CHAPTER 1

THE BACKGROUND AND ITS SETTING

Introduction

In a world where “cloud”, “web applications” and “bring your

own device” are becoming general trends, it’s time to dive into

the mind of a cyber criminal.  We live in a world where IT

becomes a general availability. Where people want to have their

freedom, their own space, their own identity and especially their

own tools. In that same world “consumerization” started a growing

tendency for new IT to emerge first in the consumer market and

then spread into business and government organizations.

With the phenomenal growth of the Internet, more and more

people enjoy and depend onthe convenience of its provided

services. The Internet has spread rapidly to almost all over

theworld. Up to June 2008, the Internet has distributed to over

233 countries and world regions,and has more than 1.46 billion

users. Unfortunately, the wide use of computer and Internet also

has opened doors to cyber attackers. There are different kinds of

attacks that an enduser of a computer or Internet has to face.

For instance, there may be various viruses on thehard disk, there

may be several backdoors opened in the operating system, and

there may be lot of phishing e-mails in his/her mailbox. Also,

more and more fraud activities appear in online advertising

networks and online auction systems. According to the 2008 CSI

computer crime& security survey by Computer Security Institute

(CSI), cyber attacks cause a lot of money losses each year.

Network attackers can easily hide their identities through IP

spoofing, stepping stones, network address translators (NATs),

Mobile IP or other ways, and thereby reduce the chance of being

captured. The current IP network infrastructure lacks measures

and cannot effectively deter and identify motivated and well-

equipped attackers. Therefore, innovative trace back schemes are

required to attribute the real attackers. By the way, network

traffic always comes with high rate in distributed format without

obvious beginning and ending.1

These properties make network traffic much different

compared with traditional data sets, and data stream model is

1Linfeng Zhang (Effective Techniques For Detecting and Attributing Cyber Criminals, 2008)

Page | 2

more feasible to analyse network traffic. In our research, we

study and design efficient and effective techniques for detecting

and attributing cyber criminals. We generally consider two kinds

of fundamental techniques:2forensics-soundattack monitoring and

trace back, and forensics-sound online fraud detection. We hope

that our work may serve as fundamental components which can be

widely applied innetwork security and many other domains.

Computers are used to commit crime and are the target of

crime every day. Besides the magnitude and scope of the threat,

one of the greatest challenges in fighting computer crime resides

in the fundamental nature of the computing world. Cyber space is

dynamic and changes often at a rapid pace. A computer’s

increasing sophistication, in terms of power capacity and

communication speed, increases the criminal opportunity for

motivated offenders as well as the availability of suitable

targets. Moreover, the worldwide computer network has transformed

computer crime from a local problem to an international security

issue.

Cyber threats are currently significant enough to become a

national security priority in several western countries including

Page | 3

the United States. In order to better understand the challenges

that the United States‟ cyber infrastructures are facing, it is

necessary to examine how government agencies are addressing the

threats posed by those who perpetrate computer-based crimes and

attacks. On one hand, we know that computer crimes are often a

“hi-tech” version of more traditional crimes such as theft,

espionage, sabotage, and fraud. On the other hand, the

ramification of cyber crimes are so extensive and technologically

complex that they require specific knowledge to better understand

the evolving nature of the threats as well as the tactics and

strategies to investigate them.

Cybercrime goes beyond the technical, transnational

dimension and involves offenders who deliberately fashion their

attacks to exploit the potential weaknesses present in the

infrastructure’s transnational nature. It threatens the

substantial and growing reliance of commerce, governments, and

the public upon theinformation infrastructure to conduct

business, carry messages, and process information. Cybercrime is

one of the fastest growing non-violent crimes in the Asian

region. It takes a great deal of technical expertise and co-

Page | 4

operation, both local and foreign, in order to address such

problems. This crime affects different countries in varying

degrees, depending on the extent of the legislative enactment of

each country. In the Philippines, as technical and electronic

landscapes change, there is a need to enact laws or amend

existing laws to fully address cyber threats.

The public is aware of the importance of legislation that

supports police efforts against computer crimes. Onel de Guzman,

the Philippine dropout who, in August 2000, created and unleashed

a remarkably dangerous computer virus called “I LOVE YOU”, cost

several companies, governments, and citizens billions of US

dollars in damages. In August of the same year, charges against

him in our country were dismissed, mainly because we had not yet

passed legislation addressing the crimes he had committed. The

public around the world is justifiably outraged.

Legal Basis

Computers are used to commit crime and are the target of

crime every day. Besides the magnitude and scope of the threat,

one of the greatest challenges in fighting computer crime resides

Page | 5

in the fundamental nature of the computing world. Cyber space is

dynamic and changes often at a rapid pace. A computer’s

increasing sophistication, in terms of power capacity and

communication speed, increases the criminal opportunity for

motivated offenders as well as the availability of suitable

targets. Moreover, the worldwide computer network has transformed

computer crime from a local problem to an international security

issue.

An act providing for the recognition and use of electronic

commercial and non-commercial transactions and documents,

penalties for unlawful use thereof and for other purposes. Be it

enacted by the senate and house of representatives of the

republic of the Philippines in Congress assembled:

Republic Act No. 8792 of Philippines Electronic Commerce Act

of 2000, An act providing for the recognition and use of

electronic commercial and non-commercial transactions and

documents, penalties for unlawful use thereof and for other

purposes Be it enacted by the senate and house of representatives

of the republic of the Philippines in congress assembled:The

State recognizes the vital role of information and communications

Page | 6

technology (ICT) in nation-building; the need to create an

information-friendly environment which supports and ensures the

availability, diversity and affordability of ICT products and

services; the primary responsibility of the private sector in

contributing investments and services in telecommunications and

information technology; the need to develop, with appropriate

training programs and institutional policy changes, human

resources for the information technology age, a labor force

skilled in the use of ICT and a population capable of operating

and utilizing electronic appliances and computers; its obligation

to facilitate the transfer and promotion of technology; to ensure

network security, connectivity and neutrality of technology for

the national benefit; and the need to marshal, organize and

deploy national information infrastructures, comprising in both

telecommunications network and strategic information services,

including their interconnection to the global information

networks, with the necessary and appropriate legal, financial,

diplomatic and technical framework, systems and facilities.

Page | 7

Page | 8

Figure 1: Map of National Capital Regions

Background of the Study

This study covers the National Capital Region which includes

different law enforcement agencies that handle and investigate

cybercrime in the Philippines this includes the Philippine

National Police, Criminal Investigation and Detection Group and

the National Bureau of Investigation. The Philippine National

Police (Filipino: PambansangPulisyangPilipinas and abbreviated

as PNP) is the civilian national police force of the Republic of

the Philippines. To The Philippine National Police, which was a

result of a merger of the Philippine Constabulary and

the Integrated National Police, was activated on January 29,

Page | 9

1991. Its national headquarters are based at Camp Crame in Quezon

City. It has a manpower of 140,000.

The Criminal Investigation and Detection Group, widely known

as the CIS, came into existence out of the great necessity of the

Philippine Constabulary to organize a unit that would primarily

handle the investigation of major crimes. This move aimed to free

other constabulary units of the time consuming and highly

specialized investigative works.

The Criminal Investigation and Detection Group (CIDG) has

its beginnings in 1901 with the creation of the Information

Section of the Insular Constabulary pursuant to Section 2 of Act

253 of the Philippine Commission. It was given the task of

investigating crimes against the security of the state. Before

the outbreak of World War II, it was renamed Information Division

and later Police Affairs Division.

On January 19, 1953 it was formally christened as the Criminal

Investigation Service (CIS) under the C-2 Division of the

Philippine Constabulary. It was given the task to "detect,

investigate and prosecute major crimes in coordination with other

law enforcement bodies." Sometime in 1960, CIS was placed under

Page | 10

the C-3 Division. With the upsurged of criminality during the

early 70's, it became necessary for all field units of the CIS to

be placed under the direct command and control of a CIS Chief

based in Camp Crame. The reorganization was contained in General

Order Number 132, HPC dated January 1, 1971.

In line with the reorganization of the PC into 12 Regional

Commands, the CIS also underwent another change in its

organizational set-up. Pursuant to GO Nr 135 HPC dated August 9,

1978. Twelve (12) CIS Regional Offices were created to provide

investigative support to the PC/INP Regional Commands all over

the country.

When RA 6975 was enacted into law in 1991, CIS continued to

be the primary investigating arm of the Philippine National

Police charged with the following missions: 1) Undertake the

monitoring, investigation, and prosecution of all crimes

involving economic sabotage, and other crimes of such magnitude

and extent to indicate their commission by highly placed or

professional criminal syndicates and organizations; and 2)

Investigate all major cases involving violations of the Revised

Penal Code and operate against organized crime groups, unless the

Page | 11

President assigns the case exclusively to the National Bureau of

Investigation. From then on, CIS was renamed Criminal

Investigation Service Command (CISC) then to Criminal

Investigation Command (CIC), Criminal Investigation Group in 1996

and finally renamed to PNP Criminal Investigation and Detection

Group (CIDG) pursuant to NHQ LOI 49/96 code name "Detektib".

The National Bureau of Investigation (NBI) saw its inception

on November13, 1936. Upon approval of the commonwealth act no.181

on the legislature. It was the brain child of the late president

Manuel L. Quezon and Jose A. Yulo, then secretary of justice.

Tasked with organizing a division of investigation or DI

patterned after the United States Federal Bureau of Investigation

where Thomas Dugan, a veteran American police from New York

Police Department and Flaviano C. Guerrerro, the only Filipino

member of the Federal Bureau of Investigation. On the basis of

stiff Physical, Moral and Mental standard, 45 men were selected

as agent from among 300 applicants. To compliment this

investigative force was a civilian staff composed of doctor,

chemist, fingerprint technician, photographers, stenographers’

and clerk.

Page | 12

During the Japanese occupation, the DI is affiliated

with Bureau of Internal Revenue and the Philippine Constabulary

known as bureau of Investigation (BI). Subsequently, during the

post liberation period, all available DI were recruited by the US

army CIC as investigator.

Since then, the bureau assumed an increasingly significant

role. Thus on June 19, 1947, by virtue of Republic Act No.157 it

was recognize as to the Bureau of Investigation, later it was

amended by executive order No. 94 issue on October 4, 1947

renaming it to what it is presently known, the National Bureau of

Investigation.

Theoretical Framework

Cyberspace presents an exciting new frontier for

criminologists. Virtual reality and computer mediated

communications challenge the traditional discourse of

criminology, introducing new forms of deviance, crime, and social

control. Since the 1990s, academics have observed how the

cyberspace has emerged as a new locus of criminal activity, but

in general, criminology has been remiss in its research into the

Page | 13

phenomena of cyber crime and has been slow to recognize the

importance of cyberspace in changing the nature and scope of

offending and victimization. As such, very few theoretical

explanations of cyber crime exist. 

       Some researchers have tried to explain cyber crimes with

traditional theories, such as Social Learning Theory (Skinner and

Fream 1997; Rogers 1999; 2001), Kohlberg’s Moral Development

Theory and Differential Reinforcement Theory (Rogers 2001),

Cohen’s Strain Theory (O'Connor 2003), Deindividuation Theory

(Demetriou and Silke 2003), Gottfredson and Hirschi’s General

Theory of Crime (Foster 2004), Routine Activities Theory (Adamski

1998; McKenzie 2000; Grabosky 2001; Pease 2001; Yar 2005) and

multiple theories (McQuade 2005; Taylor et.al 2005; Darin et. al

2006). However, these theoretical explanations were found to be

inadequate as an overall explanation for the phenomenon of cyber

crimes, because cyber crimes are different from crimes of

physical space.

      There is a need for a theory for cyber crimes. Therefore,

this paper is directed at theory building for the explanation of

criminal behavior in the cyberspace, and presents the Space

Page | 14

Transition Theory.  Atheory called ‘Space Transition Theory’ in order

to explain the causation of crimes in the cyberspace. I felt the

need for a separate theory of cyber crimes because the general

theoretical explanations were found to be inadequate as an

overall explanation for the phenomenon of cyber crimes. "Space

Transition Theory” is an explanation about the nature of the behavior

of the persons who bring out their conforming and non-conforming

behavior in the physical space and cyberspace. Space transition

involves the movement of persons from one space to another. Space

transition theory argues that, people behave differently when

they move from one space to another.

The postulates of the theory are:

1. Persons, with repressed criminal behavior (in the physical

space) have a propensity to commit crime in cyberspace,

which, otherwise they would not commit in physical space,

due to their status and position.

2. Identity Flexibility, Dissociative Anonymity and lack of

deterrence factor in the cyberspace provides the offenders

the choice to commit cyber crime

Page | 15

3. Criminal behaviour of offenders in cyberspace is likely to

be imported to Physical space which, in physical space may

be exported to cyberspace as well.

4. Intermittent ventures of offenders in to the cyberspace and

the dynamic spatio-temporal nature of cyberspace provide the

chance to escape.

5. (a) Strangers are likely to unite together in cyberspace to

commit crime in the physical space. (b) Associates of

physical space are likely to unite to commit crime in

cyberspace.

6. Persons from closed society are more likely to commit

crimes in cyberspace than persons from open society.

7. The conflict of Norms and Values of Physical Space with the

Norms and Values of cyberspace may lead to cyber crimes.

Since criminology has started viewing the emergence of

cyberspace as a new locus of criminal activity, a new theory is

needed to explain why cyber crime occurs. The space transition

theory presented above provides an explanation for the criminal

behaviour in the cyberspace.

Page | 16

Routine activity theory was outlined by Clarke and Felson

(1993) and attempts to define criminal events in terms of the

common actions of offend-ers and victims. In the initial theory,

Clarke and Felson suggested that a criminal event required three

variables to occur simultaneously. These included a motivated

offender, a suitable target and an absence of guardians. With

regard to a property offence, such as a burglary, the theory

suggests that if a suitably motivated offender (perhaps one

seeking funding to buy drugs) finds a house which appears to have

objects of value in it, which is unattended by its owners, then

there is a heightened probability that an offence will take

place. Routine activity theory has some overlap with geographical

theories as criminal events are more likely to occur in

geographical areas which are described by the factors in routine

activity theory.

From a cyber criminological perspective, there may be some

evidence for routine activity theory. Several types of cybercrime

are more likely to be carried out by individuals with

considerable, unsupervised access to technology. Certainly, it is

difficult to surreptitiously carry out certain cybercrimes, such

Page | 17

as the collection of child pornography, without a personal

computer that other individuals do not have access to. Similarly,

a complex computer virus is more easily developed if the

individual has unlimited access to a privately held computer.

Hackers who attempt to develop botnets (a network of controlled

per-sonal computers) are possibly the best example of a

cybercriminal application of routine activity theory. They are

motivated to enhance their computing power, perhaps to disable a

specific website (what is known as a distributed, denial, of

service, attack). Suitable targets involve any Internet user’s

computer whose resources can be employed to complete the desired

act. A lack of suitable guardians in this case would refer to a

computer which has not been adequately protected through the use

of anti-virus software and a firewall. In a similar way, routine

activity theory can be applied to almost all types of cybercrime

and malicious online behavior, and as such it is a useful

addition to our understanding of cybercriminal events.

Rational choice theory states that committing a crime is a

rational choice made because the benefits outweigh the potential

negative consequences.

Page | 18

Conceptual Framework

Page | 19

1.IdentifyingtheExtent of the issuesAnd challenges In cybercrime Investigation inTerms of:1.1. Investigator’s

competency1.2. Facilities and

logistics1.3. Systems and

procedures1.4. Legal parameters

2.Identifying themeasures may be

1. Survey Questionnaires

2. Interview3. Statistics

1.Revision of the survey instruments based on the result of the pre- test conducted. 2. Reproduced enough copies of the survey instruments incorporating all suggestions received.3.Adequate amount of copies of the revised survey instruments are distributed to the three groups of respondents5.Data are collected

Figure 2: Conceptual Paradigm

EFFECTIVE COMPUTERCRIME BUSTING

Enhancement of theIssues

and Challengesin CybercrimeInvestigation

This paradigm of the study shows how to attain goals and

objectives of the research entitled Issues and Challenges in

Cybercrime Investigation: An Assessment towards an Effective

Computer Crime Busting which uses Space Transition Theory that

explains about the nature of the behaviour of the persons who

bring out their conforming and non-conforming behaviour in the

physical space and cyberspace. The rectangle at the top

represents the main objective of the study that can be achieved

through the input-process-output located right below the center

square which is the enhancement of the issues and challenges in

cybercrime investigation to attain the effective computer crime

busting. It is a one-way process from the bottom up to the top.

The first box below which is the Input represents the raw data

needed throughout the whole Process which is the second box.

These processes are namely; survey questionnaires, documentation,

interview and statistics. After the process is put into action,

the Output which is the third box can be obtained. The outputs

are the data collected from the respondents that will allow the

researchers to obtain the main objective and achieve the

effectiveness of computer crime busting.

Page | 20

Statement of the Problem

The main objective of the study is to identify and address

the issues and challenges in cybercrime investigation.

The study, therefore, seeks to answer the following sub-

problems:

1. To what extent are the issues and challenges encountered

in the investigation of cybercrime in terms of:

1.1. Investigator’s competency;

1.2. Facility and logistic;

1.3. Systems and procedures; and

1.4. Legal parameters?

Page | 21

2. Is there any significant difference on the assessment of

the groups of respondents on the issues and challenges

encountered in cybercrime investigation in terms of the above-

cited variables?

3. What measures may be proposed to strengthen the

cybercrime investigation in the Philippines?

Hypothesis of the Study

There is no significant difference on the assessment of the

respondents with regards to the issues and challenges encountered

in the investigation of cybercrime.

Scope and Limitation of the Study

Page | 22

The Setting

The setting of the study will be in Philippine National

Police, Criminal Investigation and Detection Group (CIDG) Camp

Crame and National Bureau of Investigation Cybercrime Division

Taft Avenue, Manila.

The Subject

The study will be concentrated on the issues and challenges

encountered by the law enforcement sector in the investigation of

cybercrime; including also the measures that may be proposed in

order to strengthen the conduct of cybercrime investigation.

The Respondents

There will be 3 groups of respondents. The first group of

respondent will be twenty (20) of the investigators of the

Philippine National Police Camp Crame. The second group will be

twenty (20) of the Crime Detection and Investigation Group

Investigators that handle cybercrime cases and the third group

will be twenty (20) of Cybercrime Investigators of the National

Bureau of Investigation.

The Time Frame

The study will cover the year of 2013-2014.

Page | 23

Significance of the Study

The results of the study will be deemed significant on the

following:

Law Enforcement Officers. This study will be beneficial to

them for it will give them better understanding in conducting

cybercrime investigation.

Courts. This study willbe beneficial to them for it will

give them information on the technical aspect of crime

investigation involving the use of computer and cyberspace.

Law Making Body. This will be beneficial to them for it will

give them insights on the pertinent laws needed to further

strengthen the fight against cybercrime.

Faculty and Students of Criminology. This study will be

beneficial to them for it will give them necessary information

with regard to the technicalities involve in cybercrime

investigation and to strengthen their knowledge in cyber world.

Definition of terms

Page | 24

Challenges. It refers to the problems encountered in

investigating cybercrimes by the cybercrime investigators of PNP,

CIDG and NBI.2

Computer. It refers to the gadget or device that uses

information communication technology and process information

which is the most used in committing cybercrimes.3

Cracking. It refers to the higher form of hacking in which

the unauthorized access culminates with the process of defeating the

security system for the purpose of acquiring money or information and/or availing

of free services.4

Crime Busting. It refers to the action taken by the law

enforcement agencies to fight criminality especially heinous

crimes.5

Cybercrime. It refers to thecrime accomplished through

special knowledge of computer technology or any crime where

computer is used as a tool or as a target or incidental to the

commission of a crime it.6

2P.B. Gove, Ph. D. (Webster’s Third New International Dictionary)3 Ibid.4Ibid.5Ibid.6Ibid.

Page | 25

Facilities. It refers to the something designed and created

to provide service in an investigation of crime.7

Framework. It refers to the set of ideas, principles,

agreements or rules that provides the basis or outline for

cybercrime busting intended to be more fully developed at later

stage.8

Hacking. It refers to the act of illegally accessing the

computer system/network of an individual, group or business

enterprise without the consent or approval of the owner of the system.9

Internet. It refers to the global system of

interconnected computer networks that use the standard Internet

protocol suite (TCP/IP) to serve billions of users worldwide. It

is a network of networks that consists of millions of private,

public, academic, business, and government networks, of local to

global scope, that are linked by a broad array of electronic,

wireless and optical networking technologies.10

Investigation. It refers to the art of locating, tracing and

identifying criminal in order to bring him before the court.11

7Ibid.8Ibid.9Ibid.10Ibid.11Ibid.

Page | 26

Investigator. It refers to a law enforcement officer

designated to investigate and provide inquiry on a crime

committed, he is either a member of the Philippine National

Police, Criminal Investigation and Detection Group or National

Bureau of Investigation.12

Investigator competency. It refers to the degree of

knowledge and ideas possessed by the investigator regarding the

laws, principles of investigation, and established rules in the

conduct of investigation especially knowledge about information

technology, in connection to cybercrime investigation.13

IP Address. It refers to the series of numbers assigned by an

Internet Service Provider to an internet user when it connects to

the Internet.14

Issues. It refers to the topic which is being discussed in

connection to cyber crime investigation.15

Logistics. It refers to the planning and control of the flow

of goods, and materials through an organized and manufacturing

12Ibid.13Ibid.14Ibid.15Ibid.

Page | 27

process in a law enforcement agencies to maintain a quality

service in responding and investigation of a crime.16

Legal Parameters. It refers to those set of laws and rules

that will facilitate and serve as a basis in an effective

cybercrimes investigation. 17

Phishing. It refers to sending fraudulent e-mails or website

pop-ups, to get victims to divulge sensitive financial

information such as credit card numbers or social security

numbers.18

Systems and procedure. It refers to the set of rules and

regulations to be followed by the investigator in investigating

crimes and the system of law enforcement agencies being used to

maintain a well organized process of investigation and rules

inside a department.19

ACRONYMS

CIDG. It refers to the Criminal Investigation and Detection

Group

16Ibid.17Ibid.18Ibid.19Ibid.

Page | 28

ICT – Information communication technology

NBI. It refers to National Bureau of Investigation

PNP. It refers to Philippine National Police

RA 8792. It refers to thelegislated because of I love you

virus, This Act shall be known and cited as the "Electronic

Commerce Act. “ Approved June 14, 2000.

Page | 29