
An Anti Fraud and Computer Crimes Division Presentation

CYBER CRIMES

YOUR LECTURER
SA Palmer U. Mallari (Executive Officer) Anti-Fraud & Computer Crimes Division

I. INTRODUCTION
When the Internet was developed, its founding fathers hardly had any inkling that it could also be misused for criminal activities.

Today, there are many disturbing things happening in cyberspace. Cybercrime refers to all activities done with criminal intent in cyberspace. These could be criminal activities in the conventional sense, or activities that have newly evolved with the growth of the new medium. Because of the anonymous nature of the Internet, it is possible to engage in a variety of criminal activities with impunity, and intelligent people have been grossly misusing this aspect of the Internet to perpetrate criminal activities in cyberspace.

The field of Cybercrime is just emerging and new forms of criminal activities in cyberspace are coming to the forefront with the passing of each new day.

1. The LOVE BUG


THE INTERNET IS SUPPOSED TO BE FREE FOR THE ENJOYMENT AND USE OF EVERYBODY

By far the best-known incident of cyber crime in the Philippines is the ILOVEYOU virus, or the LOVE BUG. The suspect in the case, a 23-year-old student from a popular computer university in the Philippines, drafted the virus with the vision of creating a program capable of stealing passwords on computers, ultimately to have free access to the internet.

During the height of the LOVE BUG incident, Reuters reported: "The Philippines has yet to arrest the suspected creator of the 'Love Bug' computer virus because it lacks laws that deal with computer crime, a senior police officer said". The fact of the matter was that there were no laws relating to cybercrime in the Philippines, and the National Bureau of Investigation found it difficult to legally arrest the suspect behind the 'Love Bug' computer virus.

As such, the need for countries to legislate Cyberlaws relating to Cybercrime arises on an urgent priority basis. Due to the incident, the Philippines has seen the necessity for the passage of a law to penalize cyber crimes, thus the enactment of Republic Act 8792 otherwise known as the Electronic Commerce Act.

2. Penal provisions of The Electronic Commerce Act (R.A. 8792)


Sec. 33. Penalties. - The following acts shall be penalized by fine and/or imprisonment, as follows:

a) Hacking or cracking, which refers to unauthorized access into or interference in a computer system/server or information and communication system; or any access in order to corrupt, alter, steal, or destroy using a computer or other similar information and communication devices, without the knowledge and consent of the owner of the computer or information and communications system, including the introduction of computer viruses and the like, resulting in the corruption, destruction, alteration, theft or loss of electronic data messages or electronic documents, shall be punished by a minimum fine of one hundred thousand pesos (P100,000.00) and a maximum commensurate to the damage incurred and a mandatory imprisonment of six (6) months to three (3) years;

b) Piracy or the unauthorized copying, reproduction, dissemination, distribution, importation, use, removal, alteration, substitution, modification, storage, uploading, downloading, communication, making available to the public, or broadcasting of protected material, electronic signature or copyrighted works including legally protected sound recordings or phonograms or information material on protected works, through the use of telecommunication networks, such as, but not limited to, the internet, in a manner that infringes intellectual property rights shall be punished by a minimum fine of one hundred thousand pesos (P100,000.00) and a maximum commensurate to the damage incurred and a mandatory imprisonment of six (6) months to three (3) years;

c) Violations of the Consumer Act or Republic Act No. 7394 and other relevant or pertinent laws through transactions covered by or using electronic data messages or electronic documents shall be penalized with the same penalties as provided in those laws;

d) Other violations of the provisions of this Act shall be penalized with a maximum penalty of one million pesos (P1,000,000.00) or six (6) years imprisonment.

3. Limitations of the penal provisions of R.A. 8792 (from a Law Enforcement Perspective)

1. The penalties and sanctions do not successfully promote deterrence of cybercrimes.
2. Internet Service Providers (ISPs) are not obligated to maintain very important logs, and their cooperation with law enforcement in the investigation of computer crimes is not defined.
3. Telecommunications companies, as with the ISPs, are not obligated to cooperate with law enforcement in the investigation of computer crimes.
4. Internet cafes/cyber cafes, where most computer crime perpetrators perform the violations, are not obligated to maintain records of their clients and customers.
5. Other offenses committed with the use of computers and/or the internet are not penalized under said law (Internet gambling, Internet pornography, etc.).

CYBERCRIME INVESTIGATION

1. Definition of CYBERCRIMES
CYBER CRIMES are crimes committed:
a. with the use of Information Technology
b. where a computer, network or the internet is the target
c. where the internet is the place of activity

2. Common Types of Cyber Crimes already handled by the NBI


- HACKING / CRACKING
- MALICIOUS EMAIL SENDING
- INTERNET PORNOGRAPHY
- LAUNCHING OF HARMFUL COMPUTER VIRUSES
- DISTRIBUTED DENIAL OF SERVICE ATTACKS (DOS)
- WEBSITE DEFACEMENT
- ACQUIRING CREDIT CARD INFORMATION FROM AN ECOMMERCE WEBSITE
- INTERNET SHOPPING USING FRAUDULENTLY ACQUIRED CREDIT CARDS
- WIRE TRANSFER OF FUNDS FROM A FRAUDULENTLY ACQUIRED CREDIT CARD
- ON-LINE AUCTION FRAUD

2.1. HACKING
Hacking is the act of illegally accessing the computer system/network of an individual, group or business enterprise without the consent or approval of the owner of the system.

2.2. CRACKING
Cracking is a higher form of hacking in which the unauthorized access culminates with the process of defeating the security system for the purpose of acquiring money or information and/or availing of free services.

2.3. MALICIOUS SENDING OF E-MAILS


One of the most prevalent computer crimes in the Philippines, the sending of malicious and defamatory electronic mail, has rendered the traditional threatening letter sent by post obsolete and has likewise become a new medium for extorting money from, or threatening, prospective victims.

Electronic mail, being faster and easier to send to a great number of recipients, entails very little cost and effort compared with traditional paper mail, while giving the sender a sense of anonymity that is hard for an ordinary individual to trace.

2.4. INTERNET PORNOGRAPHY


The trafficking, distribution, posting and dissemination of obscene material, including children's nude pictures, indecent exposure and child sex slavery posted on the internet, as well as live streaming videos aired over the internet for a fee, constitutes one of the most important cybercrimes known today.

A large number of internet pornography sites (IFRIENDS, JADECOOL, NETVENTURES, CAMCONTACTS) offer their surfers live streaming web chats in which a chatter can chat with a girl of his choice in real time in exchange for a fee. Site actresses or models under the ASIAN category are mostly Filipinas, and fees range from $2.00 to $3.99 per minute.

2.5. LAUNCHING OF HARMFUL COMPUTER VIRUSES


A computer virus is a computer program that can copy itself and infect a computer without permission or knowledge of the user. The original may modify the copies or the copies may modify themselves.

COMPUTER VIRUS
A virus can only spread from one computer to another when its host is taken to the uninfected computer, for instance by a user sending it over a network or carrying it on a removable medium such as a floppy disk, CD, or USB drive.

Additionally, viruses can spread to other computers by infecting files on a network file system or a file system that is accessed by another computer. Viruses are sometimes confused with computer worms and Trojan horses.

A worm, however, can spread itself to other computers without needing to be transferred as part of a host. A Trojan horse is a file that appears harmless until executed. In contrast to viruses, Trojan horses do not insert their code into other computer files.

The most classic example is the Love Bug. The subject of the e-mail, a love letter, is so intriguing that a recipient will surely open it out of curiosity.

2.6. DISTRIBUTED DENIAL OF SERVICE ATTACKS (DDOS)


DDoS attacks can be committed by employing multiple computers controlled by a single master computer server to target a particular server by bombarding it with thousands of packets of data in an attempt to overwhelm the server and cause it to crash.

(Diagram: ATTACKER controlling multiple computers that flood the VICTIM server)

2.7. WEBSITE DEFACEMENT


Website defacement is the unauthorized modification of a website.

2.8. ACQUIRING CREDIT CARD INFORMATION FROM A WEBSITE THAT OFFERS E-SERVICES
In the privacy of your own home, if you do not feel like going to the mall to buy something, you can always visit an online shop (e-commerce website), search for almost anything ranging from goods to services, and buy or avail of it with just a click of the mouse.

Several payment methods are offered by such websites: credit card, checking account, or a third-party escrow/payment service such as PayPal or Billpoint.

Using such online shopping methods has certain advantages, but more disadvantages.

When you shop online, the most convenient way to pay for the items you order is through your credit card. When you pay through your credit card, you need to disclose information such as your complete name, postal address, zip code, state, phone number, credit card account number, its expiration date and its security code/PIN (CVV2).

Upon entering the above-mentioned information, it is verified in real time by the site merchant. It usually takes a minute to verify whether the credit card is valid or invalid. If valid, the information you entered is stored in the website's database server.

Hackers look for the file containing the credit card information of all the customers who bought from a certain ecommerce site.

Upon acquiring the file, the hacker decrypts it to make it readable, and all the information of the transactions becomes available.

(Diagram: the hacker breaks in to the merchant server and looks for the file containing credit card transactions; upon finding the file, he downloads it to his computer, decrypts it, and a password/text file is made available.)

Hackers prefer VISA, AMERICAN EXPRESS and MASTERCARD when filtering credit card information, because VISA and MASTERCARD are widely accepted by almost ALL Internet shopping sites, while American Express has no CREDIT LIMIT. American Express credit card numbers start with the digit 3, MasterCard numbers start with 5, and VISA numbers start with 4. American Express cards have a 15-digit account number, while Visa and MasterCard cards have 16.
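The brand rules above are exactly what a merchant needs to find out where its own systems hold card numbers in the clear. The following is an added example, not code from the presentation: it applies the leading-digit and length rules, adds the Luhn check digit that every real card number carries so that order numbers and timestamps are not reported, and masks the hits down to the last four digits. The sample order log is constructed and the card numbers are the well-known synthetic test values.

```python
"""Added example, not from the presentation: find and mask stored card numbers
using the slide's brand rules (AmEx: leading 3, 15 digits; MasterCard: leading 5,
16 digits; Visa: leading 4, 16 digits) plus the Luhn check digit.
The sample log is constructed; the PANs are public synthetic test numbers."""
import re
from collections import Counter

# 15 or 16 digits, optionally grouped with spaces or hyphens, not part of a longer run.
CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){14,15}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check: every second digit from the right is doubled."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def brand(digits: str):
    """Brand by the leading digit and length rules quoted on the slide, else None."""
    if digits.startswith("3") and len(digits) == 15:
        return "American Express"
    if digits.startswith("4") and len(digits) == 16:
        return "Visa"
    if digits.startswith("5") and len(digits) == 16:
        return "MasterCard"
    return None


def _normalise(token: str) -> str:
    return re.sub(r"[ -]", "", token)


def find_pans(text: str):
    """(brand, digits) for each candidate that satisfies both the brand rules and Luhn.
    Luhn filters out most order numbers, but roughly one random 16-digit run in ten
    still passes, so treat hits as leads to confirm rather than as proof."""
    hits = []
    for m in CANDIDATE.finditer(text):
        digits = _normalise(m.group())
        b = brand(digits)
        if b and luhn_ok(digits):
            hits.append((b, digits))
    return hits


def redact(text: str) -> str:
    """Replace each confirmed PAN by asterisks plus its last four digits."""
    def repl(m):
        digits = _normalise(m.group())
        if brand(digits) and luhn_ok(digits):
            return "*" * (len(digits) - 4) + digits[-4:]
        return m.group()          # not a confirmed card number: leave it for review
    return CANDIDATE.sub(repl, text)


def tally(text: str) -> dict:
    """How many stored PANs of each brand a file holds."""
    return dict(Counter(b for b, _ in find_pans(text)))


# Constructed merchant order log: three synthetic test PANs, one number that fails
# Luhn (a mistyped card) and one 16-digit batch reference that is not a card at all.
SAMPLE_LOG = """\
2004-03-02 10:14:01 order=10021 card=4111 1111 1111 1111 exp=05/06 status=approved
2004-03-02 10:15:44 order=10022 card=378282246310005 exp=11/05 status=approved
2004-03-02 10:17:09 order=10023 card=5555-5555-5555-4444 exp=01/07 status=declined
2004-03-02 10:18:30 order=10024 card=4111111111111112 exp=09/06 status=declined
2004-03-02 10:19:12 ref=2004030210191200 note=batch settled
"""
```

Run `find_pans(SAMPLE_LOG)` to list the three stored cards and `redact(SAMPLE_LOG)` to produce a copy of the log safe to hand to a third party.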

2.9. INTERNET SHOPPING USING FRAUDULENTLY ACQUIRED CREDIT CARDS


Hackers, upon acquiring the desired credit card information, conduct window shopping, hopping from one shop site to another looking for cellphones, gadgets, apparel, computer peripherals, software, etc.

When he finds what he wants to buy, he adds the desired item(s) to the shopping cart and checks out.

He will then supply the Credit Card information of the fraudulently acquired credit card such as the Complete name of the cardholder, address, zip code, state, email address, credit card number and expiration date. Other pertinent information such as shipping address of the items ordered will have to be supplied too.

Amazon.com, ebay.com and yahooauctions.com are the e-commerce websites most frequently victimized by credit card hackers.

2.10. WIRE TRANSFER OF FUNDS FROM A FRAUDULENTLY ACQUIRED CREDIT CARD


When a hacker knows your complete credit card information, he can extract CASH from the acquired credit/debit card online. By signing up with Western Union Money Transfer (http://www.westernunion.com) using the fraudulently acquired credit card information, he can pretend that he will just send money to his relative and western union will directly debit the credit card and it will reflect on the billing statement of the original credit card holder.

Unlike shopping sites, wire transfer of funds using credit cards requires the credit card security number (CVV2). Without the 3-digit CVV2, the online merchant will deny the credit card.

2.11. ONLINE AUCTION FRAUD


Performing online auction fraud does not necessarily require the cybercriminal to be a hacker. All he needs is good communication skills, a little knowledge of web development and, of course, fraudulently acquired credit cards.

First, the fraudster signs up for an account at an online auction site such as eBay, Yahoo Auctions or U-Bid.

The fraudster falsifies all information that he enters on the signup page. The only true information is his email address, for he will be contacted by interested bidders by means of email.

He will be asked to provide a credit card; this is where he needs the fraudulently acquired card. When all of the required fields are filled in, his application is approved and he becomes a registered member of the auction site, allowed to bid on and auction any item.

How does it work?
A fraudster needs enough knowledge of web development because he will be making an auction page for the item(s) he auctions. Legitimate bidders find an attractive auction page believable, so if the fraudster makes attractive auction pages, legitimate bidders will not find it hard to decide to place a bid.

A fraudster auctions expensive items such as laptops, cellphones, PDAs (handheld devices), desktop computers, camcorders and hard-to-find memorabilia. He offers them at a lower price so that legitimate bidders bid immediately.

In an online auction, the integrity of a seller is known through his feedback. Feedback is obtained with every successful deal made between a buyer and a seller: if both parties are satisfied with their deal, they leave positive feedback for each other.

A fraudster, in order to obtain positive feedback, makes multiple accounts and exchanges feedback with each account that he made for it to appear as a legitimate transaction.

An online fraudster only accepts payment through personal checks, money orders, wire transfer and Western Union money transfer, as bluntly stipulated on his auction page.

When a legitimate bidder decides to buy an item from the fraudster, he sends the payment through one of the four payment methods specified on the auction page. The fraudster, upon receiving the money, stops all communication with the buyer.

3. TECHNICAL TERMS
ISP: stands for Internet Service Provider. It provides internet service to internet users.
IP Address: a series of numbers assigned by an Internet Service Provider to an internet user when it connects to the Internet.
Dynamic IP Address: a type of IP address that changes every time the internet user accesses his Internet Service Provider. It is usually assigned to dial-up or base-speed broadband service subscribers (eg. ISP Bonanza, Surfmaxx, PLDT myDSL 128kbps service etc.).
Static IP Address: a type of IP address that is constant regardless of the time or number of attempts the internet user accesses the internet. It is usually assigned to high-speed internet users or corporate accounts (eg. ADSL (Asymmetric Digital Subscriber Line) connections, E1 Internet connections, OC3 Internet connections, T1 Internet connections, leased line Internet connections).
Website: a portfolio of a person / organization / entity / company which is posted on the Internet for accessibility worldwide.

4.1. THE INTERNET PROTOCOL (IP) ADDRESS


The INTERNET PROTOCOL (IP) ADDRESS is the anchor of the investigation of all crimes committed via the internet. The identification of the IP Address leads to the identity of the Internet Service Provider (ISP) used to access the internet and eventually the subscriber of the account where the internet activity was performed.

The IP Address as given by the ISP depends on the type of internet account a subscriber maintains, whether it is a DYNAMIC IP or STATIC IP.

(Diagram) DYNAMIC IP ADDRESSING: the same Internet user, connecting through the Internet Service Provider, is assigned 210.213.258.23 at 06-26-04@23:00:33 and 210.213.258.65 at 06-27-04@00:41:58.

(Diagram) STATIC IP ADDRESSING: the Internet user is assigned 202.163.55.23 at 06-26-04@23:00:33 and again 202.163.55.23 at 06-27-04@00:41:58.

(Diagram) CYBERSPACE / World Wide Web (WWW): INTERNET USERS reach the web through PLDT DSL, GLOBE DSL, BAYANTEL / SKYINET and OTHER ISPs.

THE USUAL PROCEDURES


EXTRACTION OF IP ADDRESS
IP addresses can be extracted from the header information of e-mails and from system logs.

WHAT TO DO WITH THE IP?


Subject the obtained IP address to a WHOIS lookup to verify to which Internet Service Provider it belongs. Visit a website capable of WHOIS lookups and verify (eg. www.Checkdomain.com, www.apnic.net etc.).

Results of IP ADDRESS verification

When the ISP name is available, a request or subpoena is sent to the ISP to inquire on the following:

1. Whether the IP address is static or dynamic:
   - If static: subscriber information (name, billing address, installation address, type of internet account, usage and costs etc.), if applicable
   - If dynamic: log reports indicating the telephone number used to make dial-up access

2. Coordinate with the telephone company: request the subscriber name, address and other information.
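The procedure above, from e-mail header to dial-up account, worked end to end on constructed data as an added example (not code from the presentation): it pulls the originating address out of the Received: headers, resolves it against an offline allocation table that stands in for the WHOIS lookup, and, where the address belongs to a dynamic pool, finds the account that held it at the moment the mail was sent. It goes slightly beyond the slides in two places a practitioner hits at once: the Date header's time zone is converted to the ISP log's local time before comparison, and a private relay address in the headers is skipped. All addresses, ISP names, accounts and log lines are placeholders.

```python
"""Added example, not the NBI's own code: the usual procedures run end to end on
constructed data. All addresses, ISP names, accounts and log lines are placeholders."""
import ipaddress
import re
from datetime import datetime, timedelta, timezone
from email import message_from_string
from email.utils import parsedate_to_datetime

IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
# Addresses that can never identify a subscriber: an internal relay, not the sender.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
MANILA = timezone(timedelta(hours=8))  # the constructed ISP log is kept in local time

# Constructed message. Each hop prepends its own Received: line, so the LAST one is
# the first hop and names the client that handed the mail in.
RAW_MAIL = """\
Received: from mail.isp-placeholder.test (mail.isp-placeholder.test [198.51.100.9])
\tby mx.shop-placeholder.test with ESMTP; Thu, 4 Mar 2004 09:40:30 +0000
Received: from [192.168.1.7] (dialup-23.isp-placeholder.test [203.0.113.23])
\tby mail.isp-placeholder.test with SMTP; Thu, 4 Mar 2004 09:40:12 +0000
From: buyer-placeholder@example.test
Date: Thu, 4 Mar 2004 17:40:01 +0800
Subject: delivery of order
"""

# Stand-in for the WHOIS step (the real lookup queries a registry such as APNIC).
ISP_ALLOCATIONS = [
    (ipaddress.ip_network("203.0.113.0/24"), "Placeholder-Net dial-up pool", "dynamic"),
    (ipaddress.ip_network("198.51.100.0/24"), "Placeholder-DSL", "static"),
]

# Constructed access-server log. A dynamic pool reuses addresses: the same IP belongs
# to different accounts at different times, so only the timestamp decides.
ISP_LOG = """\
2004-03-04 16:12:05 START user=dial0417 caller=+63-2-555-0101 ip=203.0.113.23
2004-03-04 17:31:40 STOP  user=dial0417 ip=203.0.113.23
2004-03-04 17:35:02 START user=dial0928 caller=+63-2-555-0199 ip=203.0.113.23
2004-03-04 18:50:11 STOP  user=dial0928 ip=203.0.113.23
"""
LOG_LINE = re.compile(r"(\S+ \S+) (START|STOP)\s+user=(\S+)(?: caller=(\S+))? ip=(\S+)")


def originating_ip(raw_message: str):
    """Sender-side routable IPv4 from the Received: chain, bottom hop first, or None."""
    msg = message_from_string(raw_message)
    for received in reversed(msg.get_all("Received", [])):
        for text in IPV4.findall(received):
            try:
                addr = ipaddress.ip_address(text)
            except ValueError:          # an octet above 255: not a real address
                continue
            if not any(addr in net for net in NON_ROUTABLE):
                return str(addr)
    return None


def lookup_isp(ip: str):
    """(ISP name, 'static' or 'dynamic') for ip, or None if not in the table."""
    addr = ipaddress.ip_address(ip)
    for net, isp, kind in ISP_ALLOCATIONS:
        if addr in net:
            return isp, kind
    return None


def session_for(ip: str, when_iso: str, log: str = ISP_LOG):
    """(user, caller) whose session held ip at when_iso (ISO 8601 with UTC offset)."""
    local = datetime.fromisoformat(when_iso).astimezone(MANILA).replace(tzinfo=None)
    open_sessions = {}
    for line in log.splitlines():
        m = LOG_LINE.match(line)
        if not m or m.group(5) != ip:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        event, user, caller = m.group(2), m.group(3), m.group(4)
        if event == "START":
            open_sessions[user] = (ts, caller)
        elif user in open_sessions:
            start, caller = open_sessions.pop(user)
            if start <= local <= ts:
                return user, caller
    for user, (start, caller) in open_sessions.items():  # still connected at log end
        if start <= local:
            return user, caller
    return None


def trace(raw_message: str, log: str = ISP_LOG) -> dict:
    """Chain the three steps and report what each of them established."""
    result = dict(ip=originating_ip(raw_message), isp=None, kind=None, user=None, caller=None)
    hit = lookup_isp(result["ip"]) if result["ip"] else None
    if hit is None:
        return result
    result["isp"], result["kind"] = hit
    if result["kind"] == "dynamic":   # static: the ISP's subscriber record suffices
        sent = parsedate_to_datetime(message_from_string(raw_message)["Date"])
        sess = session_for(result["ip"], sent.isoformat(), log)
        if sess:
            result["user"], result["caller"] = sess
    return result
```

`trace(RAW_MAIL)` shows the point of the timestamp: two accounts used 203.0.113.23 that afternoon, and only the session covering 17:40 local time names the right caller.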

PROCESSING INFORMATION FROM ISP AND PHONE COMPANY

1. Technical surveillance, if applicable
Visit the website concerned to determine whether it is still active and/or to secure additional information through links and affiliations. Establish communication with the subject through e-mail. Download resource materials.

2. Physical surveillance
Visit the addresses provided by the ISP/phone company to determine the actual physical existence of the address. Compare the results with the information provided.

VERY IMPORTANT: The address of the subscriber as given by the ISP or Phone Company should be analyzed to determine whether it is a Billing Address or an Installation Address. For purposes of a search warrant application, the Installation Address is the more important matter to consider.

***The purpose of a Search Warrant application/ implementation in a cyber crime investigation, as with any other offense is to confiscate and seize the instruments/implements, tools used in the commission of the offense.

***Since the crime was committed with the aid of a computer, the same and its peripherals are the instruments used in its commission.

***Apart from being the instrument used in the commission of the offense, its hard disk opens further avenues for evidence through forensic examination.

PHYSICAL SURVEILLANCE of the address as provided by the ISP/Phone Company confirms whether the same is a Billing Address or an Installation Address. Apart from the above, all other indicators of the existence of a criminal activity in the area may be confirmed through physical surveillance.

Physical surveillance likewise results in the acquisition of other evidence or the discovery of additional indicators of the existence of an illegal activity in the area.

The results of the above evaluation would dictate the succeeding actions to be undertaken by law enforcement. A search warrant operation is the most viable thing in order to confiscate the computer and other instruments utilized to commit the offense and arrest the perpetrator.

Indicators of Internet connection:
- protruding wires on PLDT/Bayantel/other telephone boxes
- visible signal receiver for wireless internet access (SmartBro, Globe Wireless Broadband, etc.)

Other non-IT indicators:
- occupants, frequent visitors
- electric billings
- phone billings
- neighbor testimonies

CASE SAMPLE
PENGENGREGALO.COM.PH, a company based in Makati, is engaged in the business of delivering gifts ordered via the internet to its customers. Customers who intend to order gifts access the company's website and click on a link to choose the type of merchandise they want delivered. Upon input of their credit card details and e-mail address, the customer indicates the date, place and time at which the items are to be delivered.

In March 2004, the company was victimized by an offender who used the e-mail address greedyme@yahoo.com to order electronic supplies valued at P 80,000.00 using fraudulently acquired credit card information. Prior to delivery, the offender requested that the items be delivered by the company's courier to the McDonald's restaurant on Boni Avenue, Mandaluyong City, at around 5:00 PM on March 04, 2004, where the customer's messenger would be stationed purposely to pick up the merchandise.

Days after delivery, the company received notice from the credit card company that the card owner had submitted a dispute resolution denying that he made the order. A subsequent investigation by the company revealed that it had been victimized by a fraudster.

Results of Investigation
1. Extraction of the IP address resulted in the following: the IP address relative to the orders belonged to a local ISP. Verification with the ISP indicated that it was a static IP belonging to a subscriber who maintains an internet café in Mandaluyong City.
2. The internet café was visited, but no records were maintained as to its users. The café, however, had records of the time and the corresponding workstation used by customers per day.
3. The café employee luckily recollected what the workstation user looked like. A cartographic sketch was prepared based on the description given by the witness.
4. The cartographic sketch of the user was presented to the courier's delivery man, who confirmed that they were one and the same person.
5. Separate verification was made with YAHOO!USA, through the United States Department of Homeland Security, requesting all available IP addresses pertinent to usage of the e-mail address greedyme@yahoo.com.
6. Various IP addresses were provided by YAHOO!USA. The last three IP addresses corresponded to the IP address of the cyber café, while the Yahoo logs pointed to the first IP addresses as corresponding to the creation of the Yahoo account.
7. A domain check/trace routing of the IP addresses led to the identification of their corresponding local ISP.
8. A review of the logs of the ISP pinpointed the telephone number used to access the internet by dial-up.
9. The phone company provided the subscriber information for the telephone number. The address pointed to a residential apartment on Baranca Drive, Mandaluyong City.
10. A search warrant application followed.
11. Service of the search warrant resulted in the confiscation of the computer used to open the Yahoo account.
12. The arrested subject was identified by the café employee and the courier's delivery man.
13. Forensic examination of the confiscated hard disk yielded an e-mail from the subject to his friend dated March 05, 2004, offering electronic supplies for sale.
14. A separate search warrant was applied for, leading to the recovery of the electronic supplies from the fence, who was charged with violation of the Anti-Fencing Law.

CYBER INCIDENT RESPONSE


TYPES OF INCIDENT RESPONSE
1. Based on a 3rd Party Request
2. Seizure by Search Warrant

***Regardless of whether the incident response is based on a 3rd party request or by virtue of a search warrant operation, the same would always involve a technical and investigative phase of work.

TWO PHASES OF INCIDENT RESPONSE


Technical Aspect - The technical aspect of computer crimes investigation, being very technical, is usually assigned to the most IT-literate personnel of the Command. The IT guy is given the task of evaluating how the crime was committed, whether via the internet or by any other means in which computer technology was utilized.

In most cases, the IT guy takes part in the entirety of the investigation, because his expertise and knowledge are utilized every step of the way. He collects data on the internet, conducts surveillance on the internet, testifies in search warrant applications, assists in the service of search warrants, examines seized computer-related evidence and assists in the proper handling and storage of evidence. On top of these numerous tasks, the IT guy is given the work of preparing a forensic report that should be understandable to all possible users.

TWO PHASES OF COMPUTER CRIMES INVESTIGATION


Investigative Aspect - The common notion that the investigation of computer crimes should only be assigned to computer-literate individuals is becoming a thing of the past. Nowadays, ordinary investigators with sound knowledge and experience in the investigation of any type of case and a little knowledge of the internet qualify as computer crimes investigators.

In the investigation of computer crimes, the basic procedures of ordinary investigation are likewise followed, such as:
- evaluation of initial information to determine possible violations of existing penal/special laws;
- interviews and sworn statement taking of complainants and witnesses;
- record check/s;
- procurement of testimonial, physical and documentary evidence;
- physical surveillance;
- possible search warrant applications;
- possible search warrant implementations;
- interview and interrogation of subject/s.

BASED ON A 3RD PARTY REQUEST


INITIAL STAGE - The receipt of the request. When a request for investigation of possible computer crimes is received, the investigator who receives the request must take note of the following:
- the name of the caller, his address, contact numbers and his knowledge of the crime committed;
- the victim (this is essential because the caller may not be the victim himself);
- the nature of the computer crime/s;
- the time and date of discovery of the crime;
- the location of the compromised computer/s;
- the possible suspect/s;
- the immediate damage caused by the crime.

INVESTIGATION PROPER
INVESTIGATIVE STAGE - The formation of the team to conduct field work at the victim's computer.
THE TEAM:
- Agent-on-case
- the note taker
- evidence man
- investigative photographer
- the IT guy

In the formation of the team, the Agent-on-case would have to consider the nature of case, the extent of possible damage caused by the crime and the availability of personnel to join the field work. In most cases, the agent-on-case would decide on the composition of the team and the extent of work to be done.

INVESTIGATION PROPER
THINGS TO BE BROUGHT FOR FIELD WORK

- Investigative Notes, Consent Form, Chain of Custody Form, etc.
- Floppy diskette for volatile data
- Compact discs with Immediate Response (IR) tools
- Camera, videocam and films
- Evidence bags and tags
- Forensically wiped hard discs
- The on-site apparatus

INVESTIGATION PROPER
The FIELD WORK
Upon arrival at the scene, the Agent-on-case coordinates with the caller/requesting party and conducts an initial interview to determine the following:
- the caller's knowledge of the discovered computer crime and/or the person most knowledgeable of the crime;
- the person who discovered the crime;
- the location of the compromised computer/s;
- possible damage;
- possible offenders.

VERY IMPORTANT: In the event that the requesting party has no authority to give the express consent, the TEAM should not proceed with the initial examination of the compromised computer and the immediate vicinity of the same. The examination and search only follows suit after express written consent was already acquired.

INVESTIGATION PROPER
After an initial interview, the Agent-on-case would have to request the requesting party to lead the team to the location of the computer. However, before proceeding with the search and initial examination of the compromised computer, the Agent-on-case would have to seek the express written permission of the requesting party to conduct an examination of the same and a search of the immediate vicinity where the computer was located. Most important of all, the investigator tasked to take down notes should be jotting down on his Investigative Notes the time of arrival in the place and all other information acquired during the interview.

INVESTIGATION PROPER
To start the examination/search, the TEAM performs the following:
1. takes note of the state of the computer upon arrival at the area (whether it is on/operational, turned off, etc.) and photographs it (back and front);
2. the IT guy saves volatile data to the diskette with the use of the IR tools (CD) while photographing the process;
3. after saving the volatile data, the IT guy unplugs the computer (without shutting down/logging out), then photographs the computer once again;
4. the team then reviews the immediate vicinity of the compromised computer;
5. the evidence man bags the diskette with volatile data and the IR tools (CD) together with the other items secured during the immediate search.

VERY IMPORTANT: In the entirety of all these, the note taker jots down all the procedures undertaken on his Investigative notes.

INVESTIGATION PROPER
After the above procedures, the Agent-on-case inquires from the requesting party whether the hard disk/s of the compromised computer can be brought to the NBI. If the requesting party denies this, the TEAM prepares an on-site copy of the compromised hard disk/s.
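The two disk-handling steps above (the forensically wiped target disks brought to the scene and the on-site copy made when the original cannot be taken) both stand or fall on integrity checks. The following is an added example, not the NBI's own tooling: it confirms that a target disk really reads back as all zeros before the copy is written onto it, hashes both sides to prove the copy matches, and keeps the result in a chain-of-custody record that can be re-verified later. Disks are modelled as in-memory file objects; item names and the handler are placeholders.

```python
"""Added example, not from the presentation: integrity checks around an on-site disk
copy. Any binary file or device handle with read/seek/write works in place of the
constructed in-memory disks used below."""
import hashlib
import io
from datetime import datetime, timezone

CHUNK = 1 << 20  # 1 MiB reads keep memory flat on disks far larger than RAM


def is_wiped(dev) -> bool:
    """True if every byte of dev is 0x00, i.e. the target carries no old data."""
    dev.seek(0)
    while True:
        piece = dev.read(CHUNK)
        if not piece:
            return True
        if piece.count(0) != len(piece):
            return False


def sha256_of(dev, limit=None) -> str:
    """SHA-256 of the first `limit` bytes of dev (the whole device if None)."""
    dev.seek(0)
    h = hashlib.sha256()
    remaining = limit
    while remaining is None or remaining > 0:
        piece = dev.read(CHUNK if remaining is None else min(CHUNK, remaining))
        if not piece:
            break
        h.update(piece)
        if remaining is not None:
            remaining -= len(piece)
    return h.hexdigest()


def acquire(source, target, handler: str, item: str, custody: list):
    """Copy source onto target, append a custody record and return the hash.
    A target that is not blank is refused (and the refusal logged) so that data left
    from an earlier case can never be mistaken for this case's evidence."""
    stamp = datetime.now(timezone.utc).isoformat()
    if not is_wiped(target):
        custody.append({"item": item, "action": "refused: target not blank",
                        "handler": handler, "time": stamp})
        return None
    source.seek(0)
    target.seek(0)
    size = 0
    for piece in iter(lambda: source.read(CHUNK), b""):
        target.write(piece)
        size += len(piece)
    src_hash = sha256_of(source)
    dst_hash = sha256_of(target, limit=size)   # the target device may be larger
    if src_hash != dst_hash:
        raise RuntimeError(f"copy of {item} does not match its source")
    custody.append({"item": item, "action": "on-site image", "handler": handler,
                    "time": stamp, "size": size, "sha256": src_hash})
    return src_hash


def verify(dev, custody: list, item: str) -> bool:
    """Re-hash dev and compare it with the latest image record for item."""
    records = [r for r in custody if r["item"] == item and "sha256" in r]
    if not records:
        return False
    rec = records[-1]
    return sha256_of(dev, limit=rec["size"]) == rec["sha256"]


def sample_disks():
    """Constructed stand-ins: a compromised disk, a wiped target and a reused one."""
    compromised = io.BytesIO(b"constructed contents of the compromised disk\n" * 2000)
    wiped = io.BytesIO(bytes(150_000))
    reused = io.BytesIO(bytes(64) + b"leftover data from a previous case" + bytes(64))
    return compromised, wiped, reused
```

Hand the custody list to whoever fills in the Chain of Custody Form; a later `verify()` against the stored hash is what shows the copy was not altered between the scene and the examination.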

The most difficult stage of the investigation sets in the moment the investigators start determining the identity of the offender/s and his whereabouts. In doing so, the investigators may make use of the following:
- information obtained from the victim/requesting party and witnesses;
- results of the examination of the compromised computer/s and other items procured during field work;
- domain check/trace routing of the captured Internet Protocol address of the subject;
- verification with the Internet Service Providers of the victim and the offender;
- verification with telecommunications companies.

INVESTIGATION PROPER
Upon procurement of the address of the possible suspect, the agent-on-case then proceeds with the physical surveillance of the area to acquire other evidence that may be essential in the application for search warrant.

THINGS TO CONSIDER IN A SEARCH WARRANT APPLICATION


Level of IT Literacy of the Judge where the Search Warrant application will be made. Expect to give a crash course to the Judge on the operation of the internet.

THINGS TO CONSIDER
Convince Judge on the following matters:
- whether a computer crime was indeed committed;
- that the offense committed indeed transpired in the place where the search warrant is being applied for;
- that the instruments/implements used in the commission of the offense are still located and found in the area;
- that the offender is an occupant/owner or had access to the place where the search warrant is being applied for.

THINGS TO CONSIDER
The immediacy and necessity to apply for and implement the search warrant. One advantage of a cyber criminal is the level of anonymity he maintains prior to, during and subsequent to the commission of the offense. Establishing the identity of the suspect is another problem that law enforcement encounters even after the search warrant has been implemented.

INCIDENT RESPONSE BY VIRTUE OF A SEARCH WARRANT


***As with an incident response involving a 3rd party request, one involving a search warrant entails the same set of procedures.

THE PRE-OPN BRIEFING


- Nature of the Case
- Nature of the Operation
- Security Issues
- Evidentiary Issues

The formation of the team to conduct the operation at the Subject's computer.


THE TEAM
- Assault Team
- Perimeter Team
- Searching Team
- Photographer
- Inventory Man/Evidence Man
- IT Guy

In the formation of the team, the Agent-on-case would have to consider the nature of case, the extent of possible damage caused by the crime and the availability of personnel to join the raid. In most cases, the agent-on-case would decide on the composition of the team and the extent of work to be done by each member.

The most important matters to consider in forming the team would be:
- experience and capabilities of each member
- security issues

***An agent-on-case would rather lose evidence than lose a member of his team.

REMEMBER: Every police operation may encounter possible resistance from subjects, regardless of the nature of the case.

THE RAID PROPER
1. Securing the Area for:
 a. Safety of occupants, raiding team
 b. Preservation of evidence

As soon as the area has been secured:
1. IT guy runs Immediate Response (IR) Tools
 - mostly done on computer intrusion cases/events where a computer system has been compromised;
 - the primary purpose of which is the development of a well understood and predictable response to find additional evidence, damaging events and computer intrusions.

2. IT guy saves Volatile Data, which includes:

- Suspect/Victim's current system time and date
- Processes currently running in the suspect/victim's system memory
- Suspect/Victim's current network configuration
- Suspect/Victim's current network connections
- Users currently logged onto the suspect/victim's system
- Applications currently listening on open sockets
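The six items above, collected in that order by a script, as an added example that is not code from the lecture or the NBI: it assumes a Linux/Unix host where `ip` and `ss` are the network tools, and a tool missing from the host is noted in the report rather than stopping the collection. The hash it writes for the finished report is the value the Inventory Man would enter on the Chain of Custody Form.

```shell
#!/bin/sh
# Added example, not from the lecture or the NBI: collects the six kinds of
# volatile data listed above, in that order, into one report file, then hashes
# the report so the hash can be entered on the Chain of Custody Form.
# Assumptions: a Linux/Unix host with POSIX sh; "ip" and "ss" are the network
# tools used here, and any tool missing from the host is noted, not fatal.

# run_section LABEL CMD... : append a labelled section to stdout.
run_section() {
    label=$1; shift
    printf '\n=== %s ===\n' "$label"
    if command -v "$1" >/dev/null 2>&1; then
        "$@" 2>&1 || printf '[%s exited with status %s]\n' "$1" "$?"
    else
        printf '[tool not available on this host: %s]\n' "$1"
    fi
}

# collect_volatile OUTDIR : writes OUTDIR/volatile.txt and OUTDIR/volatile.sha256
# and prints the path of the report file.
collect_volatile() {
    outdir=$1
    mkdir -p "$outdir" || return 1
    report="$outdir/volatile.txt"
    {
        printf '=== VOLATILE DATA COLLECTION (hostname: %s) ===\n' "$(hostname 2>/dev/null || echo unknown)"
        run_section "1. Current system time and date" date
        run_section "2. Processes currently running" ps -ef
        run_section "3. Current network configuration" ip addr
        run_section "4. Current network connections" ss -tunap
        run_section "5. Users currently logged on" who
        run_section "6. Applications listening on open sockets" ss -tulpn
        printf '\n=== END OF COLLECTION ===\n'
    } > "$report"
    # Record the hash of the finished report for the Chain of Custody Form;
    # shasum is the fallback on hosts without GNU coreutils.
    if command -v sha256sum >/dev/null 2>&1; then
        (cd "$outdir" && sha256sum volatile.txt > volatile.sha256)
    else
        (cd "$outdir" && shasum -a 256 volatile.txt > volatile.sha256)
    fi
    printf '%s\n' "$report"
}

# Stand-alone use: collect_volatile.sh /media/evidence/case-XXXX (placeholder path)
if [ $# -gt 0 ]; then
    collect_volatile "$1"
fi
```

Write the report to removable media brought by the team, never to the compromised system's own disk, so the collection does not overwrite evidence there.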

When to use HELIX?

Its primary use is as a computer forensics and incident response tool. It is distributed as a live CD so as not to make any changes to the host computer's hard drive.

Knock and Talk approach: this is used for Suspects who are willing to let investigators have a glimpse/preview of their system.

***Again, as with an ordinary incident response, the Investigative Notes, from the time of the Pre-Opn Briefing until the last step of the forensic process is finished, should be prepared in order to document all the steps undertaken.

Chain of Custody of Evidence: The designated Inventory Man, after preparation of the Inventory Sheet, undertakes to trace the process of evidence transfer by means of a Chain of Custody Form.

Transporting Electronic Evidence

- Do not put the computer in the trunk
- Police radio transmitters can damage the hard drive and destroy evidence
- Avoid radio transmissions while transporting

STORAGE OF EVIDENCE
SUITABLE PLACES TO STORE EVIDENCE:
From Raid and Prior to Forensics:
During Forensics and After:

***The transfer of evidence from the place of the raid to the laboratory and so on should be properly recorded in the Chain of Custody Form and the Investigative Notes.

FORENSICS
The forensic examination of seized computer-related evidence is the heart and soul of a computer crime investigation. In forensics, the investigator confirms his earlier suspicions and theories and settles all doubts as to the case.

FORENSIC TOOL KIT (FTK)
- Manufactured by AccessData in the USA
- Used and widely accepted as a forensic tool/software by most law enforcement agencies worldwide

- CAPABILITIES

ENCASE
- Manufactured by Guidance Software, USA
- Used and widely accepted by most law enforcement agencies worldwide

CAPABILITIES

ENCASE

PARABEN

THE FORENSIC REPORT

For cases where there are multiple occupants of the premises, there is a need to determine the real culprit for purposes of filing a case.

IDENTIFYING THE SUBJECT

Process of Elimination in terms of:


- actual access to the subject computer by occupants of the premises
- IT proficiency and experience of occupants of the premises in the use of the internet
- motive
- past activities of occupants of the premises
- Forensic Results

PRACTICAL EXERCISES

Help Us Combat Crimes Visit www.nbi-afccd.ph


CYBER CRIMES
