SAL Foundation College


MAIN Campus
Making, Parang, Maguindanao
[email protected]
---------------------------------------------------------------------------------------------------------------------
First Semester in A.Y. 2024-2025

SEMI-FINAL MODULE

COURSE NO: CDI 9

DESCRIPTIVE TITLE: Introduction to Cybercrime and Environmental Laws and Protection
INSTRUCTOR: MARIA THERESA C. KASUYO, MSCRIM., RCRIM., MPA

TOPICS:
 Digital Forensics
 Historical Background of Digital Forensics
 DEVELOPMENT OF FORENSIC TOOLS

DIGITAL FORENSICS
Digital forensics, also known as digital forensic science, is a branch of forensic
science that deals with the recovery and analysis of information stored on digital
devices, usually in the context of cybercrime (Reith, M. et al., 2002). The term digital
forensics was first used as a synonym for electronic forensics, but it has since expanded to
cover the investigation of all devices capable of storing digital data (Carrier, B., 2001). The
discipline grew in a haphazard way during the 1990s, with roots in the personal computer
revolution of the late 1970s and early 1980s, and national policies did not emerge until the
early twenty-first century.
Digital forensics investigations have a number of uses. The most common is to support or
refute a hypothesis before criminal or civil courts. Criminal cases involve the alleged
violation of laws defined by legislation, enforced by the police and prosecuted by the state,
such as murder, robbery and assault against the person. Civil cases, on the other hand,
deal with protecting the rights and property of individuals (often related to family
disputes), but may also concern contractual disputes between private entities, where a
form of digital forensics called electronic discovery may be involved.
In addition to identifying direct evidence of a crime, digital forensics may be used to
attribute evidence to specific suspects, confirm alibis or statements, assess motive, identify
sources (as in copyright cases), or authenticate documents (Various, 2009). Investigations
are far broader in scope than most other types of forensic examination (where the usual
goal is to answer a set of simpler questions), and often involve complex timelines or
hypotheses (Carrier, 2006).
HISTORICAL BACKGROUND
1978, Florida
The first electronic crimes were recognized in the 1978 Florida Computer Crimes
Act, which contained laws against the unauthorized modification or deletion of data on a
computer system. Over the following years, the number of computer crimes committed
grew, and legislation was passed to address copyright and privacy/harassment concerns
such as cyberbullying, happy slapping, cyber hacking, online predators, and child
pornography (Casey, E., 2004).
1980s
Federal statutes began to include cyber offences (Phillip, A. et al., 2009).
Canada was the first country to pass legislation, in 1983. The US Federal Computer Fraud
and Abuse Act followed in 1986, then Australian amendments to its criminal laws in 1989,
and the British Computer Misuse Act in 1990 (Casey, E., 2004).
1980s-1990s
Specialist departments were formed to handle the technical aspects of
investigations.
In 1984, the FBI formed a Data Analysis and Response Team, and the British
Metropolitan Police fraud squad established a computer crime section the following year.
Many of the early members of these groups were not only law enforcement officers but
also technology hobbyists, who were responsible for the field's initial research and
direction (Mohay, G., 2003).

Cliff Stoll's investigation of hacker Markus Hess in 1986 was one of the first practical,
or at least well-publicized, cases of digital forensics (Sommer, P., 2004).
The term "computer forensics" did not appear in scholarly literature until 1992 (though it
had been in informal use before then); Collier and Spaul attempted to justify this new
discipline to the forensic science community in a paper published in 1992 (Reith, M., et al.,
2002).
Since the late 1990s, mobile devices have become more widely available, moving beyond
simple communication devices and proving to be rich sources of data, including for crimes
not traditionally associated with digital forensics (SG Punja, 2008). Despite this, because
of the proprietary design of these devices, forensic analysis of phones has lagged behind
that of conventional computing media. Throughout the 1990s, there was strong demand
for these new and essential investigative services. The pressure on central units
contributed to the formation of state and even local-level groups to better share the
burden.
2000s
2001
To build a nationwide cybercrime capability, the British National Hi-Tech Crime Unit
was formed, with personnel both centrally based in London and within the various regional
police forces. In 2006, the unit was absorbed by the Serious Organized Crime Agency
(SOCA).
The ad-hoc tools and techniques created by these hobbyist practitioners during this
period gave rise to the science of digital forensics. This contrasts with other forensic
disciplines, which were built on the back of contemporary research.
2002
In addition, several agencies and associations have released digital forensics
standards. The Scientific Working Group on Digital Evidence (SWGDE) published a report
titled "Best practices for Computer Forensics".
2004
The European-led International Treaty on Cybercrime came into effect, with
the aim of harmonizing national laws on computer crime, forensic procedures, and
international cooperation. The treaty has been signed by 43 countries (including the
United States, Canada, Japan, South Africa, the United Kingdom, and other European
nations) and ratified by 16 (Eoghan, C., 2004).
2005
The ISO standard ISO 17025, General requirements for the competence of testing
and calibration laboratories, was published.

2009
A paper by Peterson and Shenoi, "Digital Forensic Research: The Good, the
Bad and the Unaddressed", identified a bias against Windows operating systems in
digital forensics research (Peterson, G. and Shenoi, S., 2009).
2010
A February 2010 report by the United States Joint Forces Command
concluded:
Through cyberspace, enemies will target industry, academia, government, as
well as the military in the air, land, maritime, and space domains. In much the same
way that air power transformed the battlefield of World War II, cyberspace has
fractured the physical barriers that shield a nation from attacks on its commerce and
communication.

DEVELOPMENT OF FORENSIC TOOLS

During the 1980s very few specialized digital forensic tools existed, and
investigators therefore mostly performed live analysis on media, examining computers
from within the operating system using existing tools to extract evidence.
This practice carried the risk of modifying data on the disk, either accidentally or
otherwise, which led to accusations of evidence tampering. A number of tools
were developed during the early 1990s to address the problem.
The need for such software was first recognized in 1989 at the Federal Law
Enforcement Training Center, resulting in the development of IMDUMP by Michael White
(Mohay, G., 2003), and in 1990, SafeBack, developed by Sydex (Fatah, A. and Higgins, K.,
1999).
Similar software was developed in other countries; DIBS (a hardware and software
solution) was launched commercially in the UK in 1991, and Rob McKemmish released
Fixed Disk Image free to Australian law enforcement (Mohay, G., 2003). These tools
allowed examiners to produce an exact copy of a piece of digital media to work on,
leaving the original disk intact for verification.
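As an added illustration of what these imaging tools do (example code written for this module, not taken from IMDUMP, SafeBack or any other tool named above): the script copies a source medium bit for bit, opens the source read-only so the original is never written to, and hashes both source and image so the copy can be verified later. All file paths are assumed, and a constructed temporary file stands in for the original disk.

```python
import hashlib
import os
import tempfile

CHUNK = 1024 * 1024  # read and write in 1 MiB blocks so large media need not fit in memory


def sha256_file(path):
    """Return the SHA-256 hex digest of a file, hashed in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def image_media(source, image_path):
    """Copy `source` bit for bit to `image_path`.

    The source is opened read-only and only the image is written to; a hardware
    write-blocker would normally enforce the same guarantee below the OS.
    Returns (hash of source as it was read, hash of the written image).
    """
    src_hash = hashlib.sha256()
    with open(source, "rb") as src, open(image_path, "wb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            src_hash.update(block)
            dst.write(block)
    return src_hash.hexdigest(), sha256_file(image_path)


def verify_image(source, image_path):
    """True only if the image is still byte-identical to the original medium."""
    return sha256_file(source) == sha256_file(image_path)


def demo():
    """Image a constructed sample medium, verify it, then show a modified image failing."""
    workdir = tempfile.mkdtemp()
    media = os.path.join(workdir, "evidence_media.bin")   # stands in for the original disk
    image = os.path.join(workdir, "evidence_media.dd")    # the working copy
    with open(media, "wb") as f:
        f.write(bytes(range(256)) * 4096)  # 1 MiB of constructed, non-sensitive data
    src_hash, img_hash = image_media(media, image)
    verified = verify_image(media, image)
    # The examiner works on the copy; simulate an accidental write to the image.
    with open(image, "r+b") as f:
        f.write(b"X")
    still_verified = verify_image(media, image)
    # Known-answer check for the hash routine: SHA-256("abc") is a published test vector.
    kat = os.path.join(workdir, "abc.bin")
    with open(kat, "wb") as f:
        f.write(b"abc")
    return {
        "hashes_match": src_hash == img_hash,
        "verified": verified,
        "verified_after_modification": still_verified,
        "abc_sha256": sha256_file(kat),
    }


if __name__ == "__main__":
    print(demo())
```

Recording the source hash at acquisition time is what later lets an examiner prove the image presented in court is the same data that was on the original medium.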
By the end of the 1990s, as demand for digital evidence grew, more advanced
commercial tools such as EnCase and FTK were developed, allowing analysts to examine
copies of media without using any live forensics (Eoghan, C., 2004). More recently, a
trend towards "live memory forensics" has grown, resulting in the availability of tools
such as WindowsSCOPE.
BRANCHES OF DIGITAL FORENSICS
Digital forensics investigation is not restricted to collecting data from computers
alone, since offenders violate laws using small digital devices (e.g. laptops,
smartphones, flash drives) that are now in widespread use. Some of these devices have
volatile memory and some have non-volatile memory.
Sufficient methodologies are available to retrieve data from volatile memory;
however, there is a lack of comprehensive methodology or framework for data retrieval
from non-volatile memory sources (Wayne, J., 2004). Depending on the type of
computers, media or objects involved, digital forensics investigation is divided into
different branches.
1. COMPUTER FORENSICS
Computer forensics is concerned with determining the actual state of a digital
artifact, such as a computer, storage medium, or electronic document (Yasinsac, A., et al.,
2003). Computers, embedded systems (digital devices with limited computing capacity and
on-board memory), and static memory (such as USB pen drives) all fall within this
discipline. Computer forensics can handle a wide variety of data, from logs (such as
internet history) to the individual files on the hard drive.
2. MOBILE DEVICE FORENSICS
Mobile device forensics, a sub-branch of digital forensics, deals with the recovery of
digital evidence or data from a mobile device. It differs from computer forensics in that
handheld devices have built-in communication systems and, in most cases, proprietary
storage mechanisms. Rather than in-depth recovery of deleted data, investigations
typically focus on basic data such as call records and communications (SMS/e-mail)
(Eoghan, C., 2004). Mobile devices may also provide location data, either through built-in
GPS/location tracking or through cell site logs, which record the devices within their
range.
3. NETWORK FORENSICS
Network forensics is concerned with the monitoring and analysis of computer network
traffic, both local and WAN/internet, for the purposes of gathering intelligence, collecting
evidence, or detecting intrusions (Palmer, G., 2001). In most cases, traffic is captured at
the packet level and either stored for later analysis or filtered in real time. Network data is
volatile and seldom logged, which makes the discipline more reactive than other branches.
4. FORENSIC DATA ANALYSIS
Forensic data analysis is a branch of digital forensics. It examines structured data with
the aim of discovering and analyzing patterns of fraudulent activity resulting from financial
crime.
5. DATABASE FORENSICS
Database forensics is a branch of digital forensics that deals with the investigation of
databases and their metadata (Olivier M., 2009). To build a timeline or recover relevant
records, investigators use database contents, log files, and in-RAM data.

LEARNING ASSESSMENT

Instruction: Read carefully and answer the following questions. Observe correct spelling
and grammar.
1. Briefly discuss the law enforcement response to and electronic evidence.
__________________________________________________________________
_________________________________________________________________.
2. Explain in three sentences why it is called electronic evidence.
__________________________________________________________________
_________________________________________________________________.
3. Make a one paragraph discussion on Digital Forensics.
__________________________________________________________________
__________________________________________________________________.

CYBERCRIME INVESTIGATION

CYBERCRIME INVESTIGATION is the process of investigating, analyzing and recovering
vital forensic digital data from the networks involved in the attack (this may be the Internet
and/or a local network) in order to identify the perpetrators of the digital crime and their
true intentions.
CYBERCRIME INVESTIGATOR
A computer crime investigator investigates a variety of crimes, ranging from
recovering file systems on computers that have been compromised or destroyed to
investigating crimes against children. In addition, computer crime analysts recover
data from devices that can be used in solving crimes. Once the vital electronic evidence is
collected, computer crime analysts write reports that can then be used in court. Computer
crime investigators must also be prepared to testify in court (Shinder, L. and Cross, M.,
2008).

CYBERCRIME INVESTIGATORS' COMPETENCIES AND QUALIFICATIONS

Cybercrime investigators should be as familiar with the inner workings of computers
and the programs that run on them as a homicide detective is with basic human
pathology. This includes understanding the role of each hardware component that makes
up a device, as well as how these components communicate with one another.
It would be impossible for an investigator to conduct a comprehensive inquiry in a
foreign country whose native language he or she does not know, because if the
investigator does not understand the evidence being collected, many clues will be missed.
Likewise, a cybercrime investigator needs a basic understanding of the "language" that
computers use to interpret and work with data. While an investigator may not be able to
speak every human language encountered in the field, it is useful to at least be able to
identify which language a piece of written information is in, since this evidence may be
relevant and identifying the language will help the investigator find someone who can
interpret it. Similarly, while a cybercrime investigator is not expected to be able to program
in binary, it helps to understand the meaning of data in binary or hexadecimal form and
when it can or cannot be useful as evidence. A good cybercrime investigator knows the
most popular operating systems and how their file systems organize files on disk (Shinder,
L. and Cross, M., 2008).

WHO CONDUCTS CYBERCRIME INVESTIGATIONS?

CRIMINAL JUSTICE AGENCIES
Criminal justice agencies are in charge of cybercrime awareness campaigns,
as well as the detection, monitoring, and prosecution of digital criminals. Depending on the
country, a single criminal justice agency may handle all cybercrime incidents. In the
United States, for example, the FBI, US Secret Service, Online Crime Complaint Center,
US Postal Inspection Service, or the Federal Trade Commission can investigate a cyber
crime, depending on the circumstances. In other nations, such as Spain, the national
police and civil guard are in charge of the whole process, regardless of the kind of
cybercrime being prosecuted.
NATIONAL SECURITY AGENCIES
This often varies from one nation to another, but this type of agency normally
investigates cybercrime that is directly linked to the agency itself.
An intelligence agency, for example, should be responsible for investigating
cybercrimes that have some connection to its organization, such as its networks, staff or
data, or that have been carried out by intelligence actors.
Another good example in the United States is the military, which performs its own
investigations into cybercrime using specialized internal personnel instead of relying on
federal agencies.

PRIVATE SECURITY AGENCIES

In the fight against cybercrime, particularly during the investigation process, private
security agencies are also essential. Although governments and national agencies
manage their own networks, servers and software, these make up just a small fraction of
the vast infrastructure and code that private businesses, programs, organizations and
individuals around the world operate.
With this in mind, it is not surprising that when it comes to preventing, tracking,
mitigating and prosecuting every form of cybercrime against networks, systems or
data operating on third-party private data centers, networks, servers or simple home-based
computers, private cyber security specialists, testing firms and blue teams play a critical
role. There are no limits to the broad scope of cybercrime investigated by private entities,
including, but not limited to, hacking, cracking, dissemination of viruses and malware,
DDoS attacks, internet fraud, identity theft and social engineering.

CYBERCRIME INVESTIGATION TECHNIQUES

While procedures vary based on the nature of the cybercrime being prosecuted and
who is leading the investigation, most cybercrime investigations rely on certain common
techniques during the investigation process.
Background Check
When dealing with the original report on cybercrime, creating and defining the
background of the crime with proven facts would assist authorities in establishing a
starting point to determine what they are up against and how much documentation they
have.
Information Gathering
One of the most critical tasks for any cybersecurity researcher is to collect as much
information as possible about the incident. Was it a computer-assisted assault or a
human-targeted crime? Is it possible that this attack will take place? What is the impact
and what is the scope? Is it possible for everyone, even those with special abilities, to
carry out this attack? Who are the most likely suspects? Have there been any digital
offenses committed? Where will the proof be discovered? Should we have access to
specific evidence sources?
These and other issues are valuable considerations throughout the process of collecting
information.
To gather evidence of cybercrime, several provincial and national agencies use interviews
and surveillance reports. Surveillance includes not only security cameras, videos and
photographs, but also surveillance of electronic devices detailing what is being used and
where, how it is being used, and all the digital activity involved.
Configuring a honeypot that will serve as a victim while gathering information that can later
be used against attacks is one of the most common ways to gather data from
cybercriminals.
Tracking And Identifying The Authors
Depending on how much data is already in hand, this next step is often done during
the information-gathering process.
Both private and public security agencies also collaborate with ISPs and
networking firms to collect useful log data about their connections, as well as historical
activity, websites and protocols used during the time they were connected, in order to
locate the perpetrators behind the cyber attack.
Because it requires legal approval from prosecutors and a court order to obtain the
required data, this is always the slowest step.
Digital Forensics
When ample data on the cybercrime has been obtained by investigators, it is time to
analyze the digital systems that were affected or those that are believed to have been
involved in the origin of the attack. This step includes analyzing raw data, hard drives, file
systems, caching devices, RAM, and more from the network involved. Once the
forensic work begins, the participating investigator can follow all the paths involved,
searching for traces in device archives, network and service logs, e-mails, web
browsing history, etc.

ELECTRONIC DEVICES: TYPES AND POTENTIAL EVIDENCE


In several of the latest types of mobile devices available to today's customers,
electronic proof can be found. This section shows a broad range of types of electronic
devices typically used in scenes of crime, provides a general overview of each type of
device, and discusses its typical uses. In addition, the possible proof that can be found in
each equipment type is provided.
1. COMPUTER SYSTEMS
Description:
Usually, a computer system consists of a main base unit, often referred to as a
central processing unit, data storage devices, a monitor, a keyboard, and a mouse. It can
be a standalone system or it can be connected to a network. Computer systems exist in
many forms, such as notebooks, desktops, tower systems, modular rack-mounted systems,
minicomputers, and mainframe computers.
Additional components include modems, printers, scanners, docking stations and
external data storage devices. A laptop, for example, is a computer consisting of a case,
motherboard, CPU, and data storage, with an external keyboard and mouse.
Primary Uses: For all forms of computing functions and storage of information, including
word processing, calculations, graphics, and communications.
Potential Evidence: Evidence is most commonly found in files stored on hard drives and
other storage devices and media.
Examples are:
USER-CREATED FILES
User-created files can contain substantial evidence of criminal activity, such as
address books and database files that can show criminal association, still or moving
images that can be evidence of pedophile activity, and criminal correspondence, such as
e-mail or letters. Drug dealing lists can often be found in spreadsheets.

 Address books
 E-mail files
 Audio/video files
 Image/graphics files
 Calendars
 Internet bookmarks/favorites
 Database files
 Spreadsheet files
 Documents or text files
USER-PROTECTED FILES
In a number of ways, users have the ability to hide evidence. They can, for
instance, encrypt or password-protect information that is important to them. They can also
hide files on a hard disk or inside other files or, under an innocuous name, intentionally
hide incriminating proof files.
 Compressed files.
 Misnamed files.
 Encrypted files.
 Password-protected files.
 Hidden files.
 Steganography.
Proof can also be found in files and other data areas created as a routine function
of the computer's operating system. In certain cases, the user is not aware that data is
being written in these areas. Passwords, Internet behavior, and temporary backup files are
some examples of data that can also be recovered and analyzed.
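To illustrate the misnamed-file entry in the user-protected files list above (an added example written for this module, not from any cited source): a file signature check compares the leading bytes of each file against known format signatures and flags files whose extension disagrees with their actual content. The directory and sample files are constructed in a temporary folder.

```python
import os
import tempfile

# Well-known file signatures ("magic bytes") and the format each implies.
SIGNATURES = {
    b"\xFF\xD8\xFF": "jpg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"%PDF-": "pdf",
    b"PK\x03\x04": "zip",   # also the container for docx/xlsx/pptx/jar
    b"GIF87a": "gif",
    b"GIF89a": "gif",
}

# Extensions that legitimately share a container format, so they are not "misnamed".
EQUIVALENT = {
    "jpg": {"jpg", "jpeg"},
    "png": {"png"},
    "pdf": {"pdf"},
    "zip": {"zip", "docx", "xlsx", "pptx", "jar"},
    "gif": {"gif"},
}


def identify(path):
    """Return the format implied by the file's leading bytes, or None if unknown."""
    with open(path, "rb") as f:
        head = f.read(16)
    for magic, kind in SIGNATURES.items():
        if head.startswith(magic):
            return kind
    return None


def check_name(path):
    """Return (detected format, claimed extension, mismatch flag) for one file."""
    kind = identify(path)
    ext = os.path.splitext(path)[1].lstrip(".").lower()
    if kind is None:
        return None, ext, False          # unknown signature: report, but do not flag
    return kind, ext, ext not in EQUIVALENT[kind]


def scan_dir(directory):
    """List (name, claimed extension, detected format) for files whose content and name disagree."""
    flagged = []
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if os.path.isfile(path):
            kind, ext, mismatch = check_name(path)
            if mismatch:
                flagged.append((name, ext, kind))
    return flagged


def demo():
    """Build a constructed sample directory and scan it; one JPEG is disguised as .txt."""
    workdir = tempfile.mkdtemp()
    samples = {
        "holiday.jpg": b"\xFF\xD8\xFF\xE0" + b"\x00" * 32,
        "notes.txt": b"\xFF\xD8\xFF\xE0" + b"\x00" * 32,   # image renamed to look like text
        "budget.xlsx": b"PK\x03\x04" + b"\x00" * 32,
        "report.pdf": b"%PDF-1.4\n",
        "readme.txt": b"plain text\n",
    }
    for name, data in samples.items():
        with open(os.path.join(workdir, name), "wb") as f:
            f.write(data)
    return scan_dir(workdir)


if __name__ == "__main__":
    print(demo())
```

A signature check only exposes renamed files; encrypted, compressed or steganographic content needs other techniques, and a file with no recognizable signature is reported as unknown rather than misnamed.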
NOTE:
File components, including date and time of creation, modification, deletion and
access, user name or identification, and file attributes, can have evidentiary value. Even
turning on the machine can change some of this information.
COMPUTER-CREATED FILES
 Backup files.
 Log files.
 Configuration files.
 Printer spool files.
 Cookies.
 Swap files.
 Hidden files.
 System files.
 History files.
 Temporary files.
OTHER DATA AREAS
 Bad clusters
 Computer date, time, and password.
 Deleted files.
 Free space.
 Hidden partitions.
 Lost clusters.
 Metadata.
 Other partitions.
 Reserved areas
 Slack space.
 Software registration information.
 System areas
 Unallocated space.

CENTRAL PROCESSING UNITS (CPUS)

Description:
A microprocessor located inside the computer, also called the "chip". The
microprocessor is mounted on a printed circuit board with other electronic components
inside the main computer case.
Primary Uses:
Performs all arithmetic and logical functions in the computer and controls the
operation of the computer.
Potential Evidence:
The device itself may be evidence of component theft, counterfeiting, or
remarking.

MEMORY
Description:
Removable circuit board(s) within the computer. Information stored here is normally
not retained when the machine is shut off.
Primary Uses:
Stores user's programs and data while computer is in operation.
Potential Evidence:
The device itself may be evidence of component theft, counterfeiting, or remarking.

ACCESS CONTROL DEVICES


Smart Cards, Dongles, Biometric Scanners
Description:
A smart card is a small handheld device containing a microprocessor that can store
a monetary value, an encryption key or a password, a digital certificate or other
information. A dongle is a small device that connects to a computer port and contains
data of a similar kind to that on a smart card. A biometric scanner is a device linked to a
computer system that recognizes an individual's physical characteristics (e.g., fingerprint,
voice, retina).
Primary Uses:
Provides access control to computers or programs or functions as an encryption
key.
Potential Evidence:
Identification/authentication information of the card and the user, level of access,
configurations, permissions, and the device itself.

Answering Machines
Description:
An electronic device that is part of a telephone or connected between a telephone
and the landline connection. Some models use a magnetic tape or tapes, while others use
an electronic (digital) recording system.
Primary Uses:
Records caller voice messages when the caller is unavailable or decides not to
respond to a telephone call. Typically, before recording the message, a message from the
calling party is played.
Potential Evidence:
Answering machines can store voice messages and, in some cases, time and date
information about when the message was left. They may also contain other voice
recordings.
 Caller identification information.
 Deleted messages.
 Last number called.
 Memo.
 Phone numbers and names.
 Tapes.
Digital Cameras
Description:
The camera is a digital image and video recording system with associated storage
media and conversion hardware capable of converting images and video to computer
media.
Primary Uses:
Digital cameras record pictures and/or video in a digital format that is easily
transferred to computer storage devices for viewing and/or editing.
Potential Evidence:
 Images.
 Time and date stamp.
 Removable cartridges.
 Video.
 Sound.
Handheld Devices (Personal Digital Assistants [PDAs], Electronic Organizers)

Description:
A personal digital assistant (PDA) is a small device that can provide computing,
telephone/fax, paging, networking, and other features. Normally, it is used as a personal
organizer. A portable machine exceeds a desktop computer system's maximum
functionality. Some contain PC card slots that can hold a modem, hard drive, or other
device, but some do not contain disk drives. They generally have the ability to synchronize
their data with other computer systems, most often via a cradle connection.
If a cradle is present, try to locate the associated handheld device.
Primary Uses:
Handheld computing, storage, and communication devices capable of storage of
information.
Potential Evidence:
 Address book.
 Appointment calendars/information.
 Documents.
 E-mail.
 Handwriting.
 Password.
 Phone book.
 Text messages.
 Voice messages.

Hard Drives
Description:
A sealed box containing rigid platters (disks) coated with a material capable of
magnetically storing data. It can be found inside the PC or externally in a standalone case.
Primary Uses:
Storage of information such as computer programs, text, pictures, video,
multimedia files, etc.
Potential Evidence:
See potential evidence under computer systems.
Memory Cards
Description:
Removable electronic storage devices which do not lose information when power is
removed from the card. Recovery of deleted images from memory cards may also be
possible. Memory cards the size of a credit card can store hundreds of pictures. They are
used on a wide range of devices, such as laptops, digital cameras and PDAs. Memory
sticks, smart cards, flash memory and flash cards are examples.
Primary Uses:
Provides additional, removable methods of storing and transporting information.
Potential Evidence:
See potential evidence under computer systems.
Modems
Description:
Modems, internal and external (analog, DSL, ISDN, cable), wireless modems, PC
cards.
Primary Uses:
A modem is used to facilitate electronic communication by allowing a computer to
access other computers and/or networks through telephone, wireless or other means of
communication.
Potential Evidence:
The device itself.
Network
Local Area Network (LAN) Card or Network Interface Card (NIC)
Description:
Network cards, associated cables. Network cards also can be wireless.
Primary Uses:
A LAN/NIC card is used to connect computers. Cards allow for the exchange of
information and resource sharing.
Potential Evidence:
The device itself, and its MAC (media access control) address.
Routers, Hubs, and Switches
Description:
Routers, switches, and hubs are electronic devices used in networked computer
systems. They provide a means of linking various computers or networks. The existence
of several cable connections will often identify them.
Primary Uses:
Equipment used to distribute and facilitate the distribution of data through networks.
Potential Evidence:
The devices themselves. Also, for routers, configuration files.


Servers
Description:
A server is a device that provides other computers that are linked to it over a
network with some operation. As a server, any device, even a laptop, may be configured.
Primary Uses:
Provides shared resources such as e-mail, file storage, Web page services, and
print services for a network.
Potential Evidence:
See potential evidence under computer systems.

Printers
Potential Evidence:
 Ink cartridges.
 Network identity/information.
 Superimposed images on the roller.
 Time and date stamp.
Scanners
Description:
An optical device connected to a computer, which passes a document past a
scanning device (or vice versa) and sends it to the computer as a file.
Primary Uses:
Converts documents, pictures, etc., to electronic files, which can then be viewed,
manipulated, or transmitted on a computer.
Potential Evidence:
The device itself may be evidence. Having the capability to scan may help prove
illegal activity (e.g., child pornography, check fraud, counterfeiting, identity theft). In
addition, imperfections such as marks on the glass can allow a scanner used to process
documents to be uniquely identified.

Telephones
Description:
A handset that is either on its own (like mobile phones) or a remote base station
(wireless) or directly connected to a landline device. It draws power from the internal
battery, the electrical plug-in, or the telephone device directly.
Primary Uses:
Two-way communication from one instrument to another using land lines, radio
transmission, cellular networks, or a combination. Phones are capable of retrieving
information.
Potential Evidence:
Many telephones can store names, phone numbers, and caller identification
information. In addition, some mobile phones can store appointment information,
receive electronic mail and pages, and may serve as a voice recorder.
 Appointment calendars/information.
 Password.
 Caller identification information.
 Phone book.
 Electronic serial number
 Text messages.
 E-mail.
 Voice mail.
 Memo.
 Web browsers.
Copiers
Some copiers keep records of user access and the history of copies made.
Some multifunction copiers allow documents to be scanned into memory once and
then printed later.
Potential Evidence:
 Documents.
 User usage log.
 Time and date stamp.

Credit Card Skimmers


Credit card skimmers are used to read the details contained in the magnetic strip of
plastic cards.
Potential Evidence:
Cardholder information contained on the tracks of the magnetic stripe includes:
 Card expiration date.
 User's address.
 Credit card numbers.
 User's name.
Digital Watches
Many forms of digital watches are available that can serve as pagers for digital
message storage. Additional information can be kept, such as address books, calendars
for meetings, emails, and notes. Some also have the capacity to synchronize information
with computers.
Potential Evidence:
 Address book.
 Notes.
 Appointment calendars.
 Phone numbers.

 E-mail.

Facsimile Machines
Facsimile (fax) machines can store preprogrammed phone numbers and a history of sent
and received documents. In addition, some contain memory that allows multiple-page
faxes to be scanned and sent at a later time, as well as incoming faxes to be stored in
memory and printed later. Some can store hundreds of pages of incoming and/or outgoing
faxes.
Potential Evidence:
 Documents.
 Phone numbers.
 Film cartridge.
 Send/receive log.
Global Positioning Systems (GPS)
Global Positioning Systems may provide information on prior travel via destination
information, way points, and routes. Some store prior destinations automatically and
provide travel logs.

Potential Evidence:
 Home.
 Way point coordinates.
 Previous destinations.
 Way point name.
 Travel logs.

INVESTIGATIVE TOOLS AND EQUIPMENT


Principle:
Special tools and equipment may be required to collect electronic evidence.
Experience has shown that technological advances may change the tools and equipment
required.
Policy:
There should be access to the tools and equipment needed to document, disconnect,
remove, package, and transport electronic evidence.
Procedure:
Preparations should be made for the procurement of the technologies required for
the processing of electronic evidence. The required tools and equipment are determined by
each aspect of the process: documentation, collection, packaging, and transportation.
Tool Kit
Departments should have general crime scene processing supplies (e.g.,
cameras, notepads, sketchpads, evidence forms, crime scene tape, markers).
Additional items that may be helpful at an electronic crime scene are as follows.
Documentation Tools
 Cable tags.
 Indelible felt tip markers.
 Stick-on labels.
Disassembly and Removal Tools
A variety of nonmagnetic sizes and types of:
 Flat-blade and Phillips-type screwdrivers.
 Hex-nut drivers.
 Needle-nose pliers.
 Secure-bit drivers.
 Small tweezers.
 Specialized screwdrivers (manufacturer-specific, e.g., Compaq, Macintosh).
 Standard pliers.
 Star-type nut drivers.
 Wire cutters.
Package and Transport Supplies
 Antistatic bags.
 Antistatic bubble wrap.
 Cable ties.
 Evidence bags.
 Evidence tape.
 Packing materials (avoid materials that can produce static electricity such as
styrofoam or styrofoam peanuts).
 Packing tape.
 Sturdy boxes of various sizes.
Other Items
Items that also should be included within a department's tool kit are:
 Gloves.
 Hand truck.
 Large rubber bands.
 List of contact telephone numbers for assistance.
 Magnifying glass.
 Printer paper.
 Seizure disk.
 Small flashlight.

LEARNING ACTIVITY

Instruction: Read the questions carefully and answer in your own words. Observe
correct spelling and grammar.
1. Differentiate Cybercrime Investigation from Criminal Investigation.
__________________________________________________________________
________________________________________________________________.

2. Who is a Cybercrime Investigator and how can you be qualified as a Cybercrime
Investigator?
__________________________________________________________________
________________________________________________________________.

3. Make a comprehensive discussion of the Cybercrime Investigation Techniques.


__________________________________________________________________
_________________________________________________________________.

4. What are Electronic Devices and how could they be potential evidence?


__________________________________________________________________
_________________________________________________________________.

SECURING AND EVALUATING THE SCENE

Measures should be taken by the first responder to ensure the safety of all
individuals at the scene and to protect the integrity of all evidence, both conventional and
electronic. All operations should comply with departmental policy and state and local laws.

PROCEDURE:
After securing the scene and all personnel on the scene, the first responder should
visually identify potential evidence, both traditional (physical) and electronic, and
determine whether perishable evidence exists. The first responder should then evaluate
the scene and formulate a search plan.
1. Secure and Evaluate the Scene:
a. Follow the jurisdictional policy to safeguard the crime scene. This will require
ensuring that all individuals from the immediate area from which evidence is to be
obtained are excluded. At this stage in the investigation, do not alter the state of any
electronic system: if it is off, leave it off. If it is on, keep it on.
b. Secure perishable records, physically and electronically. Perishable data can be
found on pagers, caller ID boxes, electronic organizers, mobile phones, and other similar
items. The first responder should always bear in mind that any computer containing
perishable data should be protected, recorded, and/or photographed immediately.
c. Identify telephone lines attached to devices such as caller ID boxes and modems.
Document, disconnect, and label each telephone line from the wall rather than the device,
where feasible. There may also be other communication lines present for LAN/ethernet
connections.
Contact the required personnel/agency in all situations.

2. Conduct Preliminary Interviews:


a. Separate and identify all persons (witnesses, subjects, or others) at the scene
and record their location at the time of entry.
b. Consistent with departmental policy and applicable law, obtain from these
individuals information such as:
1. Owners and/or users of electronic devices found at the scene, as well as
passwords, user names, and Internet service provider.
2. Purpose of the system.
3. Any unique security schemes or destructive devices.
4. Any offsite data storage.
5. Any documentation explaining the hardware or software installed on the
system.

TAKE NOTE:
On keyboards, the computer mouse, CDs, or other components, residual
fingerprints or other physical traces may be preserved. Chemicals used in processing latent
prints may damage equipment and data. Latent prints should therefore be collected after
electronic evidence recovery is complete.
3. Documenting the Scene
Documentation of the scene creates a permanent historical record of the scene.
Documentation is an ongoing process throughout the investigation. It is important to
accurately document the location and condition of computers, storage media, other
electronic devices, and traditional evidence.
PROCEDURE:
The scene should be documented in detail.
1. Initial documentation of the physical scene:
a. Observe and record the physical scene, such as the position of the cursor and
the location of pieces relative to each other (e.g., a mouse on the left side of the
computer may indicate a left-handed user).
b. Document the computer system's condition and position, including the
computer's power status (on, off, or in sleep mode). There are status lights on most
computers that show that the machine is on. Similarly, the machine is presumably
on if fan noise is detected. In addition, if the computer device is warm, it could also
mean that it is on or has recently been switched off.

c. Identify relevant electronic components that will not be collected and document
them.
d. Photograph the entire scene as noted by the first responder to create a visual
record. Where possible, the complete room should be captured with 360 degrees of
coverage.
e. Photograph the front of the computer as well as the monitor screen and other
items. Take written notes on what appears on the monitor screen as well. Active
programs may require videotaping or more extensive documentation of monitor screen
activity.
2. Evidence Collection
A search warrant may include the search for and collection of evidence at an
electronic crime scene.
Computer evidence, like all other evidence, must be handled carefully and in a manner
that preserves its evidentiary value. This applies not only to the physical integrity of an item
or device, but also to the electronic data it holds.

Therefore, some kinds of computer evidence require special collection, packaging, and
transport. Data that may be susceptible to damage or alteration from electromagnetic
fields, such as those produced by static electricity, magnets, radio transmitters, and other
devices, should be identified and protected.
Electronic evidence should be collected according to departmental guidelines. In the
absence of departmental guidance detailing procedures for the processing of electronic
evidence, the following procedures are suggested.
Note:
It is presumed that location and documentation have been completed before the
compilation of evidence. Recognize that there might be other forms of evidence, such as
trace, biological, or latent prints. Destructive methods (e.g., the use of chemical
processing for fingerprints) should also be delayed until the retrieval of electronic evidence is
completed.
Non-Electronic Evidence
In the prosecution of electronic crime, retrieving non-electronic evidence may be
critical. Proper care should be taken to ensure the recovery and preservation of such
evidence. Other items relevant to the subsequent examination of electronic evidence
(e.g., written passwords and other handwritten notes, blank pads of paper with indented
writing, hardware and software manuals, calendars, literature, text or graphic computer
printouts, and photographs) may also be present and should be protected and stored for
future analysis.
Such items are often in close proximity to the computer or associated hardware.
In accordance with departmental policies, all evidence should be located, protected,
and stored.

STAND-ALONE EVIDENCE AND LAPTOP COMPUTER


A computer not connected to a network or another computer is a 'stand-alone'
personal computer. Desktop computers or laptops can be stand-alone. Laptops incorporate
a screen, keyboard, and mouse into a single portable device. Laptops differ from other
devices in that they can be powered by electricity or a battery source. They therefore
require, in addition to stand-alone power-down procedures, the removal of the battery.
If the machine is on, document the current circumstances and call the expert or consultant.
If there is no expert or consultant available, proceed with the following procedure:

Procedure:
a. Document in notes all actions you take and any changes that you observe in the
display, screen, printer, or other peripherals as a result of your actions.
b. Observe the monitor and determine whether it is on, off, or in sleep mode. Then
identify which of the following situations applies and follow the corresponding
steps.
Situation 1: Monitor is on and work product and/or desktop is visible.
1. Photograph screen and record information displayed.
Situation 2: Monitor is on and screen is blank (sleep mode) or screen saver (picture) is
visible.
1. Slightly move the mouse (without pushing buttons). The screen should change and
display work product or request a password.
2. If mouse movement does not cause a change in the screen, DO NOT perform any
other keystrokes or mouse operations.
3. Photograph the screen and record the information displayed.
Situation 3: Monitor is off.
1. Make a note of the status of "off."
2. Switch on the monitor, then decide if the monitor status in either situation 1 or 2 above
is as stated and follow those steps.
3. Remove the power source cable from the computer - NOT from the wall socket -
regardless of the power state of the computer (on, off, or sleep mode). When dealing with
a laptop, remove the battery pack in addition to removing the power cord. The battery is
removed to prevent the device from having any power. Some laptops have a second
battery in the multipurpose bay in place of a floppy drive or CD drive. Check for this
possibility and remove that battery as well.
4. Check for connectivity outside (e.g., telephone modem, cable, ISDN, DSL). Try to locate
the telephone number if a telephone connection is present.
5. Remove any floppy disks that are present, package each disk separately, and mark the
package to prevent harm to possible evidence. Insert either a seizure disk or a blank floppy
disk, if appropriate. Do NOT remove CDs or touch the CD drive.
6. Put tape over all the slots of the drive and over the power connector.
7. Record make, model, and serial numbers.
8. Photograph and diagram the connections of the device and the related cables.
9. Mark all connectors and cable ends (including peripheral system connections) in order
to enable precise reassembly at a later time. Mark unused communication ports as
"unused." Identify laptop computer docking stations in an attempt to identify other storage
media.
10. According to departmental procedures, record or log facts.
11. Package the components as fragile cargo if transport is necessary.
PACKAGING, TRANSPORTATION, AND STORAGE
Actions taken should not add to, change, or destroy data stored on a computer or other
media. Computers are fragile electronic instruments that are sensitive to temperature,
humidity, physical shock, static electricity, and magnetic sources. Therefore, special
precautions should be taken when packaging, transporting, and storing electronic
evidence. To maintain the chain of custody of electronic evidence, its packaging,
transportation, and storage should be documented.
Ensure that appropriate protocols for the packaging, transport, and storage of
electronic evidence are followed to prevent data modification, loss, physical damage, or
destruction.
PACKAGING PROCEDURE:
1. Ensure that all electronic evidence obtained is properly documented, labeled, and
inventoried prior to packaging.
2. Pay careful attention to latent or trace evidence and take steps to preserve it.
3. Pack magnetic media in antistatic packaging (paper or antistatic plastic bags).
4. Avoid using materials, such as regular plastic bags, that can generate static
electricity.
5. Avoid folding, bending, or scratching computer media.
6. Ensure proper labeling of all containers used to hold evidence.

Note:
When collecting multiple computer systems, mark each system so that it can be
reassembled as found (e.g., System A: mouse, keyboard, monitor, main base unit;
System B: mouse, keyboard, monitor, main base unit).

TRANSPORTATION PROCEDURE:
a. Keep electronic evidence away from magnetic sources. Examples of objects that can
destroy electronic evidence are radio transmitters, speaker magnets, and heated seats.
b. Avoid storing electronic evidence in vehicles for prolonged periods of time. Electronic
evidence may be damaged by conditions of extreme heat, cold, or humidity.
c. To prevent shock and excessive movement, ensure that computers and other
components that are not packaged in containers are secured in the vehicle. Computers can,
for example, be positioned on the vehicle floor, and monitors may be placed with the
screen down on the seat and secured by a seat belt.
d. Maintain the chain of custody on all transported evidence.

STORAGE PROCEDURE:
a. Ensure that evidence is stored in compliance with departmental policies.
b. Store evidence in a secure area away from extremes of temperature and humidity.
Protect it from magnetic sources, moisture, dust, and other harmful particles or
contaminants.
Note:
Be mindful that, as a result of prolonged storage, potential evidence such as dates, times,
and device configurations can be lost. Batteries have a limited life; if they fail, data may
be lost. Appropriate personnel (e.g., evidence custodian, laboratory chief, forensic examiner)
should be informed that a battery-powered device is in need of urgent attention.

HANDLING OF DIGITAL EVIDENCE


Digital evidence is volatile and fragile, and improper handling can alter it.
Because of this volatility and fragility, protocols need to be observed to ensure that data
is not altered during handling. These guidelines outline the steps to be taken when
handling digital evidence.

FOUR PHASES INVOLVED IN THE INITIAL HANDLING OF DIGITAL EVIDENCE


1. Identification
2. Collection
3. Acquisition
4. Preservation

IDENTIFICATION
In the identification phase, preliminary knowledge of the cybercrime case is
collected before digital evidence is gathered. This preliminary information is the same as that
sought during a typical criminal investigation. The investigator seeks to answer the
questions below:
a. Who was involved?
b. What happened?
c. When did the cybercrime occur?
d. Where did the cybercrime occur?
e. How did the cybercrime occur?

The answers to these questions will provide investigators with guidance on how to
proceed with the case.

Cybercrime investigators use many conventional investigation techniques in this
process, particularly with regard to the collection of information and evidence. Victims,
witnesses, and perpetrators of cybercrime, for example, are interviewed to obtain
information and facts regarding the cybercrime being investigated.
In order to locate, investigate, and prosecute cyber criminals, undercover law
enforcement operations have also been performed. Furthermore, cybercrime investigators
have carried out covert surveillance. This tactic is a particularly intrusive tool for gathering
evidence. The use of covert surveillance measures requires a careful balancing of a
suspect's right to privacy against the need to prosecute serious crime. Covert
surveillance laws should fully respect the suspect's rights. International human rights
bodies and courts have made different rulings on the permissibility of covert surveillance
and the requirements for these measures (UNODC, 2010, p. 13). Law enforcement
authorities have also used malware to perform surveillance in order to obtain information
and evidence of cybercrime. For example, in their investigations into online child sexual
exploitation and violence, US law enforcement agencies use network investigative
techniques (NITs), "specially designed exploits or malware" (Finklea, 2017).
The investigator must identify the types of evidence sought before digital evidence
collection begins. Digital evidence can be found on digital devices such as:
a. computers
b. external hard drives
c. flash drives
d. routers
e. smartphones
f. tablets
g. cameras
h. smart televisions
i. internet-enabled home appliances and gaming consoles
j. public resources (social media platforms, websites, and discussion forums)
k. private resources (Internet service providers' logs of user activity; communication
service providers' business records; and cloud storage providers' records of user
activity and content).

COLLECTION
With regard to cybercrime, the scene of the crime is not limited to the physical
location of the digital devices used in the commission of the cybercrime and/or targeted by
the cybercrime.
The cybercrime crime scene also:
1. Includes the digital devices that potentially hold digital evidence, and
2. Spans multiple digital devices, systems, and servers.
When a cybercrime is detected, confirmed, and/or suspected, the crime scene is
secured. The first responder identifies and protects the crime scene from
contamination and preserves volatile evidence by isolating users from all digital devices
located at the crime scene (e.g., holding them in a separate room or location).
Users must not be allowed to operate the digital devices further. In the search and
documentation process, neither the first responder nor the investigator should seek the
assistance of any user. If distinct from the first responder, the investigator searches the
scene of the crime and identifies the evidence. The crime scene is documented before
evidence is collected.
Throughout the entire investigative process, documentation is required (before,
during, and after the evidence has been acquired). Detailed information on the digital
devices collected, including the operating status of the system - on, off, standby mode -
and its physical characteristics, such as make, model, serial number, connections and any
markings or other damage, should be included in this documentation (Casey, 2011;
Sammons, 2012; Maras, 2014; Nelson, Phillips, and Steuart, 2015).
Sketches, photos and/or video records of the crime scene and evidence are often
required to document the scene and evidence, in addition to written notes. (Maras, 2014,
pp. 230-233).
The evidence is obtained by the prosecutor or crime scene technician. The collection
methods differ depending on the type of digital device and the public and private
resources where digital evidence resides (e.g., computers, phones, social media, and cloud).
There are standard operating procedures for law enforcement agencies that outline the
measures to be taken when managing digital evidence on mobile devices and internet-
enabled items such as watches, fitness trackers, home appliances, cloud and social media
sites (Cloud Security Alliance, 2013; Police Service of Scotland, 2018).
A standard operating procedure (SOP) is intended to assist prosecutors by
providing the procedures and sequential actions to be performed in order to prosecute
cybercrime in a way that guarantees that the information obtained is admissible in a court
of law, as well as the instruments and other tools required to perform the investigation.
SOPs usually provide the protocols to be followed during an investigation. Unique
constraints that could be encountered during the investigation should also be identified.
Cybercrime investigators, for example, can encounter numerous digital devices,
operating systems, and complex network configurations that require specialized
expertise, variations in collection procedures, and assistance in identifying connections
between systems and devices (e.g., a network topology).
During an investigation, anti-forensic techniques such as steganography (i.e., the
concealment of data by hiding content so that it is not visible) and encryption (blocking
third-party access to a file, either by using a password or by rendering the file or elements
of the file unreadable) may also be encountered (Conlan, et al., 2016). Therefore, in order
to deal with these limitations, the investigator should be prepared for these conditions and
have the requisite human and technological resources. The actions taken by the
investigator in these situations (e.g., the ability of the investigator to obtain passwords
and/or decrypt such devices), if any, depend on national laws.
Digital forensics tools can aid in this endeavor by, for example, identifying steganography
and decrypting files, as well as performing other important digital forensics tasks.
Examples of such tools include:
1. Forensic Toolkit (FTK)
2. Volatility Framework
3. X-Ways Forensics
A Forensic Toolkit includes the materials needed to record the crime scene, the
tools needed to disassemble equipment and extract other forms of evidence from the
crime scene, and, among other items, the material used to mark and package evidence
(Casey, 2011; Sammons, 2012; Maras, 2014; Nelson, Phillips, and Steuart, 2015).
The actual collection of data involves the preservation of volatile evidence and the
shutting down of digital devices. Collection methods are determined by the operating
state of the digital devices encountered. When a computer is found, for example, and the
device is on, volatile evidence (e.g., temporary data, registry, cache, and network
status and connections, to name a few) is preserved before the device is shut down and
collected (Casey, 2011; Sammons, 2012; Maras, 2014; Nelson, Phillips, and Steuart,
2015). If the system is off, it remains off and is collected (US National Institute of Justice,
2004b; US National Institute of Justice, 2008). There are situations where digital devices
cannot be collected (e.g., because of the size and/or complexity of the systems and/or
their hardware and software configuration, or because essential services are provided by
these systems). In these situations, volatile and non-volatile data are gathered through
special procedures involving live acquisition (SWGDE Capture of Live Systems, 2014).
During an investigation, the type of digital device found can also determine the way digital
evidence is obtained.
Other related objects (e.g. notes and/or notebooks that may contain passwords or
other information on online credentials, telephones, fax machines, printers, routers, etc.)
should also be gathered in addition to digital devices. It is necessary to record the actions
taken by the investigator during the gathering of evidence. Each device should be labeled,
packaged, and transported back to a digital forensics laboratory (along with its connecting
cables and power cords) (US National Institute of Justice; 2004; US National Institute of
Justice, 2008). They are "inventoried, recorded, and secured in a locked room away from
extreme temperatures, humidity, dust, and other possible contaminants" once the items
are transported to the laboratory (Maras, 2014).

ACQUISITION
There are different approaches to performing acquisition. The approach adopted
depends on the digital device type. The procedure for obtaining evidence from a computer
hard drive, for example, differs from the procedure needed for obtaining digital evidence
from mobile devices, such as smartphones.
Unless live acquisition is performed, evidence is extracted from the seized digital
devices at the forensic laboratory (static acquisition). Digital evidence should be
acquired at the forensics laboratory in a way that preserves the integrity of the evidence
(ensuring that the data is unaltered), that is, in a forensically sound manner. To achieve
this, the tools and techniques used to acquire digital evidence must prevent changes to the
data or, when this is not possible, at least minimize them. The instruments and methods
used should be valid and reliable. Before their use, the limitations of these instruments
and techniques should be identified and considered.
The seized digital devices are considered the primary source of evidence. The
digital forensics analyst does not work directly on the primary source. Instead, a duplicate
of the contents of that device is made and the analyst works on the copy. In order to
maintain the integrity of digital evidence, this duplicate copy of the contents of the
digital device (an image) is created before a static acquisition is carried out.
To check that the duplicate is an exact copy of the original, a cryptographic hash value
is calculated for both the original and the duplicate using mathematical computations; if
the two values match, the contents of the copy are a mirror image (duplicate) of the
original material. A write blocker, designed to prevent the alteration of data during the
copying process, should be used before extraction wherever possible. It is important to
remember that the above-mentioned acquisition process applies specifically to computers.
A different method is followed when collecting data from cell phones and similar devices,
where the memory storage cannot be physically removed from the device to create an image.
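As an added example (not code from the module or from any tool it names), the imaging-and-hashing step described above in Python: the source is read once, copied bit for bit and hashed, the finished image is hashed again, and a later verification shows a single altered byte being caught. The "device" is a constructed file and the chunk size is an assumed value; a real acquisition still needs a hardware or software write blocker in front of the original media.

```python
import hashlib
import os
import tempfile

CHUNK_SIZE = 64 * 1024  # read/write granularity; an assumed value, not from the module


def hash_file(path, algorithm="sha256"):
    """Hash a file in fixed-size chunks so a multi-gigabyte image never has to fit in RAM."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK_SIZE), b""):
            h.update(block)
    return h.hexdigest()


def image_source(source_path, image_path, algorithm="sha256"):
    """Create a bit-for-bit image of source_path and prove it with a hash.

    The source is opened read-only and hashed in the same pass that copies it; the
    finished image is then hashed separately. Matching digests show the image is an
    exact duplicate. Opening read-only in software is NOT a write blocker: a hardware
    or OS-level write blocker must still sit between the examiner and the original media.
    Returns a dict with both digests and the verification result.
    """
    h_source = hashlib.new(algorithm)
    with open(source_path, "rb") as src, open(image_path, "wb") as dst:
        for block in iter(lambda: src.read(CHUNK_SIZE), b""):
            h_source.update(block)
            dst.write(block)
    source_digest = h_source.hexdigest()
    image_digest = hash_file(image_path, algorithm)
    return {
        "algorithm": algorithm,
        "source_hash": source_digest,
        "image_hash": image_digest,
        "verified": source_digest == image_digest,
    }


def verify_image(image_path, expected_digest, algorithm="sha256"):
    """Re-hash a stored image (e.g. before analysis or after transport) and compare it
    with the digest recorded at acquisition; a change to a single bit fails this check."""
    return hash_file(image_path, algorithm) == expected_digest


def run_demo():
    """Constructed demonstration: a fake 'device' file is imaged and verified, then one
    byte of a second copy is flipped to show that verification catches the alteration."""
    workdir = tempfile.mkdtemp(prefix="acq_demo_")
    device = os.path.join(workdir, "suspect_device.bin")  # constructed stand-in for a drive
    image = os.path.join(workdir, "suspect_device.dd")
    tampered = os.path.join(workdir, "suspect_device_tampered.dd")

    # Constructed, deterministic content (256 KiB, i.e. several chunks).
    with open(device, "wb") as f:
        f.write(bytes(range(256)) * 1024)

    result = image_source(device, image)

    # Simulate post-acquisition alteration: copy the image and change a single byte.
    with open(image, "rb") as f:
        data = bytearray(f.read())
    data[1000] ^= 0x01
    with open(tampered, "wb") as f:
        f.write(data)

    result["untouched_copy_verified"] = verify_image(image, result["source_hash"])
    result["tampered_copy_verified"] = verify_image(tampered, result["source_hash"])
    return result


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```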
There are two types of extraction performed:
1. Physical Extraction
This involves searching for and collecting evidence from the place inside a digital
system where the evidence physically resides, such as a computer's hard drive (Maras, 2014).
A physical extraction may be conducted by:
a. Keyword Searches (based on terms provided by the investigator),
b. File Carving (searching "based on the header, footer, and other identifiers"), and
c. Examining Unallocated Space (space available on a system because it was
never used or because the information in it was deleted) and partitions, which
separate segments of the hard drive from each other.
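An added example, not from the module: a minimal signature-based file carver and a keyword search over a constructed raw image, illustrating the physical-extraction techniques listed above. The JPEG and PNG signatures are the real ones; the image contents, the size cap and the keyword are constructed assumptions.

```python
# Signature table: (header bytes, footer bytes) per file type. The JPEG and PNG
# signatures are real; the table is limited to the types the constructed image holds.
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
}
MAX_CARVE_SIZE = 1 << 20  # cap for a file whose footer is never found (assumed value)


def keyword_search(image, keywords, encodings=("utf-8", "utf-16-le")):
    """Return every offset at which a keyword occurs, in each encoding tried.
    Trying UTF-16-LE matters: Windows artefacts often store text that way, and a
    plain ASCII search would walk straight past it."""
    hits = []
    for keyword in keywords:
        for encoding in encodings:
            needle = keyword.encode(encoding)
            pos = image.find(needle)
            while pos != -1:
                hits.append({"keyword": keyword, "encoding": encoding, "offset": pos})
                pos = image.find(needle, pos + 1)
    return sorted(hits, key=lambda h: h["offset"])


def carve_files(image, signatures=SIGNATURES, max_size=MAX_CARVE_SIZE):
    """Carve files by header/footer signature, ignoring the file system entirely.
    Because no directory entry is consulted, this recovers files whose entries were
    deleted but whose bytes still sit in unallocated space. A header with no footer
    within max_size is reported as incomplete (possibly partly overwritten)."""
    carved = []
    for ftype, (header, footer) in signatures.items():
        start = image.find(header)
        while start != -1:
            end = image.find(footer, start + len(header), start + max_size)
            if end != -1:
                end += len(footer)
                complete = True
            else:
                end = min(start + max_size, len(image))
                complete = False
            carved.append({"type": ftype, "offset": start, "size": end - start,
                           "complete": complete, "data": image[start:end]})
            # Resume after a complete file; after an incomplete one, look just past
            # its header so a later intact file of the same type is not skipped.
            start = image.find(header, end if complete else start + len(header))
    return sorted(carved, key=lambda f: f["offset"])


def build_sample_image():
    """Constructed raw image: zero-filled 'unallocated' filler around a minimal JPEG,
    a UTF-16-LE file-name fragment, a minimal PNG, and a JPEG whose tail was overwritten."""
    filler = b"\x00" * 64
    jpeg = b"\xff\xd8\xff\xe0JFIF\x00" + b"\x10" * 40 + b"\xff\xd9"          # 51 bytes
    name_fragment = "invoice_victimname.docx".encode("utf-16-le")          # 46 bytes
    png = b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR" + b"\x01" * 17 + b"IEND\xaeB`\x82"  # 41 bytes
    truncated_jpeg = b"\xff\xd8\xff\xe1" + b"\x22" * 30                     # no footer
    return (filler + jpeg + filler + name_fragment + filler + png
            + filler + truncated_jpeg + filler)


if __name__ == "__main__":
    img = build_sample_image()
    for f in carve_files(img):
        print(f"{f['type']} at offset {f['offset']}, {f['size']} bytes, complete={f['complete']}")
    for h in keyword_search(img, ["victimname"]):
        print(f"'{h['keyword']}' ({h['encoding']}) at offset {h['offset']}")
```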
2. Logical Extraction
This involves searching for and collecting evidence from the position it resides in
relative to a computer operating system's file system, which is used to keep track of the
names and locations of files located on a storage medium, such as a hard disk (Maras, 2014).
The type of logical extraction that is carried out depends on the digital device,
the file system, the device's applications, and the operating system. Logical extraction
involves collecting data from active and deleted files, file systems, unallocated and unused
space, and data that is compressed, encrypted, or password protected (Nelson, et al., 2015).
There should be documentation of the entire acquisition process. This paperwork should
contain (Maras, 2014):
1. Detailed information about the digital devices from which evidence was extracted
2. The hardware and software used to acquire the evidence
3. The manner in which the evidence was acquired (how it was obtained)
4. When it was obtained
5. Where it was obtained
6. Why it was obtained
7. What evidence was obtained, and
8. For what reason it was obtained

PRESERVATION
Preservation aims to safeguard digital evidence from alteration. The integrity of
digital evidence should be maintained in each phase of the handling of digital evidence
(ISO/IEC 27037).
First responders, investigators, crime scene technicians, and/or digital forensics
specialists must show, whenever possible, that digital evidence has not been altered
during the identification, collection, and acquisition process; the ability to do so, of course,
depends on the digital device (computers and cell phones) and the circumstances they
encounter (e.g., the need to quickly preserve data).
A chain of custody (the process by which police preserve the crime or incident scene
and the evidence throughout the life cycle of a case) must be maintained to demonstrate
this (Maras, 2014). It includes information about:
a. Who collected the evidence.
b. Where and how the evidence was collected.
c. Which individuals took possession of the evidence; and
d. When they took possession of it.
In the chain of custody the following must be documented:
a. Names, titles, and contact information of the individuals who identified, collected,
and acquired the evidence.
b. Any other individuals to whom the evidence was transferred.
c. Details about the evidence that was transferred.
d. The time and date of transfer; and
e. The purpose of the transfer.
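An added example (not from the module or from Maras) of recording the chain-of-custody fields listed above as a hash-linked log, so that an edited, removed or reordered entry is detected at verification. Names, locations, times and the evidence hash are constructed placeholders, and the design is illustrative rather than any agency's form.

```python
import hashlib
import json
from datetime import datetime, timezone


class ChainOfCustody:
    """Tamper-evident chain-of-custody log for one evidence item.

    Each entry records who handled the evidence, from whom, where, how, when and why,
    plus the evidence hash at that moment, and carries a digest linked to the previous
    entry. A later edit, deletion or reordering therefore shows up in verify().
    """

    def __init__(self, evidence_id, description, evidence_hash):
        self.evidence_id = evidence_id
        self.description = description
        self.evidence_hash = evidence_hash   # digest recorded at acquisition
        self.entries = []

    @staticmethod
    def _digest(entry):
        # Canonical JSON so the digest does not depend on dictionary ordering.
        return hashlib.sha256(json.dumps(entry, sort_keys=True).encode("utf-8")).hexdigest()

    def record(self, handler, title, contact, received_from, location, method, purpose,
               evidence_hash=None, when=None):
        """Append one handling/transfer entry and return it."""
        entry = {
            "seq": len(self.entries) + 1,
            "evidence_id": self.evidence_id,
            "evidence_hash": evidence_hash or self.evidence_hash,
            "handler": handler, "title": title, "contact": contact,
            "received_from": received_from, "location": location,
            "method": method, "purpose": purpose,
            "when": (when or datetime.now(timezone.utc)).isoformat(),
            "prev_digest": self.entries[-1]["digest"] if self.entries else "",
        }
        entry["digest"] = self._digest(entry)
        self.entries.append(entry)
        return entry

    def verify(self):
        """Return (ok, message): checks sequence numbers, the digest chain, and that the
        evidence hash in every entry still equals the acquisition hash."""
        prev = ""
        for i, entry in enumerate(self.entries, start=1):
            body = {k: v for k, v in entry.items() if k != "digest"}
            if entry["seq"] != i:
                return False, f"entry {i}: sequence gap or reordering"
            if entry["prev_digest"] != prev:
                return False, f"entry {i}: broken link to previous entry"
            if self._digest(body) != entry["digest"]:
                return False, f"entry {i}: contents altered after recording"
            if entry["evidence_hash"] != self.evidence_hash:
                return False, f"entry {i}: evidence hash differs from acquisition hash"
            prev = entry["digest"]
        return True, "chain intact"


def build_demo_chain():
    """Constructed example: three hand-offs of one drive image with placeholder people,
    places, times and a placeholder SHA-256; none of these values come from the module."""
    coc = ChainOfCustody("EV-0001", "Laptop hard drive image (placeholder)",
                         evidence_hash="0" * 64)
    t0 = datetime(2024, 11, 4, 9, 30, tzinfo=timezone.utc)
    coc.record("A. Responder", "First responder", "ext. 101", "scene", "Scene, Room 2",
               "seized and bagged", "collection", when=t0)
    coc.record("B. Custodian", "Evidence custodian", "ext. 202", "A. Responder",
               "Evidence room", "sealed bag, hand-carried", "storage", when=t0.replace(hour=12))
    coc.record("C. Examiner", "Forensic examiner", "ext. 303", "B. Custodian",
               "Digital forensics lab", "checked out, seal verified", "acquisition",
               when=t0.replace(day=5))
    return coc


if __name__ == "__main__":
    chain = build_demo_chain()
    print(chain.verify())
    chain.entries[1]["location"] = "Unknown"   # simulate an after-the-fact edit
    print(chain.verify())
```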

ANALYSIS AND REPORTING (US National Institute of Justice, 2004)


In addition to the handling of digital evidence, the digital forensics process also
involves:
1. Analysis Phase - The examination and interpretation of digital evidence.
2. Reporting Phase - The communication of the findings of the analysis.

ANALYSIS PHASE
In this phase, the system's digital history is extracted, data is analysed, and events are
reconstructed. Before analyzing the digital evidence, the laboratory's computer forensics
analyst must be aware of the objectives of the search, as well as any background information
on the case and all other specifics obtained during the examination that may aid the forensics
analyst in this phase (e.g., IP or MAC addresses).
Different types of analysis are performed depending on the type of digital evidence sought,
such as network, file system, application, video, image and media analysis (analysis of the
data on a storage device). Files are analysed to identify their sources, to establish when
and where data was created, modified, viewed, copied or uploaded, and to connect these
files to remote storage, such as cloud-based storage (Carrier, 2005). Depending on the
cybercrime being investigated, different types of digital evidence will be relevant (emails,
text messages, geolocation data, word processing documents, photos, images and chat
logs).

FOUR TYPES OF ANALYSES


1. Time-Frame Analysis
This uses time stamps (date and time) to create a timeline or time series of the acts that
contributed to an event, or to establish the date and time at which a particular action was
performed by a user.
This analysis is done in order to attribute a crime to an offender, or at least to attribute
to a specific person an act that contributed to the crime.
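A timeline is only as good as the consistency of its time stamps: records from different tools
and devices arrive in different time zones, and the suspect's machine may have had its clock
set wrong. The Python program below is a worked example added here for illustration (not
part of the original module); the file-system records are constructed sample data, and the
clock-skew value is assumed to have been measured separately (for example, against the time
shown by a trusted server in the same logs).

```python
from datetime import datetime, timedelta, timezone
from typing import Dict, List

# Constructed sample records, in the shape a file-system timeline tool might export.
# Note the mix of time zones: the shell history came from a tool that reported local
# time (UTC+8); everything else is UTC. Sorting them unnormalised would misorder events.
RECORDS = [
    {"path": "/home/user/Documents/invoice.docx", "event": "created",  "time": "2024-03-01T02:15:30+00:00"},
    {"path": "/home/user/Documents/invoice.docx", "event": "modified", "time": "2024-03-01T02:40:12+00:00"},
    {"path": "/home/user/.bash_history",          "event": "modified", "time": "2024-03-01T10:41:03+08:00"},
    {"path": "/home/user/Downloads/tool.zip",     "event": "created",  "time": "2024-03-01T02:38:55+00:00"},
    {"path": "/var/log/auth.log",                 "event": "modified", "time": "2024-03-01T02:10:01+00:00"},
]


def parse_utc(stamp: str) -> datetime:
    """Parse an ISO 8601 timestamp and normalise it to UTC.

    A timestamp without an offset is refused rather than guessed: the wrong
    assumption silently shifts every event by hours.
    """
    parsed = datetime.fromisoformat(stamp)
    if parsed.tzinfo is None:
        raise ValueError(f"timestamp has no time zone, cannot place it on the timeline: {stamp}")
    return parsed.astimezone(timezone.utc)


def build_timeline(records: List[Dict[str, str]],
                   clock_skew: timedelta = timedelta(0)) -> List[dict]:
    """Return the events sorted by UTC time.

    clock_skew is the measured offset of the suspect machine's clock from true time
    (e.g. +2 minutes if it ran two minutes fast); it is subtracted from every timestamp
    so the timeline can be compared with external sources such as ISP or server logs.
    """
    events = [
        {"time": parse_utc(r["time"]) - clock_skew, "event": r["event"], "path": r["path"]}
        for r in records
    ]
    return sorted(events, key=lambda e: e["time"])


def events_between(timeline: List[dict], start: datetime, end: datetime) -> List[dict]:
    """Events within [start, end], e.g. the window in which a victim reported an incident."""
    return [e for e in timeline if start <= e["time"] <= end]


def render(timeline: List[dict]) -> str:
    return "\n".join(f'{e["time"].isoformat()}  {e["event"]:<8} {e["path"]}' for e in timeline)


if __name__ == "__main__":
    tl = build_timeline(RECORDS)
    print(render(tl))
    window = events_between(tl,
                            datetime(2024, 3, 1, 2, 30, tzinfo=timezone.utc),
                            datetime(2024, 3, 1, 2, 45, tzinfo=timezone.utc))
    print(f"\n{len(window)} events in the reported window")
```

Once normalised, the shell-history write (reported as 10:41 local time) falls 51 seconds
after the document was last modified, which is the kind of sequence (download of a tool, edit
of a document, command run) that a time-frame analysis is meant to surface.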
2. Ownership and Possession Analysis
This is used to identify the person who created, accessed and/or modified data on a
computer device. For example, this analysis may reveal child sexual abuse material on the
suspect's machine (the "representation, by whatever means, of a child engaging in actual
or simulated overt sexual acts or representation of a child's sexual parts for primarily
sexual purposes"). However, that piece of evidence alone is insufficient to establish
ownership of the child sexual abuse material. Further evidence is needed to support it,
such as proof that the suspect had exclusive use of the computer on which the material
was found.
3. Application and File Analysis
This examines the applications and files on a computer system to assess the knowledge
and intent of the user and the capability to commit the cybercrime (for example, the
marking or naming of a file may indicate its content, as when the file name is the name of
the cybercrime victim).
4. Data Hiding Analysis
As the name implies, data hiding analysis searches for hidden data on a computer.
Criminals employ a variety of data-hiding techniques to conceal their illicit actions and
documents, including encryption, password-protecting devices and specific content (e.g.,
files), manipulating file extensions, and hiding partitions.
During the analysis, the examiner documents the data-hiding tactics the perpetrators
used to conceal their identities and behaviour. Hidden data may reveal knowledge of a
crime, possession of records, or intent to commit a crime.
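Two of the techniques above can be checked automatically: a manipulated file extension is
exposed by comparing the name a file carries with the signature ("magic bytes") in its
header, and encrypted content, whatever it is called, shows up as data with near-maximum
byte entropy. The Python program below is a worked example added here for illustration (not
part of the original module): the signature table is deliberately short, the entropy
threshold of 7.5 bits/byte is an assumed working value, and the files it scans are
constructed in memory rather than taken from any real case.

```python
import math
from collections import Counter
from typing import Dict, Optional

# File signatures ("magic bytes") for a few common types. Real tools carry hundreds;
# these suffice to show the technique. OOXML documents (docx/xlsx/pptx) are ZIP files.
MAGIC: Dict[bytes, str] = {
    b"\xFF\xD8\xFF": "jpg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"PK\x03\x04": "zip",
    b"%PDF-": "pdf",
    b"\x7fELF": "elf",
}
# Extensions that legitimately carry another type's signature.
EXT_ALIASES = {"jpeg": "jpg", "docx": "zip", "xlsx": "zip", "pptx": "zip", "jar": "zip"}

# Assumed threshold: above this entropy (the maximum is 8 bits/byte) data is almost
# certainly compressed or encrypted, so an unrecognised high-entropy file deserves a look.
ENTROPY_THRESHOLD = 7.5


def detect_type(data: bytes) -> Optional[str]:
    """Type according to the file's own header, ignoring its name."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return None


def claimed_type(filename: str) -> str:
    """Type the file name claims, after normalising aliases."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return EXT_ALIASES.get(ext, ext)


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0 for a constant stream, 8 for uniformly random bytes."""
    if not data:
        return 0.0
    total = len(data)
    return -sum((c / total) * math.log2(c / total) for c in Counter(data).values())


def examine(filename: str, data: bytes) -> dict:
    claimed = claimed_type(filename)
    detected = detect_type(data)
    known_types = set(MAGIC.values())
    # Mismatch: the header says one thing and the name another, or the name claims a
    # type we can recognise but the header does not bear its signature.
    mismatch = (detected is not None and detected != claimed) or \
               (detected is None and claimed in known_types)
    entropy = shannon_entropy(data)
    return {
        "filename": filename,
        "claimed": claimed,
        "detected": detected,
        "extension_mismatch": mismatch,
        "entropy": round(entropy, 2),
        "possibly_encrypted": detected is None and entropy > ENTROPY_THRESHOLD,
    }


def scan(files: Dict[str, bytes]) -> Dict[str, dict]:
    return {name: examine(name, data) for name, data in files.items()}


# Constructed sample files (name -> contents). Nothing here comes from a real case.
SAMPLES: Dict[str, bytes] = {
    "vacation.jpg": b"\xFF\xD8\xFF\xE0\x00\x10JFIF" + b"\x00" * 64,
    "notes.txt": b"\xFF\xD8\xFF\xE0\x00\x10JFIF" + b"\x00" * 64,     # image renamed as text
    "report.docx": b"PK\x03\x04\x14\x00" + b"\x00" * 64,               # OOXML, a ZIP inside
    "photo.png": b"Dear diary, nothing to see here.\n" * 4,            # text renamed as image
    "readme.txt": b"Dear diary, nothing to see here.\n" * 4,
    "backup.dat": bytes(range(256)) * 4,                               # uniform bytes: max entropy
}


if __name__ == "__main__":
    for result in scan(SAMPLES).values():
        flags = [k for k in ("extension_mismatch", "possibly_encrypted") if result[k]]
        print(f'{result["filename"]:<14} claimed={result["claimed"]:<4} '
              f'detected={str(result["detected"]):<5} entropy={result["entropy"]:.2f} '
              f'{",".join(flags) or "ok"}')
```

A flag from this check is a lead, not a conclusion: a legitimate backup or a compressed archive
with an unusual extension will trip the entropy test too, so each flagged file still has to be
examined and the finding recorded in the analysis notes.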

The aim of these analyses is crime reconstruction (or event reconstruction). Through the
identification, collection and linking of evidence, reconstruction of the event seeks to
determine who was responsible for it, what happened, where and when it occurred, and
how it occurred (revealing the "big picture" or essence of the event).

LEARNING ACTIVITY

Instruction: Read carefully the questions and give the best answer in your own words.
Observe correct spelling and grammar.
A. Discuss the procedures in conducting the following investigative processes.
1. Securing and Evaluating the Scene
__________________________________________________________________
__________________________________________________________________.

2. Conducting Preliminary Interviews


__________________________________________________________________
__________________________________________________________________.

3. Documenting the Scene


__________________________________________________________________
________________________________________________________________.

4. Evidence Collection
__________________________________________________________________
__________________________________________________________________.
5. Retrieval of Non-Electronic Evidence
__________________________________________________________________
__________________________________________________________________.
6. Packaging, Transportation, and Storage of Electronic Evidence
__________________________________________________________________
________________________________________________________________.

7. Handling of Digital Evidence


__________________________________________________________________
__________________________________________________________________.

B. Instruction: Read carefully the questions and give the best answer in your own
words. Observe correct spelling and grammar.
1. Discuss comprehensively the FOUR PHASES involved in the initial handling of digital
evidence

a. Identification
b. Collection
c. Acquisition
d. Preservation
2. Explain the importance of reporting and discuss how you are going to write a report of
your findings on the investigation of Electronic Evidence.
3. What is the importance of knowing and observing the Legal and Ethical Obligations of a
Cyber Crime Investigator?

Reference:
Caballero, N.S. (2022). Basics of Cybercrime Investigation and Environmental Laws and
Protection: A learning and Teaching Module for Criminology Students and Instructors.
https://www.collegesidekick.com/study-docs/1287336
