Automated workplace for performing criminalistic reviews of electronic information carriers

FIELD: criminalistics and forensic examination.

SUBSTANCE: automated workplace consists of stand for researching electronic information carriers and personal computer. Stand featured in invention consists of controllable commutation device, ensuring possible mating of electronic information carrier and personal computer, and a source of controllable voltage. Controllable commutation device has m+n inputs/outputs and is represented by a set of m·n controlled rectifying cells, forming a commutation matrix of m×n dimensions, connecting 1÷m and (m+1)÷(m+n) inputs/outputs, while m=k+1, numbers k and n corresponding to maximal values of numbers of contacts of sockets of personal computer and electronic information carrier, respectively. Controllable rectifying cell is in turn represented by device, providing controllable capability of one-direction commutation with controllable transfer coefficient.

EFFECT: no limitations on types of electronic information carriers being connected, increased quality and speed of reviews of electronic information carriers, in other words, suggested automated workplace allows highly reliable fast access to information, stored in memory of electronic information carrier received for review, while quantitative and qualitative characteristics of electronic information carriers are not changed.

3 dwg


The proposed automated workstation (AWS) relates to the field of criminalistics and forensic examination, namely to the use of electronic means to improve the efficiency and objectivity of examinations and expert studies of electronic media by automating a number of operations.

The proposed AWS provides fast, highly reliable access to information stored in the memory of electronic media (ENI) submitted for forensic examination, while the quantitative and qualitative characteristics of the ENI are not changed, which is crucial to ensuring the validity of the results of the forensic examination.

One kind of forensic examination is computer-technical expertise (CED). At the present stage of development, CED is a separate kind of forensic examination that belongs to the class of engineering examinations and is conducted in order to determine the status of an object as a computer tool, to identify and examine its trace pattern in the crime under investigation, and to gain access to the computer information on an ENI with its subsequent comprehensive study. These goals constitute the generic tasks of CED [1].

The process of gathering evidence of crimes involving the use of computer tools includes, first of all, the detection, capture and seizure of computer data. The tactics of investigative actions for solving and investigating such crimes depend inextricably and directly on special tools and instruments. These technical tools should be used for searching for and preliminarily examining ENI that may subsequently acquire the status of evidence. The devices, apparatus, equipment, tools and accessories used for collecting and examining evidence in proceedings are usually referred to as "forensic engineering".

The primary basis of this class of forensic technology consists of hardware and software tools, methods and techniques from such fields of science and technology as computer technology and programming, radio engineering and electronics, computing and telecommunications, cryptography and information security.

Forensic technology is gradually being supplemented with tools, techniques and methods specifically designed for investigating and solving crimes in the sphere of computer information.

At present, the typical technical and forensic equipment for collecting computer information comprises the following tools [2]:

- a portable personal computer (IBM-compatible) with sufficient speed and memory, capable of making a preliminary full physical copy of the media under examination (including hard drives) onto a hard disk of suitable capacity (often a removable one);

- the Windows 98 (2000) operating system installed on this PC, with a set of system and application utilities (such as Norton System Work), file managers (including those supporting MS DOS sessions) and extended application software (MS Office, graphics packages (PhotoShop, Corel-Draw), etc.);

- a set of blank 3.5" floppy disks;

- a CD-RW drive for CD-ROMs;

- a set of blank CD-Rs;

- the necessary connecting cables (including a null-modem cable);

- a set of floppy disks (boot disks and service utilities) for determining the configuration and characteristics of the personal computer under examination;

- a set of floppy disks with virus-diagnostic programs;

- packing material: rigid boxes for packing seized system units and data carriers; anti-static bags for data carriers, plastic bags and canvas bags; paper for sealing connectors, glue, sticky tape;

- tools: an electronic tester, screwdrivers, pliers, etc. (for example, for disconnecting connectors, opening the casings of system units, removing the hard disk).

The items listed relate to only one type of computer tool: IBM-compatible computers and the ENI typical for them. At the same time, the diversity of the hardware and software of modern information technologies requires the development of similar approaches to other possible objects of examination (computer networks, telecommunications and communications equipment, personal devices (electronic organizers, pagers), etc.) of interest to the investigation.

Tools for examining information stored in electronic form must provide [3]:

- the technical ability to access the information contained in the object of study (computer hard disks, floppy disks, magneto-optical disks, streamer tapes, optical disks, flash memory or other data storage media);

- fixing of the information without destroying it and without changing the object of study (for example, on the hard drives of the laboratory computers or on recordable optical disks);

- conversion of the information into a form comprehensible to the expert (software for searching and visualizing information).

These tasks are solved jointly by the hardware and software tools of the examination.

Thus, we can conclude that the method of solving any task in computer-technical expertise will need to be updated whenever a new generation of hardware or new versions of software appear [4, 5].

Owing to the presence of highly skilled professionals, a number of leading expert organizations have worked out in practice the technology for conducting forensic examinations of ENI. For this purpose, a set of specific non-standard procedures is applied, and the appropriate tools have been designed and developed.

The result of this work is workstations (software or hardware-software systems) for specific types of work.

Methodological developments and automation, which accumulate the knowledge and experience of unique, highly skilled professionals, help to raise the level at which CED tasks are solved with small forces on the ground, by assigning these tasks to small groups or individual expert staff.

One such workstation is the SCAN system.

The SCAN workstation for conducting forensic examinations is a specialized software and hardware complex for automating the activity of the expert and his workplace in CED.

The technical part of the complex comprises:

- a stand for examining information carriers;

- a PC for processing examination data and preparing expert reports.

The software part of the system consists of a set of general and special software (OMO and SMO).

The SMO used is the "Professional system for solving Search tasks and Logical Analysis of computer media" ("SCAN").

The "SCAN" AWS is selected as the prototype.

The main disadvantage of the prototype is the inability to connect ENI of new types introduced after its creation, and the impossibility of modernizing it to eliminate this drawback because of the limited number of trap codes, which corresponds to the maximum number of connected external devices.

An object of the invention is to remove the restrictions on the types of ENI that can be connected.

Because modern ENI use different interface standards and command sets, creating a workstation that allows any ENI to be examined on the basis of standard access and interfacing devices would require a large set of such devices; in addition, the use of standard equipment gives no guarantee that the quantitative and qualitative characteristics of the ENI will not change, which is crucial to ensuring the legal validity of the results of the forensic examination.


- preparing the workstation for the examination of a specific ENI may require changing its configuration (which can consume a significant amount of time);

- creating a complete set of standard access and interfacing devices involves significant financial costs;

- the need to modify the standard access and interfacing devices so as to exclude any possibility of changing the quantitative and qualitative characteristics of the ENI requires the expert to have appropriate qualifications.

Therefore, the second object of the invention is to improve the quality and efficiency of the examination of ENI.

The problem is solved in that the AWS for conducting forensic examinations of ENI consists of:

- a universal stand for examining ENI;

- PC 1 for preparing and storing guidelines, processing examination data and preparing expert opinions (see figure 1).

The universal stand for examining ENI is the combination of a controlled switching device (UCF) 2, which makes it possible to interface the ENI and PC 1 over the data buses and control buses (the term "interface" here means providing the electrical connections and matching the signal levels), and a regulated voltage source (IRN) 3, which supplies power to the UCF and to the ENI (through the UCF) (see figure 1).

UCF 2 has m+n inputs/outputs (I/O) and is a set of m·n controllable valves (HC) 4 forming a switch matrix of dimension m×n that connects I/O 1÷m with I/O (m+1)÷(m+n) (see figure 2), so that each i-th I/O (i∈{1, m}) is connected to the j-th I/O (j∈{m+1, m+n}) through HC 4.ij. Here m=k+1, where k and n correspond to the maximum numbers of connector contacts of the PC and of the ENI, respectively.

HC 4 serves to interface the ENI and PC 1 over the data buses and control buses and to supply electric power from the IRN to the ENI.

HC 4 consists of two controllable amplifiers (SU) 5 and 8 and two uncontrolled valves (NUV) 6 and 7; the outputs of SU 5 and 8 are connected to the inputs of NUV 6 and 7, respectively, and the outputs of NUV 6 and 7 are connected to the inputs of SU 8 and 5, respectively. The points where the inputs of the SU join the outputs of the NUV serve as the inputs/outputs of HC 4 (see figure 3).

IRN 3 is a power supply that produces a voltage whose value is not less than that required to power the ENI.

The AWS operates as follows. Each contact of the PC 1 connector is connected to the i-th I/O (i∈{1, k}) of UCF 2. Each contact of the ENI connector is connected to the j-th I/O (j∈{m+1, m+n}) of UCF 2. The output of IRN 3 is connected to the m-th I/O of UCF 2. All SU 8 of the m-th channel of UCF 2, of the channels connected to contacts of the PC 1 connector that are outputs, and of the channels connected to contacts of the ENI connector that are inputs are set to zero gain (the output of SU 8 is held at a constant zero potential). All SU 5 of the m-th channel of UCF 2, of the channels connected to contacts of the PC 1 connector that are inputs, and of the channels connected to contacts of the ENI connector that are outputs are set to the specified gain level (which matches the input and output signal levels of the PC and the ENI).

The AWS can be used in two modes:

1) research mode;

2) the mode of conducting forensic examinations of ENI.

In research mode, all connections are made and the necessary voltage levels are set by a highly qualified specialist on the basis of a study of the technical characteristics and features of the ENI. The results are recorded in the form of guidelines stored in PC 1.

In the mode of conducting forensic examinations of ENI, after all connections have been made and the necessary voltage levels set (in accordance with the guidelines), the information is read from the memory of the ENI and an image of the ENI is formed in the memory of PC 1 (operational or long-term, for example on a hard magnetic disk).

After the image of the ENI has been formed, UCF 2 is switched off and the ENI is disconnected from UCF 2.

Further comprehensive examination is carried out on the image of the ENI.
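
An added example, not part of the patent text: a Python model of the m×n switch matrix that turns a guideline recorded in research mode into per-cell settings and rejects entries that would put two drivers on one contact or drive into a contact already used as a signal source. The Link record, the direction names and the sample values are assumptions made for illustration; the page states only that each cell commutates in one direction with a controllable transfer coefficient and that row m=k+1 carries the source voltage.

```python
from dataclasses import dataclass

OFF, TO_ENI, TO_PC = "off", "to_eni", "to_pc"  # one-direction state of a cell

@dataclass(frozen=True)
class Link:
    """One guideline entry (hypothetical format, not defined on the page)."""
    row: int         # 1..k: PC connector contact; m = k + 1: voltage source
    col: int         # 1..n: ENI connector contact (I/O m + col on the page)
    direction: str   # TO_ENI or TO_PC
    gain: float      # transfer coefficient of the enabled path

def build_matrix(k, n, links):
    """Return {(row, col): (direction, gain)} for all m*n cells, m = k + 1."""
    m = k + 1
    cells = {(i, j): (OFF, 0.0) for i in range(1, m + 1) for j in range(1, n + 1)}
    role = {}  # contact -> "source" or "sink"
    for ln in links:
        if not (1 <= ln.row <= m and 1 <= ln.col <= n):
            raise ValueError(f"cell ({ln.row},{ln.col}) is outside the {m}x{n} matrix")
        if ln.direction not in (TO_ENI, TO_PC) or ln.gain <= 0:
            raise ValueError(f"cell ({ln.row},{ln.col}): bad direction or gain")
        if ln.row == m and ln.direction != TO_ENI:
            raise ValueError("the voltage source row may only feed the ENI")
        src, dst = ("row", ln.row), ("col", ln.col)
        if ln.direction == TO_PC:
            src, dst = dst, src
        # A driven contact gets exactly one driver and never drives anything itself.
        if role.get(src) == "sink" or dst in role:
            raise ValueError(f"contention: {src} -> {dst}")
        role[src], role[dst] = "source", "sink"
        cells[(ln.row, ln.col)] = (ln.direction, ln.gain)
    return cells

# Constructed sample guideline for k = 4 PC contacts and n = 3 ENI contacts.
GUIDELINE = [
    Link(5, 1, TO_ENI, 1.0),   # row m = 5: supply voltage to ENI contact 1
    Link(1, 2, TO_ENI, 0.66),  # PC output 1 drives ENI input 2, level reduced
    Link(2, 3, TO_PC, 1.5),    # ENI output 3 is read on PC input 2, level raised
]

if __name__ == "__main__":
    for cell, state in sorted(build_matrix(4, 3, GUIDELINE).items()):
        if state[0] != OFF:
            print(cell, state)
```

Every cell not named in the guideline stays off in both directions, so a contact of the ENI is touched only where the guideline explicitly says so.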

The proposed AWS can be used for all kinds of ENI; however, since the problem of access to information is hardest to solve for ENI not directly intended for use as an external device of a PC, a practical solution for such devices (e.g., electronic organizers and notebooks, pocket translators, speed controllers, GPS receivers and others) is of particular importance.


An automated workplace for conducting forensic examinations of electronic media, consisting of a stand for examining electronic media and a PC (1) for processing examination data and preparing expert opinions, characterized in that the stand for examining electronic media is universal and consists of a controlled switching device (2), which makes it possible to interface the electronic media and the PC (1) over the data buses and control buses, and a regulated voltage source (3); the controlled switching device (2) has m+n inputs/outputs and is a set of m·n controllable valves (4) forming a switch matrix of dimension m·n that connects inputs/outputs 1÷m with inputs/outputs (m+1)÷(m+n), so that each i-th input/output (i∈{1, m}) is connected to the j-th input/output (j∈{m+1, m+n}) by means of a controllable valve (4.ij), where m=k+1 and k and n correspond to the maximum numbers of connector contacts of the PC (1) and of the electronic media, respectively; each controllable valve (4) in turn consists of two controllable amplifiers (SU) (5, 8) and two uncontrolled valves (NUV) (6, 7), the outputs of the controllable amplifiers (5, 8) being connected to the inputs of the uncontrolled valves (6, 7), respectively, and the outputs of the uncontrolled valves (6, 7) being connected to the inputs of the controllable amplifiers (8, 5), respectively, while the points where the inputs of the controllable amplifiers join the outputs of the uncontrolled valves are the inputs/outputs of the controllable valve (4); the output of the regulated voltage source is connected to the m-th input of the controlled switching device (2), inputs/outputs 1÷k of the controlled switching device (2) are connected to the contacts of the PC (1) connector, and inputs/outputs (m+1)÷(m+n) of the controlled switching device (2) are connected to the contacts of the electronic media connector.


