Judicial computer-network expertise

Lecture



Judicial computer-network expertise is based on the functional purpose of computer tools that implement information-network technologies. It is singled out as a separate type because, in the study of the corporate networks used in most public and private enterprises, only specialized knowledge of network technologies makes it possible to bring together the objects considered earlier and the information about them, and to solve effectively the tasks assigned to the expert.

Forensic examination of this kind is carried out to solve the following tasks:

- determination of the properties and characteristics of hardware and software; establishing the place, role and functional purpose of the object under investigation in the network (for example, for a software tool - in relation to the network operating system; for hardware - relating to the server, workstation, active network equipment, etc.);

- identification of properties and characteristics of a computer network, establishment of its architecture, configuration, identification of installed network components, organization of data access;

- determination of whether the identified characteristics correspond to those typical of a particular class of network technology tools; determining whether the tool belongs to the server-side or client-side applications;

- determination of the actual state and health of the network facility, the presence of physical defects, the state of the system log, the access control components;

- establishing the initial state of the computer network as a whole and each network facility separately, the possible place of purchase (acquisition), clarification of changes made to the initial configuration (for example, adding additional network devices, expansion devices on a server or workstations, etc.);

- determining the causes of changes in the properties of the computer network (for example, in the organization of access control levels; establishing the fact of a violation of network operation modes; facts (traces) of the use of external ("alien") programs, etc.);

- determination of the properties and state of the computer network from its reflection in the information on data carriers (for example, web arrays, hard disks, floppy disks, disk drives, etc.);

- determining the structure of the mechanism and the circumstances of an event in the network from its results (for example, an unauthorized access scenario, a mechanism for the distribution of malicious functions in a network, etc.);

- establishing a causal relationship between the use of specific hardware and software of the computer network and the results of their use.

A striking example of the need for computer-network expertise is the study of an office's networked computer system, when it must be established whether changes associated with the work of the accounting department could have been made. The optimal approach is to conduct the research inside the computing environment. Working with individual computers in this case may not give any result, since network systems for the most part imply distributed information storage and multi-level access to it, and a violation of the integrity of the system may entail the loss of meaningful data.

In conclusion, I would like to note that forensic computer-technical expertise is very young. A number of its theoretical aspects are still under development. Private expert methodologies have not yet been settled and have not received universal recognition, which is why experts often have to rely in their work on general scientific methods and the methods of information and computer technologies.

