
PNP-CIDG
Anti-Transnational and Cyber Crime Division


Objectives

At the end of this lesson, participants will:

* Process computer crime scenes
* Illustrate how to:
  * Protect
  * Preserve
  * Document computer crime scenes

Cyber Crime Processing


Maintaining the Integrity of Electronic Evidence (On the Scene)

Computer evidence is fragile. Investigators should maintain the integrity of the evidence through:

* Documentation
* Identification and seizure
* Packaging, transportation and storage
* Chain of custody

Planning the Search (Station)


Ask yourself:
* Do I have sufficient manpower to execute the search?
* Are they trained in seizing electronic evidence?
* Do I know everything I can about the place to be searched?
  * Layout?
  * Resistance?
  * Network?
  * Follow up searches?

Officer Roles

Typical assignments include:
* Occupant Control: maintains control of all occupants
* Scene Safety: prevents unauthorized entry
* Evidence Custodian: takes custody and documents every seized item
* Search Team: performs searches
* Interview Team: interviews all relevant occupants
* Scene Documentation: documents scene before and after search

Digital evidence collection kit:
* Proper forms
* Crime scene evidence collection kit:
  * Camera and extra film (video if available)
  * Note / sketch pads
  * Blank floppy diskettes
  * Evidence tape
  * Labels
  * Pens, markers
  * Storage containers
  * Anti Static Bags
  * Tool kit

Procedure:
* Select a group leader
* Assemble a search team
* Brief team on the nature of the search
* Assign each officer a role
* Assemble evidence collection kit

Securing the Electronic Crime Scene (On the Scene)

Officer Safety First!


Upon entry:
* Secure premises
* Secure occupants
* Secure perimeter to prevent unauthorized access to premises
* Prevent destruction of evidence

Documenting the Electronic Crime Scene (On the Scene)

To ensure detailed documentation of the search, use forms when they are appropriate:
* Items Seized
  * Description
  * Who seized it and where it was found
* Chain of Custody
* After Action Report
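The forms above (items seized, who seized it and where, chain of custody) are the record that every later integrity claim rests on. As an added example that is not part of the PNP-CIDG slides, here is a tamper-evident chain-of-custody log in Python: each custody entry is hashed together with the previous entry's hash, so any later change to a stored record fails verification. All names, labels and timestamps in it are constructed samples.

```python
import hashlib
import json
from dataclasses import dataclass, field, asdict

@dataclass
class CustodyEntry:
    timestamp: str   # when the action happened, as written by the officer
    action: str      # "seized", "transferred", "stored" or "examined"
    officer: str     # who performed the action
    location: str    # where the item was found, or where it was moved to
    prev_hash: str   # entry_hash of the previous entry ("" for the first)
    entry_hash: str = ""

@dataclass
class SeizedItem:
    label: str        # evidence label written on the item, e.g. "CPU-01"
    description: str  # model and serial numbers as recorded at the scene
    custody: list = field(default_factory=list)

    def _hash_of(self, e: CustodyEntry) -> str:
        # Canonical JSON over the item identity and every field except the hash.
        body = asdict(e)
        body.pop("entry_hash")
        body.update(label=self.label, description=self.description)
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def record(self, timestamp, action, officer, location) -> CustodyEntry:
        prev = self.custody[-1].entry_hash if self.custody else ""
        e = CustodyEntry(timestamp, action, officer, location, prev)
        e.entry_hash = self._hash_of(e)
        self.custody.append(e)
        return e

    def verify(self) -> bool:
        # True only if each entry links to its predecessor and none was altered.
        prev = ""
        for e in self.custody:
            if e.prev_hash != prev or self._hash_of(e) != e.entry_hash:
                return False
            prev = e.entry_hash
        return True

def demo() -> bool:
    # Constructed sample: one CPU seized at the scene, then handed to the custodian.
    item = SeizedItem("CPU-01", "Desktop tower, serial SN-EXAMPLE-001 (constructed)")
    item.record("2020-01-15T10:15", "seized", "PO1 Example", "Office, desk 2")
    item.record("2020-01-15T14:40", "transferred", "PO1 Example", "Evidence custodian")
    intact = item.verify()
    item.custody[0].officer = "PO2 Other"  # simulate a later alteration of the record
    return intact and not item.verify()    # expected: True
```

The hash chain does not replace the signed paper form; it lets the custodian show that the electronic copy of the log was not edited after the fact.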

Once you have entered and secured the electronic crime scene, you should document the surroundings as initially found:
* Photograph
* Sketch

Photograph the crime scene:
* Overall
* Detailed (evidence)

* Photograph each and every item before it is seized
* Avoid using flash for close ups
* Photograph items on the screen

Sketch:
* Layout
* Suspect location
* Room identification
* Location of Evidence
* Court Presentation

Interviewing the Occupants (On the Scene)

On Scene Interview:
* Discovery or preservation of additional evidence
* Additional Arrests

Interview Basics:
* Asking the right questions
* Documenting the interview
* Using evidence to formulate questions

Electronic Interview:
* Ownership and / or control of the items being seized
* Booby traps
* Login names and passwords
* Encryption
* Files of interest
* E-mail accounts and screen names
* Internet service providers
* Off-site storage
* Hidden storage devices

Recognizing and Identifying Electronic Evidence (On the Scene)

What is evidence and what isn’t?

The items in the following slides may contain evidence such as:
* Spreadsheets
* Documents
* Contact lists
* Electronic mail messages
* Instant messages and chat traffic
* Databases
* Maps

Computer Hardware:
* CPU
* Hard drive(s)
* Volatile memory

Removable media:
* Floppy diskettes
* CD / DVD
* Data tapes
* Zip / Jazz disks
* Memory cards


Other devices:
* Personal Data Assistants (PDA)
* Digital cameras
* Video recorders
* Mp3 players
* Printers
  * Memory
  * Imposed images on rollers
  * Usage logs
  * Network ID

Do not forget traditional evidence collection techniques:
* Monitor, keyboard and mouse (fingerprints)
* Notes and other printed material
* Video and audio cassettes
* Photographs and diagrams
* Address book and journals
* Original software

Demonstration: On the Scene, Step-by-Step

Seizing Electronic Evidence

Step 1: Make the entry – Teamwork
* Secure the suspect(s) and the scene!!
* Establish a perimeter

Step 2: Search the Suspect(s)
* Take your time - be methodical
* Analyze each item seized (is it electronic?)
* Communicate with other officers
* Remember to package evidence and property separately

Step 3a: On the Scene
* Examine the scene
* Document the current state of the computer
* If the computer is “OFF,” do not turn it “ON”

Step 3b: Begin the Interview
* Asking the right questions
* Documenting the interview
* Using evidence to formulate questions

Step 4: Photograph & Sketch the Scene

If the monitor is on and the screen is blank, in “sleep” mode, or a screen saver is visible:
* Move the mouse without pressing any buttons
* Photograph the screen and information displayed

Step 5
* Check for Network Connectivity
* Collect Volatile Data

Step 6: Pull Plug

The safest way to turn off a computer running Windows or DOS is to pull the plug from the computer - not from the wall outlet.

Step 7: Collection
Other items of interest:
* Note pads
* Video cassettes
* Audio cassettes
* Manuals and other printed materials
* Use of collected evidence to formulate questions

Packaging Non-Electronic Evidence
* Ensure that all evidence has been documented and properly labeled.
* Pack evidence in proper evidence packaging.

Step 8: Labeling
When disassembling the computer system:
* Label each part and peripheral so it can be reassembled in court, if necessary.
* Use corresponding labels for any cables or devices that were connected.
* Label any empty ports “MTY”


(Step 8 photo slides: before, after, and working notes)

Step 9a: Transport Prep
To help prevent accidental booting of the system:
* Insert a blank disk in the floppy diskette drive
* Place evidence tape over the disk drives
* Be sure to check CDROM
* Place evidence tape over power outlet

Step 9b:
* Do not leave disks in the disk drives
* Remove the CD / DVD from the drive using a paperclip (with power off)

Step 10: Hard Drive Collection

Remove case and document:
* Components (memory, cards, etc.)
* Hard drives:
  * The device model and serial numbers (if available)
  * Size
  * Master or slave

Packaging and Transporting Electronic Evidence

Packaging Electronic Evidence

Computer systems are sensitive to temperature, humidity, physical shock, static electricity, and magnetic sources.
* Ensure that all evidence has been documented and properly labeled.
* Pack magnetic media in antistatic packaging.

Transporting Electronic Evidence
* Heat
* Police Radios
* Use bubble wrap not Styrofoam
* Place computer in area of car that is smoothest

Storing Electronic Evidence (At the Station)

Store the computer in a secure area, just as you would any type of evidence.
Storage for evidence must be:
* Cool
* Dry
* Away from:
  * Generators
  * Magnets

Network Intrusion Case: Website Defacement

Chronology of events:
* April 28, 2004 – Complaint from The Journal Group and Mr. Wilson Chua regarding the Denial of Service (DOS) attack and website defacement of www.gov.ph and www.journal.com.ph webpages.
* May 1, 2004 – Mr. Wilson Chua submitted the intrusion logs to ATCCD-CCU.

Start of Investigation
* ATCCD-CCU conducted analysis on the intrusion log files submitted by Mr. Chua.
* Log files from the IDS indicate a series of scan attempts for vulnerability exploits.

IP Addresses of the Attacker

Name of Company                  IP Address
PLDT
a. PLDT dial-up subscriber       203.177.73.162
Infocom Technologies Inc.
b. Infocom dial-up subscriber    203.131.73.96
c. SSS Diliman Quezon City       202.163.226.140
d. Amellar Corporation           203.131.73.96
Globe Telecom Inc.
e. Mercury Interactive/Singtel   202.52.161.137
f. U.P Miagao Iloilo City        203.177.73.162

(Diagram of Network Intrusion: dedicated line, suspect’s computer)

Subpoena to GLOBE TELECOM
* Issuance of various “SUBPOENA DUCES TECUM” to concerned TELCOs and Internet Service Providers (ISPs).

Result of Subpoena from GLOBE TELECOM

Subpoena to IT Officer, U.P VISAYAS


U.P Visayas On-Site Investigation
* Set of IP addresses identified and analyzed by ATCCD-CCU came from U.P. Visayas Linux Gateway computer.

U.P Visayas On-Site Investigation (continued)
(Photo taken during the on-site investigation at U.P Visayas.)


Digital Forensic Examination
* ATCCD-CCU conducted a Digital Forensic Examination on the hard disk drive of Mr. JJ Giner’s computer.
* The examiner was able to discover hacking tools installed and saved on Giner’s computer.

Result of U.P Visayas Administrative Investigation
* Mr. Reniel Cambel, Systems and Network Admin of U.P Visayas, revealed that the source of the intrusion attack came from the Information and Publications Office (IPO), on the computer being used by a certain Mr. JJ Maria Glomo Giner.
* Professor Villareal discovered that there were several instances in which the hard drive of the subject computer was taken out by Mr. Giner without clearance from U.P.V Administrators and further brought home, as evidenced by the letter of explanation of Mr. Giner dated May 31, 2004.
* The suspected hard drive was seized by U.P.V officials and turned over to ATCCD-CIDG.

Case Referral to DOJ

Resolution by the State Prosecutor

Warrant of Arrest

Judgment

The First Filipino Convicted Hacker

The conviction of JJ Maria G. Giner was considered a landmark case, as he is the first local hacker to be convicted under Section 33(a) of R.A. No. 8792 (E-Commerce Act), which was investigated by ATCCD-CCU.

Libel Case Through Email Messaging