PSUPT EDUARDO F KEMPIS

Asst Regional Chief, 5RCDU, CIDG

Introduction to Cyber Crimes

Legal Basis

RA 8792 Electronic Commerce Act of 2000 RA 8484 Access Device Act RA 9775 Anti-Child Pornography Act of 2009

Introduction to Cyber Crimes

Scope of Application

Computer or network can be a tool of crime (use to commit the crime) Computer or network can be a target of the crime (the victim) Computer or network can be used for incidental purposes related to the crime

Introduction to Cyber Crimes

Definition of Terms

Computer Server is a computer or device on a network that manages network resources. Eg. A file server is a computer and storage device dedicated to storing files. Any user in the network can store files on the server. A print server is a computer that manages one or more printer, and a network server is a computer that manages network traffic. A database server is a computer system that processes database queries.

Introduction to Cyber Crimes

Computer Network is a collection of computers and devices connected to each other. The networks allows computers to communicate with each other and share resources and information. Cyber Crime any illegal behavior committed by means of, or in relation to, a computer system or network, including such crimes as illegal possession, offering or distributing information my means of a computer system or network. (UN Definition)

Introduction to Cyber Crimes

Computer Crime any illegal behavior directed by means of electronic operations that targets the security of computer systems and the data processed by them. (UN Definition)

Domain Name is an identification label to define realms of administrative autonomy, authority, or control in the internet, based on the Domain Name System.

Introduction to Cyber Crimes

Electronic Mail often abbreviated as email, is a method of exchanging digital messages, designed primarily for human use. A message at least consists of its contents, an author, address, and one or more recipient addresses. Internet Protocol (IP) Address a numerical identification and logical address that is assigned to devices participating in a computer network utilizing the Internet Protocol for communication. Electronic Evidence is any probative information stored or transmitted in digital form that a party to a court case may use at trial.

Introduction to Cyber Crimes

Electronic Crime Scene A crime scene where there are electronic evidence found. Web Hosting Service is an individual or organizations providing website or internet hosting service that allows individuals or organizations to provide their own website accessible via World Wide Web. Web site (Group of Web pages) is a collection of related web pages, images, videos or other digital assets that are addressed with a common domain name or IP address in an Internet Protocol-based network. A web site is hosted on at least one web serer, accessible via the Internet or a private local area network.

Introduction to Cyber Crimes

Social Network Website - a web site that focuses on building online communities of people who share interests and/or activities, or who are interested in exploring the interests and activities of others. Hacking or Cracking (Lifted from R.A. 8792 Sec 33 para A) refers to unauthorized access into or interference in an computer system/server or information and communication system; or any access in order to corrupt, alter, steal, or destroy using a computer or other similar information and communication devices, without the knowledge and consent of the owner of the computer or information

Introduction to Cyber Crimes

and communications system, including the introduction of computer viruses and the like, resulting in the corruption, destruction, alteration, theft, or loss of electronic data messages or electronic documents shall be punished by a minimum fine of One Hundred Thousand pesos (100,000.00) and a maximum commensurate to the damage incurred and a mandatory imprisonment of six (6) months to three (3) years;

Introduction to Cyber Crimes

Cyber stalking can be defined as the repeated acts of harassment or threatening behavior of the cyber criminal towards the victim by using internet services. Virus Dissemination malicious software that attaches itself into other software (virus, worms, Trojan, horse, time bomb, logic bomb, etc.). Software Piracy theft of software through the illegal copying of genuine programs or counterfeiting and distribution of products intended to pass for the original. Net Extortion copying the companys confidential data to extort said company of huge amount.

Introduction to Cyber Crimes

COMMON INTERNET SCAMS/CYBER CRIMES
On line Child Pornography Violation of Intellectual Property Rights Internet Auction Fraud Non-Delivery of Merchandise Fraud Credit Card Fraud Investment Fraud Business Fraud Nigerian Letter Scam Cellphone Text Scam

Introduction to Cyber Crimes

PROCEDURES a. Walk-in Complainant NOTE: Complaints can be handled by RCIDU or coordinated with ATCD.

1. Complaint(s) will be guided to fill up a complaint sheet and affix his/her signature. 2. Sworn statements and other necessary documents will be prepared.

Introduction to Cyber Crimes

3. Nature of complaint is pertaining to Computer/Cyber Crime cases such as but not limited to: a) Hacking/Cracking b) Email Cases (Hacking/Threat/Extortion) c) Identity theft or in relation to Social Networking cases. NOTE: The investigator shall determine the Internet Protocol (IP) address or Domain Name Service (DNS) Address in question/involved in the investigation.

Introduction to Cyber Crimes

4. The investigator shall then conduct online WHOIS tracing on the identified IP address or Domain name (website) to determine its Internet Service Provider (ISP) and Web Hosting Company. 5. If the result of the WHOIS traces to the local IP address and Local Domain Name Hosting, the investigator shall coordinate with the ISP and Web Hosting Company through letters rogatory to preserve the log files and further identify the owner of the IP address and the registrant of Domain Name (website).

Introduction to Cyber Crimes

6. Else, if the WHOIS traces foreign IP address and Foreign Domain Name Hosting, the investigator shall coordinate with the foreign counter-part Law Enforcement Agency through Mutual Legal Assistance Treaty (MLAT) procedures to get the information on the owner of the IP address and the registrant of Domain Name (website). Coordination should be made with Legal Division, CIDG. 7. After the completion of the investigative requirements, the case will be filed in court for possible arrest and conviction of the suspect. If not, pursued he solution of the case.

Introduction to Cyber Crimes

NOTE: All seized devices should be sent to Computer Forensic Sec, ATCD, CIDG for Computer/Cellphone Forensic examination. (Requirements stated in Part VI para 3) 8. If the nature of the complaint is pertaining to cellphone-related cases such as but not limited to: a. Text Scam b. Cellphone Threat c. Cellphone Extortion, and etc.. NOTE: The investigator shall identify the Subscriber Identity Module (SIM) Card number and its corresponding Telecommunication Company (TELCO) carrier. (Smart/Globe/Sun/PLDT, etc..)

Introduction to Cyber Crimes

If the SIM card number belongs to a local TELCO, then the investigator shall coordinate through letter derogatory to determine the owner of the SIM card number and any logs/records pertaining to the said SIM. 9. If the SIM card number belongs to a foreign TELCO, then the investigator shall coordinate through letter rogatory with the foreign counter-part Law Enforcement Agency through Mutual Legal Assistance Treaty (MLAT) procedures to get the information on the owner of the SIM card number and other log/records pertaining to the said SIM.

Introduction to Cyber Crimes

10. After completion of the investigative requirements, the case will be filed in court for possible arrest and conviction of the suspect. If not, pursue the solution of the case.

NOTE: All seized devices should be sent to Computer Forensic Sec, ATCD, CIDG for Computer/Cellphone Forensic examination. (Requirements stated in Part VI para 3).

Introduction to Cyber Crimes

b. Application of Search Warrant NOTE: Preferably conducted by Trained Personnel not necessarily coming from Computer Forensic Sec, ATCD, CIDG.

Introduction to Cyber Crimes

ELECTRONIC CRIME SCENE PROCEDURES 1. Secure and take control of the area containing the suspected electronic media. Always be aware of officers safety and securely take control of the scene. 2. The investigator should move individuals at the scene away from all computer equipment to ensure no last-minute changes or corruption to the data occur. (if suspect is allowed to access computer equipment, he or she may be able to destroy or alter the evidence making it much more difficult to conduct the forensic analysis at a later time.)

Introduction to Cyber Crimes

3. Once all individuals have been removed from areas containing the electronic evidence, investigators can start conducting interviews of either the suspects on the scene or potential witnesses. Interviewing the individuals on the scene may provide a substantial amount of information pertaining to the case and may hep lead the investigators in the right direction. The interviews should take place in an area where the interviews will not be interrupted and allow for the individual to talk freely to the investigator. At this time conduct your interviews with individual found on the scene or the crime or the reporting person who provided the information.

Introduction to Cyber Crimes

4.a The investigator should avoid switching the computer system on, if it is turn-off upon your arrival. Make sure there is no active screen saver by pressing one of the arrow keys located on the key board connected to the computer system. The arrow keys will not alter any documents if the system is active. (Photograph the monitor to show the status of the system upon your arrival on the scene.)

Introduction to Cyber Crimes

4.b If the screen is blank and the system is turned on, again, press the arrow keys to ensure a screen saver is not active. If the monitor power is off, turn the monitor power on. Once the monitor comes on, photograph the monitor to show what was on the screen at the time of your arrival.

Introduction to Cyber Crimes

5. Check to see the system is not connected to the internet or has network capabilities. Some system may not have a CAT5 of type or network cable attached; the system could be utilizing a wireless connection. If the system is networked, the investigator will want to capture the volatile data contained in the systems memory. If the system power is disconnected before volatile data has been collected, the data will be lost and the investigator will not be able to retrieve that data at a later time.

Introduction to Cyber Crimes

6. Once the investigator has collected the volatile data, he will want to disconnect the power from the machine in order to shut it down. The forensic practice is to disconnect the power source from the rear of the machine and NOT from the wall outlet. This will make sure the investigator is removing the correct power supply and not another systems power. Shutting down (using the Operating System) will alter the registry and it will be considered as tampering of evidence.

Introduction to Cyber Crimes

7. The investigator will then document the crime scene by taking photographs. This photographs will help the investigator remember where everything was located on the crime scene and how the crime scene looked when he or she arrived. The investigator should take pictures of the entrance to the crime scene, and then take photographs from each corner of the crime scene. Additionally as evidence is located and recovered, the investigator should photograph the evidence before it is moved to document the location it was found in the scene.

Introduction to Cyber Crimes

8. The next step is to document the crime scene even further by drawing a sketch of the entire crime scene. The sketch will show the measurements of the crime scene and where the evidence is located on the crime scene by their exact distance from other objects on the crime scene. The investigator can find two unmovable points on the crime scene and conduct all measurements from that location.

Introduction to Cyber Crimes

9. After taking all the necessary photographs, the investigator must to label and tag all the evidence located in the crime scene. When labeling the computer system, the investigator should label each connector and port attached to the system. This will help ensure the investigator will be able to reconstruct the system in a court of law. The investigator can place a tag on the video cable labeled A. Then label the video port on the back of the system also with the letter A. This way the investigator will know that cable A connects to port A. This method, also known as bagging and tagging should be done for each cable connected to the system.

Introduction to Cyber Crimes

10. Once the system has been labeled correctly, the investigator can place evidence tape over the 3 inch drive and the drive case. This will held the investigator know if anyone tampers with the computer system in transit back to the forensic lab. If there is any media located in the drives, the media should be photographed and then removed to protect the evidence from being destroyed or altered. CD-ROMS may be scratched in transit and therefore may become unreadable. At this time, remove any media in the drive bays and place evidence tape over the drives.

Introduction to Cyber Crimes

11. Now it is time to package all the equipment for transportation. All electronic evidence should be packaged in anti-static bags to help ensure the integrity of the data is maintained. As each piece of evidence is packaged, an evidence label should be attached. (This evidence label will help identify the evidence, the date and time it was found on the scene, the location it was recovered from, and the investigator who found the evidence. Additional information can be added to include the Case Number and the primary investigating officer.) At this time, please ensure all evidence has been packaged and labeled from the crime scene.

Introduction to Cyber Crimes

12. Before each item is removed from the crime scene, a chain of custody must be filled out to ensure the evidence is properly tracked from investigator to investigator. A chain of custody may contain the name of the recovering officer and the date and time he transferred the evidence to the primary investigating officer. Additionally, the chain of custody may contain the item number or evidence number along with the case number of the crime.

Introduction to Cyber Crimes

13.

Search through all documentation to find passwords or other physical evidence that may pertain to crime. Password or hidden notes may be located on the scene inside documentation manuals or books.

ELECTRONIC COMERCE ACT (RA 8792)

ACTS IN VIOLATIONS OF ELECTRONIC COMMERCE ACT

1. Any acts of hacking or cracking or unauthorized access into or interference in a computer system/server or information and communication system; or any access in order to corrupt, alter, steal, or destroy using a computer or other similar information and communication devices including the introduction of computer viruses and the like, resulting in the corruption, destruction, alteration, theft or loss of electronic data messages or electronic documents.

ELECTRONIC COMERCE ACT (RA 8792)

2. Any act of Piracy or the unauthorized copying, reproduction, dissemination, or distribution, importation, use, removal, alteration, substitution, modification, storage, uploading, downloading, communication, making available to the public or broadcasting of protected materials, electronic signature or copyrighted works including legally protected sound recording or phonograms or information material on protected works, through the use of telecommunication networks, such as, but not limited to, the internet, in a manner that infringes intellectual property rights.

ELECTRONIC COMERCE ACT (RA 8792)

3. The access is without the knowledge and consent of the owner of the computer or information and communications system. 4. Other analogous acts.

ELECTRONIC COMERCE ACT (RA 8792)

EVIDENCE NEEDED TO FILE FOR VIOLATION OF RA 8792 1. Testimonial Evidence Affidavit of Complainants and Witnesses. 2. Documentary Evidence Cyber or Computer forensic Results, Police Records, transaction records and other documents. 3. Object of Evidence Computer and any devise used to hack or crack or pirate the computer information. Original documents copied or pirated Documents. 4. Other relevant evidence.

ACCESS DEVICES REGULATION ACT (RA 8484)

ACTS THAT CONSTITUTE ACCESS DEVICE FRAUDS

1. An act of producing, using, trafficking in one of more counterfeit access devices; 2. An act trafficking in one or more unauthorized access devices or access devices fraudulently applied for; 3. An act of using, with intent to defraud, an unauthorized access device; 4. An act of using an access device fraudulently applied for; 5. An act of possessing one or more counterfeit access devices or access devices fraudulently applied for; 6. An act of producing, trafficking-in, having control or custody or possessing device-making or altering equipment without being in the business or employment, which lawfully deals with the manufacture, issuance, or distribution of such equipment;

ACCESS DEVICES REGULATION ACT (RA 8484)

7. An act of inducing, enticing, permitting or in any manner allowing another, for consideration or otherwise to produce, use, traffic in counterfeit access devices fraudulently applied for; 8. An act of multiple imprinting on more than one transaction record, sales slip or similar document, thereby making it appear that the device holder has entered into a transaction other than those which said device holder has lawfully contracted for, or submitting, without being an affiliated merchant, an order to collect the issuer of the access device, such extra sales slip through an affiliated merchant who connives therewith, or, under false pretences of being an affiliated merchant, present for collection such sales slips, and similar documents;

ACCESS DEVICES REGULATION ACT (RA 8484)

9. An act of disclosing any information imprinted on the access device, such as but not limited to, the account number or name or address of the device holder, without the latters authority or permission; 10. An act obtaining money or anything of value through the use of an access device, with intent to defraud or with intent to gain and fleeing thereafter; 11. An act of having in ones possession, without authority from the owner or the access device, or any material, such as slips, carbon paper, or any other medium, on which the access device is written, printed, embossed, or otherwise indicated; 12. An act of writing or causing to be written on sales slips, approval numbers from the issuer of the access device of the fact of approval, where in fact no such approval was given, or where, if given, what is written is deliberately different from approval actually given;

ACCESS DEVICES REGULATION ACT (RA 8484)

13. An act of making any alteration, without the access device holders authority, of any amount or other information written on the sales slip; 14. An act of effecting transaction, with one or more access devices issued to another person or persons, to receive payment or any other thing of value; 15. An act, without the authorization of the issuer of the access device, soliciting a person for the purpose of; a)Offering an access device; or b) selling information regarding or an application to obtain an access device; or 16. An act, without the authorization of credit card system member or its agent, causing or arranging for another person to present to the member of its agent, for payment, one or more evidence or records of transactions made by credit card.

ACCESS DEVICES REGULATION ACT (RA 8484)

EVIDENCE NEEDED TO FILE A CASE OF ACCESS DEVICE FRAUD 1. Testimonial Evidence affidavit of complainants and witnesses 2. Documentary Evidence Certificate of Registration of the owner of access devices, photographs of access devices fraudulently used, certificate of obligation issued as a result of fraudulent transactions or contact of sale and other pertinent documents obtained through the use fraudulent access device, police records and other relevant records. 3. Object Evidence subject access device, computers, and other electronic equipments 4. Other relevant documents

Anti-Child Pornography Act of 2009 (RA 9775)

UNLAWFUL OR PROHIBITED ACTS: (a) To hire, employ, use, persuade, induce or coerce a child to perform in the creation or production of any form of child pornography; (b) To produce, direct, manufacture or create any form of child pornography; (c) To publish offer, transmit, sell, distribute, broadcast, advertise, promote, export or import any form of child pornography;

(d) To possess any form of child pornography with the intent to sell, distribute, publish, or broadcast: Provided. That possession of three (3) or more articles of child pornography of the same form shall be prima facie evidence of the intent to sell, distribute, publish or broadcast;

Anti-Child Pornography Act of 2009 (RA 9775)

UNLAWFUL OR PROHIBITED ACTS: (e) To knowingly, willfully and intentionally provide a venue for the commission of prohibited acts as, but not limited to, dens, private rooms, cubicles, cinemas, houses or in establishments purporting to be a legitimate business;

(f) For film distributors, theaters and telecommunication companies, by themselves or in cooperation with other entities, to distribute any form of child pornography;
(g) For a parent, legal guardian or person having custody or control of a child to knowingly permit the child to engage, participate or assist in any form of child pornography;

Anti-Child Pornography Act of 2009 (RA 9775)

UNLAWFUL OR PROHIBITED ACTS: (h) To engage in the luring or grooming of a child; (i) To engage in pandering of any form of child pornography;

(j) To willfully access any form of child pornography; (k) To conspire to commit any of the prohibited acts stated in this section. Conspiracy to commit any form of child pornography shall be committed when two (2) or more persons come to an agreement concerning the commission of any of the said prohibited acts and decide to commit it; and (l) To possess any form of child pornography

Anti-Photo and Video Voyeurism Act (RA 9995)

UNLAWFUL OR PROHIBITED ACTS: a) To take photo or video coverage of a person or group of persons performing sexual act or any similar activity or to capture an image of the private area of a person/s such as the naked or undergarment clad genitals, public area, buttocks or female breast without the consent of the person/s involved and under circumstances in which the person/s has/have a reasonable expectation of privacy; (b) To copy or reproduce, or to cause to be copied or reproduced, such photo or video or recording of sexual act or any similar activity, with or without consideration, notwithstanding that consent to record or take photo or video coverage of the same was given by such person/s;

Anti-Photo and Video Voyeurism Act (RA 9995)

UNLAWFUL OR PROHIBITED ACTS: c) To sell or distribute, or cause to be sold or distributed, such photo or video or recording of sexual act, whether it be the original copy or reproduction thereof, notwithstanding that consent to record or take photo or video coverage of the same was given by such person/s; or (d) To publish or broadcast, or cause to be published or broadcast, whether in print or broadcast media, or show or exhibit the photo or video coverage or recordings of such sexual act or any similar activity through VCD/DVD, internet, cellular phones and other similar means or device, notwithstanding that consent to record or take photo or video coverage of the same was given by such person/s.

Anti-Photo and Video Voyeurism Act (RA 9995)

PENALTY:

Imprisonment of not less than 3 years but not more than seven 7 years and a fine of not less than P100,000.00 but not more than P500,000.00, or both, at the courts discretion.

Anti-Photo and Video Voyeurism Act (RA 9995)

If the violator is a juridical person, its license or franchise will be automatically deemed revoked and the persons liable will be the officers, including the editor and reporter in the case of print media, and the station manager, editor and broadcaster in the case of a broadcast media. If the offender is a public officer or employee, or a professional, he/she will be administratively liable. If the offender is an alien, he/she will be subject to deportation proceedings after serving his/her sentence and payment of fines. Any photo or video, or any copy of such photo or video, obtained in violation of the law, will not be admissible in evidence in any judicial, quasi-judicial, legislative or administrative hearing or investigation.

Cases handled by CIDG

The CIDG said it received 25 complaints involving the use of Facebook between January 1 and June 14 this year. In comparison, the agency received 26 cases involving Facebook for the entire year of 2010. Of the cases involving Facebook this year, 6 were estafa; 6 were libel; 3 each for harassment and hacking; 5 cases of identity theft and fake accounts; and 2 cases of pornography. Aside from the Facebook complaints, the CIDG also received 11 cases of threats made via cellphone calls and texts for the first half of the year. The agency also received 5 complaints involving email; 2 complaints of credit card fraud; and one complaint each involving Twitter (libel) and Multiply (estafa). In addition, 5 complaints involving other websites were reported

Cases handled by CIDG

In all, the CIDG received 56 computer related crimes and complaints from January to June. Last year, the CIDG recorded 72 computer related walk-in complaints for the entire year. Aside from the Facebook-linked crimes, the agency also received 14 complaints of crimes involving e-mail and 9 cases involving the website eBay, all dealing with estafa. In addition, 12 cases involving other websites, in cases ranging from identity theft to estafa, were recorded in 2010.The CIDG also received 6 cases of credit card fraud; and 5 cases of cellphone threats and harassment. There were no reported cases involving Twitter and Multiply. The CIDG's Cyber Crime Unit handles the said cases. The cases are handled based on Section 33 of Republic Act 8792, or the E-Commerce Act.

CRIMINAL INVESTIGATION