Подождите, пожалуйста, выполняется поиск в заданном разделе

Features of the appointment of judicial computer technical expertise

In accordance with the current legislation of the Russian Federation, an examination is appointed if during the conduct of judicial actions it becomes necessary to resolve issues related to areas of special knowledge in science, technology, art or craft. In our case, this special knowledge may be contained, for example, in such branches of scientific knowledge as programming, system electronics, computer engineering, systems engineering, etc.

The need for appointment is determined by the court. This takes into account that the expert has the right to request, in addition to the presented objects, case materials relating to the subject matter of the examination, and to file a petition for providing him with the necessary additional materials. For the class of examinations under consideration, this is especially important since the correct conduct of the study of computer tools and systems requires a thorough study of the accompanying technical documentation, the use of a specific, auxiliary software and hardware that is used in a particular situation. Often there are cases when, when answering the questions posed by an expert, an individually-defined hardware-software complex is required. This is typical for those situations where the examination is carried out in cases involving the manufacture of counterfeit money (securities), with violations of copyright and related rights.

I would like to note that the involvement of experts to participate in the formulation of questions posed for expert research is today a necessary reality, which is explained both by the rapid development of the information technology field itself and by the lack of well-established ideas about the possibilities of computer-technical expertise.

There are several issues that it would be advisable to discuss with a specialist before the court to appoint a computer-technical examination.

I. Specification of the type (type) of expertise specified in the court ruling. As expert practice shows, when assigning computer and technical expertise, the courts are currently experiencing serious difficulties in determining the class and type of expertise to be appointed. When conducting research on court rulings on the appointment of the examination under review, it was found that there was a lot of confusion on this issue. Unfortunately, it leads to the fact that the examination is appointed to state expert institutions that do not have specialists in the required field, or to private experts who do not have the necessary qualifications. It does not take into account the need for the production of complex examinations, questions are posed that are not related to the field of special knowledge of computer-technical expertise.

The active introduction of modern information technologies in all spheres of human life increasingly often objectively raises the question of the need to appoint and manufacture complex computer-technical examinations and other kinds and types of forensic examination. Consider the most relevant areas of expertise, in conjunction with which today should be assigned a computer-technical expertise.

Judicial financial and economic expertise is assigned to solve problems related to the financial activities of organizations, determine their financial condition, comply with legislation governing their financial relations with the state budget (determining the amount of illegally received revenues as a result of non-compliance with the rules for making financial transactions, hidden from the state profits, unjustified deductions to monetary funds, etc.), fulfillment of contractual obligations, distribution and payment of dividends, era tio securities, investments, etc.

In the course of judicial forensic financial and economic expertise, information about the actual state of the objects under study is often available only in a computer in the form of specialized software systems and information contained in them. Since the diversity and complexity of such systems is growing very rapidly, it is already almost impossible to keep track of the appearance on the market of new products of this type. Therefore, to obtain objective information, it is often necessary not only to be able to use one or another application package, but also to understand the construction, consistency, and operation of the entire system as a whole, and this requires knowledge of experts specializing in computer-technical expertise.

An example of such a comprehensive expert study can serve as a non-judicial examination conducted on a private request, as a result of which it was found that the mistakes made in the financial accounting of a trading company are not employee negligence, but the result of uncoordinated activities of software components of an computer-aided computer system . As a result, the client company sued the company supplying and installing this system.

Note that if a study is carried out on a large distributed system operating in a large company, when deciding on the performance of the installed system, it is often necessary to conduct not only a forensic software and computer expertise, as was the case discussed above, but also a forensic hardware and computer expertise. This is necessary because, in some cases, the performance of the system depends on the operability, proper selection and installation of the hardware-computer complex.

In the process of production of forensic accounting expertise , production and financial-economic activities of enterprises with various forms of ownership are analyzed, which have made losses, losses, appropriation of inventory, mismanagement, and are determined by the amount of liability for the material damage.

The use of "double" accounting becomes a typical offense established when studying the procedure for conducting financial affairs in enterprises, institutions and banks. A variety of accounting computer systems designed to provide automation of diverse tasks in this area. In the general case, the traces of business operations, the comparison of actually performed operations with the data reflected in the accounting and reporting, are established by forensic accounting. At the same time, a significant part of the evidence can be obtained by studying the information-software and hardware tools that provide the accounting technology under study. In such cases, it is advisable to appoint a comprehensive forensic computer-technical and forensic accounting expertise.

Forensic-technical examination of documents is carried out in order to establish the method of manufacture or forgery of a document (contract, will, cash ticket, security, etc.) and technical means used for this, restore the contents of damaged documents, study materials of documents (paper, dyes, etc. ).

The tasks of the computer-technical expertise of such complex, multi-disciplinary expert studies include the determination of the possibility of producing accounting documentation presented on paper with the help of specific software, hardware and a specific data set presented in electronic form.

Judicial merchandising expertise is appointed in cases when it is necessary to examine finished industrial and food products (products), their consumer properties, packaging and packaging, storage conditions, mechanisms for the occurrence of defects.

If, when the court considers civil cases and arbitration disputes, it comes to cost, related technical documentation, storage media, product, manufacturer of hardware and software products, then there is a need to assign a comprehensive commodity analysis and judicial software and computer expertise. The essence of this study is the integration of special knowledge in the technology of production of goods and computer technology. Experts study here not only the goods themselves - information software and hardware computer tools, but also their consumer properties, factors affecting consumer value, basic and auxiliary materials from which information carriers are made, packaging and packaging.

2. Formulation of questions to the expert. As practice shows, the solution of this issue always causes a lot of disputes between the court and the experts. Most often, the basis for them is a different interpretation of the terms and processes that underlie one or another legal fact. So, to clarify the circumstances of violation of copyright or related rights, the court needs to find out whether the same product of the program represented in objects of various types (for example, executable module and listing) is the same product. In this situation, the question is asked whether one program is a copy (recycling) of the other. However, with respect to these objects, it is illegal, since in the field of information technology the term "copying" and as derived from it the term "copy" has a different meaning - byte-by-match with the original data sequence.

Another example is the question of the possibility of issuing false invoices when using the accounting software package used in the enterprise. The solution of such issues requires at least a comprehensive forensic software-computer and forensic expertise.

Another example is the question of establishing a counterfeit product. It should be noted here that the questions that are put to the expert’s resolution should not go beyond his special knowledge, and in the example given, the question can be directly qualified as containing an assessment of legal facts. An expert specializing in computer research is able to give an opinion only on the detection of signs of counterfeitness, but not on violation of copyright and related rights. In order to avoid such situations, it is best to involve experts as specialists at the stage of formulating questions in the resolution (definition) on the appointment of computer-technical expertise.

3. Preparation of materials for examination, including the selection of samples for comparative studies. For a full-scale and effective computer-technical examination, it is necessary to correctly prepare materials and select samples for comparison submitted for expert research. Therefore, recommendations are needed regarding the objects of each kind of this examination.

Representation of objects for carrying out judicial hardware and computer expertise in the majority does not represent special difficulties. The fundamental requirement here is the exclusion of access to hardware components and information changes, as well as the safety of all components of the computer device. The exceptions are those cases when a hardware complex including a number of stationary installed computer devices operating in an inseparable relationship is to be investigated. For example, an automated workplace "photo workshop", or "audio studio". In these cases, it is necessary to investigate the entire set of hardware, since it is only possible to solve the tasks assigned to the expert only when examining the entire complex as a whole. For example, to establish the causes of system malfunction, to establish the possibility of interaction of its components, its functionality.

Another important feature concerning the submission for the study of objects of judicial hardware and computer expertise, is that an expert for a full and quick answer to the questions posed is often required in addition to the hardware itself and its accompanying documentation.

The situation with the objects of judicial information and computer expertise is more complicated. For its implementation, the objects must be delivered in a form that excludes the possibility of making changes to the information at the time of delivery. For this purpose, it is preferable that the objects are packed and sealed at the places of opening the package.

Information to be examined during the examination process can be contained both on the external and internal media. An external information carrier is a medium that can be removed from a running computer without stopping its operation. An internal information carrier is such a carrier, which is part of the computer system design, and for its removal a complete computer stop is necessary. Depending on the type of media, the type of representation of objects differs. If in the first case it is enough to submit the information carrier itself and to ensure that it is impossible to access its contents before the beginning of the examination, in the second case, very often the representation of only the media itself without a computer system, of which it is a part, can lead to the loss of information relevant to the business.

So, for example, the system computer unit entered the study, and the task was set to make financial information for the enterprise available to the expert accountant. As a result of the study, it was found that the internal storage medium of the system is not "native" for it, i.e. there was a substitution. If only the information carrier itself was delivered to the study, then it would not have been possible to establish this fact.

In many respects, a similar situation develops with the objects of judicial software and computer expertise. As already mentioned earlier, they are: program algorithms, source codes of programs presented on both electronic and paper carriers, and, finally, executable modules and software packages. However, the difficulty of presenting the data lies in the fact that these objects can be in several guises, namely:

- texts and algorithms of programs on paper;

- algorithms and texts of programs - in electronic form (installed and uninstalled programs).

In the case of the presentation of objects on paper, the issue under consideration is solved in the same way as in the case of the presentation of objects to a forensic technical study of documents.

A completely different picture when objects are presented in electronic form. A simple case is the presentation of a software module or software package on an external electronic medium. This is possible when the software product was originally on it or when it can be transferred from internal to external media using the simple copy method. Such actions can most often be performed with uninstalled programs, which are a set of files1 that reside on one or several media of the same type2, as well as distributions of software products that reside on internal media, program texts and algorithms.

The situation is much more complicated with the programs installed (installed for functioning in a specific information-computer system). In this situation, in no case should the program be transferred by simple copying to an external medium for the system, since a large block of information necessary for the normal functioning of the information and software product may be lost. In some cases it is important in which system the program is installed, since it is possible to link the work of the software product to the hardware. Therefore, when appointing an examination of software, it is better to submit either a complete system or a clone of the information carrier created by a specialist describing all the hardware used by the system.

It should be noted the characteristic feature of the presentation of software products for expert research to solve problems related to the violation of copyright and related rights, while establishing the authorship of the software product. In these cases, samples are almost always required for comparative studies. If, when solving the first group of tasks, the issue of submission of samples is solved simply by sending a formal request through the court with a request to submit a licensed (author) software product - an analogue of the study, then the second group requires the submission of additional materials. Such materials may be, for example, samples of other programs written by the disputing parties.

I would like to give particular attention to the consideration of the issue of the representation of objects in the event of a forensic computer-network examination.Important here is the fact that the object of examination will be the entire set of previously considered objects connected in a single system. To obtain the most complete and reliable results, it is necessary to investigate the computer network as a whole, and therefore it will be most expedient to conduct an examination on a “site”, i.e. where this computer network is installed. It is under these conditions that comprehensive testing of the system’s performance and assessment of the functions performed by it is possible. Transfer of information and software components to individual carriers is not appropriate in this case. The simulation of the operation of the network required for the study in the conditions of an expert institution may not give the desired results or may be impracticable due to the lack of such a hardware base for which the system was designed,with all its characteristic features of customization and functioning. The transfer of all components may not be feasible, for example, due to the large number of components. When deciding on the location of the examination, it should also be borne in mind that such a transfer of the system as a whole can permanently stop the operation of the entire enterprise.

Хотелось бы отметить, что при описании объектов компьютерно-технической экспертизы не был пока упомянут отдельно такой объект, как документация, сопровождающая программные и аппаратные компьютерные средства. Хотя данный объект не является основным для рассматриваемого класса судебных экспертиз, его представление для последующего изучения совместно с основными объектами (программными, аппаратными средствами) в большинстве случаев необходимо. Изучение сопутствующей документации дает возможность эксперту сделать вывод о том, насколько корректно используется тот или иной компонент системы, совпадают ли его заявленные функции с реальными, правильно и корректно ли были сделаны настройки. Это впоследствии помогает дать наиболее полные и обоснованные ответы на поставленные вопросы.

4. Особенности назначения комплексной и дополнительной компьютерно-технической экспертизы. Как уже упоминалось, комплексная экспертиза - это исследование, проводимое специалистами разных отраслей знаний для решения поставленных перед экспертом вопросов, смежных для различных родов (видов) судебных экспертиз. Обычно необходимость комплексной экспертизы вызывается невозможностью разрешения задач экспертизы на основе одной отрасли знаний. При назначении комплексной экспертизы, включающей судебную программно-компьютерную экспертизу, зачастую встает вопрос о се производстве одним экспертом, одинаково хорошо владеющим сразу несколькими знаниями в области науки и техники. Практика показывает, что сегодня эксперты, занимающиеся компьютерно-технической экспертизой (а таковых пока немного), часто владеют всеми ее родами. Поэтому данную экспертизу как комплексную экспертизу на сегодняшний день может квалифицированно провести один эксперт. В ряде случаев подобное проведение экспертизы является наиболее приоритетным. Примером этому может служить обследование аппаратно-программного комплекса ЭВМ на предмет возможности выполнения с его помощью специфических (заданных) функций.

В последние время в государственных экспертных учреждениях стали появляться эксперты, обладающие знаниями не только в области программирования и информационных технологий, но и в области товароведения. Они могут проводить экспертизы по этим двум направлениям. Есть такие эксперты, например, в РФЦСЭ при Минюсте России. Однако, поскольку законодатель утверждает, что комплексная экспертиза всегда должна быть комиссионной1, целесообразно при назначении экспертизы не выделять роды, а назначать моноэкспертизу и указывать в определении суда о необходимости назначения компьютерно-технической экспертизы. Тем более что, поскольку эта экспертиза является новой, ее классификация еще не до конца устоялась. Напомним к тому же, что согласно ч. 1 ст. 84 АПК комиссионный характер экспертизы определяется арбитражным судом. Но, поскольку комплексная экспертиза проводится не менее чем двумя экспертами разных специальностей (ст. 85 АПК), она также обязательно является комиссионной, т.е. может быть назначена только судом. Это служит еще одним немаловажным аргументом в пользу нашей рекомендации о назначении моноэкспертизы.

Дополнительная экспертиза назначается при недостаточной ясности или неполноте ранее данного заключения, что может быть результатом сужения экспертом объема задания, исследования не всех свойств и признаков объектов, неполноты рассмотрения некоторых вопросов. Примером этому может служить ситуация, когда при решении вопроса о наличии признаков контрафактности программного продукта экспертами исследуются только внешние признаки, охватывающие описание носителя информации и файловый состав, и не исследуются ее функциональные характеристики, свойства интерфейсов, а также поступившая вместе с ней техническая документация. Неясность также может выражаться в том, что по данному заключению нельзя судить о конкретных фактах, установить, являются ли выводы положительными или отрицательными, категорическими или вероятными. Например, при решении вопроса о том, переустанавливалось ли системное программное обеспечение компьютерной системы, экспертом дан ответ: "Системное программное обеспечение могло быть переустановлено в данной компьютерной системе".

Дополнительная экспертиза также назначается в тех случаях, когда после экспертного исследования возникают новые вопросы, связанные с исследованием того же объекта, которые ранее не ставились перед экспертом. Так, если после исследования программного обеспечения подвергшейся атаке компьютерной системы устанавливается, что в момент обнаружения происшествия ЭВМ не была подключена к сети, назначается повторная судебная программно-компьютерная экспертиза. На ее разрешение ставится вопрос о поиске возможных недокументированных функций программного обеспечения, установленных на активизацию и выполнение заданного набора действий в конкретный промежуток времени. Именно последнее основание назначения такой экспертизы чаще всего встречается в практике. В суде дополнительная экспертиза назначается лишь после дачи экспертом заключения в стадии судебного разбирательства дела и если неясность или неполноту заключения не представилось возможным устранить путем допроса эксперта1.

Дополнительная экспертиза всегда является экспертизой того же рода, вида и подвида, что и первичная. От новой экспертизы дополнительная отличается тем, что решаемые ею вопросы связаны с ранее решенными и эксперту не нужно заново проводить полное исследование программного обеспечения - он может использовать некоторые результаты ранее проведенных. Поэтому целесообразно по возможности поручать производство дополнительной экспертизы тому же эксперту (экспертам). Если же вновь назначенная экспертиза никак не связана с предыдущей, то она будет не дополнительной, а новой, самостоятельной экспертизой.

Основанием для назначения повторной компьютерно-технической экспертизы не может являться недовольство суда вероятной формой выводов, противоречие другим доказательствам, полученным в результате судебного разбирательства.


Comments (0)


leave a comment

To reply

Highly loaded projects. Theory of parallel computing. Supercomputers. Distributed systems

Термины: Highly loaded projects. Theory of parallel computing. Supercomputers. Distributed systems