CYBER 3
if the SIM card number belongs to a foreign TELCO, then the investigator shall coordinate through letter
rogatory with the foreign counter-part Law Enforcement Agency through Mutual Legal Assistance Treaty
(MLAT) procedures to get the information on the owner of the SIM card number and other log/records
pertaining to the said SIM.
10. Alter completion of the investigative requirements, the case wil be filed in court for possible arrest and
conviction of the suspect. If not, pursue the solution of the case.
(Note: A seized devices should be sent to Computer Forensic Sec, ACD, CIG for Computer/Celphone Forensic
B. Application of Search Warant (Note: preferably conducted by Trained Personnel not necessarily comina
from Computer Forensic Sec, ATCD, CIDG).
ACTION
STEP
ELECTRONIC CRIME SCENE PROCEDURES
1. Secure and take control of the area containing
the suspected electronic media. Always be aware
of officer's safety and securely take control of the
scene.
C P U L o c a t i o n T e l e p h o n
M o n i t o r
Keyboard
The investigator should move individuals at the
scene away from all computer equipment to ensure
no last-minute changes or corruption to the data
occur. If suspect is allowed to access computer
equipment, he or she may be able to destroy or
alter the evidence making it much more difficult to
conduct the forensic analysis at a later time.
Once all individuals have been removed from the
areas containing the electronic evidence,
investigators can start conducting interviews of
either the suspects on the scene or potential
witnesses.
Interviewing the individuals on the scene may
provide a substantial amount of information
pertaining to the case and may help lead the
investigators in the right direction. The interviews
should take place in an area where the interviews
wil not be interrupted and alow for the individual to
talk freely to the investigator.
At this time, conduct your interviews with
individuals found on the scene or the crime or the
21
ing person who provided the information.
The investigator should avoid switching the
computer system on if it is turned of upon your
arrival. Make sure there is no active screen saver
by pressing one of the arrow keys located on the
keyboard connected to the computer system. The
arrow keys wil not alter any documents if the
system is active. Photograph the monitor to show
the status of the system upon your arrival on the
scene.
If the screen is blank and the system is turned on,
again, press the arrow keys to ensure a screen
saver is not active. If the monitor power is off, turn
the monitor power on.
Once the monitor comes on, photograph the
monitor to show what was on the screen at the time
of your arrival.
Check to see if the system is connected to the
internet or has network capabilities. Some systems
may not have a CAT5 or other type of network
cable attached; the system could be utilizing a
wireless connection.
If the system is networked, the investigator wil
want to capture the volatile data contained in the
system"s memory. If the system"s power is
disconnected before volatile data has been
collected, the data wil be lost and the investigator
wil not be able to retrieve that data at a later time.
Once the investigator has collected the volatile
data, he wil want to disconnect the power from the
machine in order to shut it down. The forensic
practice is to disconnect the power source from the
rear of the machine and NOT from the wal outlet.
This wil make sure the investigator is removing the
correct power supply and not another systems
power. Shutting down (using the Operating System)
wil alter the registry and it wil be considered as
tampering of evidence.
The investigator wil then document the crime
scene by taking photographs. These photographs
wil help the investigator remember where
22
ahing was located on the crime scene and
how the crime scene looked when he or she
arrived.
The investigator should take pictures of the
entrance to the crime scene, and then take
photographs from each comer of the crime scene.
Additionally, as evidence is located and recovered,
the investigator should photograph the evidence
before it is moved to document the location it was
found on the scene.
The next step is to document the crime scene even
further by drawing a sketch of the entire crime
scene. The sketch wil show the measurements of
the crime scene and where the evidence is located
on the crime scene by their exact distance from
other objects on the crime scene. The investigator
can find two unmovable points on the crime scene
and conduct all measurements from that location.
After taking all the necessary photographs, the
investigator must to label and tag all the evidence
located in the crime scene. When labeling the
computer system, the investigator should label
each connector and port attached to the system.
This wil help ensure the investigator wil be able to
reconstruct the system in a court of law.
The investigator can place a tag on the video cable
labeled "A." Then label the video port on the back
of the system also with the letter "A." This way the
investigator wil know that cable "A" connects to
port "A." This method, also known as "Bagging and
Tagging," should be done for each cable connected
to the system. At this time, label all the
connections to the computer system.
Once the system has been labeled correctly, the
investigator can place evidence tape over the 3 ½
inch drive and the drive case. This wil help the
investigator know if anyone tampers with the
computer system in transit back to the forensic lab.
If there is any media located in the drives, the
media should be photographed and then removed
to protect the evidence from being destroyed or
altered. CD-ROMS may be scratched in transit and
therefore may become unreadable. At this time,
remove any media in the drive bays and place
evidence tape over the drives.
23
is time to package al the equipment for
nsportation. Al electronic evidence should be
packaged in anti-static bags to help ensure the
integrity of the data is maintained. As each piece of
evidence is packaged, an evidence label should be
attached.
This evidence label wil help identify the evidence,
the date and time it was found on the scene, the
location it was recovered from, and the investigator
who found the evidence. Additional information can
be added to include the Case Number and the
primary investigating officer.
At this time, please ensure all evidence has been
packaged and labeled from the crime scene.
Before each item is removed from the crime scene,
a chain of custody must be filled out to ensure the
evidence is properly tracked from investigator to
investigator. A chain of custody will contain the
name of the recovering officer and the date and
time he transferred the evidence to the primary
investigating officer. Additionally, the chain of
custody may contain the item number or evidence
number along with the case number of the crime.
Search through all documentation to find
passwords or other physical evidence that may
pertain to the crime.
Passwords or hidden notes may be located on the
scene inside documentation manuals or books.
C. Requirements for Computer/Cellphone Forensic Examination at Computer Forensic Laboratory, ATCD, CIDG)
For Hard Disk
1. Letter Request for Examination (From RC, RCIDU/RD, PRO/ DD, NCRPO District/Dir, NSU/Head of
Agency/Corporate Secretary of Private Corporations/Private Complainant)
2. One (1) piece Hard Disk (Double the Size of the Hard Disk for examination)
3. One (1) piece Compact Disk (CD Recordable for the Forensic Result
For Cellphone
1. One (1) piece Compact Disk (CD) Recordable for the Forensic Result
24
requesting party or the Court can only request for the Examination results and pieces of evidence after filling
Chain of Custody form.
ACCESS DEVICE REGULATION ACT OF 1998
- Law that punishes access device fraud or the unlawful use of credit card.
REPUBLIC ACT 8484
- The folowing acts shall constitute access device fraud and are hereby declared to be unlawful:
1. An act of producing, using, trafficking in one or more counterfeit access devices;
2. An act trafficking in one or more unauthorized access devices or access devices fraudulently applied for;
3. An act of using, with intent to defraud, an unauthorized access device;
An act of using an access device fraudulently applied for;
An act of possessing one or more counterfeit access devices or access devices fraudulently applied for;
6. An act of producing, trafficking in, having control or custody of, or possessing device-making or altering
equipment without being in the business or employment, which lawfuly deals with the manufacture, issuance, or
distribution of such equipment;
7. An act of inducing, enticing, permitting or in any manner allowing another, for consideration or otherwise to
produce, use, traffic in counterfeit access devices, unauthorized access devices or access devices fraudulently
applied for;
8. An act of multiple imprinting on more than one transaction record, sales slip or similar document, thereby
making it appear that the device holder has entered into a transaction other than those which said device holder
had lawfully contracted for, or submitting, without being an affiliated merchant, an order to collect from the issuer
of the access device, such extra sales slip through an affiliated merchant who connives therewith, or, under
false pretenses of being an affiliated merchant, present for collection such sales slips, and similar documents;
9. An act of disclosing any information imprinted on the access device, such as, but not limited to, the account
number or name or address of the device holder, without the latter's authority or permission;
10. An act of obtaining money or anything of value through the use of an access device, with intent to defraud or
with intent to gain and fleeing thereafter;
11. An act of having in one's possession, without authority from the owner of the access device or the access
device company, an access device, or any material, such as slips, carbon paper, or any other medium, on which
12. An act of writing or causing to be written on sales slips, approval numbers from the issuer of the access device
of the fact of approval, where in fact no such approval was given, or where, if given, what is written is
deliberately different from the approval actually given;
13. An act of making any alteration, without the access device holder's authority, of any amount or other information
written on the sales slip;
14. An act of effecting transaction, with one or more access devices issued to another person or persons, to receive
payment or any other thing of value;
15. An act, without the authorization of the issuer of the access device, soliciting a person for the purpose of:
a) Offering an access device; or
b) Selling information regarding or an application to obtain an access device; or
16. An act, without the authorization of the credit card system member or its agent, causing or arranging for
another person to present to the member or its agent, for payment, one or more evidence or records of
transactions made by credit card.
17. Other analogous acts.
Evidences needed to file a case of Access Device Fraud
25
2 2 DEMI
morial Evidence - affidavit of complainants and witnesses.
cumentary Evidence - Certificate of Registration of the owner of access devices, Photographs of access devices
fraudulently used, Certificate of Obligation issued as a result of fraudulent transactions or contract of sale and other
pertinent documents obtained through the use of fraudulent access device, police records and other relevant records.
3. Object Evidence - Subject access devices, computers and other electronic equipment.
4. Other relevant documents.
CREDIT CARD FRAUD INVESTIGATIONS (VIOLATION OF RA 8484)
ACCOUNT TAKE-OVER
Account Take-over (ATO) - a criminal trying to take over another person's account, first by gathering information
about the intended victim, then contacting their bank or credit issuer - masquerading as the genuine cardholder -
asking for mail to be redirected to a new address. The criminal then reports the card lost and asks for a replacement to
be sent. The replacement card is then used fraudulently.
STEPS IN INVESTIGATING ATM CARD
A. There Must be a Complaint
1. Duly accomplished complaint sheet
2. Affidavit of the complainant and issuing Bank
3. If complainant is a juridical person, ask for his/her authority to file a complaint (Special Power of Attorney or
Corporate Secretary's Certificate).
4. Evaluate the complaint to ascertain the crime committed and/or if the case is suited for entrapment.
5. Determine what appropriate laws can be applied.
B. Pieces of Evidence Needed
1. Delivery receipt signed by the suspect/s (if credit card was delivered)
2. Affidavit of the courier (if card was delivered)
3. Affidavit of the legitimate card holder
4. Credit Card itself (if recovered)
5. Affidavit of merchant/s (if the credit card was used)
6. Sales Invoice and charge slip (if the credit card was used)
7. Affidavit of Arrest (if suspects were arrested)
8. Statement of Account
C. Filing of the Case (The Documents Needed Can Be Secured from the Complainant)
- Inquest, if arrest was made, with the following documents:
1. Referral addressed to the Prosecutor's Office
2. Duly accomplished complaint Sheet
3. Affidavit of complainant and issuing Bank
Certificate is needed.)
(Note: If complainant is a juridical person, Special Power of Attorney (SPA) and/or Corporate Secretary"s
4. Affidavit of the legitimate cardholder e. Delivery receipt signed by the suspect, if credit card was delivered
5. Affidavit of the courier, if credit card was delivered
6. Credit Card itself, if recovered
7. Affidavit of merchants, if credit card was used
8. Sales invoice and charge slip, if credit card was used
9. Statement of account
10. Affidavit of arrest
1. Booking sheet
26
io of the suspect/s (if arrested)
tar/Ordinary Filing if no arrest was made
Note: Affidavit of arrest and booking sheet is not required
anS 14as abe charged with Sec 9 of RA 8484, Art 172 and/or 172, Art 178, and Art 315 and Art 308, al of PC
and CA 142 as amended by RA 6085, etc.
Note: The Case Folder shall contain all of paragraph 3.
STEPS IN INVESTIGATING FRAUDULENT APPLIED CARD
a. There must be a complaint
1. Duly accomplished complaint sheet
2. Affidavit of the complainant/issuing Bank
3. I a complainant is a juridical person, ask for his/her authority to file a complaint Special Power of Atorney or
Corporate Secretary"s Certificate
4. Evaluate the case to ascertain the crime commited and/or if the case is suited for entrapment.
5. Determine what appropriate laws are applicable.
b. Documents needed
1. Application form (if any, application usually done thru phone)
2. Documents presented in support to that application i.e. ID"s, certificate of employment, etc (if any)
3. Delivery receipts signed by the suspect/s (if credit card was delivered)
4. Affidavit of courier (if card was delivered)
5. Credit Card itself (if recovered)
6. Affidavit of merchant/s (if card was used)
7. Sales Invoice and Charge Slip (if card was used)
8. Affidavit of Arrest (if suspect/s were arrested)
9. Statement of Account
FILING OF THE CASE - Documents needed can be secured from the complainant.
a. Inquest, if arrest was made
1. Referral addressed to the City Prosecutor
2. Duly accomplished complaint sheet (mandatory)
3. Affidavit of complainant/issuing Bank
Note: If complainant is a juridical person, Special Power of Attorney and/or Corporate Secretary"s Certificate is
4. Application Form (if any, application usually done thru phone)
5. Documents presented in support for that application i.e. ID"s, certificate of employment etc (if any)
6. Affidavit of courier (if card was delivered)
7. Credit Card itself (if card was recovered)
8. Affidavit of merchant (if card was used)
9. Sales invoice and charge slip (if card was used)
10. Statement of Account
11. Affidavit of Arrest
12. Booking Sheet
13. Picture of the suspect (if arrested)
b. Regular/Ordinary Filing if no arrest was made
Note: Affidavit of arrest and booking is not required
amended by RA 6085, etc.
c. Suspect/s can be charged with Sec 9 of RA 8484, Art 172 and 171, Art 178, Art 315 al of RPC, and CA 142 as
d. Counterfeit Credit Cards
Note: The Case Folder shall contain al of paragraph 3
27
MINVESTIGATING COUNTERFEIT CARDS
mere must be a complaint
1. Duly accomplished complaint sheet
2. Affidavit of the complainant/certification from the issuing Bank
. If a complainant is a juridical person, ask for his/her authority to file a complaint (Special Power of Atomey or
Corporate Secretary's Certificate).
4. Evaluate the case to ascertain the crime committed and/or if the case is suited for entrapment.
5. Determine what appropriate laws are applicable
b. Pieces of Evidence Needed
1. Credit Card itself (if recovered)
2. Affidavit of merchant (if card was used)
3. Sales invoice (if card was used)
4. Charge slip (if card was used)
5. Letter of dispute/affidavit of the legitimate card holder
6. Affidavit of arrest (if suspect was arrested)
7. Statement of Account
c. Filing of the Case (the documents needed can be secured from the complainant)
Inquest, if arrest was made:
1. Referral addressed to the City Prosecutor
2. Duly accomplished complaint sheet
3. Affidavit of complainant/issuing Bank
4. If the complainant is a juridical person, Special Power of Attorney and/or Corporate Secretary"s Certificate is
5. Credit Card itself (if the card was recovered)
6. Police Blotter to the effect that the card was lost or stolen
7. Affidavit of Merchant (if the card was used)
8. Sales invoice and charge slip (if the card was used)
9. Letter of dispute/affidavit of the legitimate card holder
10. Affidavit of Arrest
11. Statement of account
12. Booking sheet
13. Picture/s of the suspect (if arrested)
d. Regular/Ordinary Filing if no arrest was made
Note: Affidavit of arrest and booking sheet is not needed
e. Suspect can be charged with sec 9 of RA 8484, Art 308 and Art 178 al of RPC, CA 142 as amended by RA
6085, etc.
Note: The Case Folder shall contain al of paragraph 3.
STEPS IN INVESTIGATING MANUFACTURING OF CREDIT CARDS
a. There must be a complaint
1. Duly accomplished complaint sheet
2. Affidavit of the complainant
3. If complainant is a juridical person, ask for his/her authority to file a complaint.
4. Evaluate the case to ascertain the offense committed.
5. Determine what laws are applicable.
b. Piece/s of evidence needed
28
6. Determine what document/s or pieces of evidence are needed to complete the picture of the case.
Skimming device (Card Reader) - a device used to record the data of credit card and then transferred to a
duplicate card
2. Hol Stamper - machine used to shape plastic material by bending, folding, pressing, stretching and or
3. Embosser - machine used to carve a design in relief on a surface
4. Printer - external
5. Scanner - computer peripheral or a stand-alone device that converts a document, filing, graphic, or
photographic to a digital image.
6. Blank PVC Cards - a standard-sized blank plastic card where a certain credit card is to be printed
7. Computers - general purpose machine, commonly consisting of digital circuitry, that accepts (inputs), stores,
manipulates, and generates (outputs) data a number, text, graphics, voice, video files, or electrical signals, in
accordance with instructions called programs.
c. If possible, apply for Search Warrant
d. Filing of the Case
1. Inquest if arrest was made
a) Referral addressed to the City Prosecutor
b) Duly accomplished sheet
c) Affidavit of the complainant/Certification from the Credit Card Association of the Philippines
Note: If the complainant is a juridical person, Special Power of Attorney and/or Corporate
Secretary"s Certificate is needed.
d) Skimming Device
e) Stamper
f) Embosser
g) Printer
h) Scanner
i) Blank PVC Card
k) Copy of Search Warrant/s
1) Receipt of property seized
m) Certificate of orderly searched
n) Affidavit of Arrest
o) Booking Sheet
2. Ordinary Filing if no arrest was made
Note: Affidavit of Arrest and booking sheet is not needed
3. Suspect/s can be charged with sec 9 of RA 8484
e. Return of Search Warrant/s
Note: The Case Folder shall contain al of paragraph 4 and 5.
RULES ON CYBERCRIME WARRANTS AND ELECTRONIC EVIDENCE
The rule on Cybercrime Warrants was promulgated by the Supreme Court on March 16, 2018 and took effect
on August 15, 2018. It provides the procedural framework for implementing Republic Act 10175, specifically
focusing on how law enforcement can legally access, preserve and examine digital evidence.
THE SUPREME COURT OF THE PHILIPPINE RULES ON CYBERCRIME WARRANTS
TYPES OF WARRANTS
PURPOSE
Warrant to Disclose Computer Data
(WDCD) Compels service providers to reveal
subscriber info, traffic, or content data.
29
FURTHER EXPLANATION
Authorizes law enforcement to issue
an order to disclose or submit
subscriber's information, traffic data,
or relevant data in the possession or
control of a person or service
Warrant to Intercept Computer Data Alow real-time interception of
(WICD) communications/data transmissions.
Examine (WSSECD) Warrant to Search, Seize and
Authorizes physical search and
seizure of devices and on-site data
review.
(WECD) Warrant to Examine Computer Data
Permits forensic examination of seized
data/devices.
provider within seventy-two (72)
hours from the receipt of the order.
Within forty-eight (48) hours from
implementation or after the expiration
of the effectivity of the WDCD, the
authorized law enforcement officer
must accomplish a retur and to turn
over the disclosed computer data or
subscriber's information to the court.
It authorizes law enforcement to
listen, record, monitor, or surveil the
content of the communications
through electronic eavesdropping or
tapping devices, at the same time
the communication is occurring
A WSSECD authorizes the search
the particular place for items to be
seized and/or examined.
Upon the conduct of the seizure, law
enforcement must file a return stating
the (a) devices that were subject of
the WSSECD and (b) the hash value
of the computer data and/or the
seized computer device or computer
system containing such data.
The Warrant to Examine Computer
Data (WECD) is to allow law
enforcement agencies to search a
computer device or computer seized
during a lawful warrantless arrest or
by any other lawful method such as
valid warrantless seizure, in flagrante
delicto, or by voluntary surrender.
Take Note: The four warrants
described above are only obtained
by law enforcement agencies (PNP
or the NBI) from Regional Trial
Courts specially designated to
handle cybercrime cases. Thus,
private complainants will need to
coordinate with such agencies if
such warrants are to be obtained.
affidavit.)
(Note: each warrant must be issued by a judge based on probable cause, supported by verified application and
Safeguards and Limitations
30
Oversight - Al warrants require court approval to prevent abuse.
no-Bound - Warrants are valid for a limited period (Usualy 10 days extendable once)
Chain of Custody - Strict documentation of seized data/devices to ensure integrity.
: Privacy Protections - the rule aligns with constitutional rights under the 1987 Constitution, particularly:
Section 2, Article III - Protection against unreasonable searches and seizures.
Section 3, Article II - Right to privacy of communication.
Practical Applications
These warrants are used in investigating crimes such as:
Cybersex and Child Pornography
Online Libel
Hacking and Illegal Access
Identity theft and phishing
• Computer-related fraud
Note: They also apply to traditional crimes (e.g, estafa, human trafficking) when commited using ICT tools.
Preservation Orders
Before a warrant is issued. law enforcement may request a Preservation Order to prevent to prevent deletion or
alteration of data. This is valid for up to 20 days, renewable once.
THE SUPREME COURT OF THE PHILIPPINE RULES ON ELECTRONIC EVIDENCE
The Supreme Court of the Philippines promulgated the Rules on Electronic Evidence under A.M. No. 01-7-01-SC,
which took effect on August 1, 2001. These rules were crafted to complement the E-Commerce Act of 2000 (R.A. No.
8792) and address the admissibility, authenticity, and evidentiary weight of electronic documents and data messages in
legal proceedings.
Definitions
• Includes terms like digital signature, certificate, computer, and asymmetric cryptosystem, which are
essential for understanding how electronic evidence is processed.
Key Highlights of the Rules
1. Scope and Coverage
• Applies to civil actions, quasi-judicial, and administrative proceedings.
• Covers electronic documents and electronic data messages used as evidence.
2. Admissibility
Electronic documents are admissible if they comply with the Rules of Court and are properly authenticated.
• They are considered equivalent to original documents if they meet certain criteria under the Best Evidence
Rule.
3. Authentication
• Authentication is crucial to ensure the integrity and reliability of digital evidence.
• May involve verifying digital signatures, metadata, or system logs to confirm origin and integrity.
The Rules on Electronic Evidence have significantly reshaped legal practice in the Philippines, ushering in a more
moder, tech-savvy approach to litigation and documentation. Here's how they've made an impact:
Implications on Legal Practice
31
AIMHOS
า ว ว า ร ะ
panded Evidentiary Tools
Lawyers can now present emails, text messages, digital signatures, and scanned documents as valid evidence.
• This broadens the scope of what can be used to prove or disprove claims, especialy in cases involving digital transactions or communications.
2. Authentication Becomes Crucial
• Legal practitioners must understand Rule 5 on authentication, which requires proving the integrity and origin of
electronic documents.
• This means lawyers often need to work with IT experts, digital forensic analysts, or use metadata and audit
trails to validate evidence.
3. Shift in Litigation Strategy
• The availability of electronic evidence changes how cases are built-lawyers now consider data preservation,
chain of custody, and cybersecurity as part of their litigation prep.
• It also affects discovery procedures, requiring parties to disclose relevant digital files.
4. Increased Efficiency
: Courts and lawyers benefit from faster document handling, reduced paper cluter, and easier access to records.
• Electronic filing and remote hearings have become more feasible, especially post-pandemic.
5. Challenges in Implementation
• Not al legal professionals are tech-savvy, leading to a skills gap in handling digital evidence.
• There are also concerns about data manipulation, privacy, and cybercrime, which require constant vigilance and
updated protocols.
6. Impact on Jurisprudence
• Courts have begun to develop case law around electronic evidence, refining standards for admissibility and
reliability.
• Decisions like People v. Enojas emphasize the importance of proper authentication and compliance with the
rules.
In short, these rules have made legal practice more dynamic, but also more demanding. Lawyers must now blend legal
expertise with digital literacy to stay effective. If you're exploring how this affects a specific type of case say, cyber libel
or online contracts—| can help break that down too