the June 1999 criminal case is evident that these categories of crime pose a great threat to social security. The case materials tell the story. On October 23, 1998 the intruders gained unauthorized access to the AS of Ukraine National Bank Administration Vinnizckaya Region and illegally transferred 80.4 mln. hryvnas (20 mln. $ exchange rate of UNB at a point of the commission) from the bank surplus fund. The eight months investigation by organized crime strike force officers was successful. The Strike Forces Chief Administration, Ministry of Interior developed the plan. The followed-up eleven simultaneous searches   led to the arrest of about 30 individuals involved in this sensational criminal case. The officers detected and seized 81 thousand $ just only at one of perpetrator's dwelling. [6].

Government and private sector especially suffered from attacks especially under their banking activities give no much credence to the law enforcement capability to detect such crimes. It chiefly accounts for high latency. We believe that high latency and low level of incidents' detection, above all, is caused the challenges that cybercrime and technology present for law enforcement agencies to bring a criminal action. The cited above is sequent of the complexity to classify criminal acts and the peculiarities to conduct certain investigative activities. 

Based on the analysis of the Ukraine's legislative policy as to information relationships, viz. social relationships under owning, utilizing and using information we can make the conclusion that having both positive and negative features the current legislation is not still and all exhaustive and adequate to address the expanding criminal threat effectively.

First of all it should be noted that one of the positive steps is government’s recognition of the right to information property. Thus, under Article 41, Constitution [7] information is a subject of national security that is provided by the laws «On information», of October 2, 1992 [8], «On AS information protection» [3] and Article 198¹ , CC [2].

The law «On AS information protection» establishes the legal mechanism to regulate relations as to protecting AS information under the current legislation guaranteeing the citizens of Ukraine and legal entities the right to information property including the right to information access and the right to information owner to protect it and restrict access to information.

The law applies to any AS information. It specifies the objects that subject to law protection   — information under processing in AS, rights of information and AS owners and users (Part 1 Article 2). Under the law any AS information is subject to protection. An information owner or the current legislation determines the necessity to protect information. (P. 2 Art. 2). It provides for general requirements as to information protection (Art. 11) and disciplinary, administrative, criminal and pecuniary responsibility for the law violations. (Art. 17).

It is the cited above provision that creates the law basis for enacting Article 198¹ , CC. The former regulates criminal and law guard of the range of the cited above social relationships. The Article 198¹ , CC provides for the liability for two independent criminal acts:

1) intentional break into AS work that led to defacement or destruction of information or information carriers;

2) dissemination of software and hardware devices designed to gain unauthorized access to AS and cause defacement or destruction of information or information carriers.

As is well known the Supreme has already adopted the draft Criminal Code (DCC) in second reading. The draft committee of the Cabinet of Ministers developed the draft CC and included new Section 16 " Automated and electronic computer systems-related crimes"  [9].

To our mind Section 16 does not contain clear terms, which moreover haven't been brought to conformity with the current information legislation. The first variance is in terms “automated and electronic computer systems” and “automated system” in Section 16 and the law "On Information protection "respectively. The lack for terminology coordination can lead to confusion when interpreting and applying the Articles of the cited above section.

We consider it groundless that the draft committee included Article 198¹  ,CC, in Article 332, the DCC, practically unchanged. The main drawback of the cited above transference is an attempt to unite two encroachments characterized by different objects into one provision:

·         Violation of AS operation regulations;

·         Unauthorized use of the means specified.

Such approach is inconsequent as Art.334; DCC is primarily and completely devoted to incidents when breaking AS operation regulations.

Another drawback is that the terms used in the headline of Art.334, DCC do not reflect the specificity of information-related crimes, provided that the Article's dispositions are specified and interpreted. Besides, we consider it inconsequent to overburden the dispositions of the cited above acts. The former can be classified according to the general provisions, i.e. computer information extortion. In that case the specificity of the object of encroachment is not appropriate for such specialization.

Let us discuss main circumstances that are binding for identification in criminal cases of the cited above category in compliance with the current legislation, viz.: object and instrument of a crime, objective and subjective crime essentials and subject of a crime.

            Under the law “On AS information protection”, the crime object is legal relationships as to AS information protection.

            Under the present CC [2], the crime object is:

·       automated system (AS) - system of data automated processing. It contains technical facilities for data processing (calculation and communication devices) including methods, procedures and software;

·       information carrier — individuals, field and signals, chemical medium, data stackers in information systems;

·       information utilized in AS — the aggregate of all data and programs used in AS regardless of means of physical and logical presentation;

·       software and hardware tools of/for unauthorized access.

Objective element (actus reus) of crimes is characterized by intruding into AS or disseminating hardware and software devices of/for unauthorized access to AS, which can cause defacement or destruction of information or its carriers.

            Subjective element (mens rea) is characterized by intent as to the acts committed by the accused. The criminal's mental state as to the results caused defacement and destruction of information or its carriers can be characterized as both a direct or indirect intent and negligence. Under disseminating software and hardware for unauthorized access to AS the intent is only direct as mens rea of such crime identifies the accused's mental state toward the acts committed. Motives and objective can be different and evident that AS has been intruded in order to commit other crimes.

            The peculiarities of crimes involving dissemination of software and hardware of/for intruding into AS are that objective element is the criminal actions per se irrespective of damage caused, i.e. defacement or destruction of information or its carriers.

            The peculiarity of crimes involving breaking into AS consists in that that besides different acts against AS, the obligatory indications of their objective element are also defacement and destruction, i.e. disturbance of its integrity (destruction, defacement, modification and annihilation) and casual relationship between conduct and result.

Intrusion into AS is considered any evil and intentional acts [2], that influence AS information processing, i.e. the entity of all operations (storage, input, record, transformation, reading, preserving, deletion, registration) under using software and hardware devices including data exchange through transmission channels. When perpetrated an attack against AS causes AS disturbance and defacement of information processing that all, in its turn, inflict defacement and annihilation of information and its carriers.

Annihilation of information is loss of information, i.e. individuals and legal entities having a full or limited right to the information property cannot use AS information. Under annihilation, loss of information should be also considered as it’s blocking, i.e. AS user trying to access the system is denied its service (one of the examples related to such acts is the well-known attack - Distributed Denial-of-Service Attack (DDOS)). AS disturbance can inflict harm on information transmission channels including channels connecting information processing and preserving hardware in AS and separate ASs. As the result information transmitted for processing is erased or defaced.

Information defacement should be understood as changing its content, disrupting its integrity including its partial destruction.

Subject of such crimes can be any individual liable to prosecution and coming of 16 y.o. including an AS insider who is charged with managing and serving AS by AS owner or his representative. A special subject is most often personnel serving AS, users and other insiders, whose professional duties involves information handling and information services. When formed organized groups engage computer experts, managers and other executives in their activities. Members of a criminal group can reside in various places and in different countries.

Discussing the difficulties that law enforcement faces in practice it should be taken into account the peculiarities under investigating cybercrimes including examination at the scene, search and seizure, victims and witnesses interrogation and expert examination. To be admitted probative the facts are to be obtained from sources under observing the rules provided by the criminal procedure code.

Another critical factor is lack of suitably trained staff to prevent and combat cyber crime. As discussed above, cyber offenders are highly qualified practitioners, so- called criminals-intellectuals. Unfortunately, law enforcement officers are not able to execute effective and reliable incident response. The check-up materials and criminal cases (if they were initiated) are not lawfully sufficient. Criminals remain unpunished. Thus it is obligatory to engage computer professionals in cyber crimes investigation. International law enforcement experience corroborates the cited above need.

Here we consider the procedure of collection evidence under investigating cyber crimes.

Examination at the scene. Arriving at the scene of action investigators are to implement measures to ensure computer information and peripheral memory safety. It is necessary:

·       to prohibit the inside personnel from access to computer equipment;

·       to prohibit the inside personnel to switch off computer equipment;

·       in case if the object has been disconnected from the electricity, before the examination it is necessary to switch off all computer equipment in the premises under search;

·       not to carry out any computer devices manipulation if the final result is unpredictable;

·       to transport dangerous agents, materials and devices (electromagnetic, explosive, toxic and other) from the premises under examination.

Implementing the cited above obligatory measures one can go to examine the scene of the action and collect real evidence. Under that it should be taken into account the following:

·       insiders' attempts to do damage to computer equipment in order to erase information if the personnel are involved in a crime;

·       special unauthorized access security means in a computer system that automatically erase all information if a certain code is input at the fixed time;

·       other anti-access security means.

Search and seizure of real evidence. Under searching and seizing computers, carriers and information the common problems arise from the hardware specificity. It is of paramount importance to take precautions against offenders' attempts to do away with real evidence. For example, offenders can use special hardware that at the critical moment establishes high magnetic field causing magnetic records destroyed. A well-known case illustrates the problem. In the doorway a hacker established such magnetic field that erased magnetic carriers when brought out. Any offender can create software that makes a computer periodically demand a right password input otherwise in seconds all computer data are annihilated. Sometimes sharp-witted users establish hidden commands that destroy or archive critical information under a password if certain procedure known only by the users is not implemented to start the system.

Taking into consideration the features of real evidence including their search and seizure in cybercrime cases it is necessary first of all to start at seizing and analyzing computer information. As search and analysis of information and software always requires special knowledge an expert should conduct subsequent investigation.

Analysis and seizure of computer information is carried out both in random-access memory (RAM) and HDD - hard magnetic disk drives, mirror disks, diskettes, magnetic bands and others. Remember that the switching off PC (personal computer) or completing work at the certain program and not storing the former it led to all RAM data cleaned and destroyed. The simplest and most effective way to hold data in RAM to outtype the information.

As is well known, information is filed and ordered in catalogues (directories) in HDD. It is necessary to search for "hidden" files and archives that hold important information. Under detecting files encrypted or protected by password the former should be subject to decryption and decoding by the respective experts.

Just as in case of RAM, when detecting information in HDD the former should be outtyped and printed in the form of examination records' enclosures. Extraction of e-mail data from "mailbox" can be conducted in compliance with the rules of post collection.

When extracting, transporting and preserving material evidence including PC and magnetic carriers require particular precision. It is necessary to protect the former from blows, high temperature, moisture and tobacco smoke. All the external disturbances cited above can cause the data, information and equipment's peculiarities lost. Under search and examination an expert should remember about collecting traditional evidence, for example - fingerprints on the keyboard, switches and other. All devices of a concrete computer should be examined. When analyzing the results under assistance of an expert the examination conducted will facilitate to reconstruct the crime and to obtain important evidence.

The optimal procedure of seizing a computer and magnetic information carriers is to register them at the place under examination and to pack the former in order to assemble the equipment successfully, correctly and accurately as it was detected in the scene both in the laboratory and any place for examination. An expert should take into account that certain hardware and software environment is of limited use. It means that, the environment disturbed or lack for the data about it's accurate fixing (including at the place where the former was detected) can influence not only the effective examination under investigation but the court's evaluation of the sufficiency of evidence whether or not a crime is committed. Thus, when searching or examining the sort of the computer software an expert can detect the tasks for which the computer was used. For instance, if the computer has a net software and modem link the former is an evidential fact that using such AS an intruder can obtain unauthorized access in any distant computer.

Hardware and software examination (HSE) is assigned under prosecution and in cases provided by Articles 75 and 76, CCU [10], to conduct the following examination:

·         establishing the correspondence of a certain computer system or network with the standard and the examination of the system by the special tests.

·         Material evidence examination must involves the following:

-  Identifying the source, sort, means of data input, output and processing;

-  Detecting if software devices were changed and  supplemented;

-  Restoring the files if defected or erased;

- Restoring magnetic and other information carriers if defectedї;

- Determining the date of certain software fragments fulfilled;

·         Identifying software author and its functions (virus or other), establishing the fact of its interpretation and the limits of compilation enabled.

Under carrying out the chief requirements of HSE some supplementary tasks can be fulfilled:

·       Evaluating the value of computer equipment, peripheral devices, software products and examining the contracts on delivery of the cited above objects;

·       Establishing if certain individuals are appropriate experts in programming and computer technology;

·       Translating the technical-in content documents  (under certain conditions).

As examination of computers and information carriers presupposes seizing different documents, the investigation requires criminalistic examination conducted. Dactyloscopic examination allows identifying fingerprints on the documents, computer parts and carriers.

Taking into account that in cybercrime cases search and seizure of real evidence requires special knowledge professionals should carry out the cited above activities implementing respective means and methods. The Criminal Procedure and Criminalistics Department, Humanitarian University “Zaprozhsky State and Municipal Administration» and Ukrainian Information Security Center developed the Technical Task "Development of the working place for the expert in cybercrimes investigation – expert working place (EWP). The development and implementation of EWP is an up-to-date software and hardware means to conduct criminalistic examination and allows to solve the following problems:

 Criminalistic examination:

·         interpreting computer information in case;

·         interpreting complex terminology and documents of technical contents;

·         restoring, if possible, files and records erased on information carrier, detecting if information was subject to erasing and modifying;

·         identifying if the date and time was changed and if certain records on information carriers and files were installed in computer; 

·         deciphering, if possible, encrypted information;

·         detecting attacks on achieves and documents protected by password access;

·         printing necessary information and non-text documents contained in hard disk drive (HDD) and external magnetic carriers;

·         determining the developer, the place of production and the means of information technology to produce documents;

·         evaluating technical health of computer device and other IS facilities;

·         stating the value of computer and peripheral facilities, magnetic carriers and software products;

·         assessing the level of appropriate proficiency of respective practitioners in programming and IS security;

 

Experts who apply WRE can answer the following question:

·       What programming facilities are installed in IS? Is it possible to perpetrate the action that the accused is incriminated with?

·       What information resources did IS user work with?

·       Are the detected files the copies of information in the certain IS?

·       Are the detected documents the ones that were created in the certain IS?  If so, were the former erased in IS afterwards?

·        When (day, month, hour, minute) and on what IS (whose working place?) did an individual (i.e. by whom and whose is the access password) work with the certain information on the IS?

·       Does virus cause the information turn? If so, what virus? What effects does the virus have (erasing, copying, modifying, and transferring information and other)?

·       Do the files represented (or IS) and programs contain “program marks”? If so, what “program marks”? What effects does the former have (erasing, copying, modifying, and transferring information and others)?

·       Are the documents presented on paper carrier the records that afterwards were typed by the concrete IS user in the concrete electronic documents?

·       Was the computer information subject to erasing, modifying, and copying?

·       What IS operational regulations (security policy) exist in the information system? Were the regulations broken (work at IS at overtime, unauthorized connection of modem and IS and installation of unauthorized software and other)?

·       Did the operation regulation violations cause erasing, modifying and copying information?

·       What electronic address was subject to unauthorized transmission of the concrete information (including a person, who obtained the information) and what information was transferred?

 

In conclusion it should be noted that adoption and deployment of new information technologies provoked new categories of crimes, in particular ranging from AS disturbance to unauthorized access to computer information. On account of the mechanism and means of commission and concealment cybercrime is of particular specificity including high latency, many offenders remain unprosecuted and certain crime catogories are of transnational character.

Under relative novelty of problems arisen and rapid public informatization the law enforcement faces complicated problems to combat this new social and law phenomena and in particular the problem of identification and investigation. At present cybercrime is outside the scope of law enforcement control.  In the XXІ century it can put national and international security at risk.

 

1.    R. A. Kaluzhnyi, V. D. Gavlovskyi, V. S. Zcymbaluke, M. V. Guzcaluke. Issues as to the concept of reforming information-related legislation of Ukraine // Law, statutory and metrological providing for information protection in Ukraine: Materials of international scientific and practical conference. —К, 2000. —P.17-21.

2.    Criminal Code of Ukraine: Official text with amendments dated by February 1996. -Kiev: Ukrainian State Law Information Center, Ministry of Justice, 1996. – 224 pp.

3.    Law of Ukraine “On AS information protection “. //Release of Supreme Rada/#31/ 1994–286 pp.

4.    Statement for the Record of Louis J. Fresh, Director Federal Bureau of Investigation on Сybercrime Before the Senate Committee on Judiciary Subcommittee for the Technology, Terrorism, and Government Information Washington, D.C.— 28 March 2000.

5.    Analytical Review by NCB of Interpole in Ukraine “On anti-cybercrime experience of the law enforcement of the USA”. The Information of the Ministry Interior of Ukraine, April 4, 1997— p.2-4.

6.    In Ukraine a first bank robbery through computer has been disclosed. - Facts/#126/July13, 1999/p.2.

7.    Constitution of Ukraine, June 28, 1996. — Kiev/1996.

8.    Law of Ukraine «On Information» // Verhovna Rada of Ukraine Reports (VRR). — 1992/#48/p.650.

9.    Criminal Code of Ukraine: the Draft developed by the Cabinet of Ministers, Ukraine. — Kiev/ 1997 — 138p.

10.  Criminal Procedure Code of Ukraine. – Kiev: Jurnicom /1995/ p.639.