Cdi 9 Part 2
Take Note: Law enforcement officers gather and use digital evidence not only for computer
crime or computer-related crime but for traditional crime as well.
With respect to cybercrime, the crime scene is not limited to the physical location of
the digital devices used in the commission of the cybercrime and/or that were the target of the
cybercrime. The cybercrime crime scene also includes the digital devices that potentially
hold digital evidence, and spans multiple digital devices, systems, and servers.
Take Note: The seized digital devices are considered the primary source of evidence. The
digital forensics analyst does not acquire data from the primary source. Instead, a duplicate
is made of the contents of that device and the analyst works on the copy.
Take Note: To determine whether the duplicate is an exact copy of the original, a hash
value is computed for each. If the hash values for the original and the copy match, then the contents of the
duplicate are exactly the same as the original.
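The hash comparison described in the note above, as an added example that is not part of the original notes: the script hashes a constructed "seized device" image and two copies of it (one exact, one with a single bit altered) with both MD5 and SHA-256, streaming the files in chunks as a forensic tool would for a large image, and reports whether every digest matched. File names and contents are constructed for the demonstration.

```python
import hashlib
import os
import tempfile
from typing import Dict

CHUNK_SIZE = 1024 * 1024  # read 1 MiB at a time so a multi-GB image is never fully in memory


def hash_file(path: str, algorithms=("md5", "sha256")) -> Dict[str, str]:
    """Stream a file through several hash algorithms at once and return the hex digests."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        while chunk := fh.read(CHUNK_SIZE):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def verify_duplicate(original_path: str, duplicate_path: str) -> Dict[str, object]:
    """Hash the primary source and the working copy; the copy is verified only if
    every algorithm agrees. The returned record is what would go into the report."""
    original = hash_file(original_path)
    duplicate = hash_file(duplicate_path)
    return {
        "original": original,
        "duplicate": duplicate,
        "verified": all(original[a] == duplicate[a] for a in original),
    }


def demo() -> Dict[str, bool]:
    """Constructed scenario: a fake seized-device image, an exact copy, and a copy in
    which one bit was altered. Returns the verification outcome for each copy."""
    device_contents = b"MBR\x00" * 4096 + b"constructed sample sector data " * 64
    with tempfile.TemporaryDirectory() as workdir:
        original = os.path.join(workdir, "seized_device.raw")
        exact_copy = os.path.join(workdir, "working_copy.raw")
        altered_copy = os.path.join(workdir, "altered_copy.raw")
        with open(original, "wb") as fh:
            fh.write(device_contents)
        with open(exact_copy, "wb") as fh:
            fh.write(device_contents)
        with open(altered_copy, "wb") as fh:
            # flip one bit in the middle of the data: the digests must no longer match
            data = bytearray(device_contents)
            data[len(data) // 2] ^= 0x01
            fh.write(bytes(data))
        return {
            "exact_copy": verify_duplicate(original, exact_copy)["verified"],
            "altered_copy": verify_duplicate(original, altered_copy)["verified"],
        }


if __name__ == "__main__":
    print(demo())  # {'exact_copy': True, 'altered_copy': False}
```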
5. Analysis. The digital forensics process also involves the examination and
interpretation of digital evidence. This phase requires the use of appropriate digital
forensic tools and methods to uncover digital data. There are numerous digital
forensics tools on the market, of varying quality. (Examples of digital forensics tools
include EnCase, IEF, and Autopsy.) The type of digital forensics tool varies depending
on the type of digital forensics investigation conducted. Files are analyzed to
determine their origin, and when and where the data was created, modified,
accessed, downloaded, or uploaded.
Four Types of Analyses that can be performed:
Time-frame analysis seeks to create a timeline or time sequence of actions
using time stamps (date and time) that led to an event or to determine the time
and date a user performed some action.
Data hiding analysis searches for hidden data on a system. Criminals use
several data-hiding techniques to conceal their illicit activities and identifying
information, such as steganography and encryption.
Take Note: In the world of cybersecurity, steganography is the technique of hiding secret
data within a non-secret, ordinary file or message to avoid detection. Encryption
blocks third-party access to a file, either by requiring a password or by rendering
the file, or parts of the file, unusable.
6. Reporting. The results of the analysis are documented in a report. This phase
includes a detailed description of the steps taken throughout the digital forensics
process, the digital evidence uncovered, and the conclusions reached based on the
results of the digital forensics process and the evidence revealed.
*To identify the Internet service provider (ISP) associated with an IP address, the
cybercrime investigator can use ICANN's WHOIS query tool
(https://whois.domaintools.com/). The WHOIS query tool can be used to identify the
contact information and location of the organization associated with a domain name. It
can also be used to identify the contact information and location of the
organization associated with an IP address.
2. The lack of mutual legal assistance on cybercrime matters, and timely collection,
preservation, and sharing of digital evidence between countries.
Take Note: In the Philippines, Cyber Warrants can also be enforced even outside the
Philippines, coursed through the DOJ Office of Cybercrime (DOJ-OOC). The DOJ-OOC is also the Central
Authority in all matters relating to international mutual assistance and extradition, as far
as cybercrime is concerned.
3. Cybercrime investigators face technical challenges. Investigators may not have the
necessary knowledge, equipment, and digital forensics tools needed to adequately
conduct cybercrime investigations involving digital devices.
Common Defenses of Cybercriminals and Evidence to Rebut These Defenses
1. Ghost in the Machine
Computer was infected with a virus
Computer was controlled by a botnet and the defendant had nothing to do with the crime
Take Note: A botnet is a collection of internet-connected devices infected by malware that
allows hackers to control them.
Rebut with evidence
Take Note: A firewall is a security device — computer hardware or software — that can
help protect your network by filtering traffic and blocking outsiders from gaining
unauthorized access to the private data on your computer.
3. Being Framed
My computer was clean when it was taken
Something must have happened when the computer was imaged
Rebut with evidence
1. EnCase
○ Recover active and deleted files
○ Email and file system analysis
○ Malicious code discovery
3. Autopsy
○ Similar to EnCase in overall features
○ Email and file system analysis
○ Advanced searches
○ File type identification
○ Data carving