RU2454719C1 - Apparatus for duplicating data media for conducting computer-based legal criminalistic examination - Google Patents

Abstract

FIELD: information technology.

SUBSTANCE: automated workstation for conducting criminalistic examination of electronic data media consists of a personal computer and a universal stand for examining electronic data media, wherein the stand further includes a write protection module which is a set of s channels formed by series-connected delay line and controlled circuit breaker, a comparator and a command register. Inputs of the 1^st-s^th channels are respectively connected to the 1^st-s^th first inputs of the comparator, whose second 1^st-s^th inputs are connected to the 1^st-s^th outputs of the command register. The output of the comparator is connected to control inputs of all controlled circuit breakers.

EFFECT: high reliability of examination results owing to elimination of the possibility of writing information onto the electronic data medium when preparing for and during examination.

4 dwg

Description

The proposed device relates to the field of forensics and forensics, and in particular to the use of electronic means to increase the efficiency and objectivity of conducting examinations and expert studies of information carriers by automating a number of operations.

The proposed device allows with high reliability to quickly create an information copy of an electronic information carrier (ENI), while the quantitative and qualitative characteristics of ENI do not change, which is crucial to ensure the validity of the results of the forensic procedure.

One of the types of forensics is computer forensics (CE). At this stage of development, CE is an independent type of forensic examination, belonging to the class of engineering and technical examinations and carried out in order to: determine the status of an object as a computer tool, identify and study its trace in the investigated crime, and also gain access to computer information on information media followed by a comprehensive study of it. These goals are represented by the generic tasks of CE [1]. At the same time, electronic information carriers (ENI) act as information carriers in this type of expertise.

The process of collecting evidence for crimes involving the use of computer tools includes, first of all, the detection, recording and removal of computer information. The tactics of investigative actions for the disclosure and investigation of crimes in the case under discussion are inextricably and directly dependent on the special tools and instruments used. These technical means should be designed for the search and preliminary investigation of ENI, which can subsequently acquire the status of material evidence. Instruments, apparatus, equipment, tools, accessories used to collect and investigate evidence in the course of legal proceedings are commonly referred to as “forensic technology”.

The primary basis of the class of forensic technology under consideration is hardware and software, techniques and methods borrowed from such fields of science and technology as computer engineering and programming, radio engineering and electronics, computer networks and telecommunications, cryptography and information protection.

Gradually, the forensic technique is replenished with means, techniques and methods specially developed for the purpose of investigation and disclosure of crimes in the field of computer information.

To date, the following technical means are the typical technical and forensic equipment for collecting computer information [2]:

- a personal portable computer (PC), with sufficient speed and RAM capacity, with the possibility of preliminary full physical copying of the studied storage media (including hard drives) to a working hard drive of the appropriate capacity (often in a removable version);

- Windows 98 (2000) operating system installed on the specified PC with a set of system and application utilities (for example, Norton SystemWork); file managers (including with support for MS DOS-sessions), advanced application software (MS Office, graphic packages (PhotoShop, Corel-Draw), etc .;

- a set of empty CDs and / or CD-Rs;

- CD-RW device for recording on compact discs;

- necessary interface cables (including null modem cable);

- a set of CDs and floppy disks (bootable and with service utilities) for determining the configuration of the investigated personal computer, its characteristics;

- a set of CDs and floppy disks with virus diagnostic programs;

- packaging material: rigid boxes for packaging seized system units and data carriers; antistatic bags for data carriers, plastic bags and canvas bags; paper for sealing connectors, adhesive, adhesive tape;

- auxiliary tools - an electronic tester, screwdrivers, pliers, etc. (for example, to disconnect connectors, open the covers of system units, remove hard drives).

Means of researching information stored in electronic form should provide [3]:

- the technical ability to access the information contained in the object of study (computer hard drives, flexible magnetic disks, magneto-optical disks, tape drives, optical disks, flash memory and other means of information storage);

- fixing information without destroying or changing the object of study (for example, on hard disks of laboratory computers, recordable optical discs);

- converting information into a form that is accessible to the expert (software for searching and visualizing information).

These tasks are solved jointly by hardware and software research support.

Thus, we can conclude that the methodology for solving any problem during computer examination should be refined when a new generation of hardware or new software versions appears [4, 5].

Thanks to the presence of highly qualified specialists, a number of leading expert organizations are developing technologies for conducting practical work on conducting forensic examinations of ENI. For this, a whole range of specific non-standard work is carried out, the corresponding tools are developed and mastered.

The result of the corresponding work is AWP (software or hardware-software systems) for all specific types of work.

Methodological developments and automation tools, accumulating the knowledge and experience of unique highly qualified specialists, make it possible to increase the level of solving CE issues by small local forces by assigning these tasks to small groups or individual full-time experts.

One such AWP is the PROPLAN system.

The PROPLAN automated workstation for computer expertise is a specialized software and hardware complex that provides automation of the expert and his workplace during CE.

The technical part of the complex is:

- a stand for the study of information media,

- A personal computer for processing research data and preparing an expert opinion.

The software part of the complex consists of a set of general and special software (OMO and SMO).

As a QS, the “Professional system for solving Search problems and the Logical ANALYSIS of machine data carriers” (“PROPLAN”) is used.

The main disadvantage of this AWP is the impossibility of connecting ENI of new types that appeared after its creation, and the impossibility of upgrading it to eliminate this drawback due to the limited number of system interrupt codes corresponding to the maximum number of connected external devices.

The indicated drawback was eliminated in the AWS for conducting forensic examinations of ENI [6].

соединен с j-м входом/выходом

посредством управляемого ij-го вентиля, при этом m=k+1, числа k и n соответствуют максимальным значениям чисел контактов разъемов ПЭВМ и электронного носителя информации соответственно; в свою очередь управляемый вентиль состоит из двух управляемых усилителей (УУ), а также двух неуправляемых вентилей (НУВ), причем выходы управляемых усилителей подключены ко входам неуправляемых вентилей, а выходы неуправляемых вентилей соединены со входами управляемых усилителей таким образом, что образуется замкнутое кольцо из четырех элементов; точки соединения входов управляемых усилителей и выходов неуправляемых вентилей служат входами/выходами управляемых вентилей; выход источника регулируемого напряжения подключается к m-му входу управляемого коммутационного устройства, 1÷k входы/выходы управляемого коммутационного устройства подключаются к контактам разъема ПЭВМ, (m+1)÷(m+n) входы/выходы управляемого коммутационного устройства подключаются к контактам разъема электронного носителя информации.Workstation for conducting forensic examinations of ENI consists of a stand for research of ENI and PCs for processing research data and preparing an expert opinion. The ENI research bench consists of a controlled switching device that provides the possibility of interfacing an electronic information carrier and a personal computer via information buses and control buses, and an adjustable voltage source, while the controlled switching device has m + n inputs / outputs and is a set of m · n controlled gates forming a switching matrix of dimension m × n connecting 1 ÷ m and (m + 1) ÷ (m + n) inputs / outputs in such a way that every i-th input / output

connected to j-th input / output

by means of a controlled ij-th gate, with m = k + 1, the numbers k and n correspond to the maximum values of the numbers of contacts of the PC connectors and the electronic information carrier, respectively; in turn, the controlled valve consists of two controlled amplifiers (UE), as well as two uncontrolled gates (NUV), the outputs of the controlled amplifiers are connected to the inputs of the uncontrolled gates, and the outputs of the uncontrolled gates are connected to the inputs of the controlled amplifiers in such a way that a closed ring of four elements; connection points of inputs of controlled amplifiers and outputs of uncontrolled gates serve as inputs / outputs of controlled gates; the output of the regulated voltage source is connected to the m-th input of the managed switching device, 1 ÷ k inputs / outputs of the controlled switching device are connected to the terminals of the PC connector, (m + 1) ÷ (m + n) the inputs / outputs of the managed switching device are connected to the contacts of the connector electronic information carrier.

The main disadvantage of this AWP is the potential for unauthorized recording of information on the ENI during preparation for the examination and during its conduct due to the peculiarities of the interaction between the personal computer and the ENI (due to the algorithmic features of the functioning of the personal computer operating system, as well as utility and application programs executed on the PC when connected ENI) and the errors of experts and technical support staff. If entries appear on the ENI that are dated after its withdrawal, the results of the examination may be protested and invalidated.

This AWP is selected as a prototype.

The aim of the invention is to eliminate the possibility of recording information on ENI during preparation for the examination and during its implementation, which will improve the reliability of the results of the examination.

The inventive device consisting of a personal computer and a universal stand for the study of ENI, characterized in that the universal stand, consisting of a managed switching device (UCF), providing the possibility of pairing the ENI and the PC, and an adjustable voltage source (IRN) is supplemented by a recording blocking module, the basis of which is a set of s channels, each of which is a chain of series-connected delay lines and a controlled breaker. In addition, the Comparison Device and the Command Register are part of the Record Blocking Module. The control buses of the PC and ENI are connected via the Write blocking module. When a set of signals corresponding to the “record” command appears at the input of s channels, a control signal is generated that blocks the receipt of this command at the s channel outputs, which makes it impossible to record any information on the ENI. The number s is equal to the number of ENI control buses, the channels are opened by a command from the Comparison Device, formed when the set of signals at the input of the channels coincides with the contents of the Command Register. The delay lines delay the signals for a time interval equal to the speed of the Comparison Device.

List of figures:

Figure 1 - Scheme of the Duplication of information media for computer forensic forensics. Shows the main elements of the device and the relationship between them.

Figure 2 - Diagram of a controlled switching device. The principle of constructing a switching matrix of dimension m × n, consisting of mn controlled gates, as well as the inputs and outputs of a controlled switching device, is shown.

Figure 3 - Scheme of a controlled valve. The composition of the controlled valve, as well as the connection between the elements included in its composition, is shown.

4 is a diagram of a recording blocking module. The composition of the recording blocking module, as well as the connection between the elements included in its composition, is shown.

This goal is achieved in that the Device for duplication of information media for computer forensic forensics consists of:

- A universal stand for the study of ENI;

- PC 1 for the preparation and storage of guidelines, processing of research data and the preparation of an expert opinion (see figure 1).

The universal test bench for ENI is a combination of a Controlled Switching Device (UKU) 2, which provides the possibility of pairing ENI and PC 1 on information buses and control buses (the term “pairing” means providing an electrical connection and matching signal levels), a source of adjustable voltage ( IRN) 3, which provides power to the UCU and ENI (via the UCU), and the Write blocking module 4, which blocks the receipt of the “write” command to the ENI inputs (see Fig. 1).

соединен с j-м ВВ

посредством УВ 5.ij. При этом m=k+1, числа k и n соответствуют максимальным значениям чисел контактов разъемов ПЭВМ и ЭНИ соответственно.UKU 2 has m + n inputs / outputs (BB) and is a set of m · n controlled gates (HC) 5 forming a switching matrix of dimension m × n connecting 1 ÷ m and (m + 1) ÷ (m + n ) BB (see figure 2) in such a way that each i-th BB

connected to the j-th explosive

by HC 5.ij. Moreover, m = k + 1, the numbers k and n correspond to the maximum values of the numbers of contacts of the PC and ENI connectors, respectively.

UV 5 is designed to provide the possibility of pairing the ENI and the PC 1 on the information buses and control buses, as well as providing the possibility of supplying electrical power from the IRN to the ENI.

HC 5 consists of two controlled amplifiers (CC) 6 and 9, as well as two uncontrolled gates (CCF) 7 and 8, with the outputs of CC 6 and 9 connected to the inputs of CCF 7 and 8, respectively, and the outputs of CCF 7 and 8 are connected to the inputs UU 9 and 6, respectively. The connection points of the inputs of the UE and the outputs of the NUV serve as inputs / outputs of the HC 5 (see figure 3).

IRN 3 is a power supply unit that provides the ability to generate voltage, the value of which is not less than necessary for power ENI.

The write blocking module 4 is a collection of s channels, each of which is a chain of series-connected delay lines 10 and a controlled breaker 11, the comparison device 12 and the register of the command 13.

The inputs of the 1st - sth channels are connected respectively to the 1st - sth first inputs of the Comparison Device 12, to the second 1st - sth inputs of which the 1st - sth outputs of the Command Register 13 are connected. Output Comparison device 12 is connected to the control inputs of all managed breakers 11.

The delay line 10 is a device that implements a time delay of the water signal for a time equal to the speed of the Comparison Device 12, which ensures that control commands are not input to the ENI before a decision is made by the Comparison Device 12 (see Fig. 4).

Managed circuit breaker 11 is a conductivity, the resistance of which increases sharply on command received at the control input. The mechanical analogue of the Managed breaker 11 is a relay. When a command arrives at the control input of the Managed breaker 11.i, the connection of the ENI with the PC 1 through the i-th channel is interrupted.

Comparison device 12 is a device with 2s inputs, when all input signals are paired at the first and second s inputs at the output of Comparison device 12, a control signal is generated, the input of which to the inputs of the Controlled Breakers 11 leads to disconnection of the ENI from the PC 1 via the control buses.

The register of the command 13 is a register consisting of s memory cells, designed to store the value of the command "record".

УКУ 2. Каждый контакт разъема ЭНИ соединяется с j-м ВВ

УКУ 2, причем шины управления ЭНИ соединяются через Модуль блокирования записи 4. Выход ИРН 3 подключается к m-му ВВ УКУ 2. Все УУ 9 m-го канала УКУ 2, каналов, подключенных к контактам разъема ПЭВМ 1, являющихся выходами, и каналов, подключенных к контактам разъема ЭНИ, являющихся входами, выставляются в режим нулевого усиления (на выходе УУ 9 постоянный нулевой потенциал). Все УУ 6 m-го канала УКУ 2, каналов, подключенных к контактам разъема ПЭВМ 1, являющихся входами, и каналов, подключенных к контактам разъема ЭНИ, являющихся выходами, выставляются на заданный уровень усиления (обеспечивающий согласование входных и выходных уровней сигналов ПЭВМ и ЭНИ). В Регистр команды 13 записывается значение команды «запись».The principle of operation of the Device for duplication of information media for computer forensic forensics is as follows. Each pin of the PC connector 1 is connected to the i-th explosive

UKU 2. Each pin of the ENI connector is connected to the j-th explosive

UKU 2, and the ENI control buses are connected via the Record blocking module 4. IRN 3 output is connected to the mth explosive device of UKU 2. All УУ 9 of the mth channel of UKU 2, channels connected to the PCM connector pins 1, which are outputs, and channels connected to the contacts of the ENI connector, which are inputs, are set to zero gain mode (at the output of UU 9 a constant zero potential). All UU 6 of the m-th channel of UKU 2, channels connected to the contacts of the PC connector 1, which are inputs, and channels connected to the contacts of the ENI connector, which are outputs, are set to the specified gain level (ensuring matching of the input and output signal levels of the PC and ENI ) The value of the “write” command is written to the Command Register 13.

The device can be used in two modes:

1. Research mode;

2. The regime of forensic examination of ENI.

In a research mode, the implementation of all compounds and the establishment of the necessary voltage levels is carried out by a highly qualified specialist based on a study of the technical characteristics and characteristics of ENI. The results are recorded in the form of guidelines placed in the memory of PC 1.

In the forensic examination mode of the ENI, after all the connections have been made and the necessary voltage levels have been established (in accordance with the methodological instructions), information is read from the ENI memory and an ENI image is formed in the PC memory 1 (operational or long-term, for example, on a hard magnetic disk).

In the case of issuing (unauthorized or erroneous) control commands “record” on the control bus Comparison device 12 generates a control signal that is fed to the control inputs of the Managed circuit breakers 10.1-10.s, as a result of which the PC-ENI communication opens on the control buses and the command “ recording ”is not performed.

After the image is formed (duplication is completed) ENI UKU 2 is disconnected and ENI is disconnected from UKU 2 and Record Blocking Module 4.

Further comprehensive study of the information is carried out when working with the image ENI.

The proposed device can be used for all types of information media, which are ENI with a parallel interface, however, due to the fact that the problem of access to information is most relevant for information media in the form of a hard disk drive, a practical solution is of particular importance in relation to such devices.

It was experimentally established that when using the proposed device in conjunction with a PC running the Windows XP operating system, an attempt to write information to an external hard disk drive leads to the output of the message “Write Error” on the monitor screen, while the information is not written to the disk, therefore, the duplicated information medium does not change its content.

Thus, the objective of the invention is achieved.

BIBLIOGRAPHY

1. Zubakha B.C., Usov A.I., Saenko G.V., Volkov G.A., Bely S.L., Semikalenova A.I. General provisions on the designation and production of computer-technical expertise: Methodological recommendations. - M .: GU EKTS Ministry of Internal Affairs of Russia, 2000. - 65 p., 6 ill., Bibliographer., Adj.

2. Sheludchenko V.I. Technical and forensic tools and methods for collecting computer information // Materials of the All-Russian Interdepartmental Seminar. - Belgorod: Ministry of Internal Affairs of the Russian Federation, 2002. - S.205-207.

3. Kopytin A.V., Marshalko B.G., Fedotov E.T. Forensic examination of a personal computer // Materials of the All-Russian Interdepartmental Seminar. - Kazan: Ministry of Internal Affairs of the Republic of Tatarstan, 2004. - C.115

4. Aikov D., Seiger K., Fopstorh U. Computer crimes. Computer Crime Guide. Per. from English V.I. Voropaev and G.G. Trekhalin. - M .: Mir, 1999.

5. Semenov N.V., Motuz O.V. Forensic-cybernetic examination - a tool to combat crime of the XXI century // Information Protection, Confident, 1999, 1-2.

6. An automated workstation for conducting forensic examinations of electronic information carriers. Patent for the invention of the Russian Federation No. 2297664 dated 04/20/2007.

Claims (1)

An automated workstation for conducting forensic examinations of electronic storage media (ENI), consisting of a Personal Electronic Computing System (PC) 1 for processing research data and preparing an expert opinion, a universal stand for investigating ENI, consisting of a Controlled Switching Device 2 that provides the ability to pair ENI and PC 1 on the information buses and control buses, and the Adjustable voltage source 3, while the controlled switching device your 2 has m + n inputs / outputs and is a set of m · n Controlled gates 5, forming an m × n switching matrix connecting 1 ÷ m and (m + 1) ÷ (m + n) inputs / outputs in this way so that each i-th input / output (i∈ {1, m}) is connected to the j-th input / output (j∈ {m + 1, m + n}) by means of the ij-th Control Gate 5, while m = k + 1, the numbers k and n correspond to the maximum values of the numbers of contacts of the PC connectors 1 and ENI, respectively; In turn, Controlled Valve 5 consists of two Controlled Amplifiers (CU) 6 and 9, as well as two Uncontrolled Gates (CIR) 7 and 8, and the outputs of Controlled Amplifiers 6 and 9 are connected to the inputs of Uncontrolled Gates 7 and 8, respectively, the outputs of Uncontrolled Gates 7 and 8 are connected to the inputs of the controlled amplifiers 9 and 6, respectively, and the connection points of the inputs of the controlled amplifiers and the outputs of the uncontrolled gates serve as inputs / outputs of the controlled gates 5; the output of the Adjustable voltage source 3 is connected to the mth input of the Controlled switching device 2, 1 ÷ k inputs / outputs of the Controlled switching device 2 are connected to 1 ÷ k contacts of the PC connector 1, characterized in that the Universal test bench for ENI additionally contains a recording blocking module 4, consisting of: s Delay lines 10, s Controlled circuit breakers 11, s-channel Comparison device 12 and s-bit Command register 13, while (m + s + 1) ÷ (m + n) inputs / outputs of the Controlled switching device 2 connect to to the corresponding contacts of the ENI connector directly, a (m + 1) ÷ (m + s) inputs / outputs of the Controlled Switching Device 2 are connected to 1 ÷ s contacts of the ENI connector, respectively, through 1 ÷ s channels of Record Blocking Module 4, each of which is a series the connected Delay Line 10 and the Controlled Switch 11, also the inputs 1 ÷ s of the Delay Line 10 are connected respectively to the first s inputs of the Comparison Device 12, to the second s inputs of which are connected 1 ÷ s the outputs of the Command Register 13 respectively, and the output of the Device is comparable Nation 12 is connected simultaneously to the control inputs of all managed breakers 11.

Images