L. Borysova, P. Bilenchuk, M. Malii, V. Vynohradova
The article is noted that investigators are not able to track all technological changes in the field of information technology and to study the traces of this type of crime, special attention is paid to the use of examination of computer systems and computer media (order of the Ministry of Justice of Ukraine dated 08.10.98, No. 53/5).
During the examination, it is advisable to solve the following problems:
– identification, that is the diagnosis of system processes and system behavior; system identification; multivariate analysis and reconstruction of the circumstances of the event place (by methods of mathematical analysis and computer simulation); diagnostics of the functional purpose of individual elements of a computer system, an intelligent hacking system; identification of the author of the computer text (they seem more important for the investigation and the court);
– non-identification, that is determination of the structure and functions of telecommunication networks and e-mail facilities; reconstruction and prediction of system behavior; determination of the reliability and resilience of computer systems; classifying information as software; classifying specific programs as harmful; definition of semantics and grammar of controversial texts; diagnostics and classification of printers, faxes, copy machines according to the text that was made from them.
It is advisable in the expert’s conclusion to display the facts of fixing information traces about the actions of malicious programs and search for seized files, parts of files that were specially removed at the beginning of the review or accidentally during the review; results of verification of system, protection, and application logs using documents that govern the rules for archiving logs; audit results (operators, privileges, objects).
To the conclusion, it is necessary to attach reports that were generated by the corresponding software, copies on machine media that were obtained during physical fixation. In the case of using a computer document as evidence, there is a need to specify: the means of collecting and processing information; type of system used; control tools that are built into the system for guaranteed detection and correction of errors, determining the level of professional training of individuals in the field of programming and working with computer equipment.
Key words: transnational computer crimes, examination, identification and nonidentification features.