PRESERVATION REQUESTS,

WARRANTS AND OTHER

COMPUTER DATA; AND
DUTIES OF LAW
ENFORCEMENT AGENCY
1key files
 A. Preliminary Provisions
B. General Provisions
C. Preservation of Computer Data
D. Disclosure of Computer Data
E. Interception of Computer Data
F. Search, Seizure, and Examination of CD
G. Custody of Computer Data
H. Destruction of Computer Data

1key files
1key files

MENTORING COURSE
OUTLINE
Your own footer Your Logo
 COURSE INTENDED LEARNING OUTOMES
Your own footer

At the end of the course, the

students will have to:
•Identify and explain the different kinds of
Cyber warrants according to its application;
•Explain the Law Enforcement Activities; and
•Explain the procedure in the application of
1key files

cyber warrants
1key files
 A. Preliminary Provisions

B. General Provisions
C. Preservation of Computer Data
D. Disclosure of Computer Data
E. Interception of Computer Data
F. Search, Seizure, and Examination of CD
G. Custody of Computer Data
H. Destruction of Computer Data

1key files

Your Logo
 SCOPE AND
APPLICABILITY

SUPPLEMENTARY
NATURE OF THIS
RULE TO THE
EXISTING RULES
1key files OF PROCEDURE
AND REMEDIES
A. Preliminary Provisions

B. General Provisions
C. Preservation of Computer Data
D. Disclosure of Computer Data
E. Interception of Computer Data
F. Search, Seizure, and Examination of CD
G. Custody of Computer Data
H. Destruction of Computer Data

Your Logo
 Section 6:
Regular or 01
(Sec.4 and 5)
special Court -province/city
-CS is
04
Scene: situated
RTC Branch 54: Filed on
June 24, 2022
RTC Branch 56: Filed on 02 natural or
June 27, 2022 juridical
Q: Determination of what
court acquires the 03 person
jurisdiction
•Section - Law
Enforcement •Section
4. Cybercrime - Offense/Elements
- CS is situated 5. Other
Offenses. - Damage
- However (Courts
with special
Offenses.
Authority

•Section 6. - Law
Enforcement
-regular or
• RPC and SPL specialized
Once a criminal action is instituted, is a
motion to quash and other related
incidents shall be heard and resolved?

Court: Acquired
jurisdiction YES
What are the
prosecution’s duties?
transmittal of the records

transfer of the items' custody

ProcedureSection 7.2
Before issuance of a warrant, what
actions shall be considered by the
court?
shall not exceed a period of ten
(10) days from its issuance

-Upon Motion
-Justifiable reasons
-not extending 10 days from the expiration
What is the repercussion when
the Law Enforcement Authorities Action for Contempt
failed to return the warrant,
seized items?
• which procedures
shall be governed
by Rule 71 of the
Rules of Civil
Procedure, insofar
as they are
applicable.
Non-compliance or
failure to comply
on proper filling
•Obstruction of Justice

•Presidential WHERE TO FILE?

Decree No. Shall be filed before the
1829 designated cybercrime
court-Jurisdiction over
the non-compliance
Extraterritorial Service of Warrants
and Other Court Processes
Outside of the
Philippines Department of Justice-
Office of Cybercrime

16
THE RULE ON CYBERCRIME WARRANTS

What are the contents of

the inventory upon the
filing of return by law
enforcement?

17
What must the application contain?
Identification of all items seized (make, brand, serial
numbers) 05
How the data was obtained 04
Particulars of computer data including hash values. 03
Particulars of computer data including hash values. 02
Date and time of disclosure, interception, search, seizure, and
examination of data
01

18
 These are the following:
Certification that no duplicates has been made or retained by
law enforcement. 09
Name of law enforcement officer allowed to access the deposited
data. 08
Names of officers who delivered the items to the court. 07
Names and position of law enforcement who had access to the data prior
to depositing to the court. 06

19
 THE RULE ON CYBERCRIME WARRANTS

Who has access to the

computer data while
under custody?

20
A. Preliminary Provisions
B. General Provisions

C. Preservation of CD
D. Disclosure of Computer Data
E. Interception of Computer Data
F. Search, Seizure, and Examination of CD
G. Custody of Computer Data
H. Destruction of Computer Data

Your Logo
PRESERVATION OF COMPUTER DATA.
- Pursuant to Section 13,
Chapter IV of R A 10175-by a
service provider
01
-information held by the service provider
-subscribers of its services
1. type of communication
2. Subscriber’s identity
3. Information on the site-site of the
installation of communication
equipment
Traffic Data and Subscriber’s
Information
Minimum-Six (6) months date of
transaction

Content Data
02
six (6) months from the date of
receipt of the order
 YES
Provided, that once computer data that is
preserved, transmitted or stored by a service
provider is used as evidence in a case, the
receipt by the service provider of a copy of the
transmittal document to the Office of the
Prosecutor shall be deemed a notification to
preserve the computer data until the final
termination of the case and/or as ordered by
the court, as the case maybe
Does the service provider
needs to disclose to the
subscriber regarding a
preservation order issued?
NO
The service provider ordered to
preserve computer data shall
keep the order and its
compliance therewith
confidential.
A. Preliminary Provisions
B. General Provisions
C. Preservation of Computer Data

D. Disclosure of CD
E. Interception of Computer Data
F. Search, Seizure, and Examination of CD
G. Custody of Computer Data
H. Destruction of Computer Data

Your Logo
Requirements for service provider:

-Disclose or submit
subscriber's information,
traffic data or other
relevant data.
26
 ?
How long does the service provider
have to comply with the disclosure
warrant?

27
 Probable
Offense

WDCD
Relevance and
-is an order necessity
Place

-foregoing:
contents Names of the
individual or Manner
for the entities

application Particular Other relevant

Description information
Annex A — Warrant to Disclose Computer Data.
Republic of the Philippines Regional Ti ia1 Court Branch ,

Re: Application for a Warrant to Disclose Computer Data under Section 14 of Republic ACt No. 10175

WDCD No. IF SATISFIED?

NAME OF APPLICANT,

Applicant.

WARRANT TO DISCLOSE COMPUTER DATA

To the law enforcement authorities:

Greetings:

It appearing to the satisfaction of the undersigned after examining under oath {name of
applicant and his/her witness/es {names of witness/es) that there is probable cause to believe
that {state the probable offense involved has been committed, is being committed or is
about to be committed, a Wairant to Disclose Computer Data (WDCD) is hereby ISSUED,
in accordance with the provisions of Section 4 of A.M. No. , entitled the “Rule on
Cybercrime Warrants”.

WHEREFORE, by virtue of this WDCD, you are hereby AUTHORIZED to issue an

ordel compelling {names of the individuals or entities whose computer data or subscriber ’s
information are sought to he disclosed, including the names of the individMals or entities who
have control, possession or access thereto, if available) to disclose or submit particular
description of the computer data or subscriber’s information sought to be disclosed).

{In the judge’s discretion, indicate other terms to be included by the law enforcement
authorities in the order to disclose, as may be gathered from the warrant application, such
as the place where the disclosure is to be enforced,the manner or method hy which the
disclosure is to be carried out, and other relevant terms to attend the implementation of the
order to disclose, subject to the limitations imposed hy law.)

The authorized law enforcement officer is COMMANDED to submit a return on the

WDCD and simultaneously turn-over the custody of the disclosed computer data or
subscriber’s information to the undersigned within the period and under the terms
prescribed in the Rule on CybererilneWarrants.

Fail not under penalty of law.

Witness my hand this day of , in the City , Philippines

ISSUING JUDGE
29
29
WDCD No. Probable cause
 CYBER WARRANTS

When the authorized law

enforcement officer shall submit a
return on the WDCD to the court?

30
 CYBER WARRANTS

Is law enforcement allowed to keep

copies of the data obtained from the
disclosure warrant?
YES:
Confidential

31
 CYBER WARRANTS

Upon filling of Criminal

Court Order: No filed
Action

?
When are law enforcement
authorities no longer allowed to
retain the data?

32
 CYBER WARRANTS

?
Justification of Law enforcement
authorities are allowed to retain a
copy

33
 CYBER WARRANTS

Upon filling of Criminal

Court Order: No filed
Action

When the retained copy

shall be turned over? ?
34
A. Preliminary Provisions
B. General Provisions
C. Preservation of Computer Data
D. Disclosure of Computer Data

E. Interception of CD
F. Search, Seizure, and Examination of CD
G. Custody of Computer Data
H. Destruction of Computer Data

Your Logo
 WHAT IS
INTERCEPTION?
including procuring of the content data,
either
- directly - indirectly
INTERCEPTION OF
COMPUTER DATA
What is Warrant to
Intercept Computer
Data (WICD)?
Court issued
warrant
Annex B — Warrant to Intercept Computer Data.

Republic of the PhilippinesRegional

Trial Court Branch

Re: Application for a Warrant to Intercept WICD No.

Computer Data under Section 15 in relationto Section 3(m)
ofRepuhlic Act No. 10175
IF SATISFIED?
NAME OF APPLICANT,
Applicant.

WARRANT TO INTERCEPT COMPUTER DATA

To the law enforcement authorities:

Greetings:

It appearing to the satisfaction of the undersigned after examining under oath {name of applicant j and
his/her witness/es {names of witness/es that there is probable cause to believe that {state the probahle offense
involved) has been committed, is being committed or is about to be committed, a Warrant to Intercept
Computer Data (WICD) is hereby ISSUED, in accordance with the provisions of Section 5 of A.M. No. ,
entitled the “Rule on Cybercrime Warrants”.

WHEREFORE, by virtue of this WICD, you are hereby AUTHORIZED to listen to, record, monitor,
and/or conduct surveillance of particular description of the communications and7or computer data sought
to be intercepted), which are communications or computer data of{names of the individuals or entities whose
communication or computer data are soughtto he intercepted, including the names of the individuals or entities
who have control, possession or access thereto, ifavailahle j.

{In the judge’s discretion, indicate other terms to attend the implementation of the WICD as may be
gathered from the warrant application, such as the place where the interception is to he enforced, the manner
or method hy which the interception is to he carried out, and other relevant terms, subject to the limitations
imposed by law.)

The authorized law enforcement officer is COMMANDED to submit a return on the WICD and
simultaneously turn-over the custody of the intercepted communication or computer data to the undersigned,
as well as notify the person whose communications or computer data have been intercepted of the
activities conducted pursuant to this warrant, within the periods and under the terms prescribed in
the Rule on Cybercrime Warrants.

Fail not under penalty of law.

Witness my hand this day of , in the City , Philippines

40
Probable cause
ISSUING JUDGE
 Same: Section 6.8.
Final Return on the 1. submit a final return on the

WICD
WICD to the court

2. Turn over the custody of

WITHIN computer data

from the implementation or after the

expiration of the effectivity of the
WICD DUTY OF THE JUDGE
Notice after filing of Return

-from the filling of

the return

No filling
 CYBER WARRANTS

Does law
enforcement
authorities need to
disclose the
interception to the
accused?
NO:
Except-No
return filed 43
A. Preliminary Provisions
B. General Provisions

C. Disclosure of Computer Data

D. Interception of Computer Data

E. Preservation of CD

F. Search, Seizure, and Examination of CD

G. Custody of Computer Data

H. Destruction of Computer Data

Your Logo
 Commonalities with
Ordinary Search
“ Warrants
◂ Also 1 crime
◂ Requirements of particularly –
place and items to be searched
45
 What is the subject of a warrant to Search, Seize and
Examine? emails,
website, chat
contents

HYBRID HUMAN AND 01 HUMAN GENERATED

COMPUTER- EVIDENCE
GENERATED EVIDENCE

cell tower and face

know the time, date or period
computer data was
generated, created or sent;
example – Email: email
address and IP address are
computer generated but
content is human
46
generated
data, GPS records,
FTP transfer logs,
operating system
03 02 logs, registry files,
webmail IP logs and
records, IP logs
COMPUTER-GENERATED
from ISPs, toll
EVIDENCE records
 Computer Data and other items sought

FRUITS OF A
CRIME

CONTRABAND

EVIDENCE OF
CRIME

INSTRUMENTALITY
OF OFFENSE

47
Who can apply for Warrants to Search, Seize and
Examine?

48
Collection of Evidence

Non-tangible items
as subject
Search can be on-site
or off-site – physical v.
intangible search;
examination 49
Items to be Seized
TANGIBLE OBJECTS
04
INTANGIBLE OBJECTS
03
ITEMS SUBJECT TO SEIZURE
02
LIMIT TO SCOPE OF PROBABLE CAUSE
01

50
What data is kept
by law
enforcement?

-List of all items seized (name,

make, brand, serial numbers)
-Hash value of data seized. 51
 How long shall the
examination of data be
conducted by law
enforcement?

52
 -Unreasonable
US DOJ advice: begin with
an “ all records “ description,
add limiting language stating
Is Warrant seeking to the crime, the suspects and
search, seize and relevant time period if
applicable, include explicit
examine “ all records “ of examples to records to be
a computer valid? seized
 YES

Can search include deleted,

encrypted or password
protected files on a storage
medium found at search
location?
 make a forensic
Section 6.4. image of the
computer data
Off-site and On-site Limit the search
Principle; Return of ON-SITE

Items Seized Off- -Forensic Image is made

site -reasons: in the initial
return

OFF-SITE
 TYPES OF CYBER WARRANTS

Can the accused

seeks return of the
seized and searched
items and data?

56
 When necessary 1

When can
off site Forensic Image 2

search be
conducted? Reasons Initial Return 3
Justification for Off Site Searches

01 Storage large volumes

02 impossible Seizure is
necessary

03 Presence of password:
Time Constraint
 Off Site Search via Image Copy
•Rather than seize entire
computer system for off siteduplicates every bit and byte on the target drive,
search. including slack space, Master File Table and
metadata in exactly the same order as they appear

•Called Image Copy on the original

•Ensure that integrity of copied

data is maintained
•Remove original data
 What must first be
done by law
enforcement
authorities on site?
Make a forensic image of
1
the computer data
Limit search to place
2
specified in Warrant
Try not to seize computer items
3 if search can be done on site
 PROCESS
• Take a documentation
• Before starting to do forensic examination process, Check the time of the
computer if it is the same with the actual time. (Place a device showing the
actual time beside the computer then take a documentation)
• Plug the mouse jiggler
• Make sure that the laptop is not connected with the Internet
• Turn off the anti-virus so it will not defer or may disrupt the forensic
examination process.
• Plug the drive (thumb drive/external drive)
 NO
One crime per
Warrant

•In the course of a valid

search involving computer
fraud, the police discover
child pornography in the
respondent’s laptop, can he
still continue to search for
child pornography?
 TYPES OF CYBER WARRANTS

Can interception of
communications and
data be done even in a
search, seizure and
examination warrant?

63
What activities are allowed in the implementation of
the WSSECD?
Interception of communications
and computer data
Provided only those reasonably related to
subject matter of Warrant
Relation must be explained in Initial Return

Must be fully disclosed

 Limited to related communication
and computer data
Provided
Activities are disclosed and explained
in the initial return
Law enforcement may order any person
to provide necessary information
Initial Return.

Within ten (10) days from the issuance of

the WSSECD, the authorized law
enforcement officers shall submit an initial
return
 What are the requirements for the
issuance of a warrant to Examine CD?
Possession of a computer device or computer
system that has been acquired via a lawful
warrantless arrest or other lawful method,
and a detailed description of the same
Forensic examination of the computer data
contained therein is needed
Probable offense involved
 What are the requirements for the
issuance of a warrant to Examine CD?
Relevance & necessity of computer data
sought for the purpose of investigation
Particular description of computer data
sought
Circumstances surrounding lawful
acquisition of computer device or system
containing the computer data
 “ What additional
information must
be alleged in
application?
1. Explanation of the Search & Seizure strategy to be implemented
2. Projection of whether search will be on site or off site
3. Items to be searched, seized and examined have been observed
to be at the search site 69
4. Projected time frame for search, seizure and examination
Section 6.8.
Final Return on the 1.submit a final return on
the WSSECD to the
WSSECD court

2.Turn over the custody of

WITHIN computer data
 law enforcement authorities shall
Section 6.9. first apply for a warrant before
searching the said computer
Examination where device or computer system for the
of device is obtained; purpose of obtaining for forensic
Warrant to Examine Computer Data examination the computer data
(WECD) contained therein. The warrant
therefor shall be denominated as a
Warrant to Examine Computer
Data (WECD).
A. Preliminary Provisions
B. General Provisions

C. Disclosure of Computer Data

D. Interception of Computer Data

E. Preservation of CD
F. Search, Seizure, and Examination of CD

G. Custody of Computer Data

H. Destruction of Computer Data

Your Logo
Section 7.1.

Deposit and Custody of

Seized Computer Data. deposited in a sealed
package

complete and verified

inventory of all the other
items seized
1. The date and time of the disclosure, interception,
search, seizure, and/or examination of the computer
data.

1. The particulars of the subject computer data,

including its hash value;

2. The manner by which the computer data was obtained;

3. Detailed identification of all item seized

5. Names and positions of the law enforcement authorities
who had access to the computer data

6. Name of the law enforcement officer who may be

allowed access to the deposited data.

7. A certification that no duplicates or copies of the whole

or any part thereof have been made
Duty of the Prosecutor When Criminal
Action is Instituted
move for the immediate transmittal
of the records

transfer of the intercepted,

disclosed, searched, seized,
and/or examined computer
data and items
Access to and Use of
Computer Data

The package containing the computer data shall not be

opened, or the recordings replayed, or its contents revealed, or,
in any manner, used as evidence, except upon motion duly
granted by the court.
The motion for the purpose shall state:

1. The relevance of the computer data sought to be

opened, replayed, revealed, or used as evidence; and

2. The names of the persons who will be allowed to have

access thereto, if the motion is granted.
A. Preliminary Provisions
B. General Provisions

C. Disclosure of Computer Data

D. Interception of Computer Data

E. Preservation of CD
F. Custody of Computer Data
G. Destruction of Computer Data

H. Search, Seizure, and Examination of CD

Your Logo
Duty of Service
Providers and Law
Enforcement
Authorities to
Destroy.
 Destruction and Return of
Computer Data in the
Custody of the Court

- Justifiable reasons
- No PI after 31 days from their deposit
- With PI- lack of probable cause

In its sound discretion, the court may conduct a clarificatory hearing to

further determine if there is no reasonable opposition to the items’
destruction or return.
 Section 8.3. How Destruction of
Computer Data is made?

In the presence of:

- Branch Clerk-of-Court (designated by the court)
- accused/owner/counsel
- Law enforcement officer or duly representative

Upon notice by the

branch clerk-of-
court at least 3
days prior
 What does the Branch of Clerk-of-Court
shall issue 24 hours from the destruction?

-sworn certification
-file the said certificate with the same
court
destroyed by shredding, drilling of four
holes through the device, prying
QUESTION
A policeman assigned to the Ayala
Mall, Cebu City responds to a call for
assistance to the department store
security guards . A suspect is being
held who has been complained of
taking unauthorized video of women in
the dressing room. He arrests the man
and takes possession of the man’s
cellular phone.
The women want the cellular phone to
be examined immediately so that their
video may be erased and or verified to
be used as evidence against the man
Can the policeman search the
cellphone in his possession?
NO