International Student Conference
"Modern Approaches to Evidence
in Criminal Proceedings"
SPECIFICS OF SEARCH AND SEIZURE IN CYBERCRIME
INVESTIGATIONS
Zokirov Sardorjon Karimjon ugli
Lecturer of the Criminal Procedure Law
Department of the Tashkent State Law University
Annotation.
The article considers the general issues of inspection, search and
seizure in cases of crimes in the sphere of computer information. The specifics of
these investigative actions when committing crimes in the sphere of computer
information in customs authorities are also given.
Key words:
computer information; computer information crimes; computer
crime; investigative actions; customs authorities.
During the preliminary investigation in cases of crimes in the field of
computer information, special complexity arises from the implementation of
investigative actions related to the detection and collection of physical evidence:
inspection, search, and seizure. Physical evidence comprises objects (items) of the
material world, possessing the properties of carriers of evidentiary information,
received and attached to the criminal case in the manner prescribed by law.
According to Article 203 of the Criminal Procedural Code of the Republic of
Uzbekistan, material evidence includes any objects that served as instruments of
the crime or preserved traces of the crime; on which criminal actions were
directed, as well as other objects and documents that may serve as means for the
detection of a crime and the establishment of circumstances of a criminal case. In
most cases of crimes in the field of computer information, such objects are
computer equipment, due to the specificity of both objects and instruments of
criminal encroachments. This fact predetermines the direction of the entire
course of investigative actions.
The problem of conducting searches, inspections, and seizures in cases of
crimes in the field of computer information has been considered by many
proceduralists. However, there is no consensus on this issue. In our opinion, at the
preparatory stage of the investigative actions mentioned above, the most justified
activities will include the following: if possible, study in detail the situation of the
place of the investigative action; determine the location and layout of the room;
find out the mode of access to the room; investigate the room's power supply
system (this will allow, if necessary, to exclude the possibility of destruction of
traces of the crime by intruders). It is also advisable to determine which computer
equipment is operating in the room and how they are interconnected with each
other and with public networks, and to establish the operating means of
information protection. An important factor is the participation of an IT specialist.
With their help, it is necessary to prepare special technical and software tools that
may be useful during the search, inspection, or seizure; to instruct the persons
involved in the investigative action; and to determine the optimal time of its
execution.
At the main stage of investigative actions in cases of crimes in the sphere of
computer information, special attention should be paid to the following points:
When the investigative team arrives at the place of the investigative action, it is
important to decide on the expediency of disconnecting the power supply. The
investigator should consider that, on the one hand, the preliminary disconnection
of power will prevent the actions of intruders aimed at hiding traces of the crime
by means of computer technology (both deletion of computer information and
destruction of information on paper carriers with the help of a shredder), but on
the other hand, the forced disconnection will destroy the information stored in
the operational memory device of the computer, which may be useful for the
investigation of the crime. Additionally, this measure may not have the desired
effect due to the use of uninterruptible power supplies by the owner of the
computer equipment.
Immediately upon arrival at the scene of the investigation, it is necessary to
eliminate the possibility of altering computer information. The investigator
should instruct personnel to leave their workstations without switching off the
equipment or closing programs. The best option here is to 'leave everything
as it is.' Guards should be posted to watch workstations,
servers, and power control panels.
If the investigative site is equipped with satellite communications, as
many customs checkpoints are, the communications device should be monitored to
prevent possible intentional disruption. Particular attention should be paid to
mobile remote access devices (e.g., '3G', '4G' modems), and wireless data
transmission devices (e.g., 'Wi-Fi', 'Bluetooth') should be disabled if available on
the investigated computer equipment.
Next, it is important to promptly identify the computer containing the
computer information of greatest interest for the purposes of the investigation.
After that, it is advisable to identify the peripheral devices connected to the
computer of interest. This step is crucial to detect information that the intruder
may have stored on these devices, as well as to identify other traces of the crime.
Modern technologies enable the storage of large amounts of information on
relatively small media. Accordingly, actions should be taken to locate computer
data carriers, including personal searches if necessary. Mobile media may contain
information that is either the subject of a computer crime (e.g., an illegally copied
database) or was used as a means of committing the crime (e.g., a malicious
program used to overcome software protection tools).
Special attention should be paid to the possibility of deliberately
disabled hard disks within the system unit of a computer. These hard disks, which
will not be displayed in the system directory during a traditional examination of
the computer, may contain important information. Traditional, 'non-computer'
traces of crime should also not be underestimated in the investigation process.
For instance, the study of sweat marks on input devices, data carriers, and other
peripheral devices can be extremely useful for identifying individuals involved in
the commission of the crime, especially in cases where many persons have access
to the room containing the computer used to commit the crime. Additionally,
information relevant to the crime may be printed out by the attacker (e.g.,
malware code) or stored in any other (non-electronic) way (e.g., the password for
access to protected information may be written on paper; using this password
would greatly speed up the process of investigating the computer if the suspect is
unwilling to cooperate with law enforcement).
The application of the above measures is typical for all cases of these
investigative actions. However, when searching, examining, or seizing computer
equipment belonging to customs authorities, the investigator must also consider
other factors.
At the initial stage of the investigative action, it should be reliably known
what computer equipment is in the room where the investigative action is
conducted, what software is used, where the servers are located, what the power
supply system is, who the responsible person is, etc. Obtaining such information
is possible by requesting the necessary official documentation from the superior
customs authority, where the required information is specified. At the same time,
the investigator must take measures to ensure the suddenness of the search.
Additionally, it may be advisable to instruct operative officers to collect the
necessary information by covert methods. Thus, the initial stage is characterized
by the possibility of obtaining more information about the situation of the place
of the investigative action, allowing for qualitative preparation for the main stage.
Familiarizing oneself with the records of computer work will be useful. For
example, when working with the Automated System for Customs Transit Control
(ASCTT), a person who has access to an automated workstation (ARM) with
pre-installed ASCTT software must keep a log of computer time. To activate the
workstation, a magnetic key in a special device is required, which is issued against
a signature in the issuance log. Additionally, a paper carrier with the password for
access to cryptographic means of protecting information transmitted via ASCTT
must be kept in a safe. The keys to the safe are issued by the head of the customs
authority against signature, and this action is also recorded in a special logbook.
The safe, as well as the room containing the computer connected to the ASCTT,
should be sealed with numbered metal seals, which will also help to clarify the list
of persons involved in the crime committed.
Thus, by paying attention to various logbooks, more information can be
obtained about the persons who had access to the computer.
Disconnecting the power supply before an investigative action is not
advisable here, since practically all automated
workstations in customs authorities are equipped with uninterruptible power
supplies.
When conducting a search or inspection, the sudden appearance of an
investigative team will be significantly hampered by the fact that customs
authorities are in protected areas. Therefore, the investigator must take steps to
preserve surprise.
The nature of the data processed by customs authorities must also be
considered: most of it is restricted information (including state secrets). Thus,
the investigator should take measures to ensure the protection of such
information during the investigative action.
Today, the information systems of Russian customs authorities are
characterized by a high level of interconnectivity of their elements. Most of the
ARMs used by customs authorities are united in the Departmental Integrated
Telecommunication Network, significantly complicating the search for traces of
crime due to the increase in the number of computers that need to be investigated.
Since customs authorities use technical and software means of information
protection, overcoming which is a very complicated process, priority attention
should be given to customs officers and employees, the so-called 'insiders'.
Customs authorities employ Russian citizens with higher education (including
technical education); therefore, when conducting a search or inspection, it is first
necessary to investigate the ARMs of officials with technical education, since the
probability that they have the special knowledge necessary to commit a crime in
the field of computer information is higher than that of other employees.
The performance of such investigative actions as search, seizure, and
inspection in customs authorities in cases of crimes in the sphere of computer
information has the above-mentioned features, which should be taken into
account to achieve the best results.