I. Overview

Cybercrime cases in the Philippines often depend less on eyewitness testimony and more on digital evidence: screenshots, chat logs, emails, transaction records, device data, IP logs, server records, subscriber information, metadata, and forensic reports. Because digital evidence can be easily altered, deleted, copied, or fabricated, Philippine law requires careful attention to preservation, authentication, admissibility, chain of custody, and proper submission to law enforcement, prosecutors, or courts.

The governing legal framework includes the Cybercrime Prevention Act of 2012, the Rules on Electronic Evidence, the Rules of Court, the Data Privacy Act of 2012, the Revised Penal Code, special penal laws, and procedural rules on search, seizure, subpoenas, warrants, affidavits, and documentary evidence.

This article explains how complainants, lawyers, companies, investigators, and witnesses should collect, preserve, submit, and present evidence and records in Philippine cybercrime cases.

II. Common Cybercrime Cases Where Digital Evidence Is Needed

Cybercrime evidence may be submitted in cases involving:

Online libel
Identity theft
Cybersex offenses
Computer-related fraud
Phishing and credential theft
Unauthorized access or hacking
Data interference
System interference
Cyber-squatting
Online scams
Business email compromise
Romance scams
Online threats and harassment
Unauthorized publication of private images
Electronic evidence of estafa, fraud, coercion, unjust vexation, or grave threats
Illegal access to company systems
Unauthorized use of accounts, cards, e-wallets, or payment platforms
Social media impersonation
Data breach incidents
Child sexual abuse or exploitation material, subject to special handling rules

Not every online wrong is automatically a cybercrime. Some acts are ordinary criminal, civil, labor, commercial, or administrative disputes that merely involve electronic evidence. The classification matters because it affects venue, investigating agency, penalties, procedure, preservation orders, and warrants.

III. Legal Nature of Digital Evidence

Digital evidence is evidence stored, received, transmitted, or generated by electronic means. It may appear as:

Screenshots
Chat messages
Emails
Social media posts
Website pages
Audio or video recordings
Transaction confirmations
Bank or e-wallet records
Server logs
IP address records
Device extraction reports
Cloud storage records
Metadata
Login history
Subscriber information
Domain registration records
CCTV files
Authentication logs
Call logs
SMS records
App records
Hash values
Forensic images of devices

Under Philippine rules, electronic documents and electronic data messages may be admissible if they are properly authenticated and shown to be relevant, competent, and not excluded by law.

Digital evidence is not automatically inadmissible merely because it is electronic. The main issues are usually authenticity, integrity, relevance, chain of custody, and proper identification of the source.

IV. First Principle: Preserve Before You Report

The first and most important step is preservation.

Many cybercrime victims immediately confront the offender, delete messages, block accounts, factory-reset devices, or edit screenshots. These actions can weaken the case. Digital evidence should be preserved in its original condition as much as possible.

A. Do not delete

Do not delete:

Messages
Emails
Posts
Comments
Notifications
Transaction confirmations
Login alerts
Device logs
App histories
Browser histories
Call logs
SMS messages
Files received from the offender

Deleting may destroy evidence that investigators or forensic examiners need.

B. Do not edit files

Do not crop, annotate, filter, rename unnecessarily, convert repeatedly, or compress original files. Edited copies may be useful for explanation, but the original file should remain untouched.

C. Do not rely only on screenshots

Screenshots are often useful but may be challenged. Whenever possible, preserve the underlying source:

Original email with headers
Original chat conversation on the device
Original URL
Original post link
Original file
Original transaction record
Original device
Downloaded data archive
Certified records from the platform, bank, telco, or service provider

Screenshots should support, not replace, stronger evidence.

V. What Evidence Should Be Collected

A. For online libel or defamatory posts

Collect:

Full screenshot of the post
URL or link
Date and time viewed
Account name and profile link
Comments, shares, reactions, and context
Screenshots showing public visibility
Identity indicators of the poster
Evidence of publication to third persons
Evidence of damage, harm, or consequences
Witness affidavits from persons who saw the post
Archived or downloaded copy of the page, if possible

For online libel, the evidence must show not only the statement but also authorship, publication, identification of the offended party, defamatory imputation, and malice where applicable.

B. For hacking or unauthorized access

Collect:

Login alerts
Account access history
IP addresses shown by the platform
Email security notifications
Device login list
System logs
Server access logs
Firewall logs
Admin console records
Screenshots of unauthorized changes
Records of data accessed, altered, or deleted
Timeline of incident
User account permissions
Device involved
Forensic images, if available

In business cases, logs should be exported by authorized IT personnel and documented with date, time, system source, and method of extraction.

C. For phishing and online scams

Collect:

Links sent by the suspect
SMS, email, or chat messages
Sender numbers or email addresses
Screenshots of fake websites
URL details
Transaction receipts
Bank transfer records
E-wallet transaction IDs
Account numbers used by the suspect
Names used by the suspect
Delivery records, if goods were involved
Marketplace chat logs
Profile pages
Calls or recordings, if lawfully obtained
Complaint records with bank, e-wallet, or platform

Financial records should be requested formally from banks, e-wallet providers, or platforms when possible.

D. For identity theft or impersonation

Collect:

Fake profile link
Screenshots of the fake account
Evidence showing use of your name, image, business name, or credentials
Messages sent by the impersonator
Complaints from people contacted by the fake account
Original identity documents proving your real identity
Platform reports
Any connection between fake account and suspect

E. For unauthorized publication of private images

Collect:

Link or location where image/video was posted
Screenshots showing account, URL, date, and visibility
Copy of the posted image/video if lawful and safe to preserve
Evidence of identity of poster
Communications showing threats, coercion, or blackmail
Witnesses who saw the upload
Platform takedown reports
Evidence of lack of consent

For intimate images or sexual content, handling must be especially careful. Avoid unnecessary sharing or reproduction. Submit only through proper authorities and counsel.

F. For business email compromise

Collect:

Original email with full headers
Email thread
Altered payment instructions
Bank transfer proof
Vendor communications
Domain records
SPF, DKIM, DMARC results if available
Mail server logs
Login records
Suspicious forwarding rules
Compromised account access logs
Internal incident report
Timeline of payment and discovery
Bank recall requests and responses

Email headers are often critical because they may show routing details, originating servers, authentication results, and spoofing indicators.

VI. How to Preserve Screenshots Properly

Screenshots remain common in cybercrime complaints. They should be prepared carefully.

A good screenshot should show:

The full content of the message, post, page, or transaction
The sender or account name
The account profile link or identifier, where visible
Date and time
URL, if browser-based
Surrounding context
Device clock, where relevant
Conversation sequence, not isolated fragments only

Best practices

Take continuous screenshots showing the full conversation.
Include the top portion showing the account, profile, or email address.
Do not crop unless making a separate explanatory copy.
Save the image in its original format.
Record the date and time when the screenshot was taken.
Keep the device where the screenshot was taken.
Back up copies securely.
Create a simple evidence log.

Common mistakes

Cropping out the sender identity
Taking only one message without context
Failing to include dates
Failing to save URLs
Editing or annotating the only copy
Losing access to the original account or device
Printing screenshots without keeping digital originals

Printed screenshots may be submitted, but the digital source should be preserved.

VII. How to Preserve Emails

Emails are stronger when preserved in original form, not only as screenshots.

Preserve:

Original email in the mailbox
Full headers
Attachments
Sender address
Reply-to address
Received path
Authentication results
Date and time stamps
Email thread
Downloaded .eml or .msg file, if available

The full header may show whether the message was spoofed, relayed, or authenticated. For scams and business email compromise, headers are often more useful than screenshots.

Do not forward the email repeatedly as the sole evidence, because forwarding may alter formatting and header details. Instead, export or save the original email and preserve the mailbox.

VIII. How to Preserve Chat Messages

For chats on Messenger, Viber, WhatsApp, Telegram, Instagram, TikTok, X, or other platforms, preserve:

Full conversation thread
Account name and profile
Phone number or username
Message timestamps
Media files sent
Voice notes
Attachments
Deleted message notices
Payment instructions
Threats or admissions
Group chat member list, if relevant

Where possible, download an official archive of account data from the platform. This may provide stronger context than screenshots alone.

Do not leave the group chat or delete the conversation until evidence is preserved.

IX. How to Preserve Social Media Posts

For social media posts, preserve:

URL
Screenshot showing content
Screenshot showing account name
Screenshot showing profile page
Date and time of posting, if visible
Public visibility or audience setting, if visible
Comments and shares
Reactions, if relevant
Videos or images attached
Profile identifiers
Archived copy, if available
Witnesses who saw the post

For public posts, third-party witnesses may execute affidavits confirming they saw the content. This can help establish publication.

X. How to Preserve Websites and URLs

When a website is involved, record:

Full URL
Domain name
Date and time accessed
Screenshots of relevant pages
Source code, where relevant
WHOIS/domain information, if lawfully obtained
Hosting information, if available
Downloaded webpage copy
Payment page details
Contact information displayed
Terms and conditions, if relevant

Some websites disappear quickly. Immediate documentation is important.

XI. How to Preserve Device Evidence

Devices may contain the best evidence. These include phones, laptops, tablets, desktops, external drives, CCTV systems, routers, servers, and storage media.

A. Do not tamper

Avoid:

Factory reset
Reinstallation
Deleting apps
Clearing cache
Reformatting drives
Changing system time
Running unnecessary “cleaner” tools
Installing suspicious recovery apps
Repeatedly opening files that may change metadata

B. Secure the device

Keep it powered if needed to preserve volatile data, but do not explore unnecessarily.
Disconnect from networks if continued access by the suspect is possible.
Record the device condition.
Note date, time, and who handled it.
Keep passwords available for lawful forensic examination, subject to legal advice.
Do not allow multiple people to handle the device.

C. Forensic imaging

In serious cases, a forensic image should be made by trained personnel. A forensic image is a bit-by-bit copy of storage media. Hash values are used to show that the copy is identical to the original and has not changed.

XII. Chain of Custody

Chain of custody is the documented history of evidence: who collected it, when, where, how, from whom, where it was stored, and who accessed it.

For digital evidence, chain of custody helps prove integrity. The proponent must show that the evidence presented is the same evidence collected and has not been materially altered.

A. Basic evidence log

A simple evidence log may include:

Item No.	Description	Source	Date Collected	Collected By	Method	Storage Location	Hash/Identifier
1	Screenshot of Facebook post	Facebook URL	Jan. 10, 2026	Complainant	Phone screenshot	External drive	File name/hash
2	Email with headers	Gmail account	Jan. 11, 2026	IT officer	Exported `.eml`	Evidence folder	Hash
3	Phone containing chat thread	iPhone	Jan. 12, 2026	Complainant	Original device	Sealed envelope	Serial number

B. Handling rules

Limit access to evidence.
Keep originals separate from working copies.
Use secure storage.
Record every transfer.
Label files clearly.
Avoid overwriting metadata.
Use hashes for important files.
Maintain backup copies.

C. Hash values

A hash value is a digital fingerprint of a file. If the file changes, the hash changes. Common hash algorithms include SHA-256. Hashing is useful for proving that submitted files are unchanged.

XIII. Authentication of Electronic Evidence

Under the Rules on Electronic Evidence, electronic documents must be authenticated before admission.

Authentication may be done by:

Evidence that the electronic document was digitally signed
Evidence that appropriate security procedures or devices verified it
Testimony of a person who saw, made, received, or retrieved the electronic document
Other evidence showing integrity and reliability

For ordinary complainants, this usually means executing an affidavit explaining:

How the evidence was obtained
What device or account was used
When it was accessed
Who took the screenshots
Whether the screenshots accurately reflect what appeared
Whether the original remains available
Whether the contents were altered
How the files were stored

For companies, authentication may come from:

IT personnel
Records custodians
Compliance officers
System administrators
Data protection officers
Forensic examiners
Platform representatives
Bank or telco records custodians

XIV. Affidavits Needed for Submission

A cybercrime complaint is usually supported by sworn statements.

A. Complaint-affidavit

The complainant’s affidavit should state:

Personal details of the complainant
Identity of the respondent, if known
Relationship between complainant and respondent, if any
Chronology of events
Description of the cybercrime
How the complainant discovered the act
Evidence gathered
Harm suffered
Relief sought
Request for investigation and prosecution
Statement that attached evidence is authentic and true
Certification or jurat before authorized officer

B. Witness affidavits

Witnesses may testify that they:

Saw the post
Received the message
Were deceived by the scam
Transacted with the suspect
Identified the respondent
Took or preserved screenshots
Administered the relevant system
Retrieved logs or records

C. Records custodian affidavit

For business or institutional records, the custodian may explain:

The system used
How records are generated
Ordinary course of business
Access controls
Retrieval method
Accuracy and reliability
Attached records

D. Forensic examiner affidavit or report

A forensic report may include:

Device examined
Methodology
Tools used
Hash values
Files recovered
Logs analyzed
Findings
Limitations
Examiner qualifications

XV. Where to Submit Evidence

Evidence may be submitted to different offices depending on the stage and type of case.

A. Philippine National Police Anti-Cybercrime Group

The PNP Anti-Cybercrime Group receives complaints, assists in cybercrime investigations, and may coordinate digital forensic examination.

A complainant usually brings:

Valid ID
Complaint-affidavit
Printed evidence
Digital copies
Original device, if needed
URLs and account details
Transaction records
Witness details
Contact information

B. National Bureau of Investigation Cybercrime Division

The NBI Cybercrime Division also investigates cybercrime offenses. The complainant may submit similar records and affidavits.

C. Office of the City or Provincial Prosecutor

A criminal complaint may be filed directly for preliminary investigation. The complaint must include affidavits and supporting evidence sufficient to establish probable cause.

D. Department of Justice Office of Cybercrime

The DOJ Office of Cybercrime has roles under the Cybercrime Prevention Act, including coordination, preservation-related processes, and international cooperation channels.

E. Courts

Once a case is filed in court, evidence is submitted according to procedural rules, including marking, pre-trial, judicial affidavits, formal offer of evidence, and testimony.

F. Administrative agencies

Depending on the matter, records may also be submitted to:

National Privacy Commission for data privacy violations
Securities and Exchange Commission for investment scams or corporate fraud
Bangko Sentral ng Pilipinas-supervised financial institutions through complaint mechanisms
Department of Trade and Industry for consumer complaints
DICT-related reporting channels for cybersecurity incidents
School, employer, or professional regulatory bodies for internal proceedings

XVI. Filing a Cybercrime Complaint: Practical Steps

Step 1: Preserve evidence immediately

Save screenshots, URLs, original files, emails, messages, transaction records, and devices.

Step 2: Prepare a timeline

Create a chronological narrative:

Date and time of first contact
What happened
What was sent or posted
What money or information was transferred
When damage was discovered
What steps were taken
Who witnessed the event

Step 3: Identify the suspect

Provide all identifiers:

Full name, if known
Alias
Username
Email address
Phone number
Profile link
Bank account
E-wallet account
IP address, if available
Domain name
Business name
Delivery address
Device identifier
Employer or affiliation, if relevant

Step 4: Organize evidence

Number attachments clearly:

Annex “A” – Screenshot of message
Annex “B” – Screenshot of profile
Annex “C” – Transaction receipt
Annex “D” – Email headers
Annex “E” – Witness affidavit
Annex “F” – Incident report

Step 5: Execute affidavits

Affidavits must be sworn before an authorized officer. Attach copies of IDs when required.

Step 6: Submit both printed and digital copies

Law enforcement and prosecutors may require:

Printed copies for docketing
Digital files in USB drive or storage media
Original device for inspection
Certifications or affidavits

Step 7: Keep your own complete copy

Maintain a duplicate set of everything submitted, including receiving stamps, reference numbers, and officer contact details.

XVII. Preservation Orders

The Cybercrime Prevention Act allows authorities to require preservation of computer data. This is important because platforms, telcos, banks, and service providers may retain logs only for limited periods.

A preservation request or order may cover:

Traffic data
Subscriber data
Content data, subject to stricter legal requirements
Logs
Account information
IP records
Transaction data

Preservation is not the same as disclosure. It generally means the data must be kept from deletion while proper legal process is pursued.

Disclosure or production may require lawful process such as a court warrant, subpoena, production order, or other authorized mechanism.

XVIII. Search, Seizure, and Examination of Computer Data

Cybercrime investigations may require search and seizure of computer systems or data. Authorities must comply with constitutional protections against unreasonable searches and seizures.

Depending on the action, law enforcement may need:

Search warrant
Warrant to disclose computer data
Warrant to intercept computer data, where legally allowed and applicable
Warrant to search, seize, and examine computer data
Court order
Subpoena
Production order

A private complainant generally cannot compel platforms, telcos, banks, or internet service providers to disclose protected records merely by request. Proper legal process is usually necessary.

XIX. Subpoenas and Requests for Records

Records from third parties may be critical. These include:

Bank records
E-wallet records
Telco subscriber records
Internet service provider records
Platform account data
Marketplace records
Delivery records
Domain registrar records
Employer system logs
CCTV records

However, these records may involve privacy, bank secrecy, contractual confidentiality, or platform policies. They are usually obtained through:

Prosecutor subpoena
Court subpoena
Law enforcement request
Preservation request
Warrant
Mutual legal assistance process, for foreign providers
Consent of the account holder, where applicable

Private complainants should identify the records needed and explain why they are relevant.

XX. Foreign Platforms and Cross-Border Evidence

Many cybercrime cases involve platforms based outside the Philippines. Examples include foreign social media platforms, email providers, cloud services, marketplaces, and messaging apps.

Challenges include:

Foreign data storage
Different retention periods
Privacy laws of other jurisdictions
Platform-specific law enforcement portals
Need for preservation before deletion
Mutual legal assistance requirements
Limited disclosure to private individuals

Philippine authorities may coordinate through appropriate channels, including the DOJ and international cooperation mechanisms. Delay can be fatal because logs may expire.

XXI. Admissibility in Court

Evidence must generally be:

Relevant – It relates to a fact in issue.
Competent – It is not excluded by law or rule.
Authenticated – It is shown to be what it claims to be.
Reliable – Its integrity is sufficiently established.
Properly offered – It is formally offered in evidence at the correct stage.

Even strong digital evidence may be rejected or given little weight if it is not properly authenticated or formally offered.

XXII. The Best Evidence Rule and Electronic Evidence

The best evidence rule generally requires the original document when the contents of a document are the subject of inquiry. For electronic documents, the “original” may include an electronic document that is an output readable by sight or other means, if it accurately reflects the data.

Printouts may be admissible if properly authenticated. But when authenticity is challenged, the court may require stronger proof, such as original devices, system records, metadata, or testimony from a person with knowledge.

XXIII. Hearsay Issues

Digital records may face hearsay objections if offered to prove the truth of their contents. Some records may fall under exceptions, such as entries in the course of business, official records, admissions, or independently relevant statements.

For example:

A scammer’s message may be admissible not to prove that the message is true, but to prove that the message was sent.
A bank certification may be admissible if properly authenticated by a records custodian.
A chat admission by the respondent may be treated differently from a third-party statement.

The purpose for which the evidence is offered matters.

XXIV. Judicial Affidavit Rule

In many criminal proceedings, witnesses submit judicial affidavits containing their direct testimony. Digital evidence should be identified in the judicial affidavit.

The witness should explain:

What the exhibit is
How it was obtained
When it was obtained
Who made it
Whether it is accurate
Whether the original exists
Why it is relevant
How the witness can identify it

A witness who cannot explain the source of a screenshot may have difficulty authenticating it.

XXV. Formal Offer of Evidence

Evidence attached to a complaint is not automatically evidence in court. During trial, after testimony, evidence must be formally offered.

The formal offer should state:

Exhibit number or letter
Description
Purpose
Witness who identified it
Legal relevance

Failure to formally offer evidence may prevent the court from considering it.

XXVI. Special Considerations for Online Libel

Online libel under Philippine law has specific requirements. Evidence must usually establish:

A defamatory imputation
Publication through a computer system or similar means
Identification of the offended party
Malice, either presumed or actual depending on the circumstances
Authorship or responsibility of the accused
Date of publication
Jurisdiction and venue

Key evidence

Screenshot of post
URL
Account profile
Witnesses who saw the post
Evidence connecting account to accused
Proof of complainant’s identity
Context showing defamatory meaning
Evidence of harm, if claiming damages

Venue concerns

Cybercrime venue can be legally sensitive. Filing location should be selected based on applicable rules, including where the offended party resides, where the content was accessed, where it was first published, or where elements occurred, depending on the case and controlling doctrine.

XXVII. Special Considerations for Financial Cybercrime

Financial cybercrime evidence should be fast, detailed, and coordinated with financial institutions.

Submit:

Transaction receipts
Account numbers
QR codes
Reference numbers
Bank branch or platform details
Time of transfer
Sender and recipient account names
Screenshots of payment instructions
Scam messages
Police or prosecutor complaint, if needed by bank
Request for freeze, recall, or hold where legally available

Time is critical because funds may be withdrawn or transferred quickly.

XXVIII. Special Considerations for Data Privacy and Data Breach Cases

A cybersecurity incident may also involve data privacy law. Evidence may include:

Incident report
Personal data involved
Number of affected data subjects
Logs of unauthorized access
Security measures in place
Breach discovery timeline
Notifications sent
Remediation steps
Contracts with processors
Data protection policies
NPC submissions, if any

For companies, mishandling evidence can create additional exposure. Access to personal data should be limited to authorized personnel and documented.

XXIX. Special Considerations for Minors and Sexual Content

Cases involving minors, sexual exploitation, or intimate content require special caution.

Important rules:

Do not circulate the material.
Do not send copies casually through email or messaging apps.
Do not post the material online to “prove” the offense.
Preserve evidence securely.
Submit through law enforcement or counsel.
Protect the identity of minors and victims.
Observe confidentiality and child protection procedures.

In these cases, the safest course is immediate reporting to proper authorities.

XXX. Data Privacy Considerations When Submitting Evidence

Evidence may contain personal data of suspects, victims, witnesses, employees, customers, or third parties.

The Data Privacy Act does not prevent lawful reporting of crimes, but parties should observe proportionality and security.

Practical rules

Submit only relevant records.
Redact unrelated personal data when appropriate.
Keep unredacted originals available for lawful review.
Avoid public posting of evidence.
Use secure storage.
Limit access.
Document who handled the data.
For companies, involve the Data Protection Officer when personal data is involved.

XXXI. Company Records as Cybercrime Evidence

Companies should establish internal procedures for preserving and submitting records.

A. Internal incident report

The report should include:

Date and time of incident
How discovered
Systems affected
Users involved
Logs reviewed
Initial findings
Actions taken
Evidence preserved
Business impact
Recommended legal action

B. Authority to submit

The company representative should have authority to file the complaint. This may require:

Secretary’s certificate
Board resolution
Special power of attorney
Authorization letter
Employment certification

C. Records custodian

A records custodian or IT officer should authenticate business and system records.

XXXII. Evidence Packaging and Submission Format

A. Printed evidence

Printed evidence should be:

Clear and readable
Paginated
Marked as annexes
Accompanied by affidavit
Organized chronologically
Printed with URLs and dates where possible

B. Digital evidence

Digital evidence should be placed in a clean storage medium such as USB drive, external drive, or optical disc, depending on the receiving office’s requirements.

Organize folders:

Cybercrime Evidence/
  01_Complaint_Affidavit/
  02_Screenshots/
  03_Emails/
  04_Chat_Logs/
  05_Transaction_Records/
  06_Profile_and_URLs/
  07_Witness_Affidavits/
  08_Device_or_System_Logs/
  09_Forensic_Report/
  10_Evidence_Log/

Use clear file names:

Annex_A_Facebook_Post_2026-01-10.png
Annex_B_Profile_Page_Respondent.png
Annex_C_GCash_Transaction_Receipt.pdf
Annex_D_Email_Header_2026-01-11.eml
Annex_E_Witness_Affidavit_Maria_Santos.pdf

C. Hash list

For important files, prepare a hash list:

File Name	SHA-256 Hash	Date Hashed	Hashed By
Annex_A_Post.png	[hash value]	Jan. 12, 2026	Complainant/IT officer

XXXIII. Sample Evidence Checklist

General cybercrime complaint checklist

Valid government ID
Complaint-affidavit
Witness affidavits
Screenshots
URLs
Chat logs
Emails with full headers
Transaction records
Account/profile links
Device used
Timeline of events
Evidence log
Digital copy of evidence
Printed annexes
Proof of damages
Prior reports to bank/platform/telco
Company authorization, if applicable

Online scam checklist

Messages from scammer
Profile of scammer
Payment proof
Bank/e-wallet details
Marketplace listing
Delivery records
Demand/refund messages
Platform complaint
Police or NBI/PNP referral record

Online libel checklist

Screenshot of post
URL
Profile page
Date and time of post
Witnesses who saw post
Proof complainant was identifiable
Context of statement
Evidence of malice or harm
Evidence linking account to respondent

Hacking checklist

Login alerts
IP logs
System logs
Screenshots of unauthorized access
Device list
Access history
Changed passwords or settings
Forensic report
IT incident report

XXXIV. Common Problems That Weaken Cybercrime Evidence

1. No proof tying the account to the accused

A username alone may not prove identity. Additional evidence may be needed:

Admissions
Phone number
Email address
Recovery account
Payment account
Device records
IP logs
Witness identification
Similar photos or personal details
Prior communications

2. Screenshots without context

Isolated screenshots may be attacked as misleading. Full threads and surrounding messages are better.

3. No date or time

Dates matter for prescription, venue, sequence, and credibility.

4. Edited evidence

Cropping, annotations, filters, and conversions may raise authenticity issues.

5. Lost original device

If the original device is lost, authentication becomes harder.

6. Delayed reporting

Delay may allow deletion of logs, posts, accounts, and funds.

7. Publicly posting evidence

Posting evidence online may violate privacy, defame others, alert suspects, or compromise the case.

8. Unlawfully obtained evidence

Evidence obtained through hacking, unauthorized access, illegal recording, or privacy violations may be challenged and may expose the complainant to liability.

XXXV. Lawful Collection vs. Illegal Collection

Victims should not commit a cybercrime to prove a cybercrime.

Avoid:

Guessing passwords
Accessing the suspect’s account
Installing spyware
Recording private communications unlawfully
Impersonating law enforcement
Hacking devices
Entrapping without coordination with authorities
Publishing private data
Threatening the suspect
Fabricating conversations

Lawful preservation of messages received by the complainant is generally different from unauthorized access to another person’s private account.

XXXVI. Role of Digital Forensics

Digital forensics may be needed when:

Evidence is deleted
Device compromise is suspected
Logs are technical
Malware is involved
Authenticity is disputed
Corporate systems are affected
Large amounts of data are involved
Identity of the offender is unclear
Metadata matters
Court presentation requires expert explanation

Forensic work may include:

Imaging devices
Recovering deleted files
Extracting chat databases
Analyzing metadata
Reviewing logs
Tracing malware
Hash verification
Timeline reconstruction
Reporting findings

Forensic examiners must be prepared to explain their methods in court.

XXXVII. Records From Banks, E-Wallets, Telcos, and Platforms

A. Banks and e-wallets

Relevant records may include:

Account holder name
Account opening documents
Transaction history
Destination accounts
KYC records
Device IDs
Login IPs
Cash-out records
Linked phone numbers
CCTV at withdrawal points, if applicable

These usually require legal process.

B. Telcos

Relevant records may include:

Subscriber information
SIM registration details
Call detail records
SMS logs, where legally available
Cell site information, subject to legal restrictions
IP assignment logs

C. Internet service providers

Relevant records may include:

Subscriber assigned to an IP address at a specific time
Account information
Connection logs, depending on retention

D. Online platforms

Relevant records may include:

Account registration details
Login IP history
Device information
Content data
Deleted content, if preserved
Messages, subject to privacy and legal limits
Account recovery information

XXXVIII. Time Sensitivity and Retention

Digital records may be retained for short periods only. Examples:

IP logs may expire.
Deleted posts may become unrecoverable.
CCTV may be overwritten.
Bank fraud trails may move quickly.
Scam accounts may be abandoned.
Messaging apps may use encryption.
Temporary stories or posts may disappear.
Devices may be reset.

Immediate preservation and reporting are often decisive.

XXXIX. Prescription Periods

Cybercrime and related offenses have prescriptive periods. The applicable period depends on the offense, penalty, and governing law. In cybercrime cases, penalties may be one degree higher for certain offenses committed through information and communications technologies, affecting prescription analysis.

Delay may create both evidentiary and legal problems. A complainant should document the date of discovery, date of publication, date of transaction, and date of last relevant act.

XL. Venue and Jurisdiction

Cybercrime jurisdiction can involve:

Location of complainant
Location of accused
Location where device was used
Location where data was accessed
Location of publication
Location where damage occurred
Location of server or platform
Place where transaction occurred

Because cybercrime can cross city, provincial, and national borders, venue must be carefully assessed. A complaint filed in the wrong venue may face challenge.

XLI. Evidence for Probable Cause vs. Evidence for Conviction

At the complaint or preliminary investigation stage, evidence must establish probable cause. At trial, guilt must be proven beyond reasonable doubt.

Evidence sufficient for filing may not be sufficient for conviction.

For probable cause

The complainant needs enough evidence to show that a crime was probably committed and the respondent probably committed it.

For conviction

The prosecution must prove every element of the offense beyond reasonable doubt, including identity of the accused and authenticity of evidence.

XLII. How to Present Evidence in the Complaint-Affidavit

A complaint-affidavit should be clear, chronological, and evidence-based.

Suggested structure

Introduction and personal circumstances
Identity of respondent
Relationship to respondent
Chronology of events
Description of online act
Evidence gathered
How evidence was obtained
Harm suffered
Legal basis for complaint
Prayer for investigation/prosecution
Annex list

Sample language for screenshots

Attached as Annex “A” is a screenshot of the message I received from the account named [account name] on [date]. I personally took this screenshot using my mobile phone. The screenshot accurately reflects the message as it appeared on my device. I have not altered the contents of the screenshot. The original conversation remains stored in my [app/account/device].

Sample language for email

Attached as Annex “B” is a copy of the email I received on [date] from [email address]. I downloaded the email from my own email account. The full email header is attached as Annex “B-1.” The email and header have not been altered.

Sample language for transaction record

Attached as Annex “C” is the transaction receipt showing my transfer of PHP [amount] to [account/e-wallet] on [date and time]. This receipt was generated by [bank/e-wallet app]. The transaction reference number is [number].

XLIII. Marking of Evidence

At the complaint stage, evidence is usually marked as annexes. At court trial, evidence is marked as exhibits.

Example:

Annex “A” / Exhibit “A” – Screenshot of Facebook post
Annex “B” / Exhibit “B” – Respondent’s profile page
Annex “C” / Exhibit “C” – GCash receipt
Annex “D” / Exhibit “D” – Email with full header
Annex “E” / Exhibit “E” – Witness affidavit
Annex “F” / Exhibit “F” – Forensic report

Maintain consistency between the affidavit and attachments.

XLIV. Certification and Notarization

Complaint-affidavits and supporting affidavits must generally be sworn before a prosecutor, notary public, or authorized officer. Some agencies may provide forms or require personal appearance.

A defective affidavit may delay the case.

XLV. Submitting Evidence in Electronic Form

When submitting digital files:

Use a clean USB drive or storage medium.
Label the medium.
Include a file index.
Include hash values for key files.
Avoid mixing irrelevant personal files.
Make duplicate copies.
Ask the receiving office to acknowledge receipt.
Keep the exact copy submitted.

Label example:

Evidence USB
Complainant: Juan Dela Cruz
Respondent: Pedro Santos
Case: Online Scam
Date Submitted: January 15, 2026
Contents: Annexes A to M

XLVI. Security of Evidence

Cybercrime evidence may include sensitive data. Protect it.

Recommended measures:

Store in encrypted drive
Use strong passwords
Keep backup copy
Limit access
Avoid cloud sharing without security
Do not send sensitive evidence through unsecured channels
Keep physical devices in safe storage
Maintain access log for company evidence

XLVII. Coordination With Platforms

Victims may report content directly to platforms for takedown, but they should preserve evidence first.

Platform reports may help:

Freeze accounts
Remove harmful content
Preserve records
Show good faith
Prevent further harm

However, if content is removed before screenshots, URLs, and records are preserved, evidence may be lost.

XLVIII. Takedown vs. Evidence Preservation

There is a tension between removing harmful content and preserving evidence.

In urgent cases, such as sexual exploitation, threats, or ongoing scams, takedown may be necessary. But before takedown, preserve:

URL
Screenshots
Account details
Date/time
Content
Witnesses
Report confirmation

For serious cases, coordinate with law enforcement before takedown when possible.

XLIX. Handling Anonymous or Pseudonymous Offenders

Many cybercrime offenders use fake accounts. A case can still proceed if there is enough evidence to identify or investigate them.

Useful identifiers include:

Phone numbers
Email addresses
Payment accounts
Bank accounts
Delivery addresses
IP addresses
Device identifiers
Reused usernames
Photos
Voice recordings
Admissions
Common contacts
Marketplace histories
Domain registration
SIM registration records
KYC records

The complaint may initially name a respondent as “John Doe” or describe the unknown person behind a specific account, subject to investigation.

L. Use of Recordings

Recordings may be relevant but must be lawfully obtained. The Philippines has laws restricting unauthorized recording of private communications.

Before submitting audio or video recordings, consider:

Who recorded it
Whether the recorder was a party to the conversation
Whether consent was given
Whether the communication was private
Whether the recording violates anti-wiretapping laws
Whether the recording is complete and unedited
Whether metadata is preserved

Unlawful recordings may be inadmissible and may create liability.

LI. Metadata

Metadata is data about data. It may show:

Creation date
Modification date
Device used
GPS location
Author
File path
Email routing
Camera details
Software used
Hash values

Metadata can help prove authenticity, but it can also be changed. Preserve original files to retain metadata.

LII. Evidence From Cloud Accounts

Cloud accounts may contain:

Backups
Login activity
Device lists
Shared files
Deleted files
Access logs
Recovery emails
Account security alerts

Preserve account access and avoid deleting notifications. Change passwords if needed for security, but document when and why changes were made.

LIII. Evidence From CCTV and IoT Devices

Cybercrime cases may involve CCTV, smart locks, routers, or other connected devices.

Preserve:

Video files
Export logs
Device serial numbers
System time settings
Admin access logs
Network logs
Firmware information
Storage media
Export method

CCTV systems often overwrite footage. Immediate preservation is necessary.

LIV. Employee and Workplace Cybercrime

When cybercrime occurs in the workplace, evidence may involve employee accounts, company devices, and internal systems.

Employers should consider:

Acceptable use policies
Consent notices
Data privacy obligations
Labor law implications
Internal investigation protocols
Access authorization
HR documentation
Preservation of logs
Avoiding unauthorized access to personal accounts

Company-owned systems may be reviewed according to policy and law, but personal accounts require caution.

LV. Civil, Criminal, and Administrative Use of the Same Evidence

The same digital evidence may support:

Criminal complaint
Civil action for damages
Labor case
Administrative complaint
Data privacy complaint
Internal disciplinary action
Platform takedown request
Insurance claim
Bank fraud claim

Each forum may have different evidentiary rules and standards.

LVI. Burden of Proof

The burden depends on the proceeding:

Criminal preliminary investigation: probable cause
Criminal trial: proof beyond reasonable doubt
Civil case: preponderance of evidence
Administrative case: substantial evidence
Internal company action: policy-based standard, subject to law

Evidence should be prepared with the strictest expected proceeding in mind.

LVII. How Respondents Challenge Cybercrime Evidence

Respondents may argue:

The screenshot is fabricated.
The account was fake or hacked.
The respondent did not own the account.
The evidence was edited.
The full context was omitted.
The evidence was illegally obtained.
The post was not public.
The complainant was not identifiable.
The records are hearsay.
The witness lacks personal knowledge.
The court has no jurisdiction.
The complaint was filed in the wrong venue.
The offense has prescribed.
The statement was opinion, fair comment, privileged communication, or truth.
The transaction was civil, not criminal.
The digital records lack authentication.

Anticipating these defenses helps determine what evidence to collect.

LVIII. Strengthening the Case

A cybercrime complaint is stronger when it has:

Original electronic records
Full context
Multiple independent evidence sources
Clear timeline
Witness affidavits
Platform or bank records
Forensic report
Proper chain of custody
Evidence connecting account to accused
Evidence of damage or harm
Prompt reporting
Lawful collection

LIX. Practical Evidence Index Template

EVIDENCE INDEX

Complainant: ____________________
Respondent: ____________________
Case Type: ______________________
Date Prepared: __________________

Annex A - Screenshot of initial message dated ______
Annex B - Screenshot of respondent profile page
Annex C - Full chat thread screenshots
Annex D - Transaction receipt dated ______
Annex E - Bank/e-wallet confirmation
Annex F - Email with full headers
Annex G - URL printout and webpage screenshot
Annex H - Witness affidavit of __________
Annex I - Evidence log
Annex J - Hash list
Annex K - Company incident report
Annex L - Forensic report
Annex M - Platform complaint confirmation

LX. Sample Chain of Custody Form

CHAIN OF CUSTODY FORM

Case Title: ______________________
Evidence Item No.: _______________
Description: _____________________
Source: __________________________
Date/Time Collected: _____________
Collected By: ____________________
Method of Collection: ____________
Original Location: _______________
Storage Medium: __________________
Hash Value: ______________________
Remarks: _________________________

Transfer History:

Date/Time: _______________________
Released By: _____________________
Received By: _____________________
Purpose: _________________________
Signature: _______________________

Date/Time: _______________________
Released By: _____________________
Received By: _____________________
Purpose: _________________________
Signature: _______________________

LXI. Sample Affidavit Paragraph for Evidence Authentication

I personally obtained and preserved the electronic evidence attached to this Complaint-Affidavit. The screenshots attached as Annexes “A” to “D” were taken by me from my own mobile phone on [date]. These screenshots accurately show the messages, account names, dates, and contents as they appeared on my device. I did not alter, edit, or manipulate the contents of these screenshots. The original conversation remains available on my device and account for examination by the proper authorities.

LXII. Sample Affidavit Paragraph for Company Logs

I am the [position] of [company], and I am authorized to retrieve and maintain system records in the ordinary course of business. The logs attached as Annex “E” were generated by our company’s [system/server/application] and were retrieved by me on [date] using administrator access assigned to me. These logs are automatically recorded by the system at or near the time of the events reflected therein. I certify that the attached records are true and accurate copies of the logs retrieved from our system.

LXIII. Sample Request to Preserve Records

We respectfully request the immediate preservation of all records, logs, account information, transaction details, access records, IP logs, device identifiers, and related data concerning the account/transaction identified as follows:

Account/Profile/Number: ____________________
URL/Email/Username: ________________________
Transaction Reference: _____________________
Date and Time: _____________________________
Reason: These records are relevant to a cybercrime complaint involving ____________________.

This request is made to prevent deletion, alteration, or loss of relevant data while appropriate legal processes are pursued.

A private request may not compel disclosure, but it may alert the entity to preserve records, depending on its policies and applicable law.

LXIV. Ethical Duties of Lawyers Handling Cybercrime Evidence

Lawyers should:

Avoid presenting fabricated or altered evidence.
Verify the source of digital records.
Advise clients not to hack, entrap unlawfully, or publicly shame suspects.
Preserve confidentiality.
Avoid unnecessary exposure of sensitive data.
Consider data privacy duties.
Properly mark and authenticate electronic evidence.
Prepare witnesses to explain digital evidence accurately.
Request preservation or subpoenas promptly.

LXV. Do’s and Don’ts

Do

Preserve evidence immediately.
Save URLs and full context.
Keep original devices and files.
Take clear screenshots.
Export emails with full headers.
Keep transaction records.
Prepare a timeline.
Execute sworn affidavits.
Use an evidence index.
Maintain chain of custody.
Report promptly.
Coordinate with proper authorities.
Protect sensitive personal data.

Don’t

Delete conversations.
Edit screenshots.
Hack the suspect.
Publicly post private evidence.
Rely only on cropped screenshots.
Delay reporting.
Lose access to accounts.
Share intimate images unnecessarily.
Submit disorganized files.
Ignore data privacy obligations.
Assume a username alone proves identity.

LXVI. Conclusion

Submitting evidence and records in Philippine cybercrime cases requires more than printing screenshots. The complainant must preserve original digital sources, organize records, authenticate electronic evidence, document chain of custody, prepare sworn affidavits, and submit materials through the proper law enforcement, prosecutorial, administrative, or judicial channels.

The strongest cybercrime cases are built early: before posts disappear, accounts are deleted, funds are withdrawn, logs expire, or devices are altered. Proper preservation, lawful collection, and careful presentation often determine whether a cybercrime complaint can proceed from report to investigation, from investigation to prosecution, and from prosecution to conviction.