As practice shows, during the detection and investigation of computer crimes the investigator builds a chain of evidence: scene examination data – investigation – making inquiries – identification and apprehension of the perpetrator. At the first stage, in accordance with articles 164, 176 and 177 of the Code of Criminal Procedure of the Russian Federation, the scene of the incident is examined, i.e. the computer system subjected to a hacking attack. During this examination, the investigator seizes various log files, including firewall, operating system and application program logs, and attaches them to the case. After analyzing these log files, the specialist determines the tactics for further investigation. Depending on the specific circumstances of the case, log files held by ISPs, hosting companies, wireline companies, and certain other locations are then obtained through seizures or even searches. At a minimum, these log files establish the location of the suspect (and sometimes identity information such as passport details or a photograph). The data from these log files is then presented as evidence in court proceedings.
Naturally, this state of affairs raises a question for all participants of the judicial process: how is the evidentiary value of log files attached to a criminal case ensured? In other words, are log files admissible as evidence in criminal proceedings? In the course of such discussions, the online community for the most part came to the following highly controversial conclusions:
Log files seized from the victim’s computer subsequently have no evidentiary value, as they may have been modified beforehand by the victim or by third parties independent of the victim’s wishes. After the seizure, moreover, the log files may be modified by the investigator, a specialist or law enforcement operatives.
Log files obtained from ISPs subsequently have no evidentiary value, because in accordance with the RF Law “On Communications” an ISP has no right to provide information about the private life of citizens to anyone without a court decision. Based on the investigator’s suspicions alone (after all, log files from the victim’s computer have no evidentiary value), courts will not make such a ruling.
The results of an expert’s examination of any computers (including those seized from suspects) have no evidentiary value, because in order to carry out such examinations, the expert must use methods certified by the Ministry of Justice and be employed by a specialized expert institution. In fact, at the moment there are no such experts on the staff of expert institutions of the Ministry of Justice (or even of the Ministry of Internal Affairs and the FSB).
Special “Internet Laws” need to be developed to suppress computer information crimes, as conventional laws cannot operate in cyberspace.
Guided by these considerations, it is easy to draw the erroneous conclusion that it is almost impossible to prove any crime in the field of computer information nowadays. And, as a result, some visitors to such forums, who do not have sufficient legal training, often commit offences themselves, after which they are prosecuted without much difficulty.
In fact, the difficulties arising in assessing the evidentiary value of log files are easily resolved within the framework of current law. As in many other aspects of our lives, theory clearly does not stand up to collision with practice. Just as the first circumnavigation of the globe proved the inconsistency of the flat earth theory, the first court session in the case of a citizen accused under Article 272 of the Criminal Code proved the inconsistency of home-grown legal theories. The defendant (in the city of Volgograd) received a sentence of two years of suspended imprisonment, and the practicing lawyers gained valuable experience, which was applied in the investigation of criminal cases under Articles 272 and 273 of the RF Criminal Code in various constituent entities of the RF.
For a better understanding of the following text, I will give a simple example comparing computer crime with conventional crime. Suppose that a robbery and a murder have been committed. The relatives of the victim go to the police, after which the investigator removes from the corpse a bloody knife with the fingerprints of the killer. Based on the fingerprints, the murderer is identified and detained. However, in his defence he claims that his fingerprints on the knife were falsified by the investigator or the murdered man’s relatives and that the items stolen from the apartment were planted on him by the police. That is, he is innocent and demands his immediate release. Such a statement is not as ridiculous as it seems. Any investigator can remember many “clients” who have told even stranger stories. In fact, it is a sure way to get the maximum sentence under the article charged.