
CYBER CRIME INVESTIGATION

What is Electronic Evidence?

Data obtained from information and communication technology (ICT) that can be used in a
court of law is known as electronic evidence (a.k.a. digital evidence).

Two types of electronic/digital evidence:

• Volatile: memory that loses its content once the power is turned off, such as data
stored in RAM (running processes, open network connections, and the keys of mounted
encrypted volumes live only there).
• Non-volatile: the content survives power loss. For example, data stored on tape, hard
drives, solid-state and USB flash drives, CD/DVD, and ROM.

Take Note: Law enforcement officers gather and use digital evidence not only for computer
crime or computer-related crime but for traditional crime as well.

What is Digital Forensics?

The process of identifying, acquiring, preserving, analyzing, and presenting electronic
evidence is known as Digital Forensics.

What is Digital Footprint?

Refers to the data left behind by ICT users that can reveal information about them.
A digital footprint can be active or passive.

• An active digital footprint is created by data the user knowingly provides, such as
personal information, videos, images, and comments posted on apps, websites, social
media, and other online forums.
• A passive digital footprint is data collected about users without their deliberate
input and often without their knowledge, such as the IP addresses, device identifiers,
cookies, and browsing history recorded by the servers and trackers they connect to.

Crime Scene in Cybercrime Cases

With respect to cybercrime, the crime scene is not limited to the physical location of
the digital devices used in the commission of the cybercrime and/or that were its target.
The cybercrime scene also includes every digital device that potentially holds digital
evidence, and so it spans multiple devices, systems, and servers, some of them remote
from the suspect and the victim.

Phases of Digital Forensics

1. Identification. This phase includes the search for and recognition of relevant
evidence, as well as its documentation. In this phase, the priorities for evidence
collection are set according to the value and volatility of the evidence (most volatile
first: RAM and network state before disks, disks before backups). Also in the
identification phase, preliminary information is obtained about the cybercrime case
prior to collecting digital evidence. This preliminary information is similar to that
which is sought during a traditional criminal investigation.
2. Collection. This phase involves the collection of all digital devices that could
potentially contain data of evidentiary value. The investigator, or crime scene
technician, collects the evidence. The collection procedures vary depending on the
type of digital device.

3. Acquisition. The collected devices are then transported to a forensic laboratory or
other facility for acquisition and analysis of digital evidence. This process is known
as static acquisition. There are cases, however, in which static acquisition is
unfeasible. In such situations, live acquisition of data is conducted: digital evidence
is collected while the computer is still powered on and a user session is active,
because the contents of RAM, running processes, network connections, and the keys to
mounted encrypted volumes would be lost the moment the machine was powered off.

At the forensics laboratory, digital evidence should be acquired in a manner that
preserves the integrity of the evidence. The data is obtained without alteration by
making a bit-for-bit copy of the original content of the digital device, specifically
its storage device (the process is known as forensic imaging), through a write blocker:
a hardware device (or a tested software equivalent) placed between the evidence drive
and the examiner's workstation that passes read commands through and discards every
write, so nothing on the original can change during the copy.

Take Note: The seized digital devices are considered the primary source of evidence. The
digital forensics analyst does not work on the primary source. Instead, a duplicate is
made of the contents of that device and the analyst works on the copy.

Take Note: To determine whether the duplicate is an exact copy of the original, a
cryptographic hash value (for example SHA-256) is computed for both. If the hash values
of the original and the copy match, the contents of the duplicate are identical to the
original; a change to even a single bit produces a different hash. MD5 and SHA-1 still
appear in older tools and reports, but they are no longer collision resistant, so record
SHA-256 (or two different hashes) for new acquisitions.

Mobile Device Acquisition/Extraction

There are two methods for retrieving data from a cell phone: logical extraction and
physical extraction. Logical extraction asks the phone's operating system, through its
backup or debugging interfaces, for the files and records it is willing to hand over;
it is easier and less time-consuming, but returns less information. Physical extraction
copies the flash storage bit for bit, including unallocated space; it is more difficult
and takes much longer (it may need a bootloader exploit, JTAG, or chip-off), but has a
greater return of hidden or deleted information.

4. Preservation. Evidence preservation seeks to protect digital evidence from
modification. The integrity of digital devices and digital evidence is established by
maintaining the chain of custody: the documented, unbroken record of who collected,
received, handled, examined, stored, or transferred each item, and when, where, and why,
from the moment of seizure until the case is closed. Each hand-off is recorded, and the
hash of a forensic image is re-verified whenever it changes hands, so any alteration can
be tied to a specific step.
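The imaging and verification steps above (forensic image taken through a write blocker, hash of original and copy compared, chain of custody re-checked at every hand-off) as one worked example. This is added illustrative Python, not code from the page or from any forensic tool it names; the "device" is a constructed in-memory byte buffer, the WriteBlocked class only models what a hardware blocker does, and the item ID and examiner names are placeholders.

```python
import hashlib
import io
from dataclasses import dataclass, field
from datetime import datetime, timezone

CHUNK = 1024 * 1024  # hash/copy 1 MiB at a time so terabyte images never sit in RAM


class WriteBlocked:
    """Stand-in for a write blocker (assumption: models behaviour only).
    Passes reads and seeks through to the source device, refuses every write;
    a hardware blocker does the same at the SATA/USB command level."""

    def __init__(self, device):
        self._dev = device

    def read(self, n=-1):
        return self._dev.read(n)

    def seek(self, pos, whence=0):
        return self._dev.seek(pos, whence)

    def write(self, data):
        raise PermissionError("write blocker: source evidence is read-only")


def sha256_of(fobj):
    """Hash an open file-like object from its start, chunk by chunk."""
    h = hashlib.sha256()
    fobj.seek(0)
    for chunk in iter(lambda: fobj.read(CHUNK), b""):
        h.update(chunk)
    return h.hexdigest()


def acquire_image(source, image):
    """Bit-for-bit copy of `source` into `image`.

    The source is hashed while it is read (one pass over the original) and the
    finished image is hashed separately; the caller compares the two values."""
    h = hashlib.sha256()
    source.seek(0)
    image.seek(0)
    for chunk in iter(lambda: source.read(CHUNK), b""):
        h.update(chunk)
        image.write(chunk)
    image.flush()
    return h.hexdigest(), sha256_of(image)


@dataclass
class CustodyEntry:
    when: str        # UTC timestamp of the hand-off
    handler: str     # who took possession
    action: str      # received / returned / analysed ...
    sha256: str      # hash of the image at that moment
    intact: bool     # does it still match the acquisition hash?


@dataclass
class EvidenceItem:
    item_id: str
    description: str
    acquisition_hash: str
    custody: list = field(default_factory=list)

    def record(self, handler, action, image):
        """Every hand-off re-hashes the image and logs who, when, what and the
        hash, so a later change is pinned to one specific custody step."""
        digest = sha256_of(image)
        intact = digest == self.acquisition_hash
        self.custody.append(CustodyEntry(
            datetime.now(timezone.utc).isoformat(timespec="seconds"),
            handler, action, digest, intact))
        return intact

    def first_break(self):
        """Index of the custody entry at which integrity was first lost, or None."""
        for i, entry in enumerate(self.custody):
            if not entry.intact:
                return i
        return None


def demo():
    # Constructed "device": 3 MiB of repeating sector-like data (not a real drive).
    device = io.BytesIO(b"SECTOR-DATA-" * (3 * 1024 * 1024 // 12))
    image = io.BytesIO()

    src_hash, img_hash = acquire_image(WriteBlocked(device), image)
    item = EvidenceItem("E-2024-001", "constructed sample drive", src_hash)

    ok_after_acquire = src_hash == img_hash
    ok_at_lab = item.record("examiner A", "received at lab", image)

    # Someone opens the image read-write and changes a single byte ...
    image.seek(4096)
    image.write(b"\x00")
    ok_after_tamper = item.record("examiner B", "received for analysis", image)

    return ok_after_acquire, ok_at_lab, ok_after_tamper, item.first_break()


if __name__ == "__main__":
    print(demo())
```

The single-byte change is caught at the second hand-off, and the custody log shows exactly which step it happened between; that is the record an examiner brings to court against a "something happened during imaging" claim.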

5. Analysis. The digital forensics process also involves the examination and
interpretation of digital evidence. This phase requires the use of appropriate digital
forensic tools and methods to recover and interpret data. There are numerous digital
forensics tools on the market, of varying quality (examples include EnCase, IEF, and
Autopsy). The choice of tool depends on the type of digital forensics investigation
conducted. Files are analyzed to determine their origin, and when and where the data was
created, modified, accessed, downloaded, or uploaded.
Four types of analyses that can be performed:
• Time-frame analysis seeks to create a timeline or time sequence of the actions that
led to an event, using time stamps (date and time) from the different sources, or to
determine the time and date at which a user performed some action. Time stamps from
different sources must first be converted to a common time zone (normally UTC), and any
clock offset on a device must be measured and corrected.
• Ownership and possession analysis is used to determine the person who created,
accessed, and/or modified files on a computer system.
• Application and file analysis examines the applications and files on a computer
system to determine the perpetrator's knowledge, intent, and capability to commit the
cybercrime.
• Data hiding analysis searches for hidden data on a system. Criminals use several
data-hiding techniques, such as steganography and encryption, to conceal their illicit
activities and identifying information.

Take Note: In the world of cybersecurity, steganography is the technique of hiding
secret data within a non-secret, ordinary file or message (an image, audio file, or
document) so that the very existence of the data is not detected. Encryption does not
hide that data exists; it transforms a file with a key so that its contents are
unreadable to anyone who does not hold the key (or the password that protects it).
Encrypted data is recognizable by its high entropy, so examiners can flag it even when
they cannot yet open it.
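An added example of what data hiding analysis is up against, written for this page and not taken from any tool it names: a least-significant-bit (LSB) steganography embed/extract over a constructed byte buffer standing in for raw pixel data, and the entropy measure examiners use to flag encrypted or compressed blobs. The cover, plaintext, and "ciphertext" samples are all constructed (the ciphertext is a SHA-256 counter stream, no real cipher or key), and the 7.9 bits/byte threshold is a common rule of thumb rather than a standard.

```python
import hashlib
import math
from collections import Counter


def embed_lsb(cover, payload):
    """Hide `payload` in the least significant bit of successive cover bytes
    (length-prefixed so the extractor knows where to stop). Each carrier value
    changes by at most 1, which is why the cover looks untouched."""
    data = len(payload).to_bytes(4, "big") + payload
    bits = [(byte >> (7 - i)) & 1 for byte in data for i in range(8)]
    if len(bits) > len(cover):
        raise ValueError("cover too small for payload")
    out = bytearray(cover)
    for pos, bit in enumerate(bits):
        out[pos] = (out[pos] & 0xFE) | bit
    return bytes(out)


def extract_lsb(stego):
    """Reverse of embed_lsb: rebuild bytes from the LSB plane."""
    def read_bytes(count, offset):
        chunk = bytearray()
        for k in range(count):
            byte = 0
            for i in range(8):
                byte = (byte << 1) | (stego[offset + k * 8 + i] & 1)
            chunk.append(byte)
        return bytes(chunk)
    length = int.from_bytes(read_bytes(4, 0), "big")
    return read_bytes(length, 32)


def shannon_entropy(data):
    """Bits of entropy per byte: roughly 4-5 for text, 6-7 for executables,
    above 7.9 for encrypted or well-compressed data."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def is_high_entropy(data, threshold=7.9, min_size=4096):
    """Triage rule: flag blobs that look encrypted. Small samples are skipped
    because an entropy estimate on a few hundred bytes is unreliable."""
    return len(data) >= min_size and shannon_entropy(data) > threshold


# Constructed samples. The "encrypted" one is a deterministic SHA-256 counter
# stream standing in for ciphertext (assumption: no real cipher involved).
PLAINTEXT_SAMPLE = b"The quick brown fox jumps over the lazy dog. " * 400
ENCRYPTED_SAMPLE = b"".join(hashlib.sha256(i.to_bytes(4, "big")).digest()
                            for i in range(512))
COVER_SAMPLE = bytes(range(256)) * 64   # stands in for raw 8-bit pixel values


def demo():
    stego = embed_lsb(COVER_SAMPLE, b"meet at pier 9")
    return {
        "recovered": extract_lsb(stego),
        "max_pixel_change": max(abs(a - b) for a, b in zip(COVER_SAMPLE, stego)),
        "plaintext_flagged": is_high_entropy(PLAINTEXT_SAMPLE),
        "encrypted_flagged": is_high_entropy(ENCRYPTED_SAMPLE),
        # LSB embedding barely moves whole-file entropy, so entropy triage
        # finds encrypted containers but not steganographic carriers.
        "entropy_shift": round(abs(shannon_entropy(stego)
                                   - shannon_entropy(COVER_SAMPLE)), 3),
    }


if __name__ == "__main__":
    print(demo())
```

The two halves make opposite points: entropy triage reliably separates the ciphertext sample from text, but the stego carrier's entropy is indistinguishable from the clean cover, which is why stego detection needs format-specific statistical tests or the original file for comparison rather than a file-level entropy scan.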

6. Reporting. The results of the analysis are documented in a report. This phase
includes a detailed description of the steps taken throughout the digital forensics
process (tools and versions used, hash values, and the chain of custody), the digital
evidence uncovered, and the conclusions reached based on the results of the digital
forensics process and the evidence revealed.

Common obstacles to cybercrime investigations

1. The anonymity that information and communication technology affords its users.
Anonymizers, or anonymous proxy servers, hide users' identity data by masking their
IP (Internet Protocol) address or substituting a different IP address for it.

Take Note: An IP address is an identifier assigned to a computer or other
Internet-connected digital device (or to the router in front of it) by the Internet
service provider when it connects to the Internet. It identifies a network connection at
a point in time, not a person: addresses are often reassigned dynamically and, behind
NAT, shared by many devices, so any request to an ISP must state the exact date, time,
and time zone of the connection (and, for carrier-grade NAT, the source port).

Did you know?

The Onion Router (or Tor), one of the anonymity networks that enables anonymous access,
was originally developed by the United States Naval Research Laboratory to protect
government intelligence communications online. Since the release of Tor to the public,
it has been used by individuals to protect themselves against private and government
surveillance of their online activities. Nonetheless, Tor and other anonymizing
networks have also been used by cybercriminals to commit, and to share information
and/or tools for committing, cyber-dependent and cyber-enabled crimes.

To identify the Internet service provider (ISP) or other organization that holds an IP
address, the cybercrime investigator runs a WHOIS query (or a query to its successor
protocol, RDAP). IP address allocations are recorded by the five Regional Internet
Registries (ARIN, RIPE NCC, APNIC, LACNIC, and AFRINIC), each of which offers its own
lookup; commercial front-ends such as https://whois.domaintools.com/ query those
registries on the investigator's behalf (the site is not ICANN's own tool). The same
WHOIS/RDAP lookup identifies the contact information and location of the organization
that registered a domain name, from the registrar and registry records coordinated by
ICANN. In either case the result names the allocation holder or registrant, not the
person who used the address at a given time; that requires a request to the ISP with
the exact time of the connection.
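Before an investigator spends a WHOIS or ISP request on an address, it is worth checking what kind of address it is. The following added Python example (written for this page, not from any tool it names) runs constructed access-log lines through that check: private, loopback, carrier-grade NAT, documentation, and Tor exit addresses each get a different answer about what a registry lookup can yield. The Tor exit list is a constructed stand-in (real lists come from the Tor Project and change hourly), and the log lines are constructed for the example.

```python
import ipaddress
import re

# Constructed Tor exit list for the example (assumption). Real exit lists are
# published by the Tor Project; these are RFC 5737 documentation addresses,
# chosen precisely because they cannot belong to any real relay.
TOR_EXITS = {"203.0.113.7", "198.51.100.42"}

CGNAT = ipaddress.ip_network("100.64.0.0/10")  # RFC 6598 shared address space
DOCUMENTATION = [ipaddress.ip_network(n) for n in
                 ("192.0.2.0/24", "198.51.100.0/24", "203.0.113.0/24", "2001:db8::/32")]


def classify_ip(addr, tor_exits=TOR_EXITS):
    """Return (label, what the investigator can realistically learn from it)."""
    ip = ipaddress.ip_address(addr)
    if str(ip) in tor_exits:
        return ("tor-exit", "WHOIS names the relay operator, not the user behind it; "
                            "attribution has to come from elsewhere")
    if ip.is_loopback:
        return ("loopback", "traffic originated on the logging host itself")
    if ip in CGNAT:
        return ("cgnat", "shared by many subscribers; the ISP needs exact time, time zone "
                         "and source port to pick one out")
    if any(ip in net for net in DOCUMENTATION):
        return ("documentation", "RFC 5737/3849 placeholder; cannot occur on the Internet, "
                                 "so the log was sanitised or fabricated")
    if ip.is_private:
        return ("private", "RFC 1918/ULA address; ask the owner of that LAN (DHCP and NAT "
                           "logs), not a registry")
    if not ip.is_global:
        return ("non-routable", "link-local, multicast or reserved; WHOIS will not help")
    return ("public", "query the Regional Internet Registry WHOIS/RDAP for the allocation "
                      "holder, then the ISP for the subscriber at that time")


# Combined log format: client address, two '-' fields, [timestamp], "request".
LOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)"')


def triage_log(text, tor_exits=TOR_EXITS):
    """Run every source address in an access log through classify_ip.
    Returns one (ip, timestamp, request, label) tuple per parsed line."""
    rows = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        ip, ts, request = m.groups()
        rows.append((ip, ts, request, classify_ip(ip, tor_exits)[0]))
    return rows


# Constructed access-log lines (not from any real server).
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2024:10:15:32 +0800] "POST /login HTTP/1.1" 200 512
10.0.0.5 - - [12/Mar/2024:10:16:01 +0800] "GET /admin HTTP/1.1" 403 128
100.64.3.9 - - [12/Mar/2024:10:17:44 +0800] "GET /admin HTTP/1.1" 200 4096
127.0.0.1 - - [12/Mar/2024:10:18:00 +0800] "GET /health HTTP/1.1" 200 2
2001:db8::1 - - [12/Mar/2024:10:19:10 +0800] "GET /export HTTP/1.1" 200 90210
"""

if __name__ == "__main__":
    for row in triage_log(SAMPLE_LOG):
        print(row)
```

The order of the checks matters: the Tor exit match runs first because it is the most specific fact known about an address, and the documentation-range check runs before the private-range check because Python's `ipaddress` module classifies the RFC 5737 test networks as private.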

2. The lack of mutual legal assistance on cybercrime matters, and timely collection,
preservation, and sharing of digital evidence between countries.

Take Note: In the Philippines, cyber warrants can also be enforced outside the
Philippines, coursed through the DOJ Office of Cybercrime (DOJ-OOC). The DOJ-OOC is also
the central authority in all matters relating to international mutual assistance and
extradition, as far as cybercrime is concerned.

Jurisdiction of Cybercrime Courts

• All Filipino citizens, regardless of the place of commission of the cybercrime.
• Any of the elements of the cybercrime was committed within the Philippines, or the
cybercrime was committed with the use of any computer system wholly or partly situated
within the Philippines.
• The cybercrime caused damage to a natural or juridical person who, at the time the
offense was committed, was in the Philippines.

3. Cybercrime investigators face technical challenges. Investigators may not have the
necessary knowledge, equipment, and digital forensics tools needed to adequately
conduct cybercrime investigations involving digital devices.

Common Defenses of Cybercriminals and Evidence to Rebut These Defenses

1. Ghost in the Machine
• The computer was infected with a virus.
• The computer was controlled by a botnet and the defendant had nothing to do with the
crime.
Take Note: A botnet is a collection of internet-connected devices infected by malware
that allows attackers to control them remotely.
Rebut with evidence:
• Anti-virus software was installed and current on the defendant's computer.
• No known malware was found on the forensic image (anti-malware scan of the image,
review of persistence locations and scheduled tasks).
• Use other corroborative evidence (Google searches for terms relevant to the crime,
hacker tools present on the system, etc.).
• Provide/look for non-electronic evidence.

2. SODDI Defense (Some Other Dude Did It)
• Roommates/other people had access to my computer.
• Others could have used my wireless router.
• Others have access to the server.
Rebut with evidence:
• Show firewall logs and remote desktop logs (which sessions existed, from which
address, and at what time relative to the act).
• A password was set up on the computer.
• The defendant's router was locked down (encrypted Wi-Fi with a non-default password,
no open guest network).
• Provide non-computer evidence.

Take Note: A firewall is a security device — computer hardware or software — that can
help protect your network by filtering traffic and blocking outsiders from gaining
unauthorized access to the private data on your computer
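The time-frame analysis described in the Analysis phase and the remote-desktop/logon evidence used to rebut a SODDI defense come together in one added example. It is illustrative Python written for this page, not output of any tool the page mentions: five constructed artefacts (an NTFS creation time in UTC, Security-log logon/logoff events exported in the machine's +08:00 local zone, a firewall event in Unix epoch seconds) are normalised to UTC, sorted into a timeline, and then used to answer which accounts had an open session, console or RDP, at the moment a file was created. Usernames, logon IDs, paths, and addresses are placeholders; the logon type numbers (2 interactive, 3 network, 10 RemoteInteractive) and event IDs 4624/4634/4647 are the real Windows Security log values.

```python
from datetime import datetime, timezone

# Windows Security log logon types relevant to "who was at the keyboard".
LOGON_TYPES = {2: "Interactive (console)", 3: "Network (SMB/RPC)",
               10: "RemoteInteractive (RDP)"}

# Constructed artefacts (assumption: placeholder names, IDs and addresses) from
# three sources, each in the time format that source really uses: NTFS keeps
# UTC, the Security log was exported in the machine's local zone (+08:00),
# the firewall writes Unix epoch seconds.
ARTIFACTS = [
    {"source": "Security.evtx", "ts": "2024-03-12T09:58:10+08:00", "event_id": 4624,
     "user": "bob", "logon_type": 2, "logon_id": "0x3e7a1", "detail": "console logon"},
    {"source": "NTFS $STANDARD_INFORMATION", "ts": "2024-03-12T02:15:32Z",
     "detail": "created C:\\Users\\bob\\tools\\dump.bin"},
    {"source": "firewall", "ts": 1710209740,
     "detail": "outbound 203.0.113.7:443 allowed"},
    {"source": "Security.evtx", "ts": "2024-03-12T10:30:05+08:00", "event_id": 4624,
     "user": "alice", "logon_type": 10, "logon_id": "0x41c02",
     "detail": "RDP logon from 10.0.0.5"},
    {"source": "Security.evtx", "ts": "2024-03-12T10:41:00+08:00", "event_id": 4634,
     "logon_id": "0x3e7a1", "detail": "bob logged off"},
]


def parse_ts(value):
    """Normalise every artefact timestamp to an aware UTC datetime.
    A naive (zone-less) timestamp is rejected rather than guessed."""
    if isinstance(value, (int, float)):
        return datetime.fromtimestamp(value, tz=timezone.utc)
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"
    dt = datetime.fromisoformat(value)
    if dt.tzinfo is None:
        raise ValueError(f"timestamp without zone cannot be placed on the timeline: {value}")
    return dt.astimezone(timezone.utc)


def build_timeline(artifacts):
    """Sort all artefacts by UTC time; returns (utc_iso, source, detail) rows."""
    rows = [(parse_ts(a["ts"]), a["source"], a["detail"]) for a in artifacts]
    rows.sort(key=lambda r: r[0])
    return [(t.isoformat(), s, d) for t, s, d in rows]


def active_sessions_at(artifacts, when):
    """Which accounts had an open logon session at UTC instant `when`, and how
    they logged on. 4624 opens a session keyed by Logon ID; 4634/4647 close it.
    A session with no logoff event is treated as still open."""
    opened, closed = {}, {}
    for a in artifacts:
        if a.get("event_id") == 4624:
            opened[a["logon_id"]] = (parse_ts(a["ts"]), a["user"], a["logon_type"])
        elif a.get("event_id") in (4634, 4647):
            closed[a["logon_id"]] = parse_ts(a["ts"])
    active = []
    for logon_id, (start, user, ltype) in opened.items():
        end = closed.get(logon_id)
        if start <= when and (end is None or when < end):
            active.append((user, LOGON_TYPES.get(ltype, f"type {ltype}")))
    return sorted(active)


if __name__ == "__main__":
    for row in build_timeline(ARTIFACTS):
        print(*row, sep="  ")
    created = parse_ts("2024-03-12T02:15:32Z")
    print("sessions when dump.bin was created:", active_sessions_at(ARTIFACTS, created))
    # Reading the NTFS time as if it were local (+08:00) moves it eight hours
    # earlier and finds nobody logged on; that mistake is the reason every
    # timestamp is normalised before comparison.
    print("same question, timestamp misread as local:",
          active_sessions_at(ARTIFACTS, parse_ts("2024-03-12T02:15:32+08:00")))
```

With the zones handled, the file was created while only the console session was open and fifteen minutes before the RDP session began, which is the kind of statement the remote desktop logs let an examiner make; feeding the NTFS time in as if it were local instead finds nobody logged on at all.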

3. Being Framed
• My computer was clean when it was taken.
• Something must have happened when the computer was imaged.
Rebut with evidence:
• Time/date stamps on the imaging and on the chain-of-custody records.
• The imaging process and its verification with hash values, which prove that the
analyzed copy is identical to the seized original.
• Explain the forensic imaging process (write blocker, hashing, working on copies).

Common digital data acquisition and analysis tools

1. EnCase
○ Recover active and deleted files
○ Email and file system analysis
○ Malicious code discovery

2. Internet Evidence Finder (IEF)
○ Similar to EnCase but focuses mostly on internet artifacts (browser history, chat,
webmail, social media)
○ Find and analyze digital evidence from computers, smartphones, and tablets
○ User-friendly interface

3. Autopsy
○ Open-source graphical front end to The Sleuth Kit, similar to EnCase in overall
features
○ Email and file system analysis
○ Advanced searches
○ File type identification
○ Data carving
