
Cybercrime Midterm Coverage 2

Cybercrime midterm coverage

Uploaded by

Erin Bartolome

UNIVERSITY OF CAGAYAN VALLEY

(Formerly Cagayan Colleges Tuguegarao)


VICTOR VENTURA PEREZ (VVP) CAMPUS
COLLEGE OF CRIMINAL JUSTICE EDUCATION

INTRODUCTION TO CYBERCRIME AND ENVIRONMENTAL LAWS AND PROTECTION

Name of student: ______________________________ Year/Block:___________


Subject: CDI 109- Introduction to Cybercrime and Environmental Laws and Protection
Instructor: ___________________________________

CHAPTER II. MIDTERM

LESSON 1. RULES ON CYBERCRIME WARRANTS

Introduction

The digital age has revolutionized our lives, but it's also opened up a new frontier for criminal
activity. Cybercrime, ranging from identity theft to large-scale data breaches, poses a significant
threat to individuals, businesses, and even national security. To combat these crimes, law
enforcement must be equipped with the legal tools necessary to investigate and prosecute
offenders effectively.

In this lesson, we will focus on a critical tool in the fight against cybercrime: the cybercrime
warrant. We will explore the legal requirements for obtaining such a warrant, as well as the
specific situations where it becomes necessary.

By the end of this lesson, you will be able to:

• Apply the legal requirements for obtaining a cybercrime warrant.

• Identify specific situations where a cybercrime warrant is necessary.

As technology evolves, so too do the methods employed by cybercriminals. Understanding the
legal framework surrounding cybercrime warrants is essential for anyone involved in law
enforcement or the legal profession. Let's dive in and explore this crucial aspect of digital
justice.

---------------------------------------------------------------------------------------------------------------------
CYBERCRIME WARRANTS

1. Warrant to Disclose Computer Data – A WDCD requires any person or service provider to
disclose subscriber's information, traffic data, or relevant data in his/her or its possession or
control within 72 hours from receipt of the order.
2. Warrant to Intercept Computer Data – It authorizes law enforcement officers to carry out
any or all of the following activities: listening to, recording, monitoring, or surveillance of the
content of communications.
3. Warrant to Search, Seize, and Examine Computer Data – A WSSECD is like a
search warrant, except the subject matter of a WSSECD is computer data.
4. Warrant to Examine Computer Data – A WECD is a warrant issued when a computer
device or system has previously been seized by another lawful method, such as a warrantless arrest.

LESSON 2. BASIC INCIDENT RESPONSE

Introduction

In the aftermath of a cyberattack or security incident, the digital landscape is often strewn with
clues. Logs and data, generated by systems and applications, hold the key to understanding the
scope, impact, and origin of the incident. However, these digital breadcrumbs can be
overwhelming and complex, requiring skilled analysis to extract meaningful insights.

In this lesson, we'll dive into the world of incident response and learn how to navigate the maze
of logs and data. We'll explore techniques for analyzing and interpreting this information,
enabling you to piece together the puzzle of an incident and determine its full extent.

By the end of this lesson, you will be able to:

• Analyze logs and data from various sources to identify indicators of compromise.

• Interpret the information gleaned from logs to determine the timeline and actions taken
during an incident.

• Determine the scope of an incident, including the systems affected and the potential
impact.

Mastering the art of log analysis is crucial for effective incident response. It empowers you to
respond swiftly and decisively, mitigating damage and preventing future attacks. Let's embark on
this journey to become proficient digital detectives, capable of unraveling the mysteries hidden
within logs and data.

---------------------------------------------------------------------------------------------------------------------

1) All violations under Sections 4 and 5 of RA No. 10175 classified as cybercrimes, except Child
Pornography and Libel, shall be primarily investigated by the ACG; and

2) For Child Pornography, Libel and cyber-related offenses under Section 6 of RA No. 10175,
the ACG and other police units have jurisdiction to conduct an investigation. However, police
units that do not have trained personnel in cybercrime investigation may request technical
assistance from the ACG.

REPORTING and RECORDING

a) All reported cybercrime incidents shall be attended to by the desk officer/duty personnel and
referred to the duty investigator;

b) Cases received through e-Complaint shall be forwarded to the nearest ACG office, and the
Investigator-on-Case (IOC) will directly contact the complainant in order to give guidance as to
what pieces of evidence should be presented for the conduct of investigation and filing of
appropriate charges;

c) Reporters of cybercrime incidents through SMS shall be advised to proceed to the nearest
ACG or police unit concerned for proper recording and validation. They shall also be advised to
bring additional pieces of evidence, if necessary;

d) All cybercrime incidents investigated by the IOC shall be recorded and classified as either
cybercrime or cyber-related offense, as the case may be;

e) All complaints shall be recorded in the police blotter, encoded in CIRAS and other NGIS, and
must satisfy the essential elements of investigation, which shall answer the five (5) W's (What,
Who, When, Where, and Why) and one H (How).

DISPOSITION

For purposes of reporting cybercrimes and cyber-related crimes, a case shall be considered
solved under the criteria of “beyond police control” when any of the following circumstances is
present:

(1) Failure of the complainant to submit evidentiary requirements;

(2) Complainant declines to prosecute the case;


(3) Complainant merely requests to record the incident;

(4) Complainant only requests to deactivate a fake/dummy account or delete pornographic
video/picture and/or videos in websites; and

(a.3) If a complainant requests to record an incident for future reference but refuses to follow
through, for whatever reason, to have the case investigated.

(a.4) If the complainant only wants to deactivate a fake/dummy or similar social media account
or delete pornographic picture/s and/or videos in websites on a valid and verified complaint, but
will not pursue any case.

(a.5) Provided, however, that despite the aforementioned circumstances, if the complainant later
submits the evidentiary requirements needed and decides to file the case, the IOC shall take
appropriate action, unless barred by existing laws, rules and regulations.

(b) Public cybercrime incidents

(b.1) In cases of public cybercrime incidents involving the abuse and exploitation of women,
children, and other forms of gender-based violence, such as child pornography, child abuse,
violence against women and children, and trafficking in persons, the cases shall be investigated
by trained women and children investigators or, in the absence of such an investigator, the case
shall be endorsed to the WCPC, CIDG or ACG, despite the refusal of the victim to pursue a case.

LESSON 3. PROCEDURE ON SEIZING AND COLLECTING DIGITAL EVIDENCE

Introduction

In the realm of criminal investigations, digital evidence plays an increasingly pivotal role. From
computers and smartphones to cloud storage and IoT devices, the traces left behind in the digital
world can make or break a case. However, the volatile nature of digital evidence demands
meticulous handling to ensure its integrity and admissibility in court.

In this lesson, we will explore the critical procedures involved in seizing and preserving digital
evidence. We will delve into the best practices for collecting, documenting, and storing digital
evidence, maintaining the chain of custody throughout the process.

By the end of this lesson, you will be able to:

• Apply proper techniques for seizing digital evidence from various devices and storage
media.

• Preserve the integrity of digital evidence through appropriate handling and
documentation.

• Maintain the chain of custody to ensure the admissibility of evidence in legal
proceedings.

The proper handling of digital evidence is paramount in upholding justice in the digital age. Let's
embark on this journey to become adept digital forensic investigators, capable of safeguarding
the truth hidden within the bits and bytes.

---------------------------------------------------------------------------------------------------------------------

The following standard operating procedures are culled from the guidelines issued by the
Department of Justice, Office of Cybercrime and the Philippine National Police for identifying,
seizing, and handling electronic evidence found at the scene of the crime or incident:

1. Immediate Actions at the Incident/Crime Scene

• Secure the scene
• Allow printers to finish printing
• Immediately restrict any access to any computer or power supply
• Do not take any device from the user or owner of the computer
• If the power is OFF, DO NOT TURN ON
Note: If you can get professional forensic help, even by telephone, do it, unless you are a qualified
forensic professional.

2. If Computer is SWITCHED OFF

• Make sure the computer is powered off; otherwise, treat it as one that is switched ON
• Photograph everything, including system makeup and what connects with what
• Photograph the screen
• In the case of a laptop, remove the battery
• Unplug power from all devices and remove the power lead from the computer end, not the
wall socket end
• Label all connectors on the end of the cable and the socket to which they connect so the
system can be later reconstructed.

3. If computer is SWITCHED ON

• Photograph the screen and/or record all the programs running
• Collect volatile data
• Unplug power from all devices and remove the power lead from the computer end, not the
wall socket end
• Label all connectors on the end of the cable and the socket to which they connect so the
system can be later reconstructed
• Isolate computers from Digital Movie Cameras
• If the computer is networked, obtain professional forensic advice before doing anything
• If a destructive program is running that could cause loss of evidence (e.g. format, wipe,
evidence eliminator type programs), pull the power from the back of the device
• If the screen shows a screensaver or is blank, move the mouse or press the up or
down arrow key to restore the screen
• Record all actions performed using working notes
Note: For NETWORKED computers (two or more computers connected together), secure
the scene until a qualified forensic professional arrives at the scene.

4. Once the system is shut down, then it must be documented (photograph, video, sketch or
a combination of all three)

5. Carefully take equipment apart and label each component part of the exhibit uniquely
(e.g. a computer will have an exhibit number, but the keyboard, monitor, and mouse will
have the same exhibit number with a different part number).

6. Ensure that all equipment being seized has completed exhibit labels attached so that it can
be easily reassembled if needed.

Important Notes:

• Search the area for paperwork, diaries, documents, etc. with passwords or other items of
interest.
• Consider asking the user for any user IDs and passwords; if given, record them.
• Make detailed notes of all actions taken.
• Ensure that all parts of the computer are located, especially power supplies for laptops.
• Identify on the sketch all computers or equipment seized.
• Photograph the scene and any relevant screens if possible.
• Record the time and date of any machine closedown.
• Seal power inputs with evidence tape.
• Seal in evidence bags and pack for transportation, as the contents are fragile.

7. Smart Phones and Similar Devices

If the power is OFF:

a. Do not turn on.
b. Place the smart phone in a sealed envelope before placing it in an evidence bag to prevent it
being turned on.

If the power is ON:

a. Consideration should be given before turning off the device, as there might be a
password/passkey.
b. Immediately switch to flight mode or place in a Faraday bag.

8. DVR and Similar Devices

The following actions are essential when retrieving video data for future viewing and for
maintaining evidential integrity, while minimizing any potential disruption to the premises where
the CCTV system is installed.

a. Before extracting video data, make sure you bring along clean storage media with large
capacity (USB stick, CD or DVD).

b. Notes should be kept detailing the method used and steps taken.

c. Determine if a manual is available to assist with system information.

d. Acquire and document the following:

• Digital Video Recorder make, model, and serial number.
• Determine if the CCTV system is PC-based or stand-alone.
• Make, model, and number of cameras installed. Determine also the number of active
cameras versus those inactive.
• System date and time of DVR versus actual time.
• System username and password.

e. Confirm success of retrieval.

f. Properly label your storage media where you copied the video data.

g. Place the storage media where the video data is saved in a safe package to minimize the
likelihood of damage in transit.

The following, among many other electronic devices, may be seized during anti-cybercrime
operations:

1. Computer (Server, tower, etc.)
2. iPad and tablets
3. Hard disks
4. Diskettes
5. CD/DVD/VCD
6. Zip disk
7. Tape Back-ups (DLT, TRAVAN, AIT, DDS)
8. USB Memory Drives
9. Pen Camera, USB Watch, DVR and Camera
10. Mobile Phones
11. Any externally connected devices (hard disks)
12. Computer keys

Note: Consideration should be given when seizing the following; also check for the presence of
documents and other devices nearby:

1. Answering machines
2. Desktop phones
3. Dictating machines
4. Email systems directly connected to telephones
5. Fax machines
6. Any other equipment that could store data electronically

Golden Rules in Digital Forensics:

When responding to a cybercrime scene:

1. Officer safety first: secure the scene and make it safe.
2. Document everything (working notes, pictures, sketch, etc.) and use latex gloves when
performing the bag-and-tag procedure for proper seizure and evidence handling.

LESSON 4. ADMISSIBILITY OF DIGITAL EVIDENCE

Introduction

The digital revolution has transformed the legal landscape, with digital evidence becoming
increasingly prevalent in courtrooms. However, the admissibility of such evidence is often
fiercely contested. Ensuring that digital evidence meets the stringent legal standards for
admissibility is crucial for its successful use in prosecutions and legal proceedings.

In this lesson, we will delve into the complex world of digital evidence admissibility. We will
examine the legal criteria that determine whether digital evidence can be presented in court, and
explore the challenges and strategies involved in ensuring its admissibility.

By the end of this lesson, you will be able to:

• Analyze digital evidence to assess its relevance, authenticity, and reliability.

• Understand the legal requirements for admissibility, including the rules governing
hearsay, authentication, and the best evidence rule.

• Develop strategies for overcoming challenges to the admissibility of digital evidence.

The ability to navigate the legal intricacies surrounding digital evidence is essential for anyone
involved in the legal profession or law enforcement. Let's embark on this journey to become
proficient in assessing the admissibility of digital evidence and ensuring that justice prevails in
the digital age.

---------------------------------------------------------------------------------------------------------------------

1. What is Digital Evidence?

Digital evidence is any information stored or transmitted in digital form that can be used to prove
or disprove a fact in court. This includes:

• Emails: messages, attachments
• Social media posts: text, images, videos
• Chat logs: from messaging apps
• Website content: text, images
• Digital photos and videos
• Audio recordings
• GPS data
• Computer files
• Database records

2. Digital evidence is generally admissible in court, just like traditional paper-based
evidence.

3. The Two Big Hurdles

To get digital evidence admitted, you need to clear these two hurdles:

Relevance: The evidence must be relevant to the case. It needs to prove or disprove something
important.

Authentication: You need to prove the evidence is what you claim it to be. This means showing
it hasn't been altered or tampered with.

4. How to Authenticate?

There are a few ways to authenticate digital evidence:

Testimony: Someone with personal knowledge can testify about how the evidence was created,
stored, or obtained.

Technical Evidence: Experts can explain the technical details of how the evidence was created
and stored, showing it's reliable.

Digital Signatures: If the evidence has a valid digital signature, it can help prove its
authenticity.

Hash Values: A unique code (hash value) can be generated for the evidence. If it matches later,
it shows the evidence hasn't changed.
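
The hash-value check described above, as an added example (not part of the original handout): a
SHA-256 value is recorded when the evidence file is acquired and recomputed at each later
hand-over, so any alteration shows up as a mismatch in the custody log. The file name, exhibit
number, and handler labels are constructed placeholders, and SHA-256 is an assumed choice of
algorithm.

```python
import hashlib
import hmac
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # read 1 MiB at a time so large disk images do not fill memory


def sha256_file(path):
    """Return the SHA-256 hex digest of a file, read in chunks."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            digest.update(block)
    return digest.hexdigest()


def _now():
    return datetime.now(timezone.utc).isoformat(timespec="seconds")


def acquire(path, exhibit, officer):
    """Build the record written when the evidence is first collected."""
    return {
        "exhibit": exhibit,
        "file": os.path.basename(path),
        "size_bytes": os.path.getsize(path),
        "sha256": sha256_file(path),
        "acquired_utc": _now(),
        "acquired_by": officer,
        "custody": [],
    }


def verify(path, record, handler, purpose):
    """Re-hash the file, log the hand-over, and report whether it is unchanged."""
    current = sha256_file(path)
    match = hmac.compare_digest(current, record["sha256"])
    record["custody"].append(
        {"utc": _now(), "handler": handler, "purpose": purpose,
         "sha256": current, "match": match}
    )
    return match


def demo():
    """Acquire a constructed file, verify it, alter one byte, verify again."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "chat_export.txt")  # constructed sample evidence
        with open(path, "wb") as fh:
            fh.write(b"2024-01-01 10:00 sender: constructed sample message\n")
        record = acquire(path, "EXHIBIT-1/PART-1", "seizing officer (placeholder)")
        intact = verify(path, record, "forensic examiner (placeholder)", "examination")
        with open(path, "r+b") as fh:  # simulate an alteration of a single byte
            fh.write(b"3")
        altered = verify(path, record, "evidence custodian (placeholder)", "court")
        return intact, altered, record


if __name__ == "__main__":
    intact, altered, record = demo()
    print(json.dumps(record, indent=2))
    print("first check unchanged:", intact, "| after alteration unchanged:", altered)
```

The acquisition record and its custody entries are what an examiner would attach to the exhibit; the working copy is always the file that gets re-hashed, never the original media.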

PIECES OF EVIDENCE
a. Incident Record Form;

b. Affidavit of Complainant (alleging that the suspect committed the act without right or in
excess of authority, or not covered by established legal defenses, excuses, court orders,
justifications, or relevant principles under the law);

c. Affidavit of Witness;

d. Print Screen and/or Screen Shots of call logs, computer logs, network logs, and system logs;

e. Print Screen and/or Screen shots of text messages from the alleged fraudster/ scammer, email/s
and phishing link/s in PDF form (if applicable);

f. For video recordings, store in optical disk or flash drives and follow proper chain of custody;

g. Affidavit of Authentication of Electronic Evidence must be executed by either the party to the
communication or person who had the direct knowledge about the online communication in
compliance with A.M. No. 01-07-01-SC;

h. Details of any method of payment (if applicable);

i. Consent of victim to examine computer or digital devices;

j. Duly approved request for Digital Forensic Examination;

k. Preservation, application for cybercrime warrant, court warrant and compliance (if applicable);

l. Affidavit/Certificate of preservation of evidence (manner of preservation);

m. Case Referral (inquest) or Case Investigation Report (regular filing);

n. NPS Investigation Data Form;

Additional requirements if the offended party is a juridical person:

o. Board resolution for the company representative; and

p. IT Report (fraud report)/affidavit. management

Notes:

a. Use of timestamp in preserving the online post. When using software tools that are freely
available, use two applications for validation;
b. Attribute the device with the suspect (description of the device, physical location, IP
addresses, domain names, other potential identifiers of digital devices, exact time);

c. Submission of digital forensic examination result and affidavit of digital forensic examiner;

d. In the Affidavit of the Complainant and Witness, indicate the place of the commission of the
offense to ensure that the elements of the offense are within the territorial jurisdiction of the
Prosecutor;

e. Proper collection, inventory, marking, and preservation of recovered/seized evidence;

f. The use of the term "hacking" in cases involving Illegal Access is discouraged;

g. Use of Body-worn camera or Alternative Recording Device in implementing warrant of arrest,
conduct of entrapment operation and implementation of WSSECD. Ensure submission of
Affidavit of Recording Officer and Affidavit of Data Custodian; and

h. Evaluate for possible Money Laundering investigation (conduct asset tracking and recommend
for freeze order, civil and criminal forfeiture).

“THE BEAUTIFUL THING ABOUT LEARNING IS THAT NOBODY CAN TAKE IT AWAY FROM YOU.”

- B.B. King
