This  file  is  a basic description of russian computer law related
issues.  Part  1  contains  information  gathered  primarily  from
open sources. As this sources  are  all  russian, information may be
unknown to those who doesn't know russian language. Part  2  consists
of  instructions  on  computer crime investigation: raid guidelines and
suspect's system exploration.


0 - DISCLAIMER 1 - LAW
  1.1 - Basic Picture 1.2 - Criminal Code 1.3 - Federal Laws
2 - ORDER
  2.1 - Tactics of Raid 2.2 - Examining a Working Computer 2.3 -
  Expertise Assignment


--[ 0.DISCLAIMER.

INFORMATION PROVIDED FOR EDUCATIONAL PURPOSES ONLY. IT MAY BE ILLEGAL
IN YOUR COUNTRY TO BUST HACKERS. IT MUST BE ILLEGAL AT ALL. THERE ARE
BETTER THINGS TO DO. EXPLORE YOURSELF AND THIS WORLD. SMILE. LIVE.


--[ 1.	 LAW.

----[ 1.1. Basic Picture.

Computer-related  laws	are  very  draft and poorly describes what are
ones about.  Seems  that  these  are  simply  rewritten instructions
from 60's *Power Computers* that took a truck to transport.

Common	subjects  of lawsuits include carding, phone piracy (mass
LD service thievery)  and...  hold  your  breath... virii infected
warez trade. Russia is a real  warez  heaven  -  you can go to about
every media shop and see lots of CDs with  warez,  and some even has
"CRACKS AND SERIALS USAGE INSTRUCTIONS INCLUDED" written  on  front
cover  (along with "ALL RIGHTS RESERVED" on back)! To honour pirates,
they  include  all  .nfo  files  (sometimes  from  4-5 BBSes warez was
courriered  through).  It  is  illegal	but  not  prosecuted.  Only if
warez are infected  (and  some VIP bought them and messed his system up)
shop owners faces legal  problems.
/* Latest addition - pressure on warez became stronger. Article was writen in 2002 */

Hacking  is  *not  that  common*,  as  cops are rather dumb and busts
mostly script kiddies for hacking their ISPs from home or sending your
everyday trojans by email.

There  are  three  main  organisations	dealing  with  hi-tech	crime:
FAPSI (Federal	Government  Communications  and  Information  Agency
- mix of FCC and secret service), UKIB FSB (hi-tech feds; stands for
departamernt of computer and information  security)  and  UPBSWT  MVD
(hi-tech  crime fightback dept.) which incorporates R unit (R for radio -
busts ham pirates and phreaks).
/* Latest addition - FAPSI was disbanded */

FSB   (secret	service)  also	runs  NIIT  (IT  research  institute).
This organisation  deals  with	encryption  (reading your PGPed mail),
examination of malicious  programs  (revealing	Windoze source) and
restoration of damaged data (HEXediting saved games). NIIT is believed
to possess all seized systems so they have tools to do the job.

UPBSWT	has a set of special operations called SORM (operative
and detective measures	system).  Media describes this as an
Echelon/Carnivore-like thing, but it  also monitors phones and
pagers. Cops claims that SORM is active only during major criminal
investigations.


----[ 1.2. Criminal Code.

Computer criminals are prosecuted according to this articles of the Code:

 159:	Felony. This mostly what carders have to do with, accompanied by
	caught-in-the-act  social  engineers.  Punishment  varies
	from fine (minor, no criminal record) to 10 years prison term
	(organized and repeated crime).

 272:	Unauthorized access to computer information. Easy case will end
    up in fine  or up to 2 years probation term, while organized, repeated
     or involving "a person with access to a computer, computer complex
	or network" (!#$@!) crime may lead  to	5  years  imprisonment.
	Added to  this are weird comments on what are information,
	intrusion and information access.

 273:	Production, spreading and use of harmful computer
    programs. Sending trojans  by  mail considered to be lame and punished by up to 3
	years in prison. Part II says that "same deeds *carelessly* caused
	hard consequences" will result in from 3 to 7 years in jail.

 274:	Computer, computer complex or network usage rules breach. This
    one is tough  shit.  In  present,  raw  and  somewhat	confused
	state this looks, say, *incorrect*.  It  needs that at least
	technically literate person should provide correct and clear
	definitions. After that clearances this could be useful thing:
	if  someone  gets  into  a  poorly  protected  system,	admin will
	have to take responsibility too. Punisment  ranges  from ceasing
	of right to occupy "defined" (defined  where?) job positions to
	2 years prison term (or 4 if something fucked up too seriously).


----[ 1.3. Federal Law.

Most notable subject related laws are:

"On  Information,  Informatization  and Information Security"
(20.02.95). 5 chapters	of  this  law  defines	/*  usually not
correct or even intelligent */ various	aspects  of  information  and
related issues. Nothing really special or important  -	civil rights
(nonexistent), other crap, but still having publicity (due  to	weird
and easy-to-remember name i suppose) and about every journalist covering
ITsec pastes this name into his article for serious look maybe.

"National  Information Security Doctrine" (9.9.2K) is far more
interesting.  It  will tell you how dangerous Information Superhighway
is, and this isn't your average  mass-media  horror  story  -  it's
a  real thing! Reader will know how hostile  foreign  governments  are
busy  imlpementing  some  k-rad mind control tekne3q  to  gain r00t on
your consciousness; undercover groups around the globe are  engaging in
obscure infowarfare; unnamed but almighty worldwide forces also about
to control information...ARRGGH! PHEAR!!!

{ALiEN special note: That's completely true. You suck Terrans. We'll
own your planet soon and give all of you a nice heavy industry job}.

Liberal values are covered too (message is BUY RUSSIAN). Also there are
some definitions (partly correct) on ITsec issues.

"On  Federal  Government  Communications and Information" (19.2.93,
patched 24.12.93  and  7.11.2K).  Oh yes, this one is serious. Everyone
is serious about his  own  communications - what can i say? Main message
is "RESPONSIBLES WILL BE FOUND. OTHERS KEEP ASIDE".

Interesting  entity defined here is Cryptographic Human Resource -
a special unit	of  high qualified crypto professionals which must be
founded by FAPSI. To be  in  Cryptographic  Human  Resource  is to serve
wherever you have retired or anything.

Also  covered  are rights of government communications personnel. They
have no  right	to  engage  in	or to support strike. Basically they have
no right to fight  for	rights.  They  don't  have  a right to publish or
to tell mass-media anything about their job without previous censorship
by upper level management.

Cryptography   issues	are  covered  in  "On  Information  Security
Tools Certification"  (26.6.95 patched 23.4.96 and 29.3.99) and "On
Electronic Digital Signature"  (10.2.02).  Not	much  to  say about. Both
mostly consists of strong definitions of certification procedures.


--[ 2. ORDER.

----[ 2.1. Tactics of Raid.

Given information is necessary for succesful raid. Tactics of raid
strongly depends on previously obtained information.

It  is	necessary to define time for raid and measures needed to conduct
it suddenly  and  confidentially. In case of presence of information
that suspect's computer  contains  criminal  evidence  data,  it  is
better to begin raid when possibility that suspect is working on that
computer is minimal.

Consult  with  specialists  to	define what information could be stored
in a computer  and  have  adequate technics prepared to copy that
information. Define all  measures to prevent criminals from destroying
evidence. Find raid witnesses who  are	familiar  with	computers
(basic	operations, programs names etc.) to exclude  possibility of
posing raid results as erroneous at court. Specifity and complexity
of  manipulations  with  computer  technics  cannot be understood
by illiterate,	so  this  may  destroy	investigator's efforts on
strengthening the value of evidence.

Witness' misunderstanding of what goes on may make court discard evidence.
Depending  on  suspect's  qualification  and  professional  skills,
define a computer technics professional to involve in investigation.

On arrival at the raid point is necessary to: enter fast and sudden
to drive computer stored information destruction possibility  to  the
minimum. When possible and reasonable, raid point power supply must be
turned off.

Don't allow no one touch a working computer, floppy disks, turn computers
on and off; if necessary, remove raid personnel from the raid point;
don't allow no one turn power supply on and off; if the power supply
was  turned  off at the beginning of raid, it is necessary to unplug all
computers and peripherals before turning power supply on; don't manipulate
computer technics in any manner that could provide inpredictable results.

After  all  above  encountered	measures  were	taken,	it  is necessary
to preexamine  computer technics to define what programs are working
at the moment.	If   data  destruction	program  is  discovered  active
it  should  be	stopped immediately  and examination begins with exactly
this computer. If computers are connected  to  local  network,	it  is
reasonable to examine server first, then working computers, then other
computer technics and power sources.


----[ 2.2. Examining a Working Computer.

During the examination of a working computer is necessary to:

 define what program is currently executing. This must be done by
  examining the  screen  image  that  must  be  described  in detail in raid
  protocol. While necessary, it should be photographed or videotaped. Stop
  running program and fix results of this action in protocol, describing
  changes occured on computer screen;

 define presence of external storage devices: a hard drive (a
  winchester*), floppy  and ZIP type drives, presence of a virtual drive (a temporary
  disc which is  being	created  on  computer  startup	for increasing
  performance speed) and describe  this  data  in  a  protocol	of raid;

 define presence of remote system access  devices  and  also  the
  current state of ones (local network connection, modem  presence),  after  what
  disconnect  the computer  and modem, describing results of that in
  a protocol;

 copy programs and files from the virtual drive (if present) to the
  floppy disk or to a separate directory of a hard disk;

 turn the computer off and continue with examining it. During this is
  necessary to describe  in	a  raid protocol and appended scheme the location
  of computer and  peripheral  devices (printer, modem, keyboard,
  monitor etc.) the purpose of every  device,  name,  serial  number,
  configuration (presence and type of disk drives,  network  cards,
  slots etc.), presence of connection to local computing network  and
  (or) telecommunication networks, state of devices (are there tails
  of opening);

 accurately  describe the order of mentioned devices interconnection,
   marking (if necessary) connector cables and plug ports, and disconnect computer
   devices.

 Define, with the help from specialist,  presence  of	nonstandard
  apparatus inside the computer, absence of microschemes, disabling of an inner power
  source (an accumulator);

 pack (describing location where were found in a protocol) storage
  disks and tapes.  Package  may	be special diskette tray and also common paper
  and plastic bags, excluding ones not preventing the dust (pollutions
  etc.) contact with disk or tape surface;

 pack	every  computer  device  and  connector  cable.  To  prevent
  unwanted individuals' access, it is necessary to place stamps on system block -
  stick the power  button  and	power  plug slot with adhesive tape and
  stick the front and side panels mounting details (screws etc.) too.

If it is necessary to turn computer back on during examination, startup
is performed with a prepared boot diskette, preventing user programs
from start.

* winchester - obsolete mainstream tech speak for a hard drive. Seems to
be of western origin but i never met this term in western sources. Common
shortage is "wint".

----[ 2.3. Expertise Assignment.

Expertise  assignment  is an important investigation measure for such
cases.	General  and  most  important  part  of  such  an expertise is
technical program (computer technics) expertise. MVD (*) divisions have
no experts conducting such expertises  at  the	current  time,	so  it
is possible to conduct such type of expertises	at  FAPSI  divisions
or to involve adequately qualified specialists from other organisations.

Technical program expertise is to find answers on following:

 what information contains floppy disks and system blocks presented to
   expertise?

 What is its purpose and possible use?

 What programs contains floppy disks and system blocks presented to
   expertise?

 What is their purpose and possible use?

 Are there any text files on floppy disks and system blocks presented to
  expertise?

 If so, what is their content and possible use?

 Is there destroyed information on floppy disks presented to expertise?

 If so, is it possible to recover that information?

 What is that information and what is its possible use?

 What program products contains floppy disks presented to expertise?

 What are they content, purpose and possible use?

 Are  between	those  programs  ones  customized  for	passwords
  guessing or otherwise  gaining  an  unauthorized	computer  networks access?

 If so, what are their  names,  work  specifications, possibilities of
usage to penetrate defined computer  network?

 Are there evidence of defined program usage to penetrate the
abovementioned network?

 If so, what is that evidence?

 What is chronological sequence of actions necessary to start defined
program or to conduct defined operation?

 Is it possible to modify program files while working in a given
computer network?

 If so, what modifications can be done, how can they be done and from
what computer?

 Is it possible to gain access to confidential information through
mentioned network?

 How such access is being gained?

 How  criminal  penetration  of  the  defined	local  computer
network  was committed?

 What	is  the  evidence  of  such  penetration?

 If this penetration involved	remote access, what are the possibilites
of identifying an originating computer?

 If an evidence of a remote user intrusion is absent, is it possible
to point computers from which such operations can be done?

Questions may be asked about compatibility of this or that programs;
possibilities of running a program on defined computer etc. Along with
these, experts can be asked on purpose of this or that device related
to computer technics:

 What is the purpose of a given device, possible use?

 What is special with its construction?

 What parts does it consist of?

 Is it industrial or a homemade product?

 If it is a homemade device, what kind of knowledge and in what kind of
  science and technology do its maker possess, what is his professional
  skill level?

 With what other devices could this device be used together?

 What are technical specifications of a given device?

Given methodic recommendments are far from complete list of questions
that could be asked in such investigations but still does reflect the
important aspects of such type of criminal investigation.


* MVD (Ministry of Inner Affairs) - Russian police force.


CREDITS

     I like to mention stiss and BhS group for contibutions to this file.