cybercrimes investigation

8/12/2019 Cybercrimes Investigation

1/52

PSUPT EDUARDO F KEMPISAsst Regional Chief, 5RCDU, CIDG


2/52

Legal BasisRA 8792 Electronic Commerce Act of2000RA 8484 Access Device Act

RA 9775 Anti-Child Pornography Actof 2009

Introduction to Cyber Crimes


3/52

Scope of ApplicationComputer or network can be a tool

of crime (use to commit the crime)Computer or network can be atarget of the crime (the victim)

Computer or network can be usedfor incidental purposes related to thecrime



4/52

Definition of TermsComputer Serveris a computer or device on anetwork that manages network resources. Eg. A file

server is a computer and storage device dedicated tostoring files. Any user in the network can store fileson the server. A print server is a computer thatmanages one or more printer, and a network server

is a computer that manages network traffic. Adatabase server is a computer system that processesdatabase queries.



5/52

Computer Network is a collection of computersand devices connected to each other. The networksallows computers to communicate with each other

and share resources and information.

Cyber Crime any illegal behavior committed bymeans of, or in relation to, a computer system ornetwork, including such crimes as illegal possession,offering or distributing information my means of acomputer system or network. (UN Definition)



6/52

Computer Crime any illegal behavior directedby means of electronic operations that targets thesecurity of computer systems and the data processed

by them. (UN Definition)

Domain Name is an identification label to definerealms of administrative autonomy, authority, or

control in the internet, based on the Domain NameSystem.



7/52

Electronic Mail often abbreviated as email, is amethod of exchanging digital messages, designedprimarily for human use. A message at least consistsof its contents, an author, address, and one or more

recipient addresses.Internet Protocol (IP) Address a numericalidentification and logical address that is assigned todevices participating in a computer network utilizingthe Internet Protocol for communication.Electronic Evidence is any probativeinformation stored or transmitted in digital form thata party to a court case may use at trial.



8/52

Electronic Crime Scene A crime scene where

there are electronic evidence found.Web Hosting Service is an individual ororganizations providing website or internet hostingservice that allows individuals or organizations to

provide their own website accessible via World WideWeb.Web site (Group of Web pages) is a collectionof related web pages, images, videos or other digitalassets that are addressed with a common domain

name or IP address in an Internet Protocol-basednetwork. A web site is hosted on at least one webserer, accessible via the Internet or a private localarea network.



9/52

Social Network Website - a web site thatfocuses on building online communities of people whoshare interests and/or activities, or who areinterested in exploring the interests and activities of

others.Hacking or Cracking (Lifted from R.A. 8792Sec 33 para A) refers to unauthorized access intoor interference in an computer system/server orinformation and communication system; or any

access in order to corrupt, alter, steal, or destroyusing a computer or other similar information andcommunication devices, without the knowledge andconsent of the owner of the computer or information



10/52

and communications system, including theintroduction of computer viruses and the like,resulting in the corruption, destruction, alteration,

theft, or loss of electronic data messages orelectronic documents shall be punished by aminimum fine of One Hundred Thousand pesos(100,000.00) and a maximum commensurate to thedamage incurred and a mandatory imprisonment ofsix (6) months to three (3) years;



11/52

Introduction to Cyber CrimesCyber stalking can be defined as the repeated acts

of harassment or threatening behavior of the cybercriminal towards the victim by using internet services.Virus Disseminationmalicious software that

attaches itself into other software (virus, worms, Trojan,

horse, time bomb, logic bomb, etc.).Software Piracytheft of software through the

illegal copying of genuine programs or counterfeitingand distribution of products intended to pass for the

original.Net Extortioncopying the companys confidential

data to extort said company of huge amount.


12/52


COMMON INTERNET SCAMS/CYBER CRIMES

On line Child PornographyViolation of Intellectual Property Rights

Internet Auction FraudNon-Delivery of Merchandise FraudCredit Card FraudInvestment Fraud

Business FraudNigerian Letter ScamCellphone Text Scam


13/52

PROCEDURES

a. Walk-in Complainant

NOTE: Complaints can be handled by RCIDU or

coordinated with ATCD.

1. Complaint(s) will be guided to fill up acomplaint sheet and affix his/her signature.

2. Sworn statements and other necessarydocuments will be prepared.



14/52

3. Nature of complaint is pertaining toComputer/Cyber Crime cases such as but not limitedto:

a) Hacking/Cracking

b) Email Cases (Hacking/Threat/Extortion)c) Identity theft or in relation to SocialNetworking cases.

NOTE: The investigator shall determine the InternetProtocol (IP) address or Domain Name Service

(DNS) Address in question/involved in theinvestigation.



15/52

4. The investigator shall then conduct online WHOIStracing on the identified IP address or Domainname (website) to determine its Internet ServiceProvider (ISP) and Web Hosting Company.

5. If the result of the WHOIS traces to the local IPaddress and Local Domain Name Hosting, theinvestigator shall coordinate with the ISP andWeb Hosting Company through letters rogatory to

preserve the log files and further identify theowner of the IP address and the registrant ofDomain Name (website).



16/52

6. Else, if the WHOIS traces foreign IP address andForeign Domain Name Hosting, the investigatorshall coordinate with the foreign counter-part LawEnforcement Agency through Mutual LegalAssistance Treaty (MLAT) procedures to get the

information on the owner of the IP address andthe registrant of Domain Name (website).Coordination should be made with Legal Division,CIDG.

7. After the completion of the investigativerequirements, the case will be filed in court forpossible arrest and conviction of the suspect. Ifnot, pursued he solution of the case.



17/52

NOTE: All seized devices should be sent to

Computer Forensic Sec, ATCD, CIDG forComputer/Cellphone Forensic examination.(Requirements stated in Part VI para 3)

8. If the nature of the complaint is pertaining to

cellphone-related cases such as but not limitedto:a. Text Scamb. Cellphone Threatc. Cellphone Extortion, and etc..

NOTE: The investigator shall identify the SubscriberIdentity Module (SIM) Card number and itscorresponding Telecommunication Company(TELCO) carrier. (Smart/Globe/Sun/PLDT, etc..)



18/52

If the SIM card number belongs to a local TELCO,then the investigator shall coordinate through letterderogatory to determine the owner of the SIM cardnumber and any logs/records pertaining to the said

SIM.9. If the SIM card number belongs to a foreignTELCO, then the investigator shall coordinatethrough letter rogatory with the foreign counter-partLaw Enforcement Agency through Mutual Legal

Assistance Treaty (MLAT) procedures to get theinformation on the owner of the SIM card numberand other log/records pertaining to the said SIM.



19/52

10.After completion of the investigativerequirements, the case will be filed in court for

possible arrest and conviction of the suspect. If not,pursue the solution of the case.

NOTE: All seized devices should be sent toComputer Forensic Sec, ATCD, CIDG for

Computer/Cellphone Forensic examination.(Requirements stated in Part VI para 3).



20/52

b. Application of Search Warrant

NOTE: Preferably conducted by Trained Personnelnot necessarily coming from Computer Forensic Sec,ATCD, CIDG.



21/52

ELECTRONIC CRIME SCENE PROCEDURES1. Secure and take control of the area containing

the suspected electronic media. Always be awareof officerssafety and securely take control of thescene.

2. The investigator should move individuals at thescene away from all computer equipment toensure no last-minute changes or corruption tothe data occur. (if suspect is allowed to access

computer equipment, he or she may be able todestroy or alter the evidence making it muchmore difficult to conduct the forensic analysis at alater time.)



22/52

3. Once all individuals have been removed fromareas containing the electronic evidence,investigators can start conducting interviews ofeither the suspects on the scene or potentialwitnesses. Interviewing the individuals on the

scene may provide a substantial amount ofinformation pertaining to the case and may heplead the investigators in the right direction. Theinterviews should take place in an area where the

interviews will not be interrupted and allow forthe individual to talk freely to the investigator.At this time conduct your interviews with

individual found on the scene or the crime or thereporting person who provided the information.



23/52

4.a The investigator should avoid switching thecomputer system on, if it is turn-off upon yourarrival. Make sure there is no active screen saverby pressing one of the arrow keys located on thekey board connected to the computer system.The arrow keys will not alter any documents ifthe system is active. (Photograph the monitor to

show the status of the system upon your arrivalon the scene.)



24/52

4.b If the screen is blank and the system is turnedon, again, press the arrow keys to ensure ascreen saver is not active. If the monitor poweris off, turn the monitor power on. Once themonitor comes on, photograph the monitor toshow what was on the screen at the time of your

arrival.



25/52

5. Check to see the system is not connected to theinternet or has network capabilities. Somesystem may not have a CAT5 of type or networkcable attached; the system could be utilizing awireless connection. If the system is networked,the investigator will want to capture the volatiledata contained in the systems memory. If thesystem power is disconnected before volatile data

has been collected, the data will be lost and theinvestigator will not be able to retrieve that dataat a later time.



26/52

6. Once the investigator has collected the volatiledata, he will want to disconnect the power fromthe machine in order to shut it down. Theforensic practice is to disconnect the power

source from the rear of the machine and NOTfrom the wall outlet. This will make sure theinvestigator is removing the correct power supplyand not another systems power. Shutting down

(using the Operating System) will alter theregistry and it will be considered as tampering ofevidence.



27/52

7. The investigator will then document the crimescene by taking photographs. This photographswill help the investigator remember whereeverything was located on the crime scene andhow the crime scene looked when he or shearrived. The investigator should take pictures ofthe entrance to the crime scene, and then takephotographs from each corner of the crime scene.Additionally as evidence is located and recovered,

the investigator should photograph the evidencebefore it is moved to document the location itwas found in the scene.



28/52

8. The next step is to document the crime sceneeven further by drawing a sketch of the entirecrime scene. The sketch will show the

measurements of the crime scene and where theevidence is located on the crime scene by theirexact distance from other objects on the crimescene. The investigator can find two unmovable

points on the crime scene and conduct allmeasurements from that location.



29/52

9. After taking all the necessary photographs, the

investigator must to label and tag all the evidencelocated in the crime scene. When labeling thecomputer system, the investigator should labeleach connector and port attached to the system.This will help ensure the investigator will be ableto reconstruct the system in a court of law. Theinvestigator can place a tag on the video cablelabeled A. Then label the video port on theback of the system also with the letter A. This

way the investigator will know that cable Aconnects to port A. This method, also known asbagging and tagging should be done for eachcable connected to the system.



30/52

10. Once the system has been labeled correctly, theinvestigator can place evidence tape over the 3 inch drive and the drive case. This will heldthe investigator know if anyone tampers with thecomputer system in transit back to the forensiclab. If there is any media located in the drives,the media should be photographed and thenremoved to protect the evidence from beingdestroyed or altered. CD-ROMS may be scratched

in transit and therefore may become unreadable.At this time, remove any media in the drive baysand place evidence tape over the drives.



31/52

11. Now it is time to package all the equipment fortransportation. All electronic evidence should bepackaged in anti-static bags to help ensure theintegrity of the data is maintained. As each pieceof evidence is packaged, an evidence label should

be attached. (This evidence label will help identifythe evidence, the date and time it was found onthe scene, the location it was recovered from,and the investigator who found the evidence.

Additional information can be added to includethe Case Number and the primary investigatingofficer.) At this time, please ensure all evidencehas been packaged and labeled from the crimescene.



32/52

12. Before each item is removed from the crimescene, a chain of custody must be filled out toensure the evidence is properly tracked from

investigator to investigator. A chain of custodymay contain the name of the recovering officerand the date and time he transferred theevidence to the primary investigating officer.

Additionally, the chain of custody may contain theitem number or evidence number along with thecase number of the crime.



33/52


34/52

ELECTRONIC COMERCE ACT (RA 8792)

ACTS IN VIOLATIONS OF ELECTRONIC COMMERCE ACT

1. Any acts of hacking or cracking or unauthorized access into

or interference in a computer system/server or information

and communication system; or any access in order to

corrupt, alter, steal, or destroy using a computer or other

similar information and communication devices including

the introduction of computer viruses and the like, resulting

in the corruption, destruction, alteration, theft or loss of

electronic data messages or electronic documents.


35/52


2. Any act of Piracy or the unauthorized copying,

reproduction, dissemination, or distribution, importation,

use, removal, alteration, substitution, modification,

storage, uploading, downloading, communication,

making available to the public or broadcasting of

protected materials, electronic signature or copyrighted

works including legally protected sound recording or

phonograms or information material on protected

works, through the use of telecommunication networks,

such as, but not limited to, the internet, in a manner thatinfringes intellectual property rights.


36/52


3. The access is without the knowledge and consent of

the owner of the computer or information and

communications system.

4. Other analogous acts.


37/52

EVIDENCE NEEDED TO FILE FOR VIOLATION OF RA 8792

1. Testimonial Evidence Affidavit of Complainants and Witnesses.

2. Documentary Evidence Cyber or Computer forensic Results,

Police Records, transaction records and other documents.3. Object of Evidence Computer and any devise used to hack or

crack or pirate the computer information. Original documents

copied or pirated Documents.

4. Other relevant evidence.



38/52

ACTS THAT CONSTITUTE ACCESS DEVICE FRAUDS

1. An act of producing, using, trafficking in one of more counterfeit

access devices;

2. An act trafficking in one or more unauthorized access devices or

access devices fraudulently applied for;

3. An act of using, with intent to defraud, an unauthorized access

device;

4. An act of using an access device fraudulently applied for;

5. An act of possessing one or more counterfeit access devices or

access devices fraudulently applied for;

6. An act of producing, trafficking-in, having control or custody orpossessing device-making or altering equipment without being in

the business or employment, which lawfully deals with the

manufacture, issuance, or distribution of such equipment;

ACCESS DEVICES REGULATION ACT (RA 8484)


39/52

7. An act of inducing, enticing, permitting or in any manner allowing

another, for consideration or otherwise to produce, use, traffic in

counterfeit access devices fraudulently applied for;

8. An act of multiple imprinting on more than one transaction record,

sales slip or similar document, thereby making it appear that thedevice holder has entered into a transaction other than those which

said device holder has lawfully contracted for, or submitting, without

being an affiliated merchant, an order to collect the issuer of the

access device, such extra sales slip through an affiliated merchant

who connives therewith, or, under false pretences of being anaffiliated merchant, present for collection such sales slips, and

similar documents;



40/52

9. An act of disclosing any information imprinted on the accessdevice, such as but not limited to, the account number or name or

address of the device holder, without the latters authority or

permission;

10. An act obtaining money or anything of value through the use of

an access device, with intent to defraud or with intent to gain and

fleeing thereafter;

11. An act of having in onespossession, without authority from the

owner or the access device, or any material, such as slips, carbon

paper, or any other medium, on which the access device is written,

printed, embossed, or otherwise indicated;

12. An act of writing or causing to be written on sales slips, approvalnumbers from the issuer of the access device of the fact of approval,

where in fact no such approval was given, or where, if given, what is

written is deliberately different from approval actually given;



41/52

13. An act of making any alteration, without the access deviceholdersauthority, of any amount or other information written on

the sales slip;

14. An act of effecting transaction, with one or more access devices

issued to another person or persons, to receive payment or any

other thing of value;

15. An act, without the authorization of the issuer of the access

device, soliciting a person for the purpose of;

a)Offering an access device; or

b) selling information regarding or an application to obtain an

access device; or

16. An act, without the authorization of credit card system memberor its agent, causing or arranging for another person to present

to the member of its agent, for payment, one or more evidence

or records of transactions made by credit card.



42/52

EVIDENCE NEEDED TO FILE A CASE OF ACCESS DEVICE FRAUD

1. Testimonial Evidence affidavit of complainants and witnesses

2. Documentary Evidence Certificate of Registration of the owner

of access devices, photographs of access devices fraudulently used,

certificate of obligation issued as a result of fraudulent transactions

or contact of sale and other pertinent documents obtained through

the use fraudulent access device, police records and other relevant

records.

3. Object Evidence subject access device, computers, and other

electronic equipments

4. Other relevant documents



43/52

Anti-Child Pornography Act of 2009 (RA 9775)

UNLAWFUL OR PROHIBITED ACTS:

(a) To hire, employ, use, persuade, induce or coerce a child to

perform in the creation or production of any form of child

pornography;

(b) To produce, direct, manufacture or create any form of childpornography;

(c) To publish offer, transmit, sell, distribute, broadcast, advertise,

promote, export or import any form of child pornography;

(d) To possess any form of child pornography with the intent to sell,

distribute, publish, or broadcast: Provided. That possession of three

(3) or more articles of child pornography of the same form shall be

prima facie evidence of the intent to sell, distribute, publish or

broadcast;


44/52



(e) To knowingly, willfully and intentionally provide a venue for the

commission of prohibited acts as, but not limited to, dens, private

rooms, cubicles, cinemas, houses or in establishments purporting to

be a legitimate business;

(f) For film distributors, theaters and telecommunication companies,

by themselves or in cooperation with other entities, to distribute any

form of child pornography;

(g) For a parent, legal guardian or person having custody or controlof a child to knowingly permit the child to engage, participate or

assist in any form of child pornography;


45/52



(h) To engage in the luring or grooming of a child;

(i) To engage in pandering of any form of child pornography;

(j) To willfully access any form of child pornography;

(k) To conspire to commit any of the prohibited acts stated in this

section. Conspiracy to commit any form of child pornography shall be

committed when two (2) or more persons come to an agreement

concerning the commission of any of the said prohibited acts and decideto commit it; and

(l) To possess any form of child pornography


46/52

Anti-Photo and Video Voyeurism Act (RA 9995)


a) To take photo or video coverage of a person or group of persons

performing sexual act or any similar activity or to capture an image of

the private area of a person/s such as the naked or undergarment clad

genitals, public area, buttocks or female breast without the consent of

the person/s involved and under circumstances in which the person/shas/have a reasonable expectation of privacy;

(b) To copy or reproduce, or to cause to be copied or reproduced, such

photo or video or recording of sexual act or any similar activity, with or

without consideration, notwithstanding that consent to record or takephoto or video coverage of the same was given by such person/s;
http://lexforiphilippines.com/2010/03/02/republic-act-no-9995-%e2%80%93-anti-photo-and-video-voyeurism-act/http://lexforiphilippines.com/2010/03/02/republic-act-no-9995-%e2%80%93-anti-photo-and-video-voyeurism-act/http://lexforiphilippines.com/2010/03/02/republic-act-no-9995-%e2%80%93-anti-photo-and-video-voyeurism-act/http://lexforiphilippines.com/2010/03/02/republic-act-no-9995-%e2%80%93-anti-photo-and-video-voyeurism-act/http://lexforiphilippines.com/2010/03/02/republic-act-no-9995-%e2%80%93-anti-photo-and-video-voyeurism-act/http://lexforiphilippines.com/2010/03/02/republic-act-no-9995-%e2%80%93-anti-photo-and-video-voyeurism-act/http://lexforiphilippines.com/2010/03/02/republic-act-no-9995-%e2%80%93-anti-photo-and-video-voyeurism-act/http://lexforiphilippines.com/2010/03/02/republic-act-no-9995-%e2%80%93-anti-photo-and-video-voyeurism-act/http://lexforiphilippines.com/2010/03/02/republic-act-no-9995-%e2%80%93-anti-photo-and-video-voyeurism-act/


47/52



c) To sell or distribute, or cause to be sold or distributed, such photo or

video or recording of sexual act, whether it be the original copy or

reproduction thereof, notwithstanding that consent to record or take

photo or video coverage of the same was given by such person/s; or

(d) To publish or broadcast, or cause to be published or broadcast,

whether in print or broadcast media, or show or exhibit the photo or

video coverage or recordings of such sexual act or any similar activity

through VCD/DVD, internet, cellular phones and other similar means or

device, notwithstanding that consent to record or take photo or videocoverage of the same was given by such person/s.
http://lexforiphilippines.com/2010/03/02/republic-act-no-9995-%e2%80%93-anti-photo-and-video-voyeurism-act/http://lexforiphilippines.com/2010/03/02/republic-act-no-9995-%e2%80%93-anti-photo-and-video-voyeurism-act/http://lexforiphilippines.com/2010/03/02/republic-act-no-9995-%e2%80%93-anti-photo-and-video-voyeurism-act/http://lexforiphilippines.com/2010/03/02/republic-act-no-9995-%e2%80%93-anti-photo-and-video-voyeurism-act/http://lexforiphilippines.com/2010/03/02/republic-act-no-9995-%e2%80%93-anti-photo-and-video-voyeurism-act/http://lexforiphilippines.com/2010/03/02/republic-act-no-9995-%e2%80%93-anti-photo-and-video-voyeurism-act/http://lexforiphilippines.com/2010/03/02/republic-act-no-9995-%e2%80%93-anti-photo-and-video-voyeurism-act/http://lexforiphilippines.com/2010/03/02/republic-act-no-9995-%e2%80%93-anti-photo-and-video-voyeurism-act/


48/52


PENALTY:

Imprisonment of not less than 3 years but not more than

seven 7 years and a fine of not less than P100,000.00 but

not more than P500,000.00, or both, at the courtsdiscretion.


49/52


If the violator is a juridical person, its license or franchise will be

automatically deemed revoked and the persons liable will be the

officers, including the editor and reporter in the case of print

media, and the station manager, editor and broadcaster in thecase of a broadcast media. If the offender is a public officer or

employee, or a professional, he/she will be administrativelyliable. If the offender is an alien, he/she will be subject to

deportation proceedings after serving his/her sentence and

payment of fines.

Any photo or video, or any copy of such photo or video, obtainedin violation of the law, will not be admissible in evidence in any

judicial, quasi-judicial, legislative or administrative hearing or

investigation.


50/52

Cases handled by CIDG

The CIDG said it received 25 complaints involving the use of

Facebook between January 1 and June 14 this year. Incomparison, the agency received 26 cases involving Facebook

for the entire year of 2010.

Of the cases involving Facebook this year, 6 were estafa; 6

were libel; 3 each for harassment and hacking; 5 cases ofidentity theft and fake accounts; and 2 cases of pornography.

Aside from the Facebook complaints, the CIDG also received 11

cases of threats made via cellphone calls and texts for the first

half of the year. The agency also received 5 complaintsinvolving email; 2 complaints of credit card fraud; and one

complaint eachinvolving Twitter (libel) and Multiply (estafa).

In addition, 5 complaints involving other websites were reported


51/52

Cases handled by CIDG

In all, the CIDG received 56 computer related crimes and

complaints from January to June.

Last year, the CIDG recorded 72 computer related walk-in

complaints for the entire year. Aside from the Facebook-linkedcrimes, the agency also received 14 complaints of crimes involving

e-mail and 9 cases involving the website eBay, all dealing with

estafa. In addition, 12 cases involving other websites, in cases

ranging from identity theft to estafa, were recorded in 2010.The

CIDG also received 6 cases of credit card fraud; and 5 cases of

cellphone threats and harassment. There were no reported cases

involving Twitter and Multiply.

The CIDG's Cyber Crime Unit handles the said cases. The

cases are handled based on Section 33 of Republic Act 8792, or

the E-Commerce Act.


52/52

CRIMINAL INVESTIGATION