THE TRAINING OF EXPERTS IN INVESTIGATION OF COMPUTER CRIMES
I. INTRODUCTION
Like many other progressive technologies, computer know-how offers boundless opportunities for both progress and crime. Attacks against networks, fraud, software piracy, technical espionage and distribution of child pornography are only some of the crimes committed on the global information network, the Internet.
Criminal groups are becoming scientifically and technically armed. This is an objective reason for law enforcement to apply modern information technologies and new covert tools of operative detection to combat crime. For example, the PC disks of drug and arms dealers can contain financial data on deliveries and clients. When a criminal uses information technologies to plan or commit a crime, it is possible to retrieve the plan of a murder or theft from the criminal’s computer.
To obtain computer information lawfully, the requisites are special hardware tools, legal provision for installing such tools, and appropriate training of operative detection teams.
Difficulties mainly emerge at the initial stage of transnational cyber crime investigation [1].
The results obtained by the Center of the Study of Computer Crime and the analysis of law enforcement practice on computer crimes show that computer equipment found at the scene should be examined in the criminalistic laboratory only by suitably trained experts.
Another question arises here: where can such experts be found if no Ukrainian higher educational establishment trains them? Thus, training and retraining law enforcement teams to combat cyber crime is an urgent concern.
As is well known, Donetsk Law Institute, the Ministry of Interior of Ukraine, has already taken a step forward. On September 1, 2001, Humanitarian University, Zaporozhzhye Institute of State and Municipal Management, started teaching the Methods of computer crimes investigation to its students.
II. Main Part
The curriculum of the above course provides for 8 themes totalling 81 hours, including 16 hours for lectures, 18 for practical training and 47 for self-training. The purpose of the course «Methods of cyber crime investigation» is to teach the notions and essence of computer information and the main means of its storage and protection, including “Criminal law characteristics of computer crimes”, “Criminalistic characteristic of computer crimes”, “Peculiarities of the initial cyber crime investigation stage”, “Cyber crime investigation at post-initial stages”, “Cyber crime prevention” and “The Methods of prevention and investigation of transnational cyber crimes”.
Theme #1, Subject and Key Notions, deals with the subject and key notions of the course, including confidentiality, integrity and accessibility of information; reasons for the increase in computer crime; the role of information security; law enforcement activity to detect and investigate cyber crimes; and national policy on information protection in automated systems.
Theme #2, Notion and Essence of Computer Information, Main Means of Its Storage and Protection, is devoted to the essence of computer information and its difference from other kinds of information; the main means for its storage; the main transmission media; and the basic means and methods of computer information protection.
Theme #3, Criminal Law Characteristic of Computer Crimes, concerns the criminal law characteristic of computer crimes, including the object and subject of computer crimes; the objective element of computer crimes; the subjective element of computer crimes and its subject; aggravating circumstances in computer crimes; and the differences of computer crimes from adjacent corpus delicti.
Theme #4, Criminalistic Characteristic of Computer Crimes, deals with the ways of committing computer crimes and their mechanisms; the ways of concealing computer crimes; instruments (means) of computer crimes; the situation and scene of a computer crime; traces of computer crimes; data on the subject of a criminal encroachment; and data on individuals committing computer crimes.
Theme #5, Peculiarities of Computer Crimes Investigation at the Initial Stage, is, to my mind, the key theme of the course, as law enforcement practitioners make mistakes mostly at this stage. It is devoted to control situations, the procedure of obtaining explanations and examining the scene, and typical mistakes made during detective activities in computer crime investigation. We pay great attention to the following mistakes:
1. Inexpert use of the computer.
Every investigator must follow one hard and fast rule: never, under any circumstances, work on a seized computer. This rule presupposes that a seized computer is first of all a subject of expert examination. That is why, until the computer is handed over, it is advisable not even to switch it on, as it is forbidden to run any programs on a seized computer without taking precautionary measures (for example, protecting the log or making copies). If protection is installed on the computer’s exit, switching the computer on may cause its information to be destroyed. Nobody should boot such a computer or launch its own operating system.
These measures are urgently needed because it is easy for a criminal to equip his computer with a program designed to destroy the hard disk content or with special files, by installing trap programs on the PC or by modifying the operating system. For example, the usual DIR command (document information retrieval), used to display a disk directory, can easily be modified to reformat a hard disk.
Once both the data and the destructive program have been destroyed, nobody can say for sure whether such programs were purposefully installed on the «suspected» computer or whether negligence in processing the computer-based evidence caused the destruction.
2. Access of an owner (a user) to the examined computer.
It is a serious error for an investigator to admit a user to the examined computer to assist with servicing. According to many foreign sources, there have been cases when suspects were admitted to the seized computers during interrogation about the computer evidence. Afterwards they told their acquaintances how they had coded files ‘right under the policemen’s noses’ while the policemen had no idea what was going on. Nevertheless, this does not always work now. Computer experts make several copies of the information before they admit the suspect to the computer.
3. Not examining a computer for viruses and program “bugs”.
After booting the computer with the operating system from the expert’s diskette or stand computer, the first thing to do is to test for viruses and “bugs”. All the examined diskettes and the hard disk are subjected to this test. An expert engaged in the investigation should test the computer with appropriate software.
The defence must not be given an opportunity to accuse the investigation of intentionally infecting the computer with viruses, of incompetence in conducting investigative actions, or simply of negligence, as it is impossible to prove that the virus was on the computer before the examination. Such a charge will cast doubt on the expert’s efforts and the reliability of the opinion.
From experience, these are the most typical errors made when examining a computer in the investigation of cyber crimes. There is no doubt that the above list does not include all mistakes made when seizing and examining computer information.
Students study appropriate methods and means for avoiding mistakes at the initial investigation stage that can cause computer information to be lost or destroyed.
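One way to carry out the "make copies before anyone works on the data" precaution from mistakes 1 and 2, so that a later dispute over whether the examination altered the data can be checked against a recorded hash. This is an added example, not part of the original paper; the file names, the examiner placeholder and the sample image are constructed, and it assumes an image of the seized disk has already been acquired.

```python
import hashlib, os, shutil, stat, tempfile
from datetime import datetime, timezone

def sha256_file(path, chunk=1 << 20):
    """Hash a file in chunks so a large disk image need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def make_working_copies(image_path, dest_dir, copies=2, examiner="EXAMINER-PLACEHOLDER"):
    """Copy an acquired image, verify every copy, return a record for the case log."""
    reference = sha256_file(image_path)          # taken before anything else touches the image
    os.makedirs(dest_dir, exist_ok=True)
    paths = []
    for i in range(1, copies + 1):
        dst = os.path.join(dest_dir, f"working_copy_{i}.img")
        shutil.copyfile(image_path, dst)
        if sha256_file(dst) != reference:
            raise ValueError(f"working copy {i} does not match the original image")
        os.chmod(dst, stat.S_IRUSR)              # read-only: examination must not write to it
        paths.append(dst)
    if sha256_file(image_path) != reference:     # the original must be unchanged by copying
        raise ValueError("original image changed while copies were being made")
    return {"image": os.path.basename(image_path), "sha256": reference, "copies": paths,
            "examiner": examiner, "utc": datetime.now(timezone.utc).isoformat()}

def verify_copy(path, record):
    """True if the file still matches the hash recorded when the copies were made."""
    return sha256_file(path) == record["sha256"]

def demo():
    """Constructed sample: a small stand-in for a disk image, then a simulated alteration."""
    work = tempfile.mkdtemp()
    image = os.path.join(work, "seized_disk.img")  # hypothetical file name
    with open(image, "wb") as f:
        f.write(b"CONSTRUCTED SAMPLE IMAGE " * 164)
    record = make_working_copies(image, os.path.join(work, "copies"))
    copy = record["copies"][0]
    intact = verify_copy(copy, record)
    os.chmod(copy, stat.S_IRUSR | stat.S_IWUSR)    # simulate a copy being altered later
    with open(copy, "ab") as f:
        f.write(b"\x00")
    return record, intact, verify_copy(copy, record)

if __name__ == "__main__":
    record, intact, still_matches = demo()
    print(record["sha256"], "intact:", intact, "matches after alteration:", still_matches)
```

The returned record is what goes into the case log; any working copy can be re-checked against it at any later point with `verify_copy`.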
Theme #6, Computer Crime Investigation at Post-Initial Stages, is devoted to the methods of interrogation of the accused and witnesses; confrontation; the prescribing of expert examinations.
Theme #7, Prevention of Cyber Crimes, covers circumstances conducive to computer crimes and ways and means of computer crime prevention.
Theme #8, Methods of Prevention and Investigation of Transnational Computer Crimes, involves the problems of transnational computer crime prevention and investigation. As usual, the area of law is closely connected with the technical one, i.e. the use of Internet firewalls to protect computer systems. The theme also includes the Strasbourg Convention on Cyber-crime [2] and international laws on transnational cyber crime investigation. More detailed information on the work program and curriculum of the Methods of computer crimes investigation is available at our Website [3].
No doubt, along with other crimes, transnational cyber crime poses a great threat to people. To my mind, at the same time, Ukrainians are not fully aware of the threat. However, even our little experience and, all the more, foreign achievements unambiguously testify that any nation is vulnerable to attack. Moreover, transnational cyber crime has no bounds, because attacks against any information system in the world do not require the attacker to be physically present at the site of the attack. As a rule, such crimes go beyond the bounds of traditional ones, and very often criminals go unidentified and unpunished. Of special concern is the investigation of crimes whose traces are destroyed or concealed by attackers. Investigation of these crimes can take a week or even a month, which gives an attacker the opportunity to do away with traces and escape punishment.
Here I make some remarks on the content of the practical training. The course provides for 4 practical lessons in computer classes. The subject of the first lesson is “Protection of MS WORD files using access parameters”. Students are supposed to become acquainted with, and learn to use in practice, standard Microsoft Word methods for protecting files by means of passwords, and to identify passwords by means of the Msofpass.exe utility in order to open files for reading and correcting.
Practical Lesson 2 is devoted to the protection of archive files by means of passwords and to the respective measures that prevent passwords from being identified and files from being unarchived.
Practical Lesson 3, based on the well-known Folder Guard 4.08f program, involves studying the use of modern software to allocate rights of access to logical drives, files and directories.
During Practical Lesson 4 students work on the Internet and apply methods of computer steganography. Information on the guidelines for conducting the practical training for “the Methods of cyber crime investigation” is available at our Website: http://www.crime-research.org/eng/library.html
III. Conclusions
Thus, to our mind, in developing the course on the Methods of cyber crime investigation we have taken into account all the drawbacks in the professional training of law enforcement staff specializing in cyber crime prevention and investigation.
So not only is responding to fast-growing attacks technically difficult, but many of the accepted methods of practicing law enforcement are also ineffective. An effective solution can only come in the form of an organic balance between criminal law and criminalistic strategies to combat cyber crime. Moreover, given the rapid development and adoption of modern computer technologies, it is of paramount importance to train and retrain law enforcement experts.
Summarizing all the above, it is necessary to note that other law educational establishments of Ukraine should also take a quick and positive decision on training experts in cyber crime investigation. Establishing the respective specialization within the existing training courses can be a first and immediate step in this direction. Another important requirement is to create the conditions for developing new specializations and training experts and, first of all, faculty staff and experts able to draw up methods, recommendations, textbooks and other materials.
1. V.A.Golubev, V.D.Govlovsky, V.S.Scymbuluke. Information security: the issues as to the struggle against transnational cyber crime. Monograph. Zaporozhzhye: Prosvita Publishing House, 2001. – pp. 198 – 201.
2. Draft Convention on Cyber-crime. STRASBOURG, April 27, 2000 - COUNCIL OF EUROPE. http://www.crime-research.org/library/Draft27.html.
3. Curriculum of the Course “Methods of computer crimes investigation”, http://www.crime-research.org/library/Rabprog.htm.
4. http://www.crime-research.org/library/Cybercr.htm