do not necessarily reflect the views of UKDiss.com.
Digital Forensic Techniques Used By Police and Investigation Authorities in Solving Cybercrimes
The tremendous scientific progress in information technology and its flow in the last three decades has made a digital revolution that is now applied in all aspects of life and has become difficult for us to dispense with its unlimited services, and as the nature of the human soul, where some villains exploit the scientific inventions, and the advanced means of committing many of the traditional crimes, taking advantage of the enormous potential of these innovations, or the development of other images of criminality linked to these techniques that become the subject of these crimes or means to commit. The rates of such crimes have increased in the last two decades in particular, in a way that led to the dawning of a new criminal phenomenon, known as cyber criminality. With this development, it has become difficult for the police and law enforcement agencies to trace these criminals and identify those perpetrators and their locations so that the Internet becomes the theatre of committing cybercrime. Then if the crime is harmful to others, whether individuals, private or public companies, it is a great surprise to the many harmful acts practiced by some Internet users and the huge number of tools and techniques of crime, which became richer than before. Examples of such tools include programs for copying information stored in computers, the computer network, the Internet as a center for committing such crime, telephone lines used to connect cameras, spyware, ATMs, barcode scanning devices, printers, mobile phones and smartphones, digital landline phones, video gaming consoles, databases, tools used to scan secured transfer protocol ports (Transmission Control Protocol) and unsecured ports (User Datagram Protocol), other software tools that are available through the Internet such as survey and data collection tools, many of which are available in the form of free products and products for sale for good purposes, that are focused on security vulnerabilities and troubleshooting analysis, but the weak people who are looking for acts that fill the moral holes in them, resort to the use of these tools for non-benign ends, to prove Self, curiosity and so on. Thus, banks were robbed with the help of these novel methods, and organized crime grew under this scientific revolution in the field of information and communication, especially in the fields of terrorism, drug trafficking, arms trade and organized prostitution using the Internet Many crimes have been committed, including hacking, spying, sabotaging, stealing computer and reading the contents of its disks, and these are at least a violation of privacy, not to mention the use of information in the purposes of the looting of assets and the destruction of the enterprise privacy, access to unauthorized information, destruction, alteration and elimination, or collection, reuse and diversion of data and information, forgery of editors, and infringement of computer software, whether by modifying or fabricating, publishing and using computer programs in violation of the laws of property rights, trade secrets, and the withdrawal of money from ATMs using the cards of others unjustly after breaking passwords for those cards and transferring funds from one account to another after illegal entry of financial company data such as banks. In addition, there have been crimes associated with these innovations, including the violation of glory, defamation, child abuse and the airing of sexual pictures or films, ejaculation or insult via email, dirty money laundering using electronic money.
So we conclude that the criminal has knowledge of the computer operating systems in general and a deep knowledge of at least one of them, and may have tendencies and hobby in the design of software more than the tendency to operate, and may be an expert in at least one programming language or an expert in the drivers of networking devices. Also, believes in the presence of people like him, cooperates with them and exchanges information about the latest methods used in cybercrime, and they are called hackers. So all the specs already mentioned are only available in those who have a limit that exceeds the average of the usual types of intelligence. And here comes the role of the police and the law-enforcement agencies in initiating investigations, detection of crime and the identification of the perpetrators, carried out with the necessary speed and accuracy. Also, the seriousness of this new criminal phenomenon, that crime is easily committed by these devices, and that their execution often takes only a few minutes, sometimes in a matter of seconds. Often, perpetrators try to destroy the evidence following the commission of the offence, particularly in the field of organized crime, criminals tend to store data related to their criminal activities in electronic systems with the use of encryption or secret codes to hide them from the eyes of the justice system, which raises significant problems in collecting and proving forensic evidence. If the phenomenon of cybercrime raised some problems with respect to substantive criminal law in search of the possibility of applying its traditional type to this type of crime, respecting the principle of legality, and narrow interpretation of criminal provisions, it also raised many problems within the scope of criminal procedural law, The provisions of the Code of Criminal Procedure for the control of proceedings relating to traditional crimes do not have significant difficulties in proving or investigating them and collecting evidence relating to them, subject to the principle of the judge’s freedom of conviction to reach the objective truth about the crime and the offender.
Procedural problems in the area of cybercrime begin with their frequent attachment to electronic processing data and non-physical logical structure, and it is therefore difficult to detect these crimes, and on the other hand, it is sometimes impossible to gather evidence about them, which makes it even more difficult for the proceedings in these as we have already pointed out, the speed and accuracy of the implementation of cybercrime, the possibility of erasing its effects, the concealment of evidence conducted immediately after implementation, and the inspection and collection of evidence are facing many difficulties in this area, and may relate to data stored in electronic systems or networks located abroad, in which the attempt to collect and transfer them to the state where the investigation takes place raises problems relating to the sovereignty of the State or other states that have such data. In this case, international cooperation is needed in the areas of research, inspection, investigation, and gathering of evidence, extradition and even enforcement of foreign judgments in this area. Some criminals may resort to storing data or information on the offence abroad, which is difficult to prove, and erupts question about the free flow of information, if the flow of data that exists outside the State relating to the crime in question is valid. Inspection, seizure or confiscation in the area of electronic communication systems raises the need for procedural controls to establish a balance between individual freedom and the inviolability private life of the individual, between the required effectiveness of the security apparatus, and the investigating authorities in detecting the ambiguity of the crime and the control of its perpetrators and to investigate and bring them to court. One of the procedural problems raised by this type of crime is the extent to which witnesses, or suspects, are obliged to disclose symbols, numbers or passwords relating to crime-related data or programs. The extent to which electronic outputs are authoritative in evidence is also questioned, given their particular nature in comparison with traditional means of proof. Multiple questions, and in order to answer them writing book is needed, not just a few pages dedicated to this research. It is interesting to take a break with this story, but the bitter and inexhaustible reality is that the criminal use of the latest new media can even serve death and destruction, let us refer to some of the crimes committed by those criminals, and the role of investigators in initiating investigations into detecting crime and identifying the perpetrators, their arrest, the execution of the culprits, and the course of justice and to make them a lesson to those who are not.
Back on April 14th, 2009 a lady in her 25’s called Julissa Brisman, who used to be an Erotic Masseuse, and advertise her services on Craigslist website, had an appointment with a tall white blonde male client in 23’s at the downtown Back Bay area Marriott hotel in Boston, MA. Julissa used to post her advertisements on Craigslist website using a fake name, Morgan, which was fake, as found out be Philip Markoff was the one who used the name Andy M. when he saw her advertisement and scheduled an appointment with her that night. Megan every time she has an appointment with a client she used to check in and out with her employer, who called herself Mary Beth Simons. But that night her employer got the check in but never heard back from her after that, while the session usually takes one hour. Simon tried afterward to contact her multiple times but no avail, after a few hours later she called the hotel security to check up on her, once the security reached her room, they found her body on the ground and tied up with a plastic zip tie, and then they called the police immediately. Police arrived they found her smashed over her head with a butt of a gun and shot three times from a close range and one of the bullets struck her heart using a 9MM weapon. They did not find any fingerprint or DNA evidence in the room, so they found out that the only one potential lead would be the hotel security camera surveillance and found the guy, who was leaving the hotel at the time of the crime, Simons called detective Daniel duff, the one in charge, and provided him with the password of the yahoo email been used for the transaction along with Andy M email address that the killer used to set up the appointment, which means the IP address, which will lead to the killer. Also, Simons called her friend Mark Rasch, who is a former head of computer crimes unit at the US Department of Justice and now a digital forensic expert, who he helped the investigators in solving the crime. In addition, they remembered that there was a similar crime reported by Trisha Leffler four days earlier on April 10th, with similar description of the tall blonde white guy, who committed the similar type of crime and used similar weapon with similar plastic zip tie for binding wrists and targeted a female victim in a hotel room with an appointment, and used a disposable Trac phone to schedule the appointment with the victim to make it harder to the investigation authority to track him. Police and investigators interviewed Trisha, who used Craigslist as well to advertise her erotic services, and had an appointment with the white guy in her room at the Back Bay Westin hotel. In the police report she mentioned that once she allowed him into her room and locked the door, he pulled his 9MM pistol and pointed it at her, which found out later to be the same gun used to kill Julissa, and asked Trisha to get on the ground on her stomach, tied her up with similar plastic zip tie with his gloves on, and threatened her that he is not going to kill her if she cooperates with him and give him her money and cards, then he took her $800, cards and a pair of underwear. He did a huge mistake and took off his gloves to delete his phone number from her phone and tied her up in the bathroom, and covered her mouth using a duct tape, so now his fingerprints are all over the place. The white guy thought he is smarter than all others, but he did a huge mistake by taking off his gloves, showing his face to his victims, allowing himself to get captured on the hotels security camera surveillance, it is ignorance, he thought he is going to rob her, flee with it, she is not going to report it, and that nobody is going to investigate it. On the other hand, Police and Investigators interviewed Trisha, and asked her if she can identify the guy who robbed her; she confirmed that she can. She went to the police station and they showed her some photos from security camera surveillance captured the suspect leaving the hotel at the time of the incident, and she recognized him. She thought it was the Westin hotel cameras, but they told her that they suspect him for targeting another girl in another hotel room and end up killing her. But Philip continued with his rage, and two days after Julissa’s incident he scheduled another appointment with Cynthia Melton or who is called in this case Amber, a stripper at Cadillac Lounge, just sixty miles away from Boston, in Providence, Rhode Island. Amber advertised her lab dances offering on Craigslist’s erotic services section as all other victims, and on April 16th, the same white guy had an appointment with her using his Trac Phone at a Holiday Inn hotel room in Warwick, Rhode Island. Once she allowed him in the room he pulled again his 9mm gun and pointed it at her with a shaky hands and told her that he does not want to kill her, he just wants her money, and tied her up with the same type of plastic zip tie that been used in Boston two days before, her husband who is waiting in the hotel lobby, who usually checks up on her when she starts a session with a client, called her to make sure everything is okay but she never picked up; immediately he ran to her room, and suddenly knocked on the room door, the suspect opened the door and point the gun at her husband and then each person took a different direction and flee away, afterwards they reported it to the police, and described as a tall blonde white guy wearing a baseball cap, and found him on the Holiday Inn hotel security camera surveillance, texting or emailing with his Trac phone while entering the hotel. With the cooperation of the forensic computer investigators, Mark Rasch and Erik Laykin, police and investigators tracked down his phone since he used it for texting or emailing at a certain time provided on the photo captured by the camera surveillance and found out that he did a purchase from a nearby Walmart earlier that night, then took his image captured at Walmart into custody for comparison. Duff and Investigators found out that the email used for appointment booking with Julissa was never used after April 14th, and used all evidences available to track down the IP address which is equivalent to a social security number, which is unique and more than enough to identify the murderer, even though he attempted to hide his tracks by using more than one fake name or email account during his prowling to find his next victim, his IP address remained the same. Duff and the police performed a trackback on his IP address and found the suspect source point computer, which was located in an apartment in Highpoint Circle, Quincy, Massachusetts, which belongs to Philip Markoff, and discovered that the email used for the meeting booking was initiated from an IP address in his apartment, they searched his apartment and found a 9mm gun hidden inside one of his books, they performed a ballistic test and resulted in that the same gun was used to kill Julissa. A search warrant was issued for his arrest. Coincidently, he was stopped by the police for speeding while he was driving back to New Jersey with his Fiancé Megan McAllister to spend the time over there. Philip was arrested and his fiancé was interviewed. Megan recognized Philip in some photos captured by the hotels security camera surveillance and recognized the leather jacket that he was wearing in the photo, and accidentally mentioned that it was a masseuse killed in the Marriott hotel in Boston without the investigators mentioning any of that. Investigators also searched his car and found the plastic zip ties used for binding his victims wrists, and other tools used for committing the crime. Philip was held in prison without a bail, and then he committed suicide.
Our Society still face new kind of threats, that never been around until last few years, that targets our youth, especially females, so that some individuals have technical experience and use it to committing crimes over the internet, and try to hide their IP addresses, to make it harder to police and investigators to track them down. As many people heard on news, there is a guy called Buster Hernandez in his twenties, lives in Bakersfield, California, known as Brian Kil, who wanted to be to be the worst cyber terrorist been arrested lately around August 1st, 2017, for threatening, harassing, exploiting, blackmailing and committing extortion against minor children, teachers, other students and business owners and caused schools and shopping malls to close down for few days, which took police and investigation authorities twenty months to catch him, take him into custody, and punish him with federal penalties. Brian Kil was targeting minor females, young children, asking them about the photos they sent to their friends, asking them how many friends that they sent dirty pictures to, and if he gets a response, he asks the victim to share more dirty pictures with him, or otherwise threatens them to publish their surmised dirty pictures on social media and send them to their family and relatives, and victims usually cannot do anything to stop it. In some cases, the goal of committing such a crime would be a financial advantage to stop his sextortion. Brian Kil victimized a twelve years old girl in Plainfield, Indiana for one year and four months, and when she refused to comply with his demands, he threatened her to kill her, all students and teachers in her class at Danville High Schools and threatened violence against the whole community and police if they responded, which caused schools and business owners to shut down temporarily around December of 2015 and January of 2016. Brian Kil also attempted to extort a number of other females in multiple states, by using multiple Facebook accounts and hiding his IP address using TOR Technique, an acronym for (The Onion Router), which allows the use of the internet in a revolutionary way, without being tracked. All it takes is to install the program, which will allow the entrance to the dark internet world or the dark web to chat with anyone, read or create websites, and share files with complete confidentiality. It also allows criminals to continue their crimes on a global scale, which makes it harder for the Police and Investigators to breakthrough that dark world. The FBI installed a poll camera at Brian Kil house and created malicious software that collects all metadata for TOR users. This software is a malicious preamble that exploits the Flash Player within the TOR browser and exploits vulnerabilities in TOR using the Flash Player to break through the TOR Network to hack the criminal computer and identify their real IP addresses. Using the best developers and information security experts to decrypt the coded networks, by sending an image to Brian Kil, and once he viewed it, as he thought it is a victim sexually explicit image, it ran a computer code called NIT (Network Investigative Technique) and allowed the Police and Investigators to find Brian Kil real IP address, obtained a warrant for his arrest, and successfully arrested him with a possibility to face 45 years in Jail with a three quarters of a million in fines.
In December of 2015, Syed Rizwan Farook and his wife Tashfeen Malik carried out a terrorist armed attack in San Bernardino, California, and killed fourteen individuals and injured another twenty-two individuals, before police were able to shoot both of them down. And on February 16th of 2016 federal prosecutors filed a warrant for Apple’s help after the FBI failed to break through the iPhone entry code two months after the investigation into the December attack and that the phone contains critical information regarding the attack, so California Judge ordered Apple to provide a reasonable assistance to the FBI in accessing the data stored in Farook’s iPhone 5c, by specifically asking them to create a program that could be used exclusively on the 5c iPhone and allow investigators to circumvent automatic data wipe, which usually occurs after several useless attempts to enter the wrong security code to unlock the phone, basically asking them to bypass the data erase feature after multiple useless attempts; because back in September of 2014, Apple released a new update that led data on Apple devices such as text messages and images to undergo automatic encryption. This means that if the device is locked, data can only be accessed with the owner security code of four digits, which also mean that there are ten thousand possible combinations; because after ten fail attempts the device will automatically delete all data on the iPhone, and lose evidence of Farook’s activities and plans, which the FBI is trying to avoid. But Apple’s CEO, Tim Cook responded that no one even Apple can access the data, only the user has the code, providing such program is very dangerous; because if it ends up in the bad hands, it would allow the entry code for any Apple device, it threatens the security of their users, and also raises concerns about the level of privacy protection, which lead to losing their trust. This is a move many other technology companies have taken after June of 2013 when Edward Snowden revealed the US government’s intelligence activities by exploiting a gaping hole in the security system of the National Security Agency servers and stole about twenty thousand top secret files without leaving a trace, who used to be a former intelligence contractor. On the other hand, if it happened to be an Android such as Samsung, LG, Sony, or etc. it would have been much easier for the FBI to access the phone and got all data needed for the case; because Androids are more vulnerable. There is a computer program that gives hackers the ability to break through Android devices, the program creates an APK virus file in the form of a dummy Android application that can be integrated with any real application, which is available in Google play store, when the user downloads this application on the smartphone it gets connected to the hacker computer through ports and gives hackers the access to almost complete control of all contents and functions of that smartphone. With that being said, some would agree that Apple has a way more advanced capabilities in encryption and more sophisticated, complicated, and protected operating system, and Apple introduced this complex default encryption and continued to develop years before Android began to develop or come out with such encryption.
From these stories we conclude that it is necessary to confront this new and complex phenomenon of criminality to achieve several things, including the need to prepare security and judicial personnel for research, investigation and prosecution of this type of crime, as well as the development of existing substantive or procedural criminal legislation by introducing the provisions of criminalization, punishment and the necessary procedural provisions to deal with this crime. Moreover, international cooperation in the area of security, investigation, extradition, and enforcement of sentences is an indispensable necessity. In order to address the fundamental issues of procedural problems in this area, we must first investigate and unravel the mystery of cybercrime and then investigate the field of cybercrimes through the training of personnel and the use of technical expertise, previewing, inspection and then control. Thus, computer-related crimes are characterized by a modernity of methods of committing them, their speed of execution, their ease of concealment, and the accuracy and speed of wiping their effects. These general characteristics require that the investigators and prosecution bodies have a high degree of knowledge of the computer systems, how they operate, and methods of using it to committing crimes, with the ability to uncover the vagueness of these crimes and the speed with which they are acted upon in terms of detection and control of the tools used in committing the crime, and the reservation of the data or devices used or those that are the object of the crime. The police and investigation agencies have encountered considerable difficulties since the emergence of this type of crime, whether in unraveling the mystery, conducting the necessary inspection and retention, or investigating them in a manner that required the preparation of training programs for these personnel in a manner that enables them to achieve the task required efficiently, so in the initial period of the occurrence of this type of crime, the police have made serious mistakes that have caused damage to the equipment, files, or evidence to prove the crime. It happened that a police department asked a company that had been hacked to stop operating its automated system in order to enable it to be placed under surveillance with a view to detecting perpetrator; as a result, the police department inadvertently caused damage to the files and programs that had been handed over. Traditional investigative techniques may not be suitable for detecting cybercrime, arresting the perpetrator, and reserving evidence. Preliminary investigations may be carried out prior to the search, investigation, and retention, in order to detect the vagueness of the cybercrime with a view to seizing the perpetrator and to collect evidence relating thereto. The victim of such offences can provide substantial help to the police, or to the investigative authority, using the information provided, which would be very useful in knowing the nature of the crime and the methods of committing it, the tools used to commit it, the suspected persons, the motives of the crime, and whether there are witnesses or not. As indicated above, the privacy of computer-related crimes requires that criminal investigation methods and procedures be developed in a manner consistent with this privacy, which would enable the police officer and the investigator to detect the crime and identify the perpetrators with the necessary speed and accuracy. In order to achieve this, on the one hand, the training of personnel conducting investigations should be carried out with the assistance of persons with outstanding expertise in this field, as well as the development of criminal procedures to achieve the desired purpose. This is what legislation has begun to achieve a few years ago, including the Belgian Criminal Investigation Act of November 23, 2000. In the following pages we will address the preparation of personnel to conduct investigations, use the technical expertise, conduct the required inspection, and proceed with inspection and retention, which will help understanding how much progress has been made in this area procedurally in order to require the right of the state to punish the offender by detecting the crime, collect evidence, and bring them to court. Personnel must be trained because the nature of crimes related to the computer requires distinctive knowledge of computer systems, how to operate them, and the means of abuse by users. This technical knowledge will only be achieved by training investigative officers to investigate cybercrime, to the extent that some called for the need to have specialized police and a specialized prosecution in this field. The training should include how to operate the computers, after identification of different types and systems, to acquire skills and knowledge related to computer programming, electronic processing of data, crimes that use computers as a means to commit such crimes, methods of committing this type of crime, as well as computer security, means of penetration, together with examining cases of its applicability to predetermined crimes, and how they were confronted. In many countries of the world, specialized training courses for police and prosecutors are held, both in subordinate centers to the Ministry of the Interior or specialized centers of the Ministry of Justice, such as in England and Canada. Since the advent of computer-related crimes, police and investigative or prosecuting authorities have been using the expertise of distinguished computer professionals and technical experts, in order to uncover the mystery of the crime, collect evidence and reserve it, and the assist to clear the ambiguities in the precise electronic processes related to the crime under investigation. Therefore, it is necessary to use a technical expert who is authorized by the investigator or the judge; because in purely technical matters, the judge cannot make a decision without the people of experience opinion, in this case using the expert opinion is a must, because If the technical issue was addressed and adjudicated without being achieved by an expert, then judgment is defective, and it should be repealed. And the importance of using the expert in the field of cybercrime, appear in his absence, the police and investigation authority cannot detect the vagueness of the crime, may be unable to collect evidence about the crime and may destroy or erase the evidence due to ignorance or negligence when dealing with it. The expert is not only required to have high scientific competence in the field of specialization, but must be supplemented by years of experience in the area in which he or she is distinguished, and in particular offences related to the current technology, it may be a matter of forgery of documents, manipulation of data, fraud during the transmission of data, money laundry crimes or outrages upon privacy, or the display of photographs or films in violation of public morals. A recent piece of legislation that organized the work of expertise in the area of cybercrime is the Belgian Criminal Investigation Act of November 23, 2000. Article 88 of the Act stipulates that the investigating judge and the judicial police may use an expert to present in a comprehensible manner the information necessary on how to operate the system, how to use it, locate the data stored which is processed or transmitted by the system, and also the law gives the investigator the authority to ask the expert to run the system, search it, make a copy of the data required to investigate, or withdraw stored, converted or transferred data, in the manner that the investigating authority wants. According to the law referred to, the obligation to operate the system and to extract the required data from it is due to the investigating judge, or due to the prosecution as an exception in the case of flagrante delicto or when satisfied with the inspection. According to the previous provision, the task of the expert is, on the one hand, to operate the system and, on the other hand, to provide the required data, depending on how the investigator wants it, the investigator may want the data to be on a storage device or on paper. The obligation of the expert is a commitment to care; he is not asked if he does not reach the desired result due to his lack of experience, or due to the obstacles that he encountered during the course of his mission; his responsibility may arise if he refuses to perform the task assigned to him or deliberately damages the data required to deal with or reserve. In addition to the expert’s obligation to perform the task assigned to him by the investigating authority, he is also obliged to maintain the confidentiality of the profession and, in the case of secret disclosure, he shall be punished by the penalty prescribed for this crime. After training personnel or getting technical expert support and after the crime has occurred then after identifying the suspect then it is time for getting the warrant for searching, at this stage, the searching stage, which is a procedure of investigation, aimed at searching for crime-related objects and what is generally useful in revealing the truth, whether people or places. And searching has objective conditions relating to the probable cause, since an offence is indeed a felony or a misdemeanor, and the person to be searched or searching his or her home and its purpose, which is taking into custody physical evidences that are useful in revealing the truth. Formal requirements are determined by the fact that the search warrant is justified, the presence of the accused, his or her deputy, third party or his or her inspection representative, and the issuance of the search warrant. The question arises as to the possibility of inspection in accordance with previous controls and its purpose in the field of cybercrime? The purpose of this question is to clarify that, in the traditional sense; the purpose of the search is to preserve material objects related to crime and to reveal the truth, whereas the nature of electronic data does not have a tangible physical appearance in the outside world. However, these intangible data can be inspected via electronic media for archiving and storing such as magnetic disks, floppy disks, CDs, USBs, computer outputs, portable hard drives, servers and cloud accounts. Therefore, the legislations issued in this field have allowed the possibility of procedures for the inspection of storage and reservation of the data processed automatically and stored in the computer, or the electronic media on which the data was recorded. Inspection in this case is subject to what traditional sense is subject to. The European Council defined this search phase as a procedure that allows for the collection of evidence stored or recorded in electronic form. Searching electronic networks allows the use of electronic means to search anywhere for the required data or evidence. Thus, Inspection procedures and subsequent retention includes the logical programs and data recorded in the computer’s memory and output, records installed for the use of the automated data processing system, the operating journal and the transaction log, records of access to the automated data processing system, and related password records, Switches, and decrypted keys. Given the fact that the inspection includes a restriction on individual freedom and constitutes a violation of the privacy, it must have the legal guarantees necessary for its validity, including that a judicial order is issued upon a probable cause or due to the public prosecutor or the judicial officer as an exception in the case of flagrante delicto or when satisfied with the inspection. According to the standard, the inspection warrant must be issued in writing, but this condition sometimes carries certain risks if the search for evidence of the crime requires that the inspection be conducted in another information system located elsewhere other than what the written authorization is issued for. The risk is that the perpetrator can destroy, erase, transmit or modify the data during the period for which a written permission is issued again. To address these risks, some believe that the first permission to search somewhere should include permission to inspect any other information system located anywhere other than the place of search if necessary. The extension of the search warrant to other places or systems, other than those mentioned in the first authorization, raises some problems. The first concerns the refusal of the owner of the place or the other regime to inspect. In some cases, that would disrupt the possibility of the continuation or extension of such search except in cases of flagrante delicto or when satisfied with the inspection. In addition, Article 32 and 26 of the Belgian Criminal Investigation Act added that the authorization might go beyond the limits of local jurisdiction, so in order to search for the evidence of the crime, in addition to being issued by the competent authority, the representative of the Prosecutor shall be informed within the scope of his or her geographical competence of the new place of inspection. This led to the introduction of Article 88 of the Criminal Procedure Code under the Law of November 23, 2000, which provides that if the investigating magistrate orders an inspection in an information system or part of it, this search may extend to another information system located elsewhere other than the place of search, and this is done according to two limitations. First, if it is necessary to reveal the truth about the crime. Secondly, if there is a risk of loss of some evidence, because of the ease of erasure, destruction or transmission of the data in question. Some would agree that, in the case of extension of jurisdiction, the order may be issued orally by the investigating magistrate, in order to speed up the process, and then issue a written authorization, and in all cases there must be a probable cause to be authorized, so that the judicial authority can monitor the validity and legitimacy. The second problem arises in the case of the extension of authorization to search outside the geographical territory of the State from which the competent authorities are asked to issue the authorization and enters into the geographical sphere of another State, where the extension violates the sovereignty of the other State. The law considers that this cross-border electronic search is not permitted in the absence of an international agreement between the two States authorizing such extension, or at least the authorization of the other State. This stresses the importance of international cooperation in combating cybercrime. However, Article 32 of the European Convention, which was prepared by the European Council on May 25, 2001, allows for the possibility of entering for the search and seizure in other countries’ devices or networks without their authorization, only in two cases. If the information or data intended to be collected is available to the public or the owner or holder of such data is satisfied with such inspection. Furthermore, the application of this provision could pose serious problems. International cooperation in this area is imperative under a bilateral or multilateral agreement or at least the authorization of the inspected State in its territorial sphere. This will lead to the inspection or examination phase, which is intended to observe and prove the physical evidence left at the crime scene, in order to preserve it from being destroyed, erased or modified. The inspection or examination is a preliminary investigation procedure; the investigator may resort to it when he or she deems it necessary to investigate. The standard is that the parties to the case may attend the inspection, and the investigator may decide to do the inspection in their absence, and the investigator shall not be obliged to invite the accused’s counsel to attend. The mere absence of the accused in the conduct of the inspection would not invalidate it. Bearing in mind the importance of the inspection following the occurrence of a conventional crime, where an actual crime scene has physical evidence, the aim of the inspection is to be kept in custody in order to examine the authenticity of the evidence, which is not the case for cybercrime, as it is unlikely to lag behind a physical evidence, and the period of time between the occurrence of the crime and its discovery may be prolonged, which exposes the evidence to erasure, damage or tampering with it. If the inspection takes place after the crime occurs in the electronic field, the computer and its peripherals connected to it must be taken into consideration, with the recording of time, date and place of each image captured, observing and proving the way the system is set up, and the status of the connections and cables connected to all the components of the system in order to conduct comparisons and analysis when the matter is presented later in court, and making sure no data is transferred from the crime scene before testing to ensure that the outer perimeter of the computer’s location is devoid of any magnetic force that can cause the recorded data to be erased, and taking into custody the data located in the recycle bin or the waste of any discarded or torn sheets, used carbon sheets, tapes, damaged storage devices, and paper input and output documents of the computer related to the crime to raise and match the fingerprints may be found, and directly limit the inspection to researchers and investigators who have the scientific competence and expertise in the field. Here comes the seizure phase, the purpose of the search is to seize physical evidences related to the crime and to report on the ongoing investigation, whether this was a tool that was used in committing the crime or something that resulted from it, or otherwise, which would be useful in revealing the truth. Given the fact that in this case the seizure is in the field of cybercrime and that the data is processed electronically, the question arises here is. Does this type of data fit to be controlled? Which means, do those evidences have similar provision as it is for those tangible physical evidences in the traditional crime? The legislations are divided into two directions when answering this question. Some believe that computer data is not suitable for being controlled, for the physical element to be absent. It cannot be controlled unless it is transferred into physical evidence, through photography or other material means. This view is based on the fact that the legislative provisions concerning the seizure, that it is applicable for tangible material evidences. On the other hand, the second trend is that electronically processed data are only electronic oscillating, or electromagnetic waves, which accept recording, saving and storage on physical media, which can be transported, broadcasted, received and reproduced. So its physical presence is undeniable. This trend is based on some legislative provisions, such as article 31 of the Canada Evidence Act, which provides that searches and seizures of books and records of a financial institution, restricted to search the place for the purpose of inspecting it and taking a copy of the records, which would be either in a written or electronic form. This controversy called on the legislator in some countries to develop the legislative provisions related to the search and seizure, to include tangible material evidences, electronically processed data, or issuing legislation provisions related to cybercrimes, including the appropriate codes of procedure related to this form of data, as provided in Article 14, 25 and 35 of the Belgian Criminal Investigation Act, entered into codification under the law of November 23, 2000, which includes seizure of tangible material evidence and electronic form of information and data. Although, fearing to erase, destroy, transfer or lose evidence obtained by inspection, Article 88 of the Belgian Criminal Investigation Act gave the investigation magistrate the power to order a reservation, if exists on Belgian territory or to request from foreign authorities a copy of such evidences, if found out to be in a foreign state. Also, reservations are made to the evidences related to the crime, as well as the instruments used in committing the crime, and all evidences that are left behind which are useful in revealing the truth. Where a copy of the seized information is extracted from the media that became in custody and remains under the investigation authority control until the end of the trial, and some believe that another copy should be kept in court, for fear of damage or loss of the only copy that the investigating party have. The difficulties encountered in seizing electronically processed data may be the size of the network containing the electronically processed information that needs to be seized, the presence of such data in networks or devices of a foreign country, which necessitates their cooperation with the police and the investigation authority in the search, seizure and restraint process. Also, the search and seizure sometimes constitute a breach of privacy, which makes it necessary that guarantees must be taken to protect these rights and freedoms. In order to ensure that the data in question is preserved and compared to the version issued by the device in case of denial by the accused, the Belgian Act gave the Public Prosecution the power to block such data to prevent access to it. In accordance with Article 42 of the Belgian Act, the data previously copied shall be withdrawn from the devices in the following cases, if it is related to the crime, violating public system or good morals, pose a threat to electronic systems, or the information stored, processed or transmitted by such systems. With that being said, Article 88 of the Belgian Act of 2000 allows the investigating judge to obtain a copy of the data he or she requires in the case of extending the search for the crime evidences outside Belgium. This means that such a copy is to be obtained without the permission of the State within whose territory the data is located, and Belgian legislation justifies this provision by providing that the investigative authority can access the system and the required data without considering that these data exist physically outside Belgian territory. The alternative to this provision is to send a judicial committee to that State and to request the competent authority to reserve the evidences of the crime scene and give a copy of the constituent data, which takes time for the accused to destroy the data. However, the legislation recognizes that this provision constitutes violation to the State sovereignty. It is clear that investigation, search, inspection and the collection of evidence in the field of cybercrime are shrouded in mystery, surrounded by many difficulties, but it is imperative to continue the search, investigating, and gathering evidence with the continued development of search methods, training police and investigation authorities, and strengthen international cooperation in this field.
We conclude that there is a need to prepare the police and investigative authorities technically to search, investigate and collect evidence in the field of cybercrime, which necessitates the establishment of specialized centers in all countries for this purpose, develop existing legislation or to enact new legislation to deal with this emerging phenomenon, the need for cooperation between different countries, through exchange information and experiences, and cooperation in the security and judicial fields in its various ways, the need to conclude a joint agreement to confront the phenomenon of cybercrime, similar conventions, including the convention to combat terrorism, as well as seminars and conferences to discuss ways of combating such phenomena.
Belgium Code of Cybercrime Procedure
Smartphones Operating System
Canada Evidence Act