
CDI 9: INTRODUCTION TO CYBERCRIME

“Ever since men began to modify their lives by using technology they have found themselves in a
series of technological traps”
Roger Revelle
What is Cyber Crime?
Cyber-crimes are essentially a combination of the elements of computer crime and net crime and
can best be defined as "offenses that are committed against individuals or groups of individuals
with a criminal motive to intentionally harm the reputation of the victim or cause physical or
mental harm to the victim, directly or indirectly, using modern telecommunication networks such
as the Internet and mobile phones."
In its simplest definition, Cybercrime is criminal activity that either targets or uses a
computer, a computer network or a networked device.
What is Cyber Criminology?
Cyber Criminology is the study of causation of crimes that occur in the cyberspace and its
impact in the physical space (Jaishankar 2007).
General categories of Cyber Crime:
1. Computer as a Target
2. Computer as a weapon

History of Computer and Cybercrime

• The computer as we know it today had its beginnings in the 19th century. An English mathematics
professor named Charles Babbage designed the Analytical Engine, and this design became the basic
framework on which the computers of today are based.

• The first recorded cybercrime took place in the year 1820.

• The first person to be found guilty of cybercrime was Ian Murphy, also known as Captain
Zap, and that happened in the year 1981.

• The first unsolicited bulk commercial email was sent by a Digital Equipment Corp
marketing representative to every ARPANET (Advanced Research Projects Agency Network)
address on the west coast of the United States on May 3, 1978. The message promoted the
availability of a new model of computer and was sent by Gary Thuerk to 393 recipients.
Take Note: Advanced Research Projects Agency Network (ARPANET) was the first wide-area
packet-switching network with distributed control and one of the first networks to implement the
TCP/IP protocol suite. This technology became the technical foundation of the Internet.
What is I Love You Virus?
The I LOVE YOU virus, also known as the Love Bug virus, was a type of computer virus that
attacked billions of computers running Windows operating systems. The attack started in May 2000
from the Philippines. The virus spread over the Internet as an email attachment, with the
subject line “ILOVEYOU” and an attachment named “LOVE-LETTER-FOR-YOU.txt.vbs”.
The virus was created by Onel De Guzman, a computer programming student at AMA.
What happened to the case of Onel De Guzman?
Absolutely nothing happened. Government prosecutors filed cases against him, but even at
the first stage, the indictment was dismissed because there was no law penalizing the said act
during the time of commission in the Philippines.
What was the effect of I Love You Virus Case on the Philippine Legislation?
In order to curb the threat posed by cybercrime, the Philippine Congress enacted Republic
Act (RA) 8792, otherwise known as the “Electronic Commerce Act of 2000”. This was signed
into law on 14 June 2000.
The salient features of the Act are as follows:
• Provides for the admissibility of electronic documents in court cases;
• Penalizes a limited set of online crimes, such as hacking, introduction of viruses and copyright
violations, with a fine of at least Php100,000 and a maximum commensurate to the damage incurred,
and imprisonment of six months to three years, among others;
• Promotes e-commerce in the country;
• Aims to reduce graft and corruption in government.

Take Note: RA 8792 is considered the landmark law in the history of the Philippines since it has
placed the Philippines among the countries penalizing cybercrime.
Likewise, the Supreme Court drafted the Rules on Electronic Evidence, which took effect on
1 August 2000, to emphasize the admissibility of evidence in electronic form, subject to its
authenticity and reliability.

Who was the first Filipino convicted of Cybercrime?

The first Filipino to be convicted of cybercrime was JJ Maria Giner. He was convicted in
September 2005 by Manila MTC Branch 14 Judge Rosalyn Mislos-Loja. Giner pleaded guilty to
hacking the government portal “gov.ph” and other government websites. He was sentenced to one
to two years of imprisonment and fined Php100,000. However, he immediately applied for
probation, which was eventually granted by the court.
Take Note: The conviction of Giner is considered a landmark case, as he is the first local hacker
to be convicted under section 33a of the E-Commerce Law or Republic Act 8792.
What are the Components of Computer?
A computer is made up of multiple parts and components that facilitate user functionality.
A computer has two primary categories:
1. Hardware - The physical components of a computer system
2. Software - These are the instructions that tell the computer what to do and how to do it.

Input devices - An input device is any hardware component that allows the user to enter
data into the computer.
• Keyboard
• Mouse
• Scanner
• Microphone
• Digital Camera
• PC Video Camera

Output devices - An output device is any hardware component that gives information to
the user.
• Monitor
• Printer
• Speaker

The two main categories of software:
• System software - System software, also called the operating system (OS), is what
actually runs the computer.
• Application software - Application software is a program that allows users to perform a
specific task on the computer.

Four common examples of application software:
• Word Processing Application
• Spreadsheet Application
• E-mail Application
• Internet Application

Storage Media
Storage keeps data, information and instructions for use in the future.

Primary storage
• RAM (Random Access Memory) - is the primary storage of a computer. When
you’re working on a file on your computer, it will temporarily store data in your RAM.
It allows you to perform everyday tasks like opening applications, loading webpages,
editing a document or playing games, and allows you to quickly jump from one task
to another without losing your progress.

Secondary storage (Hard Disk Drives (HDD) & Solid-State Drives (SSD))
• Hard Disk Drives (HDD) - Hard disk drives are commonly used as the main storage
device in a computer. HDDs often store the operating system, software programs and
other files. They are magnetic storage devices.
• Solid-State Drives (SSD) - Solid-state drives are a new generation of storage device used in
computers. SSDs replace traditional mechanical hard disks by using flash-based memory, which
is significantly faster. SSDs don’t rely on magnets and disks; instead they use a type
of flash memory called NAND.

External storage devices
• External hard drive - is a device which is plugged into your machine to give almost-immediate
storage space, without the need to open or use your computer’s internal storage.
• Floppy disks were the first widely available portable, removable storage devices.
They work in the same way as hard disk drives, although at a much smaller scale.
• CDs, DVDs, and Blu-ray discs are used for a lot more than just playing music and
videos—they also act as storage devices, and collectively they’re known as optical storage
devices or optical disk media.
• Flash memory devices – these are small, portable storage devices that have long
been a popular choice for extra computer storage. The most recognizable type of flash
memory device is the USB flash drive.

What are the typologies of Cyber Crime?

The Budapest Convention on Cybercrime provides four general types of cybercrime:
• Offenses against the confidentiality, integrity and availability of computer data and systems
• Computer-related offenses
• Content-related offenses
• Copyright-related offenses

1. Unauthorized Access - Unauthorized access is when someone gains access to a website,
program, server, service, or other system using someone else's account.
2. Hacking - Any attempt to intrude into a computer or a network without authorization. This
involves changing system or security features in a bid to accomplish a goal that differs
from the intended purpose of the system. It can also refer to non-malicious activities,
usually involving unusual or improvised alterations to equipment or processes. An
individual who engages in hacking activities is known as a hacker.
Take Note: Hacking can be described as gaining unauthorized access to a computer system by
improper means. Unauthorized access can be described as gaining access to a computer system
using the usual means of access but without consent.

What are the various kinds of hackers?

• White hats - also known as ethical hackers, strive to operate in the public's best interest,
rather than to create turmoil. Many white hat hackers do penetration testing, attempting
to break into a company’s networks to find and report on security vulnerabilities.

• Black hat hackers – this kind of hacker hacks to take control over a system for personal
gain. They destroy, steal and even prevent authorized users from accessing the system.

• Gray hat hackers - They belong to the neutral zone. They act in the middle ground
between white hat hackers, who operate on behalf of those maintaining secure systems,
and black hat hackers, who act maliciously to exploit vulnerabilities in systems, and
may sometimes act as black hats themselves.

3. Cracking – is breaking into a network; bypassing passwords or licenses in computer
programs; or in other ways intentionally breaching computer security. Crackers also act as black
hats by maliciously gaining access to people's accounts and misusing this information
across networks. They can steal credit card information, destroy important files,
disclose crucial data, information or personal details, and sell them for personal gain.

Take Note: Hacking is the process of intruding into computer systems without authorization in
order to gain access to them, for good or bad purposes, while cracking is breaking into a
security system for criminal and illegal reasons or for personal gain only.

4. Cyber Fraud - is a crime committed via a computer and the Internet with the intent to illegally
obtain or corrupt another individual’s personal and financial information stored online by
deceiving them.
a. Spoofing or Phishing - Spoofing is a type of scam in which criminals attempt to obtain
someone's personal information by pretending to be a legitimate source. It can take the form
of:
• Email Spoofing - Email spoofing is a technique used in spam and phishing attacks to
trick users into thinking a message came from a person or entity they either know or
can trust. In email spoofing attacks, the sender forges email headers so that client
software displays the fraudulent sender address, which most users take at face value.
• Text Message Spoofing - Sometimes referred to as smishing. The text message may
appear to come from a legitimate source, such as your bank. It may request that you
call a certain phone number or click on a link within the message, with the goal of
getting you to divulge personal information.
• URL Spoofing - URL spoofing happens when scammers set up a fraudulent website
to obtain information from victims or to install malware on their computers.
• Virus hoax emails - Virus hoaxes are false reports about non-existent viruses, often claiming
to do impossible things like blow up the recipient's computer and set it on fire, or, less
sensationally, delete everything on the user's computer.
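One way the receiving side can catch the header forgery described under Email Spoofing: an added example (not part of the lecture notes) that compares the visible From: domain with the envelope sender in Return-Path and reads the receiving server's Authentication-Results header. The two messages are constructed samples and the example.com/example.net addresses are placeholders.

```python
"""Flag messages whose visible From: address disagrees with the envelope
sender or fails SPF/DKIM.  Added example; the messages are constructed."""
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: From: claims the bank, but the envelope sender
# (Return-Path) and the SPF result point at a different domain.
SPOOFED = """Return-Path: <bounce@mail.example.net>
Authentication-Results: mx.example.org; spf=fail smtp.mailfrom=mail.example.net; dkim=none
From: Customer Service <alerts@bank.example.com>
To: victim@example.org
Subject: Verify your account

Please log in within 24 hours.
"""

# Constructed sample of a consistent, authenticated message.
LEGIT = """Return-Path: <alerts@bank.example.com>
Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=bank.example.com; dkim=pass header.d=bank.example.com
From: Customer Service <alerts@bank.example.com>
To: customer@example.org
Subject: Your monthly statement

Your statement is ready.
"""


def domain_of(addr: str) -> str:
    """Return the lower-cased domain part of 'Name <user@host>' or 'user@host'."""
    _, address = parseaddr(addr)
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def auth_results(header: str) -> dict:
    """Parse 'authserv; spf=pass ...; dkim=fail ...' into {'spf': 'pass', 'dkim': 'fail'}.
    The first clause is the authenticating server's id and is skipped."""
    results = {}
    for clause in header.split(";")[1:]:
        parts = clause.strip().split()
        if parts and "=" in parts[0]:
            method, verdict = parts[0].split("=", 1)
            results[method.lower()] = verdict.lower()
    return results


def spoof_indicators(raw: str) -> list:
    """Return a list of human-readable findings; an empty list means no indicator."""
    msg = message_from_string(raw)
    from_dom = domain_of(msg.get("From", ""))
    envelope_dom = domain_of(msg.get("Return-Path", ""))
    findings = []
    # The displayed sender should normally match the domain that actually sent it.
    if envelope_dom and envelope_dom != from_dom:
        findings.append(f"envelope sender domain {envelope_dom} != From domain {from_dom}")
    # Anything other than an explicit pass for SPF and DKIM is worth flagging.
    results = auth_results(msg.get("Authentication-Results", ""))
    for method in ("spf", "dkim"):
        verdict = results.get(method, "none")
        if verdict != "pass":
            findings.append(f"{method}={verdict}")
    return findings


if __name__ == "__main__":
    for label, sample in (("spoofed", SPOOFED), ("legit", LEGIT)):
        print(label, spoof_indicators(sample))
```

A mismatch alone is not proof of fraud (mailing-list relays and some forwarders change the envelope sender), which is why the authentication verdicts are reported alongside it.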

b. Lottery Frauds - These are emails, which inform the recipient that he/ she has won a
prize in a lottery.

c. Credit Card Fraud - Credit card fraud is the unauthorized use of a credit or debit card, or
similar payment tool to fraudulently obtain money or property. Credit and debit card
numbers can be stolen from unsecured websites or can be obtained in an identity theft
scheme.

Take Note: Identity theft is the scheme of obtaining the personal, financial information or
other information of another person to use their identity to commit fraud or other illegal
activities.
d. Theft of Internet Hours - Unauthorized use of Internet hours paid for by another person.

e. Cyber Terrorism - It refers to unlawful attacks and threats of attacks against computers,
networks and the information stored therein when done to intimidate or coerce a government
or its people in furtherance of political or social objectives.

f. Cyber Pornography – is the act of using cyberspace to create, display, distribute, import,
or publish pornography or obscene materials, especially materials depicting children engaged
in sexual acts with adults.

g. Cyber-libel or cyber defamation - is the term used when someone has posted or emailed
something untrue and damaging about someone else online, including on blogs, chat rooms,
personal websites, social media, social networking sites, or other published articles. Cyber
defamation is also called cyber smearing.

h. Cyber Stalking - Cyber-stalking refers to the use of the Internet, e-mail, or other electronic
communications device to stalk and later on harass another person.

i. Denial of Service attacks - A denial-of-service (DoS) attack makes a computer or network
unavailable by flooding the target with traffic, or by sending information that triggers a crash of
someone’s computer or computer network.
j. Distributed denial-of-service attack (DDoS attack) - occurs when multiple systems flood
the bandwidth or resources of a targeted system, usually one or more web servers.

k. Salami Slicing Attack - A “salami slicing attack” is a technique by which cyber-criminals
steal money or resources a bit at a time so that the theft remains unnoticeable.

l. Malware attack - is a common cyberattack in which malware executes unauthorized
actions on the victim’s computer system. Malicious software encompasses many
specific types of attacks, such as infecting computers.

What are the common types of Malware?

a. Adware – (Advertising-supported software) is a type of malware that automatically delivers
advertisements.
b. Ransomware - is malicious software that infects your computer and displays messages
demanding a fee to be paid in order for your system to work again.

c. Rootkit – A rootkit is a type of malicious software designed to remotely access or control a
computer without being detected by users or security programs. Once a rootkit has been
installed, it is possible for the malicious party behind the rootkit to remotely execute files and
access or steal information. A rootkit can also modify system configurations and alter software.

d. Trojan Horse - A Trojan horse, commonly known as a “Trojan,” is a type of malware that
disguises itself as a normal file or program to trick users into downloading and installing
malware. A Trojan can give a malicious party remote access to an infected computer. Once an
attacker has access to an infected computer, it is possible for the attacker to steal data.

e. Virus - Viruses are designed to damage the target computer or device by corrupting data,
reformatting your hard disk, or completely shutting down your system.

f. Worm - A computer worm is a type of malware that spreads copies of itself from computer
to computer. A worm can replicate itself without any human interaction, and it does not need
to attach itself to a software program in order to cause damage.

What are some preventive measures against cybercrimes?

1. Keep software and operating system updated
2. Use anti-virus software and keep it updated
3. Use strong passwords
4. Never open attachments in spam emails
5. Do not give out personal information unless secure
6. Contact companies directly about suspicious requests
7. Be mindful of which website URLs you visit
8. Keep an eye on your bank statements

REPUBLIC ACT 10175

Despite RA 8792 already being in place, it was found to have failed to address all forms of
cybercrime enumerated in the Budapest Convention on Cybercrime of 2001, namely:
• Offences against confidentiality, integrity and availability of computer data and systems
• Computer-related offences
• Content-related offences
• Offences related to infringement of copyright and related rights.

What is RA 10175?
Republic Act No. 10175 is otherwise known as the “Cybercrime Prevention Act of 2012”.

What are the acts that constitute Cybercrime Offenses under RA 10175?

A. Offenses against the confidentiality, integrity and availability of computer data and
systems

1. Illegal Access – The access to the whole or any part of a computer system without right.

2. Illegal Interception – The interception made by technical means and without right, of any
non-public transmission of computer data to, from, or within a computer system, including
electromagnetic emissions from a computer system carrying such computer data: Provided,
however, That it shall not be unlawful for an officer, employee, or agent of a service
provider, whose facilities are used in the transmission of communications, to intercept,
disclose or use that communication in the normal course of employment, while engaged in
any activity that is necessary to the rendition of service or to the protection of the rights or
property of the service provider, except that the latter shall not utilize service observing or
random monitoring other than for purposes of mechanical or service control quality checks.

3. Data Interference – The intentional or reckless alteration, damaging, deletion or
deterioration of computer data, electronic document or electronic data message, without
right, including the introduction or transmission of viruses.

4. System Interference – The intentional alteration, or reckless hindering or interference
with the functioning of a computer or computer network by inputting, transmitting,
damaging, deleting, deteriorating, altering or suppressing computer data or program,
electronic document or electronic data message, without right or authority, including the
introduction or transmission of viruses.

5. Misuse of Devices
a. The use, production, sale, procurement, importation, distribution or otherwise making
available, intentionally and without right, of any of the following:
i. A device, including a computer program, designed or adapted primarily for the
purpose of committing any of the offenses under these Rules; or
ii. A computer password, access code, or similar data by which the whole or any part of
a computer system is capable of being accessed, with the intent that it be used for the
purpose of committing any of the offenses under these Rules.
b. The possession of an item referred to in 5a(i) or (ii) above, with the intent to use said
devices for the purpose of committing any of the offenses under this section.

B. Computer-related Offenses

1. Computer-related Forgery
a. The input, alteration or deletion of any computer data without right, resulting in
inauthentic data, with the intent that it be considered or acted upon for legal purposes
as if it were authentic, regardless whether or not the data is directly readable and
intelligible; or

b. The act of knowingly using computer data, which is the product of computer-related
forgery as defined herein, for the purpose of perpetuating a fraudulent or dishonest
design.

2. Computer-related Fraud – The unauthorized input, alteration or deletion of computer data or
program, or interference in the functioning of a computer system, causing damage thereby with
fraudulent intent.

3. Computer-related Identity Theft – The intentional acquisition, use, misuse, transfer,
possession, alteration or deletion of identifying information belonging to another, whether natural
or juridical, without right.

C. Content-related Offenses:

1. Any person found guilty of Child Pornography shall be punished in accordance with the
penalties set forth in Republic Act No. 9775 or the “Anti-Child Pornography Act of 2009”.

Take Note: The penalty to be imposed shall be one (1) degree higher than that provided for in
Republic Act No. 9775 if committed through a computer system.

What are the other Cybercrime offenses punishable under RA 10175?

The following constitute other cybercrime offenses punishable under RA 10175:

1. Cyber-squatting – The acquisition of a domain name over the internet, in bad faith, in order to
profit, mislead, destroy reputation, and deprive others from registering the same, if such a
domain name is:

a. Similar, identical, or confusingly similar to an existing trademark registered with the
appropriate government agency at the time of the domain name registration;
b. Identical or in any way similar with the name of a person other than the registrant, in case
of a personal name; and
c. Acquired without right or with intellectual property interests in it.

2. Cybersex – The willful engagement, maintenance, control or operation, directly or indirectly, of
any lascivious exhibition of sexual organs or sexual activity, with the aid of a computer system,
for favor or consideration.

Take Note: Cybersex involving a child shall be punished in accordance with the provision on
child pornography of the Act.

3. Libel – The unlawful or prohibited acts of libel, as defined in Article 355 of the Revised Penal
Code, as amended, committed through a computer system or any other similar means.

Take Note: This provision applies only to the original author of the post or online libel, and not to
others who simply receive the post and react to it.

Other offenses under RA 10175


A. Aiding or Abetting in the Commission of Cybercrime. – Any person who willfully abets,
aids, or financially benefits in the commission of any of the offenses enumerated in the Act
shall be held liable, except with respect to Child Pornography and online Libel.
B. Attempt to Commit Cybercrime. – Any person who willfully attempts to commit any of
the offenses enumerated in the Act shall be held liable, except with respect to Child
Pornography and online Libel.

What are the other salient provisions of RA 10175?

1. Law Enforcement Authorities. – The National Bureau of Investigation (NBI) and the
Philippine National Police (PNP) shall be responsible for the efficient and effective law
enforcement of the provisions of the Act. The NBI and the PNP shall organize a cybercrime
division or unit to be manned by Special Investigators to exclusively handle cases involving
violations of this Act.

Take Note: The NBI shall create a cybercrime division to be headed by at least a Head Agent. The
PNP shall create an anti-cybercrime unit headed by at least a Police Director.

Take Note: The DOJ – Office of Cybercrime (OOC) created under the Act shall coordinate the
efforts of the NBI and the PNP in enforcing the provisions of the Act. The law also provides for
the creation of an inter-agency body known as the Cybercrime Investigation and Coordinating
Center (CICC) under the Office of the President.

Duties of Law Enforcement Authorities. –  To ensure that the technical nature of cybercrime
and its prevention is given focus, and considering the procedures involved for international
cooperation, law enforcement authorities, specifically the computer or technology crime divisions
or units responsible for the investigation of cybercrimes, are required to submit timely and
regular reports including pre-operation, post-operation and investigation results, and such other
documents as may be required to the Department of Justice (DOJ) – Office of Cybercrime for
review and monitoring.

Preservation and Retention of Computer Data. – The integrity of traffic data and subscriber
information shall be kept, retained and preserved by a service provider for a minimum period of
six (6) months from the date of the transaction. Content data shall be similarly preserved for six
(6) months from the date of receipt of the order from law enforcement authorities requiring its
preservation.

Collection of Computer Data. – Law enforcement authorities, upon the issuance of a court
warrant, shall be authorized to collect or record by technical or electronic means, and the service
providers are required to collect or record by technical or electronic means and/or to cooperate
and assist in the collection or recording of computer data that are associated with specified
communications transmitted by means of a computer system.

Disclosure of Computer Data. – Law enforcement authorities, upon securing a court warrant,
shall issue an order requiring any person or service provider to disclose or submit, within
seventy-two (72) hours from receipt of such order, subscriber’s information, traffic data or
relevant data in his/its possession or control.

Search, Seizure and Examination of Computer Data. – Where a search and seizure warrant
is properly issued, the law enforcement authorities shall likewise have the following powers and
duties:
a. Within the time period specified in the warrant, to conduct interception, as defined in these
Rules, and to:
1. Search and seize computer data;
2. Secure a computer system or a computer data storage medium;
3. Make and retain a copy of those computer data secured;
4. Maintain the integrity of the relevant stored computer data;
5. Conduct forensic analysis or examination of the computer data storage medium; and
6. Render inaccessible or remove those computer data in the accessed computer or computer
and communications network.

b. Pursuant thereto, the law enforcement authorities may order any person, who has knowledge
about the functioning of the computer system and the measures to protect and preserve the
computer data therein, to provide, as is reasonable, the necessary information to enable the
undertaking of the search, seizure and examination.

c. Law enforcement authorities may request for an extension of time to complete the examination
of the computer data storage medium and to make a return thereon, but in no case for a period
longer than thirty (30) days from date of approval by the court.

Custody of Computer Data. – All computer data, including content and traffic data, that are
examined under a proper warrant shall, within forty-eight (48) hours after the expiration of the
period fixed therein, be deposited with the court in a sealed package, and shall be accompanied
by an affidavit of the law enforcement authority executing it, stating the dates and times covered
by the examination, and the law enforcement authority who may have access to the deposit,
among other relevant data.
Destruction of Computer Data. – Upon expiration of the periods provided in Section 12
(six months) and Section 15 (within the time period specified in the warrant), or until the final
termination of the case and/or as ordered by the Court, as the case may be, service providers and
law enforcement authorities, as the case may be, shall immediately and completely destroy the
computer data.
Take Note: Exclusionary Rule – Any evidence obtained without a valid warrant or beyond the
authority of the same shall be inadmissible for any proceeding before any court or tribunal.
Take Note: Failure to comply with the provisions stated above, specifically the orders from law
enforcement authorities, shall be punished as a violation of Presidential Decree No. 1829, entitled
‘Penalizing Obstruction Of Apprehension And Prosecution Of Criminal Offenders.’ The criminal
charge for obstruction of justice shall be filed before the designated cybercrime court that has
jurisdiction over the place where the non-compliance was committed.
Where are cybercrime cases filed, and who has jurisdiction over cybercrime cases in the
Philippines?

The criminal actions for violation of RA 10175 shall be filed before the designated special
cybercrime court (RTC) of the province or city where the offense or any of its elements is
committed, or where any part of the computer system used is situated, or where any of the
damage caused to a natural or juridical person took place.

Take Note: As provided under RA 10175, there shall be designated special cybercrime courts
manned by specially trained judges to handle cybercrime cases, and the Secretary of Justice shall
designate prosecutors and investigators who shall comprise the prosecution task force or division
under the DOJ-Office of Cybercrime, which will handle cybercrime cases in violation of the said
Act.

What are the types of warrants in relation to Cybercrime?

(1) Warrant to Disclose Computer Data (WDCD)
The Warrant to Disclose Computer Data (WDCD) authorizes law enforcement to issue an
order to disclose or submit subscriber’s information, traffic data, or relevant data in the
possession or control of a person or service provider within seventy-two (72) hours from the
receipt of the order. Within forty-eight (48) hours from implementation or after the expiration of
the effectivity of the WDCD, the authorized law enforcement officer must accomplish a return and
turn over the disclosed computer data or subscriber’s information to the court.
(2) Warrant to Intercept Computer Data (WICD)
It authorizes law enforcement to listen to, record, monitor, or surveil the content of
communications through electronic eavesdropping or tapping devices, at the same time the
communication is occurring.
(3) Warrant to Search, Seize, and Examine Computer Data (WSSECD)
A WSSECD authorizes the search of a particular place for items to be seized and/or
examined.
Upon the conduct of the seizure, law enforcement must file a return stating (a) the devices
that were subject of the WSSECD and (b) the hash value of the computer data and/or the seized
computer device or computer system containing such data.
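To make the hash-value requirement of the WSSECD return concrete, an added example (not from the lecture notes or any court form) that records a SHA-256 hash of the seized data at seizure time and re-verifies it before examination, so that any later alteration is detectable. The seized image, the officer name and the record field names are constructed assumptions.

```python
"""Record and re-verify the hash value of seized computer data.
Added example; the 'seized' image and record layout are constructed."""
import hashlib
import os
import tempfile
from datetime import datetime, timezone


def hash_file(path: str, algorithm: str = "sha256", chunk_size: int = 1 << 20) -> str:
    """Hash a file in chunks so that large disk images need not fit in memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def make_return_record(device: str, path: str, officer: str) -> dict:
    """Build the return entry: device description plus the hash of its data
    at seizure time.  Field names are an assumption, not the court's form."""
    return {
        "device": device,
        "algorithm": "sha256",
        "hash": hash_file(path),
        "recorded_at": datetime.now(timezone.utc).isoformat(),
        "officer": officer,
    }


def verify_against_return(record: dict, path: str) -> bool:
    """Re-hash the data later (for example before forensic examination) and
    compare with the value in the return; any change to the data changes the hash."""
    return hash_file(path, record["algorithm"]) == record["hash"]


def demo() -> tuple:
    """Seize a constructed image, record it, then show that a one-byte change
    is detected.  Returns (matches_before_tamper, matches_after_tamper)."""
    with tempfile.TemporaryDirectory() as tmp:
        image = os.path.join(tmp, "seized_usb.img")
        with open(image, "wb") as fh:
            fh.write(b"CONSTRUCTED SAMPLE IMAGE\x00" * 1000)  # not real evidence
        record = make_return_record("USB flash drive, 8 GB (constructed)", image, "PO1 Example")
        intact = verify_against_return(record, image)
        # Simulate an alteration of a single byte after the return was filed.
        with open(image, "r+b") as fh:
            fh.seek(40)
            fh.write(b"X")
        tampered = verify_against_return(record, image)
    return intact, tampered


if __name__ == "__main__":
    print(demo())  # (True, False)
```

In practice the hash is taken of a write-blocked acquisition image, and the same value is quoted in the return so the court can check that the examined copy is the one seized.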

(4) Warrant to Examine Computer Data (WECD)
The Warrant to Examine Computer Data (WECD) allows law enforcement agencies to
search a computer device or computer system seized during a lawful warrantless arrest or by any other
lawful method such as a valid warrantless seizure, in flagrante delicto, or by voluntary surrender.
Take Note: The four warrants described above are obtained only by law enforcement agencies
(the PNP or the NBI) from Regional Trial Courts specially designated to handle cybercrime cases.
Thus, private complainants will need to coordinate with such agencies if such warrants are to be
obtained.
CYBER CRIME INVESTIGATION
What is Electronic Evidence?
Data obtained from ICT that can be used in a court of law is known as electronic
evidence (a.k.a. digital evidence).

This is information or valuable data stored on a computer, a mobile device or other
electronic device that was seized by a law enforcement organization as part of a criminal
investigation and can be used as evidence in court.

Two types of electronic/digital evidence:

• Volatile: Memory that loses its content once the power is turned off, like data stored in
RAM. It includes information on the programs that are currently being processed by the computer.
• Non-volatile: No change in content even if the power is turned off. For example, data
stored on a tape, hard drive, CD/DVD, and ROM.

Take Note: Law enforcement officers gather and use digital evidence not only for computer crime
or computer-related crime but for traditional crime as well.

What is Digital Forensics?


The process of identifying, acquiring, preserving, analyzing, and presenting electronic
evidence is known as Digital Forensics. 

 The scientific examination and analysis of data held on or retrieved from computer storage
media or network and its presentation in a manner legally acceptable to a Court.

Take Note: FORENSIC – is relating to or dealing with the application of scientific


knowledge to legal problems

What is Digital Footprint?

Refers to the data left behind by ICT users that can reveal information about them.

• Digital forensics is underpinned by forensic principles such as Edmond Locard's exchange
principle, which holds that "objects and surfaces that come into contact will transfer
material from one to another".

• In the field of digital forensics, digital traces are left behind as the result of individuals' use
of information and communication technology (ICT). A person utilizing ICT can leave a
digital footprint.

This digital footprint can be active or passive.

• An active digital footprint is created by data provided by the user, such as personal
information, videos, images, and comments posted on apps, websites, social media, and
other online forums.
An "active digital footprint" includes data that you intentionally submit online. Sending an
email contributes to your active digital footprint, since you expect the data to be seen and/or
saved by another person. The more email you send, the more your digital footprint grows.
• A passive digital footprint is data that is obtained and unintentionally left behind by the
users of the Internet and digital technology.

For example, when you visit a website, the web server may log your IP address, which
identifies your Internet service provider and your approximate location. Although your IP
address may change and does not include any personal information, it is still considered
part of your digital footprint. A more personal aspect of your passive digital footprint is
your search history, which is saved by some search engines while you are logged in.

Take Note: Data that are part of active and passive digital footprints can be used as
evidence

Crime Scene in Cybercrime Cases

With respect to cybercrime, the crime scene is not limited to the physical location of the digital
devices used in the commission of the cybercrime and/or that were the target of the cybercrime.
The cybercrime crime scene also includes the digital devices that potentially hold digital evidence,
and spans multiple digital devices, systems, and servers.

Phases of Digital Forensics

1. Identification. This phase includes the search for and recognition of relevant evidence, as
well as its documentation. In this phase, the priorities for evidence collection are identified
based on the value and volatility of evidence. Also in the identification phase, preliminary
information is obtained about the cybercrime case prior to collecting digital evidence. This
preliminary information (the Six Cardinal Points of Investigation) is similar to that which is
sought during a traditional criminal investigation.

The answers to these questions will provide investigators with guidance on how to proceed with
the case. For example, the answer to the question "where did this crime occur?" - that is, within
or outside of a country's borders will inform the investigator on how to proceed with the case (e.g.,
which agencies should be involved and/or contacted).

2. Collection. This phase involves the collection of all digital devices that could potentially
contain data of evidentiary value. The investigator, or crime scene technician, collects the
evidence. The collection procedures vary depending on the type of digital device.
The most volatile evidence should be collected first, and the least volatile should be
collected last.

3. Acquisition. The collected devices are then transported back to a forensic laboratory or
other facility for acquisition and analysis of digital evidence. This process is known as static
acquisition. However, there are cases in which static acquisition is unfeasible. In such
situations, live acquisition of data is conducted: digital evidence is collected while the
computer is still powered on and the suspect is logged on.
At the forensics laboratory, digital evidence should be acquired in a manner that
preserves the integrity of the evidence. Data is obtained without alteration by creating a
copy of the original content of the digital device, specifically a storage device (a process
known as forensic imaging), while using a device known as a write blocker that is designed
to prevent the alteration of data during the copying process.

Take Note: The seized digital devices are considered as the primary source of evidence. The
digital forensics analyst does not acquire data from the primary source. Instead, a duplicate is
made of the contents of that device and the analyst works on the copy.

Take Note: To determine whether the duplicate is an exact copy of the original, a hash value
is computed for each. If the hash values for the original and the copy match, then the contents
of the duplicate are exactly the same as the original.

Mobile Device Acquisition/Extraction

There are two methods for retrieving data from a cell phone: logical extraction and
physical extraction. Logical extraction is easier and less time-consuming, but returns less
information. Physical extraction is more difficult and takes much longer, but has a greater return
of hidden or deleted information.

Logical Extraction - It creates a copy of the user-accessible files such as the phonebook, calls,
messages, some app data and other data you can see if you manually examine each screen on the
device.

Physical Extraction - It is the most comprehensive and invasive of all the extractions and
includes all unallocated space on the phone, which is why it may include deleted files.

4. Preservation. Evidence preservation seeks to protect digital evidence from modification.
The integrity of digital devices and digital evidence can be established through maintaining
the chain of custody, which is defined as the process by which investigators preserve the
crime scene and evidence throughout the life cycle of a case.
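The acquisition and preservation steps above (forensic imaging, hash comparison of original and copy, and the chain of custody) can be put together in a few lines of Python. The following is an added example, not code from the handout or from any forensic tool; the "seized device" is a constructed byte string, the case and item identifiers are placeholders, and the write blocker is represented only by the fact that the imaging function never writes to its source.

```python
import hashlib
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple

# Constructed sample: stands in for the raw contents of a seized storage device.
SEIZED_DEVICE = b"user data 2023\n" * 2048 + b"\x00" * 512


def sha256_hex(data: bytes) -> str:
    """SHA-256 digest of the data as hex, the way imaging tools report it."""
    return hashlib.sha256(data).hexdigest()


def forensic_image(source: bytes) -> bytes:
    """Bit-for-bit copy of the source.

    This only reads from `source`; on a real drive a hardware write blocker
    guarantees that nothing is written back to the original while copying.
    """
    return bytes(source)


def verify_image(original: bytes, image: bytes) -> Dict[str, object]:
    """Hash original and image; the image is an exact copy only if both match."""
    original_hash = sha256_hex(original)
    image_hash = sha256_hex(image)
    return {
        "original_sha256": original_hash,
        "image_sha256": image_hash,
        "match": original_hash == image_hash,
    }


@dataclass
class CustodyEntry:
    timestamp: str  # ISO 8601, UTC
    action: str     # e.g. "seized", "imaged", "transferred", "analysed"
    handler: str    # person responsible for the item at that step
    sha256: str     # hash of the evidence as handled at that step


class ChainOfCustody:
    """Ordered record of every handling step, each tied to the evidence hash."""

    def __init__(self, case_id: str, item_id: str) -> None:
        self.case_id = case_id
        self.item_id = item_id
        self.entries: List[CustodyEntry] = []

    def record(self, action: str, handler: str, evidence: bytes,
               when: Optional[datetime] = None) -> CustodyEntry:
        when = when or datetime.now(timezone.utc)
        entry = CustodyEntry(when.isoformat(), action, handler, sha256_hex(evidence))
        self.entries.append(entry)
        return entry

    def is_intact(self) -> bool:
        """True when the hash never changed between any two recorded steps."""
        return len({e.sha256 for e in self.entries}) <= 1


def acquire_and_verify(device: bytes, examiner: str) -> Tuple[bytes, ChainOfCustody, Dict[str, object]]:
    """Seize -> image -> verify, writing the custody record as we go."""
    # Case and item identifiers are placeholders, not values from any real case.
    chain = ChainOfCustody(case_id="CASE-PLACEHOLDER", item_id="ITEM-01")
    chain.record("seized", "field officer", device)
    image = forensic_image(device)
    chain.record("imaged", examiner, image)
    result = verify_image(device, image)
    return image, chain, result


if __name__ == "__main__":
    image, chain, result = acquire_and_verify(SEIZED_DEVICE, "examiner A")
    print("image matches original:", result["match"])
    for e in chain.entries:
        print(e.timestamp, e.action, e.handler, e.sha256[:16] + "...")
```

Every handling step records the hash of the item as it stood at that moment, so a later mismatch pinpoints the step at which the evidence changed; that is exactly the record an examiner relies on when the authenticity of an image is challenged in court.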

5. Analysis. The digital forensics process also involves the examination and interpretation of
digital evidence. This phase requires the use of appropriate digital forensic tools and
methods to uncover digital data. There are numerous digital forensics tools on the market,
of varying quality (examples of digital forensics tools include EnCase, IEF, and Autopsy).
The type of digital forensics tool varies depending on the type of digital forensics
investigation conducted. Files are analyzed to determine their origin, and when and where
the data was created, modified, accessed, downloaded, or uploaded.

The purpose of the analysis phase is to determine the significance and probative
value of evidence. The evidence, or other information or data recovered from the storage
media, is examined to determine if and how it could be used against the suspect.

Four Types of Analyses that can be performed:

• Time-frame analysis seeks to create a timeline or time sequence of actions, using
time stamps (date and time), that led to an event, or to determine the time and date a
user performed some action.

• Ownership and possession analysis is used to determine the person who created,
accessed, and/or modified files on a computer system.

• Application and file analysis is performed to examine applications and files on a
computer system to determine the perpetrator's knowledge of, intent, and
capabilities to commit cybercrime.

• Data hiding analysis searches for hidden data on a system. Criminals use several
data-hiding techniques to conceal their illicit activities and identifying information,
such as steganography and encryption.
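Time-frame analysis and ownership/possession analysis are usually done together: the file timestamps are merged with logon records into one timeline, and the account that owns a file is compared with the accounts that actually had a session open when the file was touched. The Python below is an added example written for this handout, not code from any forensic tool; the file metadata and logon records are constructed sample data for a single workstation.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Set

TS_FMT = "%Y-%m-%dT%H:%M:%S"

# Constructed file-system metadata (MAC times, UTC) for two files on one workstation.
FILE_RECORDS = [
    {"path": "/home/alice/plan.docx", "owner": "alice",
     "created": "2023-03-01T09:30:00", "modified": "2023-03-01T10:15:00",
     "accessed": "2023-03-01T13:20:00"},
    {"path": "/tmp/tool.bin", "owner": "bob",
     "created": "2023-03-01T13:05:00", "modified": "2023-03-01T13:05:00",
     "accessed": "2023-03-01T13:06:00"},
]

# Constructed interactive logon/logoff records for the same workstation.
LOGON_RECORDS = [
    {"time": "2023-03-01T09:00:00", "user": "alice", "event": "logon"},
    {"time": "2023-03-01T12:00:00", "user": "alice", "event": "logoff"},
    {"time": "2023-03-01T13:00:00", "user": "bob", "event": "logon"},
    {"time": "2023-03-01T14:00:00", "user": "bob", "event": "logoff"},
]


@dataclass(frozen=True)
class TimelineEvent:
    when: datetime
    source: str    # which artifact the event came from
    account: str   # account recorded in the artifact (file owner or logon name)
    action: str    # created / modified / accessed / logon / logoff
    target: str    # file path or host


def parse_ts(value: str) -> datetime:
    return datetime.strptime(value, TS_FMT)


def build_timeline(files=FILE_RECORDS, logons=LOGON_RECORDS) -> List[TimelineEvent]:
    """Merge file timestamps and logon records into one chronological sequence."""
    events = []
    for rec in files:
        for action in ("created", "modified", "accessed"):
            events.append(TimelineEvent(parse_ts(rec[action]), "filesystem",
                                        rec["owner"], action, rec["path"]))
    for rec in logons:
        events.append(TimelineEvent(parse_ts(rec["time"]), "logon log",
                                    rec["user"], rec["event"], "workstation"))
    return sorted(events, key=lambda e: (e.when, e.source))


def events_between(timeline: List[TimelineEvent], start: str, end: str) -> List[TimelineEvent]:
    """Slice of the timeline in [start, end], both given as ISO timestamps."""
    s, e = parse_ts(start), parse_ts(end)
    return [ev for ev in timeline if s <= ev.when <= e]


def accounts_logged_on_at(logons, at: datetime) -> Set[str]:
    """Accounts with an open interactive session at the given instant."""
    open_sessions: Dict[str, datetime] = {}
    for rec in sorted(logons, key=lambda r: r["time"]):
        when = parse_ts(rec["time"])
        if when > at:
            break
        if rec["event"] == "logon":
            open_sessions[rec["user"]] = when
        elif rec["event"] == "logoff":
            open_sessions.pop(rec["user"], None)
    return set(open_sessions)


def attribute_file_event(path: str, action: str,
                         files=FILE_RECORDS, logons=LOGON_RECORDS) -> Dict[str, object]:
    """Ownership/possession check: the file's owner versus who was actually
    logged on when the file was created, modified or accessed."""
    rec = next(r for r in files if r["path"] == path)
    when = parse_ts(rec[action])
    return {
        "when": rec[action],
        "owner": rec["owner"],
        "logged_on": sorted(accounts_logged_on_at(logons, when)),
    }


if __name__ == "__main__":
    for ev in build_timeline():
        print(ev.when.strftime(TS_FMT), ev.source, ev.account, ev.action, ev.target)
    print(attribute_file_event("/home/alice/plan.docx", "accessed"))
```

In the constructed data the owner of plan.docx is alice, but the 13:20 access falls inside bob's session and after alice logged off; the owner field alone would have pointed at the wrong person, which is why the two analyses are read side by side.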

Take Note: In the world of cybersecurity, steganography is the technique of hiding secret data
within a non-secret, ordinary file or message to avoid being detected. Encryption blocks
third-party access to a file, either by using a password or by rendering the file, or
aspects of the file, unusable.
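Two cheap checks an analyst runs first during data hiding analysis are a file-signature check (does the content match what the extension claims?) and a byte-entropy check (encrypted or compressed content is close to 8 bits per byte, ordinary documents are much lower). The Python below is an added example for this handout, not code from EnCase, IEF or Autopsy; the signature table covers only a handful of formats, the 7.5-bit threshold is an assumed rule of thumb, and the three sample files are constructed.

```python
import math
import random
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Magic bytes for a few common formats (assumed minimal table, not exhaustive).
SIGNATURES = {
    "jpeg": b"\xff\xd8\xff",
    "png": b"\x89PNG\r\n\x1a\n",
    "zip": b"PK\x03\x04",
    "pdf": b"%PDF-",
}
EXTENSION_TYPE = {"jpg": "jpeg", "jpeg": "jpeg", "png": "png",
                  "zip": "zip", "docx": "zip", "pdf": "pdf"}
# Formats that are compressed by design and therefore score high on entropy anyway.
COMPRESSED_TYPES = {"jpeg", "png", "zip"}
HIGH_ENTROPY = 7.5  # bits per byte; assumed threshold for "likely encrypted/compressed"


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0 for uniform content, 8 for random)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def identify_by_signature(data: bytes) -> Optional[str]:
    """Return the format whose magic bytes start the data, or None if unknown."""
    for name, magic in SIGNATURES.items():
        if data.startswith(magic):
            return name
    return None


def assess_file(name: str, data: bytes) -> Dict[str, object]:
    """Flag extension/content mismatches and unexpectedly opaque content."""
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    claimed = EXTENSION_TYPE.get(ext)
    detected = identify_by_signature(data)
    entropy = shannon_entropy(data)
    flags: List[str] = []
    if claimed is not None and detected != claimed:
        flags.append("extension_mismatch")
    if entropy >= HIGH_ENTROPY and claimed not in COMPRESSED_TYPES:
        flags.append("high_entropy")
    return {"name": name, "claimed": claimed, "detected": detected,
            "entropy": round(entropy, 2), "flags": flags}


# Constructed samples: ordinary text, a PNG stored under a .jpg name, and
# seeded pseudo-random bytes standing in for encrypted content.
TEXT_SAMPLE = b"Meeting notes: review the quarterly budget and the audit findings.\n" * 40
MISLABELLED_SAMPLE = SIGNATURES["png"] + b"\x00" * 1024
OPAQUE_SAMPLE = random.Random(2023).randbytes(8192)

SAMPLES: List[Tuple[str, bytes]] = [
    ("notes.txt", TEXT_SAMPLE),
    ("holiday.jpg", MISLABELLED_SAMPLE),
    ("report.pdf", OPAQUE_SAMPLE),
]


def scan(samples: List[Tuple[str, bytes]] = SAMPLES) -> List[Dict[str, object]]:
    return [assess_file(name, data) for name, data in samples]


if __name__ == "__main__":
    for result in scan():
        print(result)
```

A flag here is a lead, not a conclusion: a legitimately encrypted archive also scores high, so flagged files are queued for closer examination (password recovery, carving, steganalysis) rather than treated as proof of concealment.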

6. Reporting. The results of the analysis are documented in a report. This phase includes a
detailed description of the steps taken throughout the digital forensics process, the digital
evidence uncovered, and the conclusions reached based on the results of the digital
forensics process and the evidence revealed.

Common obstacles to cybercrime investigations

1. The anonymity that information and communication technology affords to users. Anonymizers,
or anonymous proxy servers, hide users' identity data by masking/hiding their IP (Internet
Protocol) address or substituting it with a different IP address.

Anonymity enables individuals to engage in activities without revealing themselves and/or
their actions to others.

Take Note: An IP address is a unique identifier assigned to a computer or other Internet-connected
digital device by the Internet service provider when it connects to the Internet.

Did you know?

The Onion Router (or Tor), one of the anonymity networks/systems which enable
anonymous access, was originally developed by the United States Naval Research Laboratory to
protect intelligence. Since the release of Tor to the public, it has been used by individuals to
protect themselves against private and government surveillance of their online activities.
Nonetheless, Tor and other anonymizing networks have also been utilized by cybercriminals to
commit cyber-dependent and cyber-enabled crimes and/or to share information and/or tools for
committing them.

*To identify the Internet service provider (ISP) associated with the IP address, the cybercrime
investigator can use ICANN's WHOIS query tool (https://whois.domaintools.com/). The WHOIS
query tool can be used to identify the contact information and location of the organization
associated with a domain name. The WHOIS query tool can also be used to identify the contact
information and location of the organization associated with an IP address.

Once an ISP has been identified, cybercrime investigators may contact the ISP associated with the
IP address to retrieve the information about the subscriber using that IP address (Lin, 2016);
however, ISPs cannot always be compelled to provide personal information without appropriate
legal documents.

2. The lack of mutual legal assistance on cybercrime matters, and of timely collection,
preservation, and sharing of digital evidence between countries.

Especially for cybercrimes that are politically motivated, there is a general lack of will among
countries to cooperate.

Take Note: In the Philippines, Cyber Warrants can also be enforced even outside the Philippines,
coursed through the DOJ – Office of Cybercrime. The DOJ-OOC is also the Central Authority in all
matters relating to international mutual assistance and extradition, as far as cybercrime is
concerned.

Jurisdiction of Cybercrime Courts

• All Filipino citizens, regardless of the place of commission of the cybercrime
• Any of the elements of the cybercrime committed within the Philippines, or committed with the
use of any computer system wholly or partly situated within the Philippines
• The cybercrime causes damage to a natural or juridical person who, at the time the
offense was committed, was in the Philippines

3. Cybercrime investigators face technical challenges. Investigators may not have the
necessary knowledge, equipment and digital forensics tools needed to adequately conduct
cybercrime investigations involving digital devices.

Common Defenses of Cybercriminals and Evidence to Rebut These Defenses
1. Ghost in the Machine
• Computer infected with a virus
• Computer controlled by a botnet and the defendant had nothing to do with the crime
Take Note: A botnet is a collection of internet-connected devices infected by malware that allows
hackers to control them.
Botnets can be used to perform Distributed Denial-of-Service (DDoS) attacks.
Rebut with evidence
• There is anti-virus software installed on the computer of the defendant
• No known malware found on the computer
• Use other corroborative evidence, such as Google searches for terms relevant to the crime,
hacker tools, etc.
• Provide/look for non-electronic evidence

2. SODDI Defense (Some other dude did it)

• Roommates/other people had access to my computer
• Used a wireless router
• Others have access to the server
Rebut with evidence
• Show firewall logs and remote desktop logs
• There is a password set up on the computer
• Defendant's router was locked down
• Provide non-computer evidence

Take Note: A firewall is a security device — computer hardware or software — that can help
protect your network by filtering traffic and blocking outsiders from gaining unauthorized access
to the private data on your computer.
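"Show firewall logs and remote desktop logs" comes down to one question: at the time of the act, was anyone other than the defendant connected to the machine? The Python below is an added example written for this handout, not code from any forensic or logging product. Both log formats are constructed (a simple firewall connection log and a key=value remote desktop session log), the addresses come from the documentation ranges, and the 60-second slack for matching firewall entries to a session is an assumption.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

TS_FMT = "%Y-%m-%d %H:%M:%S"

# Constructed sample logs for a host at 192.0.2.10 (documentation address ranges).
FIREWALL_LOG = """\
2023-03-01 22:14:05 ALLOW TCP 203.0.113.7:51522 -> 192.0.2.10:3389
2023-03-01 22:14:06 DENY TCP 198.51.100.9:44000 -> 192.0.2.10:445
2023-03-01 22:40:11 ALLOW TCP 203.0.113.7:51540 -> 192.0.2.10:3389
2023-03-01 23:05:42 DENY TCP 198.51.100.9:44010 -> 192.0.2.10:3389
"""

RDP_LOG = """\
2023-03-01 22:14:07 user=jdoe event=logon session=3 source=203.0.113.7
2023-03-01 22:52:30 user=jdoe event=logoff session=3
"""

FW_RE = re.compile(r"^(\S+ \S+) (ALLOW|DENY) (\w+) ([\d.]+):(\d+) -> ([\d.]+):(\d+)$")


@dataclass
class FirewallEntry:
    when: datetime
    action: str
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass
class RemoteSession:
    user: str
    session_id: str
    source_ip: str
    logon: datetime
    logoff: Optional[datetime]  # None if the session was still open at the end of the log


def parse_firewall(text: str) -> List[FirewallEntry]:
    entries = []
    for line in text.splitlines():
        m = FW_RE.match(line.strip())
        if not m:
            continue  # skip anything that is not a connection record
        ts, action, proto, sip, sport, dip, dport = m.groups()
        entries.append(FirewallEntry(datetime.strptime(ts, TS_FMT), action, proto,
                                     sip, int(sport), dip, int(dport)))
    return entries


def parse_rdp_sessions(text: str) -> List[RemoteSession]:
    sessions: Dict[str, RemoteSession] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        when = datetime.strptime(line[:19], TS_FMT)
        fields = dict(kv.split("=", 1) for kv in line[20:].split())
        sid = fields["session"]
        if fields["event"] == "logon":
            sessions[sid] = RemoteSession(fields["user"], sid, fields["source"], when, None)
        elif fields["event"] == "logoff" and sid in sessions:
            sessions[sid].logoff = when
    return list(sessions.values())


def sessions_active_at(sessions: List[RemoteSession], at: datetime) -> List[RemoteSession]:
    return [s for s in sessions if s.logon <= at and (s.logoff is None or at <= s.logoff)]


def corroborating_firewall_entries(fw: List[FirewallEntry], session: RemoteSession,
                                   slack: timedelta = timedelta(seconds=60)) -> List[FirewallEntry]:
    """Permitted connections from the session's source to the RDP port (3389)
    between shortly before logon and logoff; independent evidence that the
    remote session in the RDP log really happened."""
    end = session.logoff or datetime.max
    return [e for e in fw if e.action == "ALLOW" and e.src_ip == session.source_ip
            and e.dst_port == 3389 and session.logon - slack <= e.when <= end]


def assess_remote_access_claim(firewall_text: str, rdp_text: str, time_of_act: str) -> Dict[str, object]:
    """Was a remote user connected at the time of the act, and do the two logs agree?"""
    fw = parse_firewall(firewall_text)
    active = sessions_active_at(parse_rdp_sessions(rdp_text), datetime.strptime(time_of_act, TS_FMT))
    return {
        "remote_session_active": bool(active),
        "sessions": [{"user": s.user, "source_ip": s.source_ip,
                      "corroborating_firewall_entries": len(corroborating_firewall_entries(fw, s))}
                     for s in active],
    }


if __name__ == "__main__":
    print(assess_remote_access_claim(FIREWALL_LOG, RDP_LOG, "2023-03-01 22:30:00"))
    print(assess_remote_access_claim(FIREWALL_LOG, RDP_LOG, "2023-03-01 23:10:00"))
```

Run against the constructed logs, an act at 22:30 coincides with a remote session from 203.0.113.7 that both logs agree on, so the SODDI claim has support and the investigation turns to that address; an act at 23:10 shows no session at all, which is the evidence the prosecution would present to rebut the same claim.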

3. Being Framed
• My computer was clean when it was taken
• Something must have happened when the computer was imaged
Rebut with evidence
• Time/date stamps on imaging
• Imaging process and verification with hash values to prove authenticity of the data
• Explain the forensic imaging process

Common Digital data acquisition and analysis tools

1. EnCase
○ Recover active and deleted files
○ Email and file system analysis
○ Malicious code discovery

2. Internet Evidence Finder (IEF)
○ Similar to EnCase but focuses mostly on internet artifacts
○ Find and analyze digital evidence from computers, smartphones and tablets
○ User-friendly interface

3. Autopsy
○ Similar to EnCase in overall features
○ Email and file system analysis
○ Advanced searches
○ File type identification
○ Data carving
