Компьютерно - техническая экспертиза
0x6874 0x7470 0x3A2F 0x2F63 0x6F6D 0x7075 0x7465 0x722D 0x666F 0x7265 0x6E73 0x6963 0x732D 0x6C61 0x622E 0x6F72 0x672F
Computer forensics and investigations

Home » Articles » Kapinus O.V., Michailov I.Y. Smart-cards research as a part of computer-technical expertise.

Smart-cards research as a part of computer-technical expertise. Kapinus O.V. Michailov I.Y. (info@computer-forensics-lab.org)

Swift development of electronics during the last decades caused a wide spread of smart-cards.
Smart-card is a plastic card, the size of a standard credit card, with one or several integrated circuits (chips) capable to store information of any kind.
Criminalistical features of smart-cards, in our opinion, are:
1. The size which is visually perceived as the size of a standard credit card.
2. The information containing in the chip of a smart-card. Process of its record, storage and interpretation is determined both by the chip manufacturer and by the firm producing the equipment where the smart-card is used.
At present smart-cards find their application in the systems of prepaid access, delineation of access and cryptographic protection, in banking.
The most widespread smart-cards are those with the protected memory (payphone), asynchronous.
Owing to the technical features, we consider only asynchronous smart-cards. Asynchronous smart-card is (actually) a set of functional components which realize similar functions with the components of a personal computer.
The operation of a card is realized by specialized software (so-called operating system of smart-card) which is responsible for the process of card cooperation with external devices, which organizes work with the smart-card file system.
The specificity of areas in which smart-cards are used, causes the big interest in them of all kinds of malefactors. Using all possible methods and algorithms, they try to make smart-card emulators. Emulators imitate electronic signals ("answers" and "requests") of a real smart-card in the system where it is used. Thus, using emulators, an evil-doer carries out the actions accessible, as a rule, only to the legal owner of the original smart-card.
Today in Russia there is a market of hardware and software by means of which it is possible to manufacture emulators of various smart-cards using blanks - not programmed smart-cards. In this way, on the basis of Goldwafer smart-card, embedding the corresponding software in it, it is possible to produce the following types of emulators: a payphone card, a key card for deciphering the coded signals of paid satellite TV channels, a SIM-card of a cellular communication operator.
During the collection of evidence on the cases connected with manufacturing of smart-cards emulators, their diagnostics is of great importance. Thus when making preliminary investigation or examination, the signs pointing that the presented objects are the emulators of original smart-cards can be:
1. The existence of several original smart-cards (by one or several manufacturers) which, as a rule, are used for definition of cards logic.
2. The existence of not programmed smart-cards.
3. The existence of the devices realizing the smart-cards functions.
4. The existence of special equipment for reading and recording information in the smart-card chips.
5. The existence of the specialized software for operation with smart-cards on the presented computers.
6. The other information on various data mediums about cards requisites, ways of smart-cards reprogramming, etc.
When investigating the given objects, it is necessary to give their detailed description and, if possible, to photograph them. To specify their marking, size and other signs on the smart-cards which allow to identify them.
If during preliminary investigative actions, namely field investigation or search, it appears that the card is inserted into the programmer, connected to a working computer and on its screen there is an information, allowing to assume current work with the smart-card, then, from our point of view, it is necessary to act in the following way: to photograph (or to write down) the information, visible on the screen of the monitor; to determine: whether the program for work with the programmer is run on the computer and whether this program is interchanging information with the card; to interrupt the information interchange between the program and the card (without ending the program); to describe in detail the way of connecting the programmer to the computer. Then it is necessary to extract the smart-card from the card receiver of the programmer, since ending the program or during the computer shutdown, the voltage on the bonding areas of the programmer can damage the card chip. Then, to switch off the computer properly and pack it. In addition to above-mentioned objects, it is necessary to seize connecting cables, power sources, the special equipment packing or its fragments. The rules of seizure, storage and transportation of material evidences on criminal cases dealing with the investigation of computer crimes are stated in the methodical recommendations of Zubah V.S., Usov A.I., Saenko G.V. and others. (General theses on the purpose of computer-technical expertise and its making.). When seizing the above-said objects, don’t forget about traditional criminalistical traces (finger-prints, etc.), which can be revealed, investigated and used later on, for proving the circumstances of the committed crime.
The methods of smart-cards research are both complex diagnosing of the system (in which the smart-card is applied), and separate hardware, software and dataware examination. The typical problems solved at smart-cards research as a part of computer-technical expertise are:
1. The ascertainment of crystal (chip) manufacturer in the given smart-card.
2. The ascertainment of the crystal (chip) type used in the given smart-card.
3. To ascertain the purpose of the given smart-car.
4. To decide whether it is possible by means of the given equipment to reprogram (read, delete) the information in the given smart-card.
5. To determine whether it is possible by means of the given smart-card and the specified equipment (seized from the malefactor, or used by the malefactor in the case) to perform the certain actions.
Let's consider the features of a payphone card emulator expertise:
1. Reading of available data from a card.
2. Documenting of the expertise, including, the means of photo-, cine-technics.
3. X-ray examination of a card.
4. Conducting tests on a real payphone.
5. Removing foil cover from a card.
6. Diagnostics of the circuit design on contacts connections.
In the research part of the expertise the type of a crystal, conductor topology (without a chip) are listed.
Expert research of smart-cards, depending on circumstances of concrete criminal case and the questions put before the expert (experts), necessarily requires the participation of other experts (specializing in such areas as tracelogy, CEMSP (criminalistic expertise of materials, substances and products), etc.) or specialist in other areas such as cryptography, circuitry, film integrated circuit technology, etc.