Rules On Electronic Evidence Cybercrime
Electronic proof is material and data of forensic significance that is stored on or distributed by an electronic computer. Such detail is collected, or actual objects are gathered and stored, for analysis purposes.

Electronic proof:

- Is mostly dormant in the same way as fingerprints or DNA evidence are;
- Can easily and quickly cross boundaries;
- Is often time-sensitive and can be quickly changed, weakened or lost.

Digital Forensics

Digital forensics, also known as Digital Forensic Science, is a field of forensic science that deals with the recovery and processing of information stored in digital files, usually in the context of cybercrime. The term digital forensics was first used as a synonym for electronic forensics, but it has since expanded to encompass all applications capable of storing digital data.

Branches of Digital Forensics

Digital forensics investigation is not restricted to collecting data merely from the computer, as offenders violate laws and small digital devices (e.g., laptops, smartphones, flash drives) are now widely used. Some of these devices have volatile memory and some have non-volatile memory.

1. Computer Forensics – Computers, embedded systems (digital machines with limited computing capacity and onboard memory), and static memory (such as USB pen drives) all fall within this discipline. Computer forensics can handle a wide variety of data, from data logs (such as internet history) to the individual files on the hard drive.

2. Mobile Device Forensics – The retrieval of digital evidence or data from a mobile device is the subject of mobile device forensics, which is a sub-branch of digital forensics. In contrast to computer forensics, handheld devices have built-in networking systems and, in most cases, proprietary retrieval mechanisms.

3. Network Forensics – Network analysis is concerned with the tracking and analysis of computer network data, both local and WAN/internet, for the purposes of collecting intelligence, obtaining data, or detecting intrusions.

4. Forensic Data Analysis – It looks at organized data with the aim of uncovering and examining patterns in financial crime-related fraud.

5. Database Forensics – It deals with the investigation of databases and their metadata.

Cybercrime Investigation – A method of investigating, examining and retrieving vital forensic digital data from the networks involved in the attack – this may be the Internet and/or a local network – in order to locate the perpetrators of the digital crime and their true intentions.

Cybercrime Investigator – Investigates a variety of crimes that range from retrieving the systems on computers that have been compromised or destroyed to investigating crimes against people.

WHO CONDUCTS CYBERCRIME INVESTIGATION?

Criminal Justice Agencies

Departments of criminal justice are in charge of cybercrime awareness campaigns, as well as the detection, monitoring, and conviction of digital criminals. Depending on the country of foreign origin, a criminal justice agency may handle all cybercrime incidents.

CYBERCRIME INVESTIGATION TECHNIQUES

While procedures vary based on the nature of the cybercrime being prosecuted and who is leading the investigation, most computer criminals are subject to certain common techniques used during the investigation process.

Background Check

When dealing with the original report on cybercrime, creating and defining the background of the crime with the proven facts would assist authorities in establishing a starting point to determine what they are up against and how much documentation they have.

Information Gathering

One of the most critical tasks for any cybersecurity researcher is to collect as much information as possible about the incident.

Tracking and Identifying the Authors
Depending on how much data is already in hand, this next step is often done during the information-gathering process. It collects useful log data about their connections, as well as historical operation, websites and protocols used during the time they were linked, in order to locate the perpetrators behind the cyber-attack. It also needs approval from the prosecutors and a court order to obtain the required data; this is always the slowest step.

Digital Forensics

When ample data on cybercrime has been obtained by the investigators, it is time to analyze the digital networks that were affected or those that are supposed to be involved in the origin of the attack.

HANDLING OF DIGITAL EVIDENCE

Digital evidence is volatile and fragile, and it can be modified by the improper handling of this evidence. Because of its instability and fragility, protocols need to be observed to ensure that data is not altered during its handling.

FOUR PHASES INVOLVED IN THE INITIAL HANDLING OF DIGITAL EVIDENCE

1. IDENTIFICATION – Preliminary knowledge of the cybercrime case is collected before collecting digital data. This preliminary information is the same as that requested during a typical criminal investigation. Victims, witnesses, and perpetrators of cybercrime are also interviewed to obtain information and facts regarding the cybercrime being investigated.

In order to locate, investigate and prosecute cyber criminals, undercover law enforcement operations have also been performed. Furthermore, cybercrime analysts have carried out undercover surveillance. This tactic is an especially invasive tool for gathering evidence.

2. COLLECTION – With regard to cybercrime, the scene of the crime is not limited to the physical location of digital devices used in the commission of cybercrime and/or threatened by cybercrime.

The cybercrime scene also includes:

- The digital devices that potentially hold digital evidence; and
- Spans multiple digital devices, systems, and servers.

When cybercrime is detected, confirmed, and/or suspected, the crime scene is covered. The first responder understands and protects the crime scene from contamination and retains volatile evidence by isolating users from all digital devices located at the crime scene.

3. ACQUISITION – Different approaches to performing acquisition exist. The approach adopted depends on the digital device type. The procedure for obtaining digital evidence from a computer hard drive, for example, differs from the procedure needed for obtaining digital evidence from mobile devices, such as smartphones.

4. PRESERVATION – Preservation of data aims to safeguard digital evidence from alteration. In each step of the handling of digital evidence, the credibility of digital evidence should be maintained.

RULES ON ELECTRONIC EVIDENCE

Admissibility of Digital Evidence

To ensure the admissibility of digital proof in a court of law, certain legal and technological criteria have to be met. With regard to the former, the court discusses the legal permission to scan and seize information and communication technologies and related data, and the relevance, accuracy, integrity and reliability of digital evidence.

Assessment of Digital Evidence

Courts decide if the appropriate legal authorization for the search and seizure of information and communication technology (ICT) and associated data has been used. A search warrant, court order, or subpoena are among the forms of legal authorization. The legal order necessary to obtain ICT and ICT-related data varies according to jurisdiction.

Consideration of Digital Evidence

The digital forensics techniques and methods used to collect the proof, and the expertise and qualifications of the digital forensics experts who acquired, stored and examined the digital evidence, are assessed in terms of the integrity of digital evidence.

Digital forensics experts provide testimony in court to explain:

- Their qualifications;
- How to deal with digital devices, online channels, and other outlets relevant to ICT;
- The phases of digital forensics;
- Why a specific digital forensics tool was used, and not others;
- How the digital evidence was maintained, acquired and examined;
- The meaning and outcomes of the studies carried out, and the reliability of these interpretations; and
- Any changes that may have happened to the data and why these changes have taken place.

Determination of Digital Evidence

Digital evidence's authenticity, credibility, and reliability are measured on the basis of the findings of the digital forensics process evaluation performed in the previous phase (the digital evidence consideration phase), such as the use of forensically sound techniques and tools to collect digital evidence and the testimony of expert witnesses and digital forensic experts to validate the validity, credibility and reliability of evidence.

Digital evidence is admissible if:

- A fact of the matter asserted in the case is established;
- During the digital forensics process, it remained unaltered; and
- The analysis findings are true, accurate and peer-reviewed.

Electronic Documents

Where the terms “writing”, “book”, “record”, “instrument”, “memorandum”, or “other kinds of writing” are used to describe a rule on evidence, that term includes an electronic document as defined in these Rules.

Admissibility

An electronic document is admissible as evidence if it complies with and is validated in accordance with the Rules of Admissibility specified by the Rules of Court and applicable legislation (Rule 3, Section 2).

Privileged Communication

The confidentiality of a privileged communication shall not be lost simply because it takes the form of an electronic document (Rule 3, Section 3).

Best Evidence Rule

An electronic document is considered the equivalent of an original document under the Best Evidence Rule whether it is a printout or output readable by sight or other means, and it is shown to adequately represent the results (Rule 4, Section 1).

Authentication of Electronic Documents

Burden of Proving Authenticity

The individual attempting to bring an electronic record into a legal action bears the duty of demonstrating its validity in the manner set forth in this Rule (Rule 5, Section 1).

Any private electronic record that is given as genuine must have its validity checked by one of the following methods:

- By evidence that it had been digitally signed by the person purported to have signed the same;
- By evidence that other appropriate security procedures or devices as may be authorized by the Supreme Court or by law for authentication of electronic documents were applied to the document; or
- By other evidence showing its integrity and reliability to the satisfaction of the judge.

METHOD OF PROOF

Affidavit Evidence - An affidavit stating evidence with direct personal knowledge of the affiant or relying on authentic documents can be used to determine the admissibility and evidentiary weight of an electronic document.

Cross-Examination of Deponent

The affiant shall be made to affirm the contents of the affidavit in open court and may be cross-examined as a matter of right by the adverse party.

EXAMINATION OF WITNESSES

Section 1. Electronic Testimony
The court can allow the presentation of testimonial evidence by electronic means after summarily hearing the parties pursuant to Rule 9 of these Rules.

When a witness is examined electronically, the entire proceedings, including the questions and answers, must be transcribed by a stenographer, stenotypist, or other certified auditor, who must certify the transcript as correct.

CYBERCRIME WARRANTS

Requires any person or service provider to reveal, within 72 hours of receipt of the order, the subscriber’s information, traffic data, or related data in his or her possession or control. It can be submitted only if the complaint is officially reported and allocated for investigation and the disclosure is required and relevant to the investigation.

It allows law enforcement to listen in on, log, trace, or control messages using electronic eavesdropping or tapping equipment. The WICD request must also state the significance and the necessity of the requested details, as well as specify the details to be revealed.

It is similar to a search warrant, except that the WSSECD deals with electronic evidence. In addition, the WSSECD request must specify the relevance and the necessity of the data sought, as well as describe the information to be seized and examined.

Before searching any confiscated unit, a WECD must be requested by law enforcement. The WECD must also state the importance and the necessity of the data requested and, in particular, identify the information requested to be disclosed.

Ten (10) days from the issuance, with the option of extending another ten (10) days.

Who has custody over the data or items seized, intercepted, and obtained by the law enforcement?

2. After filing of return - court