Digital Evidence Concerns for Law Enforcement
Source & Disclaimer
Contents on this page are sourced from the material directly linked below. This does not constitute legal advice.
Atty Francis Acero on Electronic/ Digital Evidence Concerns for Law Enforcement
Axioms of Admissibility
- None but facts having rational probative value are admissible
- All facts having rational probative value are admissible unless some specific rule forbids their admission
Criminal law is simple
Satisfy the conditions, break that down into further evidence.
Worst evidence is testimonial evidence. It has to be backed up by something.
Evidence Defined
- The means
- sanctioned by [the Rules on Evidence]
- of ascertaining
- in a judicial proceeding
- the truth
- respecting a matter of fact
Rules on Evidence
- They apply to all forms of judicial proceedings and to administrative proceedings where there is no other rule.
- Changes in the rules apply to all pending proceedings.
The Job
The only job is to document it.
Documentary and Electronic Evidence
“Everything that you need to prosecute your case is in the devices and in the computers of the people that you are apprehending.” Atty. Francis Acero
Cultural Aspect
The way Filipinos agree on matters differs from European and American ways. Filipinos have a notion of “understood,” and that would constitute agreement. Other cultures would require items on paper. We are a verbal culture.
What then constitutes “paper”?
In the Philippines, a chat can constitute “paper”.
Electronic Data Messages/Document Authentication
Level Recognition
- An electronic document has the same evidentiary value as a physical document.
- The electronic document is the equivalent of an original document if
  - it is stored in a computer, original
  - any printout or output readable by sight shown to reflect the data accurately
- A duplicate is admissible to the same extent as the original unless
  - There is a genuine question as to the authenticity of the original
  - It is unjust or inequitable
Authentication
Manner of Authentication
- Evidence that it has been digitally signed by the person purported to have signed the same
- Evidence that other appropriate security procedures or devices as may be authorized by the Supreme Court or by law were applied
- Other evidence showing its integrity and reliability to the satisfaction of the judge
Evidentiary Weight - Integrity of the System
Factors for Assessing Evidentiary Weight
- Reliability of the manner in which it was generated, stored, and communicated
- Manner in which originator was identified
- Integrity of the information and communication system
- Familiarity of the witness or person who made the entry into the system
- Nature and quality of the information that went into the system
- Other factors that the court may consider
Integrity of the Information and Communication System
- Operation of the system in a manner that did not affect the integrity of the electronic document, and there are no other grounds to doubt the integrity of the information and communication system
- Recorded or stored by a party to the proceedings with adverse interests to the party using it
- Recorded or stored in the usual and ordinary course of business by a person not a party to the proceedings or under the control of the party using it
Integrity of the Data
- What is presented is what it is said to be.
- At the point of seizure, it should be the same data presented to the court.
- Show the arrest and seizure; this is not the same as permission to examine the contents
- Examination of the contents is left to the forensic specialists
Business Records - Method of Proof
Hearsay Inapplicable
- Business Records
- Made near the time of or from transmission or supply of information by a person with knowledge thereof
- Kept in the regular course or conduct of business activity
- Was the regular practice to make the document or record by electronic means
- Shown by the testimony of the custodian
- May be overturned by evidence of untrustworthiness of the source of information or the method or circumstances of the preparation, transmission, or storage.
Method of Proof
- All matters relating to the admissibility and evidentiary weight of an electronic document must be established by an affidavit
- Stating facts of direct personal knowledge of the affiant or based on automatic records
- Must show the competence of the affiant to testify on these matters
- Affiant shall be made to affirm the contents in open court
Important: Those screenshots or photos that staff ask for in the course of their business are evidence.
Audio, Video, and Ephemeral Evidence
Audio, Photo, and Video
- Audio, photographic, and video evidence of events, acts, or transactions, are admissible.
- Provided it is shown, presented, or displayed to the court
- Identified, explained, or authenticated by the person who made the recording or some other person competent to testify on the accuracy thereof
- Includes recordings of phone conversations or other ephemeral electronic communication
Ephemeral Evidence
- Proven by a person who was a party to the same or has personal knowledge
- Other competent evidence may be admitted in the case of absence or unavailability
Difference of Public Documents and Private Documents
Public Documents
Documents consisting of entries in public records made in the performance of a duty by a public officer are prima facie evidence of the facts therein stated. All other public documents are evidence, even against a third person, of the fact which gave rise to their execution and of the date of the latter.
- The written official acts, or records of the sovereign authority, official bodies, and tribunals and public officers, whether of the Philippines or of a foreign country.
- Documents acknowledged before a notary public, except last wills and testaments.
- Documents that are considered public documents under treaties and conventions which are in force between the Philippines and country of source, and
- Public records, kept in the Philippines, of private documents required by law to be entered therein
Private Documents
Where a private document is more than thirty (30) years old, is produced from a custody in which it would naturally be found if genuine, and is unblemished by any alterations or circumstances of suspicion, no other evidence of its authenticity need be given.
Before any private document offered as authentic is received as evidence, its due execution and authenticity must be proved by any of the following means:
- By anyone who saw the document executed or written;
- By evidence of the genuineness of the signature or handwriting of the maker, or
- By other evidence showing its due execution and authenticity
General Principles
Warrants are needed for digital devices
- Even if incidental to a search, a digital device and/or computer is a separate domain that requires
Effective Period
- Cybercrime warrants are valid only for a period of ten days, and may be extended for a further 10 based on justifiable reasons
Where to Apply
- The cybercrime courts in Quezon City, City of Manila, Makati City, Pasig City, Cebu City, Iloilo City, Davao City, and Cagayan de Oro City have nationwide jurisdiction and over extraterritorial crimes under the cybercrime law.
- Violations by crimes committed through the use of ICT and punishable by the Revised Penal Code (RPC) and other special penal laws are filed with the regular trial courts.
A Private Document is Everything Else
- Present the people who were there
- How it was recorded, how it was made
Moving Vehicle Scenario
“When you seize a digital device after an arrest, … you will still need a warrant for the contents of the device.
The physical device is different from the contents.
The rule on exigent circumstances will never apply to the contents of the digital device.
The court understands that the device is already with you, therefore, you have time to prepare.”
To get the contents of a digital device is not simple.
- Chain of Custody
- Non-Repudiation
Cybercrime Warrant Issues
- Data stored in cloud services/providers.
- “I would assume that that would be a Subpoena Duces Tecum (SDT)”
- Most likely will involve Search Warrant for the data itself.
Preservation of Computer Data
- The integrity of traffic data and subscriber information shall be kept, retained, and preserved by a service provider for a minimum of six (6) months from the date of receipt of the order from law enforcement authorities requiring the preservation.
- Law enforcement may order a one-time extension for six months.
- Once that evidence is used in a case, the receipt of the service provider of a copy of the transmittal document to the Office of the Prosecutor is deemed a notification to preserve the data for the duration of the case and/or as ordered by the court.
- The order and its compliance is confidential.
The telco will not be able to tell you where the data is coming from if the request is off by 24 hours. Every day, the network allocation table is going to change.
Tracing Drawbacks/Barriers
IPv4
IPv4’s Network Address Translation (NAT) Session Timeout is the reason for this.
2^32 = 4,294,967,296
IPv6
In a purely IPv6 stack, NAT is not needed. Every device has its own unique address.
2^128 = 340,282,366,920,938,463,463,374,607,431,768,211,456
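An added illustration (not from the talk) of why the time in a disclosure request matters when many subscribers share one public IPv4 address: a lookup against a constructed NAT session log. The log layout, the subscriber labels and the `candidates` function are assumptions made for this example, and 203.0.113.10 is a documentation address.

```python
from datetime import datetime, timedelta, timezone


def ts(text):
    """Parse an ISO timestamp and treat it as UTC."""
    return datetime.fromisoformat(text).replace(tzinfo=timezone.utc)


# Constructed NAT session log (hypothetical format):
# (public IP, public port, session start, session end, subscriber)
NAT_LOG = [
    ("203.0.113.10", 40001, ts("2024-03-01T08:00:00"), ts("2024-03-01T08:04:00"), "subscriber-A"),
    ("203.0.113.10", 40001, ts("2024-03-01T08:05:30"), ts("2024-03-01T08:09:00"), "subscriber-B"),
    ("203.0.113.10", 40002, ts("2024-03-01T08:00:00"), ts("2024-03-01T08:10:00"), "subscriber-C"),
    ("203.0.113.10", 40001, ts("2024-03-02T08:00:00"), ts("2024-03-02T08:04:00"), "subscriber-D"),
]


def candidates(log, public_ip, when, public_port=None, tolerance=timedelta(0)):
    """Subscribers whose NAT session overlaps the requested moment.

    A missing port or a loose time window widens the match; once the
    session times out, the same IP and port belong to someone else.
    """
    lo, hi = when - tolerance, when + tolerance
    return sorted({
        sub for ip, port, start, end, sub in log
        if ip == public_ip
        and (public_port is None or port == public_port)
        and start <= hi and end >= lo
    })


if __name__ == "__main__":
    ip = "203.0.113.10"
    exact = ts("2024-03-01T08:02:00")
    print("IP + port + exact time:", candidates(NAT_LOG, ip, exact, 40001))
    print("IP + exact time only:  ", candidates(NAT_LOG, ip, exact))
    print("time known to +/-5 min:", candidates(NAT_LOG, ip, exact, 40001, timedelta(minutes=5)))
    print("request off by 24 hours:", candidates(NAT_LOG, ip, exact + timedelta(hours=24), 40001))
```

Only the first query identifies a single, correct subscriber; the request that is off by 24 hours returns a different person entirely.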
Warrant to Disclose Computer Data
- Order to disclose or submit subscriber information, traffic data, or relevant data within 72 hours from receipt of the order in relation to a valid complaint
- The complaint is officially docketed and assigned for investigation
- The disclosure is necessary and relevant for the purpose of investigation
Contents of Application
- Probable offense involved
- Relevance and necessity of the computer data or subscriber’s information sought to be disclosed for the purpose of the investigation
- Names of the individuals or entities whose computer data or subscriber’s information are sought to be disclosed, including the names of the individuals or entities that have control, possession, or access
- Particular description of the computer data or subscriber’s information sought to be disclosed
- Place where the disclosure of the computer data or subscriber’s information is to be carried out
- Other relevant information that will persuade the court of the existence of probable cause
When Already in the Network
A Warrant to Intercept Computer Data
Warrant to Examine Computer Data
When Law Enforcement is Already in the Possession of the Computer
Warrant to Search, Seize, and Examine Data
Upon acquiring possession of a computer device or computer system via lawful warrantless arrest, or by any other lawful method, law enforcement authorities shall first apply for a warrant before searching the said computer device or computer system for the purpose of obtaining for forensic examination the computer data contained therein. The warrant therefor shall be denominated as a Warrant to Examine Computer Data (WECD).
Contents of Application
- Probable offense involved
- Relevance and necessity of the computer data or subscriber’s information sought to be searched, seized, and examined for the purpose of the investigation
- Names of the individuals or entities whose computer data or subscriber’s information are sought to be examined, including the names of the individuals or entities that have control, possession, or access
- Description of the computer data or subscriber’s information sought to be examined
- Place where the examination of the computer data or subscriber’s information is to be carried out
- Other relevant information that will persuade the court of the existence of probable cause
Returns for WSSECD and WECD
Initial Return
- A list of all the items that were seized, with a detailed identification of: a. the devices of the computer system seized, including the name, make, brand, serial numbers, or any other mode of identification, if available, and b. the hash values of the computer data and/or the seized computer device or computer system containing such data;
- A statement on whether a forensic image of the computer data was made on-site, and if not, the reasons for making the forensic image off-site;
- A statement on whether the search was conducted on-site, and if not, the reasons for conducting the search and seizure off-site;
- A statement on whether interception was conducted on-site, and if not, the implementation of the WSSECD, together with a. a detailed identification of all the interception activities that were conducted, b. the hash values of the communications or computer data intercepted, and c. an explanation of the said items’ reasonable relation to the computer data subject of the WSSECD;
- List of all the actions taken to enforce the WSSECD, from the time the law enforcement officers reached the place to be seized until they left the premises with the seized items and reached the place where the items seized were stored and secured for examination; and
- A reasonable estimation of how long the examination of the items seized will be concluded and the justification therefor.
Custody of Computer Data
Deposit and Custody of Seized Computer Data
Upon the filing of the return for a WDCD or WICD, or the final return for a WSSECD or WECD, all computer data subject thereof shall be simultaneously deposited in a sealed package with the same court that issued the warrant. It shall be accompanied by a complete and verified inventory of all the other items seized.
Affidavit of the Duly Authorized Law Enforcement Officer
- The date and time of the disclosure, interception, search, seizure, and/or examination of the computer data
- The particulars of the subject computer data, including its hash value
- The manner by which the computer data was obtained
- Detailed identification of all items seized in relation to the subject computer data
- The names and positions of the law enforcement authorities who had access to the computer data from seizure until the end of the examination and the names of officers who will be delivering the seized items to the court
- The name of the law enforcement officer who may be allowed access to the deposited data
- A certification that no duplicates or copies of the whole or any part thereof have been made, or if made, all such duplicates or copies are included in the sealed package deposited
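The hash values required in the initial return and the affidavit, and the earlier point that the data presented to the court should be the same data as at the point of seizure, can be shown in a short added example (not from the talk or the Rules). SHA-256, the record layout, the item label and the officer names are assumptions chosen for illustration.

```python
import hashlib
import hmac
import io
from datetime import datetime, timezone

CHUNK = 1024 * 1024  # read images in 1 MiB blocks; they rarely fit in memory


def hash_stream(stream):
    """Return the SHA-256 hex digest of a binary stream, read in chunks."""
    digest = hashlib.sha256()
    for block in iter(lambda: stream.read(CHUNK), b""):
        digest.update(block)
    return digest.hexdigest()


def seizure_record(item, stream, officer, when):
    """Record made at seizure: the item, its hash, who took it and when."""
    return {"item": item, "sha256": hash_stream(stream),
            "access_log": [(when.isoformat(), officer, "seizure and imaging")]}


def log_access(record, officer, purpose, when):
    """Append every later access, so the affidavit can name who had access."""
    record["access_log"].append((when.isoformat(), officer, purpose))


def persons_with_access(record):
    """Names for the affidavit, in order of first access, without repeats."""
    return list(dict.fromkeys(name for _, name, _ in record["access_log"]))


def verify(record, stream):
    """True only if the data presented hashes to the value fixed at seizure."""
    return hmac.compare_digest(record["sha256"], hash_stream(stream))


# Constructed sample data: a stand-in "image" and a copy with one byte changed.
IMAGE = b"\x00" * 4096 + b"chat export: constructed sample" + b"\x00" * 4096
ALTERED = IMAGE[:-1] + b"\x01"

if __name__ == "__main__":
    t0 = datetime(2024, 3, 1, 8, 0, tzinfo=timezone.utc)
    rec = seizure_record("PHONE-01 (hypothetical label)", io.BytesIO(IMAGE), "Officer A", t0)
    log_access(rec, "Examiner B", "forensic examination", t0.replace(hour=14))
    print(rec["sha256"], persons_with_access(rec))
    print("presented copy intact:", verify(rec, io.BytesIO(IMAGE)))
    print("altered copy intact:", verify(rec, io.BytesIO(ALTERED)))
```

A single changed byte anywhere in the image produces a different hash, which is why the value recorded at seizure lets the court check that nothing was altered in custody.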