
Cybercrime

Cybercrime - is criminal activity that either targets or uses a computer, a computer
network or a networked device.
- The use of a computer as an instrument to further illegal ends, such as
committing fraud, trafficking in child pornography and intellectual property,
stealing identities, or violating privacy.
Ex. Cyberbullying, Identity Theft

Cyberspace - is a notional environment in which communication over computer
networks occurs.
- A global domain within the information environment consisting of the
interdependent network of information systems infrastructures including the
Internet, telecommunications networks, computer systems, and embedded
processors and controllers.
- An example of cyberspace is the home of Google, Yahoo and Facebook.

When Did Cyber Crime Begin?

• The malicious association with hacking became evident in the 1970s when
early computerized phone systems became a target. Technologically savvy
individuals, called “phreakers,” discovered the correct codes and tones that
would result in free long distance service. They impersonated operators,
dug through Bell Telephone company garbage to find secret information,
and performed countless experiments on early telephone hardware to learn
how to exploit the system and steal long-distance telephone time.

This innovative type of crime was a difficult issue for law enforcement, due in part to
lack of legislation to aid in criminal prosecution, and a shortage of investigators
skilled in the technology that was being hacked. It was clear that computer systems
were open to criminal activity, and as more complex communications became
available to the consumer, more opportunities for cyber crime developed.

• The First Federal Law on Cyber Crime


- In 1986 the systems administrator at the Lawrence Berkeley National
Laboratory, Clifford Stoll, noted certain irregularities in accounting data. Inventing the
first digital forensic techniques, he determined that an unauthorized user was
hacking into his computer network. Stoll used what is called a “honeypot tactic,”
which lures a hacker back into a network until enough data can be collected to track
the intrusion to its source.

• Stoll’s effort paid off with the eventual arrest of Markus Hess and several
others located in West Germany, who were stealing and selling military
information, passwords and other data to the Soviet KGB.
• The Berkeley lab intrusion was soon followed by the discovery of the Morris
worm virus, created by Robert Morris, a Cornell University student. This
worm damaged more than 6,000 computers and resulted in estimated
damages of $98 million. More incidents began to follow in a continuous,
steady stream. Congress responded by passing its first hacking-related
legislation, the Federal Computer Fraud and Abuse Act, in 1986. The act
made computer tampering a felony crime punishable by significant jail time
and monetary fines.

Law Enforcement Responds


• In 1990, during a project dubbed Operation Sundevil, FBI agents
confiscated about 40 computers and over 20,000 floppy disks that were
allegedly being used by criminals for illegal credit card use and telephone
services. This two-year effort involved 150 agents. Despite the low number
of indictments, the operation was seen as a successful public relations
effort by law enforcement officials.

• While largely effective, the decisions and activities of law enforcement
regarding investigating cyber crime are not always perfect. If law
enforcement makes a mistake, law-abiding citizens might suffer.

• The first incident of such nature dates to 1990, when the Steve Jackson
Games publishing company was nearly forced out of business after being
accused of possessing an illegally copied document related to a fantasy
game that dealt with “cyberpunk.” The Secret Service believed this
document was in Jackson’s possession and confiscated the computers
used in his business, according to The New York Times.

What Are the Cybercrimes in the Philippines?

• The Cybercrime Prevention Act of 2012 (Republic Act 10175) aims to address
legal issues concerning online interactions and the Internet in the
Philippines. Among the cybercrime offenses included in the bill are
cybersquatting, cybersex, child pornography, identity theft, illegal
access to data and libel.

Who Handles Cybercrime in the Philippines?


• The Cybercrime Investigation and Coordinating Center (CICC), which was
created upon the approval of Republic Act 10175 or the Cybercrime
Prevention Act of 2012, is an attached agency of the Department of
Information and Communications Technology (DICT), and is chaired by the
DICT Secretary.

What is the Punishment for Cybercrime in the Philippines?


• Penalties. — Any person found guilty of any of the punishable acts
enumerated in Sections 4(a) and 4(b) of this Act shall be punished
with imprisonment of prision mayor or a fine of at least Two hundred
thousand pesos (PhP200,000.00) up to a maximum amount commensurate
to the damage incurred or both.

CYBERCRIME
• Also called computer crime, the use of a computer as an instrument to further
illegal ends, such as committing fraud, trafficking in child pornography and
intellectual property, stealing identities, or violating privacy.
• Cybercrime, especially through the Internet, has grown in importance as the
computer has become central to commerce, entertainment, and government.

CYBERSPACE
• Simply a richer version of the space where a telephone conversation takes
place, somewhere between the two people having the conversation.
• As a planet-spanning network, the Internet offers criminals multiple hiding
places in the real world as well as in the network itself.

TYPES OF CYBERCRIME

1. Identity theft and invasion of privacy
Cybercrime affects both a virtual and a real body

2. Internet Fraud
Schemes to defraud consumers abound on the Internet

3. ATM Fraud
Intercept the card’s magnetic strip and user’s PIN

4. Wire Fraud
Involves the use of some form of telecommunications or the internet

5. File sharing and piracy
Illegal duplication of copyrighted materials

6. Counterfeiting and forgery
Counterfeiting currency

7. Child Pornography
Application that drove early deployment of technical innovation in search of profit

8. Hacking
Sending illegal instruction to any other computer or network.

9. Computer Viruses
Deliberate release of damaging computer viruses

10. Denial of service attacks
An attack meant to shut down a machine or network, making it inaccessible to its
intended users.

11. Spam, steganography, and e-mail hacking
Unsolicited advertisements for products and services

12. Sabotage
Involves the hijacking of a government or corporation Web site

History and Nature of Cybercrimes


What is Hacking?
• Hacking is a term used to describe the activity of modifying a product or
procedure to alter its normal function, or to fix a problem.
• The term purportedly originated in the 1960s, when it was used to describe
the activities of certain MIT model train enthusiasts who modified the
operation of their model trains.
• They discovered ways to change certain functions without re-engineering
the entire device.
• These curious individuals went on to work with early computer systems
where they applied their curiosity and resourcefulness to learning and
changing the computer code that was used in early programs.

When Did Cyber Crime Begin?

• The malicious association with hacking became evident in the 1970s when
early computerized phone systems became a target.
• Technologically savvy individuals, called “phreakers,” discovered the correct
codes and tones that would result in free long-distance service.
• They impersonated operators, dug through Bell Telephone company
garbage to find secret information, and performed countless experiments on
early telephone hardware to learn how to exploit the system and steal
long-distance telephone time.

The First Federal Law on Cyber Crime

• In 1986 the systems administrator at the Lawrence Berkeley National
Laboratory, Clifford Stoll, noted certain irregularities in accounting data.
• Inventing the first digital forensic techniques, he determined that an
unauthorized user was hacking into his computer network.
• Stoll used what is called a “honeypot tactic,” which lures a hacker back into
a network until enough data can be collected to track the intrusion to its
source.

Who is a Cybercriminal?
• Cybercriminals are individuals or teams of people who use technology to
commit malicious activities on digital systems or networks with the intention
of stealing sensitive company information or personal data, and generating
profit.
• Cybercriminals are known to access the cybercriminal underground
markets found in the deep web to trade malicious goods and services, such
as hacking tools and stolen data.

Preventive measures against Cybercrimes


• Causes of Cybercrime
- Cybercriminals always opt for an easy way to make big money. They target
rich people or rich organizations like banks, casinos, and financial firms
where a huge amount of money flows daily and hack sensitive information.
Catching such criminals is difficult.
- Hence, that increases the number of cyber-crimes across the globe.
Computers are vulnerable, so laws are required to protect and safeguard
them against cybercriminals.

Vulnerability of Computer

1. Easy access
Hackers can steal access codes, retina images, advanced voice recorders, etc.

2. Capacity to store data
It is a lot easier for people to steal data from any other storage.

3. Complex
Millions of codes

4. Negligence
A cyber-criminal can gain access to and control over the computer system.

5. Loss of evidence
Data related to the crime can be easily destroyed.

Cross Domain Solution

Use Strong Passwords

Avoid these common weak-password habits:
• Using keyboard patterns for passwords, e.g. qwertyui
• Using easy combinations, e.g. Raju1990, Feb1990
• Using default passwords, e.g. Welcome123, Ravi123
• Keeping the password the same as the username, e.g. Raju/Raju
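
The four habits listed above can be checked mechanically when a password is set. The following Python sketch is an added example, not part of the original notes; the function names, the four-key run threshold and the small default-password list are assumptions made for illustration.

```python
import re

# Rows of a QWERTY keyboard; a run of adjacent keys from one row is a
# "keyboard pattern" such as qwertyui.
KEYBOARD_ROWS = ("1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm")

# Constructed sample deny-list (assumption; only Welcome123 comes from the notes).
# A real deployment would load a much larger list.
DEFAULT_PASSWORDS = {"welcome123", "password", "changeme", "admin"}


def has_keyboard_run(password, min_run=4):
    """True if the password contains min_run adjacent keys, left-to-right or reversed."""
    lowered = password.lower()
    for row in KEYBOARD_ROWS:
        for seq in (row, row[::-1]):
            for start in range(len(seq) - min_run + 1):
                if seq[start:start + min_run] in lowered:
                    return True
    return False


def is_easy_combination(password):
    """A word (name, month) followed by a four-digit year: Raju1990, Feb1990."""
    return re.fullmatch(r"[A-Za-z]+(?:19|20)\d{2}", password) is not None


def is_default_style(password):
    """A known default, or a word plus a counting suffix: Welcome123, Ravi123."""
    if password.lower() in DEFAULT_PASSWORDS:
        return True
    return re.fullmatch(r"[A-Za-z]+(?:123|1234|12345|123456)", password) is not None


def same_as_username(username, password):
    """Password equal to the username, ignoring case: Raju/Raju."""
    return bool(password) and username.strip().lower() == password.strip().lower()


def audit_password(username, password):
    """Return the list of weak habits detected, in the order the notes list them."""
    findings = []
    if has_keyboard_run(password):
        findings.append("keyboard_pattern")
    if is_easy_combination(password):
        findings.append("easy_combination")
    if is_default_style(password):
        findings.append("default_password")
    if same_as_username(username, password):
        findings.append("same_as_username")
    return findings


if __name__ == "__main__":
    # Constructed test accounts using the examples from the notes.
    samples = [
        ("alice", "qwertyui"),
        ("raju", "Raju1990"),
        ("bob", "Welcome123"),
        ("Raju", "Raju"),
        ("carol", "T7#mq!Lx92vB"),
    ]
    for user, pw in samples:
        print(f"{user:6} {pw:14} {audit_password(user, pw) or 'no listed habit found'}")
```

An empty result only means none of these four habits was detected; it is not a measure of password strength.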

Be social media savvy

• Be sure to keep your social networking profiles (Facebook, Twitter,
YouTube, etc.) set to private. Be sure to check your security settings.
Be careful of what information you post online. Once it is on the Internet it is
there forever.

Secure your Mobile Devices

• Be sure to download applications only from trusted sources.
• It is also crucial that you keep your operating system up-to-date.
• Be sure to install anti-virus software and to use a secure lock screen as
well.

Protect your data

• Use encryption for your most sensitive files such as financial records
and tax returns.

Protect your identity online

• It is better to be too cautious than not cautious enough. It is critical that
you be cautious when giving out personal ID such as your name, address,
phone number, and/or financial information on the Internet.
• Be certain to make sure websites are secure when making online
purchases, etc.
• This includes enabling your privacy settings when using/accessing social
networking sites.

Keep your computer current with the latest patches and updates

• Apply patches and other software fixes when they become available.
• By regularly updating your computer, you block attackers from being able to
take advantage of software flaws (vulnerabilities) that they could otherwise
use to break into your system.

Protect your computer with security software

• Security software essentials include firewalls and antivirus programs.
• A firewall is usually your computer’s first line of defense.
• It controls who and what can communicate with your computer online.

Parental Control

• Parents should monitor all the activities of their children online.
• Giving adequate privacy to children would be problematic.
• Parents need to be cautious and should keep an eye on browser history
and email accounts regularly.

Dateline of Cybercrime
1834 — French Telegraph System
• A pair of thieves hack the French Telegraph System and steal financial
market information, effectively conducting the world’s first cyberattack.
1870 — Switchboard Hack
• A teenager hired as a switchboard operator is able to disconnect and
redirect calls and use the line for personal usage. 
1878 — Early Telephone Calls
• Two years after Alexander Graham Bell invents the telephone, the Bell
Telephone Company kicks a group of teenage boys off the telephone
system in New York for repeatedly and intentionally misdirecting and
disconnecting customer calls.
1903 — Wireless Telegraphy
• During John Ambrose Fleming’s first public demonstration of Marconi’s
“secure” wireless telegraphy technology, Nevil Maskelyne disrupts it by
sending insulting Morse code messages discrediting the invention.
1939 — Military Codebreaking
• Alan Turing and Gordon Welchman develop BOMBE, an
electro-mechanical machine, during WWII while working as codebreakers at
Bletchley Park. It helps to break the German Enigma codes.
1940 — First Ethical Hacker
• Rene Carmille, a member of the Resistance in Nazi-occupied France and a
punch-card computer expert who owns the machines that the Vichy
government of France uses to process information, finds out that the Nazis
are using punch-card machines to process and track down Jews,
volunteers to let them use his, and then hacks them to thwart their plan. 

1955 — Phone Hacker
• David Condon whistles his “Davy Crockett Cat” and “Canary Bird Call Flute”
into his phone, testing a theory on how phone systems work. The system
recognizes the secret code, assumes he is an employee, and connects him
to a long-distance operator. She connects him to any phone number he
requests for free.
1957 — Joybubbles
• Joe Engressia (Joybubbles), a blind, 7-year-old boy with perfect pitch,
hears a high-pitched tone on a phone line and begins whistling along to it at
a frequency of 2600Hz, enabling him to communicate with phone lines and
become the U.S.’s first phone hacker or “phone phreak.”
1962 — Allan Scherr
• MIT sets up the first computer passwords, for student privacy and time
limits. Student Allan Scherr makes a punch card to trick the computer into
printing off all passwords and uses them to log in as other people after his
time runs out. He also shares passwords with his friends, leading to the first
computer “troll.” They hack into their teacher’s account and leave messages
making fun of him.
1969 — RABBITS Virus
• An anonymous person installs a program on a computer at the University of
Washington Computer Center. The inconspicuous program makes copies of
itself (breeding like a rabbit) until the computer overloads and stops
working. It is thought to be the first computer virus. 
1970-1995 — Kevin Mitnick
• Beginning in 1970, Kevin Mitnick penetrates some of the most
highly-guarded networks in the world, including Nokia and Motorola, using
elaborate social engineering schemes, tricking insiders into handing over
codes and passwords, and using the codes to access internal computer
systems. He becomes the most-wanted cybercriminal of the time. 
1971 — Steve Wozniak and Steve Jobs
• When Steve Wozniak reads an article about Joybubbles and other phone
phreaks, he becomes acquainted with John “Captain Crunch” Draper and
learns how to hack into phone systems. He builds a blue box designed to
hack into phone systems, even pretending to be Henry Kissinger and
prank-calling the Pope. He starts mass-producing the device with friend
Steve Jobs and selling it to classmates. 
1973 – Embezzlement
• A teller at a local New York bank uses a computer to embezzle over $2
million.
1981 – Cybercrime Conviction
• Ian Murphy, aka “Captain Zap,” hacks into the AT&T network and changes
the internal clock to charge off-hour rates at peak times. The first person
convicted of a cybercrime, and the inspiration for the movie “Sneakers,” he
does 1,000 hours of community service and 2.5 years of probation.
1982 — The Logic Bomb
• The CIA blows up a Siberian gas pipeline without the use of a bomb or a
missile by inserting a code into the network and the computer system in
control of the gas pipeline. The code was embedded into equipment
purchased by the Soviet Union from a company in Canada. 
1984 — US Secret Service
• The U.S. Comprehensive Crime Control Act gives Secret Service
jurisdiction over computer fraud.
1988 — The Morris Worm
• Robert Morris creates what would be known as the first worm on the
Internet. The worm is released from a computer at MIT to suggest that the
creator is a student there. The potentially harmless exercise quickly
becomes a vicious denial of service attack when a bug in the worm’s
spreading mechanism leads to computers being infected and reinfected at a
rate much faster than he anticipates. 
1988-1991 — Kevin Poulsen
• In 1988, an unpaid bill on a storage locker leads to the discovery of blank
birth certificates, false IDs, and a photo of hacker Kevin Poulsen, aka “Dark
Dante,” breaking into a telephone company trailer. The subject of a
nationwide manhunt, he continues hacking, including rigging the phone
lines of a Los Angeles radio station to guarantee he is the correct caller in a
giveaway contest. He is captured in 1991.
1989 — Trojan Horse Software
• A diskette claiming to be a database of AIDS information is mailed to
thousands of AIDS researchers and subscribers to a UK computer
magazine. It contains a Trojan (after the Trojan Horse of Greek mythology),
or destructive program masquerading as a benign application. 
1994 — Datastream Cowboy and Kuji
• Administrators at the Rome Air Development Center, a U.S. Air Force
research facility, discover a password “sniffer” has been installed onto their
network, compromising more than 100 user accounts. Investigators
determine that two hackers, known as Datastream Cowboy and Kuji, are
behind the attack.
1995 — Vladimir Levin
• Russian software engineer Vladimir Levin hacks into Citibank’s New York IT
system from his apartment in Saint Petersburg and authorizes a series of
fraudulent transactions, eventually wiring an estimated $10 million to
accounts worldwide.
1998-2007 — Max Butler
• Max Butler hacks U.S. government websites in 1998 and is sentenced to 18
months in prison in 2001. After being released in 2003, he uses WiFi to
commit attacks, program malware and steal credit card information. In
2007, he is arrested and eventually pleads guilty to wire fraud, stealing
millions of credit card numbers and around $86 million of fraudulent
purchases.
1999 — NASA and Defense Department Hack
• Jonathan James, 15, manages to penetrate U.S. Department of Defense
division computers and install a backdoor on its servers, allowing him to
intercept thousands of internal emails from different government
organizations, including ones containing usernames and passwords for
various military computers. Using the info, he steals a piece of NASA
software. Systems are shut down for three weeks.
1999 — The Melissa Virus
• A virus infects Microsoft Word documents, automatically disseminating itself
as an attachment via email. It mails out to the first 50 names listed in an
infected computer’s Outlook email address box. The creator, David Smith,
says he didn’t intend for the virus, which caused $80 million in damages, to
harm computers. He is arrested and sentenced to 20 months in prison.
2000 — Lou Cipher
• Barry Schlossberg, aka Lou Cipher, successfully extorts $1.4 million from
CD Universe for services rendered in attempting to catch the Russian
hacker.
2000 — Mafiaboy
• 15-year-old Michael Calce, aka MafiaBoy, a Canadian high school student,
unleashes a DDoS attack on several high-profile commercial websites
including Amazon, CNN, eBay and Yahoo! An industry expert estimates the
attacks resulted in $1.2 billion in damages.
2002 – Internet Attack
• By targeting the thirteen Domain Name System (DNS) root servers, a DDoS
attack assaults the entire Internet for an hour. Most users are unaffected.
2003 — Operation CyberSweep
• The U.S. Justice Department announces more than 70 indictments and 125
convictions or arrests for phishing, hacking, spamming and other Internet
fraud as part of Operation CyberSweep. 
2003-2008 — Albert Gonzalez
• Albert Gonzalez is arrested in 2003 for being part of ShadowCrew, a group
that stole and then sold card numbers online, and works with authorities in
exchange for his freedom. Gonzalez is later involved in a string of hacking
crimes, again stealing credit and debit card details, from around 2006 until
he is arrested in 2008. He stole millions of dollars and targeted companies
including TJX, Heartland Payment Systems and Citibank.
2004 — Lowe’s
• Brian Salcedo is sentenced to 9 years for hacking into Lowe’s home
improvement stores and attempting to steal customer credit card
information.
2004 — ChoicePoint
• A 41-year-old Nigerian citizen compromises customer data of ChoicePoint,
but the company only informs 35,000 people of the breach. Media scrutiny
eventually leads the consumer data broker, which has since been
purchased by LexisNexis, to reveal another 128,000 people had information
compromised. 
2005 — PhoneBusters
• PhoneBusters reports 11K+ identity theft complaints in Canada, and total
losses of $8.5M, making this the fastest growing form of consumer fraud in
North America. 
2005 — Polo Ralph Lauren/HSBC
• HSBC Bank sends letters to more than 180,000 credit card customers,
warning that their card information may have been stolen during a security
breach at a U.S. retailer (Polo Ralph Lauren). A DSW data breach also
exposes transaction information from 1.4 million credit cards.
2006 — TJX
• A cybercriminal gang steals 45 million credit and debit card numbers from
TJX, a Massachusetts-based retailing company, and uses a number of the
stolen cards to fund an electronic shopping spree at Wal-Mart. While initial
estimates of damages came up to around $25 million, later reports add up
the total cost of damages to over $250 million.
2008 — Heartland Payment Systems
• 134 million credit cards are exposed through SQL injection to install
spyware on Heartland’s data systems. A federal grand jury indicts Albert
Gonzalez and two Russian accomplices in 2009. Gonzalez, alleged to have
masterminded the international operation that stole the credit and debit
cards, is later sentenced to 20 years in federal prison. 
2008 – The Church of Scientology
• A hacker group known as Anonymous targets the Church of Scientology
website. The DDoS attack is part of a political activist movement against the
church called “Project Chanology.” In one week, the Scientology website is
hit with 500 DDoS attacks. 
2010 — The Stuxnet Worm
• A malicious computer virus called the world’s first digital weapon is able to
target control systems used to monitor industrial facilities. It is discovered in
nuclear power plants in Iran, where it knocks out approximately one-fifth of
the enrichment centrifuges used in the country’s nuclear program.
2010 — Zeus Trojan Virus
• An Eastern European cybercrime ring steals $70 million from U.S. banks
using the Zeus Trojan virus to crack open bank accounts and divert money
to Eastern Europe. Dozens of individuals are charged.
2011 — Sony Pictures
• A hack of Sony’s data storage exposes the records of over 100 million
customers using their PlayStation’s online services. Hackers gain access to
all the credit card information of users. The breach costs Sony more than
$171 million.
2011 — Epsilon
• A cyberattack on Epsilon, which provides email-handling and marketing
services to clients including Best Buy and JPMorgan Chase, results in the
compromise of millions of email addresses.
2011 — RSA SAFETY
• Sophisticated hackers steal information about RSA’s SecurID authentication
tokens, used by millions of people, including government and bank
employees. This puts customers relying on them to secure their networks at
risk.
2011 — ESTsoft
• Hackers expose the personal information of 35 million South
Koreans. Attackers with Chinese IP addresses accomplish this by
uploading malware to a server used to update ESTsoft’s ALZip compression
application and steal the names, user IDs, hashed passwords, birthdates,
genders, telephone numbers, and street and email addresses contained in
a database connected to the same network. 
2014 — eBay
• A cyberattack exposes names, addresses, dates of birth, and encrypted
passwords of all of eBay’s 145 million users.  
2015 — LockerPin
• LockerPin resets the pin code on Android phones and demands $500 from
victims to unlock the device.
2015 — Prepaid Debit Cards
• A worldwide gang of criminals steals a total of $45 million in a matter of
hours by hacking a database of prepaid debit cards and then draining cash
machines around the globe.
2017 — Chipotle
• An Eastern European criminal gang that is targeting restaurants uses
phishing to steal credit card information of millions of Chipotle customers.
2017 — WannaCry
• WannaCry, the first known example of ransomware operating via a worm
(viral software that replicates and distributes itself), targets a vulnerability in
older versions of Windows OS. Within days, tens of thousands of
businesses and organizations across 150 countries are locked out of their
own systems by WannaCry’s encryption. The attackers demand $300 per
computer to unlock the code.

Elements Of A Computer System


Input Unit. These components help users enter data and commands into
a computer system. Data can be in the form of numbers, words, actions,
commands, etc. The main function of input devices is to direct commands and
data into computers. Computers then use their CPU to process this data and
produce output.
Central Processing Unit (CPU). After receiving data and commands from users,
a computer system now has to process it according to the instructions provided.
Here, it has to rely on a component called the central processing unit.

The CPU further uses these three elements:


Memory Unit. Once a user enters data using input devices, the computer system
stores this data in its memory unit.

Arithmetic and Logic Unit. This part of the CPU performs arithmetic operations.
It does basic mathematical calculations like addition, subtraction, division,
multiplication, etc.

Control Unit. This unit is the backbone of computers. It is responsible for
coordinating tasks between all components of a computer system.
Machine Cycle
Step 1. Fetch instruction from memory
Step 2. Decode instruction
Step 3. Execute commands
Step 4. Store results in memory

Output Unit. The third and final component of a computer system is the output
unit. After processing of data, it is converted into a format which humans can
understand. After conversion, the output unit displays this data to users.

Computer hardware
It encompasses everything with a circuit board that operates within a PC or
laptop; including the motherboard, graphics card, CPU (Central Processing Unit),
ventilation fans, webcam, power supply, and so on.

Motherboard
• The motherboard is at the center of what makes a PC work. It houses the
CPU and is a hub that all other hardware runs through.
The CPU
• Responsible for processing all information from programs run by your
computer.
Random Access Memory, or RAM
• The role of RAM is to temporarily store on-the-fly information created by
programs and to do so in a way that makes this data immediately
accessible.
Hard Drive
• A storage device responsible for storing permanent and temporary data.
This data comes in many different forms, but is essentially anything saved
or installed to a computer.
Graphics Processing Unit (GPU)
• GPU does exactly what its name suggests and processes huge batches of
graphic data. You will find that your computer’s graphics card has at least
one GPU.
Power Supply Unit (PSU)
• It is the point where power enters your system from an external power
source and is then allocated by the motherboard to individual component
hardware.
S/W, software
• A collection of instructions that enable the user to interact with a computer,
its hardware, or perform tasks. Without software, most computers would be
useless.

Software | Examples | Program?
Antivirus | AVG, Housecall, McAfee, and Norton | Yes
Audio / Music program | iTunes and WinAmp | Yes
Communication | Discord, Skype, and Ventrilo | Yes
Database | Access, MySQL, and SQL | Yes
Device drivers | Computer drivers | No
E-mail | Outlook and Thunderbird | Yes
Game | Madden NFL football, Quake, and World of Warcraft | Yes
Internet browser | Firefox, Google Chrome, and Internet Explorer | Yes
Movie player | VLC and Windows Media Player | Yes
Operating system | Android, iOS, Linux, macOS, and Windows | No
Photo / Graphics program | Adobe Photoshop and CorelDRAW | Yes
Presentation | PowerPoint | Yes
Programming language | C++, HTML, Java, Perl, PHP, Python, and Visual Basic | Yes
Simulation | Flight simulator and SimCity | Yes
Spreadsheet | Excel | Yes
Utility | Compression, Disk Cleanup, encryption, registry cleaner, and screen saver | No
Word processor | Microsoft Word | Yes

Relevant characteristics of digital information


1. rapidly duplicated and easily distributed
an email sent to a list of recipients within a very short time frame

2. stored in multiple locations
a photo can be stored simultaneously on a device

3. created and communicated automatically
a smartphone can synchronize emails with another device or an online
service

4. stored with varying levels of 'discoverability'
image files that can only be accessed using a password or other method of
authentication

Other Computer Terminology


Monitor
• The monitor is your display, or the screen connected to your computer.
Laptops have built in monitors that are commonly referred to as ‘screens.’
SSD Card
• SSD is a computer data storage option that works without moving parts
(unlike a hard drive, it does not include a rotating disk).
Operating System
• The operating system is the software of a computer that all other software is
built upon. The main types of operating systems are produced by Microsoft,
Apple, and Google.
Download
• Download or downloading, is the process that occurs once you select a
software to install on your computer. The download time refers to how long
it will take for the installation to complete.
Upload
• An upload is the process of transferring a file from your computer to either
another computer or a host platform somewhere on the internet.
Apps
• Apps is an abbreviation of applications, which are effectively programs or
pieces of software.
Internet Terms
• Internet terms are what apply to the practices or related-materials of the
internet.
WiFi
• WiFi is an acronym used for ‘wireless fidelity.’ It refers to internet that is
generated and broadcast using a wireless signal rather than a hardline.
Search Engine
• A search engine is a program or platform that fires off ‘digital retrievers’ to
collect online documents. This collection is based off the words entered in the
search bar.

Rules and Regulations Implementing Republic Act No. 10175, Otherwise
Known as the “Cybercrime Prevention Act of 2012”

Pursuant to the authority of the Department of Justice, Department of Interior and
Local Government, and Department of Science and Technology under Republic Act
No. 10175, otherwise known as the “Cybercrime Prevention Act of 2012”, the
following rules and regulations are hereby promulgated to implement the provisions
of said Act:

RULE Preliminary Provisions

Section 1. Title. – These Rules shall be referred to as the Implementing Rules and
Regulations of Republic Act No. 10175, or the “Cybercrime Prevention Act of 2012”.

Section 2. Declaration of Policy. – The State recognizes the vital role of
information and communications industries, such as content production,
telecommunications, broadcasting, electronic commerce and data processing, in the
State’s overall social and economic development.
The State also recognizes the importance of providing an environment conducive to
the development, acceleration, and rational application and exploitation of
information and communications technology to attain free, easy, and intelligible
access to exchange and/or delivery of information; and the need to protect and
safeguard the integrity of computer, computer and communications systems,
networks and databases, and the confidentiality, integrity, and availability of
information and data stored therein from all forms of misuse, abuse and illegal
access by making punishable under the law such conduct or conducts.

The State shall adopt sufficient powers to effectively prevent and combat such
offenses by facilitating their detection, investigation and prosecution at both the
domestic and international levels, and by providing arrangements for fast and
reliable international cooperation.

Section 3. Definition of Terms. – The following terms are defined as follows:


a) Access refers to the instruction, communication with, storing data in, retrieving
data from, or otherwise making use of any resources of a computer system or
communication network;
b) Act refers to Republic Act No. 10175 or the “Cybercrime Prevention Act of 2012”;
c) Alteration refers to the modification or change, in form or substance, of an
existing computer data or program;
d) Central Authority refers to the DOJ – Office of Cybercrime;
e) Child Pornography refers to the unlawful or prohibited acts defined and
punishable by Republic Act No. 9775 or the “Anti-Child Pornography Act of 2009”,
committed through a computer system: Provided, that the penalty to be imposed
shall be one (1) degree higher than that provided for in Republic Act No. 9775;
f) Collection refers to gathering and receiving information;
g) Communication refers to the transmission of information through information and
communication technology (ICT) media, including voice, video and other forms of
data;
h) Competent Authority refers to either the Cybercrime Investigation and
Coordinating Center or the DOJ – Office of Cybercrime, as the case may be;
i) Computer refers to an electronic, magnetic, optical, electrochemical, or other data
processing or communications device, or grouping of such devices, capable of
performing logical, arithmetic, routing or storage functions, and which includes any
storage facility or equipment or communications facility or equipment directly related
to or operating in conjunction with such device. It covers any type of computer
device, including devices with data processing capabilities like mobile phones, smart
phones, computer networks and other devices connected to the internet;
j) Computer data refers to any representation of facts, information, or concepts in a
form suitable for processing in a computer system, including a program suitable to
cause a computer system to perform a function, and includes electronic documents
and/or electronic data messages whether stored in local computer systems or online;
k) Computer program refers to a set of instructions executed by the computer to
achieve intended results

RULE 2
Punishable Acts and Penalties
Cybercrimes
Section 4. Cybercrime Offenses. – The following acts constitute the offense of core
cybercrime punishable under the Act:
A. Offenses against the confidentiality, integrity and availability of computer
data and systems shall be punished with imprisonment of prision mayor or a fine of
at least Two Hundred Thousand Pesos (P200,000.00) up to a maximum amount
commensurate to the damage incurred, or both, except with respect to number 5
herein:
1. Illegal Access – The access to the whole or any part of a computer system without
right.
2. Illegal Interception – The interception made by technical means and without right,
of any non-public transmission of computer data to, from, or within a computer
system, including electromagnetic emissions from a computer system carrying such
computer data: Provided, however, That it shall not be unlawful for an officer,
employee, or agent of a service provider, whose facilities are used in the
transmission of communications, to intercept, disclose or use that communication in
the normal course of employment, while engaged in any activity that is necessary to
the rendition of service or to the protection of the rights or property of the service
provider, except that the latter shall not utilize service observing or random
monitoring other than for purposes of mechanical or service control quality checks.
3. Data Interference – The intentional or reckless alteration, damaging, deletion or
deterioration of computer data, electronic document or electronic data message,
without right, including the introduction or transmission of viruses.
4. System Interference – The intentional alteration, or reckless hindering or
interference with the functioning of a computer or computer network by inputting,
transmitting, damaging, deleting, deteriorating, altering or suppressing computer
data or program, electronic document or electronic data message, without right or
authority, including the introduction or transmission of viruses.
5. Misuse of Devices, which shall be punished with imprisonment of prision mayor, or
a fine of not more than Five Hundred Thousand Pesos (P500,000.00), or both, is
committed through any of the following acts:
a. The use, production, sale, procurement, importation, distribution or otherwise
making available, intentionally and without right, of any of the following:
i. A device, including a computer program, designed or adapted primarily for the
purpose of committing any of the offenses under this rules; or
ii. A computer password, access code, or similar data by which the whole or any part
of a computer system is capable of being accessed with the intent that it be used for
the purpose of committing any of the offenses under this rules.
b. The possession of an item referred to in subparagraphs 5(a)(i) or (ii) above, with
the intent to use said devices for the purpose of committing any of the offenses
under this section.
Provided, That no criminal liability shall attach when the use, production, sale,
procurement, importation, distribution, otherwise making available, or possession of
computer devices or data referred to in this section is for the authorized testing of a
computer system.
If any of the punishable acts enumerated in Section 4(A) is committed against critical
infrastructure, the penalty of reclusion temporal, or a fine of at least Five Hundred
Thousand Pesos (P500,000.00) up to maximum amount commensurate to the
damage incurred, or both shall be imposed.

B. Computer-related Offenses, which shall be punished with imprisonment
of prision mayor, or a fine of at least Two Hundred Thousand Pesos (P200,000.00)
up to a maximum amount commensurate to the damage incurred, or both, are as
follows:
1. Computer-related Forgery –
a. The input, alteration or deletion of any computer data without right, resulting in
inauthentic data, with the intent that it be considered or acted upon for legal
purposes as if it were authentic, regardless whether or not the data is directly
readable and intelligible; or
b. The act of knowingly using computer data, which is the product of computer-
related forgery as defined herein, for the purpose of perpetuating a fraudulent or
dishonest design.
2. Computer-related Fraud – The unauthorized input, alteration or deletion of
computer data or program, or interference in the functioning of a computer system,
causing damage thereby with fraudulent intent: Provided, That if no damage has yet
been caused, the penalty imposable shall be one (1) degree lower.

3. Computer-related Identity Theft – The intentional acquisition, use, misuse,
transfer, possession, alteration or deletion of identifying information belonging to
another, whether natural or juridical, without right: Provided, That if no damage has
yet been caused, the penalty imposable shall be one (1) degree lower.

C. Content-related Offenses:
1. Any person found guilty of Child Pornography shall be punished in accordance
with the penalties set forth in Republic Act No. 9775 or the “Anti-Child Pornography
Act of 2009”: Provided, That the penalty to be imposed shall be one (1) degree
higher than that provided for in Republic Act No. 9775 if committed through a
computer system.
Section 5. Other Cybercrimes. – The following constitute other cybercrime
offenses punishable under the Act:
1. Cyber-squatting – The acquisition of a domain name over the internet, in bad
faith, in order to profit, mislead, destroy reputation, and deprive others from
registering the same, if such a domain name is:
- Similar, identical, or confusingly similar to an existing trademark registered with the
appropriate government agency at the time of the domain name registration;
- Identical or in any way similar with the name of a person other than the registrant,
in case of a personal name; and
- Acquired without right or with intellectual property interests in it.
Cyber-squatting shall be punished with imprisonment of prision mayor, or a fine of at
least Two Hundred Thousand Pesos (P200,000.00) up to a maximum amount
commensurate to the damage incurred, or both: Provided, That if it is committed
against critical infrastructure, the penalty of reclusion temporal, or a fine of at least
Five Hundred Thousand Pesos (P500,000.00) up to maximum amount
commensurate to the damage incurred, or both shall be imposed.

2. Cybersex – The willful engagement, maintenance, control or operation, directly or
indirectly, of any lascivious exhibition of sexual organs or sexual activity, with the aid
of a computer system, for favor or consideration. Any person found guilty of cybersex
shall be punished with imprisonment of prision mayor, or a fine of at least Two
Hundred Thousand Pesos (P200,000.00), but not exceeding One Million Pesos
(P1,000,000.00), or both.
Cybersex involving a child shall be punished in accordance with the provision on
child pornography of the Act.
- Where the maintenance, control, or operation of cybersex likewise constitutes an
offense punishable under Republic Act No. 9208, as amended, a prosecution under
the Act shall be without prejudice to any liability for violation of any provision of the
Revised Penal Code, as amended, or special laws, including R.A. No. 9208,
consistent with Section 8 hereof.

3. Libel – The unlawful or prohibited acts of libel, as defined in Article 355 of the
Revised Penal Code, as amended, committed through a computer system or any
other similar means which may be devised in the future shall be punished
with prision correccional in its maximum period to prision mayor in its minimum
period or a fine ranging from Six Thousand Pesos (P6,000.00) up to the maximum
amount determined by Court, or both, in addition to the civil action which may be
brought by the offended party: Provided, That this provision applies only to the
original author of the post or online libel, and not to others who simply receive the
post and react to it.

Other offenses – The following acts shall also constitute an offense which shall be
punished with imprisonment of one (1) degree lower than that of the prescribed
penalty for the offense, or a fine of at least One Hundred Thousand Pesos
(P100,000.00) but not exceeding Five Hundred Thousand Pesos (P500,000.00), or
both:
Aiding or Abetting in the Commission of Cybercrime. – Any person who willfully
abets, aids, or financially benefits in the commission of any of the offenses
enumerated in the Act shall be held liable, except with respect to Sections 4(c)(2) on
Child Pornography and 4(c)(4) on online Libel.
Attempt to Commit Cybercrime. – Any person who willfully attempts to commit any of
the offenses enumerated in the Act shall be held liable, except with respect to
Sections 4(c)(2) on Child Pornography and 4(c)(4) on online Libel.

Other Liabilities and Penalties


Section 6. Corporate Liability. – When any of the punishable acts herein defined
are knowingly committed on behalf of or for the benefit of a juridical person, by a
natural person acting either individually or as part of an organ of the juridical person,
who has a leading position within, based on: (a) a power of representation of the
juridical person; (b) an authority to take decisions on behalf of the juridical person; or
(c) an authority to exercise control within the juridical person, the juridical person
shall be held liable for a fine equivalent to at least double the fines imposable in
Section 7 up to a maximum of Ten Million Pesos (P10,000,000.00).
- If the commission of any of the punishable acts herein defined was made possible
due to the lack of supervision or control by a natural person referred to and
described in the preceding paragraph, for the benefit of that juridical person by a
natural person acting under its authority, the juridical person shall be held liable for a
fine equivalent to at least double the fines imposable in Section 7 up to a maximum
of Five Million Pesos (P5,000,000.00).
- The liability imposed on the juridical person shall be without prejudice to the
criminal liability of the natural person who has committed the offense.

Section 7. Violation of the Revised Penal Code, as Amended, Through and
With the Use of Information and Communication Technology. – All crimes
defined and penalized by the Revised Penal Code, as amended, and special criminal
laws committed by, through and with the use of information and communications
technologies shall be covered by the relevant provisions of the Act: Provided, That
the penalty to be imposed shall be one (1) degree higher than that provided for by
the Revised Penal Code, as amended, and special laws, as the case may be.

Section 8. Liability under Other Laws. – A prosecution under the Act shall be
without prejudice to any liability for violation of any provision of the Revised Penal
Code, as amended, or special laws: Provided, That this provision shall not apply to
the prosecution of an offender under (1) both Section 4(c)(4) of R.A. 10175 and
Article 353 of the Revised Penal Code; and (2) both Section 4(c)(2) of R.A. 10175
and R.A. 9775 or the “Anti-Child Pornography Act of 2009”.

RULE 3
Enforcement and Implementation

Section 9. Law Enforcement Authorities. – The National Bureau of Investigation
(NBI) and the Philippine National Police (PNP) shall be responsible for the efficient
and effective law enforcement of the provisions of the Act. The NBI and the PNP
shall organize a cybercrime division or unit to be manned by Special Investigators to
exclusively handle cases involving violations of the Act.
The NBI shall create a cybercrime division to be headed by at least a Head Agent.
The PNP shall create an anti-cybercrime unit headed by at least a Police Director.
The DOJ – Office of Cybercrime (OOC) created under the Act shall coordinate the
efforts of the NBI and the PNP in enforcing the provisions of the Act.
Section 10. Powers and Functions of Law Enforcement Authorities. – The NBI
and PNP cybercrime unit or division shall have the following powers and functions:
- Investigate all cybercrimes where computer systems are involved;
- Conduct data recovery and forensic analysis on computer systems and other
electronic evidence seized;
- Formulate guidelines in investigation, forensic evidence recovery, and forensic data
analysis consistent with industry standard practices;
- Provide technological support to investigating units within the PNP and NBI including
the search, seizure, evidence preservation and forensic recovery of data from crime
scenes and systems used in crimes, and provide testimonies;
- Develop public, private sector, and law enforcement agency relations in addressing
cybercrimes;
- Maintain necessary and relevant databases for statistical and/or monitoring
purposes;
- Develop capacity within their organizations in order to perform such duties necessary
for the enforcement of the Act;
- Support the formulation and enforcement of the national cybersecurity plan; and
- Perform other functions as may be required by the Act.

Section 11. Duties of Law Enforcement Authorities. – To ensure that the
technical nature of cybercrime and its prevention is given focus, and considering the
procedures involved for international cooperation, law enforcement authorities,
specifically the computer or technology crime divisions or units responsible for the
investigation of cybercrimes, are required to submit timely and regular reports
including pre-operation, post-operation and investigation results, and such other
documents as may be required to the Department of Justice (DOJ) – Office of
Cybercrime for review and monitoring.
Law enforcement authorities shall act in accordance with the guidelines, advisories
and procedures issued and promulgated by the competent authority in all matters
related to cybercrime, and utilize the prescribed forms and templates, including, but
not limited to, preservation orders, chain of custody, consent to search, consent to
assume account/online identity and request for computer forensic examination.

Section 12. Preservation and Retention of Computer Data. – The integrity of
traffic data and subscriber information shall be kept, retained and preserved by a
service provider for a minimum period of six (6) months from the date of the
transaction. Content data shall be similarly preserved for six (6) months from the
date of receipt of the order from law enforcement authorities requiring its
preservation.
Law enforcement authorities may order a one-time extension for another six (6)
months: Provided, That once computer data that is preserved, transmitted or stored
by a service provider is used as evidence in a case, the mere act of furnishing such
service provider with a copy of the transmittal document to the Office of the
Prosecutor shall be deemed a notification to preserve the computer data until the
final termination of the case and/or as ordered by the Court, as the case may be.
The service provider ordered to preserve computer data shall keep the order and its
compliance therewith confidential.
Section 13. Collection of Computer Data. – Law enforcement authorities, upon the
issuance of a court warrant, shall be authorized to collect or record by technical or
electronic means, and the service providers are required to collect or record by
technical or electronic means and/or to cooperate and assist in the collection or
recording of computer data that are associated with specified communications
transmitted by means of a computer system.
The court warrant required under this section shall be issued or granted upon written
application, after the examination under oath or affirmation of the applicant and the
witnesses he may produce, and the showing that: (1) there are reasonable grounds
to believe that any of the crimes enumerated hereinabove has been committed, is
being committed or is about to be committed; (2) there are reasonable grounds to
believe that the evidence that will be obtained is essential to the conviction of any
person for, or to the solution of, or to the prevention of any such crimes; and (3) there
are no other means readily available for obtaining such evidence.

Section 14. Disclosure of Computer Data. – Law enforcement authorities, upon
securing a court warrant, shall issue an order requiring any person or service
provider to disclose or submit, within seventy-two (72) hours from receipt of such
order, subscriber’s information, traffic data or relevant data in his/its possession or
control, in relation to a valid complaint officially docketed and assigned for
investigation by law enforcement authorities, and the disclosure of which is
necessary and relevant for the purpose of investigation.
Law enforcement authorities shall record all sworn complaints in their official
docketing system for investigation.

Section 15. Search, Seizure and Examination of Computer Data. – Where a
search and seizure warrant is properly issued, the law enforcement authorities shall
likewise have the following powers and duties:
a. Within the time period specified in the warrant, to conduct interception, as defined
in this Rules, and to:
1. Search and seize computer data;
2. Secure a computer system or a computer data storage medium;
3. Make and retain a copy of those computer data secured;
4. Maintain the integrity of the relevant stored computer data;
5. Conduct forensic analysis or examination of the computer data storage medium;
and
6. Render inaccessible or remove those computer data in the accessed computer or
computer and communications network.
b. Pursuant thereto, the law enforcement authorities may order any person, who has
knowledge about the functioning of the computer system and the measures to
protect and preserve the computer data therein, to provide, as is reasonable, the
necessary information to enable the undertaking of the search, seizure and
examination.
c. Law enforcement authorities may request for an extension of time to complete the
examination of the computer data storage medium and to make a return thereon, but
in no case for a period longer than thirty (30) days from date of approval by the court.
Section 16. Custody of Computer Data. – All computer data, including content and
traffic data, that are examined under a proper warrant shall, within forty-eight (48)
hours after the expiration of the period fixed therein, be deposited with the court in a
sealed package, and shall be accompanied by an affidavit of the law enforcement
authority executing it, stating the dates and times covered by the examination, and
the law enforcement authority who may have access to the deposit, among other
relevant data. The law enforcement authority shall also certify that no duplicates or
copies of the whole or any part thereof have been made or, if made, that all such
duplicates or copies are included in the package deposited with the court. The
package so deposited shall not be opened, or the recordings replayed, or used in
evidence, or their contents revealed, except upon order of the court, which shall not
be granted except upon motion, with due notice and opportunity to be heard to the
person or persons whose conversation or communications have been recorded.

Section 17. Destruction of Computer Data. – Upon expiration of the periods as
provided in Sections 12 and 15 hereof, or until the final termination of the case
and/or as ordered by the Court, as the case may be, service providers and law
enforcement authorities, as the case may be, shall immediately and completely
destroy the computer data that are the subject of a preservation and examination
order or warrant.
Section 18. Exclusionary Rule. – Any evidence obtained without a valid warrant or
beyond the authority of the same shall be inadmissible for any proceeding before
any court or tribunal.

The Rules of Court shall have suppletory application in implementing the Act.
Section 19. Non-compliance. – Failure to comply with the provisions of Chapter IV
of the Act, and Rules 7 and 8 of Chapter VII hereof, specifically the orders from law
enforcement authorities, shall be punished as a violation of Presidential Order No.
1829 (entitled “Penalizing Obstruction Of Apprehension And Prosecution Of Criminal
Offenders”) with imprisonment of prision correccional in its maximum period, or a
fine of One Hundred Thousand Pesos (P100,000.00), or both for each and every
noncompliance with an order issued by law enforcement authorities.

Section 20. Extent of Liability of a Service Provider. – Except as otherwise
provided in this Section, no person or party shall be subject to any civil or criminal
liability in respect of a computer data for which the person or party acting as a
service provider merely provides access if such liability is founded on:
a. The obligations and liabilities of the parties under a computer data;
b. The making, publication, dissemination or distribution of such computer data or
any statement made in such computer data, including possible infringement of any
right subsisting in or in relation to such computer data: Provided, That:
1. The service provider does not have actual knowledge, or is not aware of the facts
or circumstances from which it is apparent, that the making, publication,
dissemination or distribution of such material is unlawful or infringes any rights
subsisting in or in relation to such material;
2. The service provider does not knowingly receive a financial benefit directly
attributable to the unlawful or infringing activity; and
3. The service provider does not directly commit any infringement or other unlawful
act, does not induce or cause another person or party to commit any infringement or
other unlawful act, and/or does not directly benefit financially from the infringing
activity or unlawful act of another person or party: Provided, further, That nothing in
this Section shall affect:
i. Any obligation arising from contract;
ii. The obligation of a service provider as such under a licensing or other regulatory
regime established under law;
iii. Any obligation imposed under any law; or
iv. The civil liability of any party to the extent that such liability forms the basis for
injunctive relief issued by a court under any law requiring that the service provider
take or refrain from actions necessary to remove, block or deny access to any
computer data, or to preserve evidence of a violation of law.


RULE 4
Jurisdiction
Section 21. Jurisdiction. – The Regional Trial Court shall have jurisdiction over any
violation of the provisions of the Act, including any violation committed by a Filipino
national regardless of the place of commission. Jurisdiction shall lie if any of the
elements was committed within the Philippines, or committed with the use of any
computer system that is wholly or partly situated in the country, or when by such
commission any damage is caused to a natural or juridical person who, at the time
the offense was committed, was in the Philippines.

Section 22. Venue. – Criminal action for violation of the Act may be filed with the
RTC of the province or city where the cybercrime or any of its elements is
committed, or where any part of the computer system used is situated, or where any
of the damage caused to a natural or juridical person took place: Provided, That the
court where the criminal action is first filed shall acquire jurisdiction to the exclusion
of other courts.

Section 23. Designation of Cybercrime Courts. – There shall be designated
special cybercrime courts manned by specially trained judges to handle cybercrime
cases.

Section 24. Designation of Special Prosecutors and Investigators. – The
Secretary of Justice shall designate prosecutors and investigators who shall
comprise the prosecution task force or division under the DOJ-Office of Cybercrime,
which will handle cybercrime cases in violation of the Act.

RULE 5
International Cooperation
Section 25. International Cooperation. – All relevant international instruments on
international cooperation on criminal matters, and arrangements agreed on the basis
of uniform or reciprocal legislation and domestic laws shall be given full force and
effect, to the widest extent possible for the purposes of investigations or proceedings
concerning crimes related to computer systems and data, or for the collection of
electronic evidence of crimes.
The DOJ shall cooperate and render assistance to other contracting parties, as well
as request assistance from foreign states, for purposes of detection, investigation
and prosecution of offenses referred to in the Act and in the collection of evidence in
electronic form in relation thereto. The principles contained in Presidential Decree
No. 1069 and other pertinent laws, as well as existing extradition and mutual legal
assistance treaties, shall apply. In this regard, the central authority shall:
a. Provide assistance to a requesting State in the real-time collection of traffic data
associated with specified communications in the country transmitted by means of a
computer system, with respect to criminal offenses defined in the Act for which real-
time collection of traffic data would be available, subject to the provisions of Section
13 hereof;
b. Provide assistance to a requesting State in the real-time collection, recording or
interception of content data of specified communications transmitted by means of a
computer system, subject to the provision of Section 13 hereof;
c. Allow another State to:
- Access publicly available stored computer data located in the country or
elsewhere; or
- Access or receive, through a computer system located in the country,
stored computer data located in another country, if the other State obtains
the lawful and voluntary consent of the person who has the lawful authority
to disclose the data to said other State through that computer system.
d. Receive a request of another State for it to order or obtain the expeditious
preservation of data stored by means of a computer system located within the
country, relative to which the requesting State shall submit a request for mutual
assistance for the search or similar access, seizure or similar securing, or disclosure
of the stored computer data: Provided, That:
1. A request for preservation of data under this section shall specify:
i. The authority seeking the preservation;
ii. The offense that is the subject of a criminal investigation or proceedings
and a brief summary of the related facts;
iii. The stored computer data to be preserved and its relationship to the
offense;
iv. The necessity of the preservation; and
v. That the requesting State shall submit a request for mutual assistance for
the search or similar access, seizure or similar securing, or disclosure of the
stored computer data.
2. Upon receiving the request from another State, the DOJ and law enforcement
agencies shall take all appropriate measures to expeditiously preserve the specified
data, in accordance with the Act and other pertinent laws. For the purposes of
responding to a request for preservation, dual criminality shall not be required as a
condition;
3. A request for preservation may only be refused if:
i. The request concerns an offense that the Philippine Government
considers as a political offense or an offense connected with a political
offense; or
ii. The Philippine Government considers the execution of the request to be
prejudicial to its sovereignty, security, public order or other national interest.
4. Where the Philippine Government believes that preservation will not
ensure the future availability of the data, or will threaten the confidentiality
of, or otherwise prejudice the requesting State’s investigation, it shall
promptly so inform the requesting State. The requesting State will
determine whether its request should be executed; and
5. Any preservation effected in response to the request referred to in paragraph (d)
shall be for a period not less than sixty (60) days, in order to enable the requesting
State to submit a request for the search or similar access, seizure or similar
securing, or disclosure of the data. Following the receipt of such a request, the data
shall continue to be preserved pending a decision on that request.
e. Accommodate request from another State to search, access, seize,
secure, or disclose data stored by means of a computer system located
within the country, including data that has been preserved under the
previous subsection.
The Philippine Government shall respond to the request through the proper
application of international instruments, arrangements and laws, and in
accordance with the following rules:
1. The request shall be responded to on an expedited basis where:
i. There are grounds to believe that relevant data is particularly vulnerable
to loss or modification; or
ii. The instruments, arrangements and laws referred to in paragraph (b) of
this section otherwise provide for expedited cooperation.
2. The requesting State must maintain the confidentiality of the fact or the subject of
request for assistance and cooperation. It may only use the requested information
subject to the conditions specified in the grant.
f. Make a request to any foreign state for assistance for purposes of
detection, investigation and prosecution of offenses referred to in the Act;
g. The criminal offenses described under Chapter II of the Act shall be
deemed to be included as extraditable offenses in any extradition treaty
where the Philippines is a party: Provided, That the offense is punishable
under the laws of both Parties concerned by deprivation of liberty for a
minimum period of at least one year or by a more severe penalty.
The Secretary of Justice shall designate appropriate State Counsels to
handle all matters of international cooperation as provided in this Rule.

RULE 6
Competent Authorities
Section 26. Cybercrime Investigation and Coordinating Center;
Composition. – The inter-agency body known as the Cybercrime Investigation and
Coordinating Center (CICC), under the administrative supervision of the Office of the
President, established for policy coordination among concerned agencies and for the
formulation and enforcement of the national cyber security plan, is headed by the
Executive Director of the Information and Communications Technology Office under
the Department of Science and Technology (ICTO-DOST) as Chairperson; the
Director of the NBI as Vice-Chairperson; and the Chief of the PNP, the Head of the
DOJ Office of Cybercrime, and one (1) representative each from the private sector,
non-governmental organizations, and the academe as members.
 The CICC members shall be constituted as an Executive Committee and
shall be supported by Secretariats, specifically for Cybercrime,
Administration, and Cybersecurity. The Secretariats shall be manned from
existing personnel or representatives of the participating agencies of the
CICC.

 The CICC may enlist the assistance of any other agency of the government
including government-owned and -controlled corporations, and the
following:
 Bureau of Immigration;
 Philippine Drug Enforcement Agency;
 Bureau of Customs;
 National Prosecution Service;
 Anti-Money Laundering Council;
 Securities and Exchange Commission;
 National Telecommunications Commission; and
 Such other offices, agencies and/or units, as may be necessary.
 The DOJ Office of Cybercrime shall serve as the Cybercrime Operations
Center of the CICC and shall submit periodic reports to the CICC.
 Participation and representation in the Secretariat and/or Operations Center
does not require physical presence, but may be done through electronic
modes such as email, audio-visual conference calls, and the like.

Section 27. Powers and Functions. – The CICC shall have the following powers
and functions:
 Formulate a national cybersecurity plan and extend immediate assistance
for the suppression of real-time commission of cybercrime offenses through
a computer emergency response team (CERT);
 Coordinate the preparation of appropriate and effective measures to
prevent and suppress cybercrime activities as provided for in the Act;
 Monitor cybercrime cases being handled by participating law enforcement
and prosecution agencies;
 Facilitate international cooperation on intelligence, investigations, training
and capacity-building related to cybercrime prevention, suppression and
prosecution through the DOJ-Office of Cybercrime;
 Coordinate the support and participation of the business sector, local
government units and NGOs in cybercrime prevention programs and other
related projects;
 Recommend the enactment of appropriate laws, issuances, measures and
policies;
 Call upon any government agency to render assistance in the
accomplishment of the CICC’s mandated tasks and functions;
 Establish and perform community awareness program on cybercrime
prevention in coordination with law enforcement authorities and
stakeholders; and
 Perform all other matters related to cybercrime prevention and suppression,
including capacity-building and such other functions and duties as may be
necessary for the proper implementation of the Act.
Section 28. Department of Justice (DOJ); Functions and Duties. – The DOJ-
Office of Cybercrime (OOC), designated as the central authority in all matters related
to international mutual assistance and extradition, and the Cybercrime Operations
Center of the CICC, shall have the following functions and duties:
 Act as a competent authority for all requests for assistance for investigation
or proceedings concerning cybercrimes, facilitate the provisions of legal or
technical advice, preservation and production of data, collection of
evidence, giving legal information and location of suspects;
 Act on complaints/referrals, and cause the investigation and prosecution of
cybercrimes and other violations of the Act;
 Issue preservation orders addressed to service providers;
 Administer oaths, issue subpoena and summon witnesses to appear in an
investigation or proceedings for cybercrime;
 Require the submission of timely and regular reports including pre-
operation, post-operation and investigation results, and such other
documents from the PNP and NBI for monitoring and review;
 Monitor the compliance of the service providers with the provisions of
Chapter IV of the Act, and Rules 7 and 8 hereof;
 Facilitate international cooperation with other law enforcement agencies on
intelligence, investigations, training and capacity-building related to
cybercrime prevention, suppression and prosecution;
 Issue and promulgate guidelines, advisories, and procedures in all matters
related to cybercrime investigation, forensic evidence recovery, and forensic
data analysis consistent with industry standard practices;
 Prescribe forms and templates, including, but not limited to, those for
preservation orders, chain of custody, consent to search, consent to
assume account/online identity, and request for computer forensic
examination;
 Undertake the specific roles and responsibilities of the DOJ related to
cybercrime under the Implementing Rules and Regulation of Republic Act
No. 9775 or the “Anti-Child Pornography Act of 2009”; and
 Perform such other acts necessary for the implementation of the Act.

Section 29. Computer Emergency Response Team (CERT). – The DOST-ICT
Office shall establish and operate the Computer Emergency Response Team (CERT)
that shall serve as coordinator for cybersecurity related activities, including but not
limited to the following functions and duties:
 a. Extend immediate assistance to the CICC to fulfil its mandate under the
Act with respect to matters related to cybersecurity and the national
cybersecurity plan;
 b. Issue and promulgate guidelines, advisories, and procedures in all
matters related to cybersecurity and the national cybersecurity plan;
 c. Facilitate international cooperation with other security agencies on
intelligence, training, and capacity-building related to cybersecurity; and
 d. Serve as the focal point for all instances of cybersecurity incidents by:
 Providing technical analysis of computer security incidents;
 Assisting users in escalating abuse reports to relevant parties;
 Conducting research and development on emerging threats to computer
security;
 Issuing relevant alerts and advisories on emerging threats to computer
security;
 Coordinating cyber security incident responses with trusted third parties at
the national and international levels; and
 Conducting technical training on cyber security and related topics.
 The Philippine National Police and the National Bureau of Investigation
shall serve as the field operations arm of the CERT. The CERT may also
enlist other government agencies to perform CERT functions.

RULE 7
Duties of Service Providers
Section 30. Duties of a Service Provider. – The following are the duties
of a service provider:
 Preserve the integrity of traffic data and subscriber information for a
minimum period of six (6) months from the date of the transaction;
 Preserve the integrity of content data for six (6) months from the date of
receipt of the order from law enforcement or competent authorities requiring
its preservation;
 Preserve the integrity of computer data for an extended period of six (6)
months from the date of receipt of the order from law enforcement or
competent authorities requiring extension on its preservation;
 Preserve the integrity of computer data until the final termination of the case
and/or as ordered by the Court, as the case may be, upon receipt of a copy
of the transmittal document to the Office of the Prosecutor;
 Ensure the confidentiality of the preservation orders and its compliance;
 Collect or record by technical or electronic means, and/or cooperate and
assist law enforcement or competent authorities in the collection or
recording of computer data that are associated with specified
communications transmitted by means of a computer system, in relation to
Section 13 hereof;
 Disclose or submit subscriber’s information, traffic data or relevant data in
his/its possession or control to law enforcement or competent authorities
within seventy-two (72) hours after receipt of order and/or copy of the court
warrant;
 Report to the DOJ – Office of Cybercrime compliance with the provisions of
Chapter IV of the Act, and Rules 7 and 8 hereof;
 Immediately and completely destroy the computer data subject of a
preservation and examination after the expiration of the period provided in
Sections 13 and 15 of the Act; and
 Perform such other duties as may be necessary and proper to carry into
effect the provisions of the Act.

Section 31. Duties of a Service Provider in Child Pornography Cases. – In line
with RA 9775 or the “Anti-Child Pornography Act of 2009”, the following are the
duties of a service provider in child pornography cases:
 An internet service provider (ISP)/internet content host shall install available
technology, program or software, such as, but not limited to,
system/technology that produces hash value or any similar calculation, to
ensure that access to or transmittal of any form of child pornography will be
blocked or filtered;
 Service providers shall immediately notify law enforcement authorities
within seven (7) days of facts and circumstances relating to any form of child
pornography that passes through or are being committed in their system;
and
 A service provider or any person in possession of traffic data or subscriber’s
information, shall, upon the request of law enforcement or competent
authorities, furnish the particulars of users who gained or attempted to gain
access to an internet address that contains any form of child pornography.
ISPs shall also preserve customer data records, specifically the time, origin,
and destination of access, for purposes of investigation and prosecution by
relevant authorities under Sections 9 and 11 of R.A. 9775.

INITIAL ANALYSIS OF DIGITAL EVIDENCE (ARTIFACTS)

DIGITAL EVIDENCE
 Digital or electronic evidence is any probative information stored or
transmitted in digital form that a party to a court case may use at trial.
 Section 79A of the IT (Amendment) Act, 2008 defines electronic form of evidence
as any information of probative value that is either stored or transmitted in
electronic form and includes computer evidence, digital audio, digital video,
cell phones, digital fax machines.
 The main characteristics of digital evidence are that it is latent, like
fingerprints and DNA; can transcend national borders with ease and speed; is
highly fragile and can be easily altered, damaged or destroyed; and is time sensitive.
 For this reason special precautions should be taken to document, collect,
preserve and examine this type of evidence.
 When dealing with digital evidence, the principles that should be applied are that
actions taken to secure and collect digital evidence should not change that
evidence.
 Persons conducting the examination of digital evidence should be trained for
this purpose, and activity relating to the seizure, examination, storage or
transfer of digital evidence should be fully documented, preserved and
available for review.
 Digital evidence relating to all types of crimes can be located in many
devices including GPS, laptops, PCs and servers.
 Types of crimes where digital evidence may be located: Cyber
Threats, Online Credit Card Fraud, Cyber-Identity Theft, Cyber-Harassment,
Cyber stalking, Computer Forgery and many others.

DIGITAL
Digital Investigative Analysts no longer limit their analysis to standard computer
systems. Analysts examine everything including:
 Desktop computers
 Laptops
 Mobile devices
 GPS navigation Devices
 Vehicle computer systems
 Internet of Things devices

INVESTIGATIVE
 While technology progresses at lightning speed, the legal system and those
who uphold our laws are just beginning to appreciate the need for analysts to
conduct deeper “investigative” analysis on digital devices to obtain a better
understanding of issues being investigated.
 Each year we are generating or replicating eight zettabytes of information.
That is equivalent to a stack of paper 1.6 trillion miles high. To manage the high
volume of data that needs to be analyzed, some organizations have employed
a raw data extraction process to digital evidence.

ANALYSIS
 An analyst must “analyze” the response to each question and determine its
relevance to other digital artifacts, as well as how it relates to information
available from the non-digital investigation.
1. Authorization and Preparation
2. Identification
3. Documentation, Collection (Seizure), and Preservation
4. Examination and Analysis
5. Reconstruction
6. Reporting results

AUTHORIZATION AND PREPARATION


 Computer security professionals should obtain instructions and written
authorization from their attorneys before gathering digital evidence relating to an
investigation within their organization.

IDENTIFICATION
 Digital investigators have to recognize the hardware (e.g. computers, floppy disks,
network cables) that contains digital information.
 Digital investigators must be able to distinguish between irrelevant information
and the digital data that can establish that a crime has been committed or can
provide a link between a crime and its victim or a crime and its perpetrator.

1. Identifying hardware
There are many computerized products that can hold digital evidence such as:
 telephones
 hand held devices
 laptops
 desktops
 larger servers
 mainframes
 routers
 firewalls
 other network devices.

2. Identifying Digital Evidence
 Different crimes result in different types of digital evidence.
 The ability to identify evidence depends on a digital investigator’s familiarity
with the type of crime that was committed and the operating system(s) and
computer program(s) that are involved.

DOCUMENTATION
 Documentation is essential at all stages of handling and processing digital
evidence.
 If digital evidence is copied onto a floppy diskette, the label should include the
current date and time, the initials of the person who made the copy, how the
copy was made, and the information believed to be contained on the diskette.

Message Digest and Digital Signatures
 A message digest algorithm always produces the same number for a given
input. Also, a good message digest algorithm will produce a different number
for different inputs.
 The most used algorithm for calculating message digests is MD5. There are
other message digest algorithms such as SHA, HAVAL, and SNEFRU.

COLLECTION AND PRESERVATION
 Once identified, digital evidence must be preserved in such a way that it can
later be authenticated.
 A major aspect of preserving digital evidence is collecting it in a way that does
not alter it.
 In a child pornography investigation, papers, photographs, videotapes, digital
cameras, and all external media should be collected. At the very least,
hardware should be collected that may help determine how child pornography
was obtained, created, viewed, and or distributed.
1. Collecting and Preserving Hardware
 When dealing with hardware as contraband, instrumentality, or evidence, it is
usually necessary to collect computer equipment.
 If it is determined that some hardware should be collected but there is no
compelling need to collect everything in sight, the most sensible approach is to
employ the independent component doctrine. The independent component
doctrine states that digital investigators should only collect hardware “for
which they can articulate an independent basis for search or seizure.”
Examining RAM – It may be possible to collect the necessary information by
running programs from (and saving the data to) an external device. Specialized
utilities like netstat, fport, and handle can be used to display information about
network connections and processes on Windows machines. If this approach is taken,
every action must be documented copiously along with the time and MD5 value of
command output.
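One way to keep the record the "Examining RAM" paragraph calls for, as an added example that is not part of the original notes: each command's output is saved to an external directory and logged with the UTC time and the MD5 of that output. The function names, the log layout and the stand-in command (used in place of a tool such as netstat) are assumptions.

```python
import hashlib
import json
import subprocess
import sys
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def run_and_record(argv, out_dir, examiner):
    """Run one collection command, save its raw output under out_dir
    (meant to be external media, not the suspect disk) and append a log
    record holding the UTC time and the MD5 of that output."""
    out_dir = Path(out_dir)
    out_dir.mkdir(parents=True, exist_ok=True)
    started = datetime.now(timezone.utc)
    proc = subprocess.run(argv, capture_output=True, check=False)
    seq = len(list(out_dir.glob("*.out"))) + 1
    out_file = out_dir / f"{seq:04d}.out"
    out_file.write_bytes(proc.stdout)
    record = {
        "seq": seq,
        "utc_time": started.isoformat(timespec="seconds"),
        "examiner": examiner,
        "command": list(argv),
        "exit_code": proc.returncode,
        "output_file": out_file.name,
        "output_bytes": len(proc.stdout),
        "md5": hashlib.md5(proc.stdout).hexdigest(),
    }
    # One JSON object per line, appended in the order the actions were taken.
    with open(out_dir / "actions.log", "a", encoding="utf-8") as log:
        log.write(json.dumps(record) + "\n")
    return record


def verify_log(out_dir):
    """Re-hash every saved output and return the sequence numbers whose
    file no longer matches the MD5 written at collection time."""
    out_dir = Path(out_dir)
    mismatched = []
    with open(out_dir / "actions.log", encoding="utf-8") as log:
        for line in log:
            rec = json.loads(line)
            data = (out_dir / rec["output_file"]).read_bytes()
            if hashlib.md5(data).hexdigest() != rec["md5"]:
                mismatched.append(rec["seq"])
    return mismatched


def demo():
    # Constructed stand-in for a live-response tool: prints one fixed line.
    cmd = [sys.executable, "-c",
           "print('TCP 10.0.0.5:49152 203.0.113.7:443 ESTABLISHED')"]
    with tempfile.TemporaryDirectory() as external:
        rec = run_and_record(cmd, external, examiner="JDC")
        clean = verify_log(external)
        # Simulate a saved output being edited after collection.
        (Path(external) / rec["output_file"]).write_bytes(b"edited later\n")
        tampered = verify_log(external)
    return rec, clean, tampered


if __name__ == "__main__":
    record, clean, tampered = demo()
    print(json.dumps(record, indent=2))
    print("mismatches before edit:", clean, "after edit:", tampered)
```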
2. Collecting and Preserving Digital Evidence
 When dealing with digital evidence (information as contraband, instrumentality,
or evidence) the focus is on the contents of the computer as opposed to the
hardware.
 There are two options when collecting digital evidence from a computer: just
copying the information needed, or copying everything.

Empirical Law of Digital Evidence Collection and Preservation: If you only
make one copy of digital evidence, that evidence will be damaged or
completely lost.
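The message digest and two-copy points above, as an added example that is not part of the original notes: the source is read once, two copies are written in the same pass, and both are later re-hashed against the digests recorded at acquisition. File names and the sample image are constructed; SHA-256 is recorded next to MD5 because MD5 collisions can be produced deliberately.

```python
import hashlib
import os
import tempfile

CHUNK = 1024 * 1024  # read in 1 MiB pieces so a large image never sits in memory


def file_digests(path):
    """Return (md5, sha256) hex digests of a file, read in chunks."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            md5.update(chunk)
            sha256.update(chunk)
    return md5.hexdigest(), sha256.hexdigest()


def acquire_two_copies(source, copy_a, copy_b):
    """Read the source once, write two copies, and return the digests of
    the bytes that were read. Mode "xb" refuses to overwrite a file."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with open(source, "rb") as src, \
            open(copy_a, "xb") as a, open(copy_b, "xb") as b:
        for chunk in iter(lambda: src.read(CHUNK), b""):
            md5.update(chunk)
            sha256.update(chunk)
            a.write(chunk)
            b.write(chunk)
        for out in (a, b):
            out.flush()
            os.fsync(out.fileno())  # make sure the copy reached the media
    return {"md5": md5.hexdigest(), "sha256": sha256.hexdigest()}


def verify_copies(recorded, copies):
    """Re-hash each copy; map path -> True when both digests still match."""
    result = {}
    for path in copies:
        md5, sha256 = file_digests(path)
        result[path] = (md5 == recorded["md5"]
                        and sha256 == recorded["sha256"])
    return result


def demo():
    with tempfile.TemporaryDirectory() as d:
        source = os.path.join(d, "suspect.img")
        # Constructed stand-in for an evidence image.
        with open(source, "wb") as fh:
            fh.write(b"\x00" * 4096 + b"constructed evidence bytes"
                     + b"\xff" * 4096)
        a = os.path.join(d, "copy_a.img")
        b = os.path.join(d, "copy_b.img")
        recorded = acquire_two_copies(source, a, b)
        before = verify_copies(recorded, [a, b])
        # Damage a single bit of copy A, as a failing disk might.
        with open(a, "r+b") as fh:
            fh.seek(4100)
            byte = fh.read(1)
            fh.seek(4100)
            fh.write(bytes([byte[0] ^ 0x01]))
        after = verify_copies(recorded, [a, b])
        return recorded, list(before.values()), list(after.values())


if __name__ == "__main__":
    recorded, before, after = demo()
    print(recorded)
    print("at acquisition:", before, "after damage to copy A:", after)
```

With only copy A, the one-bit change would leave no intact evidence; the second verified copy is what survives.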

EXAMINATION AND ANALYSIS


 Recall that an examination involves preparing digital evidence to facilitate the
analysis stage. The nature and extent of a digital evidence examination
depends on the known circumstances of the crime and the constraints placed
on the digital investigator.
- Digital investigators are required to perform an onsite examination under time
constraints. Swift examinations are also necessary in exigent circumstances.
- The forensic examination and subsequent analysis should preserve the integrity of
the digital evidence and should be repeatable and free from distortion or bias.

1. Filtering/ Reduction
 Eliminating valid system files and other known entities that have no relevance
to the investigation.
 Focusing an investigation on the most probable user-created data.
 Managing redundant files, which is particularly useful when dealing with
backup tapes.
 Identifying discrepancies between digital evidence examination tools, such as
missed files and MD5 calculation errors.
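The filtering and reduction steps listed above, as an added example that is not part of the original notes: files are hashed, known system files are set aside, redundant copies are grouped, and two tools' listings are compared for missed files and MD5 disagreements. The file tree, the known-hash set and the second tool's listing are all constructed.

```python
import hashlib
import tempfile
from collections import defaultdict
from pathlib import Path


def md5_listing(root):
    """Map each file's path (relative to root) to the MD5 of its content.
    Files are read whole for brevity; hash large files in chunks."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): hashlib.md5(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def reduce_listing(listing, known_hashes):
    """Split a listing into files to review, known files to set aside,
    and redundant copies of a file already queued for review."""
    review, known, redundant = [], [], defaultdict(list)
    first_seen = {}
    for path, digest in sorted(listing.items()):
        if digest in known_hashes:
            known.append(path)            # valid system file, not relevant
        elif digest in first_seen:
            redundant[first_seen[digest]].append(path)  # same content again
        else:
            first_seen[digest] = path
            review.append(path)
    return review, known, dict(redundant)


def tool_discrepancies(listing_a, listing_b):
    """Compare two tools' listings of the same evidence."""
    shared = set(listing_a) & set(listing_b)
    return {
        "missed_by_b": sorted(set(listing_a) - set(listing_b)),
        "missed_by_a": sorted(set(listing_b) - set(listing_a)),
        "md5_mismatch": sorted(p for p in shared
                               if listing_a[p] != listing_b[p]),
    }


def demo():
    system_file = b"constructed stand-in for an operating system binary"
    memo = b"constructed user memo: meet at the usual place"
    files = {
        "Windows/notepad.exe": system_file,
        "Users/sam/memo.txt": memo,
        "Backup/2019/memo.txt": memo,
        "Backup/2020/memo_copy.txt": memo,
        "Users/sam/budget.xls": b"constructed spreadsheet bytes",
    }
    # In practice the known set comes from a reference hash library.
    known = {hashlib.md5(system_file).hexdigest()}
    with tempfile.TemporaryDirectory() as d:
        for rel, data in files.items():
            target = Path(d) / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(data)
        listing = md5_listing(d)
    review, known_files, redundant = reduce_listing(listing, known)
    # Constructed second tool: it missed one file and mis-hashed another.
    other = dict(listing)
    del other["Users/sam/budget.xls"]
    other["Users/sam/memo.txt"] = "0" * 32
    return review, known_files, redundant, tool_discrepancies(listing, other)


if __name__ == "__main__":
    for part in demo():
        print(part)
```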

2. Class/Individual Characteristics and Evaluation of Source


 Two fundamental questions that need to be addressed when examining a piece
of digital evidence are what is it (classification/identification) and where did it
come from (evaluation of source).
 The process of identification involves classifying digital objects based on
similar characteristics, called class characteristics.

COMPUTER CRIMES AND DIGITAL INVESTIGATION


Digital Forensics- tools and techniques used to recover, preserve and examine
digital evidence on or transmitted by digital devices
Definition for the Masses- deleted files on almost any kind of digital storage
media are almost never completely gone

Who needs it????


1. Law Enforcement Officials- Prosecution of crimes which involve computers or
other digital devices.
Defending the innocent and prosecuting the guilty
Prosecution of computer related crimes

2. Security Agencies- Secret Service, CIA, FBI, NSA


Anti-terrorism efforts
Digital Espionage

Digital Forensic- Possibilities & Limitations


What’s Possible???
Recovery of deleted data
Discovery of when files were modified, created, deleted, organized, etc.
Can determine which storage devices were attached to a specific computer
Which applications were installed even if they were uninstalled by the user
Which website a user visited

What’s Not????
If digital media is completely physically destroyed then recovery is impossible
If digital media is securely overwritten recovery is very complicated and practically
impossible

A Digital Computer Forensics investigation:


Involves:
Acquisition- obtaining the original evidence
Preservation- protecting evidence
Analysis- finding relevant evidence
Presentation- presenting the evidence in court

Sources of Evidence:
Computers:
Email
Digital images
Documents
Spreadsheets
Chat logs
Illegally copied software or other copyrighted material
Wireless telephones:
Number called
Email addresses
Incoming calls
Call forwarding numbers
Voice mail access numbers

Deletion “Fallacies”
“I deleted the file, it’s gone.”
Deleted files are recoverable using digital forensic tools.
“I changed the name of the file, now no one will find it.”
Digital forensic tools immediately identify files based on content; names don’t
matter at all.
“I formatted the drive.”
This destroys almost nothing.
“I cut the floppy into little pieces” (media mutilation).
At this point it’s a question of how important it is to recover the data, because it is
harder to recover the data.
“I only used web-based email.”
Some email fragments are still present locally
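The answer to the renaming fallacy above, as an added example that is not part of the original notes: files are classified by the signature bytes at the start of their content, and any file whose name does not fit that content is reported. The signature table covers a few common formats only, and the sample files are constructed.

```python
import tempfile
from pathlib import Path

# (magic bytes at offset 0, type label, extensions that normally carry it)
SIGNATURES = [
    (b"\xff\xd8\xff", "jpeg", {".jpg", ".jpeg"}),
    (b"\x89PNG\r\n\x1a\n", "png", {".png"}),
    (b"GIF87a", "gif", {".gif"}),
    (b"GIF89a", "gif", {".gif"}),
    (b"%PDF-", "pdf", {".pdf"}),
    (b"PK\x03\x04", "zip", {".zip", ".docx", ".xlsx", ".pptx"}),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole2",
     {".doc", ".xls", ".ppt", ".msg"}),
]
HEADER_LEN = max(len(magic) for magic, _, _ in SIGNATURES)


def identify(header):
    """Return (type label, usual extensions) for the leading bytes of a
    file, or (None, set()) when no signature in the table matches."""
    for magic, label, extensions in SIGNATURES:
        if header.startswith(magic):
            return label, extensions
    return None, set()


def find_renamed(root):
    """Return (relative path, extension, detected type) for every file
    whose content signature does not fit its file name."""
    root = Path(root)
    findings = []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        with open(path, "rb") as fh:
            header = fh.read(HEADER_LEN)  # only the first bytes are needed
        label, extensions = identify(header)
        if label and path.suffix.lower() not in extensions:
            findings.append((path.relative_to(root).as_posix(),
                             path.suffix.lower(), label))
    return sorted(findings)


def demo():
    jpeg = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"constructed image data"
    samples = {
        "Pictures/holiday.jpg": jpeg,
        "Windows/system32.dll": jpeg,   # picture given a library's name
        "Windows/driver.sys": b"PK\x03\x04" + b"constructed archive data",
        "Docs/report.pdf": b"%PDF-1.4\nconstructed",
        # Plain text has no signature, so it is left unclassified.
        "Docs/notes.txt": b"constructed plain text",
    }
    with tempfile.TemporaryDirectory() as d:
        for rel, data in samples.items():
            target = Path(d) / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(data)
        return find_renamed(d)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```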

Tools of Digital Forensics


 EnCase- includes tools for data acquisition, file recovery, indexing/search
and file parsing
 Forensic Toolkit- scans a hard drive looking for various information
 PTK Forensics- acquiring and indexing digital media for investigation
 The Sleuth Kit- provides a large number of specialized command-line based
utilities
 The Coroner’s Toolkit- analysis of data recovery from computer disaster
 Computer Online Forensic Evidence Extractor (COFEE)- automated
forensic tool during a live analysis.

Case Study
ZACARIAS MOUSSAOUI
- 20th hijacker in the Sept. 11, 2001 terrorist attack against the US
- His laptop, 4 computers and several email accounts
([email protected]) were searched for e-evidence
- FBI discovered that the 19 hijackers used Kinkos computers
in various cities to gain access to the internet to plan 9/11.

Future of Digital Forensics


Digital forensics is now part of criminal investigations
Crimes and methods to hide crimes are becoming more sophisticated
Digital forms will be in demand for as long as there are criminals and misbehaving
people.
Will attract students and law professionals who need to update their skills.

Importance of Digital Forensic


 Digital forensics has gained an important place in criminal investigations
pertaining to digital media. An increasing number of computer crimes means
increasing demand for digital forensics services.
 Today everyone is exposed to potential attacks and has a responsibility to
their network neighbors to minimize their own vulnerabilities in an effort to
provide a more secure and stable network.
 The challenges of digital forensics can be met only with the
cooperation of the private, public and international sectors.

What is the purpose of Digital Evidence???


Digital forensics is the process of uncovering and interpreting electronic data.
The goal of the process is to preserve any evidence in its most original form while
performing a structured investigation by collecting, identifying, and validating the
digital information to reconstruct past events.

How is Digital Evidence used in Court????


Digital evidence or electronic evidence is any probative information stored or
transmitted in digital form that a party to a court case may use at trial.
As such, some courts have sometimes treated digital evidence differently for
purposes of authentication, hearsay, the best evidence rule, and privilege.

Is digital evidence admissible in Court???


Digital evidence is admissible if it establishes a fact of matter asserted in the
case, it remained unaltered during the digital forensics process, and the results of
the examination are valid, reliable, and peer reviewed.

Rules of Digital Evidence


Comply with the five rules of evidence. Do not exceed your knowledge. Follow
your local security policy. Capture as accurate an image of the system as
possible.

DIGITAL INVESTIGATIVE ANALYSIS


Digital forensics is not solely about the processes of acquiring, preserving,
analyzing and reporting on data concerning a crime or incident. A digital forensic
scientist must be a scientist first and foremost and therefore must keep up to date
with the latest research on digital forensic techniques. 

Computer Forensics is the analysis of information contained within computer
systems. The Computer Forensics Investigator’s first step is to clearly determine
the purpose and objective of the investigation in a free consultation.

The computer forensic analysis will examine and extract the data that can be
viewed by the operating system, as well as data that is invisible to the operating
system including deleted data that has not been overwritten.

A brief history of digital forensics


- Until the late 1990s, what became known as digital forensics was commonly
termed ‘computer forensics’. The first computer forensic technicians were law
enforcement officers who were also computer hobbyists. In the USA in 1984 work
began in the FBI Computer Analysis and Response Team (CART). One year later,
in the UK, the Metropolitan Police set up a computer crime unit under John
Austen within what was then called the Fraud Squad.
- A major change took place at the beginning of the 1990s. Investigators and
technical support operatives within the UK law enforcement agencies, along with
outside specialists, realized that digital forensics (as with other fields) required
standard techniques, protocols and procedures. Apart from informal guidelines,
these formalisms did not exist but urgently needed to be developed.
DIGITAL INVESTIGATIVE ANALYSIS
The digital forensic process has the following five basic stages:
 Identification – the first stage identifies potential sources of relevant
evidence/information (devices) as well as key custodians and location of
data.
 Preservation – the process of preserving relevant electronically stored
information (ESI) by protecting the crime or incident scene, capturing visual
images of the scene and documenting all relevant information about the
evidence and how it was acquired.
 Collection – collecting digital information that may be relevant to the
investigation. Collection may involve removing the electronic device(s) from
the crime or incident scene and then imaging, copying or printing out its
(their) content.
 Analysis – an in-depth systematic search of evidence relating to the
incident being investigated. The outputs of examination are data objects
found in the collected information; they may include system- and user-
generated files. Analysis aims to draw conclusions based on the evidence
found.
 Reporting – firstly, reports are based on proven techniques and
methodology and secondly, other competent forensic examiners should be
able to duplicate and reproduce the same results.

Different types of digital forensics


Digital forensics is a constantly evolving scientific field with many sub-disciplines.
Some of these sub-disciplines are:
1. Computer Forensics – the identification, preservation, collection, analysis and
reporting on evidence found on computers, laptops and storage media in support of
investigations and legal proceedings.
2. Network Forensics – the monitoring, capture, storing and analysis of network
activities or events in order to discover the source of security attacks, intrusions or
other problem incidents, i.e. worms, virus or malware attacks, abnormal network
traffic and security breaches.
3. Mobile Devices Forensics – the recovery of electronic evidence from mobile
phones, smartphones, SIM cards, PDAs, GPS devices, tablets and game consoles.
4. Digital Image Forensics – the extraction and analysis of digitally acquired
photographic images to validate their authenticity by recovering the metadata of the
image file to ascertain its history.
5. Digital Video/Audio Forensics – the collection, analysis and evaluation of sound
and video recordings. The science is the establishment of authenticity as to whether
a recording is original and whether it has been tampered with, either maliciously or
accidentally.
6. Memory forensics – the recovery of evidence from the RAM of a running
computer, also called live acquisition.

In practice, there are exceptions that blur this classification because the grouping
by the provider is dictated by staff skill sets, contractual requirements, lab space,
etc. For example:
1. Tablets or smartphones without SIM cards could be considered computers.
2. Memory cards (and other removable storage media) are often found in
smartphones and tablets, so they could be considered under mobile forensics or
computer forensics.
3. Tablets with keyboards could be considered laptops and fit under computer or
mobile forensics.

The science of digital forensics has a seemingly limitless future and as technology
advances, the field will continue to expand as new types of digital data are created
by new devices logging people’s activity. Although digital forensics began outside the
mainstream of forensic science, it is now fully absorbed and recognized as a branch
of forensic science.

Process of Data Forensic Examination


The Computer Forensics Investigator also addresses the legal issues
associated with electronic evidence, such as relevant case law, how to
navigate the discovery process, protection of privilege, and in general,
working with attorneys and other professionals.
- In addition, an examiner will work to uncover all files on the subject’s system.
This includes existing active files, and invisible files, hidden files, password-
protected files, and encrypted files. In many cases, information is gathered during
a computer forensics investigation that is not typically available or viewable by the
average computer user, such as fragments of data that can be found in the space
allocated for existing files (known by computer forensic practitioners as “slack
space”). Special skills, tools and software are needed to obtain this type of
information or evidence.
A Computer Forensics expert can recover all deleted files and other data that
have not yet been overwritten. As a computer is used, the operating system is
constantly writing data to the hard drive. From time to time, the operating system
will save new data on a hard drive by overwriting data that exists on the drive but
is no longer needed by the operating system. A deleted file, for example, will
remain present on a hard drive until the operating system overwrites all or some
of the file. The ongoing use of a computer system may destroy data that could
have been extracted before being overwritten. That is why we stress that time
may be of the essence. Fortunately, the costs of acquisition are very reasonable,
and the process is generally not disruptive.
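The two points above, slack space and deleted data that survives until it is overwritten, can be seen on a toy volume. The Python sketch below is an added example, not part of the original notes; the 64-byte cluster size, the helper names and the sample memo are constructed assumptions.

```python
import re

CLUSTER = 64  # toy cluster size in bytes (assumption; real volumes often use 4096)

def clusters_needed(length, cluster=CLUSTER):
    """Number of whole clusters allocated to a file of `length` bytes."""
    return max(1, -(-length // cluster))

def write_file(disk, start_cluster, data, cluster=CLUSTER):
    """Write data at the start of its allocation; bytes past len(data) stay untouched."""
    off = start_cluster * cluster
    disk[off:off + len(data)] = data
    return {"start": start_cluster, "length": len(data)}

def slack_bytes(disk, entry, cluster=CLUSTER):
    """Bytes between the logical end of the file and the end of its last cluster."""
    begin = entry["start"] * cluster + entry["length"]
    end = (entry["start"] + clusters_needed(entry["length"], cluster)) * cluster
    return bytes(disk[begin:end])

def printable_runs(blob, min_len=6):
    """Extract printable ASCII runs, as a strings-style pass over raw bytes would."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, blob)]

def demo():
    disk = bytearray(4 * CLUSTER)  # constructed, zero-filled toy volume
    old = b"MEMO: transfer approved by J. Doe on 2020-01-15, ref 7731"  # constructed sample
    write_file(disk, 1, old)
    # "Deleting" the memo only drops its directory entry; cluster 1 still holds it.
    new = write_file(disk, 1, b"grocery list")  # a shorter file reuses cluster 1
    slack = slack_bytes(disk, new)
    return new, slack, printable_runs(slack)

if __name__ == "__main__":
    entry, slack, runs = demo()
    print(f"file length {entry['length']} bytes, slack {len(slack)} bytes")
    print("recovered from slack:", runs)
```

The new file's own 12 bytes overwrite the start of the memo, so only the tail of the deleted file is recoverable, which is why continued use of a system steadily reduces what an examiner can extract.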

When to consult a computer forensic expert?


Computer forensics differs from data recovery, which is the recovery of
electronic data after an event affecting the physical data, such as a hard drive
crash. Computer forensics goes much further and can be used as a tool to (1)
determine the facts from your employee/client, (2) discharge your duty to avoid
spoliation, (3) obtain all relevant evidence from the opposing party in a manner
similar to using a Request for Production of Documents, and (4) determine
whether computers were used as the instrumentality of a tort, crime, or violation
of policy.

- In response to pending litigation, analyzing the relevant computers is an
excellent way to discharge the duties to preserve evidence and avoid spoliation. It
also allows the computer forensic examiner to acquire all relevant information
essential to your legal theories and strategies.
- In litigation, an attorney must determine whether a Request for Production of
Documents will obtain all relevant evidence. You might simply ask yourself
whether you want to discover part of the relevant information (i.e. that seen by
your opponent’s operating system) or all of it (i.e. deleted, hidden, orphaned data,
etc). It is not unrealistic to believe that information that is helpful to a matter would
be saved on a computer, while that which is harmful would be deleted, hidden, or
rendered invisible.

- For example, in sexual harassment cases, it is not unusual to discover
deleted e-mails and other data invisible to the operating system that significantly
affect the case. Computer forensic analysis extracts all the e-mails, memos, and
data that can be viewed with the operating system, as well as all invisible data. In
many cases, the invisible data completely changes the nature of a claim or
defense and ultimately affects settlement strategy.
- In any situation in which one or more computers may have been used in an
inappropriate manner, it is essential to call a forensic expert. Only a computer
forensic investigator will be able to preserve, extract, and analyze the vital data
that records the “tracks” left behind by inappropriate use.
