Use of special knowledge in the investigation of criminal cases on crimes committed with the use of computer technology
Nowadays computers are widely used for information storage and processing. They are also used in criminal activity. In investigations of larceny, embezzlement and economic crimes in the financial and banking sphere there are computers that are either the object of a criminal encroachment or the instrument of the crime, and that carry traces of the criminal act. Thus, during investigative actions such as examination or inspection (article 190 CPC of Ukraine), search (article 190 CPC of Ukraine), seizure (article 197 CPC of Ukraine) and reconstruction of conditions and circumstances (article 194 CPC of Ukraine), in different categories of criminal cases and in investigations in the sphere of computer information, a new object of investigation and research can be identified: computer equipment. The object of a search can be the information stored in the computer memory or on external carriers such as disks and diskettes. It is important to apply specialized knowledge in order to obtain full and complete information about the committed crime.
The use of special knowledge and technical methods by the investigator, the prosecutor-criminalist and the court differs from other forms of their application in its procedural and criminalistic orientation: collecting, recording, examining and using factual data on the circumstances of a specific crime and on the guilty persons involved in it, within the procedural order of investigative actions. The investigator (prosecutor-criminalist) applies his professional criminalistic knowledge, methods, techniques and technical means in order to find, record and seize evidence. The conditions and results of their application are recorded in the minutes of the investigative action and by criminalistic recording methods (photographs, moulds, sound and video recordings, etc.), which together with the minutes are the procedural source of the established facts.
The use of special knowledge by investigators at the pre-trial stage has its own peculiarities. It differs in its direct, clear cognitive orientation towards solving crimes and identifying those involved in them, and towards the complete establishment of the circumstances of the case according to the subject of proof (articles 23, 64 CPC of Ukraine).
While investigating a particular crime, the investigator uses, alongside professional knowledge, many different kinds of knowledge, both in conducting investigative actions in the order established by law and in personally examining the established facts.
The need for the combined use of different kinds of special knowledge follows from the investigator's procedural functions and from the legal requirement of a complete, thorough and objective investigation of the circumstances of the case and of the evidence that establishes them (articles 22, 67 CPC of Ukraine).
By virtue of his profession and procedural functions, an investigator must possess the special knowledge, methods and scientific and technical means needed to establish the circumstances that constitute the subject of the case. For these purposes he has the right to apply special knowledge within his competence throughout the investigation. The investigator studies all the circumstances of the crime; collects, verifies and evaluates the factual data that establish them; determines the direction of further investigation; and makes the decisions necessary to identify the guilty persons, institute criminal proceedings against them, and eliminate the causes and conditions that contributed to the crime.
Crime investigation is a cognitive process of perceiving, accumulating, processing and using criminal information. It is mediated cognition, based on the study of objects that carry information about past objects and events. The result of the investigation is a completed criminal case, which is a well-ordered model of the investigated crime. The whole investigation is the process of forming this model. The information obtained during investigative actions is evaluated by its evidentiary value and has its own place in this model.
Any investigative action requires thorough preparation, which is explained by the peculiarities of computer equipment. The survey of the crime scene includes a) preparatory, b) working and c) final stages, each with its own goals and tasks.
It is very important to obtain the following data during the preparatory stage of a survey or search: the IBM configuration; whether there is a local network or a connection to a global network (such as the Internet); whether an information security service exists; whether protection against unauthorized access is in place that automatically deletes information, for example when the computer case is opened, when the room where the computer is located is opened, or under other circumstances; the condition of the water supply system of the premises where the computer equipment is installed; the users' qualifications; and the relationships among the employees who operate the equipment. A plan for conducting the survey must be drawn up at the preparatory stage.
A high level of computer protection is characterized by a special system for protecting information from unauthorized access or by certified means of protection; permanent guarding of the territory and premises where the computer system is located, by technical means and specially trained staff; a strict pass procedure; specially equipped premises; and an information protection service whose normal functioning and work are controlled.
A low level of protection is characterized by a simple access-limitation algorithm (the database is protected by a password); it is easy to find out how to get past the password, so special access techniques are not necessary.
A survey of the crime scene gives the investigator a chance to establish the crime itself, the time and place of the intrusion into the system, the methods of intrusion, and the disruption of the system's operation.
The characteristic feature of such a survey is that the place of the actual criminal actions and the place where their results materialize can be far apart (for example, in different states). Thus, in cases of illegal interference in the operation of computers, systems and their networks, the trace picture includes:
a) Traces on the magnetic carriers used by the criminal;
b) Traces on "transit" magnetic carriers through which the criminal directly established a connection with the information resources;
c) Traces on the magnetic carriers of the information system to which illegal access was gained.
Besides the survey of the crime scene (the premises where the computers used to commit the crime are located), the computer equipment that served as an instrument of the crime is examined, as are the databases, components and documents that became objects of the crime.
While the examination of the place itself can proceed successfully with tactics that do not differ from the examination of premises in investigations of other kinds of crimes, the examination of computer equipment and its components and the search for computer information that may serve as evidence require special training of the staff who conduct the examination and observance of the special rules for operating and maintaining computer equipment.
Therefore, to obtain the most effective results from the crime scene examination, search, seizure or reconstruction of the conditions and circumstances of the event, persons who possess the necessary special knowledge and skills must be involved in these investigative actions under article 128-1 CPC of Ukraine: an expert in computer science and computer equipment, and preferably also an expert criminalist, because there may be hand prints on the computer devices, metal-working tools, and elements of manual soldering on internal components of the computer devices. Experts in computer security and network technologies must also be involved if local computer networks or the Internet were used in committing the crime. In short, persons who are professionals in the operation of computer technologies must be involved [4, 38].
In systems where information storage is the critical factor, uninterruptible power supplies are used, as well as reserve file servers that hold copies of all files (the system makes the copies automatically at set time intervals). The latter can be taken, as intruders are not always able to delete the copy of system information on the additional servers. For security reasons this information is encrypted and stored in locations inaccessible to users, so it may be possible to determine the method used to bypass the protection and to obtain additional information that will help to identify the intruder.
The tactics for searching computer information are chosen on the basis of the data security in place and the operating state of the computer and its peripheral equipment at the time of the investigative action. It must be determined whether the computer equipment is connected to a local network or to the main computer (server) at the place where the investigative action is carried out. An ordinary computer, not only the main one, may also contain information.
It must be remembered that when information is erased from magnetic carriers, it is not physically erased; it only changes its status. It becomes “invisible” and remains stored until new information is recorded in its place. Thus it can be restored completely with special utilities, or partially when new information has been recorded in its place.
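The following is an added example, not part of the original article, of what this change of status looks like on a FAT-formatted diskette. The FAT file system is an assumption (the article names none), and the directory bytes are constructed for the illustration: erasing a file overwrites only the first byte of its directory entry, so the rest of the name, the starting cluster, the size and the date of the last change can still be read.

```python
import struct
from datetime import datetime

ENTRY_SIZE = 32        # size of one FAT directory entry
DELETED_MARK = 0xE5    # value of the first name byte once the file is erased
ATTR_VOLUME = 0x08     # volume label; long-name fragments (0x0F) also set this bit

def fat_datetime(date, time):
    """Decode the packed FAT date and time words of the last change."""
    try:
        return datetime(1980 + (date >> 9), (date >> 5) & 0x0F, date & 0x1F,
                        time >> 11, (time >> 5) & 0x3F, (time & 0x1F) * 2)
    except ValueError:  # zeroed or damaged timestamp
        return None

def parse_directory(raw):
    """List the entries of a raw FAT directory region, erased ones included."""
    found = []
    for off in range(0, len(raw) - ENTRY_SIZE + 1, ENTRY_SIZE):
        entry = raw[off:off + ENTRY_SIZE]
        if entry[0] == 0x00:            # nothing was ever written beyond here
            break
        if entry[11] & ATTR_VOLUME:     # skip labels and long-name fragments
            continue
        wtime, wdate, cluster, size = struct.unpack_from("<HHHI", entry, 22)
        deleted = entry[0] == DELETED_MARK
        stem = entry[0:8].decode("ascii", "replace").rstrip()
        if deleted:                     # only the first character is lost
            stem = "?" + stem[1:]
        ext = entry[8:11].decode("ascii", "replace").rstrip()
        found.append({
            "name": stem + ("." + ext if ext else ""),
            "deleted": deleted,
            "first_cluster": cluster,   # where the content starts on the carrier
            "size": size,
            "modified": fat_datetime(wdate, wtime),
        })
    return found

def make_entry(stem, ext, when, cluster, size, erased=False):
    """Build one constructed directory entry (attribute 0x20 = ordinary file)."""
    date = ((when.year - 1980) << 9) | (when.month << 5) | when.day
    time = (when.hour << 11) | (when.minute << 5) | (when.second // 2)
    first = bytes([DELETED_MARK]) if erased else stem[:1].encode("ascii")
    return (first + stem[1:].ljust(7).encode("ascii") + ext.ljust(3).encode("ascii")
            + b"\x20" + bytes(10) + struct.pack("<HHHI", time, date, cluster, size))

# Constructed sample: one live file, one erased file, then unused space.
SAMPLE = (
    make_entry("LEDGER", "TXT", datetime(2002, 3, 14, 9, 30, 0), 2, 1200)
    + make_entry("REPORT", "DOC", datetime(2002, 3, 15, 17, 45, 10), 5, 20480, erased=True)
    + bytes(ENTRY_SIZE)
)

if __name__ == "__main__":
    for item in parse_directory(SAMPLE):
        print(item)
```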
During examination, search, seizure and reconstruction of conditions and circumstances, it is necessary to isolate the premises, remove people who have nothing to do with the examination, and prevent unauthorized access to the computer both by those present and through the network connected to the computer. For this purpose, disconnect the network cables on the back panel of the system unit; if the network is accessed over a dial-up telephone line, disconnect the modem's power supply; and if the modem is built into the computer, disconnect the telephone cable from the socket. An uninterrupted power supply must be provided for the equipment under examination.
Programs running at the time of the examination must be closed, after first writing down all system messages on the status of each program at the moment it is halted. Active documents should be saved under new names, leaving their original versions unchanged. It is reasonable to photograph the monitor according to the rules of criminalistic photography and, if possible, to record it.
Computer operations to search for evidence should be entrusted to an expert if the investigator does not possess the necessary knowledge and skills. The minutes record what actions were performed, their sequence and order, and the software used for the search. The goal and content of every action are explained.
Most text and financial programs keep a list of the documents from the latest working sessions and can open them immediately if they have not been erased or moved to another place. Users usually keep documents in directories on the computer disk with standard names: MY DOCUMENTS, DOCUMENTS, DOCS, ARCHIVE and so forth. Document files have a characteristic extension, the part of the file name that follows the dot: *.doc, *.txt and so forth. All computer files keep the date of the last change, and with some programs also the date the file was recorded. The popular software package Microsoft Office, after installation on the computer, keeps a private log file in which the date and time of every start of the computer are recorded. Communication and network programs store the addresses of many of the user's Internet contacts and e-mail documents with the addresses of the sender [3,15].
The results of the search are saved in electronic form on a removable magnetic carrier, printed, and drawn up as a supplement to the minutes.
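One way to produce such a listing, as an added example that is not part of the original article: the script walks a working copy of the disk, picks out files with the extensions named above, marks those kept under the standard directory names, records the date of the last change, and writes a table that can be printed. The SHA-256 column is an addition the article does not describe, the function names are hypothetical, and the sample tree is constructed.

```python
import csv
import hashlib
import os
import tempfile
from datetime import datetime, timezone

STANDARD_DIRS = {"MY DOCUMENTS", "DOCUMENTS", "DOCS", "ARCHIVE"}  # names from the article
DOC_EXTENSIONS = {".doc", ".txt"}                                  # extensions from the article
FIELDS = ["path", "standard_dir", "size", "modified_utc", "sha256"]

def sha256_of(path):
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):  # chunked read for large files
            digest.update(chunk)
    return digest.hexdigest()

def inventory(root):
    """Return one row per document file found under root (a working copy)."""
    rows = []
    for dirpath, _dirs, filenames in os.walk(root):
        parts = {p.upper() for p in os.path.relpath(dirpath, root).split(os.sep)}
        for name in filenames:
            if os.path.splitext(name)[1].lower() not in DOC_EXTENSIONS:
                continue
            full = os.path.join(dirpath, name)
            info = os.stat(full)
            stamp = datetime.fromtimestamp(info.st_mtime, tz=timezone.utc)
            rows.append({
                "path": os.path.relpath(full, root).replace(os.sep, "/"),
                "standard_dir": bool(parts & STANDARD_DIRS),
                "size": info.st_size,
                "modified_utc": stamp.strftime("%Y-%m-%d %H:%M:%S"),
                "sha256": sha256_of(full),
            })
    return sorted(rows, key=lambda row: row["path"])  # stable order for printing

def write_supplement(rows, out_path):
    """Write the listing as CSV for printing and attaching to the minutes."""
    with open(out_path, "w", newline="", encoding="utf-8") as out:
        writer = csv.DictWriter(out, fieldnames=FIELDS)
        writer.writeheader()
        writer.writerows(rows)

def build_sample(root):
    """Create a constructed sample tree standing in for a working copy."""
    for rel, body, mtime in [("My Documents/contract.doc", b"draft", 1000000000),
                             ("TEMP/notes.TXT", b"notes", 1000003600),
                             ("TEMP/setup.exe", b"MZ", 1000007200)]:
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as handle:
            handle.write(body)
        os.utime(full, (mtime, mtime))

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        print(inventory(tmp))
```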
There is no need to limit the search for information to the computer. All documentation should be looked through, including scraps of paper, since programmers do not rely on their memory and make notes of passwords, changes to system configuration, and details of how the computer database is organized. Many users keep copies of files on diskettes to prevent their loss if the computer fails. That is why any data carriers found should be withdrawn and studied.
In special cases the investigative actions must include a search for hiding places where removable computer data carriers may be stored and, with the expert's help, opening the cases of computer hardware to reveal internal data carriers that have been deliberately disconnected, for example an additional hard disk.
When experts are not involved, it is reasonable to carry out a seizure in order to avoid accidental or deliberate alteration of the information in the computer. The characteristic features, specifications and quantity of the seized equipment are recorded in the minutes.
The basic rules of computer operation and maintenance must be followed to avoid failures at the hardware and software levels:
- Do not subject the equipment to vibration or impacts;
- Do not connect or disconnect peripheral devices while the computer is running (exceptions are devices connected to the serial ports COM1/COM2: mouse, modem);
- Motherboard expansion cards may be removed and installed when the computer is switched off;
- Keep magnetic information carriers away from electromagnetic radiation, excessively high and low temperatures, liquids and mechanical impact;
- Switch off the computer following the shutdown procedure. Failure to observe this rule will lead to errors in software operation, to partial or complete loss of information on magnetic carriers, and to software failure.
It is unacceptable and invalid to record only that the computer is being seized. If the computer is sealed by the manufacturer, its serial number must be noted and the documentation for it withdrawn or seized. If the serial number is absent or the manufacturer's seal is damaged, the hardware configuration of the computer must be established:
- Type and model of the central processor (this information is displayed during the hardware test at start-up);
- The amount of operating memory (displayed on the line following the information about the type of the central processor);
- Type and model of the magnetic disk drives (displayed during start-up after the memory test, or given on the device labels).
After this procedure, all sockets and cables on the back panel of the system unit must be marked (this will help to reconstruct the device connections in the future).
During the hardware examination, attention is paid to the type and model of the microcircuits on the motherboards, the names of the motherboards, and the serial numbers and models of the storage devices.
During examination of the motherboards it is forbidden to touch contacts and microcircuits with metal items or hands. Microcircuits are very sensitive to static electricity and can fail. Thus, before examining the computer's central units, remove the static charge from yourself by holding a central heating pipe or a water supply pipe.
Together with the computer, magnetic data carriers are withdrawn or seized (diskettes, streamer cartridges, removable "winchesters") on which information is stored that will make it possible to reconstruct the state of the system before the unauthorized interference in its operation and to determine the method and consequences of that interference.
When withdrawing computer equipment, find out from the responsible persons or the network manager the passwords and access codes for the computer resources.
Magnetic carriers are numbered beforehand on their diskette labels and packed into sealed packages. They are kept and transported in special containers, in standard diskette cases, or in other factory-made aluminium cases, which exclude the destructive action of electromagnetic fields and indirect radiation, including that of the metal detectors used for luggage checks at airports. Computers should not be stacked on each other, nor should other objects be placed on them. Computers should be kept in dry, warm premises free of cockroaches, spiders, ants and rodents, which may cause equipment malfunction and damage to information carriers [2, 193].
The literature recommends withdrawing or seizing all computer equipment found during the examination, search, or reconstruction of the conditions and circumstances of events. But it is impossible to agree with this idea completely.
Programs play a significant role in the computer, and documents are just a part of it. Besides the technical difficulties there are also economic ones: if its computer fails, a bank can "hold on" for no more than two days, a wholesale firm for 3-5 days, and an insurance company for 5-6 days. In this situation claims are possible on the part of the organization that suffered losses [3, 14].
Timely and correct withdrawal and seizure of computer information and computer equipment contribute to the efficiency of the subsequent computer-technical expert examination, which is appointed in order to obtain the information stored on magnetic carriers and to identify traces of criminal activity.
Special knowledge in the sphere of information science and computer engineering (computer technologies and software) is the basis of the expertise.
The subject of computer-technical expertise is the tendencies in the formation and study of computer systems and in the circulation of computer information, and the examination, on the orders of investigative and judicial bodies, of the facts and circumstances in which these tendencies manifest themselves.
Computer-technical expertise solves both identification and diagnostic (non-identification) problems. According to the goal of the research, the following kinds are distinguished within computer-technical expertise: technical expertise of computers and their components, and software expertise. The first studies the design features and condition of the computer, its peripheral equipment, magnetic information carriers, etc., the computer network, and the causes of deviations in the computer's operation.
Software expertise is appointed to study the information stored in the computer and on magnetic carriers.
Other kinds of expertise can be appointed in these cases: trasological, for the study of break-in traces; dactyloscopic, for traces of hands on external and internal surfaces of computers and their components; judicial-economic (financial and economic, accounting, economic-statistical and so forth), when a crime in the sphere of computer information circulation is connected with crimes in the financial sphere; technical-criminalistic examination of documents, when the computer is used as a means of counterfeiting documents, money and so forth; phonoscopic, when diskettes contain recordings of a person's speech that must be identified with that of the suspect in the committed crime.
1. Criminal-Procedure Code of Ukraine. - K.: Atika, 2001. - 208 p.
2. Bilenchuk P.D., Zimbalyuk V.C. Computer Crime. Studybook. - K.: Atika, 2002. - 240 p.
3. Komissarov V., Gavrilov M., Ivanov A. Search with computer information extraction. // Legality. 1999, No. 3, p. 12-15.
4. Selivanov N.A. Problems of fighting with computer crime. // Legality. 1993, No. 8, p. 36-40.