Judicial software and computer expertise

Judicial software and computer expertise is carried out to carry out expert research of software.

The subject of this examination can be defined as facts and circumstances relevant to a criminal, civil or arbitration case, related to the creation, use or distribution of computer programs, established on the basis of special knowledge in the field of computer technology, programming and algorithmization.

The use of software that allows you to control the operation of computer technology in all spheres of human activity has set the task of researching these new objects in the interests of court and investigation. Computer programs in the process of their creation go through three stages: the algorithm, the source code of the program and the program itself. On this basis, the generic objects of the forensic software and computer expertise are executable modules, packages, algorithms and source texts of programs. Species objects are basically the same fundamental principle, the only difference is that these guises of the software product are considered in relation to specific areas of programming.

To date, the type of software and computer expertise includes the following types of forensic examinations:

- examination of system software;

- expertise of web server services;

- software and computer expertise of system security;

- software and computer expertise of databases and data banks.

This division is based on the need for expert knowledge, not only in the general theory of programming, but also in a number of different areas. First of all, it concerns the tools and in-depth knowledge of the characteristics of not only individual operating systems, but also their parts.

The tasks of the software and computer expertise today are:

- individual identification of the original program (installation version) and ce copies on the computer system data carriers;

- establishment of group membership of software according to common features;

- Identification of private features of the program, allowing later to identify its authorship;

- identification of specific features of the program, allowing later to identify the relationship with the information support of the investigated computer system;

- the identification of private features of the program, allowing subsequently to reveal the relationship with the hardware of the computer system under investigation;

- the establishment of signs of counterfeit information and software products submitted for examination;

- determination of the main characteristics of the operating system;

the identification and study of functional properties, as well as software settings, the time of its installation (installation on computer media);

- determination of the actual state of a program object, the composition of the files corresponding to it, their parameters (volume, creation date, attributes), methods of input-output information, the presence or absence of any deviations from typical parameters (for example, undocumented functions);

- diagnosing the algorithm of a software product (presented both as a software product, and as a graphic or text file);

- establishing types of tools used in the development of a software product (algorithm);

- establishing types of hardware and software platforms supported by the software product;

- the establishment of the initial state of the program (for example, during the initial installation) and the identification of possible subsequent changes (updates, changes in the composition);

- definition of goals and conditions for changing the properties and state of the software (deliberate change of any functions, configuration to a specific hardware environment);

- Establishment of the way to implement changes in the program (for example, the impact of malware, software errors, unauthorized access);

- determination of the properties and state of the program by its mapping in the data being processed (by the contents of the service, system files), by the supporting hardware;

- identification of the structure of the event mechanism based on the software performance and dynamics;

- establishing a causal relationship between the actions of a computer system user with respect to software and the ensuing consequences.

Most often, the following questions are put on the resolution of software and computer expertise :

- What is the general characteristic of the presented software, what components (software) does it consist of?

- Does the software have signs of counterfeit?

- Do the two software products have a single source of origin (when establishing copyright for the software product)?

- Does the body of the software product include details of its developer and / or owner, if any, which ones?

- What is the overall functional purpose of the software?

- what are the requirements of this software to the hardware of the computer system?

- What is the compatibility of a specific software with the presented hardware-software system?

- Is this software used to solve a specific functional problem?

- What is the actual state of the software, its performance on the implementation of individual (specific) functions?

- Does the software have protective capabilities (software, hardware and software) from unauthorized access and copying?

- How are the protective features of the software organized?

- What is the general algorithm of this software?

- what software tools (programming languages, compilers, standard libraries) were used to develop this software?

- Are the source texts (codes) of the program on the media?

- What actions allow you to make changes to the program?

- What is the chronology of the use of the software (since its installation)?

- what are the consequences of further exploitation of a certain software?

A striking example of software and computer expertise is the study of software products for signs of counterfeitness and the establishment of a single source of origin for software products. This problem is solved within the framework of determining the authorship of a software product.

For example, the court made a decision to a non-state expert institution to conduct an examination to establish the complete coincidence of software written by citizen V. and software product distributed by BBZZ. On the study gr. V. was presented with the program listing, and the trading company presented an executable module. For a correct comparison, the experts brought the objects to a single form. As a result of a subsequent study, it was found that the programs have the same work algorithm, the same input and output forms, and are written in the same programming language, but a slight difference was found in the screen forms. As a result, it was not possible for the experts to make an unequivocal conclusion that this is one and the same software product. However, it was unequivocally established that they have a single source of origin.

Or, for example, firm A filed a lawsuit in an arbitration court against firm T with a request to forcibly terminate the contract for the installation and commissioning of the enterprise management software package. According to the management of company A, the payment for services was made in stages, depending on the commissioning by firm T of the next block of the system (warehouse, accounting, personnel management, etc.). However, despite the fact that at the end of the first stage, the companies signed a list of disagreements and, on its basis, company A paid for the first stage, company T did not eliminate the deficiencies in a timely manner, it also broke all other terms established by the contract. Firm T. refused on the basis of this to terminate the contract and claimed that the product was put into operation in accordance with the established schedule.

The court appointed a software and computer expertise, during which the software and computer system installed in firm A was studied, the technical documentation attached to the contract (the technical task for the project), and the contract itself. On the basis of the conducted research, it was found that during the commissioning process, the conditions for adapting the software to the needs of a specific user were grossly violated, and a number of necessary software settings were not made, without which the operation of the declared blocks is impossible.