On the evidentiary value of log files.
I. Sobetsky
The fight against crime in the high-tech sphere is currently gaining momentum. Since the adoption of the new Criminal Code of the Russian Federation, which includes Articles 272-274 on liability for crimes in the sphere of computer information, the relevant departments have been created within the Ministry of Internal Affairs of the Russian Federation and have begun active work. Criminal cases on crimes in the sphere of computer information are heard by the courts, and they often end in convictions of specific offenders. Recently, in addition to some private detective services, even the security services of large firms have taken up the investigation of incidents in the sphere of computer information, relying on employees of very dubious qualifications.
As practice shows, when a crime in the field of computer information is detected and investigated, the investigator builds a chain of evidence: data from the inspection of the scene, then research, then inquiries, then identification and detention of the offender. At the first stage, in accordance with Articles 164, 176 and 177 of the Criminal Procedure Code of the Russian Federation, the scene of the crime is inspected, that is, the computer system that was subjected to the attack. During this inspection, the investigator seizes and attaches to the case various log files: firewall logs, operating system and application logs, and so on. After analyzing these log files, the specialist determines the tactics of the further investigation. Depending on the circumstances of the case, log files are then obtained by seizure, or even by search, from provider and hosting companies, from companies providing wired communication services, and from other places. From these log files, at a minimum the location of the suspect is established, and sometimes identity information such as passport details or a photograph. The data from these log files is then presented as evidence in court.
Naturally, in such a situation all participants in the trial face the question: how is the evidentiary value of the log files attached to the criminal case ensured? In other words, are log files admissible evidence in criminal proceedings? This question is very actively discussed on many sites devoted to security issues, including http://securitylab.ru. According to my observations, however, the most active participants in these discussions are people who have never taken part in a real investigation of a crime in the field of computer information and, moreover, have never represented either the prosecution or the defense in court. In such discussions the online community has mostly arrived at the following highly debatable conclusions:
- Log files seized from the victim's computer have no evidentiary value, since they could have been changed beforehand either by the victim himself or by third parties against his wishes, and after the seizure they can be modified by the investigator, the specialist or law enforcement officers.
- Log files obtained from provider companies have no evidentiary value, since under the Law of the Russian Federation «On Communications» a provider has no right to give anyone information about the private life of citizens without a court decision, and a court will not issue such a decision on the strength of the investigator's suspicions alone (after all, by this reasoning, the log files from the victim's computer have no evidentiary value).
- The results of an expert examination of any computers (including those seized from suspects) have no evidentiary value, since to carry out such examinations the expert must use methods certified by the Ministry of Justice and be employed by a specialized expert institution, and at present there are no such specialists on the staff of the expert institutions of the Ministry of Justice (or even of the Ministry of Internal Affairs and the FSB, as the author notes).
- To prevent crimes in the field of computer information, it is necessary to develop special “Internet legislation” and “Internet law”, since ordinary laws cannot operate in cyberspace.
Based on these considerations, it is easy to draw the erroneous conclusion that proving any crime in the field of computer information is currently virtually impossible. And, as a result, some visitors to such forums, who do not have sufficient legal training, often commit offenses themselves, after which they are easily prosecuted.
In fact, the difficulties that arise when assessing the evidentiary value of log files are easily resolved within the framework of current legislation. As in many other areas of life, theory does not survive its first clash with practice. Just as the first circumnavigation of the globe refuted the flat-Earth theory, the very first court hearing in the case of a citizen accused under Article 272 of the Criminal Code of the Russian Federation refuted these home-grown legal theories. The accused (in the city of Volgograd) received a suspended sentence of two years of imprisonment, and practicing lawyers gained valuable experience that was later applied in the investigation of criminal cases under Articles 272 and 273 of the Criminal Code of the Russian Federation in various constituent entities of the Russian Federation.
For a better understanding of what follows, consider a simple example comparing computer crime with ordinary crime. Suppose a robbery and murder have been committed. The victim's relatives contact the police, and the investigator recovers from the body a bloody knife bearing the killer's fingerprints. The killer is identified and detained on the basis of the fingerprints. In his defense, however, he states that his fingerprints on the knife were fabricated by the investigator or by the victim's relatives, and that the items stolen from the apartment were planted on him by the police; that is, he is innocent and demands immediate release. Such a statement is not as absurd as it seems: any investigator can remember many «clients» who told stranger stories. In practice, it is a sure way to receive the maximum sentence under the article charged.
The investigator and the court evaluate the evidence in the case on the basis of Articles 87 and 88 of the Criminal Procedure Code of the Russian Federation. Under Article 87, «the verification of evidence is carried out by the inquiry officer, investigator, prosecutor or court by comparing it with other evidence available in the criminal case, establishing its sources, and obtaining other evidence confirming or refuting the evidence being verified». Under Article 88, «each piece of evidence is subject to assessment in terms of relevance, admissibility and reliability, and all the evidence collected, taken together, in terms of sufficiency for resolving the criminal case». The same article states that specific evidence in a criminal case may be deemed inadmissible (that is, having no legal force) either by the investigator or by the court.
It is obvious that, during the investigation of a criminal case on a crime in the sphere of computer information, the investigator is unlikely to recognize log files he personally seized as inadmissible evidence. The only option for the accused is to file a corresponding motion directly at the court hearing. The motion will then be considered under Article 234 of the Criminal Procedure Code: «When considering a motion by the defense to exclude evidence on the grounds that the evidence was obtained in violation of the requirements of this Code, the burden of refuting the arguments presented by the defense lies with the prosecutor. In other cases, the burden of proof lies with the party that submitted the motion.» Thus, if the investigator and operatives committed no procedural violations when seizing the log files, the fact of their forgery by the victim or by third parties will have to be proven by none other than the accused himself. And he will have to experience in full the wisdom attributed to Confucius: «It is difficult to catch a black cat in a dark room, especially when it is not there!»
When inspecting the crime scene and seizing log files, the only novelty compared to ordinary crimes is the need to ensure the presence of sufficiently competent attesting witnesses during the inspection, who understand the meaning of the actions taken by the investigator (and, possibly, by the specialist he invited) to seize the log files. In all other respects, inspection of the crime scene is one of the most routine and best-described investigative actions in the specialized literature. Therefore, once the problem of the competence of the attesting witnesses is solved, any other procedural violations are extremely unlikely, and as a result it is usually impossible to challenge the evidentiary value of log files seized from the victim's computer.
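The forum objection that seized log files could be altered after the fact is answered procedurally above; on the technical side, the usual way to make that objection checkable rather than merely assertable is to fix a cryptographic digest of every seized file in the inspection record, so that any party can later recompute the digests and see whether the files still match what was seized. The following Python is an added example written for this page, not code from the article and not a procedure prescribed by Russian law; the file names, log lines and the "later edit" are constructed for the demonstration.

```python
"""Tamper-evidence for seized log files.

Added example, not part of the original article and not a prescribed
procedure under any law. At seizure, a digest of each log file is recorded;
later, anyone (prosecution, defense, court) can recompute the digests and
see whether the files still match what was seized. File names and log lines
below are constructed for the demonstration.
"""
import hashlib
import json
import os
import tempfile

HASH_ALGO = "sha256"


def hash_file(path, algo=HASH_ALGO, chunk_size=1 << 20):
    """Stream the file through the hash so large logs need not fit in memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk_size), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(directory, names, algo=HASH_ALGO):
    """Manifest to be written into the seizure record: name, size and digest per file."""
    files = {}
    for name in names:
        path = os.path.join(directory, name)
        files[name] = {"size": os.path.getsize(path), "digest": hash_file(path, algo)}
    return {"algorithm": algo, "files": files}


def verify_manifest(manifest, directory):
    """Recompute digests; return {name: 'ok' | 'modified' | 'missing'}."""
    algo = manifest["algorithm"]
    result = {}
    for name, rec in manifest["files"].items():
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            result[name] = "missing"
        elif os.path.getsize(path) != rec["size"] or hash_file(path, algo) != rec["digest"]:
            result[name] = "modified"
        else:
            result[name] = "ok"
    return result


# Constructed sample logs standing in for files seized from the victim's machine.
SAMPLE_LOGS = {
    "auth.log": (
        "Mar  3 02:14:07 srv sshd[4121]: Failed password for root from 198.51.100.23 port 51022 ssh2\n"
        "Mar  3 02:14:09 srv sshd[4121]: Accepted password for root from 198.51.100.23 port 51022 ssh2\n"
    ),
    "firewall.log": (
        "2003-03-03 02:13:58 DENY TCP 198.51.100.23:51001 -> 192.0.2.10:23\n"
        "2003-03-03 02:14:05 ALLOW TCP 198.51.100.23:51022 -> 192.0.2.10:22\n"
    ),
}


def demo():
    """Seize, record the manifest, then show that later changes are detected."""
    with tempfile.TemporaryDirectory() as d:
        for name, text in SAMPLE_LOGS.items():
            with open(os.path.join(d, name), "w", encoding="utf-8") as f:
                f.write(text)
        manifest = build_manifest(d, sorted(SAMPLE_LOGS))
        # The manifest is what goes into the record; a JSON round trip keeps it reproducible.
        recorded = json.loads(json.dumps(manifest, sort_keys=True))
        untouched = verify_manifest(recorded, d)
        # Constructed "later edit": one firewall line dropped, auth log deleted.
        with open(os.path.join(d, "firewall.log"), "w", encoding="utf-8") as f:
            f.write(SAMPLE_LOGS["firewall.log"].splitlines(keepends=True)[1])
        os.remove(os.path.join(d, "auth.log"))
        tampered = verify_manifest(recorded, d)
    return untouched, tampered


if __name__ == "__main__":
    before, after = demo()
    print("at seizure:", before)
    print("later     :", after)
```

The digests only prove that the files have not changed since the manifest was written; they say nothing about edits made before seizure, which is exactly why the procedural question of who bears the burden of proving such edits matters. Recording the manifest in the inspection record, in the presence of the attesting witnesses, is what ties the later check to the moment of seizure.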
The second common misconception concerns the legality of obtaining log files from provider and telecommunications companies. These actions are carried out in accordance with the Laws of the Russian Federation «On the Police» and «On Operational Investigative Activities». It is true that the Law of the Russian Federation «On Communications» contains provisions on the secrecy of communications. Article 31 of this law states:
«Information about postal items and messages transmitted over telecommunications networks, as well as these items and messages themselves, may be issued only to senders and addressees or their legal representatives.
Wiretapping of telephone conversations, familiarization with telecommunications messages, delay, inspection and seizure of mail and documentary correspondence, obtaining information about them, as well as other restrictions on the secrecy of communications are permitted only on the basis of a court decision.»
In most cases, provider companies are asked for data directly related to the victim (details of connections under his login, calls to his modem pool, and so on). The investigator obtains this data from the provider with the victim's personal written consent, that is, from the point of view of the Law «On Communications» he effectively acts as the victim's legal representative. The data obtained in this way therefore cannot be considered inadmissible evidence and can be used both in court and during the preliminary investigation.
In other cases, data from telecommunications companies is obtained on the basis of a court decision. Since, as shown above, the log files obtained earlier retain their evidentiary value, there is no obstacle to a positive court decision. It should also be borne in mind that such decisions are made by a judge alone, without the participation of the parties. As the author's personal experience shows, courts grant petitions from law enforcement agencies in 95% of cases; the remaining 5% are cases of obviously sloppy drafting of documents and gross errors by individual operatives. Data obtained by court decision is, of course, also used in court and during the preliminary investigation. Thus falls the second bastion of the defenders of the freedom of computer hooliganism…
Now the identity of the perpetrator has been established, and the equipment he used has been seized and sent for examination. At this stage the defendant's lawyers, following the public, raise the question: who may act as an expert? Unfortunately for them, there is nothing to argue about here either; the answer has already been given by the Criminal Procedure Code of the Russian Federation. Article 57 of the Criminal Procedure Code, which defines the status of an expert, states:
«1. An expert is a person with special knowledge appointed in the manner prescribed by this Code to conduct a forensic examination and provide an opinion.
2. The summoning of an expert, and the appointment and conduct of a forensic examination, are carried out in the manner prescribed by Articles 195-207, 269, 282 and 283 of this Code.
3. An expert has the right to:
1) to become familiar with the materials of the criminal case related to the subject of the forensic examination;
2) to petition for the provision of additional materials necessary for giving an opinion, or for the involvement of other experts in the conduct of the forensic examination;
3) to participate, with the permission of the inquiry officer, investigator, prosecutor and the court, in procedural actions and ask questions related to the subject of the forensic examination;
4) to give an opinion within the limits of his competence, including on issues, although not raised in the resolution on the appointment of a forensic examination, but related to the subject of the expert examination;
5) to lodge complaints against the actions (inaction) and decisions of the inquiry officer, investigator, prosecutor and court that limit his rights;
6) to refuse to give an opinion on issues that go beyond his special knowledge, as well as in cases where the materials presented to him are insufficient to give an opinion.
4. An expert does not have the right:
1) without the knowledge of the investigator and the court, to conduct negotiations with participants in criminal proceedings on issues related to the conduct of the forensic examination;
2) independently collect materials for expert examination;
3) conduct research without the permission of the inquiry officer, investigator, or court that may entail the complete or partial destruction of objects or a change in their appearance or basic properties;
4) give a knowingly false conclusion;
5) disclose preliminary investigation data that became known to him in connection with his participation in a criminal case as an expert, if he was warned about this in advance in the manner established by Article 161 of this Code.
5. For giving a knowingly false opinion, an expert shall be liable in accordance with Article 307 of the Criminal Code of the Russian Federation.
6. For disclosing preliminary investigation data, an expert shall be liable in accordance with Article 310 of the Criminal Code of the Russian Federation.»
Article 195, in turn, states: «Forensic examination is carried out by state forensic experts and other experts from among persons with special knowledge». The Code does not define the circle of «other» experts in any way, and no special certificates, including from the Ministry of Justice, are required of an expert. In other words, any person with the necessary knowledge and skills can be engaged as an expert, and the level of the expert's competence is determined by the investigator.
Of course, in court the accused or his lawyer can file a motion to challenge the expert on the grounds of incompetence, or demand that their own expert be called. However, the author is not yet aware of a single case in which such a motion was granted by a court. The reason is that investigators entrust examinations to sufficiently competent specialists, who also informally pass on to one another a general methodology for conducting such studies (developed by the Investigative Committee of the Ministry of Internal Affairs of the Russian Federation and somewhat modernized by the Scientific Research Institute «Informzashchita»), which ensures the evidentiary value of the examination's result. And here the lawyer is in for a fiasco!
Finally, the proposal to create a special «Internet law» does not stand up to criticism; practicing lawyers treat such proposals with great mistrust. Law is intended to regulate the most important social relations, and it is unthinkable to equip every subject area with its own branch of law. Otherwise it would be necessary to create not only computer law but also medical, geological, chemical and office law, and many other branches besides…
This approach leads to a dead end. In reality, almost all questions of relations between users of computer networks and telecommunications companies can be resolved within the framework of traditional civil, administrative and even criminal law. Telecommunications and the Internet are far from the only transnational structures today: transport companies, postal services and many corporations with diversified infrastructure operate in many countries. Their activities are subject to various national laws, which does not prevent the corresponding businesses from prospering, and these corporations do not demand the introduction of a specific automobile-manufacturing law or postal law. All questions of protecting the interests of both the company and its clients are resolved under the legislation of the particular state.
Thus, the ideas current on online forums do not entirely coincide with Russian reality, and such a gap between ideas and harsh reality can lead to extremely unpleasant consequences in the courtroom…
The author of this article will be grateful for comments and remarks at sobetsky@infosec.ru