PROCEDURES IN HANDLING OF

COMPUTER/CYBERCRIME CASES

LEGAL BASIS
- R.A. 8792 Electronic Commerce Act of 2000
- R.A. 8484 Access Device Act
PURPOSE
The standard operating procedure prescribes a uniform and step-by-
step process to be observed by all personnel of CIDG in the conduct of
investigation regarding Computer/Cybercrime cases.

SCOPE OF APPLICATION
This procedure shall be strictly observed by investigators handling
computer/cybercrime cases. The head of office or Chief must always be
informed of the disposition or action taken on complaints. Computer
and Network can be involved in crimes in several ways:
a. Computer or network can be a tool of crime (used to commit the
crime)
b. Computer or network can be a target of the crime (the “victim”)
c. Computer or network can be used for incidental purposes related to
the crime

DEFINITION OF TERMS (Based on Webster Computer Dictionary

New Revised Edition)
a. Computer Server – is a computer or device on a network that
manages network resources. For example, a file server is a computer
and storage device dedicated to storing files. Any user in the network
can store files on the server.
A print server is a computer that manages one or more printer, and a
network server is a computer that manages network traffic. A database
server is a computer system that processes database queries.

b. Computer Network – is a collection of computers and devices

connected to each other. The network allows computers to
communicate with each other and share resources and information.
c. Computer Crime – Any illegal behavior directed by means of
electronic operations that targets the security of computer systems and
the data processed by them. (UN Definition)
 d. Cyber Crime – Any illegal behavior committed by means of, or in
relation to, a computer system or network, including such crimes as illegal
possession, offering or distributing information by means of a computer
system or network. (UN Definition)
e. Domain Name – is an identification label to define realms of
administrative autonomy, authority, or control in the internet, based on the
Domain Name System.

f. Electronic Mail – often abbreviated as e-mail or email, is a

method of exchanging digital messages, designed primarily for human
use. A message at least consists of its content, an author, address, and
one or more recipient addresses.
 g. Internet Protocol (IP) Address – a numerical identification and
logical address that is assigned to devices participating in a computer
network utilizing the Internet Protocol for communication.

h. Electronic Evidence – is any probative information stored or

transmitted in digital form that a party to a court case may use at trial.
i. Electronic Crime Scene - A crime scene where there are electronic
evidence found.

j. Web Hosting Service – is an individual or organizations providing

website or Internet hosting service that allows individuals or organizations to
provide their own website accessible via the World Wide Web.
 k. Web site (Group of Web pages) – is a collection of related web pages,
images, videos or other digital assets that are addressed with a common domain
name or IP address in an Internet Protocol-based network. A web site is hosted on
at least one web serer, accessible via the Internet or a private local area network.

l. Social Network Website – a web site that focuses on building online

communities of people who share interests and/or activities, or who are interested
in exploring the interests and activities of others.
 m. Hacking or Cracking (Lifted from R.A. 8792 Sec 33 para A) – Refers to
unauthorized access into or interference in a computer system/server or
information and communication system; or any access in order to corrupt, alter,
steal, or destroy using a computer or other similar information and
communication devices, without the knowledge and consent of the owner of the
computer or information and communications system, including the
introduction of computer viruses and the like, resulting in the corruption,
destruction, alteration, theft or loss of electronic data messages or electronic
documents shall be punished by a minimum fine of One Hundred Thousand
pesos (P 100,000.00) and a maximum commensurate to the damage incurred
and a mandatory imprisonment of six (6) months to three (3) years;
POLICY GUIDELINES OF COMMAND
a. Guidelines and Procedures in the Conduct of Arrested Person under
Custodial Investigation (R.A. No. 7438).
b. Guidelines on Police Intervention Operations such as arrest, raid,
Search and seizure and others.
c. Guidelines on PNP personnel to strictly respect and uphold Human
Rights.

PROCEDURES
a. Walk-in Complainant
NOTE: Complaints can be handled by RCIDU or coordinated
with ATCD.
1. Complaint(s) will be guided to fill up a complaint sheet and affix
his/her signature.
2. Sworn statements and other necessary documents will be prepared.
3. If the nature of complaint is pertaining to Computer/Cyber Crime
cases such as but not limited to:
a) Hacking/Cracking
b) Email Cases (Hacking/Threat/Extortion)
c) Identity theft or in relation to Social Networking cases

NOTE: The investigator shall determine the Internet Protocol (IP)

address or Domain Name Service (DNS) Address in question/involved
in the investigation.
4. The investigator shall then conduct online WHOIS tracing on the
identified IP address or Domain name (website) to determine its
Internet Service Provider (ISP) and Web Hosting Company.

5. If the result of the WHOIS traces to the local IP address and Local
Domain Name Hosting, the investigator shall coordinate with the ISP
and Web Hosting Company through letters rogatory to preserve the
log files and further identify the owner of the IP address and the
registrant of Domain Name (website).
6. Else, If the WHOIS traces foreign IP address and Foreign Domain Name
Hosting, the investigator shall coordinate with the foreign counter-part Law
Enforcement Agency through Mutual Legal Assistance Treaty (MLAT)
procedures to get the information on the owner of the IP address and the
registrant of Domain Name (website). Coordination should be made with Legal
Division, CIDG.
7. After the completion of the investigative requirements, the case will be filed
in court for possible arrest and conviction of the suspect. If not, pursued the
solution of the case.

NOTE: All seized devices should be sent to Computer Forensic Sec, ATCD,
CIDG for Computer/Cellphone Forensic examination. (Requirements stated in
Part VI para 3)
8. If the nature of the complaint is pertaining to cellphone-related cases such as but
not limited to:
a. Text Scam
b. Cellphone Threat
c. Cellphone Extortion, and etc.

NOTE: The investigator shall identify the Subscriber Identity Module (SIM) Card
number and its corresponding Telecommunication Company (TELCO) carrier.
(SMART/GLOBE/SUN/PLDT, etc)

If the SIM card number belongs to a local TELCO, then the investigator shall
coordinate through letter derogatory to determine the owner of the SIM card number
and any logs/records pertaining to the said SIM.
9. If the SIM card number belongs to a foreign TELCO, then the investigator shall
coordinate through letter rogatory with the foreign counter-part Law Enforcement
Agency through Mutual Legal Assistance Treaty (MLAT) procedures to get the
information on the owner of the SIM card number and other log/records pertaining
to the said SIM.
10. After completion of the investigative requirements, the case will be filed in
court for possible arrest and conviction of the suspect. If not, pursue the solution of
the case.
NOTE: All seized devices should be sent to Computer Forensic Sec, ATCD,
CIDG for Computer/Cellphone Forensic examination. (Requirements stated in
Part VI para 3)

b. Application of Search Warrant

NOTE: Preferably conducted by Trained Personnel not necessarily coming
from Computer Forensic Sec, ATCD, CIDG.
Step Action
ELECRONIC CRIME SCENE PROCEDURES
1. Secure and take control of the area containing the suspected electronic media. Always be
aware of officer‟s safety and securely take control of the scene.
The investigator should move individuals at
the scene away from all computer equipment
to ensure no last-minute changes or
corruption to the data occur. If suspect is
allowed to access computer equipment, he or
she may be able to destroy or alter the
evidence making it much more difficult to
conduct the forensic analysis at a later time.
 

Once all individuals have been removed from the

areas containing the electronic evidence,
investigators can start conducting interviews of either
the suspects on the scene or potential witnesses.
Interviewing the individuals on the scene may provide a substantial
amount of information pertaining to the case and may help lead the
investigators in the right direction. The interviews should take place in
an area where the interviews will not be interrupted and allow for the
individual to talk freely to the investigator.

At this time, conduct your interviews with individuals found on the

scene or the crime or the reporting person who provided the
information.
The investigator should avoid switching the computer
system on if it is turned off upon your arrival. Make
sure there is no active screen saver by pressing one of
the arrow keys located on the keyboard connected to
the computer system. The arrow keys will not alter any
documents if the system is active. Photograph the
monitor to show the status of the system upon your
arrival on the scene.

If the screen is blank and the system is turned on, again,

press the arrow keys to ensure a screen saver is not
active. If the monitor power is off, turn the monitor
power on.
Once the monitor comes on, photograph the monitor to
show what was on the screen at the time of your arrival.
Check to see if the system is connected to the internet or has network
capabilities. Some systems may not have a CAT5 or other type of
network cable attached; the system could be utilizing a wireless
connection.
If the system is networked, the investigator will want to capture the
volatile data contained in the system‟s memory. If the system‟s power is
disconnected before volatile data has been collected, the data will be lost
and the investigator will not be able to retrieve that data at a later time.

Once the investigator has collected the volatile data, he

will want to disconnect the power from the machine in
order to shut it down. The forensic practice is to
disconnect the power source from the rear of the machine
and NOT from the wall outlet.
This will make sure the investigator is removing the
correct power supply and not another systems power.
Shutting down (using the Operating System) will alter the
registry and it will be considered as tampering of
evidence.
The investigator will then document the crime scene by taking
photographs. These photographs will help the investigator
remember where everything was located on the crime scene and
how the crime scene looked when he or she arrived.
The investigator should take pictures of the entrance to the crime
scene, and then take photographs from each corner of the crime
scene. Additionally as evidence is located and recovered, the
investigator should photograph the evidence before it is moved to
document the location it was found on the scene.

The next step is to document the crime scene even further by

drawing a sketch of the entire crime scene. The sketch will show
the measurements of the crime scene and where the evidence is
located on the crime scene by their exact distance from other
objects on the crime scene.
The investigator can find two unmovable points on the crime scene
and conduct all measurements from that location.
After taking all the necessary photographs, the investigator must to label and
tag all the evidence located in the crime scene. When labeling the computer
system, the investigator should label each connector and port attached to the
system. This will help ensure the investigator will be able to reconstruct the
system in a court of law.
The investigator can place a tag on the video cable labeled “A.” Then label
the video port on the back of the system also with the letter “A.” This way the
investigator will know that cable “A” connects to port “A.” This method, also
known as “Bagging and Tagging,” should be done for each cable connected to
the system. At this time, label all the connections to the computer system.

Once the system has been labeled correctly, the investigator can place evidence tape
over the 3 ½ inch drive and the drive case. This will help the investigator know if
anyone tampers with the computer system in transit back to the forensic lab.
If there is any media located in the drives, the media should be photographed and then
removed to protect the evidence from being destroyed or altered. CD-ROMS may be
scratched in transit and therefore may become unreadable. At this time, remove any
media in the drive bays and place evidence tape over the drives.
Now it is time to package all the equipment for transportation. All electronic evidence should
be packaged in anti-static bags to help ensure the integrity of the data is maintained. As each
piece of evidence is packaged, an evidence label should be attached.
This evidence label will help identify the evidence, the date and time it was found on the
scene, the location it was recovered from, and the investigator who found the evidence.
Additional information can be added to include the Case Number and the primary
investigating officer. At this time, please ensure all evidence has been packaged and labeled
from the crime scene.
Before each item is removed from the crime scene, a
chain of custody must be filled out to ensure the evidence
is properly tracked from investigator to investigator. A
chain of custody will contain the name of the recovering
officer and the date and time he transferred the evidence
to the primary investigating officer. Additionally, the
chain of custody may contain the item number or
evidence number along with the case number of the
crime.

Search through all documentation to find passwords or

other physical evidence that may pertain to the crime.
Passwords or hidden notes may be located on the scene
inside documentation manuals or books.
c. Requirements for Computer/Cellphone Forensic Examination at Computer Forensic
Laboratory, ATCD, CIDG.
For Hard Disk
1. Letter Request for Examination (From RC, RCIDU/RD, PRO/ DD, NCRPO District/Dir,
NSU/Head of Agency/Corporate Secretary of Private Corporations/Private Complainant)
2. One (1) piece Hard Disk (Double the Size of the Hard Disk for examination)
3. One (1) piece Compact Disk (CD) Recordable for the Forensic Result
For Cellphone
One (1) piece Compact Disk (CD) Recordable for the Forensic Result
Note: The requesting party or the Court can only request for the Examination results and
pieces of evidence after filling up the Chain of Custody form.
ACCESS DEVICES REGULATION ACT OF 1998
a. What law punishes access device fraud (unlawful use of credit
card)?
- Republic Act No 8484
b. What are acts that constitute access device frauds?
The following acts shall constitute access device fraud and are hereby
declared to be unlawful:

1. An act of producing, using, trafficking in one or more counterfeit access

devices;
2. An act trafficking in one or more unauthorized access devices or access
devices fraudulently applied for;
 3. An act of using, with intent to defraud, an unauthorized access device;
4. An act of using an access device fraudulently applied for;
5. An act of possessing one or more counterfeit access devices or access
devices fraudulently applied for;
6. An act of producing, trafficking in, having control or custody of, or
possessing device-making or altering equipment without being in the business or
employment, which lawfully deals with the manufacture, issuance, or distribution
of such equipment;
7. An act of inducing, enticing, permitting or in any manner allowing another, for
consideration or otherwise to produce, use, traffic in counterfeit access devices,
unauthorized access devices or access devices fraudulently applied for;

8. An act of multiple imprinting on more than one transaction record, sales slip or
similar document, thereby making it appear that the device holder has entered into a
transaction other than those which said device holder had lawfully contracted for, or
submitting, without being an affiliated merchant, an order to collect from the issuer of
the access device, such extra sales slip through an affiliated merchant who connives
therewith, or, under false pretences of being an affiliated merchant, present for
collection such sales slips, and similar documents;
9. An act of disclosing any information imprinted on the access device, such as, but not
limited to, the account number or name or address of the device holder, without the latter's
authority or permission;
10. An act of obtaining money or anything of value through the use of an access device, with
intent to defraud or with intent to gain and fleeing thereafter;
11. An act of having in one's possession, without authority from the owner of the access
device or the access device company, an access device, or any material, such as slips, carbon
paper, or any other medium, on which the access device is written, printed, embossed, or
otherwise indicated;
12. An act of writing or causing to be written on sales slips, approval numbers from the
issuer of the access device of the fact of approval, where in fact no such approval was
given, or where, if given, what is written is deliberately different from the approval
actually given;
13. An act of making any alteration, without the access device holder's authority, of any
amount or other information written on the sales slip;
14. An act of effecting transaction, with one or more access devices issued to another
person or persons, to receive payment or any other thing of value;
15. An act, without the authorization of the issuer of the access device, soliciting a
person for the purpose of:
a) Offering an access device; or
b) Selling information regarding or an application to obtain an access device; or
16. An act, without the authorization of the credit card system member or its agent,
causing or arranging for another person to present to the member or its agent, for
payment, one or more evidence or records of transactions made by credit card.
17. Other analogous acts
What is the evidence needed to file a case of access device fraud?
1. Testimonial Evidence – affidavit of complainants and witnesses
2. Documentary Evidence - Certificate of Registration of the owner of access devices,
Photographs of access devices fraudulently used, Certificate of Obligation issued as a
result of fraudulent transactions or contract of sale and other pertinent documents
obtained through the use of fraudulent access device, police records and other relevant
records
3. Object Evidence - Subject access devices, computers and other electronic equipments
4. Other relevant documents
CREDIT CARD FRAUD INVESTIGATIONS (VIOLATION OF RA 8484)

ACCOUNT TAKE-OVER
Account Take-over (ATO) – a criminal trying to take over another person‟s account,
first by gathering information about the intended victim, then contacting their bank or credit
issuer – masquerading as the genuine cardholder – asking for mail to be redirected to a new
address. The criminal then reports the card lost and asks for a replacement to be sent. The
replacement card is then used fraudulently.

STEPS IN INVESTIGATING ATO CARD

a. There must be a complaint
1. Duly accomplished complaint sheet
2. Affidavit of the complainant and issuing Bank
 3. If complainant is a juridical person, ask for his/her authority to file a complaint (Special
Power of Attorney or Corporate Secretary‟s Certificate).
4. Evaluate the complaint to ascertain the crime committed and/or if the case is suited for
entrapment.
5. Determine what appropriate laws can be applied.

b. Pieces of Evidence Needed

1. Delivery receipt signed by the suspect/s (if
credit card was delivered)
2. Affidavit of the courier (if card was delivered)
3. Affidavit of the legitimate card holder
 4. Credit Card itself (if recovered)
5. Affidavit of merchant/s (if the credit card was used)
6. Sales Invoice and charge slip (if the credit card was used)
7. Affidavit of Arrest (if suspects were arrested)
8. Statement of Account

c. Filing of the Case (the documents needed can be secured from the complainant)

Inquest, if arrest was made, with the following

documents:
1. Referral addressed to the Prosecutor‟s Office
2. Duly accomplished complaint Sheet
3. Affidavit of complainant and issuing Bank
Note: If complainant is a juridical person, Special Power of Attorney (SPA) and/or
Corporate Secretary‟s Certificate is needed.

d. Affidavit of the legitimate cardholder e. Delivery receipt signed by the suspect, if

credit card was delivered
f. Affidavit of the courier, if credit card was delivered
g. Credit Card itself, if recovered
h. Affidavit of merchants, if credit card was used
i. Sales invoice and charge slip, if credit card was used
j. Statement of account
k. Affidavit of arrest
l. Booking sheet
m. Picture of the suspect/s (if arrested)
1. Regular/Ordinary Filing if no arrest was made
Note: Affidavit of arrest and booking sheet is not required
2. Suspect/s can be charged with Sec 9 of RA 8484, Art 172 and/or 172, Art 178,
and Art 315 and Art 308, all of RPC and CA 142 as amended by RA 6085, etc…

Note: The Case Folder shall contain all of paragraph 3.

Fraudulent Application (Fraudaps) – suspect used stolen or fake documents to
open an account in someone else‟s name.

STEPS IN INVESTIGATING FRAUDULENT APPLIED

CARD
a. There must be a complaint
1. Duly accomplished complaint sheet
2. Affidavit of the complainant/issuing Bank
3. If a complainant is a juridical person, ask for his/her authority to file a complaint
Special Power of Attorney or Corporate Secretary‟s Certificate
4. Evaluate the case to ascertain the crime committed and/or if the case is suited for
entrapment.
5. Determine what appropriate laws are applicable.
b. Documents needed
1. Application form (if any, application usually done thru phone)
2. Documents presented in support to that application i.e. ID‟s, certificate of employment,
etc (if any)
3. Delivery receipts signed by the suspect/s (if credit card was delivered)
4. Affidavit of courier (if card was delivered)
5. Credit Card itself (if recovered)
6. Affidavit of merchant/s (if card was used)
7. Sales Invoice and Charge Slip (if card was used)
8. Affidavit of Arrest (if suspect/s were arrested)
9. Statement of Account

FILING OF THE CASE (the documents needed can be secured from the complainant)

a. Inquest, if arrest was made

1. Referral addressed to the City Prosecutor
2. Duly accomplished complaint sheet (mandatory)
3. Affidavit of complainant/issuing Bank
Note: If complainant is a juridical person, Special Power of Attorney and/or Corporate
Secretary‟s Certificate is needed.
4. Application Form (if any, application usually done thru phone)
5. Documents presented in support for that application i.e. ID‟s, certificate of employment
etc (if any)
6. Affidavit of courier (if card was delivered)
7. Credit Card itself (if card was recovered)
8. Affidavit of merchant (if card was used)
 9. Sales invoice and charge slip (if card was used)
10. Statement of Account
11. Affidavit of Arrest
12. Booking Sheet
13. Picture of the suspect (if arrested)
b. Regular/Ordinary Filing if no arrest was made
Note: Affidavit of arrest and booking is not required

c. Suspect/s can be charged with Sec 9 of RA 8484, Art 172 and 171, Art 178, Art 315 all of RPC,
and CA 142 as amended by RA 6085, etc.
Note: The Case Folder shall contain all of paragraph 3
 d. Counterfeit credit cards

Steps in Investigating Counterfeit Cards

a. There must be a complaint
1. Duly accomplished complaint sheet
2. Affidavit of the complainant/certification from the issuing Bank
3. If a complainant is a juridical person, ask for his/her authority to file a complaint (Special
Power of Attorney or Corporate Secretary‟s Certificate).
4. Evaluate the case to ascertain the crime committed and/or if the case is suited for
entrapment.
5. Determine what appropriate laws are applicable
b. Pieces of Evidence Needed
1. Credit Card itself (if recovered)
2. Affidavit of merchant (if card was used)
3. Sales invoice (if card was used)
4. Charge slip (if card was used)
5. Letter of dispute/affidavit of the legitimate card holder
6. Affidavit of arrest (if suspect was arrested)
7. Statement of Account
c. Filing of the Case (the documents needed can be secured from the complainant)
Inquest, if arrest was made:
1. Referral addressed to the City Prosecutor
2. Duly accomplished complaint sheet
3. Affidavit of complainant/issuing Bank
4. If the complainant is a juridical person, Special Power of Attorney and/or
Corporate Secretary‟s Certificate is needed
5. Credit Card itself (if the card was recovered)
6. Police Blotter to the effect that the card was lost or stolen
7. Affidavit of Merchant (if the card was used)
8. Sales invoice and charge slip (if the card was used)
9. Letter of dispute/affidavit of the legitimate card holder
10. Affidavit of Arrest
11. Statement of account
12. Booking sheet
13. Picture/s of the suspect (if arrested)
d. Regular/Ordinary Filing if no arrest was made
Note: Affidavit of arrest and booking sheet is not needed

e. Suspect can be charged with sec 9 of RA 8484, Art 308 and Art 178 all of RPC, CA 142
as amended by RA 6085, etc.
Note: The Case Folder shall contain all of paragraph 3.
STEPS IN INVESTIGATING MANUFACTURING OF CREDIT CARDS
a. There must be a complaint
1. Duly accomplished complaint sheet
2. Affidavit of the complainant
3. If complainant is a juridical person, ask for his/her authority to file a
complaint.
4. Evaluate the case to ascertain the offense committed.
5. Determine what laws are applicable.
6. Determine what document/s or pieces of evidence are needed to complete
the picture of the case.
b. Piece/s of evidence needed
1. Skimming device (Card Reader) – a device used to record the data of credit card and
then transferred to a duplicate card
2. Hot Stamper – machine used to shape plastic material by bending, folding, pressing,
stretching and or twisting
3. Embosser – machine used to carve a design in relief on a surface
4. Printer – external
5. Scanner – computer peripheral or a stand-alone device that converts a document,
filing, graphic, or photographic to a digital image.
6. Blank PVC Cards – a standard-sized blank plastic card where a certain credit card is
to be printed
7. Computers – general purpose machine, commonly consisting of digital circuitry,
that accepts (inputs), stores, manipulates, and generates (outputs) data a number, text,
graphics, voice, video files, or electrical signals, in accordance with instructions called
programs.
c. If possible, apply for Search Warrant
d. Filing of the Case
1. Inquest if arrest was made
a) Referral addressed to the City Prosecutor
b) Duly accomplished sheet
c) Affidavit of the complainant/Certification from the Credit Card Association of the
Philippines
Note: If the complainant is a juridical person, Special Power of Attorney and/or
Corporate Secretary‟s Certificate is needed.
d) Skimming Device
e) Stamper
f) Embosser
g) Printer
h) Scanner
i) Blank PVC Card
j) Computers
k) Copy of Search Warrant/s
l) Receipt of property seized
m) Certificate of orderly searched
n) Affidavit of Arrest
o) Booking Sheet
2. Ordinary Filing if no arrest was made
Note: Affidavit of Arrest and booking sheet is not needed
3. Suspect/s can be charged with sec 9 of RA 8484
e. Return of Search Warrant/s
Note: The Case Folder shall contain all of paragraph 4 and 5.
END…?