Judicial information and computer expertise (data)

Judicial information and computer expertise (data) is carried out to study the data that is the information component of a computer system. The purpose of this kind of expertise is to search, detect, analyze and evaluate information prepared by the user or generated (created) by programs for organizing information processes in a computer system.

The objects of information and computer expertise are all computer system files that are not executable modules and are prepared by the user or the system itself in terms of their information content.

Information and computer expertise is the most common type of computer and technical expertise conducted in expert institutions of the Russian Federation. To date, it is also the most popular. In the production of information and computer expertise, it is possible to conduct a study not only of the data actually present on the information carrier, but also of the “deleted” data - which are considered to be lost.

A striking example of such expertise is the study of the computer system unit, produced in a civil case about the protection of honor and dignity.

Mr. P., using the Internet and software that allows him to access and remotely control someone else's computer, stole from Mr. R. an address book with information about the e-mail of the recipients. Then letters were sent to the addresses of the persons contained in the address book discrediting the honor and dignity of Mr. R. The respondent categorically denied any involvement in the dissemination of such information. As a result of SIKE among the "remote" information on his computer were found mockups of these letters and, as it turned out, fake photos of the plaintiff of a compromising nature.

The following questions are put on permission of information and computer expertise:

- what properties, characteristics and parameters (volumes, creation dates, attributes, etc.) have data on the storage media?

- what kind (explicit, hidden, remote, archive) is there information on the media?

- what type of identified (determined) data (text, graphic, database, spreadsheet, multimedia, plastic card recording, ROM data, etc.) belong and what software are they provided with?

- how is the access (free, limited, etc.) organized to the data on the storage medium, what are its characteristics?

- what signs of overcoming protection (or unauthorized access attempts) are available on the information carrier?

- what is the content of protected data?

- What is the actual state of the detected data and does it correspond to the typical state on the respective data carriers?

What inconsistencies to the standard representation are found in the identified data (integrity violation, format inconsistency, malicious inclusions, etc.)?

- What are the user (consumer) properties and the purpose of the data on the storage medium?

- what data for solving a certain functional (consumer) task is available on a data carrier?

- what data with the facts and circumstances of the particular case are on the presented data carrier?

- what data about the owner (user) of the computer system (including names, passwords, access rights, etc.) are available on storage media?

- what data from the documents (samples) submitted for examination and in what form (holistic, fragmentary) are on the information carrier?

- what is the initial state of the data on the media (in what form, what content and with what characteristics, attributes were certain data before their deletion or modification)?

- what mechanism (sequence of actions) for solving a specific task is reflected in certain data on the information carrier?

- what chronological sequence of actions (operations) with the identified data took place when solving a specific task (for example, preparing images of bank notes, securities, stamp impressions, etc.);

- what is the causal connection between the actions (input, modification, deletion, etc.) with the data and the event that occurred (for example, a malfunction of the computer system, including malfunctions in software and hardware)?

- What is the degree of compliance (or inconsistencies) of actions with specific information to special regulations or rules for operating a particular computer system?

Unfortunately, it is necessary to note that the prevalence and widespread use of SIKE, in addition to the positive, has negative aspects. One of them is the fact that due to the large range of issues it resolves and the huge amount of information to be processed in the process of conducting a study, it is one of the most time-consuming computer-technical examinations. In addition, we have to note that the apparent simplicity in the performance of information and computer expertise entails lack of thought, allowed by the customer of the examination, in posing questions to the expert. For example, a situation is often encountered when the question is as follows: "What information pertaining to the case presented in the plot is available on a magnetic (optical) information carrier?". Such a question makes it almost impossible for an expert to solve the problem, since in addition to the special knowledge that he possesses, he also requires an assessment of the evidentiary value of the entire set of information he studies.