
CYBER CRIME INVESTIGATION

What is Electronic Evidence?


Data obtained from information and communication technology (ICT) that can be used in a court of law is
known as electronic evidence (a.k.a. digital evidence).

Two types of electronic/digital evidence:


• Volatile: memory that loses its content once the power is turned off, such as the data held in RAM
(running processes, open network connections, and anything else that exists only while the system runs).
• Non-volatile: content survives power loss. For example, data stored on tape, hard drives, SSDs, CD/DVD,
and ROM.

Take Note: Law enforcement officers gather and use digital evidence not only for computer crimes or
computer-related crimes but for traditional crimes as well.

What is Digital Forensics?


The process of identifying, acquiring, preserving, analyzing, and presenting electronic evidence is
known as Digital Forensics. 

What is Digital Footprint?


Refers to the data left behind by ICT users that can reveal information about them. A digital footprint
can be active or passive.

• An active digital footprint is created by data the user deliberately provides, such as personal
information, videos, images, and comments posted on apps, websites, social media, and other online forums.
• A passive digital footprint is data collected about users of the Internet and digital technology without
any deliberate action on their part, such as IP addresses, device identifiers, and browsing records logged
by the services they use.

Crime Scene in Cybercrime Cases

With respect to cybercrime, the crime scene is not limited to the physical location of the digital devices
used in the commission of the cybercrime and/or that were its target. The cybercrime crime scene also
includes every digital device that potentially holds digital evidence, and so spans multiple devices,
systems, and servers, which may sit in different premises or even different countries.

Phases of Digital Forensics

1. Identification. This phase includes the search for and recognition of relevant evidence, as well as
its documentation. The priorities for evidence collection are set by the value and volatility of the
evidence: volatile data (RAM, running processes, network connections) is lost when power is removed, so
it is collected ahead of data on non-volatile storage. Also in the identification phase, preliminary
information is obtained about the cybercrime case prior to collecting digital evidence. This preliminary
information is similar to that sought during a traditional criminal investigation.

2. Collection. This phase involves the collection of all digital devices that could potentially contain
data of evidentiary value. The investigator, or crime scene technician, collects the evidence. The
collection procedures vary depending on the type of digital device.

3. Acquisition. The collected devices are then transported back to a forensic laboratory or other
facility for acquisition and analysis of digital evidence. Acquiring data from a device that is powered
off is known as static acquisition. There are cases in which static acquisition is unfeasible, for example
when the evidence exists only in memory, or the disk is encrypted and the key is held only in RAM. In such
situations, live acquisition is conducted: digital evidence is collected while the computer is powered on
and the suspect's session is still logged in, before the volatile data is lost.

At the forensics laboratory, digital evidence should be acquired in a manner that preserves the
integrity of the evidence. Data is obtained without altering it by creating a bit-for-bit copy of the
original content of the digital device, specifically its storage device (a process known as forensic
imaging), while the device is connected through a write blocker, a device designed to prevent any write
to the original during the copying process.

Take Note: The seized digital devices are considered the primary source of evidence. The digital forensics
analyst does not work on the primary source. Instead, a duplicate is made of the contents of the device
and the analyst works on the copy.

Take Note: To determine whether the duplicate is an exact copy of the original, a cryptographic hash value
(for example MD5, SHA-1, or SHA-256, as computed by the imaging tool) is calculated for the original and
for the copy. If the two hash values match, the contents of the duplicate are identical to the original.
The hash is recorded at the time of acquisition and recomputed whenever the integrity of the copy is
questioned.
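The imaging-and-hashing step above, as an added example that is not part of the original notes: the "drive" is a constructed file of random bytes opened read-only (a stand-in for a device behind a hardware write blocker, which software cannot replace), the copy is hashed from the bytes being read and again from disk, and a one-bit change to the working copy is then shown to fail re-verification. Paths, sizes and function names are assumptions made for the demo.

```python
"""Forensic imaging with hash verification (added example, not from the notes).

Assumptions: the evidence 'drive' is any path the process can open read-only;
a real acquisition reads through a hardware write blocker, which software
cannot replace. Paths and sizes below are constructed for the demo.
"""
import hashlib
import os
import tempfile

CHUNK = 1024 * 1024  # 1 MiB reads, so media larger than RAM still streams


def sha256_file(path):
    """SHA-256 of a file read from disk, block by block."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def image_and_hash(source_path, image_path):
    """Bit-for-bit copy of source_path into image_path.

    The source is opened read-only and hashed from the very bytes being
    copied, so the 'acquisition hash' describes the original as it was read.
    The image is then hashed again from disk; both digests are returned.
    """
    src_hash = hashlib.sha256()
    with open(source_path, "rb") as src, open(image_path, "wb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            src_hash.update(block)
            dst.write(block)
        dst.flush()
        os.fsync(dst.fileno())  # image must be on stable storage before it is hashed
    return src_hash.hexdigest(), sha256_file(image_path)


def verify_image(source_path, image_path):
    """Later re-verification: independently hash both files and compare."""
    return sha256_file(source_path) == sha256_file(image_path)


def demo():
    """Constructed sample evidence (random bytes) standing in for a small drive."""
    workdir = tempfile.mkdtemp()
    source = os.path.join(workdir, "suspect_drive.raw")
    image = os.path.join(workdir, "suspect_drive.dd")
    with open(source, "wb") as f:
        f.write(os.urandom(3 * CHUNK + 12345))  # deliberately not a multiple of CHUNK

    acq_hash, image_hash = image_and_hash(source, image)
    verified_at_acquisition = acq_hash == image_hash and verify_image(source, image)

    # Simulate an analyst's mistake: one bit changed in the working copy.
    with open(image, "r+b") as f:
        f.seek(777)
        original = f.read(1)
        f.seek(777)
        f.write(bytes([original[0] ^ 0x01]))
    verified_after_change = verify_image(source, image)

    return verified_at_acquisition, verified_after_change, acq_hash


if __name__ == "__main__":
    ok_before, ok_after, digest = demo()
    print("acquisition hash (SHA-256):", digest)
    print("image matches source right after acquisition:", ok_before)
    print("image matches source after a one-bit change:", ok_after)
```

The acquisition hash printed by the script is the value that belongs in the evidence log; any later copy or working image is checked against it, never against the seized device, which stays untouched.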

Mobile Device Acquisition/Extraction


There are two methods for retrieving data from a mobile phone: logical extraction and physical
extraction. Logical extraction is easier and less time-consuming, but returns less information, since it
obtains only what the device's operating system exposes. Physical extraction is more difficult and takes
much longer, but yields a bit-for-bit copy of the storage and therefore a greater return of hidden or
deleted information.

4. Preservation. Evidence preservation seeks to protect digital evidence from modification. The
integrity of digital devices and digital evidence is established by maintaining the chain of custody,
which is defined as the process by which investigators preserve the crime scene and evidence throughout
the life cycle of a case. In practice it is a documented record of every person who collected, handled,
transferred, or stored each item of evidence, when and why they did so, and the hash value of each
forensic image, so that the evidence presented in court can be shown to be the evidence that was seized.

5. Analysis. The digital forensics process also involves the examination and interpretation of digital
evidence. This phase requires the use of appropriate digital forensic tools and methods to uncover
digital data. There are numerous digital forensics tools on the market, of varying quality
(examples include EnCase, IEF, and Autopsy). The type of digital forensics tool used varies depending on
the type of digital forensics investigation conducted. Files are analyzed to determine their origin, and
when and where the data was created, modified, accessed, downloaded, or uploaded.
Four types of analysis can be performed:
• Time-frame analysis seeks to create a timeline, or time sequence of actions, from time stamps (date
and time) in order to reconstruct what led to an event or to determine the date and time a user
performed some action. Time stamps from different sources must first be converted to a common time zone
(usually UTC), since file systems, browsers, and system logs often record time differently.

• Ownership and possession analysis is used to determine the person who created, accessed, and/or
modified files on a computer system.

• Application and file analysis is performed to examine the applications and files on a computer system
in order to determine the perpetrator's knowledge of, intent, and capability to commit the cybercrime.

• Data hiding analysis searches for hidden data on a system. Criminals use several data-hiding
techniques to conceal their illicit activities and identifying information, such as steganography and
encryption.
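Time-frame analysis in practice, as an added example (not from the original notes): constructed records in the formats tools commonly export (NTFS MAC times in UTC, browser history as Unix epoch milliseconds, a logon from the Windows event log in the seized machine's local time, assumed here to be Philippine time, UTC+8) are normalised to UTC, merged into one timeline, and queried for the minutes around an event of interest. Paths, URLs, account names and times are invented for the demo.

```python
"""Time-frame analysis: a unified timeline from several evidence sources.

Added example, not from the notes. The records below are constructed
(not from any real case) and imitate what forensic tools export: NTFS
MAC times in UTC, browser history as Unix epoch milliseconds, and a
Windows logon from the event log in the seized machine's local time
(assumed here to be Philippine time, UTC+8).
"""
from datetime import datetime, timedelta, timezone

UTC = timezone.utc
MANILA = timezone(timedelta(hours=8))  # no daylight saving time

NTFS_MAC = [  # path, modified, accessed, created  (ISO 8601, UTC)
    ("C:/Users/jdoe/Downloads/tool.zip",
     "2023-03-14T02:11:05Z", "2023-03-14T02:11:40Z", "2023-03-14T02:11:05Z"),
    ("C:/Users/jdoe/Documents/notes.txt",
     "2023-03-10T09:00:00Z", "2023-03-14T02:30:12Z", "2023-02-01T08:00:00Z"),
]
BROWSER_HISTORY = [  # url, visit time as Unix epoch milliseconds (UTC)
    ("https://files.example/tool.zip", 1678759860000),  # 2023-03-14T02:11:00Z
]
WINDOWS_LOGONS = [  # account, local time string as shown in the event log
    ("jdoe", "2023-03-14 10:05:30"),  # = 2023-03-14T02:05:30Z
]


def parse_iso_utc(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=UTC)


def build_timeline():
    """Normalise every record to an aware UTC datetime and sort. Returns
    a list of (time, source, description) tuples, oldest first."""
    events = []
    for path, modified, accessed, created in NTFS_MAC:
        events.append((parse_iso_utc(created), "ntfs", f"created  {path}"))
        events.append((parse_iso_utc(modified), "ntfs", f"modified {path}"))
        events.append((parse_iso_utc(accessed), "ntfs", f"accessed {path}"))
    for url, epoch_ms in BROWSER_HISTORY:
        when = datetime.fromtimestamp(epoch_ms / 1000, tz=UTC)
        events.append((when, "browser", f"visited {url}"))
    for account, local_str in WINDOWS_LOGONS:
        local = datetime.strptime(local_str, "%Y-%m-%d %H:%M:%S").replace(tzinfo=MANILA)
        events.append((local.astimezone(UTC), "evtx", f"logon {account}"))
    events.sort(key=lambda e: e[0])
    return events


def events_around(events, pivot, minutes=10):
    """Events within +/- minutes of the pivot time: the sequence of actions
    that led up to, and immediately followed, the event of interest."""
    span = timedelta(minutes=minutes)
    return [e for e in events if pivot - span <= e[0] <= pivot + span]


if __name__ == "__main__":
    timeline = build_timeline()
    pivot = parse_iso_utc("2023-03-14T02:11:05Z")  # creation of the downloaded file
    for when, source, what in events_around(timeline, pivot):
        print(when.isoformat(), f"{source:8}", what)
```

Run as-is, the script lists the logon, the download visit, and the file's creation, modification and access in order, while the unrelated edits to notes.txt fall outside the window. Had the logon been read as if it were UTC, it would appear eight hours after the download, which is exactly the kind of error time-zone normalisation prevents.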

Take Note: In the world of cybersecurity, steganography is the technique of hiding secret data within a
non-secret, ordinary file or message (for example, in the low-order bits of an image's pixels, or appended
after the end of an image file) so that the existence of the data is not detected. Encryption, by
contrast, does not hide that data exists: it transforms the content of a file so that it cannot be read
without the correct key, typically one derived from a password. In both cases the analyst must first
detect that something is hidden and then recover the embedding method or the key.
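Both hiding techniques named in the data-hiding analysis above, as an added example (not from the notes): a least-significant-bit embed/extract over a constructed 8-bit pixel buffer, showing why the carrier looks unchanged, and a walk over a hand-built minimal JPEG's segment structure that returns whatever was appended after the real end-of-image marker, a crude but common hiding spot. The cover buffer, MINI_JPEG and the appended bytes are constructed for the demo; no real image is involved.

```python
"""Data-hiding analysis: how LSB steganography works, and a check for
data appended after a JPEG's end-of-image marker.

Added example, not from the notes. The cover 'image' is a constructed
byte buffer of 8-bit pixel values, and MINI_JPEG is a hand-built, minimal
JPEG byte stream (SOI, APP0, one scan, EOI), not a real photograph.
"""
import struct


def lsb_embed(cover, payload):
    """Write payload bits into the least significant bit of successive
    cover bytes, after a 4-byte big-endian length so extraction knows
    where to stop. Each pixel changes by at most 1, invisible to the eye."""
    data = struct.pack(">I", len(payload)) + payload
    bits = [(byte >> shift) & 1 for byte in data for shift in range(7, -1, -1)]
    if len(bits) > len(cover):
        raise ValueError("cover too small for payload")
    out = bytearray(cover)
    for i, bit in enumerate(bits):
        out[i] = (out[i] & 0xFE) | bit
    return bytes(out)


def _bits_to_bytes(bits):
    return bytes(int("".join(map(str, bits[i:i + 8])), 2) for i in range(0, len(bits), 8))


def lsb_extract(stego):
    """Inverse of lsb_embed: read the length prefix, then that many bytes."""
    bits = [b & 1 for b in stego]
    (length,) = struct.unpack(">I", _bits_to_bytes(bits[:32]))
    return _bits_to_bytes(bits[32:32 + 8 * length])


def max_pixel_change(cover, stego):
    return max(abs(a - b) for a, b in zip(cover, stego))


STANDALONE = {0x01, 0xD8} | set(range(0xD0, 0xD8))  # TEM, SOI, RST0..RST7 carry no length field


def jpeg_trailing_data(blob):
    """Walk the JPEG segment structure to the real End-Of-Image marker and
    return whatever follows it. Viewers stop at EOI, so bytes appended after
    it (an archive, a text file) still display as a normal picture. Searching
    for the last FF D9 would be wrong: the appended data may contain one."""
    if blob[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: no SOI marker")
    i = 2
    while i + 2 <= len(blob):
        if blob[i] != 0xFF:
            raise ValueError(f"expected a marker at offset {i}")
        marker = blob[i + 1]
        if marker == 0xD9:                                  # EOI
            return blob[i + 2:]
        if marker in STANDALONE:
            i += 2
            continue
        if i + 4 > len(blob):
            break
        i += 2 + int.from_bytes(blob[i + 2:i + 4], "big")  # segment length includes itself
        if marker == 0xDA:                                  # SOS: entropy-coded data follows
            # skip until an FF that is neither byte stuffing (FF 00) nor a restart marker
            while i + 1 < len(blob) and not (
                blob[i] == 0xFF and blob[i + 1] != 0x00 and not 0xD0 <= blob[i + 1] <= 0xD7
            ):
                i += 1
    raise ValueError("no EOI marker: truncated or not a JPEG")


COVER = bytes(range(256)) * 4  # constructed 1024-pixel grayscale 'image'
MINI_JPEG = (
    b"\xff\xd8"                                                        # SOI
    + b"\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"   # APP0, length 16
    + b"\xff\xda\x00\x08\x01\x01\x00\x00\x3f\x00"                       # SOS header, length 8
    + b"\x12\x34\xff\x00\x56\x78"                                        # scan data with FF 00 stuffing
    + b"\xff\xd9"                                                        # EOI
)
APPENDED = b"PK\x03\x04\xff\xd9hidden archive bytes"  # contains a fake FF D9 on purpose

if __name__ == "__main__":
    stego = lsb_embed(COVER, b"meet at pier 4")
    print("recovered:", lsb_extract(stego), "max pixel change:", max_pixel_change(COVER, stego))
    print("trailing bytes in clean file:", jpeg_trailing_data(MINI_JPEG))
    print("trailing bytes in tampered file:", jpeg_trailing_data(MINI_JPEG + APPENDED))
```

The maximum pixel change of 1 is the reason LSB hiding cannot be found by looking at the picture; it has to be found statistically or by knowing the embedding tool. Appended data, by contrast, is found structurally, which is why a forensic file-type check compares the parsed end of a file with its actual length.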

6. Reporting. The results of the analysis are documented in a report. This phase includes a detailed
description of the steps taken throughout the digital forensics process, the digital evidence
uncovered, and the conclusions reached based on the results of the digital forensics process and
the evidence revealed.

Common obstacles to cybercrime investigations


1. The anonymity that information and communication technology affords its users. Anonymizers, or
anonymous proxy servers, hide a user's identity by masking their IP (Internet Protocol) address, so that
the remote service sees the proxy's address instead of the user's.

Take Note: An IP address is the identifier assigned to a computer or other Internet-connected digital
device when it connects to the Internet; for a public address, the Internet service provider assigns it.
It identifies a connection, not a person: addresses are frequently reassigned (dynamic addressing) and
one public address is often shared by many devices or subscribers behind NAT, so any request to an ISP
must state the exact date, time, and time zone at which the address was observed.

Did you know?


The Onion Router (Tor), one of the anonymity networks that enable anonymous access to the Internet, was
originally developed by the United States Naval Research Laboratory to protect intelligence communications.
Since the release of Tor to the public, it has been used by individuals to protect themselves against
private and government surveillance of their online activities. Nonetheless, Tor and other anonymizing
networks have also been used by cybercriminals to commit, and to share information and/or tools for
committing, cyber-dependent and cyber-enabled crimes.

*To identify the organization associated with an IP address or domain name, the cybercrime investigator
can use a WHOIS query. ICANN's own lookup tool is at https://lookup.icann.org/; DomainTools runs a
similar service at https://whois.domaintools.com/. A WHOIS query on a domain name returns the contact
information and location of the registrant (or of the registrar or privacy service standing in for them).
For an IP address, the records are held by the regional Internet registries (ARIN, RIPE NCC, APNIC,
LACNIC, and AFRINIC), and the query returns the organization to which the address block is assigned,
which is usually the Internet service provider. WHOIS therefore identifies the ISP, not the subscriber:
tying the address to a customer requires a lawful request to that ISP.

2. The lack of mutual legal assistance on cybercrime matters, and timely collection, preservation, and
sharing of digital evidence between countries.

Take Note: In the Philippines, cybercrime warrants can also be enforced outside the Philippines, coursed
through the DOJ Office of Cybercrime (DOJ-OOC). The DOJ-OOC is also the Central Authority in all matters
relating to international mutual assistance and extradition, as far as cybercrime is concerned.

Jurisdiction of Cybercrime Courts


• All Filipino citizens, regardless of the place of commission of the cybercrime.
• Any of the elements of the cybercrime was committed within the Philippines, or committed with the use
of any computer system wholly or partly situated within the Philippines.
• The cybercrime caused damage to a natural or juridical person who, at the time the offense was
committed, was in the Philippines.

3. Cybercrime investigators face technical challenges. Investigators may not have the necessary
knowledge, equipment, and digital forensics tools needed to adequately conduct cybercrime
investigations involving digital devices.

Common Defenses of Cybercriminals and Evidence to Rebut These Defenses

1. Ghost in the Machine
• The computer was infected with a virus.
• The computer was controlled by a botnet and the defendant had nothing to do with the crime.

Take Note: A botnet is a collection of internet-connected devices infected by malware that allows
attackers to control them remotely.

Rebut with evidence:
• Anti-virus software was installed on the defendant's computer.
• No known malware was found on the computer during the forensic examination.
• Use other corroborative evidence (for example, Google searches for terms relevant to the crime, or
hacker tools found on the system).
• Provide or look for non-electronic evidence.

2. SODDI Defense (Some Other Dude Did It)

• Roommates or other people had access to my computer.
• Someone else used my wireless router.
• Others had access to the server.

Rebut with evidence:
• Show firewall logs and remote desktop logs.
• A password was set up on the computer.
• The defendant's router was locked down (encrypted Wi-Fi, no open access).
• Provide non-computer evidence.

Take Note: A firewall is a security device, either hardware or software, that helps protect a network by
filtering traffic and blocking outsiders from gaining unauthorized access to the private data on a
computer. Its logs record the connections it allowed or blocked, which is why they serve as evidence here.

3. Being Framed
• My computer was clean when it was taken.
• Something must have happened when the computer was imaged.

Rebut with evidence:
• Time/date stamps on the imaging.
• The imaging process and its verification with hash values, which prove the authenticity of the data.
• Explain the forensic imaging process (write blocker, hash computed at acquisition and re-verified).

Common digital data acquisition and analysis tools

1. EnCase
○ Recover active and deleted files
○ Email and file system analysis
○ Malicious code discovery

2. Internet Evidence Finder (IEF)
○ Similar to EnCase but focuses mostly on internet artifacts (browser history, chat, webmail, social media)
○ Finds and analyzes digital evidence from computers, smartphones, and tablets
○ User-friendly interface

3. Autopsy
○ Open-source; similar to EnCase in overall features
○ Email and file system analysis
○ Advanced searches
○ File type identification
○ Data carving
