Cdi 9 (Introduction To Cybercrime)
“Ever since men began to modify their lives by using technology they have found themselves in a
series of technological traps”
Roger Revelle
What is Cyber Crime?
Cyber-crimes are essentially a combination of the elements of computer crime and net crime and
can best be defined as "offenses that are committed against individuals or groups of individuals
with a criminal motive to intentionally harm the reputation of the victim or cause physical or
mental harm to the victim, directly or indirectly, using modern telecommunication networks such
as the Internet and mobile phones."
In its simplest definition, Cybercrime is criminal activity that either targets or uses a
computer, a computer network or a networked device.
What is Cyber Criminology?
Cyber Criminology is the study of the causation of crimes that occur in cyberspace and their
impact in the physical space (Jaishankar 2007).
General categories of Cyber Crime:
1. Computer as a Target
2. Computer as a weapon
The computer as we know it today had its beginnings in the 19th century. An English mathematics
professor named Charles Babbage designed the Analytical Engine, and this design became the basic
framework on which the computers of today are based.
The first person to be found guilty of cybercrime was Ian Murphy, also known as Captain
Zap, and that happened in the year 1981.
The first unsolicited bulk commercial email was sent by a Digital Equipment Corp
marketing representative to every ARPANET (Advanced Research Projects Agency Network)
address on the west coast of the United States on May 3, 1978. The message promoted the
availability of a new model of computer and was sent by Gary Thuerk to 393 recipients.
Take Note: Advanced Research Projects Agency Network (ARPANET) was the first wide-area
packet-switching network with distributed control and one of the first networks to implement the
TCP/IP protocol suite. This technology became the technical foundation of the Internet.
What is I Love You Virus?
The I LOVE YOU virus, also known as the love bug virus, was a type of computer virus that
attacked billions of computers running Windows operating systems. The attack started in May 2000
from the Philippines. The virus spread through the Internet as an email attachment, with the
subject line "ILOVEYOU" and an attachment named "LOVE-LETTER-FOR-YOU.txt.vbs".
The virus was created by Onel De Guzman, a computer programming student at AMA.
What happened to the case of Onel De Guzman?
Absolutely nothing happened. Government prosecutors filed cases against him, but even at
the first stage the indictment was dismissed, because at the time of commission there was no law
in the Philippines penalizing the said act.
What was the effect of I Love You Virus Case on the Philippine Legislation?
In order to curb the threat posed by cybercrime, the Philippine Congress enacted Republic
Act (RA) 8792, otherwise known as the “Electronic Commerce Act of 2000”. This was signed
into law on 14 June 2000.
The salient features of the Act are as follows:
• Provides for the admissibility of electronic documents in court cases;
• Penalizes limited online crime, such as hacking, introduction of viruses and copyright violations,
with a fine of at least Php100,000 and a maximum commensurate to the damage incurred, and
imprisonment of six months to three years, among others;
• Promotes e-commerce in the country;
• Aims to reduce graft and corruption in government.
Take Note: RA 8792 is considered a landmark law in the history of the Philippines, since it
placed the Philippines among the countries penalizing cybercrime.
Likewise, the Supreme Court drafted the Rules on Electronic Evidence, which took effect on
1 August 2000, to emphasize the admissibility of evidence in electronic form, subject to its
authenticity and reliability.
Input devices - An input device is any hardware component that allows the user to enter
data into the computer.
Keyboard
Mouse
Scanner
Microphone
Digital Camera
PC Video Camera
Output Devices - An output device is any hardware component that gives information to
the user.
Monitor
Printer
Speaker
Storage Media
Storage keeps data, information and instructions for use in the future.
Primary storage
RAM (Random Access Memory) is the primary storage of a computer. When you're working on a
file on your computer, it will temporarily store data in your RAM. RAM allows you to perform
everyday tasks like opening applications, loading webpages, editing a document or playing
games, and lets you quickly jump from one task to another without losing your progress.
Secondary Storage (Hard Disk Drives (HDD) & Solid-State Drives (SSD))
Hard Disk Drives (HDD) - Hard disk drives are commonly used as the main storage device in a
computer. HDDs often store the operating system, software programs and other files. They are
magnetic storage devices.
Solid-State Drives (SSD) - Solid-state drives are a newer generation of storage device used in
computers. SSDs replace traditional mechanical hard disks with flash-based memory, which is
significantly faster. SSDs don't rely on magnets and spinning disks; instead they use a type of
flash memory called NAND.
White hats - also known as ethical hackers, strive to operate in the public's best interest
rather than to create turmoil. Many white hat hackers do penetration testing, attempting to
break into a company's networks in order to find and report security vulnerabilities.
Black hat hackers - hackers of this kind break into systems to take control of them for personal
gain. They destroy, steal and even prevent authorized users from accessing the system.
Gray hat hackers - They belong to the neutral zone. They act in the middle ground between
white hat hackers, who operate on behalf of those maintaining secure systems, and black hat
hackers, who act maliciously to exploit vulnerabilities in systems.
Take Note: Hacking is the process of intruding computer systems without authorization in
order to gain access to them, for good or bad purposes while cracking is breaking into the
security system for criminal and illegal reasons or for personal gains only.
4. Cyber Fraud - is a crime committed via a computer and the Internet with the intent to illegally
obtain another individual's personal and financial information stored online by deceiving them.
a. Spoofing or Phishing - Spoofing is a type of scam in which criminals attempt to obtain
someone's personal information by pretending to be a legitimate source. It can be in the form
of:
Email Spoofing- Email spoofing is a technique used in spam and phishing attacks to
trick users into thinking a message came from a person or entity they either know or
can trust. In email spoofing attacks, the sender forges email headers so that client
software displays the fraudulent sender address, which most users take at face value.
Text Message Spoofing - Sometimes referred to as smishing. The text message may
appear to come from a legitimate source, such as your bank. It may request that you
call a certain phone number or click on a link within the message, with the goal of
getting you to divulge personal information.
URL Spoofing - URL spoofing happens when scammers set up a fraudulent website
to obtain information from victims or to install malware on their computers.
Virus hoax emails - Virus hoaxes are false reports about non-existent viruses, often claiming
to do impossible things like blow up the recipient's computer and set it on fire, or less
sensationally, delete everything on the user's computer.
b. Lottery Frauds - These are emails, which inform the recipient that he/ she has won a
prize in a lottery.
c. Credit Card Fraud - Credit card fraud is the unauthorized use of a credit or debit card, or
similar payment tool to fraudulently obtain money or property. Credit and debit card
numbers can be stolen from unsecured websites or can be obtained in an identity theft
scheme.
Take Note: Identity theft is the scheme of obtaining the personal, financial information or
other information of another person to use their identity to commit fraud or other illegal
activities.
d. Theft of Internet Hours - Unauthorized use of Internet hours paid for by another person.
e. Cyber Terrorism - It refers to unlawful attacks and threats of attacks against computers,
networks and the information stored therein when done to intimidate or coerce a government
or its people in furtherance of political or social objectives.
f. Cyber Pornography – is the act of using cyberspace to create, display, distribute, import,
or publish pornography or obscene materials, especially materials depicting children engaged
in sexual acts with adults.
g. Cyber-libel or cyber defamation - is a term used when someone has posted or emailed
something that is untrue and damaging about someone else online, including on blogs, in chat
rooms, on personal websites, on social media and social networking sites, or in other published
articles. Cyber defamation is also called cyber smearing.
h. Cyber Stalking - Cyber-stalking refers to the use of the Internet, e-mail, or other electronic
communications device to stalk and then harass another person.
i. Denial of Service attacks - A DoS attack makes a computer or computer network unavailable to
its users by flooding the target with traffic, or by sending information that triggers a crash on
the targeted computer or network.
j. Distributed denial-of-service attack (DDoS attack) - occurs when multiple systems flood
the bandwidth or resources of a targeted system, usually one or more web servers.
d. Trojan Horse - Trojan horse, commonly known as a “Trojan,” is a type of malware that
disguises itself as a normal file or program to trick users into downloading and installing
malware. A Trojan can give a malicious party remote access to an infected computer. Once an
attacker has access to an infected computer, it is possible for the attacker to steal data.
e. Virus - Viruses are designed to damage the target computer or device by corrupting data,
reformatting your hard disk, or completely shutting down your system.
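Email spoofing, described under Cyber Fraud above, works because the From header is whatever the sender writes. As an added example (not part of these course notes), the Python below inspects the headers of a constructed message for the indicators a defender checks: the Return-Path and Reply-To domains disagreeing with the From domain, and SPF/DKIM/DMARC failures recorded by the receiving mail server in Authentication-Results. All addresses and domains are invented, and the Authentication-Results parsing is a simplified one.

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed sample: the visible From: claims a bank, while the envelope sender
# (Return-Path), the Reply-To and the receiving server's authentication results
# all point elsewhere. Header names are standard; every value is invented.
SAMPLE_SPOOFED = b"""\
Return-Path: <bounce@mail-blast.example.net>
Authentication-Results: mx.example.org; spf=fail smtp.mailfrom=mail-blast.example.net;
 dkim=none; dmarc=fail header.from=examplebank.example
From: "Example Bank Security" <alerts@examplebank.example>
Reply-To: <verify-account@examplebank-secure.example.net>
To: <customer@example.org>
Subject: Urgent: confirm your account

Please click the link to confirm your account.
"""

# Constructed sample of a legitimate message from the same bank, for comparison.
SAMPLE_CLEAN = b"""\
Return-Path: <alerts@examplebank.example>
Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=examplebank.example;
 dkim=pass header.d=examplebank.example; dmarc=pass header.from=examplebank.example
From: "Example Bank" <alerts@examplebank.example>
To: <customer@example.org>
Subject: Your monthly statement is ready

Your statement is attached.
"""


def _domain(header_value):
    """Return the lower-cased domain of an address header ('' if the header is absent)."""
    _, address = parseaddr(header_value or "")
    return address.rpartition("@")[2].lower()


def _auth_result(header_value, mechanism):
    """Pull the pass/fail/none verdict for spf, dkim or dmarc out of Authentication-Results."""
    for clause in (header_value or "").split(";"):
        clause = clause.strip()
        if clause.startswith(mechanism + "="):
            return clause.split("=", 1)[1].split()[0].lower()
    return "none"


def spoofing_indicators(raw_message):
    """Return a list of human-readable spoofing indicators found in a raw RFC 5322 message."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    indicators = []
    from_domain = _domain(msg["From"])
    return_path_domain = _domain(msg["Return-Path"])
    reply_to_domain = _domain(msg["Reply-To"])
    if return_path_domain and return_path_domain != from_domain:
        indicators.append("Return-Path domain differs from From domain")
    if reply_to_domain and reply_to_domain != from_domain:
        indicators.append("Reply-To domain differs from From domain")
    for mechanism in ("spf", "dkim", "dmarc"):
        if _auth_result(msg["Authentication-Results"], mechanism) == "fail":
            indicators.append(f"{mechanism} failed for the claimed sender")
    return indicators


def is_suspected_spoof(raw_message):
    """True when at least one indicator is present; a triage flag, not a verdict."""
    return bool(spoofing_indicators(raw_message))


if __name__ == "__main__":
    for label, sample in (("spoofed", SAMPLE_SPOOFED), ("clean", SAMPLE_CLEAN)):
        print(label, spoofing_indicators(sample))
```

A mismatch between From and Return-Path alone is common in legitimate mailing-list traffic, so the indicators are meant to be read together rather than individually.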
What is RA 10175?
Republic Act No. 10175, otherwise known as the “Cybercrime Prevention Act of 2012”
What are the acts that constitute Cybercrime Offenses under RA 10175?
A. Offenses against the confidentiality, integrity and availability of computer data and
systems
1. Illegal Access – The access to the whole or any part of a computer system without right.
2. Illegal Interception – The interception made by technical means and without right, of any
non-public transmission of computer data to, from, or within a computer system, including
electromagnetic emissions from a computer system carrying such computer data: Provided,
however, That it shall not be unlawful for an officer, employee, or agent of a service
provider, whose facilities are used in the transmission of communications, to intercept,
disclose or use that communication in the normal course of employment, while engaged in
any activity that is necessary to the rendition of service or to the protection of the rights or
property of the service provider, except that the latter shall not utilize service observing or
random monitoring other than for purposes of mechanical or service control quality checks.
5. Misuse of Devices
a. The use, production, sale, procurement, importation, distribution or otherwise making
available, intentionally and without right, of any of the following:
i. A device, including a computer program, designed or adapted primarily for the
purpose of committing any of the offenses under these Rules; or
ii. A computer password, access code, or similar data by which the whole or any part of
a computer system is capable of being accessed, with the intent that it be used for the
purpose of committing any of the offenses under these Rules.
b. The possession of an item referred to in 5a(i) or (ii) above, with the intent to use said
devices for the purpose of committing any of the offenses under this section.
B. Computer-related Offenses
1. Computer-related Forgery
a. The input, alteration or deletion of any computer data without right, resulting in
inauthentic data, with the intent that it be considered or acted upon for legal purposes
as if it were authentic, regardless whether or not the data is directly readable and
intelligible; or
b. The act of knowingly using computer data, which is the product of computer-related
forgery as defined herein, for the purpose of perpetuating a fraudulent or dishonest
design.
C. Content-related Offenses:
1. Any person found guilty of Child Pornography shall be punished in accordance with the
penalties set forth in Republic Act No. 9775 or the “Anti-Child Pornography Act of 2009”.
Take Note: The penalty to be imposed shall be one (1) degree higher than that provided for in
Republic Act No. 9775 if committed through a computer system.
The following constitute other cybercrime offenses punishable under the RA 10175:
1. Cyber-squatting – The acquisition of a domain name over the internet, in bad faith, in order to
profit, mislead, destroy reputation, and deprive others from registering the same, if such a
domain name is:
Take Note: Cybersex involving a child shall be punished in accordance with the provision on
child pornography of the Act.
3. Libel – The unlawful or prohibited acts of libel, as defined in Article 355 of the Revised Penal
Code, as amended, committed through a computer system or any other similar means.
Take Note: This provision applies only to the original author of the post or online libel, and not to
others who simply receive the post and react to it.
Take Note: The NBI shall create a cybercrime division to be headed by at least a Head Agent. The
PNP shall create an anti-cybercrime unit headed by at least a Police Director.
Take Note: The DOJ – Office of Cybercrime (OOC) created under the Act shall coordinate the
efforts of the NBI and the PNP in enforcing the provisions of the Act. It also provided under this
law the creation of an inter-agency body known as the Cybercrime Investigation and Coordinating
Center (CICC) under the Office of the President.
Duties of Law Enforcement Authorities. – To ensure that the technical nature of cybercrime
and its prevention is given focus, and considering the procedures involved for international
cooperation, law enforcement authorities, specifically the computer or technology crime divisions
or units responsible for the investigation of cybercrimes, are required to submit timely and
regular reports including pre-operation, post-operation and investigation results, and such other
documents as may be required to the Department of Justice (DOJ) – Office of Cybercrime for
review and monitoring.
Preservation and Retention of Computer Data. – The integrity of traffic data and subscriber
information shall be kept, retained and preserved by a service provider for a minimum period of
six (6) months from the date of the transaction. Content data shall be similarly preserved for six
(6) months from the date of receipt of the order from law enforcement authorities requiring its
preservation.
Disclosure of Computer Data. – Law enforcement authorities, upon securing a court warrant,
shall issue an order requiring any person or service provider to disclose or submit, within
seventy-two (72) hours from receipt of such order, subscriber’s information, traffic data or
relevant data in his/its possession or control.
Search, Seizure and Examination of Computer Data. – Where a search and seizure warrant
is properly issued, the law enforcement authorities shall likewise have the following powers and
duties:
a. Within the time period specified in the warrant, to conduct interception, as defined in this
Rules, and to:
b. Pursuant thereto, the law enforcement authorities may order any person, who has knowledge
about the functioning of the computer system and the measures to protect and preserve the
computer data therein, to provide, as is reasonable, the necessary information to enable the
undertaking of the search, seizure and examination.
c. Law enforcement authorities may request for an extension of time to complete the examination
of the computer data storage medium and to make a return thereon, but in no case for a period
longer than thirty (30) days from date of approval by the court.
Custody of Computer Data. – All computer data, including content and traffic data, that are
examined under a proper warrant shall, within forty-eight (48) hours after the expiration of the
period fixed therein, be deposited with the court in a sealed package, and shall be accompanied
by an affidavit of the law enforcement authority executing it, stating the dates and times covered
by the examination, and the law enforcement authority who may have access to the deposit,
among other relevant data.
Destruction of Computer Data. – Upon expiration of the periods provided in Section 12
(6 months) and Section 15 (within the time period specified in the warrant), or upon the final
termination of the case and/or as ordered by the Court, as the case may be, service providers and
law enforcement authorities, as the case may be, shall immediately and completely destroy the
computer data.
Take Note: Exclusionary Rule – Any evidence obtained without a valid warrant or beyond the
authority of the same shall be inadmissible for any proceeding before any court or tribunal.
Take Note: Failure to comply with the provisions stated above, specifically the orders from law
enforcement authorities, shall be punished as a violation of Presidential Decree No. 1829, entitled
"Penalizing Obstruction of Apprehension and Prosecution of Criminal Offenders." The criminal
charge for obstruction of justice shall be filed before the designated cybercrime court that has
jurisdiction over the place where the non-compliance was committed.
Where are cybercrime cases filed, and who has jurisdiction over cybercrime cases in the
Philippines?
Criminal actions for violation of RA 10175 shall be filed before the designated special
cybercrime court (RTC) of the province or city where the offense or any of its elements was
committed, or where any part of the computer system used is situated, or where any of the
damage caused to a natural or juridical person took place.
Take Note: As provided under RA 10175, there shall be designated special cybercrime courts
manned by specially trained judges to handle cybercrime cases, and the Secretary of Justice shall
designate prosecutors and investigators who shall comprise the prosecution task force or division
under the DOJ-Office of Cybercrime, which will handle cybercrime cases in violation of the said
Act.
Digital evidence is information or valuable data stored on a computer, a mobile device or another
electronic device that was seized by a law enforcement organization as part of a criminal
investigation and that can be used as evidence in court.
• Volatile: Memory that loses its content once the power is turned off, like data stored in
RAM. It includes information about the programs that are currently being processed by the
computer.
• Non-volatile: Content does not change even if the power is turned off. For example, data
stored on tape, a hard drive, CD/DVD, and ROM.
Take Note: Law enforcement officers gather and use digital evidence not only for computer crime
or computer-related crime but for traditional crime as well.
Digital forensics is the scientific examination and analysis of data held on or retrieved from
computer storage media or networks, and its presentation in a manner legally acceptable to a
Court.
In the field of digital forensics, digital traces are left behind as the result of individuals' use
of information and communication technology (ICT). A person utilizing ICT can leave a
digital footprint.
An active digital footprint is created by data provided by the user, such as personal
information, videos, images, and comments posted on apps, websites, social media, and
other online forums.
An "active digital footprint" includes data that you intentionally submit online. Sending an
email contributes to your active digital footprint, since you expect the data be seen and/or
saved by another person. The more email you send, the more your digital footprint grows.
A passive digital footprint is data that is obtained and unintentionally left behind by the
users of the Internet and digital technology.
For example, when you visit a website, the web server may log your IP address, which
identifies your Internet service provider and your approximate location. Although your IP
address may change and does not include any personal information, it is still considered
part of your digital footprint. A more personal aspect of your passive digital footprint is
your search history, which is saved by some search engines while you are logged in.
Take Note: Data that are part of active and passive digital footprints can be used as
evidence
With respect to cybercrime, the crime scene is not limited to the physical location of the digital
devices used in the commission of the cybercrime and/or that were the target of the cybercrime.
The cybercrime crime scene also includes the digital devices that potentially hold digital evidence,
and spans multiple digital devices, systems, and servers.
1. Identification. This phase includes the search for and recognition of relevant evidence, as
well as its documentation. In this phase, the priorities for evidence collection are identified
based on the value and volatility of the evidence. Also, in the identification phase, preliminary
information is obtained about the cybercrime case prior to collecting digital evidence. This
preliminary information (the Six Cardinal Points of Investigation) is similar to that which is
sought during a traditional criminal investigation.
The answers to these questions will provide investigators with guidance on how to proceed with
the case. For example, the answer to the question "where did this crime occur?" - that is, within
or outside of a country's borders will inform the investigator on how to proceed with the case (e.g.,
which agencies should be involved and/or contacted).
2. Collection. This phase involves the collection of all digital devices that could potentially
contain data of evidentiary value. The investigator, or crime scene technician, collects the
evidence. The collection procedures vary depending on the type of digital device. The most
volatile evidence should be collected first, and the least volatile should be collected last.
Take Note: The seized digital devices are considered the primary source of evidence. The
digital forensics analyst does not acquire data from the primary source. Instead, a duplicate is
made of the contents of that device and the analyst works on the copy.
Take Note: To determine whether the duplicate is an exact copy of the original, a hash value is
computed for each. If the hash values for the original and the copy match, then the contents of
the duplicate are exactly the same as the original.
Logical Extraction - It creates a copy of the user accessible files such as phonebook, calls,
messages, some app data and other data you can see if you manually examine each screen on the
device.
Physical Extraction - It is the most comprehensive and invasive of all the extractions and
includes all unallocated space on the phone which is why it may include deleted files.
5. Analysis. The digital forensics process also involves the examination and interpretation of
digital evidence. This phase requires the use of appropriate digital forensic tools and
methods to uncover digital data. There are numerous digital forensics tools on the market,
of varying quality (examples of digital forensics tools include EnCase, IEF, and Autopsy).
The type of digital forensics tool varies depending on the type of digital forensics
investigation conducted. Files are analyzed to determine their origin, and when and where
the data was created, modified, accessed, downloaded, or uploaded.
The purpose of the analysis phase is to determine the significance and probative
value of the evidence: the evidence, or other information or data recovered from the storage
media, is examined to determine if and how it could be used against the suspect.
Ownership and possession analysis is used to determine the person who created,
accessed, and/or modified files on a computer system.
Data hiding analysis searches for hidden data on a system. Criminals use several
data-hiding techniques, such as steganography and encryption, to conceal their illicit activities
and identifying information.
Take Note: In the world of cybersecurity, steganography is the technique of hiding secret data
within a non-secret, ordinary file or message to avoid detection. Encryption blocks third-party
access to a file, either by requiring a password or by rendering the file, or aspects of the file,
unusable without the key.
6. Reporting. The results of the analysis are documented in a report. This phase includes a
detailed description of the steps taken throughout the digital forensics process, the digital
evidence uncovered, and the conclusions reached based on the results of the digital
forensics process and the evidence revealed.
*To identify the Internet service provider (ISP) associated with an IP address, the cybercrime
investigator can use ICANN's WHOIS query tool (https://whois.domaintools.com/). The WHOIS
query tool can be used to identify the contact information and location of the organization
associated with a domain name, and likewise of the organization associated with an IP address.
Once an ISP has been identified, cybercrime investigators may contact the ISP associated with the
IP address to retrieve information about the subscriber using that IP address (Lin, 2016);
however, ISPs cannot always be compelled to provide personal information without appropriate
legal documents.
2. The lack of mutual legal assistance on cybercrime matters, and of timely collection,
preservation, and sharing of digital evidence between countries. Especially for cybercrimes that
are politically motivated, there is a general lack of will among countries to cooperate.
Take Note: In the Philippines, Cyber Warrants can also be enforced even outside the Philippines
coursed through the DOJ – Office of Cybercrime. DOJ -OOC is also the Central Authority in all
matters relating to international mutual assistance and extradition, as far as cybercrime is
concerned.
3. Cybercrime investigators face technical challenges. Investigators may not have the
necessary knowledge, equipment and digital forensics tools needed to adequately conduct
cybercrime investigations involving digital devices.
Common Defenses of Cybercriminals and Evidence to Rebut These Defenses
1. Ghost in the Machine
The computer was infected with a virus
The computer was controlled by a botnet and the defendant had nothing to do with the crime
Take Note: A botnet is a collection of internet-connected devices infected by malware that allows
hackers to control them.
Botnets can be used to perform Distributed Denial-of-Service (DDoS) attacks.
Rebut with evidence
There is anti-virus software installed on the computer of the defendant
No known malware was found on the computer
Use other corroborative evidence (for example, Google searches for terms relevant to the crime,
hacker tools, etc.)
Provide/look for non-electronic evidence
Take Note: A firewall is a security device (computer hardware or software) that can help
protect your network by filtering traffic and blocking outsiders from gaining unauthorized access
to the private data on your computer.
3. Being Framed
My computer was clean when it was taken
Something must have happened when the computer was imaged
Rebut with evidence
Time/date stamps on imaging
Imaging process and verification with hash values to prove authenticity of the data
Explain the forensic imaging process
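The hash check described in the Collection notes above, and relied on here to rebut the "being framed" defense, can be shown concretely. This is an added Python example, not part of the course notes: it images a constructed sample "device" file block by block (a stand-in for a forensic imager, not a real one), records a SHA-256 hash of the source before imaging and of the copy after, and then flips a single bit in the copy to show that any change breaks the match.

```python
import hashlib
import os
import tempfile

CHUNK = 1 << 20  # hash and copy 1 MiB at a time, so a large image never sits fully in memory


def sha256_hex(data):
    """SHA-256 hex digest of an in-memory byte string."""
    return hashlib.sha256(data).hexdigest()


def sha256_of_file(path):
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def image_device(source_path, image_path):
    """Make a bit-for-bit copy (stand-in for a forensic imager) and return an imaging log:
    the hash of the source taken before copying and the hash of the image taken after."""
    source_hash = sha256_of_file(source_path)
    with open(source_path, "rb") as src, open(image_path, "wb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            dst.write(block)
    image_hash = sha256_of_file(image_path)
    return {"source_sha256": source_hash, "image_sha256": image_hash,
            "verified": source_hash == image_hash}


def verify_image(source_path, image_path):
    """Re-hash the original and the duplicate; they match only if every byte matches."""
    a, b = sha256_of_file(source_path), sha256_of_file(image_path)
    return {"source_sha256": a, "image_sha256": b, "verified": a == b}


def demo():
    """Constructed walk-through: image a fake device, verify, then flip one bit in the copy
    and verify again. Returns (verified_before_tampering, verified_after_tampering)."""
    with tempfile.TemporaryDirectory() as workdir:
        device = os.path.join(workdir, "device.bin")
        image = os.path.join(workdir, "device.dd")
        with open(device, "wb") as f:
            f.write(bytes(range(256)) * (3 * 4096) + b"tail")  # 3 MiB of constructed data
        log = image_device(device, image)
        with open(image, "r+b") as f:  # alter a single bit deep inside the copy
            f.seek(CHUNK + 7)
            original = f.read(1)
            f.seek(CHUNK + 7)
            f.write(bytes([original[0] ^ 0x01]))
        after = verify_image(device, image)
        return log["verified"], after["verified"]


if __name__ == "__main__":
    print(demo())  # (True, False)
```

In practice the pre-imaging hash, the post-imaging hash and the time of each are written into the imaging log so that the defense claim "something happened when the computer was imaged" can be answered with the matching values.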
1. EnCase
○ Recover active and deleted files
○ Email and file system analysis
○ Malicious code discovery
3. Autopsy
○ Similar to EnCase in overall features
○ Email and file system analysis
○ Advanced searches
○ File type identification
○ Data carving