Purpose of forensic examination — practical nuances

02.08.2022


In practice, we encountered a case in which a NABU detective ordered comprehensive forensic telecommunications and computer-technical examinations of iPhones and iPads from a specialist who is not in the register of forensic experts and who is, in addition, a NABU detective. The examinations posed a single question: overcoming logical access. The detective had previously tried, unsuccessfully, to overcome such access independently during the examination, and had received a conclusion from a KNDISE expert that overcoming such access was impossible. And yet this "expertise" has been under way for more than half a year, and the "expert" replied to the detective's request that the investigation "may last days, months and years" (this is a verbatim quote)!

We have prepared a legal position and are sharing it with colleagues.

Examinations are scheduled in violation of the Code of Criminal Procedure of Ukraine

According to Clause 2 of Article 69 of the Criminal Procedure Code of Ukraine, "persons who are officially or otherwise dependent on the parties to criminal proceedings or the victim cannot be experts." According to Clause 19, Part 1, Article 3 of the Criminal Procedure Code of Ukraine, "parties to criminal proceedings — from the side of the prosecution: investigator, investigator, head of the pre-trial investigation body, head of the investigation body, prosecutor…". The Resolutions on the appointment of complex judicial telecommunications and computer-technical examinations state that the EXPERT is the head of the detective department of the criminal laboratory of the Department of Analytical and Information Processing of NABU, and the DETECTIVE is a detective…. department …. a division of the Main Division of NABU detectives. That is, the DETECTIVE and the EXPERT are both part of the NABU detectives, subordinate to the same head of the pre-trial investigation body, so there are official and other dependencies between them.

A specialist cannot be involved as an expert

In the Resolutions on the appointment of complex forensic telecommunications and computer-technical examinations, it is stated that the expert is not a forensic expert who is entered in the state Register of certified forensic experts, but is a specialist and has a higher education in the specialty "Security of information and communication systems".

According to Art. 7 of the Law of Ukraine "On Forensic Expertise": "Forensic expert activity is carried out by state specialized institutions, their territorial branches, expert institutions of communal ownership, as well as forensic experts who are not employees of the specified institutions, and other specialists (experts) from the relevant fields of knowledge in the manner and under the conditions specified by this Law".

According to Art. 9 of the Law of Ukraine "On Forensic Expertise": "A person or body that appoints or orders a forensic expert opinion may entrust it to those forensic experts who are included in the State Register of Certified Forensic Experts, or to other specialists in the relevant fields of knowledge, unless otherwise established by law".

In accordance with Articles 7 and 8 of the Law of Ukraine "On Forensic Expertise", the Ministry of Justice of Ukraine by Order 53/5 approved the Instruction "On Appointment and Conduct of Forensic Expertise and Expert Research". According to clause 1.12 of these Instructions: "Experts who are not employees of state specialized institutions and carry out forensic expert activity on a professional basis, ensure the conduct of examinations and research in accordance with the requirements of the Instruction "on the peculiarities of conducting forensic expert activity by certified forensic experts who do not work in state specialized expert institutions", approved by order of the Ministry of Justice of Ukraine dated December 12, 2011 No. 3505/5, registered in the Ministry of Justice of Ukraine on December 12, 2011 under No. 1431/20169".

NABU and its laboratories are not state specialized expert institutions according to Art. 7 of the Law of Ukraine "On Forensic Expertise". That is, their experts are subject to the requirements of the Instruction "on the peculiarities of forensic expert activity by certified forensic experts who do not work in state specialized expert institutions." According to clause 1 of paragraph III of these Instructions: "A mandatory condition for the performance of forensic expert activity by forensic experts who do not work in state specialized institutions is the presence of a certificate of qualification of a forensic expert issued by the Ministry of Justice of Ukraine on the basis of a decision of the Central Expert of the qualification commission under the Ministry of Justice of Ukraine, which is granted the right to conduct specific types of examinations". That is, the involvement of a specialist as an expert is possible only in state specialized expert institutions. In this case, it is impossible to involve a specialist as an expert.

Examinations were appointed in violation of the Law, as they are not comprehensive

According to the Instruction "on the appointment and conduct of forensic examinations and expert studies" clause 1.2.14: "Comprehensive is an examination carried out with the application of special knowledge of various fields of science, technology or other special knowledge (of different directions within the same field of knowledge) to solve one common (integration) task (question)". That is, experts from different fields of knowledge are involved at the same time. In this case, one specialist from the same field of knowledge as the KNDISE expert (who made a preliminary examination on the impossibility of providing a conclusion) was involved, namely the field of knowledge — research of telecommunication systems and means, computer equipment and software products.

The appointment of expert examinations took place in violation of the Law, as the guarantee of the independence of the judicial expert was violated

According to Art. 4 of the Law of Ukraine "On Forensic Expertise": "The independence of the forensic expert and the correctness of his conclusion are ensured by: …the existence of forensic expertise institutions, independent of the bodies that carry out operational investigative activities, bodies of pre-trial investigation and the court…". In this case, the examination is assigned to a body dependent on the body that carries out operational and investigative activities, namely to the criminal laboratory of the Analytical and Information Processing Department of NABU.

The examination is carried out in violation of the Law, namely in violation of the terms

According to the Instruction "on the appointment and conduct of forensic examinations and expert studies" clause 1.13:

"The term of the examination is set by the head of the expert institution (or the deputy head or the head of the structural unit) and should not exceed 90 calendar days.

In the event of a significant load on the expert (if he has more than ten examinations to perform at the same time, including commission and complex ones), a longer reasonable period is established by written agreement with the body (person) that appointed the examination (involved the expert), after preliminary study by the expert of the materials provided.

The time for preliminary study of materials should not exceed fifteen working days.

In case of refusal of the body (person) who appointed the expert examination (recruited the expert) to agree to the proposed reasonable term of the examination, the case materials are returned with a proposal to assign the examination to other subjects of forensic expert activity, defined in Article 7 of the Law of Ukraine "On Forensic Expertise".

In case of failure to comply with the expert's requests to provide additional materials, failure to pay the cost of the examination within 45 calendar days from the date of sending the request in accordance with the procedure provided for by the current legislation, failure to ensure the arrival of the expert, unhindered access to the research object, as well as proper conditions for its work (obstruction on the part of the parties participating in the case, in the inspection of the object) the case materials are returned to the body (person) that ordered the examination (recruited the expert), with an indication of the motivated reasons for the impossibility of conducting it.

The term of the examination begins on the working day following the day of receipt of the materials at the expert institution, and ends on the day of drawing up the expert's opinion (notification of the impossibility of providing an opinion). If the expiration of the established term for the examination falls on a non-working day, the next working day is considered the expiration date."

According to the ECtHR's position, the burden on the expert cannot be considered as a valid reason for violating the reasonable time limit. The absence of expert opinions in this case only indicates the negligent attitude of experts and detectives to their duties. The ECtHR assesses such violations as a violation of reasonable pre-trial investigation periods and an abuse of the restriction of the suspect's rights (the case of Adiletta v. Italy).

The NABU detective tried to overcome the logical protection of the devices even before the examination was assigned to KNDISE, and testified that it was not possible

On the page of the Inspection Report, the NABU detective notes that "it is impossible to overcome the logical protection system with the available means. In order to overcome the logical defense … there is a need for an expert investigation." Later, the detective appointed a computer-technical examination to KNDISE and received a message about the impossibility of providing a conclusion. In this conclusion, the KNDISE expert notes that "'hacking' of data protection tools for the user of Apple devices is, from a technical point of view, a generally unsolved problem." In view of this, NABU's repeated attempt to independently overcome the logical protection of Apple devices is only a delay in time, a violation of current legislation, a violation of the rights of Person 1, and does not meet the objectives of criminal proceedings.

The list of questions for the examination does not comply with the Law and the Instructions

According to Chapter II "Engineering and technical examinations" of the Instruction "on the appointment and conduct of forensic examinations and expert studies", the approximate list of issues resolved by the examination of computer equipment and software products (item 13.2) is:
  • Does this media contain information about (indicate what information you are interested in) and in what form?
  • Does the medium of the investigated computer contain information about certain (specify which) user actions?
  • Was the studied drive subjected to certain procedures to destroy information?
  • Could this information have been created on this computer or was it transferred from another medium?
  • How was the information (specify which one) transferred to the investigated computer (media)?
  • What is the technology and chronology of the creation of an electronic document (indicate the electronic document and certain content)?
  • What are the attributes (time of printing, editing, creation, deletion, etc.) of files containing information about… (specify content)?
  • Does the data storage of the investigated computer contain certain (specify which one – installed, not installed) software?
  • What functional malfunctions does this computer equipment or its individual components and devices have and how do these malfunctions affect the operation of the equipment as a whole?
  • Is it possible to perform certain actions with the help of this software product?
  • Is it possible to solve a certain task with the help of this software product?
  • Are the functions provided by the technical task for its development implemented in this software product (software code)?
and the approximate list of issues to be resolved in the examination of telecommunication systems and means (item 14.2) is:
  • What is the type, brand, model of the telecommunication device (system)?
  • Is the telecommunication facility (object) in working condition?
  • What characteristics of network connections does the telecommunication tool have?
  • Did the user of the telecommunications network change the settings of individual devices, at what time, and what were their values?
  • What is the general nature of connections to the telecommunications network performed by the object (telecommunications system, means)?
  • What software was used to connect to the telecommunications network?
  • What is the topology of hardware combined into a telecommunications system?
  • Does the functioning of the telecommunications device (system) correspond to the technical documentation?
  • What are the technical characteristics (parameters) of the telecommunication tool (system)?
  • Did the fact of access to the telecommunications system take place and in what way?
  • Did the use of resources and information take place in the telecommunications system and in what way?
  • Did the fact of transmission (reception) of information in the telecommunications system take place and in what way?
  • Are there signs of interference in the work of the telecommunications system?
  • Could the hardware be combined into a telecommunications network and by what means?
  • What are the ways of data routing in the telecommunications system?
  • Is it possible to use the telecommunication means (equipment) for the specified purposes?

In the Resolutions, the detective posed only the question of the presence and overcoming of the logical protection system and granted the expert permission to change the properties of the object of examination. This testifies to a violation of the Instructions and makes it impossible to appoint (if necessary) further repeated, complex, commission and other examinations.

Semyon Khanin, managing partner of Amber Law Company, lawyer
