Cybercrime and Cyber-Related Incident Response Operations
Cybercrime
• Cybercrime, also called computer crime, is the use of a computer as an
instrument to further illegal ends, such as committing fraud, trafficking in child
pornography, violating intellectual property rights, stealing identities or violating
privacy. What distinguishes cybercrime from traditional criminal offences is the
use of the computer in committing the offence. Most cybercrime is an attack on
the information of individuals, governments or corporations.
• To combat and prevent cybercrime, the government of the Philippines
enacted Republic Act No. 10175, the Cybercrime Prevention Act of 2012. The
Act was signed into law by President Benigno S. Aquino III on September 12,
2012. Its original goal was to penalize acts such as cybersex, child pornography
and identity theft.
Punishable Acts
The punishable acts covered by the Cybercrime Prevention Act of 2012 include
the following:
1) Illegal Access
2) Illegal Interception
3) Data Interference
4) System Interference
5) Misuse of Devices
6) Cybersquatting
7) Computer-related Forgery
8) Computer-related Fraud
9) Computer-related Identity Theft
10) Cybersex
11) Child Pornography
12) Libel (Cyber Libel)
13) Aiding or Abetting in the Commission of Cybercrime
14) Attempt in the Commission of Cybercrime
Cybercrime Response
Cybercrime response is the actual police intervention in a cybercrime or
cyber-related incident in which the acquisition of matters of evidentiary value
is traceable to the computer's hardware, software and network.
Guidelines in Responding to Cybercrime
and Cyber-Related Incidents
1) When responding to a cybercrime incident, or to a crime scene where Information
and Communication Technology (ICT) equipment (e.g., computers, digital storage devices
and other electronic devices or equipment) is present, the First Responder (FR) must
protect and preserve the crime scene and seek the assistance of the station
Investigator-on-Case (IOC) to identify potential evidence, such as the following:
a) Contraband or fruits of the crime;
b) Tools used in the commission of the crime; and/or
c) Other items that may have been used in the commission of the crime.
2) The FR shall immediately coordinate with the nearest Anti-Cybercrime Group (ACG)
office, through the station Tactical Operations Center (TOC) or the IOC, for assistance.
Upon arrival, the ACG personnel shall immediately conduct the "bag and tag" procedure
on the digital evidence and turn it over to the IOC.
3) The concerned investigating unit shall secure and submit a court order and the
other necessary legal requirements for the ACG to conduct a digital forensic
examination in accordance with the Rule on Cybercrime Warrants. The seized
evidence shall then be subjected to digital forensic examination by the PNP ACG.
The result of the forensic examination, together with the testimony of the
forensic examiner, shall be made available at trial.
Preservation of Seized Computer
Once it has been determined how the computer was used in the commission of
the crime, and once the legal requirements have been complied with, the
following guidelines apply to the preservation of the seized computer:
1) Secure the scene
a) The officer's safety is always paramount.
b) Preserve the area for potential fingerprints.
c) Immediately restrict access to the computer.
d) Disable the internet connection (for example, by unplugging the network cable)
to prevent remote access to the computer.
2) Secure the computer as evidence
a) If the computer is "OFF", do not turn it "ON".
b) If the computer is "ON", do not turn it "OFF", and do not touch its mouse or
keyboard.
3) For stand-alone (non-networked) computers
a) Consult a Digital Forensic Examiner.
b) If a Digital Forensic Examiner is not available, the station IOC shall perform the following:
(1) Photograph the screen, then disconnect all power sources and plugs, including those at
the back of the computer;
(2) Cover or put tape over each drive slot;
(3) Photograph (or make a diagram of) and label the parts located at the back of the
computer, including its connections;
(4) Label all connectors and cable ends so the system can be reassembled as needed
(for example, the socket marked "A" and its cable end also marked "A");
(5) If transport is required, pack the components as "fragile cargo" prior to transport;
(6) Keep the components away from magnets, radio transmitters and other hostile
environments; and
(7) Ensure that only the Digital Forensic Examiner conducts the search for any
evidence contained in the computer hardware.
4) For networked computers (or business computers)
a) Consult a Digital Forensic Examiner for assistance.
b) Do not immediately pull the plug, in order to prevent the following:
(1) Severe damage to the system;
(2) Disruption of legitimate business; and
(3) Possible liability of the police officers.
5) For a ransomware or malware attack on a computer
a) Consult a computer specialist for assistance;
b) Immediately disconnect the computer from the network to prevent the malware
from spreading to other computers on the same network; and
c) Do not immediately pull the plug; wait for the computer specialist to arrive.
Powering the computer off destroys volatile data (running processes, active network
connections and any encryption keys still held in memory) that the specialist may
need for analysis or recovery.
Guidelines in the Treatment of Other Electronic
Data Storage Devices
The IOC should understand that other electronic devices may contain viable
evidence associated with the crime. The IOC must ensure that such a device is
not accessed unless a warrant has been issued.
Preservation of Seized Mobile
Communication Devices
Once it has been determined how the mobile communication device was used in
the commission of the crime, the following guidelines shall be followed:
1) If the device is turned "ON", do not turn it "OFF", as doing so could activate a
lockout feature.
a) Take a photograph of the screen display and write down all information shown on it;
b) If possible, switch on airplane/flight mode or place the device in a signal-blocking
container, if one is available, and record the steps undertaken;
c) If the device is locked, do not attempt to unlock it; and
d) Bring along the power supply cord of the seized device if it is found at the scene.
2) If the device is turned "OFF", leave it "OFF", as turning it on could alter evidence
on the device.
Internal Security Operations
The PNP shall provide active support to the Armed Forces of the Philippines (AFP)
in Internal Security Operations (ISO) for the suppression of threat groups (TGs)
and other serious threats to national security. In the conduct of ISO, the PNP
quad concept shall be integrated and applied.
The PNP in an Active Support Role
1) In white areas of operation, the PNP may assume the lead role in ISO against
TGs, other threats to national security and organized crime groups (OCGs) engaged
in armed offensives. In red areas of operation, the AFP assumes the lead role.
2) Coordination with the territorial AFP and other uniformed services must be
made in writing before the conduct of ISO. In justifiable circumstances, however,
electronic means may be allowed.
3) Specific areas where atrocities initiated by TGs occurred, such as but not
limited to ambush, harassment, arson, raid, liquidation and bombing, shall be
treated as a crime scene. The local police unit (LPU) shall conduct the Crime Scene
Investigation (CSI).
4) Specific areas where armed encounters occurred shall likewise be investigated
by the LPU for purposes of evidence and intelligence gathering.
Target Hardening
Police stations, patrol bases of mobile forces and established checkpoints,
especially those located in far-flung areas, are prone to attack. Security
measures to prevent atrocities by terrorist groups must therefore be undertaken,
such as but not limited to:
1) Conduct security surveys and inspections to assess defense viability;
2) Strengthen physical security measures and defenses to prevent unauthorized
access;
3) Develop security consciousness among personnel through education and
training;
4) Conduct regular Red Teaming operations to check the security plan and provide
solutions to the gaps identified;
5) Conduct community organization and mobilization activities to encourage the
community to immediately report the presence and plans of TGs;
6) Internalize and put into practice the 11 General Orders of a Duty Guard.
Likewise, personnel on duty shall always carry their issued long firearms and
ammunition rigs/bandoliers with basic load, and wear bulletproof vests;
7) Whenever an arrested individual is identified as a member of, or associated
with, a TG, a mandatory DNA sample shall be collected from the arrested
individual upon request of the arresting police unit to the PNP Crime Laboratory
(PNP CL), in support of the investigation and as part of the PNP's records/database
for future investigation and intelligence operations; and
8) Regularly conduct simulation exercises on camp defense to improve the
operational readiness and capabilities of PNP personnel.