
Using Circumstantial Evidence to Show the Defendant was at the Computer
Overview
• Proving that the defendant committed the
crime.
• Role of circumstantial evidence
• Strategies for collecting and using
circumstantial evidence in computer/cyber
crime cases
• Conclusions

PNP-CIDG Anti Transnational and Cyber Crime Division


The “I LOVE YOU” Computer Virus
• The virus was received in e-mail inboxes in Hong Kong on 4 May 2000,
with the subject “I LOVE YOU” and an attachment
“LOVE-LETTER-FOR-YOU.TXT.vbs”.
• It erases or blurs the graphics and data in the computer and gets
the contact addresses in the computer directory, and sends the
same email to all contacts listed in that directory. Once received
and opened in another computer, it replicates all that it did
previously.
• The replication went on and on, sweeping all computers where the
email was received and opened, from Hong Kong, to Europe, to
the United States, infecting and damaging computers and networks
of small and big companies, private and government institutions.
• The damage was about US$ 5.5 billion; some reports say US$ 10
billion.
The “I LOVE YOU” Computer Virus
• An international manhunt was conducted; the
investigators traced the origin of the virus to its creator, a
programming student (Onel de Guzman) at the AMA
Computer University in Manila.
• When arrested (11 May 2000), the suspect apologized to
the public and said he had no intention of causing such
great harm.
• Government prosecutors filed cases against him, but
even at the first stage, the indictment was dismissed as
there was no law penalizing the act at the time (May
2000) in the Philippines (nullum crimen sine lege)!
Situation
• Most cyber crimes will never be investigated or prosecuted
because of resource and jurisdictional issues. Technology is too
complex for any one person or even a LEA to master.
• The PNP has investigated one case in which the defendant,
JJ Maria Giner, pleaded guilty to violating RA 8792, the
“Electronic Commerce Act of 2000”, particularly its hacking
provision. He was convicted in September 2005 by Manila MTC
Branch 14 Judge Rosalyn Mislos-Loja.
• Giner pleaded guilty to hacking the government portal “gov.ph”
and other government websites. He was sentenced to one to two
years of imprisonment and fined Php100,000. However, he
immediately applied for probation, which was eventually
granted by the court.
Issues on Electronic Evidence
PROVING THE DEFENDANT
COMMITTED THE CRIME
Proving the Defendant Committed
the Crime
• One of the biggest challenges for prosecutors
and investigators of most computer crime cases
is proving who was at the computer
• This evidence will almost always depend on
some form of circumstantial evidence



Some Scenarios
• Fraudulent bank transfer using suspect’s
account, traced to IP address assigned to
suspect’s computer
• Unauthorized access to restricted database from
suspect’s government computer terminal
• Threats made through email account registered
in suspect’s name
How do you prove the suspect
committed the crime?
Issues on Electronic Evidence
THE ROLE OF CIRCUMSTANTIAL
EVIDENCE
Circumstantial Evidence
Definition: evidence based on inference
• National legal systems may treat it differently,
but it is generally distinguished from “direct
evidence”
• The assertion of a “collateral fact” that allows a
key fact in the case to be inferred

Inference that the suspect committed the crime



Circumstantial Evidence
• Rules of Evidence, Rule 133, Weight and Sufficiency
of Evidence, Sec. 4. Circumstantial evidence, when
sufficient. — Circumstantial evidence is sufficient for
conviction if:
(a) There is more than one circumstances;
(b) The facts from which the inferences are derived are
proven; and
(c) The combination of all the circumstances is such as to
produce a conviction beyond reasonable doubt.



Circumstantial Evidence
• Electronic evidence may lead to a computer, but
not to a suspect
• Absent direct evidence linking the suspect to
the crime, we search for circumstantial
evidence of:
1. Access
2. Knowledge
3. Opportunity
4. Motive
5. State of mind
Issues on Electronic Evidence
STRATEGIES FOR COLLECTING
AND USING CIRCUMSTANTIAL
EVIDENCE IN CYBERCRIME
CASES
Access
• Suspect’s access to computer resources used to
commit the crime
– Computer (hardware, software, files)
– Telephone or cable lines used for online access
– Online accounts (Email, online banking, social
networking)

May need to rule out others with access



Knowledge
• Suspect’s knowledge of information related to
the crime
– Suspect experience with the program, system or
network that was used or compromised
– Suspect computer training, education, experience or
ability
– Suspect familiarity with specific facts linked to
crime
– Suspect possession of passwords
Opportunity
• Opportunity for the suspect to commit the crime
– Suspect use of a computer at the time of the
criminal activity
– Suspect has no credible alibi



Motive
• Motive for the suspect to commit the crime
– Revenge
– Money (including blackmail, extortion)
– Politics
– Personal challenge



State of Mind
• The suspect’s culpable state of mind
– Deception
– Concealment
– Destruction of evidence



Use of Traditional Tools
• The best circumstantial evidence may
come from old-fashioned police
investigative work, such as:
– Suspect and witness interviews
– Other physical evidence
– Surveillance conducted
The additional evidence above can substantiate electronic evidence



Conclusions
• Circumstantial evidence provides the key link
between the suspect and the computer (digital
evidence)
• Traditional circumstantial evidence
complements electronic evidence in making a
stronger case that the suspect was responsible
for the crime



Issues on Electronic Evidence
HOW DO WE COUNTER
DEFENSE STRATEGIES?
Overview
• Common Cyber Crime Defenses
• Defense Tactics and Ways to Counter Them
• Conclusions



Universal Principles
• Defendants all over the world use similar
approaches in computer/cybercrime cases
• Confuse everything
• Imply guilt or bad motives for all witnesses
(except defendant)
• Make the technology and evidence seem beyond
understanding



Common Tactics Used by the Defense
• Using technology to create confusion
• Pointing to absence of direct evidence
• Claiming to lack technical ability
• Suggesting someone else controlled the
computer
• Implying that evidence was planted or altered
by the authorities



Using Technology to Create
Confusion
• Defense will:
– Make the technology seem more
complicated than it really is
– Exploit general fear of technology and
computers
– Create doubt in the mind of the fact finder
– “If I can’t understand the facts, how can I be
sure the defendant did it?”
Using Technology to Create
Confusion
• Prosecutor response:
– Simplify everything
– Introduce and explain the technology early
– Know your audience
– Prepare witnesses to explain the technology
using clear language
– Use visual aids and exhibits



Using Technology to Create
Confusion
• Prosecutor response:
Do not forget to present non-electronic
evidence
• Fact witnesses
• Surveillance records
• Physical evidence
• Motive
• Suspicious or past behavior
Corroborates electronic evidence
Defense Pointing to Absence of
Direct or Physical Evidence
• Defense will:
– Argue that your case depends on only
“circumstantial evidence”
– Point to a lack of physical evidence like DNA
or fingerprints
– Suggest that this makes your case weaker
than one based on “direct” evidence



Defense Pointing to Absence of
Direct or Physical Evidence
• Prosecutor response:
– Argue (if possible) that circumstantial
evidence is as compelling as direct evidence
– Explain that lack of “direct” evidence is
typical of computer crime cases
– Emphasize the lack of any viable alternative
suspect



Claiming to Lack Technical Ability
• Defense will:
– Claim that the crime required someone with
special computer expertise
– Suggest that defendant does not have special
skills or is not smart enough to have carried
out the criminal acts
This is often combined with the first tactic --
sowing confusion through technology
Defense will treat the witnesses as dumb or playing dumb
Claiming to Lack Technical Ability
• Prosecutor response:
– Research your defendant’s technical
background
– Equipment and software can demonstrate
sophistication
– Examine Internet history for a record of
self-education
– Interview suspect and associates regarding
computer knowledge
Suggesting Someone Else Was in
Control
• Defense will:
– Argue that the computer or service was
hijacked by an unknown agent
– “A virus took over the computer and
downloaded material from the Internet”
– “The email was spoofed”
This is often combined with the first tactic --
sowing confusion through technology
Suggesting Someone Else Was in
Control
• Prosecutor response:
– Show how access to the suspect’s computer
was limited
– Demonstrate that others with access to the
computer did not commit the crime
– Explain (through forensic examiner) how we
know that no program or outside person
controlled the computer
Implying that Evidence Was Planted

• Defense will:
– Attack the collection of electronic evidence,
chain of custody, and forensic examination
– Try to impeach the forensic examiner and
everyone who touched the evidence



Implying that Evidence Was Planted
• Prosecutor response:
– Prove secure chain of custody for the digital
media
– Introduce records showing when the
suspect’s files were created, accessed, or
modified
– Describe in court the devices used to image
and record the evidence
– Explain safeguards of the forensic process
Conclusions
• The same technology and electronic evidence
can be used by the defense to confuse and by
the prosecution to enlighten
• Prosecutors, police and forensic investigators
working together can effectively anticipate,
prepare for, and counter common cybercrime
defenses



Thank You for Listening

Questions?
