REGIONAL ANTI-CYBERCRIME UNIT CORDILLERA

Identification and Seizure of Digital/Electronic Evidence

VIRTUAL ETIQUETTE FOR PARTICIPANTS

• Be an active listener.
• Participate in discussions.
• Mute your microphone. It's always best to mute your microphone when you're not actively speaking.
DEFINITION OF TERMS
o Captured Enemy Materials (CEMs) – seized enemy materials such as electronic/technical equipment. They
may contain significant information with intelligence value pertaining to the adversary’s organization,
programs, activities, among others. The intelligence value of these CEMs may vary based on the type of
documents and the information they contain;
o Chain of Custody – sequential documentation or trail that accounts for the sequence of custody, control,
transfer, analysis, and disposition of electronic evidence. This evidence establishes the integrity of a piece of
evidence, showing that it was not tampered with or otherwise altered since it was first collected;
o Computer – an electronic, magnetic, optical, electrochemical, or other data processing or communication
device, or grouping of such devices, capable of performing logical, arithmetic, routing or storage functions,
and which includes any storage facility or equipment or communications facility or equipment directly related
to or operating in conjunction with such device. It covers any type of computer device, including devices with
data processing capabilities like mobile phones, smart phones, computer networks and other devices
connected to the internet;
o Computer Data – any presentation of facts, information or concepts in a form suitable for processing in a
computer system, including a program suitable to cause a computer system to perform a function, and
includes electronic documents and/or electronic data messages whether stored in local computer systems or
online;
o Computer System – any device or group of interconnected or related devices, one or more of which,
pursuant to a program, performs automated processing of data. It covers any type of device with data
processing capabilities, including, but not limited to, computers and mobile phones. The device consisting of
hardware and software may include input, output and storage components, which may stand alone or be
connected to a network or other similar devices. It also includes computer data storage devices or media;
o Digital Evidence – any information being subject to human intervention or not, that can be extracted from a
computer;
o Digital Forensic – scientific examination and analysis of data held on or retrieved from computer storage
media or network and its presentation in a manner legally acceptable to a court;
o Digital Forensic Examiner – Investigators who are experts in gathering, recovering, analyzing and
presenting data evidence from computers and other digital media related to computer-based and non-
cybercrimes;
o Electronic Data Message – Information generated, sent, received or stored by electronic, optical or similar
means;
o Electronic Document – information or the representation of information, data, figures, symbols or other
modes of written expression, described or however represented, by which a right is established or an
obligation extinguished, or by which a fact may be proved and affirmed, which is received, recorded,
transmitted, stored, processed, retrieved or produced electronically.
It includes digitally signed documents and any print-out or output, readable by sight or other means,
which accurately reflects the electronic data message or electronic document. For purposes of these
Rules, the term “electronic document” may be used interchangeably with electronic data messages;
o Electronic Signature – any distinctive mark, characteristic and/or sound in electronic form, representing the
identity of a person and attached to or logically associated with the electronic data message or electronic
document or any methodology or procedures employed or adopted by a person and executed or adopted by
such person with the intention of authenticating or approving an electronic data message or electronic
document;
o Ephemeral Electronic Communication – telephone conversations, text messages, chatroom sessions,
streaming audio, streaming video, and other electronic forms of communication the evidence of which is not
recorded or retained;
o Hardware – physical components of a computer system that accept input, process input, store the results
of processing, and/or provide output. It also means any and all computer-related hardware, including but not
limited to, computers, file servers, facsimile servers, scanners, color printers, laser printers and networks;
o Information and Communication System – a system for generating, sending, receiving, storing or otherwise
processing electronic data messages or electronic documents and includes the computer system or other
similar devices by or in which data are recorded or stored and any procedure related to the recording or
storage of electronic data messages or electronic documents;
o Software – any and all computer programs, including any and all software implementations of algorithms,
models and methodologies, whether in source code, object code, human readable form or other form; and
o Warrant to Examine Computer Data – authority granted by the court to examine a computer device or
computer system acquired via a lawful warrantless arrest, or by any other lawful method to allow law
enforcement authorities to search the said computer devices or system for the purpose of obtaining for
forensic examination the computer data therein.
PROCEDURES IN THE SEIZURE, INVENTORY, TRANSPORT, TURN-OVER, AND CONDUCT OF DIGITAL FORENSIC EXAMINATION
SEIZURE (COLLECTION TECHNIQUE TO PRESERVE AND PROTECT POTENTIAL EVIDENCE)
1. Put on Gloves (If possible);
2. The Seizing Officer should immediately restrict the presence of other
individual/s near the electronic devices to ensure and preserve the
admissibility of the evidence;
3. Take photographs at the crime scene as part of the documentation;
4. Now it is time to package all the equipment for transportation. All
digital/electronic evidence should be packed in anti-static bags to help ensure
the integrity of the data is maintained. As each piece of evidence is packaged,
an evidence label should be attached; and
5. This evidence label will help identify the evidence, the date and time it was
found on the scene, the location it was recovered from, and the investigator
who found the evidence. Additional information can be added to include the
Case Number and the primary investigating officer.
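The evidence label fields listed above and the chain-of-custody trail defined earlier can be kept as a tamper-evident record: each custody entry stores the hash of the entry before it, so an edit, deletion or reordering anywhere in the trail is detected when the chain is re-verified. The script below is an added illustration, not the unit's own tooling; the label fields, officer names, case number and timestamps are constructed placeholders.

```python
import hashlib
import json
from dataclasses import dataclass, field, asdict

@dataclass
class EvidenceLabel:
    # Fields the slide's evidence label calls for (finder, location, case number, lead officer).
    item_id: str
    found_at: str
    location: str
    found_by: str
    case_number: str
    lead_investigator: str

def _digest(record: dict) -> str:
    # Canonical JSON so the same record always hashes to the same value.
    return hashlib.sha256(json.dumps(record, sort_keys=True).encode()).hexdigest()

@dataclass
class CustodyLog:
    label: EvidenceLabel
    entries: list = field(default_factory=list)

    def record(self, action: str, officer: str, when: str, note: str = "") -> dict:
        # Each entry carries the hash of the previous one (the label's hash for the
        # first), so the trail can only be extended, never silently rewritten.
        prev = self.entries[-1]["hash"] if self.entries else _digest(asdict(self.label))
        entry = {"seq": len(self.entries) + 1, "action": action, "officer": officer,
                 "when": when, "note": note, "prev": prev}
        entry["hash"] = _digest(entry)
        self.entries.append(entry)
        return entry

    def verify(self) -> bool:
        # Recompute every link; an edited, removed or reordered entry breaks the chain.
        prev = _digest(asdict(self.label))
        for i, e in enumerate(self.entries, start=1):
            body = {k: v for k, v in e.items() if k != "hash"}
            if e["seq"] != i or e["prev"] != prev or _digest(body) != e["hash"]:
                return False
            prev = e["hash"]
        return True

def build_sample_log() -> CustodyLog:
    # Constructed sample values: officer names, case number and times are placeholders.
    label = EvidenceLabel("ITEM-001", "2024-05-01T08:10:00+08:00", "Desk, Room 2",
                          "PO1 Sample", "CASE-0001", "PCpt Sample")
    log = CustodyLog(label)
    log.record("seized", "PO1 Sample", "2024-05-01T08:15:00+08:00", "anti-static bag, label attached")
    log.record("transferred", "PO2 Sample", "2024-05-01T11:00:00+08:00", "turned over for examination")
    return log
```

Each seizure, transfer, analysis and disposition step on the slides becomes one `record()` call, and `verify()` is what a receiving officer runs before accepting the item.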
M – MUTILATE
A – ALTER
C – CONTAMINATE

MOBILE PHONES AND SIMILAR DEVICES (COLLECTION TECHNIQUE TO PRESERVE AND PROTECT POTENTIAL EVIDENCE)
1. If the power is OFF
a) Do not turn ON;
b) Place phone in a sealed envelope before placing in an evidence
bag to prevent from being turned ON; and
c) If possible, seize the mobile phone charger.
2. If the power is ON
a) Consideration should be given before turning OFF the device
because of passwords/passcodes;
b) Immediately switch to flight mode (Airplane mode) or place the
phone in a Faraday bag, aluminum foil or other signal-blocking
container; and
c) If possible, seize the mobile phone charger.
COMPUTER/LAPTOPS
1. If the power is OFF
a) Make sure the computer/laptop is powered off; otherwise, treat it
as one that is switched ON;
b) Photograph everything including system makeup and what
connects with what;
c) Photograph screen;
d) Unplug power from all devices. Remove power lead from the
computer end, not the wall socket end; and
e) Label all connectors on the end of the cable and socket to which
they connect so the system can later be reconstructed.
2. If the power is ON
a) If the screen shows a screensaver or is blank, move the
mouse or press the up or down arrow key to restore the
screen;
b) Photograph the screen and/or record all running programs that you
can see;
c) If a destructive program is running that could cause loss of
evidence (Format, Wipe, Evidence Eliminator type programs),
pull the power from the back of the computer;
d) Collect volatile data (data stored in Random-Access
Memory (RAM));
e) If there is any media located in the drives, the media should be
photographed and then removed to protect the evidence from
being destroyed or altered. CD-ROMs may be scratched in
transit and therefore may become unreadable. At this time,
remove any media in the drive bays and place evidence tape
over the drives;
f) Unplug power from all devices. Remove the power lead from the
computer end, not the wall socket end;
g) Label all connectors on the end of the cable and the socket to which
they connect so the system can later be reconstructed; and
h) Record all actions performed using working notes.
Seizing Electronic Evidence

When disassembling the computer system:
• Label each part and peripheral so it can be reassembled in court, if necessary.
• Use corresponding labels for any cables or devices that were connected.
• Label any empty ports “MTY”.
WHERE IS THE EVIDENCE?

Digital Evidence
• Volatile data
• Non-volatile data
TYPE OF COMPUTER DATA

Volatile Data
• This data is temporarily stored in the memory (RAM) of the computer system.
• This data will be deleted once power is removed from the computer.

Non-Volatile Data
• This data resides in persistent storage media (hard disk drive, USB flash drive, optical storage media).
• It remains saved regardless of whether the power of the computer is On or Off.
QUESTIONS?

THANK YOU