FINALS

The document discusses computer forensics, including what it is, who uses it, and examples of its use. Investigators must properly collect, document, and handle digital evidence. This includes properly seizing devices and maintaining chain of custody of evidence.

What is Computer Forensics?

The use of scientifically derived and proven methods toward the following (CVIAD):
• Collection and preservation,
• Validation,
• Identification,
• Analysis and interpretation,
• Documentation and presentation
of digital evidence derived from digital sources, for the purpose of facilitating or furthering the reconstruction of events found to be criminal.

Computer Forensics Examples
• Recovering thousands of deleted emails
• Performing an investigation after an employee's termination
• Recovering evidence after a hard drive has been formatted
• Performing an investigation after multiple users have taken over the system

Who Uses Computer Forensics?
• Criminal Prosecutors
  – Rely on evidence obtained from a computer to prosecute suspects and use it as evidence.
• Civil Litigants
  – Personal and business data discovered on a computer can be used in fraud, divorce, harassment, or discrimination cases.
• Insurance Companies
  – Evidence discovered on a computer can be used to mitigate costs (fraud, worker's compensation, arson, etc.).
• Private Corporations
  – Evidence obtained from employee computers can be used in harassment, fraud, and theft cases.
• Law Enforcement Officials
  – Rely on computer forensics to back up search warrants and post-seizure handling.
• Individual/Private Citizens
  – Obtain the services of professional computer forensic specialists to support claims of harassment, abuse, or wrongful termination from employment.

Finding Potential Digital Evidence

Types of Electronic Media
• Desktops to servers
• Cell phones, PDAs and iPods

What can be on those iPods?
• Music
• Videos
• Contact list
• Porn
• Calendars
• Porn
• Operating systems
• Porn

Other Digital Storage Devices
• Printers
• Faxes
• VoIP phones

Summary
• Digital evidence comes in many shapes and sizes
• Investigators must know what and where to look
• Educated prosecutors and judges understand the SCOPE of a search

Seizure of Mobile Phone Devices
The following principles should be followed when seizing mobile phone devices:
• Have the proper equipment available
• Proper evidence handling
  – Fingerprints?
• Preserve the integrity of the evidence
  – Turn off / Faraday bag?
• Properly and sufficiently document the equipment that was seized
  – Evidence forms

Seizure Equipment
Investigators should have the following tools in a standard "raid" kit (PPPPAMMALUU2):
• Precision screwdrivers
• Pens
• Pencils
• Permanent markers
• Anti-static bags
• MicroSD cards with adapter
• MiniDV camcorder
• Aluminum foil
• Legal notepads
• USB write blocker
• USB forensic card reader
• 2 GB flash drive

Safety
As with all types of seized evidence, ensuring officer safety is the most important initial step.
• Before handling *any* evidence, take the time to visually inspect it without touching it.
• In the counter-terrorism world, cell phones are often used as remote detonators; use extreme caution.
• If the phone looks unusual, has external wires visible, or is attached to another object, call the proper safety personnel for a safety evaluation.

Seizure

If the phone is OFF
• Photograph, document and seize
• Seize the charger and accessories
• The phone should not be turned on unless there is a need to process it immediately and proper precautions are taken to shield it from the network.

If the phone is ON
• Photograph and document
• A decision needs to be made: turn it off or leave it on
• If you leave it on, shield it from the network
  – Use a Faraday bag or a jammer
• If you turn it off, the phone can lock, and you must then know the unlock PIN.

If the phone is on and you decide to leave it on:
• Shield it from the cell network
• Do you have the equipment available to process the phone at the scene? If not, can you shield it from the network and still transport it to the laboratory for processing?
• What is the battery life? Can you seize the charger?
• Will the phone auto-lock if no keys are pressed within a certain time?
• Can you change the locking code, just in case? How do you document that?

On-Scene Incident Response
If time is critical, on-scene processing may be necessary.

Conclusion
• Investigators should have a properly equipped toolbox in order to respond to the various types of situations they may encounter.
• Depending on the type of investigation, on-scene processing may be necessary. Investigators should be prepared with all the necessary forms, processing equipment and documentation capabilities.

Crime Scene Processing

Maintaining the Integrity of Electronic Evidence (On the Scene)
Computer evidence is fragile. Investigators should maintain the integrity of the evidence through (DIPC):
– Documentation
– Identification and seizure
– Packaging, transportation and storage
– Chain of custody

Planning the Search (Station)

Officer Roles (SOSESID C)
• Scene Safety
  – Prevents unauthorized entry
• Occupant Control
  – Maintains control of all occupants
• Search Team
  – Performs searches
• Evidence Custodian
  – Takes custody of and documents every seized item
• Scene Documentation
  – Documents the scene before and after the search
• Interview Team
  – Interviews all relevant occupants
• Digital evidence collection kit
• Proper forms
• Crime scene evidence collection kit:
  – Camera and extra film (video if available)
  – Note / sketch pads
  – Blank floppy diskettes
  – Evidence tape
  – Labels
  – Pens, markers
  – Storage containers
  – Anti-static bags
  – Tool kit

Procedure (SABBA)
• Select a group leader
• Assemble a search team
• Brief the team on the nature of the search
• Assign each officer a role
• Assemble the evidence collection kit

Securing the Electronic Crime Scene (On the Scene)
Officer safety first! Upon entry:
• Secure the premises
• Secure the occupants
• Secure the perimeter to prevent unauthorized access to the premises
• Prevent destruction of evidence

Documenting the Electronic Crime Scene (On the Scene)
To ensure detailed documentation of the search, use forms (ICA):
• Items Seized
  – Description
  – Who seized it and where it was found
• Chain of Custody
• After Action Report
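The DIPC principle above (documentation, identification and seizure, packaging and storage, chain of custody) and the ICA forms are paper processes. The check a practitioner wants behind them is that the image received at the laboratory is byte-for-byte what was seized, and that nobody rewrote the custody record in between. The following Python script is an added example written for this page, not a form or tool from the lecture or from any unit named on it: it hashes a constructed sample image at seizure, records each hand-off as an entry in a hash-chained custody log, and shows both failure modes (an altered image and an altered log entry) being detected. Item ids, officer names, places and timestamps are constructed sample data.

```python
"""Added example: evidence hashing plus a hash-chained chain-of-custody log.

Not a form or tool from the lecture. Field names (item_id, description,
found_at) loosely follow the ICA "Items Seized" form; all names, ids and
timestamps below are constructed sample data.
"""
from __future__ import annotations

import hashlib
import json


def sha256_hex(data: bytes) -> str:
    """Fingerprint of an evidence image; recomputed at every hand-off."""
    return hashlib.sha256(data).hexdigest()


class CustodyLog:
    """Append-only custody record. Every entry stores the SHA-256 of the
    previous entry, so rewriting or deleting any earlier entry breaks the
    link of every entry after it."""

    GENESIS = "0" * 64  # link value carried by the first entry

    def __init__(self) -> None:
        self.entries: list[dict] = []

    @staticmethod
    def entry_digest(entry: dict) -> str:
        # Canonical JSON (sorted keys, fixed separators) so the digest is reproducible.
        canonical = json.dumps(entry, sort_keys=True, separators=(",", ":"))
        return sha256_hex(canonical.encode("utf-8"))

    def add(self, item_id: str, action: str, actor: str, evidence_hash: str,
            timestamp: str, **details: str) -> dict:
        prev = self.entry_digest(self.entries[-1]) if self.entries else self.GENESIS
        entry = {"item_id": item_id, "action": action, "actor": actor,
                 "evidence_sha256": evidence_hash, "timestamp": timestamp,
                 "prev_entry_sha256": prev, **details}
        self.entries.append(entry)
        return entry

    def verify(self) -> bool:
        """True when each entry's link matches the digest of its predecessor."""
        prev = self.GENESIS
        for entry in self.entries:
            if entry["prev_entry_sha256"] != prev:
                return False
            prev = self.entry_digest(entry)
        return True

    def hashes_consistent(self, item_id: str) -> bool:
        """The hash taken at seizure must be the hash seen at every later hand-off."""
        seen = {e["evidence_sha256"] for e in self.entries if e["item_id"] == item_id}
        return len(seen) == 1


def run_scenario() -> dict:
    """Seizure -> transport -> laboratory receipt, then the two things that can go wrong."""
    # Constructed stand-in for the raw image of a seized device (not a real acquisition).
    evidence = b"constructed sample image bytes; not a real acquisition"
    seized_hash = sha256_hex(evidence)

    log = CustodyLog()
    log.add("ITEM-01", "seized", "PO2 Reyes", seized_hash, "2024-03-01T09:15:00Z",
            description="Mobile phone, black, powered off when found",
            found_at="Bedroom, top drawer of desk")
    log.add("ITEM-01", "transported", "PO2 Reyes", sha256_hex(evidence),
            "2024-03-01T11:40:00Z", to="Evidence room, Station 4")
    # The receiving examiner re-hashes the image before accepting the item.
    log.add("ITEM-01", "received", "Examiner Cruz", sha256_hex(evidence),
            "2024-03-02T08:05:00Z", at="DFE laboratory")

    results = {"log_ok": log.verify(),
               "hashes_consistent": log.hashes_consistent("ITEM-01")}

    # Failure mode 1: one byte of the image changes after seizure.
    altered = bytearray(evidence)
    altered[0] ^= 0x01
    results["altered_image_detected"] = sha256_hex(bytes(altered)) != seized_hash

    # Failure mode 2: an earlier custody entry is rewritten; the chain no longer verifies.
    log.entries[0]["actor"] = "PO1 Santos"
    results["altered_log_detected"] = not log.verify()
    return results


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

The chain protects every entry except the most recent one; an entry is only pinned once a later entry links to it, which is why the examiner's receipt entry (and, in practice, a signature or timestamp from an independent party) should always follow the last transfer.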
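The Computer Forensics Examples section at the start of these notes lists recovering evidence after a hard drive has been formatted. A quick format rewrites the file system's metadata but leaves most file contents on disk, so the laboratory step that follows acquisition is usually signature carving: scanning the raw image for known file headers and footers without relying on the file system at all. The script below is an added example for this page, not code from the lecture; it carves JPEG and PDF files out of a constructed sample image whose metadata area is zeroed, and flags a file whose footer was overwritten as incomplete rather than dropping it. The signature table and the sample image are constructed for illustration.

```python
"""Added example: signature-based carving over a raw image.

Not code from the lecture. Carving reads raw bytes and ignores the file
system, so it recovers contents whose directory entries were wiped by a
quick format or a deletion; file names and timestamps are not recovered.
The signature table and the sample image are constructed for illustration.
"""
from __future__ import annotations

# type -> (header, footer, maximum distance to search for the footer)
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9", 20 * 1024 * 1024),
    "pdf": (b"%PDF-", b"%%EOF", 50 * 1024 * 1024),
}

# Constructed sample files: only the framing bytes matter for this demonstration.
SAMPLE_JPEG = b"\xff\xd8\xff\xe0" + b"constructed pixel data " * 8 + b"\xff\xd9"
SAMPLE_PDF = b"%PDF-1.4\n1 0 obj << /Type /Catalog >> endobj\ntrailer\n%%EOF"
SAMPLE_TRUNCATED_JPEG = b"\xff\xd8\xff\xe0" + b"picture whose tail was overwritten"
BLANK = bytes(4096)  # stands in for the zeroed metadata area of a formatted volume


def build_sample_image() -> bytes:
    """Raw image: zeroed metadata, a whole JPEG, a whole PDF, a JPEG with no footer."""
    return (BLANK + SAMPLE_JPEG + BLANK + SAMPLE_PDF + BLANK
            + SAMPLE_TRUNCATED_JPEG + bytes(512))


def carve(image: bytes, signatures: dict = SIGNATURES) -> list[dict]:
    """Return carved regions sorted by offset. A header with no footer inside
    max_size is reported with complete=False rather than silently dropped."""
    found: list[dict] = []
    for kind, (header, footer, max_size) in signatures.items():
        pos = 0
        while (start := image.find(header, pos)) != -1:
            window_end = min(len(image), start + max_size)
            end = image.find(footer, start + len(header), window_end)
            if end == -1:
                # Footer overwritten or outside the window: keep the run up to the
                # window so an examiner can still look at what survived.
                found.append({"type": kind, "offset": start,
                              "length": window_end - start, "complete": False})
                pos = start + len(header)
            else:
                end += len(footer)
                found.append({"type": kind, "offset": start,
                              "length": end - start, "complete": True})
                pos = end
    found.sort(key=lambda rec: rec["offset"])
    return found


def extract(image: bytes, rec: dict) -> bytes:
    """Bytes of one carved region; the hash of this slice is what goes on the custody form."""
    return image[rec["offset"]:rec["offset"] + rec["length"]]


if __name__ == "__main__":
    img = build_sample_image()
    for rec in carve(img):
        state = "complete" if rec["complete"] else "PARTIAL"
        print(f"{rec['type']} at offset {rec['offset']}, {rec['length']} bytes, {state}")
```

Two caveats a practitioner applies on real images: the three-byte JPEG header occurs by chance in unrelated data, so production carvers validate the internal structure (JPEG segment markers, PDF object syntax) before accepting a hit, and PDFs with incremental updates contain several `%%EOF` markers, so stopping at the first one truncates the file.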
Once you have entered and secured the electronic crime scene, you should document the surroundings as initially found:
• Photograph
• Sketch

Photograph the crime scene:
• Overall
• Detailed (evidence)
• Photograph each and every item before it is seized
• Avoid using flash for close-ups
• Photograph items on the screen

Sketch:
• Layout
• Suspect location
• Room identification
• Location of evidence
• Court presentation

Interviewing the Occupants (On the Scene)
On-scene interview:
• Discovery or preservation of additional evidence
• Additional arrests

Recognizing and Identifying Electronic Evidence (On the Scene)
The items in the following slides may contain evidence such as:
• Spreadsheets
• Documents
• Contact lists
• Electronic mail messages
• Instant messages and chat traffic
• Databases
• Maps

Computer Hardware:
• CPU
• Hard drive(s)
• Volatile memory

Demonstration: On the Scene, Step by Step

Seizing Electronic Evidence

Step 1: Make the entry (teamwork)
• Secure the suspect(s) and the scene!
• Establish a perimeter

Step 2: Search the suspect(s)
• Take your time; be methodical
• Analyze each item seized (is it electronic?)
• Communicate with other officers
• Remember to package evidence and property separately

Step 3a: On the scene
• Examine the scene
• Document the current state of the computer
• If the computer is "OFF," do not turn it "ON"

Step 3b: Begin the interview
• Asking the right questions
• Documenting the interview
• Using evidence to formulate questions

Step 4: Photograph and sketch the scene
If the monitor is on and:
• the screen is blank, or
• it is in "sleep" mode, or
• a screen saver is visible:
  – Move the mouse without pressing any buttons
  – Photograph the screen and the information displayed

Step 5: Check for network connectivity
• Collect volatile data

Step 6: Pull the plug
The safest way to turn off a computer running Windows or DOS is to pull the plug from the computer, not from the wall outlet. Whatever volatile data is needed (Step 5) must already have been collected, because it is lost the moment power is removed.

Step 7: Collection
Other items of interest:
• Note pads
• Video cassettes
• Audio cassettes
• Manuals and other printed materials
• Use the collected evidence to formulate questions
• Ensure that all evidence has been documented and properly labeled.
• Pack evidence in proper evidence packaging.

Step 8: Labeling
When disassembling the computer system:
• Label each part and peripheral so that it can be reassembled in court, if necessary.
• Use corresponding labels for any cables or devices that were connected.
• Label any empty ports "MTY".

Step 9a: Transport prep
To help prevent accidental booting of the system:
• Insert a blank disk in the floppy diskette drive
• Place evidence tape over the disk drives
• Be sure to check the CD-ROM
• Place evidence tape over the power outlet

Step 9b:
• Do not leave disks in the disk drives
• Remove the CD / DVD from the drive using a paperclip (with the power off)

Step 10: Hard drive collection
Remove the case and document:
• Components (memory, cards, etc.)
• Hard drives:
  – The device model and serial numbers (if available)
  – Size
  – Master or slave

Packaging and Transporting Electronic Evidence
Computer systems are sensitive to temperature, humidity, physical shock, static electricity, and magnetic sources.
• Ensure that all evidence has been documented and properly labeled.
• Pack magnetic media in anti-static packaging.
• Keep it away from:
  – Heat
  – Police radios
• Use bubble wrap, not Styrofoam.
• Place the computer in the area of the car that rides smoothest.

Storing Electronic Evidence (At the Station)
Store the computer in a secure area, just as you would any type of evidence. Storage for evidence must be:
• Cool
• Dry
• Away from:
  – Generators
  – Magnets

REGIONAL ANTI-CYBERCRIME UNIT (RACU)
1. Cyber security and patrolling
2. Cybercrime investigation
3. Digital forensics

In the DOJ Advisory on Institution of Cybercrime and Cyber-related Offences issued on July 16, 2018, Justice Secretary Menardo Guevarra opined that "the phrase 'to exclusively handle cases involving violations of RA 10175' does not confer on the NBI-CCD and PNP-ACG the sole authority and competence to investigate cases involving violations of the said act. Rather, the exclusivity phrase provides a limitation on the type of cases that may be handled by the NBI-CCD and PNP-ACG, thus bolstering their status as specialized units. Other investigative units or agencies may also undertake investigation involving cyber-related offenses committed through, or with the use of, ICT."

Digital Forensic Examination (DFE) Rules and Requirements
• Section 6.9 of the Rule on Cybercrime Warrants: Examination where lawful possession of the device is obtained.
• Warrant to Examine Computer Data (WECD). Upon acquiring possession of a computer device or computer system via a lawful warrantless arrest, or by any other lawful method, law enforcement authorities shall FIRST APPLY FOR A WARRANT before searching the said computer device or computer system for the purpose of obtaining, for forensic examination, the computer data contained therein. The warrant therefore shall be denominated as a Warrant to Examine Computer Data (WECD).

DOCUMENTS TO BE BROUGHT AND SUBMITTED BY THE INVESTIGATOR ON CASE (IOC) TO RACU 4A
The IOC shall accomplish and bring the following:

DFE of a gadget / digital device owned by a dead suspect:
(1) Written request from the Police Station signed by the Chief/Head;
(2) Certified true copy of the Spot/Incident Report indicating that the evidence subject to examination is included as evidence in the incident;
(3) Certified true copy of the inventory of the pieces of evidence seized;
(4) Warrant to Examine Computer Data (WECD).

DFE of a gadget / digital device owned by a victim, whether alive, dead or incapacitated:
(1) Written request from the Police Station signed by the Chief/Head;
(2) Certified true copy of the Spot/Incident Report indicating that the evidence subject to examination is included as evidence in the incident;
(3) Duly notarized written consent from the owner.

DFE of CCTV footage:
(1) Written request from the Police Station signed by the Chief/Head;
(2) Certified true copy of the Spot/Incident Report indicating that the evidence subject to examination is included as evidence in the incident;
(3) Duly notarized written consent from the owner certifying that the IOC is authorized to extract and submit the CCTV footage for DFE.

WHO CAN BRING THE DFE REQUEST?
• ONLY the Investigator On Case (IOC) can submit the digital evidence to RACU 4A.
WHY?
• The IOC will sign a checklist of the items listed on the chain of custody form, for future/legal reference.

WHO CAN RECEIVE DFE RESULTS?
• ONLY the IOC who submitted the digital evidence is allowed to withdraw the evidence and the DFE results.

Terrorist Use of the Internet in the Philippines (Extremism/Radicalism)

This will be the order of my presentation: the ACG (brief introduction), terrorist use of the Internet in the Philippines, challenges, and recommendations.

Terrorist Use of the Internet in the Philippines

Communication: With the thousands and thousands of online communication platforms that are free to use, it is hard for law enforcers to detect where they are in the cyber environment.

Propaganda: Propaganda is known for its effectiveness in times of war. Nations at war used it during the world wars to boost the morale of their troops and demoralize the enemy.

Spread fear/terror: Extremist groups want to be feared by the non-believers. With the ultimate goal of making this world bow to one religion or faith, extremist groups do unthinkable things to other people.

Funding: The Internet is also being used to obtain funds from local and international supporters. It may be a direct appeal to the community to help their cause, such as the example shown in the slide where an alleged Mujahideen from Zamboanga is asking for financial assistance.

Recruitment

Training: Instructional materials about bomb making, extremist ideologies, and radical interpretations of Islam can be easily shared online and accessed by anyone.

Radicalization: The most dangerous people are said to be the ones who were radicalized at an early stage, when they were still kids. Those people who never had the chance to experience the positive side of life, which includes the love of a mother or family, toys, entertainment, or other simple joys in life. Those people who are made to believe that the very purpose of their existence is to kill the non-believers.

Justification: Justifications of Jihad are shared by POIs on the Internet, particularly on social media, where they can reach huge TARGETED audiences to entice especially the youth to support and join their cause.
