ABSTRACT: This article addresses the issues related to cybercrimes and highlights the role and significance of expert examinations in such cases, including judicial cyber expertise and other types of forensic examinations. The author emphasizes the necessity of introducing telecommunications network expertise, telecommunications infrastructure expertise, information systems and computer data expertise, software and program expertise, cryptographic expertise, coverage and communication quality expertise, as well as judicial cyber expertise. The article also points out the shortcomings of the existing computer-technical expertise and the need for its improvement, along with proposals for enhancing the legislation.
The development of information and communication technologies and their integration with other technologies have led to the rapid digitalization of all sectors and industries today, including the field of forensic examinations related to cybercrimes. The processes of appointing examinations, conducting them, and preparing expert conclusions are currently being gradually digitalized.
In general, cybercrime and expertise are distinct concepts. Cybercrime refers to a culpable socially dangerous act (action or inaction) committed in the cyber environment, including cyberspace, or by using information and communication technologies—such as telecommunications, informatization, artificial intelligence, digitalization infrastructure, neural, bio, and cyber technologies, as well as other related technical means—that is prohibited by the criminal legislation of each state and entails the threat of punishment.
Expertise, on the other hand, is a procedural activity aimed at establishing the circumstances of a case, involving the conduct of forensic examinations and the provision of conclusions by an expert based on special knowledge in the fields of science, technology, art, or craft.
Accordingly, expertise plays an important role in the detection and investigation of cybercrimes.
It should be emphasized that today large-scale efforts are being carried out in the Republic of Uzbekistan to digitalize the field of expertise. In particular, 152 legislative documents related to expertise have been adopted, with attention being paid to the digitalization of expertise in each area and to the appointment of expertise in relation to cybercrimes.
During the past period, procedures have been established for conducting expertise to assess the compliance of information systems and resources of cybersecurity entities, as well as information systems included in the category of critical information infrastructure objects, and also project specifications for the development of information systems and resources, with cybersecurity requirements1, At the Academy of the Ministry of Internal Affairs, the educational process in the field of “Combating Crimes in the Sphere of Digital Technologies” has been organized within a dual education system, specializing in the prevention of offenses, operational-search activities, and forensic-expert activities. Within the existing staffing structure of the Academy, a Faculty of Cybersecurity and Digital Forensics has been established, which includes departments of Cyber Law, Exact Sciences, Digital Technologies and Information Security, as well as Forensic Examinations2, Along with identifying information on offenses related to crypto-assets by pre-investigation inquiry, inquiry, and preliminary investigation bodies, the implementation of the following measures has been established:
examining the memory of information storage devices;
analyzing the distributed ledger of data based on the crypto-wallet address;
appointing a forensic computer-technical examination;
sending relevant inquiries to service providers in accordance with the procedure established by law;
submitting inquiries to obtain information related to banking secrecy.3
Why is expertise necessary for cybercrimes?
Firstly, individuals serving as investigators, interrogators, prosecutors, and judges in the Republic of Uzbekistan may have studied at different higher educational institutions; however, their main specialization is in law, and almost none of them sufficiently understand or possess knowledge in the field of information and communication technologies;
Secondly, in the cyber environment created by information and communication technologies, including cyberspace or by using it, there exists a risk of digital evidence related to cybercrimes being deleted, altered, or traces of the cybercrime being lost. To eliminate this risk, the mandatory involvement of a specialist or an expert is required;
Thirdly, in order to provide a conclusion regarding where, when, and under what circumstances a cybercrime was committed in the cyber environment, including cyberspace or through its use, the participation of a specialist or an expert is required;
Fourthly, in accordance with Articles 238–240 of the current Criminal Code, a specialist is not warned, whereas an expert is warned, and this, in turn, may serve as a factor that encourages the expert to provide a correct conclusion, realizing the responsibility for the opinion given;
Fifthly, cybercrimes are international transnational crimes, and their commission in conjunction with other types of crimes requires extensive knowledge and analytical thinking, for which the field of expertise is specifically specialized.
At present, cybercrime cases are usually examined through forensic computer-technical expertise; however, from a technical perspective, the limited scope of computer technology indicates the necessity of revising this type of expertise.
In particular, forensic computer-technical expertise is considered an examination that reviews computer information, that is, the conditions related to computer technology within information and computing systems4, networks, and their components. However, it should not be forgotten that computer information may also be connected to infrastructures related to other information and communication technologies.
For example, the telecommunications network and computer technology are considered different means. In a telecommunications network, computer information is transmitted through telecommunications, that is, by means of a signal. However, if the speed and quality of this signal do not affect the integrity and wholeness of the computer information, then in such a case it would be incorrect to associate the conducted examination with forensic computer-technical expertise.
The reason is that the main function of telecommunications is the transmission, reception, and processing of information — whether in the form of text, image, sound, video, or other types of signals — by using radio, optical, or other electromagnetic systems.5
In this process, computer information is transmitted not through computer technology, but through telecommunications networks, facilities, structures, and devices.
In practice, the “Electromagnetic Compatibility Center” State Unitary Enterprise, on the basis of the instructions and cooperation of the Inspectorate for Control in the Field of Informatization and Telecommunications and its regional divisions, measures mobile communication coverage. Insufficient mobile coverage constitutes an administrative offense provided for in Article 153 of the Code of Administrative Liability. However, at present, neither of these organizations uses the technology for fully measuring communication quality. The reason is that this measuring equipment is very expensive, and since the fines imposed for administrative offenses under Article 153 of the Code of Administrative Liability are very small and are transferred to the state budget, sufficient reforms in this regard have not yet been implemented by the aforementioned organizations.
At this point, it should be emphasized that it is possible to measure the quality of mobile communication through the following equipment, devices, and tools. In particular:
1) Drive Test. In this method, vehicles equipped with special measuring equipment move along cities and roads to measure the quality of mobile communication. For example:
Rohde & Schwarz TSME6: This device is used to assess the quality of LTE and 5G networks. It is integrated with GPS and measures parameters such as signal strength, quality, and interference.
PCTEL SeeGull IBflex®: This scanner operates in the range from 400 MHz to 2.7 GHz and is designed for small-cell and in building testing;
2) Walk Test. The quality of communication is measured by walking on foot. This method is especially used in large cities and crowded areas. For example, the Rohde & Schwarz TSMA Autonomous Mobile Network Scanner: this device connects to smartphones via Wi-Fi or Bluetooth, collects data, and performs analysis;3) Mobile Device Testing. This method is used to measure communication quality through mobile phones. For example, Samsung Galaxy S21+ 5G: in tests conducted in Poland, these smartphones were used together with Rohde & Schwarz equipment to evaluate communication quality;
4) MDT (Minimization of Drive Tests). In this method, mobile devices automatically measure the quality of the connection and send the data to the operator. This allows for the continuous collection of extensive and comprehensive information.
The technologies mentioned above themselves require cybersecurity, and only when the management system, network encryption, web browser, and endpoint security are ensured can these technologies be fully utilized. In 2016 in Poland, 2020 in the USA, 2021 in Canada, 2022 in Switzerland, 2023 in Iceland and 2024 in Estonia, separate studies were conducted to assess the quality of mobile communication networks. However, today, there are still several challenges in this regard in the Republic of Uzbekistan. It should be noted that the quality of communication also contributes to cybersecurity, as it allows for the rapid detection of issues, including cybercrimes committed in the cyber environment.
However, in the Republic of Uzbekistan, there is not even a specialized type of expertise for measuring mobile communication quality, and no personnel training has been established in this field, so the relevant technology is not fully utilized. Meanwhile, the authority responsible for monitoring mobile communication quality – the Inspection for Control in the Field of Informatization and Telecommunications – received 1,191 appeals in the first quarter of 2025 alone, the majority of which concerned poor communication quality.
This, in turn, necessitates the implementation of reforms in this field.
Additionally, in the USA, the United Kingdom, Germany, and other developed countries, the following types of expertise related to information and communication technologies are utilized:
The main types of expertise used in foreign countries for cybercrime by investigators, prosecutors, or courts are as follows:
1) Computer-Technical (Digital Forensic) Expertise
Purpose: To identify, recover, and analyze information and other data from computers, laptops, and servers.
Main Applications: It is primarily used to identify the source of a cyber-attack, analyze cases of file deletion, encryption, and modification, and monitor activities through log files;
2) Mobile Device Expertise
Purpose: To examine information and other data stored on smartphones and tablets.
Main Applications: It is primarily used to analyze calls, SMS messages, applications, GPS data, social networks or messengers—including WhatsApp, Telegram, and Messenger chats—as well as Internet activity and browser history;
3) Network (Network Forensic) Expertise
Purpose: To analyze cyber attacks or data flows carried out through networks.
Main Applications: It is primarily used to investigate DDoS attacks, identify IP addresses, and uncover attempts to hide activity using VPNs or proxies;
4) Data Recovery Expertise
Purpose: To restore deleted, formatted, or damaged data.
Main Applications: It is primarily used to preserve reliable and necessary information in cases of cyber sabotage or cyber theft;
5) Malware Analysis Expertise
Purpose: To analyze programs used in cybercrime, including viruses, trojans, and ransomware.
Main Applications: It is primarily used to identify the source of malicious software and study its operational mechanisms;
6) Email and Personal Communication Expertise
Purpose: To analyze information sent via email or personal communication channels.
Main Applications: It is primarily used to detect threats, fraud, or cases of personal data theft related to information transmitted through email or personal communication channels;
7) Cryptography Expertise
Purpose: To analyze encrypted data, passwords, and cryptocurrency transactions.
Main Applications: It is primarily used to investigate crimes related to crypto currency and to analyze information concerning encrypted files and programs;
8) Cyber Forensic Auditing
Purpose: To present technical evidence in legal proceedings.
Main Applications: It is primarily used to ensure that expert reports are accepted as legal evidence in court.
In the Republic of Uzbekistan, only the first type of expertise mentioned above is used more frequently, while most others are not applied. Even when expertise is utilized, it is in the form or content of a court computer-technical (digital forensic) expertise. However, in the practice and history of investigation, prosecution, and courts in Uzbekistan, cyber forensic auditing has never been applied, and its nature is still unknown to them.
It is known that, according to Article 81 of the Criminal Procedure Code, digital evidence is included among the types of evidence. Article 951 of the CPC provides for the inadmissibility of evidence obtained from unknown sources or from sources that cannot be identified during the investigation of a criminal case.
In practice, almost all physical items, objects, or the electronic (digital) data and digital evidence they contain are collected by an investigator, prosecutor, or court report and then handed over to a specialist or expert. However, no expertise is conducted to determine whether procedural or technical errors occurred during the collection of such evidence. This, in turn, can affect processes related to determining the method, time, and circumstances of a cybercrime, as different information may arise regarding the source and creation history of the data. For example, information in a computer system may have been created at a different time, copied to another device, or recorded at a different time in the report, potentially showing a creation time that does not match the actual time of the cybercrime. This poses a risk of disconnecting the cybercriminal from the timing of the offense. For this reason, assigning a cyber forensic auditing (Cyber Forensic Auditing) is of critical importance.
Furthermore, identifying processes related to artificial intelligence requires extensive knowledge and reasoning.
For this reason, it is appropriate to reconsider the specialization of court computer-technical expertise and to establish a unified list of expertise conducted in the field of information and communication technologies, taking into account the specific characteristics of this field. To accomplish this task, based on the unique features of the field and its developing technologies, it is proposed to assign expertise for cybercrimes by dividing it into the following types:
- Telecommunication Network Expertise
- Telecommunication Infrastructure Expertise
- Information Systems and Computer Data Expertise
- Software and Application Expertise
- Cryptographic Expertise
- Communication Coverage and Quality Expertise
- Cyber Forensic Auditing.
In this framework:
Telecommunication Network Expertise is conducted for cybercrimes committed using or within telecommunication or Internet networks, in accordance with the Criminal Code;
Information Systems and Computer Data Expertise focuses on information systems, including user servers, databases, devices, files, information, and other data, covering aspects such as data recovery, creation time, purpose, functions, and tasks;
Cryptographic Expertise deals with the encryption of computer data and software;
Communication Coverage and Quality Expertise determines the coverage area and quality of wired or wireless communications;
Software and Application Expertise provides information about various software and applications, identifies the functions of malicious viruses, and assesses the risk level of their execution;
Telecommunication Infrastructure Expertise involves a comprehensive study of all the above aspects.
Cyber Forensic Expertise determines the admissibility of computer data and other evidence related to cybercrimes;
Computer-technical (digital forensic) expertise, mobile device expertise, network forensic expertise, data recovery expertise, malware analysis, and email and personal communication expertise are considered as integral components of the above-mentioned expertise;
Why is it appropriate to classify the types of expertise applied to cybercrimes as described above? The reason lies in the technical nature of information and communication technologies. Negative events occurring within or between telecommunication infrastructures today manifest as cybercrimes. A cybercrime cannot occur without telecommunication. Every cybercrime requires some form of communication. For example, if a malicious program on a user’s device, such as a flash drive, connects to a computer system, it can damage the system or its data. However, this crime occurs specifically because the malicious program enters the computer system via telecommunication. Therefore, since a cybercrime is also a technical crime, and the telecommunication sector constitutes the foundation of the information and communication field, classifying the types of expertise related to cybercrimes based on this sector is technically justified.
It should be emphasized that, based on the specific characteristics of information and communication technologies, the above-mentioned types of expertise could be further expanded. However, classifying them according to their specific attributes is of crucial importance. Therefore, it is not an exaggeration to say that the time has come to classify the types of expertise related to cybercrimes in this manner and to broaden the name and scope of judicial computer-technical expertise. This is because cybercrimes are directly linked to the development of information and communication technologies.
1 The Regulation “On the Procedure for Conducting Expertise for Compliance with Cybersecurity Requirements”, approved by Order No. 113 of the Chairman of the State Security Service of the Republic of Uzbekistan dated October 15, 2024 (14.11.2024, registration number: 3573) // lex.uz – National Database of Legislative Information of the Republic of Uzbekistan.
2 Resolution of the President of the Republic of Uzbekistan No. PP-17 dated January 22, 2025 “On measures to introduce a system of training professional personnel in the field of combating crimes committed using digital technologies” // lex.uz – National Database of Legislative Information of the Republic of Uzbekistan.
3 Resolution of the Ministry of Internal Affairs of the Republic of Uzbekistan No. 44 dated December 20, 2024, Resolution of the Prosecutor General’s Office No. 14 dated December 19, 2024, and Resolution of the National Agency for Promising Projects No. 14 dated December 18, 2024 (25.12.2024, registration number: 3591)”On the procedure for the seizure, seizure, storage and transfer of crypto-assets identified during the conduct of pre-investigation checks and the investigation of crimes”, approved by // lex.uz – National database of legislative data of the Republic of Uzbekistan.
4 Rules for the Provision of Telecommunications Services, approved by Order No. 208-mh of the Minister of Information Technologies and Communications of the Republic of Uzbekistan dated June 30, 2020 (registration number 3275, June 30, 2020) // lex.uz – National Database of Legislative Information of the Republic of Uzbekistan.
5 Law of the Republic of Uzbekistan “On Telecommunications” No. ZUR-1015 dated December 27, 2024 // lex.uz – National Database of Legislative Information of the Republic of Uzbekistan.
List of References
Regulation “On the Procedure for Conducting Expertise for Compliance with Cybersecurity Requirements”, approved by Order No. 113 of the Chairman of the State Security Service of the Republic of Uzbekistan dated October 15, 2024 (14.11.2024, registration number: 3573) // lex.uz – National Database of Legislative Information of the Republic of Uzbekistan.
Resolution of the President of the Republic of Uzbekistan No. PP-17 dated January 22, 2025 “On measures to introduce a system of training professional personnel in the field of combating crimes committed using digital technologies” // lex.uz – National Database of Legislative Information of the Republic of Uzbekistan.
Resolution of the Ministry of Internal Affairs of the Republic of Uzbekistan No. 44 dated December 20, 2024, Resolution of the Prosecutor General’s Office No. 14 dated December 19, 2024, and Resolution of the National Agency for Promising Projects No. 14 dated December 18, 2024 (25.12.2024, registration number: 3591) “On the procedure for the seizure, seizure, storage and transfer of crypto-assets identified during the conduct of pre-investigation checks and the investigation of crimes”, approved by // lex.uz – National database of legislative data of the Republic of Uzbekistan.
Rules for the Provision of Telecommunications Services, approved by Order No. 208-mh of the Minister of Information Technologies and Communications of the Republic of Uzbekistan dated June 30, 2020 (registration number 3275, June 30, 2020) // lex.uz – National Database of Legislative Information of the Republic of Uzbekistan.
Law of the Republic of Uzbekistan “On Telecommunications” No. ZUR-1015 dated December 27, 2024 // lex.uz – National Database of Legislative Information of the Republic of Uzbekistan.
