RU121619U1 - MOBILE AUTOMATED WORKPLACE FOR COLLECTING INFORMATION FOR COMPUTER EXAMINATION - Google Patents

Abstract

A mobile workstation for collecting information for computer examinations, consisting of a portable personal electronic computer that acts as a Processing Unit, RAID Writer, two hard disk drives (HDD), Indicator Panel, Control Unit and Label Printer, provides connection duplicated hard drives and copying simultaneously to two hard drives that make up the RAID array, a hash function is calculated in parallel with the copy process, after the automatic duplication is completed Two labels with the calculated value of the hash function are printed precisely, with which the HDD is marked with copies of the information.

Description

The proposed device relates to the field of forensics and forensics, namely, the use of electronic means to increase the efficiency and objectivity of conducting examinations and expert studies of information carriers by automating a number of operations.

The proposed device allows with high reliability to quickly create an information copy of an electronic information carrier (ENI), while the quantitative and qualitative characteristics of ENI do not change, which is crucial to ensure the validity of the results of the forensic procedure.

One of the types of forensics is computer forensics (CE). At this stage of development, CE is an independent type of forensic examination, belonging to the class of engineering and technical examinations and carried out in order to: determine the status of an object as a computer tool, identify and study its trace in the investigated crime, and also gain access to computer information on information media followed by a comprehensive study of it. These goals are represented by the generic tasks of CE [1]. At the same time, electronic information carriers (ENI) act as information carriers in this type of expertise.

The process of collecting evidence for crimes involving the use of computer tools includes, first of all, the detection, recording and removal of computer information. The tactics of investigative actions for the disclosure and investigation of crimes in the case under discussion are inextricably and directly dependent on the special tools and instruments used. These technical means should be designed for the search and preliminary investigation of ENI, which can subsequently acquire the status of material evidence. Instruments, apparatus, equipment, tools, accessories used to collect and investigate evidence in the course of legal proceedings are commonly referred to as “forensic technology”.

The primary basis of the class of forensic technology under consideration is hardware and software, techniques and methods, borrowed from such fields of science and technology as: computer engineering and programming, radio engineering and electronics, computer networks and telecommunications, cryptography and information security.

Gradually, the forensic technique is replenished with means, techniques and methods specially developed for the purpose of investigation and disclosure of crimes in the field of computer information.

To date, the following technical means are the typical technical and forensic equipment for collecting computer information [2]:

- a personal portable computer (PC), with sufficient speed and RAM capacity, with the possibility of preliminary full physical copying of the studied storage media (including hard drives) to a working hard drive of the appropriate capacity (often in a removable version);

- Windows 98 (2000) operating system installed on the specified PC with a set of system and application utilities (for example, Norton SystemWork); file managers (including with support for MS DOS-sessions), advanced application software (MS Office, graphic packages (PhotoShop, Corel-Draw), etc .;

- a set of empty CDs and / or CD-Rs;

- CD-RW device for recording on compact discs;

- necessary interface cables (including null modem cable);

- a set of CDs and floppy disks (bootable and with service utilities) for determining the configuration of the investigated personal computer, its characteristics;

- a set of CDs and floppy disks with virus diagnostic programs;

- packaging material: rigid boxes for packaging seized system units and data carriers; antistatic bags for data carriers, plastic bags and canvas bags; paper for sealing connectors, adhesive, adhesive tape;

- auxiliary tools - an electronic tester, screwdrivers, pliers, etc. (for example, to disconnect connectors, open the covers of system units, remove hard drives).

Means of researching information stored in electronic form should provide [3]:

- technical ability to access the information contained in the object of study (computer hard drives, flexible magnetic disks, magneto-optical disks, tape drives, optical disks, flash memory and other means of information storage);

- fixing information without destroying or changing the object of study (for example, on hard disks of laboratory computers, recordable optical discs);

- converting information into a form that is accessible to the expert (software for searching and visualizing information).

These tasks are solved jointly by hardware and software research support.

Thus, we can conclude that the methodology for solving any problem in computer forensics should be refined when a new generation of hardware or new software versions appears [4, 5].

Thanks to the presence of highly qualified specialists, a number of leading expert organizations are developing technologies for conducting practical work on conducting forensic examinations of ENI. For this, a whole range of specific non-standard work is carried out, the corresponding tools are developed and mastered.

The result of the corresponding work is AWP (software or hardware-software systems) for all specific types of work.

Methodological developments and automation tools, accumulating the knowledge and experience of unique highly qualified specialists, make it possible to increase the level of solving CE issues by small local forces by assigning these tasks to small groups or individual full-time experts.

One such AWP is the PROPLAN system.

The PROPLAN automated workstation for computer expertise is a specialized software and hardware complex that provides automation of the expert and his workplace during CE.

The technical part of the complex is:

- a stand for the study of information media,

- A personal computer for processing research data and preparing an expert opinion.

The software part of the complex consists of a set of general and special software (OMO and SMO).

As a QS, the “Professional system for solving Search problems and the Logical ANALYSIS of machine data carriers” (“PROPLAN”) is used.

The main disadvantage of this workstation is the inability to connect new types of ENIs that appeared after its creation and the inability to modernize it to eliminate this drawback due to the limited number of system interrupt codes corresponding to the maximum number of external devices connected.

The indicated drawback was eliminated in the AWS for conducting forensic examinations of ENI [6].

Workstation for conducting forensic examinations of ENI consists of a stand for research of ENI and PCs for processing research data and preparing an expert opinion. The ENI research bench consists of a controlled switching device that provides the possibility of interfacing an electronic information carrier and a personal computer via information buses and control buses, and an adjustable voltage source, while the controlled switching device has m + n inputs / outputs and is a set of m · n controlled gates forming a switching matrix of dimension m × n connecting 1 ÷ m and (m + 1) ÷ (m + n) inputs / outputs in such a way that every i-th input / output (i∈ {1, m}) connected to the j-th input / output (j∈ {m + 1, m + n}) by means of a controlled ij-th gate, with m = k + 1, the numbers k and n correspond to the maximum values of the numbers of contacts of the PC connectors and the electronic information carrier, respectively; in turn, the controlled valve consists of two controlled amplifiers (UE), as well as two uncontrolled gates (NUV), the outputs of the controlled amplifiers are connected to the inputs of the uncontrolled gates, and the outputs of the uncontrolled gates are connected to the inputs of the controlled amplifiers in such a way that a closed ring of four elements; connection points of inputs of controlled amplifiers and outputs of uncontrolled gates serve as inputs / outputs of controlled gates; the output of the regulated voltage source is connected to the m-th input of the managed switching device, 1 ÷ k inputs / outputs of the controlled switching device are connected to the terminals of the PC connector, (m + 1) ÷ (m + n) the inputs / outputs of the managed switching device are connected to the contacts of the connector electronic information carrier.

This AWP is selected as a prototype.

Versatility is the main advantage of this workstation. At the same time, the object of the vast majority of computer examinations of electronic storage media is hard disk drives (HDD). The use of AWP for computer expertise of HDD involves:

- seizure of the latter in accordance with the established procedure for procedural actions;

- duplication of this HDD on the HDD of the Workstation;

- storage of the seized HDD until the end of the trial as evidence.

Such an order of use determined the appearance of the automated workplace for conducting forensic examinations of ENI and the features of its implementation, one of which is its stationarity. This drawback creates significant inconvenience when using it at field events due to the cumbersomeness of the AWP component parts (PC system unit, keyboard, manipulator, monitor, power supply unit, ENI research stand), as well as the need to uncommute the components for transportation and subsequent assembly of the AWP for performing examination procedures.

The need to store the seized HDD until the trial is completed as material evidence is due to the need to have a standard of information subject to examination, which is important to ensure the validity of the results of the forensic procedure. Practice shows that in some cases the seizure of a hard drive leads to a halt in the business of the enterprise, and as a result of appeals to the court, court decisions are made to return the seized hard drive to the owner, which in most cases reduces the amount of work performed by the expert to zero.

Thus, the claimed device has a comprehensive goal: to ensure the prompt creation of an information copy of the hard drive without its removal (on the spot) with the possibility of confirming the integrity of the information submitted for examination.

The essence of the invention lies in the fact that a duplicated HDD using the inventive device is copied simultaneously to two HDDs that form a RAID array, a hash function calculation process is executed in parallel with the duplication process, after the duplication process is completed, two labels with the calculated hash function value are automatically printed, which are pasted on HDD with copies of information stored on the duplicated HDD, and the value of the hash function is recorded in the protocol.

List of figures:

Figure 1 - Scheme of a mobile workstation for collecting information for computer examinations. Shows the main elements of the device and the relationship between them.

Figure 2 - An experimental sample of a mobile workstation for collecting information for computer examinations. Shows the appearance and layout of the main elements of the device.

This goal is achieved by the fact that the Mobile workstation for collecting information for computer examinations consists of:

- Processing unit 1;

- RAID 2 writer;

- Replaceable hard drives 3 and 4, respectively;

- Indicator panel 5;

- Control unit 6;

- Label printer 7 (see figure 1).

Processing unit 1 is a motherboard with a processor and RAM, an input / output system having: a video output for connecting the Indicator panel 5, a control input for connecting a Control Unit 6, a printer output for connecting a Label Printer 7, a data input for connecting a hard drive and an output data for connecting the RAID 2 Writer, and provides, by executing program code for the appropriate purpose, reading information from the duplicated HDD, calculating the hash function, and writing information using M RAID 2 write module in parallel on HDD 3 and 4.

The RAID 2 writer is a hardware module for parallel writing of information to two HDDs, designed for its intended purpose.

HDD 3 and 4 are the same model of hard disk drives. Designed for recording and storing copies of information stored on a duplicated HDD.

The indicator panel 5 is a small-sized liquid crystal screen designed to display the progress and result of operations.

The control unit 6 is a button keyboard and is designed to control the operating modes of the Workstation.

Label printer 7 is a small-sized printing device designed for the manufacture of glued labels with the application of the hash value calculated during duplication on them.

The conditions of small size are determined by the requirement for mobility of the Workstation.

The information output of Processing Unit 1 is connected to the input of the RAID 2 Writer, the inputs of HDD 3 and HDD are connected in parallel 4. The video output of Processing Unit 1 is connected to the input of the Indicator Panel 5. The control input of Processing Unit 1 is connected to the output of the Control Unit 6. Printer output Processing unit 1 is connected to the input of the Label Printer 7.

The principle of operation of the Mobile workstation for collecting information for computer examinations is as follows. A duplicated HDD is connected to the data input of Processing Unit 1. Two HDDs 3 and 4 are connected to the output of the RAID 2 Writer with a volume of no less than the volume of the duplicated HDD. Using the buttons of the Control Unit 6, the program stored in the memory of the Processing Unit 1 is configured and launched, during which the Processing Unit 1 reads data from the duplicated HDD, calculates the hash value and transfers the data to the input of the RAID 3 Writer, which records these data in parallel to two HDDs 3 and 4.

During the duplication procedure, the parameters of the process of duplication and its results are displayed on the screen of the Indicator panel 5. The displayed parameters of the duplication process include: start time, recording speed, percentage of completion and estimated completion time. The duplication process can be completed normally or abnormally, which will be reflected on the screen of the Indicator panel 5.

After the duplication is completed, Processing Unit 1 outputs the calculated hash function value to the printer output, and the Label Printer 7 connected to this output automatically prints two labels that contain the calculated hash function value. Labels are pasted on HDD 3 and HDD 4, about which the corresponding record is made in the protocol indicating the calculated value of the hash function. Then, HDDs 3 and 4 are sent, accompanied by a protocol, to an expert institution, where one of them will be stored as material evidence as a reference, and the second will be examined by an expert.

An experimental sample of a mobile workstation for collecting information for computer examinations is presented in figure 2. Processing unit 1 is based on an industrial computer with the Linux operating system. The mobility of the workstation is ensured by placing all the elements of the claimed device in a metal case, the material and shape of which provide heat dissipation.

AWP is designed to be used as equipment by an expert criminalist during operational activities and at the scene.

This workstation is also suitable and convenient for use within the framework of copying computer information performed by representatives of the Federal Antimonopoly Service, who are not authorized to seize information carriers, but to which, in accordance with modern legislation, all persons engaged in commercial activities in the Russian Federation are required to provide access to all official information, including stored on computer media.

Thus, the objective of the invention is achieved.

BIBLIOGRAPHY

1 Zubakha B.C., Usov A.I., Saenko G.V., Volkov G.A., Bely S.L., Semikalenova A.I. General provisions on the designation and production of computer-technical expertise: Methodological recommendations. - M .: GU EKTS Ministry of Internal Affairs of Russia, 2000. - 65 p., 6 ill., Bibliographer., Adj.

2 Sheludchenko V.I. Technical and forensic tools and methods for collecting computer information // Materials of the All-Russian Interdepartmental Seminar. - Belgorod: Ministry of Internal Affairs of the Russian Federation, 2002. - S.205-207.

3 Kopytin A.V., Marshalko B.G., Fedotov E.T. Forensic examination of a personal computer // Materials of the All-Russian Interdepartmental Seminar. - Kazan: Ministry of Internal Affairs of the Republic of Tatarstan, 2004. - C.115

4 Aikov D., Seiger K., Fopstorh U. Computer crimes. Computer Crime Guide. Per. from English V.I. Voropaev and G.G. Trekhalin. - M .: Mir, 1999.

5 Semenov N.V., Motuz O.V. Forensic-cybernetic examination - a tool to combat crime of the XXI century // Information Protection, Confident, 1999, 1-2.

6 An automated workstation for conducting forensic examinations of electronic information carriers. Patent for the invention of the Russian Federation No. 2297664 dated 04/20/2007.

Claims (1)

A mobile workstation for collecting information for computer examinations, consisting of Processing Unit 1, RAID Writer 2, two hard disk drives 3 and 4, and a Label Printer 7, characterized in that the indicator panel 5 is additionally included and Control Unit 6, while the information output of Processing Unit 1 is connected to the input of the RAID 2 Writer, to the output of which the inputs of HDD 3 and HDD 4 are connected in parallel, the video output of Processing Unit 1 is connected to the input of the Display Panel 5, pack the processing input of Processing Unit 1 is connected to the output of Control Unit 6, the printer output of Processing Unit 1 is connected to the input of Label Printer 7.