
INTRODUCTION TO CYBERCRIMES
A Textbook for BS Criminology Students and Practitioners

ARLAN G. REBURON

Wiseman's Books Trading, Inc.

ISBN: 978-621-418-271-8
Chapter I
Introduction to Cybercrime
Chapter objectives
At the end of this chapter, students should be able to:
1. explain why cybercrime is worth studying; and
2. distinguish the different types of cybercrime.

What is Cybercrime
Cybercrime goes beyond its technical dimension. Its offenders deliberately shape their attacks to exploit the weaknesses that follow from the transnational nature of the information infrastructure: an attack can be launched from one jurisdiction against victims in many others, beyond the reach of any single police force.
It threatens the substantial and growing reliance of commerce, governments, and the public on the information infrastructure to conduct business, carry messages, and process information.
Cybercrime is criminal activity that either targets or uses a computer, a computer network or a networked device.
Most, but not all, cybercrime is committed by cybercriminals or hackers who want to make money. Cybercrime is carried out by individuals or by organizations.
Some cybercriminals are organized, use advanced techniques and are highly skilled technically. Others are novices.
Less often, cybercrime aims to damage computers for reasons other than profit; these motives may be political, ideological or personal.
Cybercrime is one of the fastest-growing non-violent crimes in the Asian region. Addressing it takes a great deal of technical expertise and co-operation, both local and foreign. The crime affects countries to varying degrees, depending on how far each country's legislation has kept pace with it.
In the Philippines, as the technical and electronic landscape changes, there is a need to enact new laws or amend existing ones to fully address cyber threats.

Types
Here are some specific examples of the
different types of cybercrime:
• Email and internet fraud.
• Identity fraud (where personal information is
stolen and used).
• Theft of financial or card payment data.
• Theft and sale of corporate data.
• Cyberextortion (demanding money to prevent a
threatened attack).
• Ransomware attacks (a type of cyberextortion).
• Cryptojacking (where hackers mine cryptocurrency using computing resources they do not own).
• Cyberespionage (where hackers access
government or company data).

Most cybercrime falls under two main categories:
• Criminal activity that targets computers.
• Criminal activity that uses computers to commit other crimes.
Cybercrime that targets computers often involves viruses and other types of malware.

Cybercriminals may infect computers with viruses
and malware to damage devices or stop them working.
They may also use malware to delete or steal data.
Cybercrime that stops users using a machine or
network, or prevents a business providing a software
service to its customers, is called a Denial-of-Service (DoS)
attack.
Cybercrime that uses computers to commit other
crimes may involve using computers or networks to
spread malware, illegal information or illegal images.
Sometimes cybercriminals conduct both categories
of cybercrime at once. They may target computers with
viruses first. Then, use them to spread malware to other
machines or throughout a network.
Cybercriminals may also carry out what is known as a Distributed Denial-of-Service (DDoS) attack. This is similar to a DoS attack, but the cybercriminals use numerous compromised computers to carry it out.
The US Department of Justice recognizes a third
category of cybercrime which is where a computer is
used as an accessory to crime. An example of this is
using a computer to store stolen data.
The US has signed the Council of Europe Convention on Cybercrime (the Budapest Convention). The convention casts a wide net, and there are numerous malicious computer-related acts which it considers cybercrime. For example:
• Illegally intercepting or stealing data.
• Interfering with systems in a way that compromises
a network.
• Infringing copyright.
• Illegal gambling.
• Selling illegal items online.
• Soliciting, producing or possessing child
pornography.

Examples of cybercrime
So, what exactly counts as cybercrime? And are there any well-known examples?
In this section, we look at famous examples of the different types of cybercrime attack used by cybercriminals. Read on to understand what counts as cybercrime.
Malware attacks
A malware attack is where a computer system or network is infected with a computer virus or another type of malware.
A computer compromised by malware could be used by cybercriminals for several purposes. These include stealing confidential data, using the computer to carry out other criminal acts, or causing damage to data.
A famous example of a malware attack is the WannaCry ransomware attack, a global cybercrime committed in May 2017.
Ransomware is a type of malware used to extort money by holding the victim's data or device to ransom.
WannaCry is a type of ransomware which targeted a vulnerability in the file-sharing (SMBv1) service of computers running Microsoft Windows. Microsoft had published a fix for that vulnerability (security bulletin MS17-010) two months before the attack; WannaCry spread by itself, without any action by the user, to machines that had not yet installed it.
When the WannaCry ransomware attack hit, around 230,000 computers were affected across 150 countries. Users were locked out of their files and shown a message demanding that they pay a Bitcoin ransom to regain access.
Worldwide, the WannaCry cybercrime is estimated to have caused $4 billion in financial losses.

Phishing
A phishing campaign is when spam emails, or other forms of communication, are sent en masse with the intention of tricking recipients into doing something that undermines their security or the security of the organization they work for.
Phishing messages may contain infected attachments or links to malicious sites, or they may ask the receiver to respond with confidential information.
A famous example of a phishing scam from 2018 was one which took place around the World Cup. According to reports by Inc., the World Cup phishing scam involved emails that were sent to football fans.
These spam emails tried to entice fans with fake free trips to Moscow, where the World Cup was being hosted. People who opened these emails and clicked on the links they contained had their personal data stolen.
Another type of phishing campaign is known as spear-phishing. These are targeted phishing campaigns which try to trick specific individuals into jeopardizing the security of the organization they work for.
Unlike mass phishing campaigns, which are very general in style, spear-phishing messages are typically crafted to look like messages from a trusted source. For example, they are made to look like they have come from the CEO or the IT manager. They may not contain any visual clues that they are fake, so the tell-tale signs are usually in the message headers (the true sending address and its domain, the Reply-To address, and the receiving server's sender-authentication results) rather than in the visible text.
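Because a well-made spear-phishing message gives the reader nothing visible to go on, the checks that actually catch it are mechanical ones on the headers. The following is an added example for this section, not code from the textbook: it flags a look-alike sender domain, a trusted address smuggled into the display name, a Reply-To pointing elsewhere, and a missing SPF/DKIM pass. The two messages and all domains in them (example.com, examp1e.com, example.net) are constructed for illustration; the list of confusable characters is an assumption and would be extended in practice.

```python
"""Header checks for a suspected spear-phishing message.

Added example for this section, not code from the textbook. The two messages
below are constructed for illustration; the domains example.com, examp1e.com
and example.net are reserved documentation names, not real senders.
"""
from email import message_from_string
from email.utils import parseaddr

# Character swaps commonly used to build look-alike domains (assumed list).
# Mapping a domain through these gives a "skeleton"; two domains with the same
# skeleton but different spelling are look-alikes (examp1e.com vs example.com).
CONFUSABLES = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"))


def skeleton(domain):
    d = domain.lower()
    for fake, real in CONFUSABLES:
        d = d.replace(fake, real)
    return d


def domain_of(address):
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def sender_anomalies(raw_message, trusted_domain):
    """Return a list of anomaly codes for a message that claims to come from
    someone at `trusted_domain`. An empty list means no header-level red flags."""
    msg = message_from_string(raw_message)
    trusted = trusted_domain.lower()
    findings = []

    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(from_addr)

    # The address is not from the trusted domain at all, or only looks like it.
    if from_domain != trusted:
        if skeleton(from_domain) == skeleton(trusted):
            findings.append("lookalike-domain")
        else:
            findings.append("foreign-domain")

    # The display name carries a trusted-looking address while the real
    # address sits elsewhere; many mail clients show only the display name.
    if "@" + trusted in display_name.lower() and from_domain != trusted:
        findings.append("embedded-trusted-address")

    # Replies are silently redirected to a third party.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and domain_of(reply_to) != from_domain:
        findings.append("reply-to-mismatch")

    # The receiving server's SPF/DKIM verdict (Authentication-Results header)
    # is not a clean pass for both mechanisms.
    auth = msg.get("Authentication-Results", "").lower()
    if "spf=pass" not in auth or "dkim=pass" not in auth:
        findings.append("auth-not-pass")

    return findings


# Constructed messages (headers only; the bodies play no part in these checks).
LEGITIMATE = """\
From: "Alice Reyes" <alice.reyes@example.com>
To: finance@example.com
Subject: Q3 figures
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com

Attached as discussed.
"""

SPEAR_PHISH = """\
From: "Alice Reyes alice.reyes@example.com" <ceo-office@examp1e.com>
Reply-To: <urgent-payment@mail-relay.example.net>
To: finance@example.com
Subject: Urgent wire transfer
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=examp1e.com; dkim=none

Please process the attached payment today and keep it confidential.
"""

if __name__ == "__main__":
    print("legitimate:", sender_anomalies(LEGITIMATE, "example.com"))
    print("spear-phish:", sender_anomalies(SPEAR_PHISH, "example.com"))
```

Note that the forged message passes SPF: the attacker owns examp1e.com and is entitled to send from it. SPF and DKIM only say that the mail really came from the domain in the headers; they say nothing about whether that domain is the one the reader thinks it is, which is why the look-alike check has to be a separate step.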
Distributed DoS attacks
Distributed DoS attacks (DDoS) are a type of cybercrime attack that cybercriminals use to bring down a system or network. Sometimes connected IoT (internet of things) devices are used to launch DDoS attacks.
A DDoS attack overwhelms a system by flooding it, over the ordinary protocols it already speaks (for example, TCP connection attempts or HTTP requests), with far more requests than it can handle, so that legitimate users can no longer be served. The "distributed" part is what makes it hard to stop: the traffic comes from many compromised machines at once, so no single source can simply be blocked.
Cybercriminals who are carrying out cyberextortion may use the threat of a DDoS attack to demand money. Alternatively, a DDoS may be used as a distraction tactic while another type of cybercrime takes place.
A famous example of this type of attack is the 2017
DDoS attack on the UK National Lottery website. This
brought the lottery’s website and mobile app offline,
preventing UK citizens from playing.
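The difference between a DoS and a DDoS is visible in the victim's own logs, and the distinction decides the response (block one address, or absorb and filter traffic from thousands). The following added example, not code from the textbook, scans web-server access-log lines for the busiest ten-second window and classifies it as normal, a single-source DoS or a distributed flood. The log lines are constructed (Common Log Format, using the documentation IP ranges), and the window, threshold and dominance share are assumptions that a real deployment would tune to its own traffic.

```python
"""Telling a single-source DoS from a distributed flood in web-server logs.

Added example for this section, not code from the textbook. The access-log
lines are constructed (Common Log Format, documentation IP ranges); the
window and threshold values are assumptions to be tuned for a real site.
"""
import re
from collections import Counter
from datetime import datetime, timedelta, timezone

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) (\S+)')
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (source_ip, timestamp, request) for one access-log line, or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    host, stamp, request, _status, _size = m.groups()
    return host, datetime.strptime(stamp, TIME_FMT), request


def classify_flood(lines, window=timedelta(seconds=10), threshold=50, single_source_share=0.5):
    """Find the busiest `window` in the log and classify it.

    normal: fewer than `threshold` requests in any window
    dos:    a flood where one source sends at least `single_source_share` of it
    ddos:   a flood spread across many sources, none of them dominant
    """
    events = sorted((e for e in map(parse_line, lines) if e), key=lambda e: e[1])
    if not events:
        return {"verdict": "normal", "peak_requests": 0, "distinct_sources": 0, "top_share": 0.0}

    # Sliding window over the time-ordered events: keep the densest one.
    best_count, best_start, start = 0, 0, 0
    for end in range(len(events)):
        while events[end][1] - events[start][1] >= window:
            start += 1
        if end - start + 1 > best_count:
            best_count, best_start = end - start + 1, start
    peak = events[best_start:best_start + best_count]

    per_source = Counter(src for src, _, _ in peak)
    top_source, top_hits = per_source.most_common(1)[0]
    top_share = top_hits / best_count

    if best_count < threshold:
        verdict = "normal"
    elif top_share >= single_source_share:
        verdict = "dos"
    else:
        verdict = "ddos"
    return {"verdict": verdict, "peak_requests": best_count,
            "distinct_sources": len(per_source), "top_source": top_source,
            "top_share": round(top_share, 2)}


def build_log(sources, start=datetime(2017, 9, 30, 12, 0, 0, tzinfo=timezone.utc)):
    """Construct one log line per entry in `sources`, ten requests per second."""
    lines = []
    for i, src in enumerate(sources):
        stamp = (start + timedelta(seconds=i // 10)).strftime(TIME_FMT)
        lines.append(f'{src} - - [{stamp}] "GET /play HTTP/1.1" 200 512')
    return lines


# Constructed traffic: a quiet period, one host hammering the site, and a
# botnet of 30 hosts that together produce the same volume as the single host.
NORMAL_SOURCES = ["192.0.2.10", "192.0.2.11", "192.0.2.10", "192.0.2.12", "192.0.2.11"]
DOS_SOURCES = ["198.51.100.7"] * 60
DDOS_SOURCES = [f"203.0.113.{n}" for n in range(1, 31)] * 2


def demo():
    """Verdict for each constructed scenario, keyed by scenario name."""
    return {name: classify_flood(build_log(srcs))["verdict"]
            for name, srcs in (("normal", NORMAL_SOURCES), ("dos", DOS_SOURCES), ("ddos", DDOS_SOURCES))}


if __name__ == "__main__":
    for name, srcs in (("normal", NORMAL_SOURCES), ("dos", DOS_SOURCES), ("ddos", DDOS_SOURCES)):
        print(name, classify_flood(build_log(srcs)))
```

The two floods have identical volume; only the source distribution separates them, which is exactly why a DDoS cannot be dealt with by blocking the top talker.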
Cybercrime in PH
The public is aware of the importance of legislation that supports police efforts against computer crimes. Onel de Guzman, the Philippine dropout who, in May 2000, created and unleashed a remarkably dangerous computer virus called "I LOVE YOU", cost several companies, governments, and citizens billions of US dollars in damages. In August of the same year, the charges against him in our country were dismissed, mainly because we had not yet passed legislation addressing the acts he had committed. The public around the world was justifiably outraged.

1. The "I LOVE YOU" Computer Virus
The virus was received in e-mail inboxes in Hong Kong on 4 May 2000, with the subject "I LOVE YOU" and an attachment named "LOVE-LETTER-FOR-YOU.TXT.vbs". The double extension was part of the deception: Windows hid the final ".vbs" by default, so the attachment appeared to be a harmless text file when it was in fact a Visual Basic script that ran as soon as it was opened. It overwrote image and script files on the computer with copies of itself, harvested the contact addresses in the computer's address book, and sent the same e-mail to every contact listed there. Once received and opened on another computer, it repeated everything it had done before. The replication went on and on, sweeping through all computers where the e-mail was received and opened, from Hong Kong, to Europe, to the United States, infecting and damaging the computers and networks of small and big companies and of private and government institutions. The damage was about US$5.5 billion; some reports say US$10 billion.
2. Arrest of the Suspect
An international manhunt was conducted; the investigators traced the origin of the virus to its creator, a programming student (Onel de Guzman) at the AMA Computer University in Manila.
When arrested (11 May 2000), the suspect apologized to the public and said he had no intention of causing such great harm. Government prosecutors filed cases against him, but even at the first stage the indictment was dismissed, as there was no law penalizing the act at the time (May 2000) in the Philippines.

NULLUM CRIMEN, SINE LEGE! (No crime without a law.)

3. Effect of the "I LOVE YOU" Virus
The "I LOVE YOU" virus illustrated that a person armed with a computer could, from a distant location, attack and/or disrupt computers and networks worldwide and cause severe damage.

Source: Chief, Anti-Transnational Crime Division, Criminal Investigation and Detection Group, Philippine National Police.

The Philippine National Police (PNP) Efforts
At the forefront of this cybercrime information campaign is the Anti-Transnational Crime Division (ATCD) of the Criminal Investigation and Detection Group (CIDG) of the Philippine National Police (PNP).
The ATCD-CIDG has a dedicated computer forensic laboratory manned by certified computer forensic examiners (EnCase Certified Examiners, EnCE) and trained computer crime investigators.
At present, numerous reports of emerging cybercrimes are emanating from the country, particularly cyber-sex and child trafficking rings.
With this development, the PNP has focused its efforts on a cybercrime information campaign within the organization. It aims to promote a deeper understanding of the impact of cybercrime and to solicit the concerns and insights of the community on cybercrime-related incidents. Likewise, it has established links with foreign counterparts in order to fight the threat posed by cybercrime operations.
The first Filipino to be convicted of cybercrime, specifically hacking, was JJ Maria Giner. He was convicted in September 2005 by Manila Metropolitan Trial Court (MTC) Branch 14 Judge Rosalyn Mislos-Loja. Giner pleaded guilty to hacking the government portal "gov.ph" and other government websites. He was sentenced to one to two years of imprisonment and fined Php100,000. However, he immediately applied for probation, which the court eventually granted. The conviction is now considered a landmark case, as he is the first local hacker to be convicted under Section 33(a) of the Electronic Commerce Act of 2000 (Republic Act No. 8792), the provision that penalizes hacking or cracking.

REPUBLIC ACT NO. 10175
AN ACT DEFINING CYBERCRIME, PROVIDING FOR THE PREVENTION, INVESTIGATION, SUPPRESSION AND THE IMPOSITION OF PENALTIES THEREFOR AND FOR OTHER PURPOSES

PRELIMINARY PROVISIONS
Section 1. Title. — This Act shall be known as the "Cybercrime Prevention Act of 2012".
Section 2. Declaration of Policy.— The State recognizes the vital
role of information and communications industries such
as content production, telecommunications,
broadcasting, electronic commerce, and data processing,
in the nation’s overall social and economic development.
The State also recognizes the importance of providing
an environment conducive to the development,
acceleration, and rational application and exploitation
of information and communications technology (ICT) to
attain free, easy, and intelligible access to exchange
and/or delivery of information; and the need to protect
and safeguard the integrity of computer, computer and
communications systems, networks, and databases,
and the confidentiality, integrity, and availability of
information and data stored therein, from all forms of
misuse, abuse, and illegal access by making punishable
under the law such conduct or conducts. In this light, the
State shall adopt sufficient powers to effectively prevent
and combat such offenses by facilitating their detection,
investigation, and prosecution at both the domestic and
international levels, and by providing arrangements for
fast and reliable international cooperation.

Section 3. Definition of Terms. — For purposes of this Act, the following terms are hereby defined as follows:
(a) Access refers to the instruction, communication
with, storing data in, retrieving data from, or otherwise
making use of any resources of a computer system or

communication network.
(b) Alteration refers to the modification or change, in
form or substance, of an existing computer data or
program.
(c) Communication refers to the transmission of
information through ICT media, including voice,
video and other forms of data.
(d) Computer refers to an electronic, magnetic,
optical, electrochemical, or other data processing
or communications device, or grouping of such
devices, capable of performing logical, arithmetic,
routing, or storage functions and which includes
any storage facility or equipment or
communications facility or equipment directly
related to or operating in conjunction with such
device. It covers any type of computer device
including devices with data processing
capabilities like mobile phones, smart phones,
computer networks and other devices connected
to the internet.
(e) Computer data refers to any representation of facts,
information, or concepts in a form suitable for
processing in a computer system including a
program suitable to cause a computer system to
perform a function and includes electronic
documents and/or electronic data messages
whether stored in local computer systems or online.
(f) Computer program refers to a set of instructions
executed by the computer to achieve intended
results.
(g) Computer system refers to any device or group of
interconnected or related devices, one or more of
which, pursuant to a program, performs automated
processing of data. It covers any type of device
with data processing capabilities including, but not
limited to, computers and mobile phones. The
device consisting of hardware and software may
include input, output and storage components
which may stand alone or be connected in a
network or other similar devices. It also includes
computer data storage devices or

media.
(h) Without right refers to either: (i) conduct
undertaken without or in excess of authority;
or (ii) conduct not covered by established legal
defenses, excuses, court orders, justifications, or
relevant principles under the law.
(i) Cyber refers to a computer or a computer
network, the electronic medium in which online
communication takes place.
(j) Critical infrastructure refers to the computer
systems, and/or networks, whether physical or
virtual, and/or the computer programs,
computer data and/or traffic data so vital to this
country that the incapacity or destruction of or
interference with such system and assets would
have a debilitating impact on security, national or
economic security, national public health and
safety, or any combination of those matters.
(k) Cybersecurity refers to the collection of tools,
policies, risk management approaches, actions,
training, best practices, assurance and
technologies that can be used to protect the cyber
environment and organization and user’s assets.
(l) Database refers to a representation of information,
knowledge, facts, concepts, or instructions which
are being prepared, processed or stored or have
been prepared, processed or stored in a formalized
manner and which are intended for use in a
computer system.
(m) Interception refers to listening to, recording,
monitoring or surveillance of the content of
communications, including procuring of the
content of data, either directly, through access and
use of a computer system or indirectly, through
the use of electronic eavesdropping or tapping
devices, at the same time that the communication
is occurring.
(n) Service provider refers to:
(1) Any public or private entity that provides to
users of its service the ability to communicate

by means of a computer system; and
(2) Any other entity that processes or stores
computer data on behalf of such communication
service or users of such service.
(o) Subscriber’s information refers to any information
contained in the form of computer data or any other
form that is held by a service provider, relating to
subscribers of its services other than traffic or
content data and by which identity can be
established:
(1) The type of communication service used, the
technical provisions taken thereto and the
period of service;
(2) The subscriber’s identity, postal or geographic
address, telephone and other access numbers,
any assigned network address, billing and
payment information, available on the basis of
the service agreement or arrangement; and
(3) Any other available information on the site of the
installation of communication equipment,
available on the basis of the service agreement
or arrangement.
(p) Traffic data or non-content data refers to any
computer data other than the content of the
communication including, but not limited to, the
communication’s origin, destination, route, time,
date, size, duration, or type of underlying service.

PUNISHABLE ACTS
Section 4. Cybercrime Offenses. — The following acts
constitute the offense of cybercrime punishable under this
Act:
(a) Offenses against the confidentiality, integrity and
availability of computer data and systems:
(1) Illegal Access. – The access to the whole or any
part of a computer system without right.

(2) Illegal Interception. – The interception made by
technical means without right of any nonpublic
transmission of computer data to, from, or
within a computer system including
electromagnetic emissions from a computer
system carrying such computer data.
(3) Data Interference. — The intentional or reckless
alteration, damaging, deletion or deterioration
of computer data, electronic document,
or electronic data message, without right,
including the introduction or transmission of
viruses.
(4) System Interference. — The intentional
alteration or reckless hindering or interference
with the functioning of a computer or computer
network by inputting, transmitting, damaging,
deleting, deteriorating, altering or suppressing
computer data or program, electronic
document, or electronic data message, without
right or authority, including the introduction
or transmission of viruses.
(5) Misuse of Devices.
(i) The use, production, sale, procurement,
importation, distribution, or otherwise
making available, without right, of:
(aa) A device, including a computer program,
designed or adapted primarily for the
purpose of committing any of the
offenses under this Act; or
(bb) A computer password, access code, or
similar data by which the whole or any
part of a computer system is capable of
being accessed with intent that it be used
for the purpose of committing any of the
offenses under this Act.
(ii) The possession of an item referred to in
paragraphs 5(i)(aa) or (bb) above with intent
to use said devices for the purpose of
committing any of the offenses under this
section.

(6) Cyber-squatting. – The acquisition of a domain
name over the internet in bad faith to profit,
mislead, destroy reputation, and deprive
others from registering the same, if such a
domain name is:
(i) Similar, identical, or confusingly similar to an
existing trademark registered with the
appropriate government agency at the time
of the domain name registration:
(ii) Identical or in any way similar with the
name of a person other than the registrant,
in case of a personal name; and
(iii) Acquired without right or with intellectual
property interests in it.
(b) Computer-related Offenses:
(1) Computer-related Forgery. —
(i) The input, alteration, or deletion of any
computer data without right resulting in
inauthentic data with the intent that it be
considered or acted upon for legal purposes
as if it were authentic, regardless whether or
not the data is directly readable and
intelligible; or
(ii) The act of knowingly using computer data
which is the product of computer-related
forgery as defined herein, for the purpose of
perpetuating a fraudulent or dishonest
design.
(2) Computer-related Fraud. — The unauthorized
input, alteration, or deletion of computer data
or program or interference in the functioning
of a computer system, causing damage
thereby with fraudulent intent: Provided, That
if no damage has yet been caused, the penalty
imposable shall be one (1) degree lower.
(3) Computer-related Identity Theft. – The
intentional acquisition, use, misuse, transfer,
possession, alteration or deletion of identifying
information belonging to another, whether

natural or juridical, without right: Provided,
That if no damage has yet been caused, the
penalty imposable shall be one (1) degree lower.
(c) Content-related Offenses:
(1) Cybersex. — The willful engagement,
maintenance, control, or operation, directly or
indirectly, of any lascivious exhibition of
sexual organs or sexual activity, with the aid of
a computer system, for favor or consideration.
(2) Child Pornography. — The unlawful or
prohibited acts defined and punishable by
Republic Act No. 9775 or the Anti-Child
Pornography Act of 2009, committed through
a computer system: Provided, That the penalty
to be imposed shall be (1) one degree higher
than that provided for in Republic Act No. 9775.
(3) Unsolicited Commercial Communications. —
The transmission of commercial electronic
communication with the use of computer
system which seek to advertise, sell, or offer
for sale products and services are prohibited
unless:
(i) There is prior affirmative consent from the
recipient; or
(ii) The primary intent of the communication is
for service and/or administrative
announcements from the sender to its
existing users, subscribers or customers; or
(iii) The following conditions are present:
(aa) The commercial electronic communication
contains a simple, valid, and reliable way
for the recipient to reject receipt of further
commercial electronic messages (opt-out)
from the same source;
(bb) The commercial electronic
communication does not purposely
disguise the source of the electronic
message; and

(cc) The commercial electronic
communication does not purposely
include misleading information in any
part of the message in order to induce
the recipients to read the message.
(4) Libel. — The unlawful or prohibited acts of libel
as defined in Article 355 of the Revised Penal
Code, as amended, committed through a
computer system or any other similar means
which may be devised in the future.
Section 5. Other Offenses. — The following acts shall
also constitute an offense:
(a) Aiding or Abetting in the Commission of
Cybercrime. – Any person who willfully abets
or aids in the commission of any of the offenses
enumerated in this Act shall be held liable.
(b) Attempt in the Commission of Cybercrime. — Any
person who willfully attempts to commit any of the
offenses enumerated in this Act shall be held liable.
Section 6. All crimes defined and penalized by the
Revised Penal Code, as amended, and special laws, if
committed by, through and with the use of information
and communications technologies shall be covered by
the relevant provisions of this Act: Provided, That the
penalty to be imposed shall be one (1) degree higher
than that provided for by the Revised Penal Code, as
amended, and special laws, as the case may be.
Section 7. Liability under Other Laws. — A prosecution under this Act shall be without prejudice to any liability for violation of any provision of the Revised Penal Code, as amended, or special laws.

The text above must be read together with Disini v. Secretary of Justice (G.R. No. 203335, 2014), in which the Supreme Court struck down Section 4(c)(3) on unsolicited commercial communications as unconstitutional, upheld online libel under Section 4(c)(4) only as against the original author of the post, and held Sections 5 and 7 unconstitutional insofar as they apply to online libel and child pornography.

Chapter II
First Responder's Guide

The first responder is an operative who responds to a scene first, either dispatched or present at the time the crime happened.
Always obtain passwords and/or security codes for all pieces of digital evidence.
Points to consider:
1. Where are the digital crime scenes? These crime
scenes may include:
(a) locations within the jurisdiction, like homes,
where computers and other digital devices are
located;
(b) offices and business networks; and
(c) third-party providers like internet or cellular
service providers. The legal and technical
considerations for digital evidence collection
vary depending upon the type of crime scene.
2. Is there an ongoing risk of injury or loss to any
person or property?
3. What is the motive for the offense? Determining
motive will help the investigator locate essential
witnesses and critical evidence.
4. What computers, mobile devices, digital media, or
internet accounts do the victims, witnesses, and
suspects use? How and where do these individuals
access these systems and/or devices?
5. Is evidence of the crime also held by a third-party internet, cellular, or remote computing service provider? If so, collection of the information may be subject to the statutes governing law enforcement access to records and communications held by these providers. Preserve any records, communications, or subscriber information held by these providers using the freeze order in this Guide, then consult with legal counsel or your local prosecutor.
6. For computer systems, what is the name of each
person who uses the computer? What are each
users’ account name(s), privileges, passwords,
and usage habits?
7. For computer systems and mobile devices, what
operating system is installed? What applications on
the computer or mobile device relate to the current
investigation?
8. Are there any data encryption, security, or backup
applications installed on the device? What are the
names of the applications, and passwords to
bypass the security? Where is backup data saved?
(i.e., cloud account, removable media, computer
system, etc.)
9. What internet-based (i.e., social network, web,
electronic mail, etc.) or cellular services or
accounts do the witnesses and suspects in your
case use? How are they accessed by the user?
What are the user names and passwords? Does
anyone else have access to or use these accounts?
10. Has the witness or suspect lost, lent out, allowed
access to, or experienced problems with a device
or computer that contains evidence? If the answer
is yes, ask for a detailed explanation.
Frequently Seized Devices - Smartphones and Other
Mobile Devices
Step 1 - Document the device and all collection
procedures and information
• Photograph
• Video
• Sketch
• Notes
• Chain of custody
Step 2 - Determine if the device is on or off
• Look for lights

• Listen for sounds
• Feel for vibrations or heat
NOTE: Many mobile devices save power by turning off
screens after a specified amount of time. Despite the
screen status, the device is likely still active. Ask if the
device is currently powered on. Where legal, pressing the
home button quickly will activate the screen.
Step 3 - If the device is off, do not turn it on
• Collect and package
• Ask for password/pass pattern
• Transport ASAP
Step 4 - If the device is on, proceed with caution
WARNING - The two most significant challenges for
officers seizing mobile devices are:
(1) isolating the device from cellular and Wi-Fi
networks; and
(2) obtaining security passwords or pass patterns for
the device so the evidence can be examined
forensically.
Always ask if there is any security feature enabled on the phone. These can include passwords (simple or complex), security/wiping apps, pass patterns, or biometrics (facial scan). Document (see the attached consent form for guidance) and confirm the password or pass pattern. Turning the device off could result in the loss of evidence. The best option is to keep the device powered, unlocked (if locked, collect any available passwords, PIN codes, or security unlock information), and in airplane mode until it is in the hands of an experienced technician.
Step 5 - Collection and Package
WARNING - You may need to collect other forensic
evidence including fingerprints, biological samples,
DNA, etc. from smartphones and mobile devices. Work
with crime scene technicians or trained forensic
personnel to preserve such evidence without disturbing
the integrity of the data on the device. Be sure to advise
forensic examiners in advance of submission of the
possible existence of hazardous material on the device.

• Secure data and power cables
• Consider collecting computers that may contain device backups
• Package the device so it will not be physically
damaged or deformed
• Package the device in evidence bags or boxes
Step 6 - Transport
• Deliver evidence to a secure law enforcement
facility or digital evidence laboratory as soon as
possible
• Protect from temperature extremes and moisture
Frequently Seized Devices – Laptop and Desktop
Computer Systems
Step 1 - Document the System
• Photograph
• Video
• Sketch
• Notes
• Chain of custody
Step 2 - Determine if the system is on or off
• Apply the “Look, Listen, and Feel” test
• Look for flashing lights, listen for sounds, and
feel for heat or vibrations
Step 3 - If the system is off, do not turn it on
• Disassemble (see Step 5)
• Transport (see Step 6)
Step 4 – If the system is on, proceed with CAUTION
• Do not type, click the mouse, or explore files or
directories without advanced training or expert
consultation
• Ask about passwords and/or encryption of the
system
• Observe the screen, and look for any running
programs that indicate access to internet-based
accounts, open files, encryption, or the presence
of files or data of potential evidentiary value
• If you see anything on the screen that concerns you or needs to be preserved, consult with an expert (if you don't know who to contact, call the number on the inside cover of this manual)
• Photograph the screen
• Once you are prepared to power down the system, pull the plug from the back of the computer system. Be aware that this discards everything held only in memory, including the unlocked state of any disk encryption in use, which is why the questions about passwords and encryption above must be asked first
• Remove the battery from a laptop system.
Step 5 – Disassemble and package the system
WARNING -
You may need to collect other forensic evidence including
fingerprints, biological samples, DNA, etc. from computer
systems, digital devices, and electronic media. Work with
crime scene service technicians or trained forensic
personnel to preserve such evidence without disturbing
the integrity of the digital media.
• Photograph the system from all perspectives
• Clearly mark evidence and document chain of
custody, location, and other important details about
the seized item(s)
• Disconnect and secure cables
• Check media ports and cd/dvd trays for the
presence of removable media
• Package the system, and peripheral devices, for
transport using laptop bags (if applicable), boxes, or
evidence bags
Step 6 – Transport
• Protect from temperature extremes and moisture
• Do not place evidence in the cruiser's trunk
• Protect from electro-static discharge
• Package evidence so it will not be physically
damaged or deformed
• Deliver evidence to a secure law enforcement
facility or digital evidence laboratory as soon as
practicable
Chapter V: First Responder’s Guide 53
Other Commonly Seized Devices That May Store Digital Evidence
There are many other storage media and technical devices that may process and store digital evidence. Examples include media cards (e.g., Secure Digital, SIM, flash, memory sticks), thumb drives, optical media (e.g., CD, DVD, and Blu-ray), digital cameras, MP3 players, iPods, servers, surveillance systems, gaming stations (e.g., Xbox, PlayStation, Wii), and GPS devices.
Each of these devices is capable of holding significant digital evidence that will help your case, and each is handled differently. Seizure of these items should be performed with special care. Consider working with an experienced digital evidence analyst to collect these items.
Step 1 - Document the device and all collection
procedures and information
• Photograph
• Video
• Sketch
• Notes
• Chain of custody
Step 2 - For items that have power, determine if the device is on or off
• Look for lights
• Listen for sounds
• Feel for vibrations or heat
Step 3 - Ask if there are any security features enabled
on the device including passwords or encrypted file
protection.
Step 4 - If the device is off, do not turn it on
• Collect and package
• Transport
Step 5 - While assessing, collecting, packaging, and transporting, follow these device-specific rules
• Only trained personnel should collect data from a server. If you don’t know what you are doing, stop and call an expert. Be careful when asking for the assistance of information technology or other personnel on-site: they may themselves be involved in the offense, and even well-meaning help can alter or destroy data
• GPS devices, MP3 players, and digital cameras should be turned off to secure data. Be sure to ask for any passwords or security features
• If available, paper evidence bags, or static-free
evidence bags, are best for the storage of media
• Media contained in binders or carriers should
remain in the container
• Be careful not to scratch optical media during
seizure.
• Gaming stations should be seized in the same
manner as computers
WARNING - Collecting evidence from surveillance systems can be difficult. Time is of the essence, and digital surveillance systems often require proprietary software and hardware for playback. Speak to your prosecutor or agency legal counsel when deciding whether to seize the whole digital surveillance system or only footage or segments of video extracted from the system. Also, be sure to get the company and installer name and contact information for the person who installed or maintains the system.
Step 6 - Collect and package
• Follow chain-of-custody procedures
• Secure data and power cables
• Label the evidence container(s), not the device(s)
• Package the device so it will not be physically
damaged or deformed
• Package the device in evidence bags or boxes
Step 7 - Transport
• Deliver evidence to a secure law enforcement
facility or digital evidence laboratory as soon as
practicable
• Protect from temperature extremes and moisture
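The chain-of-custody and integrity requirements in Steps 5 and 6 of the computer procedure and in Steps 1, 6 and 7 of the procedure for other devices can be demonstrated with the technique a digital evidence laboratory uses to prove that seized media has not changed since seizure: a cryptographic hash of the media image is taken at seizure and re-checked at every hand-over. The following Python program is an added example written for this page; it is not from the textbook or from any agency manual. The page itself does not mention hashing, so the use of SHA-256, the record layout, the item identifier, the officer and analyst names and the timestamps are all assumptions made for illustration, and the "media image" is a constructed byte string standing in for a disk or card image.

```python
"""Evidence integrity and chain-of-custody record for seized digital media.

Added example for this page, not from the textbook: it applies a cryptographic
hash (SHA-256) to the seized media image at seizure time, records every change
of custody, and re-verifies the hash so that any alteration of the image is
detected.  The record layout, item ID, names and timestamps are assumptions
made for illustration, and the media image is a constructed byte string.
"""
import hashlib
import json

HASH_ALGORITHM = "sha256"


def hash_image(image: bytes, chunk_size: int = 1 << 20) -> str:
    """Hash the media image in fixed-size chunks.

    Real disk images are far larger than memory, so forensic tools feed the
    hash function one chunk at a time; the result is identical to hashing the
    whole image at once.
    """
    digest = hashlib.new(HASH_ALGORITHM)
    for offset in range(0, len(image), chunk_size):
        digest.update(image[offset:offset + chunk_size])
    return digest.hexdigest()


def create_seizure_record(item_id: str, description: str, image: bytes,
                          seized_by: str, seized_at: str) -> dict:
    """Document the item at seizure: what it is, who took it, when, and its hash."""
    return {
        "item_id": item_id,
        "description": description,
        "hash_algorithm": HASH_ALGORITHM,
        "hash": hash_image(image),
        "size_bytes": len(image),
        "custody": [{"action": "seized", "by": seized_by, "at": seized_at}],
    }


def verify_integrity(record: dict, image: bytes) -> bool:
    """True only if the image still hashes to the value recorded at seizure."""
    return hash_image(image) == record["hash"]


def transfer_custody(record: dict, from_person: str, to_person: str,
                     at: str, image: bytes) -> bool:
    """Hand the item over, re-checking the hash before the entry is accepted.

    Returns False (and records nothing) if the image no longer matches the
    seizure-time hash: a transfer of altered evidence must not look routine.
    """
    if not verify_integrity(record, image):
        return False
    record["custody"].append(
        {"action": "transferred", "from": from_person, "to": to_person, "at": at}
    )
    return True


def custody_chain(record: dict) -> list:
    """The chain of custody as the ordered list of people who have held the item."""
    chain = [record["custody"][0]["by"]]
    for entry in record["custody"][1:]:
        chain.append(entry["to"])
    return chain


def demo() -> dict:
    """Run the whole lifecycle on a constructed image and return the outcomes."""
    # Constructed stand-in for a disk or memory-card image (16 KiB, not real evidence).
    image = bytes(range(256)) * 64
    # Hypothetical item ID, names and timestamps, chosen for illustration only.
    record = create_seizure_record(
        "ITEM-0001", "Laptop hard disk image (constructed sample)", image,
        seized_by="Officer A. Santos", seized_at="2021-09-13T10:15:00+08:00")
    first_transfer = transfer_custody(
        record, "Officer A. Santos", "Analyst B. Reyes",
        "2021-09-13T14:40:00+08:00", image)
    # Simulate a single flipped byte, as a tampered or corrupted copy would show;
    # the seizure-time hash no longer matches and the transfer is refused.
    tampered = bytearray(image)
    tampered[100] ^= 0x01
    tampered_transfer = transfer_custody(
        record, "Analyst B. Reyes", "Analyst C. Cruz",
        "2021-09-14T09:00:00+08:00", bytes(tampered))
    return {
        "seizure_hash": record["hash"],
        "first_transfer_accepted": first_transfer,
        "tampered_transfer_accepted": tampered_transfer,
        "image_intact": verify_integrity(record, image),
        "tampered_intact": verify_integrity(record, bytes(tampered)),
        "chain": custody_chain(record),
        "record_json": json.dumps(record, indent=2),
    }


if __name__ == "__main__":
    result = demo()
    print(result["record_json"])
    print("intact:", result["image_intact"], "tampered:", result["tampered_intact"])
```

The point of refusing the transfer rather than merely flagging it is that the custody log then only ever contains hand-overs of verified evidence; an analyst reading the record later does not have to cross-check which entries were made against a matching image. In practice the seizure-time hash is also written on the evidence form and the container label, so that the record and the physical item can be matched independently of any one computer.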

Safety Is a Top Priority

Do…
• Make sure you are lawfully present and have the appropriate legal authority to conduct the search.
• Secure the scene. Make sketches and/or take photos.
• Consult technical experts as needed.
• Use the seizure form if collecting digital evidence.
Do Not…
• Turn on computers or other digital devices.
• Touch a computer if it is ‘on’ unless you are properly trained.
• Allow anyone access to computers or other digital devices.
Glossary

back door -- a hidden way into a computer system or its software that bypasses normal authentication, either left in deliberately by its designers or planted by an attacker
biometrics -- the use of a computer user’s unique
physical characteristics -- such as fingerprints, voice,
and retina -- to identify that user
black hat -- a term used to describe a hacker who has
the intention of causing damage or stealing information
bypass -- a method, or a flaw in a security device, that allows a security control to be circumvented rather than defeated directly
ciphertext -- data that has been encrypted
Computer Emergency Response Team (CERT) -- an
organization that collects and distributes information
about security breaches
countermeasure -- any action or device that reduces a
computer system’s vulnerability
cracker -- a term sometimes used to refer to a hacker who
breaks into a system with the intent of causing damage or
stealing data
cracking -- the process of trying to overcome a security
measure
cryptography -- protecting information or hiding its
meaning by converting it into a secret code before sending
it out over a public network
crypto keys -- the secret values used together with an encryption algorithm to encrypt and decrypt messages; the key, not the algorithm, is what must be kept secret
cybercrime -- crime related to technology, computers,
and the Internet
decrypt -- to convert encrypted information back into normal, understandable text (plaintext)

denial of service (DoS) -- an attack that causes the targeted
system to be unable to fulfill its intended function
digital signature -- a value computed over a message using the signer’s private key; anyone with the matching public key can verify it, which shows who signed the message and that it has not been altered since
domain name -- the textual name assigned to a host on
the Internet
dumpster diving -- looking through trash for access codes
or other sensitive information
email -- an application that allows the sending of
messages between computer users via a network
encryption -- the process of protecting information or
hiding its meaning by converting it into a code
firewall -- a device designed to enforce the boundary
between two or more networks, limiting access
hacker -- a term sometimes used to describe a person who
pursues knowledge of computer and security systems for
its own sake; sometimes used to describe a person who
breaks into computer systems for the purpose of stealing
or destroying data
hacking -- original term referred to learning programming
languages and computer systems; now associated with the
process of bypassing the security systems on a computer
system or network
high risk application -- a computer application that,
when opened, can cause the user to become vulnerable
to a security breach
hijacking -- the process of taking over a live connection
between two users so that the attacker can masquerade
as one of the users
host -- a computer system that resides on a network and
can independently communicate with other systems on
the network
Hypertext Markup Language (HTML) -- the language in
which most webpages are written

information security -- a system of procedures and
policies designed to protect and control information
Internet -- a computer network that uses the Internet
protocol family
Internet Relay Chat (IRC) -- a large, multiple-user, live
chat facility
Internet service provider (ISP) -- any company that
provides users with access to the Internet
intranet -- a private network used within a company or organization; it is normally separated from the public Internet by a firewall rather than physically disconnected from it
intrusion detection -- techniques designed to detect
breaches into a computer system or network
IP spoofing -- an attack in which the attacker forges the source IP address of the packets he or she sends so that they appear to come from another host or user
keystroke monitoring -- the process of recording every
character typed by a computer user on a keyboard
leapfrog attack -- using a password or user ID obtained in
one attack to commit another attack
letterbomb -- an email containing live data intended to
cause damage to the recipient’s computer
malicious code -- any code that is intentionally included
in software or hardware for an unauthorized purpose
one-time password -- a password that can be used only
once, usually randomly generated by special software
packet -- a discrete block of data sent over a network
packet sniffer -- a device or program that monitors the
data traveling over a network by inspecting discrete
packets
password -- a data string used to verify the identity of
a user

password sniffing -- the process of examining data
traffic for the purpose of finding passwords to use later
in masquerading attacks
pen register -- a device that records the telephone numbers dialed from a particular telephone (outgoing calls)
phracker -- a person who combines phone phreaking
with computer hacking
phreaker -- a person who hacks telephone systems,
usually for the purpose of making free phone calls
piggyback -- gaining unauthorized access to a computer
system via another user’s legitimate connection
piracy -- the act of illegally copying software, music, or
movies that are copyright-protected
Pretty Good Privacy (PGP) -- a program, originally distributed as freeware, designed to encrypt and digitally sign email
probe -- an effort to gather information about a computer
or its users for the purpose of gaining unauthorized
access later
risk assessment -- the process of studying the
vulnerabilities, threats to, and likelihood of attacks on a
computer system or network
smart card -- an access card that contains encoded
information used to identify the user
sniffer -- a program designed to capture information
across a computer network
social engineering -- term often used to describe the
techniques virus writers and hackers utilize to trick
computer users into revealing information or activating
viruses
spam -- unsolicited commercial email
spoofing -- the process of disguising one computer user
as another

trap and trace device -- a device that records the telephone numbers of calls received by a specific telephone (incoming calls)
Trojan horse -- an apparently innocuous program that
contains code designed to surreptitiously access
information or computer systems without the user’s
knowledge
virus -- a computer program that attaches copies of itself to other programs or files and spreads when an infected file is run or opened, so it usually depends on some action by the user; compare worm
war dialer -- software that dials through a range of telephone numbers to find modems that offer dial-in access to computer systems
warez -- slang for pirated software
white hat -- a hacker whose intentions are not criminal
or malicious
wiretapping -- the interception of electronic
communications in order to access information
worm -- a self-contained computer program that copies itself from machine to machine across a network without needing a host program or any action by the user.