Take Note: Law enforcement officers gather and use digital evidence not only for computer crime or
computer-related crime but for traditional crime as well.
An active digital footprint is created by data provided by the user, such as personal information,
videos, images, and comments posted on apps, websites, social media, and other online forums.
A passive digital footprint is data that is obtained from, and unintentionally left behind by, users of the
Internet and digital technology.
With respect to cybercrime, the crime scene is not limited to the physical location of the digital devices
used in the commission of the cybercrime and/or that were the target of the cybercrime. The cybercrime
crime scene also includes every digital device that potentially holds digital evidence, and so spans multiple
digital devices, systems, and servers.
1. Identification. This phase includes the search for and recognition of relevant evidence, as well as
its documentation. In this phase, the priorities for evidence collection are set based on the value and
volatility of the evidence. In the identification phase, preliminary information about the cybercrime case
is also obtained prior to collecting digital evidence. This preliminary information is similar to that which
is sought during a traditional criminal investigation.
2. Collection. This phase involves the collection of all digital devices that could potentially contain
data of evidentiary value. The investigator, or crime scene technician, collects the evidence. The
collection procedures vary depending on the type of digital device.
3. Acquisition. The collected devices are then transported back to a forensic laboratory or other
facility for acquisition and analysis of digital evidence. This process is known as static acquisition.
However, there are cases in which static acquisition is unfeasible. In such situations, live
acquisition of data is conducted. Live acquisition is the way to collect digital evidence while the computer
is still powered on and the suspect is logged in.
At the forensics laboratory, digital evidence should be acquired in a manner that preserves
the integrity of the evidence. Obtaining the data without altering it is accomplished by creating a copy
of the original content of the digital device, specifically of its storage device (a process known as
forensic imaging), while using a device known as a write blocker, which is designed to prevent any
alteration of the data during the copying process.
Take Note: The seized digital devices are considered the primary source of evidence. The digital
forensics analyst does not work on the primary source directly. Instead, a duplicate is made of the
contents of that device and the analyst works on the copy.
Take Note: To determine whether the duplicate is an exact copy of the original, a hash value is computed
for both the original and the copy. If the hash values for the original and the copy match, then the contents
of the duplicate are exactly the same as the original.
5. Analysis. The digital forensics process also involves the examination and interpretation of digital
evidence. This phase requires the use of appropriate digital forensic tools and methods to uncover
digital data. There are numerous digital forensics tools on the market, of varying quality
(examples of digital forensics tools include EnCase, IEF, and Autopsy). The choice of digital forensics
tool varies depending on the type of digital forensics investigation conducted. Files are analyzed
to determine their origin, and when and where the data was created, modified, accessed,
downloaded, or uploaded.
Four Types of Analyses that can be performed:
Time-frame analysis seeks to create a timeline or time sequence of actions, using the time
stamps (date and time) that led up to an event, or to determine the time and date on which a user
performed some action.
Ownership and possession analysis is used to determine the person who created,
accessed, and/or modified files on a computer system.
Application and file analysis is performed to examine the applications and files on a computer
system to determine the perpetrator's knowledge, intent, and capability to commit the
cybercrime.
Data hiding analysis searches for hidden data on a system. Criminals use several data-
hiding techniques to conceal their illicit activities and identifying information, such as
steganography and encryption.
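Time-frame analysis and ownership analysis, as described above, are usually done over file-metadata exports from a forensic tool. The script below is an added illustration (not part of these notes and not taken from EnCase, IEF, or Autopsy): it turns constructed created/modified/accessed records into a single sorted timeline, filters it to a time window of interest, and lists which files a given account touched. The file paths, account names, and timestamps are all constructed sample data.

```python
from datetime import datetime, timezone
from typing import List, Tuple

# Constructed file-metadata records, in the shape a forensic tool might export:
# (path, owner account, created, modified, accessed); timestamps are UTC.
SAMPLE_RECORDS = [
    ("C:/Users/alice/Downloads/tool.zip", "alice",
     "2023-03-01T09:12:00Z", "2023-03-01T09:12:05Z", "2023-03-01T09:30:00Z"),
    ("C:/Users/alice/Documents/notes.txt", "alice",
     "2023-02-20T14:00:00Z", "2023-03-01T09:25:00Z", "2023-03-01T09:25:00Z"),
    ("C:/Users/bob/Desktop/report.docx", "bob",
     "2023-03-02T08:00:00Z", "2023-03-02T08:10:00Z", "2023-03-02T08:10:00Z"),
]

# One timeline entry: (timestamp, action, path, owner)
Event = Tuple[datetime, str, str, str]


def parse_ts(value: str) -> datetime:
    # The trailing "Z" is parsed as an explicit UTC offset so that every
    # timestamp is timezone-aware and directly comparable.
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def build_timeline(records) -> List[Event]:
    """Time-frame analysis: expand each record's three timestamps into
    separate events and order them chronologically."""
    events: List[Event] = []
    for path, owner, created, modified, accessed in records:
        events.append((parse_ts(created), "created", path, owner))
        events.append((parse_ts(modified), "modified", path, owner))
        events.append((parse_ts(accessed), "accessed", path, owner))
    events.sort()  # tuples sort by timestamp first, then action name
    return events


def events_between(timeline: List[Event], start: str, end: str) -> List[Event]:
    """Narrow the timeline to the window around the incident under review."""
    lo, hi = parse_ts(start), parse_ts(end)
    return [e for e in timeline if lo <= e[0] <= hi]


def files_touched_by(timeline: List[Event], owner: str) -> List[str]:
    """Ownership and possession analysis: every file a given account
    created, modified, or accessed."""
    return sorted({e[2] for e in timeline if e[3] == owner})


def format_timeline(timeline: List[Event]) -> str:
    return "\n".join(f"{ts.isoformat()} {action:<8} {owner:<6} {path}"
                     for ts, action, path, owner in timeline)


if __name__ == "__main__":
    tl = build_timeline(SAMPLE_RECORDS)
    print(format_timeline(tl))
    print("\nActivity between 09:00 and 10:00 UTC on 2023-03-01:")
    print(format_timeline(events_between(tl, "2023-03-01T09:00:00Z", "2023-03-01T10:00:00Z")))
    print("\nFiles touched by bob:", files_touched_by(tl, "bob"))
```

In practice the records come from the file-system metadata of the forensic image rather than an inline list, and timestamps from different devices must be normalised to one zone (here UTC) before they are merged into a single timeline.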
Take Note: In the world of cybersecurity, steganography is the technique of hiding secret data within a
non-secret, ordinary file or message to avoid detection. Encryption is the blocking of third-party
access to a file, either by requiring a password or by rendering the file, or aspects of the file, unusable.
6. Reporting. The results of the analysis are documented in a report. This phase includes a detailed
description of the steps taken throughout the digital forensics process, the digital evidence
uncovered, and the conclusions reached based on the results of the digital forensics process and
the evidence revealed.
Take Note: An IP address is a unique identifier assigned to a computer or other Internet-connected digital
device by the Internet service provider when it connects to the Internet.
*To identify the Internet service provider (ISP) associated with the IP address, the cybercrime investigator
can use ICANN's WHOIS query tool (https://whois.domaintools.com/). The WHOIS query tool can be used
to identify the contact information and location of the organization associated with a domain name. The
WHOIS query tool can also be used to identify the contact information and location of the organization
associated with an IP address.
2. The lack of mutual legal assistance on cybercrime matters, and timely collection, preservation, and
sharing of digital evidence between countries.
Take Note: In the Philippines, Cyber Warrants can also be enforced even outside the Philippines, coursed
through the DOJ – Office of Cybercrime. The DOJ-OOC is also the Central Authority in all matters relating to
international mutual assistance and extradition, as far as cybercrime is concerned.
3. Cybercrime investigators face technical challenges. Investigators may not have the necessary
knowledge, equipment and digital forensics tools needed to adequately conduct cybercrime
investigations involving digital devices.
Common Defenses of Cybercriminals and Evidence to Rebut These Defenses
1. Ghost in the Machine
Computer infected with virus
Computer controlled by botnet and defendant had nothing to do with the crime
Take Note: A botnet is a collection of Internet-connected devices infected by malware that allows hackers to
control them.
Rebut with evidence
There is anti-virus software installed on the defendant's computer
No known malware found on the computer
Use other corroborative evidence, such as Google searches for terms relevant to the crime, hacker
tools, etc.
Provide/look for non-electronic evidence
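The rebuttal "no known malware found on the computer" is normally supported by hashing every file in the image and comparing the hashes against a reference list of known-bad hashes. The script below is an added illustration (not part of these notes and not the output of any named tool): it builds a small constructed directory tree standing in for a mounted image, hashes each file with SHA-256, and reports any file whose hash appears in a constructed known-bad set. The "malware" is a harmless text marker, and the hash set is computed from it in the script; none of the values are real malware hashes.

```python
import hashlib
import os
import tempfile
from typing import Dict, List, Tuple

# Constructed marker standing in for a known-bad file; a real reference set
# (e.g. an anti-virus vendor's or a hash database's list) would be loaded
# from a file rather than derived from inline data.
DEMO_BAD_CONTENT = b"CONSTRUCTED-SAMPLE-NOT-REAL-MALWARE\n"


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sha256_file(path: str, chunk: int = 1 << 20) -> str:
    """Hash a file in chunks so large images do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


# Constructed known-bad set: hash -> family label.
KNOWN_BAD: Dict[str, str] = {sha256_bytes(DEMO_BAD_CONTENT): "Demo.Dropper (constructed)"}

Match = Tuple[str, str, str]  # (path, sha256, label)


def scan_tree(root: str, known_bad: Dict[str, str]) -> Tuple[List[Match], int]:
    """Hash every regular file under root and return (matches, files_scanned).
    An empty match list with a non-zero scan count is the evidence behind
    the statement 'no known malware found'."""
    matches: List[Match] = []
    scanned = 0
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            digest = sha256_file(path)
            scanned += 1
            if digest in known_bad:
                matches.append((path, digest, known_bad[digest]))
    return matches, scanned


def build_demo_tree(include_bad: bool) -> str:
    """Create a throwaway directory tree that stands in for a mounted image."""
    root = tempfile.mkdtemp(prefix="image_")
    docs = os.path.join(root, "Users", "alice", "Documents")
    os.makedirs(docs)
    with open(os.path.join(docs, "notes.txt"), "wb") as f:
        f.write(b"meeting notes\n")
    if include_bad:
        with open(os.path.join(root, "Users", "alice", "dropper.exe"), "wb") as f:
            f.write(DEMO_BAD_CONTENT)
    return root


def report(matches: List[Match], scanned: int) -> str:
    if not matches:
        return f"{scanned} files scanned; no known malware found."
    lines = [f"{scanned} files scanned; {len(matches)} known-bad file(s):"]
    lines += [f"  {path}  {digest[:16]}...  {label}" for path, digest, label in matches]
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(*scan_tree(build_demo_tree(include_bad=True), KNOWN_BAD)))
    print(report(*scan_tree(build_demo_tree(include_bad=False), KNOWN_BAD)))
```

A hash match only establishes that a byte-identical copy of a catalogued file was present; a clean result against one hash set is not proof that the machine was uninfected, which is why the notes pair this check with other corroborating evidence.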
Take Note: A firewall is a security device — computer hardware or software — that can help protect your
network by filtering traffic and blocking outsiders from gaining unauthorized access to the private data on
your computer.
3. Being Framed
My computer was clean when it was taken
Something must have happened when the computer was imaged
Rebut with evidence
Time/date stamps on the imaging
The imaging process and its verification with hash values, to prove the authenticity of the data
Explain the forensic imaging process
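The hash-verification step from the acquisition phase above, and the "Being Framed" rebuttal here, rest on the same record: a timestamped imaging log whose hash of the source matches the hash of the image, and which can be re-checked at any later time. The script below is an added illustration (not part of these notes and not the procedure of any named tool): it images a constructed "source device" (a byte string written to a temporary file, not a real drive) block by block, hashes both the source and the read-back image, records start and finish times, and then shows that altering a single byte of the image is detected on re-verification. Opening the source read-only here only models the intent of a write blocker; on a real device the hardware write blocker described in the notes is what prevents writes.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timezone

# Constructed source-device contents: 16 KiB of deterministic bytes.
# A real acquisition reads the physical drive through a write blocker.
SOURCE_DEVICE = bytes(range(256)) * 64


def sha256_file(path: str, chunk: int = 4096) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def acquire(source_path: str, image_path: str, chunk: int = 4096) -> dict:
    """Forensic imaging: copy the source block by block, hash the source as it
    is read, then independently hash the written image and record everything."""
    started = datetime.now(timezone.utc)
    src_hash = hashlib.sha256()
    copied = 0
    with open(source_path, "rb") as src, open(image_path, "wb") as dst:
        for block in iter(lambda: src.read(chunk), b""):
            src_hash.update(block)
            dst.write(block)
            copied += len(block)
    image_hash = sha256_file(image_path)  # read back what was actually written
    finished = datetime.now(timezone.utc)
    return {
        "source": source_path,
        "image": image_path,
        "started": started.isoformat(),
        "finished": finished.isoformat(),
        "bytes_copied": copied,
        "source_sha256": src_hash.hexdigest(),
        "image_sha256": image_hash,
        "verified": src_hash.hexdigest() == image_hash,
    }


def verify_image(record: dict) -> bool:
    """Re-hash the image later (before analysis, or when challenged in court)
    and compare against the source hash recorded at acquisition time."""
    return sha256_file(record["image"]) == record["source_sha256"]


def demo():
    """Image the constructed source, verify, tamper with one byte, verify again."""
    work = tempfile.mkdtemp(prefix="acq_")
    source = os.path.join(work, "source.bin")
    image = os.path.join(work, "source.dd")
    with open(source, "wb") as f:
        f.write(SOURCE_DEVICE)
    record = acquire(source, image)
    ok_before = verify_image(record)
    with open(image, "r+b") as f:  # simulate post-acquisition alteration
        f.seek(100)
        f.write(b"\xff")
    ok_after = verify_image(record)
    return record, ok_before, ok_after


if __name__ == "__main__":
    record, ok_before, ok_after = demo()
    for key, value in record.items():
        print(f"{key:>14}: {value}")
    print("verified before tampering:", ok_before)
    print("verified after tampering: ", ok_after)
```

The imaging log (start and finish time, byte count, and both hashes) is what answers "something must have happened when the computer was imaged": the image hash matched the source at acquisition, and any later change to the image produces a different hash.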
1. EnCase
○ Recover active and deleted files
○ Email and file system analysis
○ Malicious code discovery
3. Autopsy
○ Similar to EnCase in overall features
○ Email and file system analysis
○ Advanced searches
○ File type identification
○ Data carving