Conducting a technical examination in a criminal case
Hello everyone, my name is Vasily. I have been a state expert of the Department of Computer and Radio Engineering Expertise for more than 4 years.
The purpose of a technical examination is to identify existing or deleted information according to specified criteria. In this case, the selection condition is set by the investigator. Information is retrieved from any object that has an information storage device, from a micro-SD drive to server equipment.
The first thing that happens to the object of research is that it is photographed in its packaging, so that the expert's conclusion can show the integrity of the package. After the package is opened, the object of research itself is photographed with a forensic ruler placed next to it.
Consider a PC as the object of study.
After photographing the object both in and out of its packaging, we must record all the storage media located in the PC (they may be of different types, so I will generalize), photograph its internal contents with a ruler, and record the S/N of the system unit and of each storage medium.
The questions are stated in the expert's conclusion in the following format.
Questions for the expert:
“Does the storage system (system unit) have information about the bank card number No. XXXX XXXX XXXX XXXX (account number XXXXXXXXXXXXXXXXXXXX)?”
“Does the storage system (system unit) have information about the subscriber number X-XXX-XXX-XX-XX?”
Note: questions №№1-2 were combined and solved jointly.
Next comes the description of the package and the object.
The object is presented in a black plastic bag. The system unit (hereinafter referred to as the SB) in a black and silver case has overall dimensions of 480 × 400 × 200 mm. On the front panel of the SB there are: an on/off button, a reset button, connectors for connecting interface devices, and LED indicators. The rear panel of the SB has a power supply connector and connectors for connecting interface devices. The following is installed in the SB case: a power supply unit and a system board, in the slots of which there are a RAM module and a video controller board, as well as a hard disk drive (hereinafter referred to as HDD) with a 3.5" form factor and a SATA connection interface.
There is a label on the HDD case that reads “…TOSHIBA…S/N: XXXXXXXX…1.0TB…”.
To determine the date/time settings of the SB system board, it was turned on with the information storage device disconnected. By reviewing the information displayed in the basic input/output system (BIOS), it was determined that the date/time settings of the SB system board correspond to the current values.
To perform the study, the hard drive was connected to the stand in read-only mode (ReadOnly). Using the software (hereinafter referred to as software) “R-Studio” version “8.12”, a bit-by-bit copy of the data contained in its memory was made to the stand's HDD. All further studies were carried out on the copy of the information storage device. This research method ensures the safety and immutability of the information contained in the information storage device. Information about the HDD obtained through the software “Paragon Hard Disk Manager 15” version “10.1” is shown in the table.
Size in bytes
266 038 868 480
47 029 936 640
850 487 891 968
13 371 819 008
Using the software “R-Studio” version “8.12”, data was recovered from the free area of the HDD (deleted files). The recovered data was copied to the stand drive. Subsequently, the search for information was carried out both among the files that are available in explicit form and among the data recovered during the study.
By viewing the contents of the HDD file systems, as well as using the “Windows Registry Recovery” version “2.2” software, it was found that Partition 1 contains an operating system that identifies itself as “Windows 10 Home”; the installation date is “05/17/2020”.
Answering questions No. 1-2
To answer the questions, the software “Archivarius 3000” version “4.72” was used, and the contents of the HDD file systems were also viewed. As a result, no files containing the keywords “XXXX XXXX XXXX XXXX” or “XXXXXXXXXXXXXXXXXXXXXX” were found in the HDD memory. Information about the subscriber number “XXXXXXXXXXX” is present among the values of the autocomplete fields. The discovered information is given in a file named “Autocomplete.xslx”, which is recorded on the optical disk attached to the expert’s report.
Next come the preliminary conclusions and the final conclusions. Between them, the report states the S/N of the DVD on which the information was recorded and describes the packaging in which the object was packed after the examination.
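The keyword search described above can also be run directly over the raw copy, which covers allocated files and the free area in one pass. The sketch below is an added example, not the expert's tooling and not how “Archivarius 3000” works; the function names and the sample number are constructed for illustration, and the image is assumed to be a plain bit-by-bit copy.

```python
import io
import re

SAMPLE_NUMBER = "81234567890"  # constructed subscriber number, not from the case

def keyword_patterns(digits):
    """Byte regexes for a digit string with optional space/hyphen separators,
    as single-byte text (ASCII/UTF-8) and as UTF-16LE (common on Windows)."""
    if not (digits.isascii() and digits.isdigit()):
        raise ValueError("keyword must contain ASCII digits only")
    narrow = rb"[ \-]?".join(d.encode() for d in digits)
    wide = rb"(?:[ \-]\x00)?".join(d.encode() + rb"\x00" for d in digits)
    return {"ascii": re.compile(narrow), "utf-16le": re.compile(wide)}

def scan_image(stream, digits, chunk=1 << 20):
    """Return sorted (byte offset, encoding) hits for `digits` in a raw image."""
    patterns = keyword_patterns(digits)
    # 4 bytes per digit exceeds the longest match (UTF-16LE with a separator
    # after every digit), so a hit split across two reads is still seen.
    overlap = 4 * len(digits)
    hits, tail, consumed = set(), b"", 0
    while True:
        block = stream.read(chunk)
        if not block:
            break
        buf = tail + block
        buf_start = consumed - len(tail)
        for enc, pattern in patterns.items():
            for m in pattern.finditer(buf):
                hits.add((buf_start + m.start(), enc))  # set removes re-finds
        tail = buf[-overlap:]
        consumed += len(block)
    return sorted(hits)

def build_sample():
    """Constructed stand-in for a raw image: one hyphenated ASCII hit and
    one UTF-16LE hit, surrounded by filler bytes."""
    ascii_part = b"\x00" * 100 + b"tel=8-123-456-78-90;"
    wide_part = b"\xff" * 50 + SAMPLE_NUMBER.encode("utf-16-le") + b"\xff" * 30
    return ascii_part + wide_part

if __name__ == "__main__":
    for offset, enc in scan_image(io.BytesIO(build_sample()), SAMPLE_NUMBER):
        print(f"offset {offset}: {enc}")
```

A raw scan of this kind does not see text inside compressed or encrypted containers, so it complements rather than replaces an indexed search over the extracted and recovered files.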
P.S. This article was written to highlight another great world so that your imagination can get in touch with this area. The simplest kind of examination is described.