Criminalistic description of interference with work of computers without right

The topic is relevant because the successful investigation of any crime depends on the investigating officer's ability to reveal and assess factual data and, to a great extent, on his ability to grasp the criminalistic essence of the criminal activity under investigation. A detailed criminalistic description of computer-related crimes is essential for detecting, solving and investigating such crimes. Hence, it is very important to understand the meaning of the substantive law rules, to define the subject of proof and to determine the goals of the investigation process.

The goal of this article is to study the most typical criminalistic information on the signs and peculiarities of illegal interference with computer work. Hence, the main tasks of this research are to define and form a criminalistic description of illegal interference with the work of computers, based on the ways of committing the crime, crime concealment, background, tools and means, traces of the crime, the mechanism of unlawful infringement and the personal behavioral characteristics of those who illegally interfere with computer work.

Given the novelty of the lawmaker's decisions defining criminal acts related to computer crimes, any examination of criminal activity has to start with defining the new concepts introduced by the lawmaker when establishing the corpus delicti (components of crime).

Analysis of Section 16 “Crimes in sphere of computers, computer systems and networks operation” of the Criminal Code of Ukraine shows that legislators introduced a number of concepts that had not appeared before in criminal-law terminology or in the law regulating information relations. These terms need to be explained on the basis of an understanding of both the technical features of new computer facilities and the meaning of information as a new criminal-law and criminalistic category.

Taking into account the importance of the semantic definition of the term “illegal interference”, which in general is not typical of conventional criminal-law descriptions of modus operandi, we will examine this concept in relation to current legislation.

Analysis of Article 361 shows that illegal interference with the work of computers, systems and networks is penetration into these machines, systems and networks and the commission of actions that modify the operation of a computer, system or network, or fully or partly stop its functioning, without the permission (assent) of the owner or a person authorized by him, as well as influencing computer work with the help of various technical devices capable of corrupting its functioning.

Article 361 protects the proprietor’s right to the inviolability of information in computers, systems or networks. The owner of an automated system is any person who legally uses information processing services as the proprietor of such a system (computer, system or network) or as a person authorized to use such a system.

The criminal act for which Article 361 provides responsibility should consist of illegal intervention in the work of computers, systems or networks. It always takes the form of performing certain actions, and can be a penetration into a computer system using special technical means or software that allow one to overcome installed systems of protection from illegal application of obtained passwords, or posing as a legal user to penetrate into the computer system [3].

So, Part 1 of Article 361 defines “illegal interference with operation of automated computers, systems and networks that has led to distortion or destruction of computer information or carriers of such information” as a punishable action. This corpus delicti is material in character: the consequences of the crime are an obligatory element. However, the law contains a limited list of harmful consequences and does not cover any forms other than those specified in Article 361. A person who has performed the specified actions in forms not defined in Article 361 is not subject to criminal liability.

N. Akhtyrskaya, P. Bilenchuck, V. Vekhov, A. Volevodz, Y. Gavrilin, M. Gutsaliuck, V. Kozlov, V. Krylov, V. Minaev, N. Rozenfeld, E. Rossinskaya, N. Saltevsky, O. Snigirev, V. Tsymbaluck, V. Cherkasov, N. Shuruhanov and others have recently researched problems of computer crime. However, they do consider issues of investigating illegal interference with the work of computers as a separate crime. At the same time, law enforcement officers engaged in investigating offences of this kind need scientifically based methods of examination. It is necessary to develop a criminalistic description of computer crime in order to understand the scientific background of the problem.

The theoretical basis of the general criminalistic description of crimes was worked out by P. Belkin, A. Vasilyev, V. Obraztzov, V. Shepitko, N. Yablokov and others.

The opinion of V. Korzh is also interesting. She researches into the concept and structure of economic crimes committed by organized criminal groups. Here she marks out features, specific character, signs, background, traces and other consequences of crimes [1].

N. Shuruhnov defines the criminalistic description of a crime as a system of criminalistic features, properties and signs. This system contains data on typical methods of committing and concealing a crime, the mechanism of criminal encroachment, traces, the background of the criminal event, the subjects of criminal infringement, the personal traits of the criminal and the victim, and also the facts of the case that favour the commission of crimes [2].

According to V. Vekhov, the structure of the criminalistic description should include important information on the criminal’s personality, the motivation and goal of his criminal actions, and also data on the victim [3].

According to V. Kozlov, criminalistic description of computer crimes is the most typical, significant, interrelated information on signs and features of these crimes. This information can be the basis for advancing cases (stories) of the crime [4].

Most domestic and foreign scholars think that the criminalistic description is a key element of the criminalistic methods of investigating computer crimes.

The criminalistic methods of solving and investigating computer crimes are a set of scientific propositions and of recommendations developed on their basis, i.e. scientifically grounded and practically tested guidance for solving and investigating computer crimes.

Comparing the different definitions of the criminalistic description, we may conclude that most researchers name the following elements: typical investigative cases, methods of committing crimes, typical material traces, personality descriptions of the criminal and the victim, methods of concealing crimes, and crime background.

This approach makes it possible to single out a number of problematic issues in working out a criminalistic description of illegal interference with the work of computers:

  • high latency of computer crimes. V. Tsymbaluck notes that in the majority of cases, victims are unwilling to notify the police of criminal infringements against their computer systems because they do not want to undermine their reputation [5];

  • complexity of evidence gathering and problems of proof in court;

  • variety of criminalistically significant signs of computer crimes;

  • absence of a clear program for fighting computer crimes;

  • complexity of solving computer crimes;

  • insufficient investigative practice in computer crime cases.

The criminalistic description of illegal interference with the operation of computers, systems and networks is a system of summarized data on typical traces, methods and mechanisms of committing the crime, the personality of the criminal and other significant features, properties and peculiarities of the crime, and the facts of the case that favour its commission. The criminalistic description helps to optimize the investigation and the practical application of the means, ways and methods of criminalistics in solving and investigating crimes of this kind. It consists of the following data: ways of committing the crime (modus operandi) and the mechanism of the illegal action, ways of concealing illegal interference with the operation of a computer, system or network, instruments (means) of the crime, facts of the crime, place of the crime, subjects of criminal encroachment, persons who committed illegal interference with the operation of computers, systems and networks, etc.

Let’s consider data on modus operandi and the mechanism of the illegal action. Modus operandi (the way of committing a crime) is a system of actions of the criminal (and/or related persons), united by one intention and directed at preparing, committing and covering up a crime, determined by objective or subjective factors and connected with the use of corresponding facilities and means. Today there is no clear classification of modus operandi for illegal interference with the functioning of computers, systems and networks [5]. In our opinion, they can be divided into 3 main groups:

The first group: ways of direct access.

This covers damaging, deletion, deterioration, alteration, suppression or copying of computer data, and also serious hindering without right of the functioning of a computer, system or network, by entering corresponding commands from the computer where the information is stored. Direct access may be made both by persons working with the data (related to this work) and by persons intentionally penetrating restricted areas or premises where information is processed.

The second group includes ways of indirect (remote) access to information. Access without right to a certain computer or information is made via computer networks from another computer located at a certain distance. Ways of indirect (remote) access are:

  1. Connecting to the telecommunication cables of an authorized user (i.e. a phone line) and obtaining access to his system.
  2. Penetrating other information systems by automated dialing of subscribers’ phone numbers with subsequent connection to their computers (dialing continues until the criminal receives an answer from the modem at the other end of the phone line). It should be noted that an attempt at unauthorized access may be detected easily. That is why such a hack is carried out from several workplaces: at a specified time several (more than 10) PCs attempt unauthorized access. System security may prevent several “attacks”, and the others gain the desired illegal access. One of the computers that gained access blocks the network logging system that records all access attempts. As a result, the other computers that gained access may not be detected and located. Some of them start to hack a certain subnetwork, others carry out fake operations in order to hinder the functioning of the enterprise, institution or authority and cover up the crime [6].
  3. Penetrating a computer network with the help of passwords, pretending to be an authorized user. Using this method, violators crack a password in order to access another person’s computer. There is a range of software specially developed for these purposes. It may be purchased on the “shadow” computer market. Having obtained the right password (it takes less than 24 hours to pick an 8-digit password), the illegal user obtains access to computer information and may use it however he likes: copy, delete, deteriorate, modify or suppress computer data, or perform operations such as wire transfers, forgery of payment orders, etc. as the authorized user.
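
The pattern described in item 2 (more than 10 sources trying to log in at the same moment, followed by silence from the logging system) can be searched for in access logs. The sketch below is an added example, not part of the original article; the log line format, field names and thresholds are assumptions, and the sample log is constructed.

```python
from datetime import datetime, timedelta

def parse(line):
    """Parse one line of the assumed format: '<ISO time> <KIND> key=value ...'."""
    ts, kind, *fields = line.split()
    rec = {"ts": datetime.fromisoformat(ts), "kind": kind}
    rec.update(f.split("=", 1) for f in fields)
    return rec

def coordinated_bursts(records, window=timedelta(seconds=60), more_than=10):
    """Find windows in which login attempts arrive from more than `more_than`
    distinct sources (the article speaks of 'more than 10' PCs)."""
    attempts = sorted((r for r in records if r["kind"] in ("FAIL", "OK")),
                      key=lambda r: r["ts"])
    bursts, i = [], 0
    while i < len(attempts):
        start, j, sources = attempts[i]["ts"], i, set()
        while j < len(attempts) and attempts[j]["ts"] - start <= window:
            sources.add(attempts[j]["src"])
            j += 1
        if len(sources) > more_than:
            ok = sorted({r["src"] for r in attempts[i:j] if r["kind"] == "OK"})
            bursts.append({"start": start, "end": attempts[j - 1]["ts"],
                           "sources": len(sources), "succeeded": ok})
            i = j          # report each burst once
        else:
            i += 1
    return bursts

def logging_gaps(records, max_silence=timedelta(seconds=90)):
    """Intervals with no records at all, longer than the expected heartbeat."""
    times = sorted(r["ts"] for r in records)
    return [(a, b) for a, b in zip(times, times[1:]) if b - a > max_silence]

def correlate(records, within=timedelta(minutes=5)):
    """Attach to each burst the first logging gap that starts soon after it."""
    gaps = logging_gaps(records)
    out = []
    for b in coordinated_bursts(records):
        after = [g for g in gaps if timedelta(0) <= g[0] - b["end"] <= within]
        out.append({**b, "log_gap_after": after[0] if after else None})
    return out

def sample_log():
    """Constructed sample: heartbeats, a 12-source burst, then 25 minutes of silence."""
    t0 = datetime(2003, 5, 12, 1, 55)
    lines = [f"{(t0 + timedelta(minutes=m)).isoformat()} INFO msg=heartbeat"
             for m in range(5)]
    burst = datetime(2003, 5, 12, 2, 0)
    for n in range(12):
        kind = "OK" if n in (4, 9) else "FAIL"   # two sources get through
        when = (burst + timedelta(seconds=2 * n)).isoformat()
        lines.append(f"{when} {kind} user=operator src=192.0.2.{10 + n}")
    resume = datetime(2003, 5, 12, 2, 25)
    lines += [f"{(resume + timedelta(minutes=m)).isoformat()} INFO msg=heartbeat"
              for m in range(3)]
    return lines

if __name__ == "__main__":
    for finding in correlate([parse(l) for l in sample_log()]):
        print(finding)
```

The sources listed under `succeeded` are the ones to examine first, and a gap that begins right after the burst marks the period for which other evidence (network equipment, provider records) has to replace the missing log.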

One of the most widespread instruments of illegal access to a computer is the computer itself. The World Wide Web has recently become another widespread tool.

Two Kazakhstan men have been arrested in London for allegedly breaking into Bloomberg L.P.’s Manhattan computer system in an attempt to extort $200,000 from the business news service and its owner, Michael Bloomberg. Oleg Zezov, who was employed by Kazkommerts Securities in Almaty, Kazakhstan, and Igor Yarimaka were arrested in August 2000 on two extortion related counts and one count of computer intrusion. According to the complaints, Michael Bloomberg was part of a sting operation at a London hotel during which the defendants were arrested. They are currently being held in Britain and the United States is seeking their extradition.

Zezov allegedly entered Bloomberg’s system through computers in Almaty. In the spring of 1999 Bloomberg provided database services, via a system known as Open Bloomberg, to Kazkommerts Securities. Zezov is one of four individuals at Kazkommerts associated with Kazkommerts’ contract with Bloomberg. Criminals believed they could intimidate companies with threats of computer hacking and/or the spreading of malicious accusations, Bloomberg said in a statement. This global operation showed that private industry can stand up for its property rights and does not have to submit to such blackmail.

The complaint against Zezov alleges that he sent a number of e-mails to Michael Bloomberg demanding that Bloomberg pay him $200,000 in exchange for revealing information about how he infiltrated the company’s computer system. One of the e-mail addresses Zezov used to contact Bloomberg was bloomberg-mike@hotmail.com. On March 27, a Bloomberg representative contacted the FBI and said that Michael Bloomberg had received e-mail from an individual using the bloomberg-mike@hotmail.com address and identifying himself in the text of the letter as Alex. Prosecutors alleged that Zezov was the author of the e-mail. In the e-mail, Zezov allegedly said he was not a criminal but intended to “help you understand some drawbacks of your system”. Among these was that Bloomberg Traveller, a smaller, more portable version of a Bloomberg terminal, had security problems. The same day, Bloomberg received a multi-page fax that consisted of a printout of Bloomberg computer screens containing personal information about Michael Bloomberg, including his employee identification photograph, his computer username and password at Bloomberg and credit card numbers. Bloomberg officials told the FBI that this information was only accessible to certain authorised persons and was not among data available to Bloomberg clients.

At the direction of the FBI, Michael Bloomberg replied to the bloomberg-mike@hotmail.com address stating he was interested in the information and asking how to arrange for payment. In an April 3 e-mail, Zezov allegedly demanded $200,000 and Bloomberg responded that they should meet in person. Zezov then allegedly demanded that Bloomberg deposit the money in an offshore account. Bloomberg, at the FBI’s direction, opened an account in Deutsche Bank in London and deposited the sum. While Zezov was able to confirm that the account had been opened, he could not withdraw any funds. Zezov said he wanted control over the account and Bloomberg then suggested they resolve the matter in a face-to-face meeting in London. Zezov and Yarimaka flew from Kazakhstan to London and met with Bloomberg on Aug. 10 at the Hilton Hotel. Bloomberg was accompanied by two London police officers, one posing as a Bloomberg executive and the other serving as translator. Zezov introduced himself as Alex and Yarimaka said he was a former Kazakhstan prosecutor representing Alex in the payment matter. The defendants allegedly reiterated their demands at the meeting and were arrested.

As already noted, interference with the operation of a computer, computer system or network without right may be connected with violence against or threats to a person. Violence or threats may accompany direct, indirect or mixed methods of committing a computer crime. Both the authorized user of the computer system and any other person related to the computer equipment may be subjected to violence or threats. Direct access to computer information connected with violence or threats occurs when an authorized user or other person is forced, after violence or under the threat of it, to commit interference with the operation of a computer, computer system or network without right. The damaging, deletion, deterioration, alteration or suppression of computer data without right is then performed on the computer where the information is stored. Indirect access to computer information connected with violence or threats occurs when direct or electromagnetic interception of information from the computer where it is stored (with further copying, deletion, alteration and suppression of computer data without right) is committed by a person who has suffered violence. The action need not be committed in full by the person who suffered violence; it is enough merely to obtain passwords, IDs, access cards, etc. Mixed methods of interference with the operation of computers, computer systems and networks without right may be committed in the same way, for instance by physical influence (or threat) on programmers (operators) for the purpose of entering unplanned commands in a program or altering it, or if violence is used in order to detect flaws in the security system, or other kinds of mistakes related to program structure, for further use without right.

Crime concealment is an activity (an element of criminal activity) directed at hindering investigation by concealing, destroying and falsifying traces of the crime and their carriers [6].

Methods of concealing illegal access to a computer are to a fair degree determined by the way the access is committed. In the case of direct access to a computer, concealing traces of the crime means destroying the traces left (fingerprints, footprints, micro particles and so on). In the case of indirect access to a computer, concealment lies in a modus operandi that hinders detection of the illegal access. This is achieved by using other people’s passwords, logins, etc.

Instruments of illegal interference with the work of a computer, system and network are computer facilities and special computer software. It is necessary to distinguish instruments of direct and remote access.

Instruments of direct access are as follows: computer information carriers and all means of overcoming information protection systems. Each category of protection means (organizational and technical, software and technical) corresponds to its own set of instruments of illegal interference with the work of a computer.

Instruments of remote access are as follows: network facilities (in the case of unauthorized access from local networks) and facilities for access to remote networks (communication devices, modems).

Data on the circumstances of the offence, i.e. the situation in which such unlawful actions are committed, are significant for the analysis and investigation of illegal access to a computer.

In our opinion, the situation of illegal access to a computer is composed of the material, technical, spatial, temporal and socio-psychological circumstances in which the crime is committed.

Additional factors describing the conditions of illegal access to computer information may be as follows: the presence and state of computer protection means (organizational, technical, software), discipline, the management’s demands regarding observance of the rules and regulations of information security and computer servicing, etc.

A low organizational and technical level of business operation, weak control over information security, an inefficient information security system, indifference to violations of information security regulations and so on are characteristic of the situation in which the crime under consideration is possible.

Establishing the features of the situation makes it possible to determine the most important facts when examining the scene, examining computer equipment, documents and vouchers, interrogating certain witnesses, and deciding whether certain documents need to be seized, etc.

The distinguishing property of illegal access to a computer is that the place where the illegal action is committed indirectly (the objective aspect of the corpus delicti) and the place of the harmful consequences (the place where the results of the illegal action ensue) may not be the same. This happens in almost all cases of illegal access to a computer. In the case of direct access, these places are the same. Such crime is often committed by employees of the company or organization. Therefore, computer crime can be transnational (transboundary): the crime is committed under one jurisdiction and the consequences ensue under another. It should be noted that computer-facilitated crimes are becoming more transnational, organized and group-based. The transnational character of these crimes poses certain dangers to information security, which is a component of the national security of the country.

Data on traces of illegal access to a computer are the most important element of the criminalistic description. The traces of a crime are any changes in the surroundings caused by committing the crime [7].

The distinguishing property of these traces is that they are barely examined by the present-day police science of traces or clues because, in most cases, they are informational, i.e. they represent one or another modification of computer information: damaging, deletion, deterioration, alteration or suppression.

Therefore traces of illegal access to a computer are divided into two types: traditional traces (traces-images examined by the police science of traces or clues, traces-substances, and traces-objects) and untraditional traces – information traces.

The first are material traces: hand-written notes, printed materials, etc. that testify to the preparation and commission of a crime. Material traces may be left on the computers (fingerprints, micro particles on the keyboard, disk drives, printer, etc.) and on magnetic carriers and CD-ROMs.

Information traces are formed as a consequence of influence (damaging, deletion, deterioration, alteration or suppression) on computer information through access to it, and represent any modifications of computer information related to the commission of a crime. First of all, they remain on magnetic information carriers and reflect modifications in the stored information (as compared to the initial information).

The output of antivirus and test software is also an information trace. These traces may be revealed during examination of computer equipment, programmers’ work notes and antivirus software logs. It is necessary to involve experts in such examination.

Information traces can also be left in the case of indirect (remote) access through computer networks. They appear because the perpetrator must log in to connect to the remote network. All these logins are recorded in system log files. The system also determines the user’s network address, software and its version. Besides, users usually give their e-mail addresses, real names and other data for network connection. This information is requested by the system administrator (provider) to control connections to his server. This makes it possible to identify users penetrating the network.

Traces showing illegal access to a network may be as follows: operations of renaming directories and files; changes of size, contents, standard properties, date and time of creation; appearance of new directories and files, etc.
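
The traces listed above become visible when the current state of a file system is compared with a record of its initial state. The following sketch is an added example, not part of the original article; it assumes that a manifest (path, size, content digest, modification time) was recorded beforehand, and all paths, digests and times in it are constructed.

```python
from dataclasses import dataclass
from pathlib import PurePosixPath

@dataclass(frozen=True)
class Entry:
    size: int
    sha256: str   # content digest recorded when the manifest was taken
    mtime: int    # modification time, seconds since the epoch

def parent_dirs(paths):
    """All directories that appear above the given file paths."""
    dirs = set()
    for p in paths:
        dirs.update(str(d) for d in PurePosixPath(p).parents if str(d) != "/")
    return dirs

def diff_manifests(baseline, current):
    """Classify differences between the initial and the current state."""
    findings = []
    gone = set(baseline) - set(current)
    added = set(current) - set(baseline)

    # A vanished path whose digest reappears under a new path is a rename.
    by_digest = {}
    for p in sorted(gone):
        by_digest.setdefault(baseline[p].sha256, []).append(p)
    for p in sorted(added):
        candidates = by_digest.get(current[p].sha256)
        if candidates:
            old = candidates.pop(0)
            gone.discard(old)
            findings.append(("renamed", old, p))
        else:
            findings.append(("new_file", p, None))
    for p in sorted(gone):
        findings.append(("deleted", p, None))

    for p in sorted(set(baseline) & set(current)):
        b, c = baseline[p], current[p]
        if b.sha256 != c.sha256:
            detail = f"size {b.size}->{c.size}"
            if b.mtime == c.mtime:
                # contents differ although the timestamp claims no change
                detail += "; mtime unchanged"
            findings.append(("content_changed", p, detail))
        elif b.mtime != c.mtime:
            findings.append(("timestamp_changed", p, f"mtime {b.mtime}->{c.mtime}"))

    for d in sorted(parent_dirs(current) - parent_dirs(baseline)):
        findings.append(("new_directory", d, None))
    return findings

# Constructed sample data (hypothetical paths and digests).
BASELINE = {
    "/srv/app/config.ini":     Entry(412,   "a1" * 32, 1000),
    "/srv/app/bin/report":     Entry(20480, "b2" * 32, 1000),
    "/srv/app/data/ledger.db": Entry(8192,  "c3" * 32, 1000),
    "/srv/app/data/audit.log": Entry(300,   "d4" * 32, 1000),
}
CURRENT = {
    "/srv/app/config.ini":         Entry(412,   "a1" * 32, 2000),
    "/srv/app/bin/report":         Entry(20992, "e5" * 32, 1000),
    "/srv/app/data/ledger.db.bak": Entry(8192,  "c3" * 32, 1000),
    "/srv/app/tmp/x.dat":          Entry(64,    "f6" * 32, 2100),
}

if __name__ == "__main__":
    for kind, subject, detail in diff_manifests(BASELINE, CURRENT):
        print(kind, subject, detail or "")
```

A file whose contents changed while its modification time stayed the same is reported separately, because it indicates that the timestamp was set back after the change.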

**Targets of criminal encroachment** in the case of illegal access to a computer are: computers, systems, networks and computer information. In spite of the fact that computer information cannot be unconditionally regarded as a target of crime because it is not material, the author agrees that it is reasonable to widen the general theoretical concept of the target of crime. It is suggested to include not only things of the material world, but also definite evenly existing phenomena, formations, computer information [8]. Computer information is text, graphic and any other information (data) that exists in electronic format, is stored on appropriate carriers and can be created, changed and used with the help of a computer. Computer information can be defined as information fixed on a machine-readable medium or transmitted through communication channels in a format accessible by a computer.

The personality of the criminal is an important element of the criminalistic description of computer crimes. The crime committer is the minimal set of evidence that describes the person who committed a crime and is necessary to bring criminal proceedings against him. In particular, the personality traits of a person and the environment, in their interaction, successively define the motivation for deciding on criminal activity in the sphere of computer technologies. Motivation includes the process of emergence and formation of the reason and purpose for criminal conduct. The reason for criminal conduct has to be examined as a compulsion that was formed under the influence of the social environment and personal life experience, which is the internal direct reason for criminal activity and expresses the attitude of a person to the object of criminal activity [9].

Research conducted by the Computer Crime Research Center shows that 33% of perpetrators were aged under 20, 54% were aged between 20 and 40, and 13% were older than 40 [10].

Men are 5 times more likely to commit computer crimes. The majority of criminals have higher or incomplete higher technical education (53.7%), along with 19.2% who have other higher or incomplete higher education [11]. Lately, the number of women engaged in these crimes has been increasing. This is connected with women’s occupations at workplaces equipped with automated computer systems and with positions typically held by women (secretary, accountant, economist, manager, cashier, inspector, etc.).

The research conducted shows that:

• 52% of the identified criminals had special training in the field of automated computer information processing;

• 97% were employees of public authorities and institutions who used computer systems and information technologies in their everyday life;

• 30% of them were directly involved in the operation of computer equipment.

Thus the following conclusions can be drawn:

The criminalistic description of illegal interference with the work of a computer includes data on modus operandi and concealment of the crime, facts of the crime, data on the motives and goals of the committed actions, and also data on the personality of the criminal.

  1. It is reasonable to divide the modus operandi of illegal interference with the work of a computer into two groups: direct and indirect (remote) access to a computer. Each of these two ways of illegal interference with the work of a computer has definite specific features, which determine the peculiarities of operative search activity for each of them.

  2. Operative information can be obtained during examination of typical ways of hindering investigation into the given category of crimes. Concealing traces of crime is the most informative from this point of view. This may be reflected in damaging, deletion, deterioration, alteration or suppression

  3. Main goals and motives of computer crimes are as follows: profit, hooligan motive, revenge, commercial espionage and sabotage.

  4. Among cyber criminals, nearly four in five are male. Most criminals have higher or incomplete higher technical education, and also other higher or incomplete higher education. Most of them are aged between 20 and 40.

  5. The search activity of an investigator in cases of interference with the work of computers is a set of procedural and other actions directed at establishing relevant facts known to the investigator.

  6. The main objects of search in cases of illegal interference with the work of a computer include: persons who committed the illegal interference, instruments used for the illegal interference, computer information, and literature on the subject.

  7. The main search signs of persons who committed illegal interference with the work of computers include general signs (sex, age, nationality, special peculiarities, place of residence, occupation and other) and special signs (programming skills, knowledge of computer equipment, personal data left by the criminal in different computer systems and other).

  8. It is possible in principle to search for the computer equipment used to commit the crime. Here the search signs are as follows: configuration of the computer used to commit the crime, mobility of the computer equipment used, presence of certain network and peripheral equipment, and certain software.

[1] V. Korzh, Methods of investigating economical crimes, committed by organized groups, criminal organizations, Investigator’s Guideline, Scientific practical textbook, Kharkiv: “Licei” Publishing house, 2002, p.8.

[2] N. Shuruhnov, Criminalistic description of crimes, Criminalistics (topical issues), edited by Zuev, Moscow: 1988, p.119.

[3] B. Vekhov, Computer crimes: ways of commitment and investigation methods – Moscow: 1996, p. 49-105.

[4] V. Kozlov, Theory and practice of fighting computer crimes, Moscow: 2002, p. 114.

[5] V. Tsymbaluck, Latency of computer crimes, Fighting organized crimes and corruption (theory and practice), 2001, #3, p. 178.

[6] R. Belkin, Course of criminalistics: volume 1, Lawyer, Moscow: 1997, p.364.

[7] R. Belkin, Course of criminalistics: volume 1, Lawyer, Moscow: 1997, p.57.

[8] A. Muzyka, D. Azarov, About concepts of crimes in computer information sphere, Law of Ukraine, #4, Kyiv, 2003, p. 87.

[9] K. Igoshev, Criminal Personality Typology and Criminal Conduct Motivation, Horky: 1974, p. 66.

[10] V. Golubev, A. Golovin, Problems of Investigating Computer Crimes, http://www.crime-research.org/library/New_g.htm

[11] P. Bilenchuk, B. Romanuk, V. Tsimbaluk, Computer Criminality, textbook, Kiev: Atika, 2002, p.123.
