INTRODUCTION TO CYBERCRIME AND ENVIRONMENTAL LAWS AND PROTECTION

CHAPTER 5 – CYBERCRIME INVESTIGATION AND DIGITAL FORENSIC

DIGITAL FORENSIC PROCESS
Computer forensics investigations, according to Lin (2018), go through several
stages in order to form and test hypotheses about the crime. Suppose someone is
suspected of accessing child pornography on the internet. To support this claim, a
USB drive containing images was found at his home. While it is crucial to physically
secure the USB drive, the data on it must also be protected by disk imaging, which
creates a virtual copy of the entire disk and stores it on the investigator's computer.
The acquired USB drive image can then be brought into a forensic lab for further
analysis. It may be that none of the offending images can be found in the disk areas
that are normally accessible, but digital forensic investigators are able to examine the
disk image and would eventually recover any deleted or hidden files. Finally, any child
pornography found in the USB drive image can be presented as evidence at the trial
of the suspect.
Lin (2018) further stressed that many methodological models have been developed in
the field of digital forensics. Among these models are (a) the Kruse and Heisser
Model, (b) the Yale University Model, and (c) the Rodney McKemmish Model.
1. Kruse and Heisser Model. This model is called the three "A"s because it has
three phases that each start with the letter "A":
- Acquire
- Authentication
- Analyze
2. Yale University Model. This model was developed by Casey, who was then the
security supervisor of Yale University's IT systems. It is very similar to a widely
recognized standard incident response process and procedure, and comprises six
stages: preliminary consideration; planning; recognition; preservation, collection,
and documentation; classification, comparison, and individualization; and
reconstruction.
- Preliminary consideration
- Planning
- Recognition
- Preservation, Collection, and Documentation
- Classification, Comparison, and Individualization
- Reconstruction
3. Rodney McKemmish Model. This model was proposed by an Australian police
officer. It comprises four phases:
- Identification
- Preservation
- Analyze
- Presentation

CBSUA SIPOCOT BS CRIMINOLOGY

From an analysis standpoint, according to Lin (2018), the three models are similar
even though they come from different governments around the world or from
academia. Each model emphasizes a particular stage. Despite their similarities and
differences, the main purpose remains the same: to extract digital evidence that can
be introduced in court. The court can accept only legally obtained evidence, and only
after it agrees that a violation of law has occurred.
4. The Philippine National Police Anti-Cybercrime Group uses a five-step model:
- Identification
- Acquisition
- Examination/analysis
- Reporting
- Court presentation
Step 1. Identification
As explained by Marras (2014), identification is the stage of a computer forensics
investigation in which investigators explain and document the origin of the evidence
and its significance. Given that evidence can be interpreted from a number of
different perspectives, this phase determines the context in which the evidence was
found. It looks at both the physical environment and the logical context of the
location of the electronic evidence. Physically, evidence may reside on a specific
medium such as a hard drive.
Data can then be physically extracted from a hard drive using methods such as
keyword searching. Data can also be extracted in other ways, for instance by file
carving. File carving looks for specific files on a hard drive based on the header,
footer, and other identifiers of the file, without relying on the file system. By
searching in this manner, an investigator can recover files or fragments of damaged
or deleted files from corrupt directories or damaged media.
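The header/footer carving just described, as an added example that is not part of the original chapter: it scans a constructed raw image (no file system) for JPEG and PNG signatures, carves BMP files by the length stored in their header since they have no footer, and flags a JPEG whose footer was overwritten as an incomplete fragment. The signature bytes are the well-known magic values; the 64 KiB fragment cap is an assumption.

```python
import struct
from dataclasses import dataclass

# Header/footer signatures for the types carved by trailer (well-known magic bytes).
SIGNATURES = {
    "jpeg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
}
MAX_FRAGMENT = 64 * 1024  # assumed cap for a file whose footer is never found


@dataclass
class CarvedFile:
    kind: str
    offset: int
    data: bytes
    complete: bool  # False when the footer was missing (damaged or overwritten)


def carve(image: bytes) -> list:
    """Scan a raw image for file signatures, ignoring file-system metadata, so
    deleted files and fragments in unallocated space are recovered as well."""
    found = []
    # Footer-based carving: everything between a header and the next footer.
    for kind, (header, footer) in SIGNATURES.items():
        pos = 0
        while (start := image.find(header, pos)) != -1:
            end = image.find(footer, start + len(header))
            if end == -1 or end - start > MAX_FRAGMENT:
                # No usable footer: keep the fragment up to the cap and flag it,
                # so the examiner knows the file may be damaged or truncated.
                found.append(CarvedFile(kind, start, image[start:start + MAX_FRAGMENT], False))
                pos = start + len(header)
            else:
                end += len(footer)
                found.append(CarvedFile(kind, start, image[start:end], True))
                pos = end
    # Length-based carving: BMP has no footer, but bytes 2-5 of its 14-byte
    # file header hold the total file size (little-endian).
    pos = 0
    while (start := image.find(b"BM", pos)) != -1:
        if start + 14 <= len(image):
            size = struct.unpack_from("<I", image, start + 2)[0]
            if 14 < size <= len(image) - start:  # sanity check rejects chance "BM" hits
                found.append(CarvedFile("bmp", start, image[start:start + size], True))
        pos = start + 2
    return sorted(found, key=lambda f: f.offset)


# Constructed sample image: two intact pictures, a BMP, and a JPEG whose tail
# was overwritten, all surrounded by zeroed "unallocated" space.
JPEG_OK = b"\xff\xd8\xff\xe0" + b"JFIF-scan-data" * 4 + b"\xff\xd9"
PNG_OK = b"\x89PNG\r\n\x1a\n" + b"IHDR-and-IDAT-chunks" + b"IEND\xaeB`\x82"
_bmp_body = b"\x00" * 40 + b"pixel-rows" * 6
BMP_OK = b"BM" + struct.pack("<IHHI", 14 + len(_bmp_body), 0, 0, 54) + _bmp_body
JPEG_DAMAGED = b"\xff\xd8\xff\xe1" + b"Exif-header-only" * 2  # footer never written
SAMPLE_IMAGE = (b"\x00" * 100 + JPEG_OK + b"slack-space-text" + PNG_OK
                + b"\x00" * 50 + BMP_OK + b"\x00" * 10 + JPEG_DAMAGED)


def carve_summary(image: bytes = SAMPLE_IMAGE) -> list:
    """(kind, offset, length, complete) for each carved item, in disk order."""
    return [(f.kind, f.offset, len(f.data), f.complete) for f in carve(image)]


if __name__ == "__main__":
    for row in carve_summary():
        print(row)
```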
Step 2. Data Acquisition
Acquisition is the first step in the forensic process and is critical to ensuring the
integrity of the evidence. As acquisition is the first contact with the evidence, it is
the point at which evidence is most likely to be damaged or destroyed. Simply
turning on a computer can modify hundreds of evidentiary items, including files and
their date and time stamps, introduce new Internet history, and destroy files that
could otherwise have been recovered from the unallocated space of the hard drive.
As stated by Holtz (2013), digital evidence needs to be preserved just like
other traditional forms of physical evidence, such as blood or hair. However, what
makes digital forensics unique is the fact that preservation refers specifically to the
ability to make a duplicate copy of the original digital evidence.
A variety of software enables digital forensic analysts to create a forensic image of
computer data, for example: (a) AccessData FTK, (b) EnCase Forensic, (c) Autopsy
and The Sleuth Kit, (d) Magnet Forensics AXIOM, (e) X-Ways Forensics, and
(f) BlackLight. This software makes the job of the digital forensics analyst easier, as
it can process and categorize large amounts of data in a short period of time.
Moreover, Holtz (2018) stated that imaging is the initial step in the acquisition
process of digital evidence. Imaging is the process of making an exact (bit-by-bit)
copy of the original drive onto a new digital storage device. This new storage device
should be clean, meaning that no digital data is present or left over that could
contaminate the imaging process. The process of cleaning a digital storage device to
ensure that no remnants of data are present is known as wiping. When imaging a
drive, the digital forensic tool must be forensically sound. To be forensically sound,
the tool must eliminate the possibility of making any changes to the original data
source. To ensure that no changes are made to the original data source, a write
blocker is used. A write blocker is a device that allows read-only access to all
accessible data on a drive while preventing anything from being written to the
original drive, which would alter or modify the original evidence. Essentially, the
imaging system sends only read commands to the drive, never write or modify
commands.
Verification is the final step in the preservation process of digital evidence.
Verification establishes the integrity of the digital evidence by proving that the
duplicate is authentic. Digital forensic investigators verify duplicate copies by
comparing hash values. A hash algorithm is a set of calculations that takes any
amount of data (input) and creates a fixed-length value (output), known as a hash,
which acts as a unique reference number for the original data. Hash values are fixed
in length and made up of a unique combination of hexadecimal digits, which can be
the numbers 0-9 or the letters a-f. These hash values act as digital fingerprints, since
they are unique to the original data they reference.
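The imaging, write-blocking and verification steps above, as an added example that is not from the chapter or from any of the tools it names: a constructed in-memory "drive" (including a deleted-file remnant in unallocated space) is copied sector by sector through a simulated write blocker onto a wiped target, and MD5 and SHA-256 digests of source and image are compared. A single flipped bit in the copy is enough to make verification fail. The device class and sector size are assumptions for the demonstration.

```python
import hashlib
import io

SECTOR = 512

# Constructed sample "drive": live data plus a deleted-file remnant that still
# sits in unallocated space and must survive the bit-for-bit copy.
SOURCE_DRIVE = (
    b"BOOT".ljust(SECTOR, b"\x00")
    + b"report.docx (allocated)".ljust(SECTOR, b"\x00")
    + b"<remnant of deleted image>".ljust(SECTOR, b"\x00")  # unallocated
    + b"\x00" * SECTOR
)


class WriteBlockedDevice:
    """Read-only access to the source, as a hardware write blocker provides:
    reads pass through, any write command is refused and counted (assumed API)."""

    def __init__(self, raw: bytes):
        self._buf = io.BytesIO(raw)
        self.blocked_writes = 0

    def seek(self, pos: int) -> None:
        self._buf.seek(pos)

    def read(self, size: int = -1) -> bytes:
        return self._buf.read(size)

    def write(self, data: bytes) -> int:
        self.blocked_writes += 1
        raise PermissionError("write blocked: evidence device is read-only")


def wipe(size: int) -> bytearray:
    """Prepare the target medium: every byte zeroed so no prior data remains."""
    return bytearray(size)


def image_device(device: WriteBlockedDevice, target: bytearray) -> bytearray:
    """Bit-for-bit copy, sector by sector, issuing read commands only."""
    device.seek(0)
    offset = 0
    while True:
        sector = device.read(SECTOR)
        if not sector:
            break
        target[offset:offset + len(sector)] = sector
        offset += len(sector)
    return target


def fingerprint(data: bytes) -> dict:
    """Fixed-length hex digests. MD5 is still widely recorded in forensic
    reports but is no longer collision resistant, so SHA-256 is kept alongside."""
    return {
        "md5": hashlib.md5(data).hexdigest(),        # 32 hex digits
        "sha256": hashlib.sha256(data).hexdigest(),  # 64 hex digits
    }


def verify(original: bytes, duplicate: bytes) -> bool:
    """The duplicate is authentic only if every digest matches."""
    return fingerprint(original) == fingerprint(duplicate)


def acquire_and_verify(raw: bytes = SOURCE_DRIVE) -> dict:
    device = WriteBlockedDevice(raw)
    try:
        device.write(b"mounted")  # e.g. an OS trying to update a journal
    except PermissionError:
        pass
    image = bytes(image_device(device, wipe(len(raw))))
    tampered = bytearray(image)
    tampered[SECTOR + 3] ^= 0x01  # a single flipped bit in the copy
    return {
        "blocked_writes": device.blocked_writes,
        "image_verified": verify(raw, image),
        "tampered_verified": verify(raw, bytes(tampered)),
        "remnant_preserved": b"<remnant of deleted image>" in image,
        "sha256": fingerprint(image)["sha256"],
    }


if __name__ == "__main__":
    for key, value in acquire_and_verify().items():
        print(f"{key}: {value}")
```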
Step 3. Examination/Analysis
The analysis phase of the investigation refers to the interpretation and
reconstruction of the digital crime scene. This process is not an easy task due to the
large amounts of data uncovered during a digital forensic investigation.
Moreover, as emphasized by Sachowski (2018), as the investigation starts to focus
on analyzing digital evidence in order to make sense of it, it moves away from its
scientific foundation and into the realm of art and perception. On one hand, if
practitioners rely too much on subjective points of view based on experience, they
could overlook evidence. On the other hand, if they rely too much on technology as
the catch-all way to find all evidence, they could be led to wrong or incomplete
conclusions. It is not that practitioners conjure up some form of magic when
determining what constitutes order (evidence) versus chaos (clutter); it is that this
phase of the investigative workflow is more an art than a science. Essentially,
analytics is a practitioner's ability to sort through masses of data, find hidden
patterns and correlations, and extract relevance and meaning to establish facts. One
part of this equation lies in the use of technology that helps to automate the
examination and analysis of digital evidence, but practitioners cannot rely solely on
technology to solve problems. The other part of the equation is building and refining
analytical skills through professional education, training, and past experience.
After recovering the data, the next step is data reduction and filtering, which also
takes place during the analysis phase. By reducing the dataset, the digital forensics
examiner interprets only those files relevant to the investigation. Filtering may
involve removing duplicate files, searching for keywords, or grouping data based on
file types. For example, a digital forensic examiner may search for and group
together image file types (e.g. JPEG, GIF, BMP) when investigating a child
pornography case. In addition, file hashes may be used to eliminate duplicate data
(Holtz, 2018).
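The three reduction and filtering techniques named above (duplicate removal by hash, grouping by file type, keyword search), as an added example that is not part of the chapter. It runs over a constructed set of files; the type is taken from the file's magic bytes rather than its name, so a JPEG renamed to .txt still lands in the image group. The signature table and sample contents are constructed for the demonstration.

```python
import hashlib

# File-type identification by leading magic bytes (well-known signatures),
# deliberately ignoring the file extension.
MAGIC = {
    b"\xff\xd8\xff": "jpeg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
    b"BM": "bmp",
}
IMAGE_TYPES = ("jpeg", "png", "gif", "bmp")


def file_type(data: bytes) -> str:
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return "other"


def reduce_dataset(files: dict, keywords=()) -> dict:
    """Drop exact duplicates by SHA-256, group what remains by its real type,
    and flag keyword hits. `files` maps path -> content bytes."""
    first_seen = {}   # digest -> path of the copy that is kept
    duplicates = {}   # kept path -> identical copies removed from the set
    unique = {}
    for path in sorted(files):
        digest = hashlib.sha256(files[path]).hexdigest()
        if digest in first_seen:
            duplicates.setdefault(first_seen[digest], []).append(path)
            continue
        first_seen[digest] = path
        unique[path] = files[path]

    by_type = {}
    for path, data in unique.items():
        by_type.setdefault(file_type(data), []).append(path)
    # The examiner's "image files" view, regardless of what the names claim.
    images = [p for kind in IMAGE_TYPES for p in by_type.get(kind, [])]

    keyword_hits = {}
    for path, data in unique.items():
        hits = [k for k in keywords if k.lower().encode() in data.lower()]
        if hits:
            keyword_hits[path] = hits

    return {
        "unique_count": len(unique),
        "duplicates": duplicates,
        "by_type": by_type,
        "images": images,
        "keyword_hits": keyword_hits,
    }


# Constructed sample set: a photo and its byte-identical backup copy, a JPEG
# renamed to .txt, a PNG, and two plain-text notes.
PHOTO = b"\xff\xd8\xff\xe0" + b"JFIF-scan-data" * 3 + b"\xff\xd9"
SAMPLE_FILES = {
    "DCIM/IMG_001.jpg": PHOTO,
    "backup/IMG_001 copy.jpg": PHOTO,
    "invoice.txt": b"\xff\xd8\xff\xe1" + b"Exif-data" * 2 + b"\xff\xd9",
    "logo.png": b"\x89PNG\r\n\x1a\n" + b"IHDR" + b"IEND\xaeB`\x82",
    "notes.txt": b"Meet at the pier tomorrow, bring the drive.",
    "readme.txt": b"nothing of interest here",
}


def run(files: dict = SAMPLE_FILES, keywords=("pier", "transfer")) -> dict:
    return reduce_dataset(files, keywords)


if __name__ == "__main__":
    for key, value in run().items():
        print(f"{key}: {value}")
```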
Step 4. Reporting/Documentation
The next step in the digital forensic investigation is the report/presentation
phase. In the report/presentation stage, the findings determined to be relevant to the
investigation are finalized in a report. Only relevant evidence should be included in
the final report, rather than hypothetical or theoretical evidence. In addition, the
report should reflect complete transparency, meaning each step is described in detail
to leave no mystery in the digital forensics process. Specifically, the digital forensic
technicians should be prepared to testify in court regarding the survey/identification
(e.g. chain of custody), collection/acquisition (preservation, forensic tools), and
examination/analysis (data recovery and reduction) stages of the digital forensic
investigation.
As further stated by Britz (2013), successful prosecution of computer-related
offenses often hinges upon formal reporting. Incomplete reports or inconsistent
testimony can negate even the best-run investigations. Witnesses who are uncertain
about aspects of their analysis or hesitant in their findings may be discredited or
impeached during cross-examination. As a corollary, most forensic packages are
capable of creating logs and subsequent reports automatically. While many
contemporary investigators eschew the traditional approach, it is recommended that
both strategies be employed to enhance the credibility and veracity of the
investigation.
According to Daniel and Daniel (2012), in general, a digital forensics report
should include:
a. Background and experience of the examiner
b. Tools used in the examination
c. Methods used to verify the data
d. Processes used to recover and extract the data
e. Statement of what the examiner found
f. Actual data recovered to support the statement of findings
Step 5. Court Presentation
As discussed by Marras (2014), computer forensics investigators must be prepared to
testify in court. During their testimony, they are usually required to defend their
personal qualifications, methods, affidavit, etc. Computer forensics experts must also
be able to communicate their findings to a variety of audiences (e.g. juries, judges,
lawyers, corporate management, and administrative officials).
RULES ON ELECTRONIC EVIDENCE
Admissibility of Digital Evidence
To ensure the admissibility of digital evidence in a court of law, certain legal and
technological criteria have to be met. With regard to the former, the court examines
the legal permission to search and seize information and communication technologies
and related data, and the relevance, accuracy, integrity, and reliability of the digital
evidence. With regard to the latter, the court critically examines the methods and
techniques of digital forensics used to collect, store, and analyze the digital
evidence; the digital laboratories in which the analyses are carried out; the reports
of the digital forensic experts; and the professional and academic qualifications of
the analysts and expert witnesses in digital forensics.
Assessment of Digital Evidence
Courts decide whether the appropriate legal authorization for the search and seizure
of information and communication technology (ICT) and associated data has been
obtained. A search warrant, court order, or subpoena are among the forms of legal
authorization. The legal order necessary to obtain ICT and ICT-related data varies
according to jurisdiction. However, a search warrant is the legal order predominantly
used by countries to seize ICT. Nevertheless, depending on the circumstances of the
situation, the circumstances surrounding the search and seizure, and the credentials
of those performing the search, laws vary in their legal-order criteria. In this step,
the forensic significance of the digital evidence is also assessed. Forensic relevance
is determined by whether the digital evidence:
- Links or rules out a link between the suspect and the target (victim, digital
computer, website, etc.) and/or the scene of the crime (the location where the
crime or cybercrime took place);
- Supports or refutes statements by suspects, victims and/or witnesses;
- Identifies the cybercrime culprit(s);
- Provides details on the perpetrator's mode of action (modus operandi or M.O.),
that is, the patterns, strategies, and specific characteristics of the actions of
the perpetrator; and
- Reveals that a crime has happened (corpus delicti).
Consideration of Digital Evidence
The digital forensics techniques and methods used to collect the evidence, and the
expertise and qualifications of the digital forensics experts who acquired, stored, and
examined it, are assessed to determine the integrity of the digital evidence.
Basically, this assessment aims to evaluate whether the digital data has been
obtained, stored, and examined using scientific criteria, and whether the
requirements for handling and examining digital evidence have been met (for
example, whether the digital forensics tools were validated, up to date, properly
maintained, and tested before use to ensure their proper functioning).


Digital forensic experts provide testimony in court to explain:
a. Their qualifications
b. How they handled the digital devices, online channels and other ICT-related
sources
c. The phases of the digital forensics process
d. Why a specific digital forensics method was chosen for the digital evidence,
and not others
e. The meaning and outcomes of the analyses carried out, and the reliability of
these interpretations
f. Any changes that may have happened to the data and why these changes
took place
In order to determine the expertise of people handling and examining digital
evidence, the skills of digital forensics experts are also examined. This expertise is
important to ensure the quality of the work product and trust in the results obtained
(SWGDE, 2017). Nevertheless, for digital forensics professionals, there are no
universal competency requirements. The qualifications of experts in digital forensics
differ by region (UNODC, 2013).
Digital forensics experts may or may not need to be certified; this depends on the
jurisdiction (UNODC, 2013). Therefore, this stage assesses whether experts have the
necessary credentials to act as expert witnesses and/or to conduct the appropriate
ICT and ICT-related data examinations. It is also determined whether the expertise
of these experts and analysts has been confirmed and checked.
The standards and techniques of the digital forensics laboratory are also reviewed in
order to determine the laboratory's competency in the processing and analysis of
digital evidence and the production of accurate findings. What is specifically studied
is whether a laboratory employs adequate procedures, appropriate technologies and
facilities, and qualified personnel in order to draw reasonable conclusions.
Accreditation helps with this effort by allowing for quality improvement,
performance assessment, impartial inspection, and compliance with current
regulations, and by ensuring that the best levels of forensic science are promoted
and preserved (Barbara, 2012).
Determination of Digital Evidence
The authenticity, credibility and reliability of digital evidence are determined on the
basis of the findings of the digital forensics process evaluation performed in the
previous phase (the digital evidence consideration phase), such as the use of
forensically sound techniques and tools to collect the digital evidence and the
testimony of expert witnesses and digital forensics experts to establish the validity,
credibility and reliability of this evidence (Antwi-Boasiako and Venter, 2017; US
National Institute of Justice, 2004).

Digital evidence is admissible if:
- A fact of the matter asserted in the case is established;
- During the digital forensics process, it remained unaltered; and
- The analysis findings are true, accurate and peer-reviewed (Brezinski and
Killalea, 2002).
Findings should be presented in an impartial manner in order to be admissible,
and mistakes and uncertainties in the findings should be disclosed, as well as
shortcomings in the interpretation of results (Brezinski and Killalea, 2002).
These essentially consolidate common legal and technical standards for
admissibility of proof across jurisdictions (Antwi-Boasiako and Venter, 2017). To
ensure the admissibility of digital evidence across jurisdictions, the standardization of
digital forensics practices is key. The harmonization of digital forensics techniques,
given the transnational nature of cybercrime, is not only of vital importance in the
investigation of cybercrime, but also necessary for international cooperation on
cybercrime issues.
RULES ON ELECTRONIC EVIDENCE
These Rules apply whenever an electronic document or electronic data message is
offered or used in evidence (Rule 1, Section 1. Scope). They apply to civil lawsuits
and investigations, as well as quasi-judicial and disciplinary proceedings (Rule 1,
Section 2. Cases covered). In all matters not specifically covered by these Rules, the
Rules of Court and the relevant provisions of the legislation containing rules on
evidence apply (Rule 1, Section 3. Application of other rules on evidence).
BEST EVIDENCE RULE
An electronic document is considered the equivalent of an original document under
the Best Evidence Rule if it is a printout or output readable by sight or other means,
and it is shown to accurately reflect the data (Rule 4, Section 1).
Copies As Equivalent Of The Originals
When two or more copies of a document with the same contents are executed at or
about the same time, or when a counterpart is produced by the same impression as
the original, from the same matrix, by mechanical or electronic re-recording, by
chemical reproduction, or by other comparable techniques that accurately reproduce
the original, such copies or duplicates shall be regarded as equivalent to the original.
Notwithstanding the above, copies or duplicates are not admissible to the same
extent as the original if:
a. A genuine question is raised as to the authenticity of the original; or
b. In the circumstances it would be unjust or inequitable to admit the copy in lieu
of the original.

AUTHENTICATION OF ELECTRONIC DOCUMENTS
Burden of Proving Authenticity
The person seeking to introduce an electronic document in any legal proceeding has
the burden of proving its authenticity in the manner provided in this Rule (Rule 5,
Section 1).
Before any private electronic document offered as authentic is received in
evidence, its authenticity must be proved by one of the following means:
a. by evidence that it had been digitally signed by the person purported to have
signed the same;
b. by evidence that other appropriate security procedures or devices as may be
authorized by the Supreme Court or by law for authentication of electronic
documents were applied to the document; or
c. by other evidence showing its integrity and reliability to the satisfaction of the
judge.
A document electronically notarized in accordance with the rules promulgated by
the Supreme Court shall be considered a public document and proved as a notarial
document under the Rules of Court (Rule 5, Section 3).
ELECTRONIC SIGNATURES
An electronic signature or digital signature authenticated in the manner prescribed
herein is admissible in evidence as the functional equivalent of a person's signature
on a written document (Rule 6, Section 1).
Authentication
An electronic signature may be authenticated in any of the following manners:
a. By evidence that a method or process was utilized to establish a digital
signature and verify the same;
b. By any other means provided by law; or
c. By any other means satisfactory to the judge as establishing the genuineness
of the electronic signature.
Disputable presumptions relating to electronic signatures
When an electronic signature is authenticated, it is presumed that:
a. The electronic signature is that of the person to whom it corresponds;
b. The electronic signature was affixed by that person with the intent of
authenticating or approving the electronic document to which it is related, or to
indicate such person's consent to the transaction embodied therein; and
c. The methods or processes used to affix or verify the electronic signature
operated without the presence of the person to whom it corresponds.

Disputable Presumptions Relating To Digital Signatures
In addition to those listed in the immediately preceding section, when a digital
signature is authenticated, it is presumed that:
a. The information contained in the certificate is correct;
b. The digital signature was created during the certificate's operational period;
c. No cause exists to render the certificate invalid or revocable;
d. The message associated with the digital signature has not been altered since
it was signed; and
e. The certificate was issued by the certification authority indicated therein.

EVIDENTIARY WEIGHT OF ELECTRONIC DOCUMENTS
Factors for Assessing Evidentiary Weight
In assessing the evidentiary weight of an electronic document, the following factors
may be considered:
a. The reliability of the manner or method in which it was generated, stored, or
communicated, in light of all the circumstances and any applicable agreement,
including but not limited to input and output procedures, controls, tests, and
checks for the accuracy and reliability of the electronic data message or
document;
b. The reliability of the method used to identify the source of the information;
c. The integrity of the information and communication system in which it is
recorded or stored, including but not limited to the hardware and computer
programs or software used, as well as programming errors;
d. The familiarity of the witness or the person who made the entry with the
communication and information system;
e. The nature and quality of the information that passed through the
communication and information system on which the electronic data message
or electronic document was based; or
f. Any other factors the court may consider as affecting the authenticity or
credibility of the electronic data message or electronic document.
Integrity of an Information and Communication System
In any dispute about the integrity of the information and communication system in
which an electronic document or electronic data message is recorded or stored, the
court may consider the following factors, among others:
a. Whether the information and communication system, or any comparable
system, was operated in a manner that did not affect the integrity of the
electronic document, and whether there are other reasonable grounds to doubt
the system's integrity;
b. Whether the electronic document was recorded or stored by a party to the
proceedings with an interest adverse to that of the party using it; or
c. Whether the electronic document was recorded or stored in the ordinary
course of business.
BUSINESS RECORDS AS EXCEPTION TO THE HEARSAY RULE
Inapplicability of the Hearsay Rule
A memorandum, report, record, or data compilation of acts, events, conditions,
opinions, or diagnoses, made by electronic, optical, or other similar means at or near
the time of, or from transmission or supply of information by, a person with
knowledge thereof, and kept in the regular course or conduct of a business activity,
where it was the regular practice to make such a memorandum, report, record, or
data compilation by electronic, optical, or similar means, is excepted from the
hearsay rule when all of this is shown by the testimony of the custodian or other
qualified witnesses.
Overcoming the Presumption
Evidence of the untrustworthiness of the source of knowledge, or the process
or circumstances of its preparation, delivery, or storage, will override the assumption
set forth in Section 1 of this Rule.
METHOD OF PROOF (Rule 9)
Affidavit Evidence
The admissibility and evidentiary weight of an electronic document may be
established by an affidavit stating facts of direct personal knowledge of the affiant or
based on authentic records. The affiant's competence to testify on the matters
contained in the affidavit must be shown affirmatively in the affidavit.
Cross-Examination of Deponent
The affiant shall be made to affirm the contents of the affidavit in open court and
may be cross-examined as a matter of right by the adverse party.
EXAMINATION OF WITNESSES (Rule 10)
Section 1. Electronic testimony
After summarily hearing the parties pursuant to Rule 9 of these Rules, the court
may allow the presentation of testimonial evidence by electronic means. Before
allowing any such presentation, the court must decide whether it is necessary and
impose any terms and conditions that may be required under the circumstances,
including the protection of the rights of the parties and witnesses.
Transcript of Electronic Testimony
When a witness is examined electronically, the entire proceedings, including the
questions and answers, must be transcribed by a stenographer, stenotypist, or other
certified recorder, who must certify the transcript as correct. The transcript should
indicate whether the proceedings were electronically recorded in their entirety or in
part.

Storage of Electronic Evidence
The electronic evidence and recording thereof, as well as the stenographic notes,
shall form part of the record of the case. Such transcript and recordings shall be
deemed prima facie evidence of such proceedings.
AUDIO, PHOTOGRAPHIC, VIDEO, AND EPHEMERAL EVIDENCE (Rule 11)
Audio, Video and Similar Evidence
Audio, photographic, and video evidence of events, acts, or transactions is
admissible provided it is shown, presented, or displayed to the court and is
identified, explained, or authenticated by the person who made the recording or by
any other person competent to testify on its authenticity.
Ephemeral Electronic Communications
Ephemeral electronic communications must be proven by the testimony of a person
who was a party to them or who has personal knowledge of them. In the absence or
unavailability of such witnesses, other competent evidence may be admitted.
The immediately preceding paragraph applies to any recording of a telephone
conversation or ephemeral electronic communication. If the foregoing
communications are recorded or embodied in an electronic document, the provisions
of Rule 5 apply.
