TECHNICAL CAPABILITIES
THE PNP ANTI-CYBERCRIME GROUP
PNP – ACG was activated on MARCH 20, 2013:
Criminal Investigation and Detection Group (CIDG) – ATCCD
Authority:
NAPOLCOM RESOLUTION NO. 2013-220 dated February 27, 2013; and
GENERAL ORDER NO. DPL-12-09 dated February 27, 2013.
THE PNP ANTI-CYBERCRIME GROUP
Functions:
o Cybercrime Incident Response
o Cybercrime Investigations
o Computer Network Log Analysis
o Computer Forensic Examination
o Cellphone/Mobile Forensic Examination
o Audio/Video Forensic Examination
PNP-ACG DIGITAL FORENSIC LABORATORIES
Regional Digital Forensic Laboratories:
o DFL, HQ
o RDFL 3
o RDFL 4a
o RDFL 7
o RDFL 9
o RDFL 10
o RDFL 11
o RDFL 12
PNP-ACG DIGITAL FORENSIC EQUIPMENT
Digital Forensic Equipment
PNP-ACG CYBER TRAINING FACILITY
Training Facility and Equipment:
o MicroSystemation (XRY/XACT)
PNP-ACG DIGITAL FORENSIC COMPETENCY
International Standard Trainings and Certification
DIGITAL FORENSICS
- Digital Evidence
DEFINITION
o What is a Computer?
o Refers to an electronic, magnetic, optical, electrochemical, or other data processing or communications device, or grouping of such devices, capable of performing logical, arithmetic, routing, or storage functions and which includes any storage facility or equipment or communications facility or equipment directly related to or operating in conjunction with such device. It covers any type of computer device including devices with data processing capabilities like mobile phones, smart phones, computer networks and other devices connected to the internet. (R.A. 10175)
o What is Computer Data?
o Refers to any representation of facts, information, or concepts in a form suitable for processing in a computer system including a program suitable to cause a computer system to perform a function and includes electronic documents and/or electronic data messages whether stored in local computer systems or online.
WHO USES DIGITAL FORENSICS?
o Prosecutors
o Rely on evidence obtained from a computer to prosecute suspects.
o Civil Litigation
o Personal and business data discovered on a computer can be used in fraud, divorce, harassment, or discrimination cases.
o Insurance Companies
o Evidence discovered on a computer can be used to reduce costs (fraud, worker’s compensation, etc.).
o Private Corporations
o Evidence obtained from employee computers can be used in harassment, fraud, and theft cases.
o Individual/Private Citizens
o Obtain the services of professional computer forensic specialists to support claims of harassment, abuse, or wrongful termination from employment.
REASONS FOR EVIDENCE
“ EVIDENCE ”
MANY TYPES OF EVIDENTIAL DATA
o Graphics
o Internet
o Correspondence
o Reports
o Finance
o Life Style?
o Diary
o Faxes
o Address book
o Organizer
BUT NO MATTER WHAT TYPE OF DATA, IT IS JUST…
1010101110101010110101010101010101010 (figure: a screen full of 1s and 0s)
WHY CAN’T I JUST TURN IT ON ?
o Volatile Data
o Non-Volatile Data
WHERE ARE THE FILES LOCATED?
(Figure: the unused area and the file slack on a disk, as drawn on the slide.)
o LETTER.DOC (5K) is written to disk. When it is deleted, its directory entry becomes ?ETTER.DOC and its space is marked unused, BUT... the data remains there until overwritten.
o FILE SLACK: Invoice.doc (3K) is later written into the 5K space that LETTER.DOC occupied. INVOICE.DOC uses 3K of it; the remaining 2K of slack still holds the remains of letter.doc, and those remains can be viewed.
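The deleted-file and file-slack behaviour drawn on the slide, replayed on a toy volume. This is an added example, not code from the PNP-ACG presentation: it models a small FAT-like volume with a directory table and fixed-size allocation units, and the 5 KB unit size, the "?" deletion marker (standing in for the 0xE5 byte FAT writes over the first character of a deleted entry), the file names and the file contents are all constructed to mirror the slide's 5K/3K/2K numbers.

```python
"""Toy volume showing why a deleted file's bytes survive, and what file slack is.

Added example; not code from the PNP-ACG slides. Models a tiny FAT-like
volume: a directory table plus fixed-size allocation units of 5 KB (chosen
to mirror the slide's 5K/3K/2K numbers; real clusters are usually 4 KB or
smaller). Deleting a file only changes the first byte of its directory
name (FAT writes 0xE5 there; the slide draws it as "?ETTER.DOC") and frees
the unit. The unit's bytes are untouched until something is written there.
"""
from dataclasses import dataclass, field

KB = 1024
ALLOC = 5 * KB      # allocation unit size (constructed, mirrors the slide)
DELETED = "?"       # stands in for FAT's 0xE5 deleted-entry marker


@dataclass
class Entry:
    name: str
    unit: int       # allocation unit holding the file's data
    size: int       # logical file size in bytes

    @property
    def deleted(self) -> bool:
        return self.name.startswith(DELETED)


@dataclass
class ToyVolume:
    units: int
    directory: list = field(default_factory=list)
    data: bytearray = field(init=False)

    def __post_init__(self) -> None:
        self.data = bytearray(self.units * ALLOC)

    def live_units(self) -> set:
        return {e.unit for e in self.directory if not e.deleted}

    def entry(self, name: str) -> Entry:
        for e in self.directory:
            if e.name == name:
                return e
        raise FileNotFoundError(name)

    def write(self, name: str, content: bytes) -> Entry:
        """Store a file (at most one unit) in the lowest unit not in use.
        Only len(content) bytes are written: the tail of the unit keeps
        whatever was there before, which is exactly what file slack is."""
        if len(content) > ALLOC:
            raise ValueError("toy volume stores at most one unit per file")
        unit = next(u for u in range(self.units) if u not in self.live_units())
        off = unit * ALLOC
        self.data[off:off + len(content)] = content
        entry = Entry(name, unit, len(content))
        self.directory.append(entry)
        return entry

    def delete(self, name: str) -> None:
        """Mark the directory entry deleted; the data area is not touched."""
        self.entry(name).name = DELETED + name[1:]

    def read(self, name: str) -> bytes:
        e = self.entry(name)
        return bytes(self.data[e.unit * ALLOC:e.unit * ALLOC + e.size])

    def slack(self, name: str) -> bytes:
        """Bytes between the file's logical end and the end of its unit."""
        e = self.entry(name)
        return bytes(self.data[e.unit * ALLOC + e.size:(e.unit + 1) * ALLOC])

    def deleted_names(self) -> list:
        return [e.name for e in self.directory if e.deleted]


def slide_scenario() -> dict:
    """Replay the slide: LETTER.DOC (5K) written, deleted, then INVOICE.DOC
    (3K) written into the same unit. Returns what an examiner can still see."""
    vol = ToyVolume(units=4)
    letter = b"Dear Sir, " * 512          # constructed 5120-byte letter
    invoice = b"INVOICE " * 384           # constructed 3072-byte invoice
    vol.write("LETTER.DOC", letter)
    vol.delete("LETTER.DOC")
    unit0_after_delete = bytes(vol.data[:ALLOC])   # raw read, bypassing the directory
    vol.write("INVOICE.DOC", invoice)
    return {
        "deleted_names": vol.deleted_names(),             # ['?ETTER.DOC']
        "data_survived_delete": unit0_after_delete == letter,
        "invoice_unit": vol.entry("INVOICE.DOC").unit,    # reused unit 0
        "slack_bytes": len(vol.slack("INVOICE.DOC")),     # 2048 = 2K
        "slack_is_old_letter": vol.slack("INVOICE.DOC") == letter[len(invoice):],
    }


if __name__ == "__main__":
    for k, v in slide_scenario().items():
        print(f"{k}: {v}")
```

Reading the directory through the file system API (`read`) shows only INVOICE.DOC; the orphaned `?ETTER.DOC` entry and the 2 KB of letter text in the slack are only visible when the examiner reads the allocation units directly, which is why the acquisition step images the raw media rather than copying files.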
A BEST PRACTICES GUIDE
Non-compliance will often make evidence inadmissible.
http://www.7safe.com/electronic_evidence/ACPO_guidelines_computer_evidence.pdf
ACPO PRINCIPLES OF DIGITAL EVIDENCE
Principle 2
Principle 3
Working Notes
Principle 4
STEPS OF DIGITAL FORENSICS
Identification → Acquisition/Imaging → Analysis → Reporting → Court Presentation
o Identification
o This step involves identifying what type of storage media and what data or information could be recovered relative to the investigation or case.
o Acquisition/Imaging
o Physically or remotely obtaining possession of the computer data from the original digital storage media through a digital forensic imaging process.
(Figure: a 750 GB drive imaged sector by sector, from Sector[0] through Sector[A], Sector[B], Sector[X], Sector[Y] and Sector[Z], covering both partitions C:\ and E:\ and crossing the partition boundary between them.)
STEPS OF DIGITAL FORENSICS
o Is a mathematical algorithm
o Produces a unique digital fingerprint
o Verifies that the binary content of an acquired forensic image is exactly the same as the source media
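The imaging step and the fingerprint check that follows it, carried through in code. This is an added example, not code from the PNP-ACG presentation. The slide does not name the "mathematical algorithm"; reading it as a cryptographic hash is my assumption, and MD5 plus SHA-256 are used here because forensic imaging tools commonly report both. The drive is a constructed in-memory byte string with a C: and an E: partition, so the image visibly runs from Sector[0] across the partition boundary to the last sector, and the 512-byte sector size and all sector contents are likewise constructed.

```python
"""Sector-by-sector imaging of a constructed drive, with hash verification.

Added example; not code from the PNP-ACG slides. The slide's "mathematical
algorithm that produces a unique digital fingerprint" is a cryptographic
hash (my reading; the slide does not name one). MD5 and SHA-256 are used
here because forensic imaging tools commonly report both. The "drive" is an
in-memory bytes object with two partitions, C: and E:, so the image visibly
runs from Sector[0] across the partition boundary to the last sector.
"""
from __future__ import annotations

import hashlib
import io

SECTOR = 512
ALGOS = ("md5", "sha256")


def make_device() -> bytes:
    """Constructed 34-sector drive: boot sector, 16 C: sectors, a boundary
    sector, 16 E: sectors. A real drive is only larger, not different."""
    sectors = [b"BOOT".ljust(SECTOR, b"\x00")]
    sectors += [f"C:sector{i}".encode().ljust(SECTOR, b"\xcc") for i in range(16)]
    sectors += [b"PARTITION BOUNDARY".ljust(SECTOR, b"\x00")]
    sectors += [f"E:sector{i}".encode().ljust(SECTOR, b"\xee") for i in range(16)]
    return b"".join(sectors)


def digests(stream: io.BufferedIOBase) -> dict:
    """Hash a stream in sector-sized reads; returns {algo: hexdigest}."""
    hs = {a: hashlib.new(a) for a in ALGOS}
    for chunk in iter(lambda: stream.read(SECTOR), b""):
        for h in hs.values():
            h.update(chunk)
    return {a: h.hexdigest() for a, h in hs.items()}


def image_device(device: bytes) -> tuple[bytes, dict]:
    """Copy every sector from Sector[0] to the end, whichever partition it
    belongs to, hashing the source bytes as they are read so the acquisition
    hash describes exactly what went into the image."""
    src, out = io.BytesIO(device), io.BytesIO()
    hs = {a: hashlib.new(a) for a in ALGOS}
    count = 0
    for chunk in iter(lambda: src.read(SECTOR), b""):
        out.write(chunk)
        for h in hs.values():
            h.update(chunk)
        count += 1
    record = {"sectors": count, **{a: h.hexdigest() for a, h in hs.items()}}
    return out.getvalue(), record


def verify(image: bytes, acquisition: dict) -> bool:
    """Independently re-hash the image and compare with the acquisition record.
    Every algorithm must match; one mismatch means the image is not the source."""
    computed = digests(io.BytesIO(image))
    return all(computed[a] == acquisition[a] for a in ALGOS)


def demo() -> dict:
    device = make_device()
    image, acq = image_device(device)
    tampered = bytearray(image)
    tampered[10_000] ^= 0x01          # flip one bit inside the E: partition
    return {
        "sectors": acq["sectors"],                                # 34
        "image_matches_source": image == device,
        "verified": verify(image, acq),                           # True
        "tampered_verified": verify(bytes(tampered), acq),        # False
        "source_hash_reproducible":
            digests(io.BytesIO(device))["sha256"] == acq["sha256"],
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The acquisition hashes are computed from the bytes as they leave the source, and the verification hashes from the image file afterwards; only when both agree can the examiner state that the image is bit-for-bit identical to the media. A single flipped bit anywhere in the image changes every digest, which is what makes the fingerprint usable as evidence of integrity.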
o Analysis
o Evaluating the information or data recovered from the
storage media evidence to determine if and how it
could be used against the suspect.
o Reporting
o Once the analysis is complete, a report is
generated. This report may be a written report,
oral testimony, or some combination of the two.
o Court Presentation
o This step involves the presentation of the evidence discovered, in a manner which is understood by lawyers and non-technical staff/management, and suitable as evidence as determined by the rules on electronic evidence or any related law.
END
Thank you
and
Good day …
ISSUES AND CHALLENGES
o 1. Equipment and Training of Personnel.
o 2. Rapid evolution of Computer Technology.
o 3. Update of Forensic Hardware and Software and CPE of Forensic Examiners.
o 4. Limited number of Trained Digital Forensic Examiners.
o 5. Limited number of field Police Officers who were trained in the seizure of digital evidence.
o 6. Only a few Prosecutors and Judges are inclined toward Digital Forensics.
o 7. Storage Media Encryption Technology.
o 8. The 30-day extension period for Digital Forensic Examination based on R.A. 10175, SEC. 15.
o 9. SEC. 18. Exclusionary Rule. — Any evidence procured without a valid warrant or beyond the authority of the same shall be inadmissible for any proceeding before any court or tribunal.
o a. (How about electronic evidence recovered through a warrantless arrest such as an entrapment operation?)
o b. Evidence recovered from the Crime Scene such as Cellular Phones and other forms of portable storage media (SD, Micro SD).