Organization of technical and forensic examination of computer systems.
I. Sobetsky
In the article «On the evidentiary value of log files» I analyzed the evidentiary value of log files obtained during the investigation of criminal cases involving offenses in the field of computer information.
However, another equally important question remains: how examinations of various types of computer systems are actually conducted.
Such an examination may be required both in civil proceedings (disputes over liability between customer and contractor, over whether an insured event occurred, over harm caused without fault) and in criminal proceedings (examination of equipment belonging to offenders or victims in order to establish the truth in the case).
At the same time, lawyers and information security experts are currently facing many problems that complicate the production of such expert studies and the use of their results in civil and criminal proceedings.
It is obvious that the examination of computer equipment carried out within the framework of criminal proceedings can provide the investigator and the court with significant evidence of the guilt (or innocence) of the defendant.
This applies not only to crimes in the field of computer information, but also to most economic crimes and some ordinary crimes (for example, illegal distribution of pornographic materials, fraud, forgery of documents, etc.).
As is known, any organized activity, including criminal, cannot do without accounting, and in modern conditions, most types of accounting are successfully automated using computer technology.
A typical example of the use of the results of technical and forensic examination was the case of the Yukos Oil Company, when the owner of the company, M.B. Khodorkovsky, was charged based on data obtained as a result of the examination of computers seized from the Oil Company.
However, technical and forensic examination of computer equipment, unlike many other kinds of examination, has not yet become routine.
What is allowed to Jupiter is not allowed to the bull — in hundreds of less high-profile cases, there is no one and no time to conduct technical and forensic examination of computer systems.
In general, when appointing a technical and forensic examination of computer systems, investigators have to solve the following most significant problems:
- Lack of sufficiently qualified specialists in the field of computer information in the staff of expert departments of law enforcement agencies and the Ministry of Justice.
- Insufficient training in the field of computer technology, which does not allow for the correct formulation of questions for the expert (especially for general criminal offenses). Asking experts questions that are beyond their competence.
- Difficulties in interpreting the results of the examination.
Let's consider these problems in more detail.
Currently, examinations in criminal cases are carried out either by the forensic departments of the internal affairs agencies and the FSB, or by the forensic laboratories of the Ministry of Justice.
Departmental experts of the Ministry of Internal Affairs and the FSB, with very rare exceptions, understand computer systems at the level of an «advanced user», which means they are in principle unable to conduct complex examinations.
At best, such experts are unable to get past the password protection of Windows NT, or ask how to «remove the password» from a jpg file (employees of NIP «Informzashita» have repeatedly had to consult such specialists).
In the worst case, the results of their examination are either incomplete or, due to errors, lose their evidentiary value.
The author knows of several particularly difficult cases when insufficiently qualified experts completely destroyed essential information on seized computer equipment.
The expert laboratories of the Ministry of Justice carry out quite high-quality examinations of computer systems, but even here there is a clear shortage of relevant specialists.
Therefore, technical and forensic examinations of computer systems are not carried out in all regions of the Russian Federation and take a significant amount of time.
Due to insufficient training, investigators and judges often ask the expert the wrong questions when ordering an examination of computer systems.
The three most typical mistakes here are:
- Posing overly general questions that are irrelevant to the case at hand. A classic example from the author's practice is «Restore and print all deleted files.» I wonder if all the multiple copies of the win386.swp file should also be printed?
- Posing questions that are clearly beyond the expert's professional competence or that are fundamentally unsolvable. For example, «Establish whether there are fingerprints of citizen H on the keyboard?» or «Establish where the information copied by unknown persons from the computer under investigation is currently located?»
- Posing questions that should not be resolved by the expert at all, but exclusively by the investigation and the court. These include questions about violations of legislation in a particular area, as well as about the goals and motives of any actions. A typical example is «Are the programs on the seized computer counterfeit?»
Since departmental experts, as a rule, are uncritical about such issues, their conclusions are either vague, uninformative for the investigation, or are contested in court by the opposing party's lawyer.
Indeed, when an expert writes in his conclusion that he has found counterfeit software on a certain computer, he essentially assumes the functions of the court. In Russia, only a court can establish that a crime has been committed.
Nevertheless, the expert, without waiting for a court verdict, himself declares the crime proven.
Of course, the court may be critical of such a conclusion.
Due to the insufficient number of experts, the production of technical and forensic examination in the institutions of the Ministry of Justice takes a long time.
The time frame for the preliminary investigation is strictly limited by the Criminal Procedure Code.
In accordance with Article 162 of the Criminal Procedure Code, «the preliminary investigation of a criminal case must be completed within a period not exceeding 2 months from the date of initiation of the criminal case».
The preliminary investigation period may be extended, but in ordinary criminal cases of an economic nature, an extension is rarely issued for a period exceeding 1 month.
As a result, the expert opinion received in the last days before the end of the investigation period is simply filed in the case as one of the pieces of evidence.
The investigator simply does not have time to use the information provided by the expert for new investigative actions.
The consequence of all of the above is that the results of the examination are of little use to the investigator.
In most cases, the expert's conclusion is skimmed «diagonally», and the investigator merely satisfies himself that the questions he asked have been answered in the affirmative.
And in court it may turn out, for example, that the expert has discovered signs of other crimes that were happily ignored by the investigator.
Underfunding of expert departments ultimately creates favorable conditions for the infringement of the rights of both defendants and accused persons, as well as victims.
Thus, the author is not aware of a single case where the accused exercised his right, declared in paragraph 11 of part 4 of article 47 of the Criminal Procedure Code of the Russian Federation, to «familiarize himself with the decision to appoint a forensic examination, ask questions of the expert and familiarize himself with the expert's report».
Victims' demands to exercise their rights under paragraphs 9 and 11 of part 2 of article 42 of the Criminal Procedure Code («participate, with the permission of the investigator or inquiry officer, in investigative actions carried out at his request or the request of his representative» and «familiarize himself with the decision to appoint a forensic examination and with the expert's conclusion») are generally perceived by investigators as a witty joke.
Investigators understand that most experts from government agencies are simply not ready for strict and adversarial scrutiny.
A very unpleasant situation arises if the conclusions of such experts are called into question in court.
In such a case, the court can only order a repeat examination, usually in the same institution.
It often turns out that during the first examination the systems under study have been changed to such an extent that the new expert is guided to a greater extent by corporate solidarity — there are no more objective materials left anyway.
Many lawyers in such a situation insist on an «independent» examination, inviting their own experts. However, the independence of these experts is highly questionable, since their services are paid for by one of the parties to the process!
It is easy to assume that the conclusions of these experts will be dominated by a clearly expressed «justifying bias», as opposed to the «accusatory bias» of experts in the civil service. The situation with examination in civil proceedings is even worse.
While in criminal cases there are still institutions obliged to conduct an examination of computer systems, no one is obliged to conduct an examination in civil cases.
Moreover, the independent examination centers that exist in various regions and have earned a good reputation do not, as a rule, engage in professional examination of computer systems at all.
As a result, participants in civil proceedings are forced to turn to “independent” experts, who often have a very dubious reputation.
There are frequent cases when both sides put forward «independent» experts with opposing opinions. Nothing surprising, however — as we know, he who pays the piper calls the tune.
A situation of conflict between two «independent» experts on the part of the plaintiff and the defendant puts the court in a difficult position.
Under Russian law, a judge in a civil case not only cannot appoint an expert of his own choosing, but also has no right to propose to the parties an expert known to him.
As a result, the litigants time and again bring to court experts they paid for, whose objectivity is highly questionable.
One suggested way out is to entrust examinations of computer systems to private specialists from a more or less reputable organization specializing in information security.
As a rule, such organizations value their reputation, and the specialists working in them are quite highly qualified.
However, truly serious private experts have one grave drawback compared with experts in the civil service: they demand adequate payment for their work.
From the point of view of law enforcement officials, their fees are unreasonably high.
Thus, the cost of a complete study of information contained in just one personal computer in various organizations ranges from 7,500 to 25,000 rubles. These amounts significantly exceed the funds allocated to investigative and judicial bodies.
Therefore, when ordering technical and forensic examination of computer systems in most criminal cases, investigators and judges proceed primarily from financial considerations.
Cheap state experts and all the problems arising from their conclusions are perceived as the lesser evil in this case.
It seems to the author that a way out of the current situation could be to include the full cost of the examination in criminal cases in the court costs. In that capacity, these expenses would in most cases be recovered from the convicted person.
Private experts will not be under the pressure of corporate solidarity with law enforcement agencies, and it will be much more difficult to challenge the conclusions they issue.
A transparent system of payment for their services will help avoid accusations of collusion with the defense. This option, of course, is also not ideal.
However, nothing better (and, more to the point, nothing that could actually be implemented in practice) is currently in sight.
A similar mechanism is provided (although practically not used) in civil proceedings.
The plaintiff pays for the examination from his own funds, and if the claim is satisfied, this amount is recovered from the defendant. As in the case of examination in criminal cases, the professional reputation of the expert will serve as the best protection against possible falsifications.
Now let us discuss some aspects of the examination itself. Let us assume that the expert has begun to examine a certain computer system.
At the same time, his activities are regulated by Article 57 of the Criminal Procedure Code of the Russian Federation:
- An expert is a person with special knowledge and appointed in the manner established by this Code to conduct a forensic examination and provide an opinion.
- The summoning of an expert, the appointment and conduct of a forensic examination shall be carried out in the manner established by Articles 195 — 207, 269, 282 and 283 of this Code.
- The expert has the right to:
- familiarize himself with the materials of the criminal case relating to the subject of the forensic examination;
- to request that he be provided with additional materials necessary to provide an opinion, or that other experts be involved in the forensic examination;
- to participate, with the permission of the investigator, the prosecutor and the court, in procedural actions and ask questions related to the subject of the forensic examination;
- to give an opinion within the limits of his competence, including on issues that, although not raised in the resolution on the appointment of a forensic examination, are related to the subject of the expert examination;
- to lodge complaints against the actions (inaction) and decisions of the inquiry officer, investigator, prosecutor and court that limit his rights;
- to refuse to give an opinion on issues that go beyond his special knowledge, as well as in cases where the materials presented to him are insufficient to give an opinion.
- The expert does not have the right to:
- without the knowledge of the investigator and the court, conduct negotiations with participants in criminal proceedings on issues related to the conduct of a forensic examination;
- independently collect materials for expert examination;
- conduct, without the permission of the inquiry officer, the investigator, or the court, research that may entail the complete or partial destruction of objects or a change in their appearance or basic properties;
- give a knowingly false conclusion;
- disclose preliminary investigation data that became known to him in connection with his participation in a criminal case as an expert, if he was warned about this in advance in the manner established by Article 161 of this Code.
- For giving a knowingly false conclusion, an expert shall be liable in accordance with Article 307 of the Criminal Code of the Russian Federation.
- For disclosing preliminary investigation data, an expert shall be liable in accordance with Article 310 of the Criminal Code of the Russian Federation.
Most experts violate the requirements of this article immediately at the very beginning of the examination — as soon as the computer being examined is turned on.
The fact is that paragraph 3 of part 4 of this article directly prohibits the expert from performing actions that cause changes in the basic properties of the object being examined.
With regard to computer equipment, the expert is obliged to ensure the immutability of the contents of hard drives and other information carriers in the computers being examined. Only if this condition is met can the expert's conclusions be verified, if necessary, by a repeated examination.
Most modern operating systems, in particular Windows 95/98/NT/XP, Windows 2000/2003, MacOS, OS/2 and all varieties of UNIX, write to the hard drive during operation, at the very least to the swap file; on NTFS, merely opening a folder in Explorer updates the last-access timestamps of the files in it.
If we are talking about computers used for criminal purposes, then they may even have a special program installed to destroy information.
When such a «mined» computer is turned on without special precautions, the contents of its hard drive may change to such an extent that it will no longer be of any value to the investigation or the court.
Therefore, the expert must ensure that all examined storage media are kept unchanged.
This goal can be achieved both technologically and by physical means. The main technological method is to boot the examined computer from an external medium into a so-called trusted operating system, one that is known not to write to the hard drive on its own.
A typical example of such a system is MS DOS 6.22 (without memory managers such as QEMM), as well as some stripped-down versions of UNIX. Before booting in this way, the expert must check the boot order in the BIOS: if the internal hard drive is tried first, the suspect's own operating system starts and writes to the disk before the external medium is ever read.
It is also permissible to remove the hard drive from the computer being examined and connect it to your own computer with a trusted operating system loaded there.
The hard drive of the computer being examined can be physically protected from writing by connecting it through a special device.
For example, the FastBloc device manufactured by the American corporation Guidance Software provides hardware blocking of recording on hard drives with IDE and SCSI interfaces while maintaining the speed of exchange with the disk.
In such (and only in such!) configuration, it is permissible to boot the computer under study in the normal mode.
In any case, the inability to record on the hard drive of the computer under study significantly complicates the process of searching for the necessary information.
It turns out to be impossible, for example, to restore deleted files, work with word processors and DBMS, or even just perform an advanced search for information.
Therefore, in order to complete the examination in an acceptable time, the expert must create an image file of the examined hard drive on his own computer, or simply copy the examined drive onto another one, and record a checksum (hash) of both the original and the copy so that the two can later be shown to be identical.
Standard file-by-file copying is unacceptable, since the expert is no less interested in the disk space that the file system considers free.
Special software that copies the medium sector by sector should be used, such as Symantec Ghost; note that Ghost's default cloning mode copies only the clusters marked as in use, so its raw sector-by-sector mode must be selected explicitly.
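As an added illustration of the two points above (sector-by-sector copying with a verifiable hash, and why a file-level copy is unacceptable), the following Python script is example code written for this page, not a tool from the article. It models the seized medium as an ordinary file whose contents are constructed inline (a live document in allocated sectors, a deleted document left in unallocated space); in a real acquisition the source would be a block device opened read-only behind a hardware write-blocker, which is an assumption here. The search routine also shows the detail a practitioner has to get right when scanning a multi-gigabyte image in chunks: a keyword that straddles a chunk boundary must still be found.

```python
"""Added example (not from the article): sector-by-sector acquisition of a
medium with hash verification, a file-level copy for comparison, and a
keyword search over the whole image, unallocated space included.

Assumption (hypothetical): the "disk" is a plain file. A real acquisition
would open a block device read-only behind a hardware write-blocker."""
import hashlib
import os
import re
import tempfile

SECTOR = 512


def build_sample_disk(path):
    """Construct a toy raw 'disk' (constructed data, not real evidence):
    64 sectors. A live document sits in sectors 2-3 (allocated); sector 40
    holds the remnant of a deleted document that no directory entry references.
    Returns the 'directory': (first_sector, last_sector) of each allocated file."""
    data = bytearray(64 * SECTOR)
    live = b"Invoice 2003/17 - payment to contractor OOO Vector, 85000 RUB"
    data[2 * SECTOR:2 * SECTOR + len(live)] = live
    deleted = b"DELETED draft: transfer 120000 RUB to Vector, cash, no invoice"
    data[40 * SECTOR:40 * SECTOR + len(deleted)] = deleted
    # A keyword placed across the first 4 KiB read-chunk boundary (offset 4093),
    # which a naive chunk-by-chunk search would miss.
    straddle = b"Vector"
    data[8 * SECTOR - 3:8 * SECTOR - 3 + len(straddle)] = straddle
    with open(path, "wb") as f:
        f.write(data)
    return [(2, 3)]


def acquire(source_path, image_path, chunk=8 * SECTOR):
    """Copy every byte of the source (opened read-only) into an image file and
    return (source_sha256, image_sha256). Equal digests are what a repeat
    examination can later verify against."""
    h_src = hashlib.sha256()
    with open(source_path, "rb") as src, open(image_path, "wb") as dst:
        for block in iter(lambda: src.read(chunk), b""):
            h_src.update(block)
            dst.write(block)
    h_img = hashlib.sha256()
    with open(image_path, "rb") as img:
        for block in iter(lambda: img.read(chunk), b""):
            h_img.update(block)
    return h_src.hexdigest(), h_img.hexdigest()


def file_level_copy(source_path, directory):
    """What an ordinary file copy carries over: only the sectors that directory
    entries reference. Unallocated space (and the deleted draft) is lost."""
    out = bytearray()
    with open(source_path, "rb") as src:
        for first, last in directory:
            src.seek(first * SECTOR)
            out += src.read((last - first + 1) * SECTOR)
    return bytes(out)


def search_image(image_path, keywords, chunk=8 * SECTOR):
    """Search the entire image for any of the byte-string keywords. Reads in
    chunks but keeps an overlap of (longest keyword - 1) bytes from the previous
    chunk, so a hit straddling a chunk boundary is still found; absolute offsets
    are used as dictionary keys so a hit seen twice is reported once.
    Returns sorted (absolute_offset, keyword) pairs."""
    pattern = re.compile(b"|".join(re.escape(k) for k in keywords))
    overlap = max(len(k) for k in keywords) - 1
    hits = {}
    tail = b""
    pos = 0
    with open(image_path, "rb") as img:
        for block in iter(lambda: img.read(chunk), b""):
            buf = tail + block
            base = pos - len(tail)
            for m in pattern.finditer(buf):
                hits[base + m.start()] = m.group(0)
            pos += len(block)
            tail = buf[-overlap:] if overlap else b""
    return sorted(hits.items())


def demo():
    """Run acquisition, verification, file-level copy and search on the sample disk."""
    with tempfile.TemporaryDirectory() as d:
        disk = os.path.join(d, "evidence.raw")
        image = os.path.join(d, "evidence.img")
        directory = build_sample_disk(disk)
        src_hash, img_hash = acquire(disk, image)
        copied = file_level_copy(disk, directory)
        hits = search_image(image, [b"Vector", b"DELETED"])
        return {
            "hash_ok": src_hash == img_hash,
            "sha256": img_hash,
            "hits": hits,
            "file_copy_has_deleted": b"DELETED" in copied,
        }


if __name__ == "__main__":
    result = demo()
    print("image sha256:", result["sha256"], "verified:", result["hash_ok"])
    for offset, kw in result["hits"]:
        print(f"hit {kw!r} at offset {offset} (sector {offset // SECTOR})")
    print("file-level copy contains deleted draft:", result["file_copy_has_deleted"])
```

Running the script yields four hits for the two keywords, including one at offset 4093 (across the chunk boundary) and the deleted draft in sector 40, while the file-level copy contains no trace of that draft; the two SHA-256 digests match, and it is this pair of digests, recorded in the report, that lets a repeat examination confirm it worked on the same data.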
The weak point of this approach is, as always, funding.
In order to create an image or copy of the hard drive being examined on your computer (or computers), the expert must have a storage medium of at least the same capacity.
And if several computers are sent for examination, and even a server with a RAID array…
This is where the state expert remembers that only a colleague from the next room can verify his conclusion. And Article 57 is sacrificed to expediency.
Since there is simply no such amount of free space, the expert begins to work directly with the hard drive of the computer being examined.
In this case, files can be restored, archives can be unpacked, the password can be removed from a database that has come to hand…
In short, during the examination, the very same “change in appearance or basic properties” of the object under study occurs.
Similar mistakes are often made by “independent” experts invited by the parties to the process or law enforcement agencies.
If the defendant was able to use the services of a highly paid lawyer and the expert’s conclusions are questioned, then significant difficulties may arise during a repeated examination.
For example, some time ago the author of the article had to examine a computer that had been in the crooked hands of an “independent” specialist.
The court then ruled to re-examine the case.
During the re-examination, numerous files were found on the hard drive of the computer under investigation that had been created… after the date the computer was seized!
The computer's case was not sealed, and its RAM modules were missing altogether.
The «independent» expert's explanation was disarmingly simple: the files with the accounting documents were formatted very inconveniently, so he simply edited them right on the computer under investigation.
Never mind that the contents had changed; now everything fit on the printed page!
After the «independent» examination, the computer was stored unsealed in an unguarded corridor for a long time, so anyone could have removed the memory chips; or perhaps they had never been there at all.
And anyway, what do memory chips have to do with it, it's the hard drive that needs examining! What, old man, don't you believe me?!
With joint efforts, the would-be expert was made to understand that the examination of computer systems is carried out on the basis of collecting and analyzing objective facts, and that matters of belief can be pursued in one's free time, in church.
Unfortunately, the author of the article had to record in the conclusion of the study the dubious authorship of the accounting documents, the change in the hardware configuration, and the unpacked archives… By the time of the new court hearing, the case against the defendant had shrunk by half.
The verdict lived up to the lawyer's highest expectations.
Further examination of the disk image created by the expert is only a matter of time. True, it will take quite a long time – there is still no special software for conducting examinations in Russia.
Therefore, the oldest and most reliable expert tool remains the Disk Editor program from the Norton Utilities set.
When using this program to search for specific key sequences on the disk being examined, searching for just one sequence on a 40 GB disk image takes from 30 minutes to 1 hour, depending on the performance of the expert's computer.
A full examination of such a computer can take several days.
The examination of servers with a large amount of disk space stretches out for weeks.
In institutions provided with funding, experts can use specialized software.
In a number of Western European countries and the United States, programs have been developed specifically for the production of computer equipment expertise.
The best among them, without a doubt, is the EnCase program, developed by the American company Guidance Software.
Initially, this program was developed exclusively for the needs of such US government organizations as the Secret Service of the Treasury Department, the FBI and the NSA, but is currently offered for free sale.
The EnCase program almost completely automates both the process of creating a copy of the hard drive being examined and the examination of its contents.
The main features of this program are:
- performing contextual search and analysis of information on magnetic media with different file systems simultaneously, including FAT12, FAT16, FAT32, NTFS, Linux, UNIX, Macintosh, as well as CD-ROM and DVD-R;
- the built-in macro language makes it possible to create powerful filters and programs for configuring EnCase and apply “advanced” methods for automatic analysis of all data contained on the studied media;
- the image collection subsystem automatically identifies all files containing fragments of graphic images and displays them as icons that can be easily bookmarked or copied to CD-ROM;
- view files without changing their content or creation time;
- «simple» search for information on the entire disk using any number of keywords;
- «complex» search for information using the powerful UNIX GREP syntax;
- view files with complex structures, such as the Windows registry, e-mail attachments, and Zip files;
- view all significant time stamps for all files on a computer using a powerful timeline program.
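The timeline feature listed last, and the story above of files dated after the seizure, both come down to one check: compare every file timestamp against the date of seizure and against each other. The following Python script is an added example written for this page (not EnCase's own logic, and not code from the article); its file records are constructed inline, with paths, dates and the seizure time all hypothetical. Two rules are applied: a timestamp later than the seizure means the medium was written to after it left the owner's hands, and a creation time later than the modification time is the normal signature of a file copied onto this medium from elsewhere (the copy gets a fresh creation time but keeps the original modification time).

```python
"""Added example (not from the article): build a file timeline and flag
timestamps that contradict the chain of custody.

All records and the seizure time below are constructed for illustration."""
from datetime import datetime

# Hypothetical seizure time, as recorded in the seizure protocol.
SEIZED_AT = datetime(2003, 11, 5, 14, 30)

# Constructed records: (path, created, modified), as read from the image.
RECORDS = [
    ("C:/Docs/ledger_2003.xls", datetime(2003, 3, 2, 9, 12), datetime(2003, 10, 30, 17, 5)),
    ("C:/Docs/contract_17.doc", datetime(2003, 6, 14, 11, 0), datetime(2003, 6, 14, 11, 40)),
    ("C:/Docs/ledger_2003_fixed.xls", datetime(2003, 11, 20, 10, 3), datetime(2003, 11, 20, 10, 50)),
    ("C:/Temp/~WRL0001.tmp", datetime(2003, 11, 20, 10, 3), datetime(2003, 11, 20, 10, 3)),
    ("C:/Docs/report_q3.doc", datetime(2003, 10, 1, 8, 0), datetime(2003, 9, 28, 16, 20)),
]


def timeline(records):
    """Flatten the created/modified stamps into one chronological event list
    of (timestamp, event, path); this is the view a timeline tool presents."""
    events = []
    for path, created, modified in records:
        events.append((created, "created", path))
        events.append((modified, "modified", path))
    return sorted(events)


def anomalies(records, seized_at):
    """Return (path, reason) for every record whose timestamps are suspicious.
    Caveat: the stamps come from the examined machine's own clock, so the BIOS
    clock offset noted at seizure must be applied to seized_at beforehand."""
    flagged = []
    for path, created, modified in records:
        if created > seized_at or modified > seized_at:
            flagged.append((path, "timestamp later than the seizure"))
        if created > modified:
            flagged.append((path, "created after modified: file was copied onto this medium"))
    return flagged


if __name__ == "__main__":
    for stamp, event, path in timeline(RECORDS):
        print(f"{stamp:%Y-%m-%d %H:%M}  {event:<8}  {path}")
    print("seized at:", SEIZED_AT)
    for path, reason in anomalies(RECORDS, SEIZED_AT):
        print("ANOMALY:", path, "-", reason)
```

On the constructed data the script flags the «fixed» ledger and the editor's temporary file as written two weeks after the seizure, and the quarterly report as a file copied in from another medium; the clean ledger and contract pass. The anomalies, not the timeline itself, are what belong in the descriptive part of the report, together with the clock offset that justifies them.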
EnCase and similar programs are not expert systems or knowledge bases: they cannot interpret log files, and they give the investigator no advice.
In fact, these programs are a multifunctional and quite convenient tool for analyzing the contents of seized computer information media.
The methodology for working with these programs ensures the evidentiary value of these data, even under the stricter US legislation in this regard.
Due to the use of EnCase and similar programs, the time for examining one server is reduced to 3-4 days, and a computer with a hard drive of not too large a volume is examined in less than 1 day.
Unfortunately, many state expert institutions are unable to purchase expert software due to underfunding.
At the same time, the author would not like to create the impression that experts from non-state institutions can look down on their colleagues in the state service.
The fact is that almost all employees of state expert institutions have studied the procedural side of the case to perfection and have very valuable experience in defending their conclusions directly in court.
Specialists from non-governmental structures, while generally having higher qualifications in the field of computer systems, often do not pay sufficient attention to either the procedural design of their conclusions or their performance in court.
The old stereotype of a programmer comes into play — these issues are resolved «by default», everything important was written in the conclusion, and the unimportant is taken for granted.
Meanwhile, an expert's report is not a novel, and free style is inappropriate here. Article 204 of the Criminal Procedure Code of the Russian Federation stipulates the basic requirements for an expert's report:
- The expert's report shall indicate:
- date, time and place of the forensic examination;
- grounds for the forensic examination;
- the official who appointed the forensic examination;
- information about the expert institution, as well as the expert's last name, first name and patronymic, his education, specialty, work experience, academic degree and (or) academic title, position held;
- information about warning the expert about liability for giving a knowingly false opinion;
- questions put to the expert;
- objects of research and materials presented for the forensic examination;
- data on persons present during the forensic examination;
- content and results of research indicating the methods used;
- conclusions on the questions put to the expert and their justification.
- If, during the forensic examination, the expert establishes circumstances that are significant for the criminal case, but about which he was not asked questions, he has the right to indicate them in his conclusion.
- Materials illustrating the expert's conclusion (photographs, diagrams, graphs, etc.) are attached to the conclusion and are an integral part of it.
A good expert opinion that has a good chance of being accepted in court must consist of three parts: an introductory part, where, in accordance with paragraphs 1-8 of Part 1 of Article 204, all the necessary formalities are set out, a descriptive part, where the entire research process is described in detail, and a final part, where the main conclusions are indicated.
It is advisable to use very specific terminology in the opinion. For example, an expert can only give three types of answers to questions posed by the investigator, as in the army: “categorically yes,” “categorically no,” and “presumably.”
Such expert revelations as «in my humble opinion», «everyone knows that…» and even «based on this data, I guessed…» carry no weight in court. The author of the last of these is still remembered in one court under the affectionate nickname «the clever one», which did not prevent his conclusion from being rejected.
It should also be remembered that in accordance with Article 282 of the Criminal Procedure Code of the Russian Federation, the author of an expert opinion can be summoned for questioning in court:
- At the request of the parties or on its own initiative, the court has the right to summon for questioning an expert who gave an opinion during the preliminary investigation, to clarify or supplement the opinion given by him.
- After the expert's opinion is announced, the parties may ask him questions. In this case, the party on whose initiative the examination was appointed asks the questions first.
- If necessary, the court has the right to grant the expert the time necessary to prepare answers to questions from the court and the parties.
Not a single expert known to the author of the article has prepared specifically for such an ordeal. These specialists believe that in court, when dealing with laymen in the computer field, it is enough to drop a couple of terms and insist on one's conclusion.
In fact, interrogating an expert is an independent action. During interrogation, the court has the opportunity to both check the expert's qualifications and obtain additional information that was not included in the conclusion.
However, private experts who are not prepared for such a situation often become easy prey for the opposing lawyers. An experienced lawyer with extensive experience in court appearances usually has no trouble confusing and suppressing a person who has never appeared in court.
A corresponding set of ungentlemanly, but nevertheless quite legal techniques is described in specialized literature.
Even if an expert has strong nerves and enviable independence, he can be caught in a simple provocation. For example, in St. Petersburg, before a trial on a criminal case on an economic crime, a lawyer's assistant politely asked the expert to go into a certain room — «You are being called there!»
After that, the lawyer only had to record with the witnesses how the independent expert went into the room reserved in the court for representatives of the prosecutor's office before the trial — after which the expert was challenged at the trial on the grounds of his personal interest in the outcome of the case.
Despite the undisputed professionalism of the expert in the field of information security, his conclusion lost its evidentiary value due to just one wrong step!
Lawyers are so accustomed to the legal illiteracy of non-governmental experts that they even take offense when the expert does not «play along».
In one of the Moscow courts, after a short discussion with the author of the article, the lawyer was sincerely indignant: «You have disgraced me in front of the client! Who allowed you to quote codes?!”.
This same phrase was repeated with varying degrees of affectation by other losing lawyers…
In general, it can be considered that at the present stage it is advisable to organize a high-quality examination of computer systems in both criminal and civil cases on the basis of non-governmental institutions specializing in the field of information security.
Of course, such an approach presupposes increased attention to the legal side of the matter, in particular a mandatory procedural «crash course» for the employees of these organizations who are directly involved in conducting examinations.