Some issues of computer crime investigation.
V. Golubev
Speech on February 26, 2003 at the Southeast Cybercrime Summit in Atlanta, USA
Investigation of computer crimes differs significantly from the investigation of other «traditional» crimes. It is in these criminal cases that errors are made most often, which is usually explained by the lack of adequate theoretical and practical training of operatives and investigators. A study of criminal cases of this category gives reason to believe that one of the significant reasons for the low quality of the investigation is the lack of systematized and proven methods for investigating computer crimes, as well as the errors made during investigative actions in relation to computer information or the computers themselves.
The results of the analysis of the practical activities of law enforcement agencies in investigating computer crimes indicate that it is advisable to conduct research on computer equipment in a forensic laboratory, where this work is performed by specialists with the necessary professional training.
Evidence related to computer crimes and seized from the scene of the crime can be easily altered, both as a result of errors during their seizure and during the examination itself. Presenting such evidence in court requires special knowledge and appropriate training. Here, the role of expertise should not be underestimated, which can provide a qualified answer to the questions posed.
However, an examination requires time not only for its performance but also for finding the appropriate specialists, whereas when seizing computer equipment the essential factors that allow the necessary evidentiary information to be preserved are surprise and speed. That is why the seizure of computers and information has to be carried out by the forces that are conducting the investigative actions at that moment. In this case it is the investigator who is not immune from errors caused by lack of knowledge, which the defense then uses quite skillfully in court.
The problem posed has two aspects: common errors made by law enforcement officers when investigating computer crimes, and technical aspects related to the protection of information that is installed on computers by their direct users.
As is known, the detection, inspection and seizure of computers and computer information in the course of investigative actions can be carried out not only during an investigative inspection (Article 190 of the Code of Criminal Procedure), but also during other investigative actions: searches (Article 178 of the Code of Criminal Procedure); seizures (Article 179 of the Code of Criminal Procedure); reproduction of the circumstances and environment of the incident (Article 194 of the Code of Criminal Procedure).
It is necessary to highlight some rules for working with computers seized during the investigation of crimes in the field of computer information, and also to offer general recommendations that may be useful when processing computer evidence.
Let us consider some typical errors most often made during investigative actions in relation to computer information or the computers themselves.
Error 1. Erroneous work with the computer.
The first and most important rule that must be strictly followed is the following: never and under no circumstances work on a confiscated computer. This rule assumes that a confiscated computer is, first and foremost, an object of a specialist's examination. Therefore, it is advisable not to even turn it on before handing it over to experts, since it is strictly forbidden to perform any operations on a confiscated computer without ensuring the necessary protection measures (for example, protection from modification or creating a backup copy). If a protection system is installed on the computer (for example, a password), then turning it on may cause the destruction of information located on the hard drive. Booting such a computer using its own operating system is not allowed.
This measure is explained quite simply: it is not difficult for a criminal to install a program on his computer to destroy information on a hard or floppy disk by writing such «traps» through modifying the operating system. For example, a simple DIR command, which is used to display a disk directory, can be easily modified to format a hard drive.
After the data and the destructive program itself are destroyed, no one will be able to say for sure whether the «suspect» computer was equipped with such programs on purpose, or whether this was the result of carelessness when examining computer evidence.
Error 2. Allowing the owner (user) access to the computer.
A serious mistake is to allow the owner access to the computer being examined, ostensibly to assist in operating it. There are many known cases from practice when suspects, during interrogations related to computer evidence, were allowed to work on the confiscated computer. Later, they told their friends how they encrypted files «right under the noses of the police», and the latter did not even suspect it. Given such consequences, computer specialists began to make backup copies of computer information before allowing anyone to work on it.
Another problem is related to the possibility of refuting in court the identity of the software presented at the trial with the one that was on the computer at the time of seizure. To avoid such situations, the computer should be sealed in the presence of witnesses, without turning it on. If a law enforcement officer decides to inspect the computer on the spot, the first thing that needs to be done is to make a copy from the hard magnetic disk and any floppy disk that will be seized as evidence. This means that before carrying out any operations with the computer, it is necessary to record its condition at the time of the investigative actions.
Error 3. Failure to check the computer for viruses and software implants.
In order to check the computer for viruses and software implants, it must be booted not from its own operating system, but from a pre-prepared boot floppy disk or from a bench hard disk. All storage media are subject to checking: floppy disks, the hard disk and any other storage media. This work should be done by a specialist involved in the investigative actions, using special software.
The court must not be given any opportunity to accuse the investigation of deliberately infecting the computer with viruses, of incompetence in conducting investigative actions, or simply of negligence, since it is hardly possible to prove that the virus was on the computer before the examination, and such an accusation will cast doubt on the entire work of the expert and the reliability of his conclusions.
These are the most typical mistakes that occur when examining a computer in cases related to the investigation of computer crimes. However, the list considered does not cover all the mistakes that arise in the process of seizure and examination of computer information. This can be easily explained by the lack of sufficient experience in such cases in our country. At the same time, Western European countries and the United States have already accumulated a wealth of experience in investigating complex computer crimes. It is necessary to study it more thoroughly, which will allow us to avoid many of these mistakes.
In order to avoid errors during investigative actions at the initial stage of the investigation, which may lead to the loss or distortion of computer information, it is necessary to adhere to certain precautionary measures.
Recommendation 1. First of all, it is necessary to make a backup copy of the information.
During the search and seizure process involving the seizure of a computer, magnetic media and information, a number of common problems arise related to the specifics of the technical means being seized. First of all, it is necessary to anticipate the countermeasures that criminals take in order to destroy computer information. For example, they can use special equipment that, in critical cases, creates a strong magnetic field that erases magnetic records.
During the search, all electronic evidence located on the computer or in the computer system must be analyzed in such a way that it can be subsequently recognized by the court. World practice shows that in most cases, under pressure from defense representatives, electronic evidence is not taken into account in court. In order to guarantee their recognition as evidence, it is necessary to strictly adhere to criminal procedure legislation, as well as standardized methods and techniques for their seizure.
Computer evidence is usually preserved by making an exact copy of the original (the primary evidence) before any analysis is done. But making copies of computer files using standard backup programs alone is not enough. Physical evidence may exist in the form of deleted or hidden files, and the data associated with these files can only be preserved using specialized software. In its simplest form, this can be a program like SafeBack, and for floppy disks the DOS DISKCOPY command is often sufficient.
Magnetic media to which information is to be copied must be prepared in advance (it is necessary to make sure that there is no information on them). Media should be stored in special packages or wrapped in clean paper. It is necessary to remember that information can be damaged by humidity, temperature influence or electrostatic (magnetic) fields.
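Recommendations 1 and the rule of recording the computer's condition before any other operation can be illustrated with a small acquisition script. This is an added example, not code from the original speech; it assumes a Python 3 environment, that the seized medium is reachable as a read-only path (a block device behind a write blocker in practice; here a constructed sample file stands in for it), and that the names `acquire_image`, `hash_file` and `make_sample_medium` are the author's own for this illustration. It goes one step beyond the text by computing a SHA-256 hash of the original while copying and re-hashing the image afterwards, so the record itself shows that the copy matches what was seized.

```python
"""Bit-for-bit acquisition of a seized medium with integrity hashing.

Added example, not part of the original speech. The source is opened
read-only and only ever read; all later work is done on the image.
"""
import hashlib
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1024 * 1024  # copy in 1 MiB pieces so large media do not exhaust memory


def hash_file(path: str) -> str:
    """Independent SHA-256 of a file, used to re-verify an image at any later time."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def acquire_image(source_path: str, image_path: str) -> dict:
    """Copy source_path byte for byte to image_path and return an acquisition record.

    The SHA-256 of the source is computed from the very bytes being copied; the
    finished image is then re-read and hashed on its own, and both digests go
    into the record so the copy can be shown to match the original.
    """
    source_hash = hashlib.sha256()
    copied = 0
    with open(source_path, "rb") as src, open(image_path, "wb") as dst:
        while True:
            block = src.read(CHUNK)
            if not block:
                break
            source_hash.update(block)
            dst.write(block)
            copied += len(block)
        dst.flush()
        os.fsync(dst.fileno())  # make sure the image really reached the disk
    image_digest = hash_file(image_path)
    return {
        "acquired_utc": datetime.now(timezone.utc).isoformat(),
        "source": source_path,
        "image": image_path,
        "bytes_copied": copied,
        "source_sha256": source_hash.hexdigest(),
        "image_sha256": image_digest,
        "verified": image_digest == source_hash.hexdigest(),
    }


def make_sample_medium(path: str) -> bytes:
    """Constructed stand-in for a seized disk: a boot-sector-like header, filler,
    a deleted-looking text fragment and random data. Returns the bytes written."""
    data = bytearray(b"\xeb\x3c\x90MSDOS5.0" + b"\x00" * 502)
    data += b"\x00" * 4096
    data += b"Dear Sir, the payment was wired on 14 Feb ... (constructed sample)\n"
    data += os.urandom(2048)
    with open(path, "wb") as f:
        f.write(data)
    return bytes(data)


if __name__ == "__main__":
    workdir = tempfile.mkdtemp()
    medium = os.path.join(workdir, "evidence_disk.raw")
    image = os.path.join(workdir, "evidence_disk.dd")
    make_sample_medium(medium)
    record = acquire_image(medium, image)
    for key, value in record.items():
        print(f"{key}: {value}")
```

The returned record is what goes into the seizure protocol: anyone can later run `hash_file` on the image and compare the digest with the one recorded at the scene, which answers the question of whether the material presented in court is identical to what was on the computer at the time of seizure.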
Recommendation 2. Find and make copies of temporary files.
Many word processors and database management programs create temporary files as a by-product of the normal operation of the software. Most computer users do not realize the importance of these files because they are usually destroyed by the program at the end of the session. However, the data inside these destroyed files can be most useful. Especially if the original file was encrypted or the word processing document was printed but never saved to disk, such files can be recovered.
Recommendation 3. It is imperative to check the Swap File.
The popularity of Microsoft Windows has brought some additional tools for the study of computer information. The Swap File serves as disk-backed memory and therefore holds a huge collection of fragments of temporary information. Even the entire text of a document can be found in this Swap File.
Recommendation 4. It is necessary to compare duplicates of text documents.
Duplicates of text files can often be found on hard or floppy disks. Minor differences between versions of a single document may have evidentiary value, and such discrepancies can be easily identified using modern text editors.
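Recommendations 2 to 4 (temporary files, the Swap File and duplicate documents) can be illustrated together. The following is an added example, not code from the original speech; it assumes Python 3, a swap or temporary-file excerpt that has already been read out of the verified image (the `SWAP_SAMPLE` bytes and `SAVED_LETTER` text below are constructed for the illustration), and the function names `carve_text`, `find_fragments` and `compare_versions` are the author's own. It carves runs of printable text out of raw binary data, the same heuristic the classic `strings` utility uses, and then shows line by line how a recovered draft differs from the version saved on disk.

```python
"""Recovering text fragments from swap/temporary space and comparing document versions.

Added example, not from the original speech. All sample data is constructed.
"""
import difflib
import re

MIN_LEN = 12  # shorter printable runs are mostly noise


def carve_text(blob: bytes, min_len: int = MIN_LEN) -> list:
    """Return every run of at least min_len printable ASCII characters (letters,
    digits, punctuation, space, tab, newline) found in blob, in file order."""
    pattern = re.compile(rb"[\x20-\x7e\t\r\n]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pattern.finditer(blob)]


def find_fragments(blob: bytes, keyword: str) -> list:
    """Only the carved runs that mention keyword (case-insensitive)."""
    kw = keyword.lower()
    return [run for run in carve_text(blob) if kw in run.lower()]


def compare_versions(saved_text: str, recovered_text: str) -> dict:
    """Line-level differences between the document found on disk and a fragment
    recovered from swap/temp space. The lines present in only one of the two are
    the ones that may carry evidentiary value."""
    saved = saved_text.splitlines()
    recovered = recovered_text.splitlines()
    diff = list(difflib.unified_diff(saved, recovered, "saved", "recovered", lineterm=""))
    body = diff[2:]  # skip the two "---"/"+++" header lines
    return {
        "only_in_saved": [line[1:] for line in body if line.startswith("-")],
        "only_in_recovered": [line[1:] for line in body if line.startswith("+")],
        "unified": diff,
    }


# Constructed: the letter as it was saved on the hard disk.
SAVED_LETTER = (
    "Dear Mr. Smith,\n"
    "The goods were delivered on 14 February.\n"
    "Regards,\n"
)

# Constructed swap-file excerpt: binary noise around an earlier, never-saved draft
# and the path of the document the word processor had open.
SWAP_SAMPLE = (
    b"\x00\x1f\x8b\x02" * 40
    + b"Dear Mr. Smith,\nThe goods were delivered on 12 February.\n"
      b"This replaces the earlier invoice.\nRegards,\n"
    + b"\xff\xfe" * 30
    + b"C:\\DOCS\\LETTER.DOC"
    + b"\x00" * 64
)


if __name__ == "__main__":
    for run in carve_text(SWAP_SAMPLE):
        print("carved:", repr(run))
    draft = find_fragments(SWAP_SAMPLE, "February")[0]
    result = compare_versions(SAVED_LETTER, draft)
    print("\n".join(result["unified"]))
```

`carve_text` deliberately works on raw bytes rather than on files the operating system lists, which is what makes it applicable to swap space, unallocated clusters and the remains of deleted temporary files alike; the minimum run length is the only tuning knob, and lowering it trades more noise for shorter fragments such as passwords or file names.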
I would also like to highlight general recommendations that must be taken into account when examining a computer at the scene of a crime.
When starting to examine a computer, the investigator and the specialist directly performing all actions on the computer must adhere to the following:
- Before turning off the computer, it is necessary to close all programs used on the computer if possible. It should be remembered that incorrect exit from some programs may cause destruction of information or damage the program itself;
- take measures to set a password for access to protected programs;
- in case of active intervention of the company's employees seeking to counteract the investigation team, it is necessary to turn off the power supply of all computers at the facility, seal them and remove them together with magnetic media for examination of the information in laboratory conditions;
- if consultations with the enterprise personnel are necessary, they should be obtained from different persons by questioning or interrogation. Such a method will allow obtaining the most truthful information and avoiding intentional harm;
- when confiscating technical equipment, it is advisable to confiscate not only system units, but also additional peripheral devices (printers, streamers, modems, scanners, etc.);
- if there is a local area network, it is necessary to have the required number of specialists for additional research of the information network;
- remove all computers (system units) and magnetic media;
- carefully examine the documentation, paying attention to the working notes of computer operators, since it is often in these notes of inexperienced users that codes, passwords and other useful information can be found;
- make a list of all freelance and temporary employees of the organization (enterprise) in order to identify programmers and other IT specialists working in this institution. It is advisable to establish their passport details, addresses and permanent places of work;
- write down the details of all persons present in the premises at the time the investigation team arrives, regardless of the explanation for their presence in this premises;
- make a list of all employees of the enterprise who have access to computer equipment or who are often present in the premises where the computers are located.
If direct access to the computer is possible and all undesirable situations have been excluded, proceed to the inspection. Moreover, the investigator and the specialist must clearly explain all their actions to the witnesses.
During the inspection, the following must be established:
- the computer configuration with a clear and detailed description of all devices;
- the model numbers and serial numbers of each device;
- the inventory numbers assigned by the accounting department when placing equipment on the balance sheet of the enterprise;
- other information from factory labels (on the keyboard, the label is usually on the back, and on the monitor and processor — on the back). Such information is entered into the inspection report of the computing equipment and may be important for the investigation.
Recommendation 5. Photographing and marking computer system elements.
Photographing and marking computer system components is an important first step in preparing the system for transportation. Documenting the system's condition at this stage is necessary for the proper assembly and connection of all system components in the laboratory. When photographing, close-up shots of the front and back of the system should be taken. Photographing and marking the components of the seized computer system makes it possible to accurately recreate the condition of the computer equipment under laboratory research conditions. Some equipment, such as external modems, has many small switches whose settings may be changed during transportation, which creates additional problems for the expert.
In conclusion, it should be emphasized that when conducting any investigative actions related to the investigation of crimes in the field of computer technology (especially the seizure of information and computer equipment), it is advisable to involve an IT specialist from the very beginning. Before the start of investigative actions, one should also have certain information regarding the brand and model of the computer, its operating system, peripheral devices, communications equipment and any other information about the system that is the object of the investigation. The purposeful activity of the investigator and operational workers, especially at the initial stage of the investigation, ensures the success of the further investigation of computer crimes.