When people hear the phrase “computer forensics”, they often think of the television program “CSI” and police criminal investigations. However, computer forensics, or digital forensics as it is now commonly called, is an invaluable tool used in a wide range of investigations including contractual disputes between companies, employee misuse of computers, intellectual property investigations, computer hacking investigations and libel cases.
Digital forensics is still in its infancy in Thailand but that is about to change. A search on the Internet will now reveal companies advertising digital forensic services, training courses and blogs within Thailand dedicated to the world of forensics.
But what exactly do we mean by the term digital or computer forensics? Simply put, it refers to the collection and examination of electronic data stored on computers and other electronic devices for evidence using a forensically sound method. A forensically sound method is one that does not alter the source evidence, except to the minimum extent necessary to obtain it. In every case the manner used to obtain the evidence must be documented and justified.
Digital forensics not only includes the preservation of the electronic data, but also identifying the data of relevance to the investigation, extraction of the data and its presentation in a way that is suitable for court purposes. It is important that people get away from the idea that digital forensics only includes computers. Any device that can store electronic data falls under the umbrella of digital forensics. This includes mobile phones, digital cameras, satellite navigation devices, USB storage devices, games consoles, and in one memorable case has even included an electric oven.
When you consider that the majority of transactions, communications and documentation are now in electronic format, you only have to look at the following numbers to see why digital forensics is an important investigation tool for any business. Highlights from the 2011 Global Economic Crime Survey show that cyber-crime now ranks as one of the top four economic crimes, and almost 1 in 10 who reported fraud suffered losses of more than US$5 million. Reputational damage was the biggest fear for 40% of respondents with 56% of respondents saying the most serious fraud was an ‘inside job’. The survey also showed that 60% of respondents said their organization doesn’t keep an eye on social media sites. Tellingly, 34% of respondents experienced economic crime in the last 12 months (up from 30% reported in 2009). A worrying 2 in 5 respondents to the survey said they had not received any cyber security training and an even more unsettling majority admitted that they do not have, or are not aware of having, a cyber-crisis response plan in place.
This is astonishing when you consider that in today’s fast paced world, organisations have to rely more and more heavily on technology to remain competitive. Customers have come to expect organisations to have an online presence with professional looking websites, be able to respond quickly to online enquirers, have online chat functionality and have the ability to order securely online. In fact, technology has become so integrated into people’s lives that they expect to have constant access to their personal emails and to be able to stay in touch with friends even during working hours.
So what does this mean for organisations? Frankly, it means that they will face some kind of cyber-security incident at some point and the reality is they are often unprepared to deal with the incident effectively. Organisations are aware they need to have firewalls in place, up to date anti-virus and the latest patches installed. However, they often do not enforce their acceptable computer usage policy or give any thought to the control of USB devices that can be plugged into the network or mobile phones that may hold company data. In addition, when an employee’s contract is terminated the organisation often overlooks the need to quickly close down the employee’s user accounts, which can include remote access to the network.
Companies in all industries, both here and abroad, have a legal and moral obligation to protect their customers’ personal information. However, data leakage remains one of the biggest problems they face in today’s technological world. If the commercial sector in Thailand wishes to compete within the global market, they will need to have in place the resources to deal with cyber-security crime whatever form it may take. Cyber-security has now become such an issue that companies who do not have in place the resources to combat cyber-crime incidents will fail to win large business contracts, a point made succinctly by Professor Peter Grabosky who once said that “Those who fail to anticipate the future are in for a rude shock when it arrives”.
Examples of cyber-security crime include computer fraud, violations of organisational computer security policies, industrial espionage, theft of proprietary corporate data or information, violations of privacy acts, and the download of child and adult pornography.
When such an incident occurs it can leave the organisation in a vulnerable position, ethically, financially and legally. All incidents need to be treated seriously. What starts out initially as an internal investigation could quickly expand into a criminal investigation which then involves outside agencies or the investigation could leak out to the public or the media.
That said, because it is such a new field, the awareness of digital forensics in Thailand is still quite low and there is a shortage of experienced forensic investigators here. As a result the commercial sector and the judicial system are either not utilizing the full potential of digital forensics or not using forensics at all during the course of their investigations. This is almost certainly resulting in potentially vital evidence being overlooked.
There are a number of misconceptions in relation to digital forensics. For example, digital forensics is only relevant to criminal investigations; digital forensics is expensive; or digital evidence is very complex. The truth is that whether it is a criminal investigation, civil litigation or a private prosecution, if computers, electronic communications or electronic documents have been used by either party then digital forensics is relevant to the investigation. Forensics can often recover data that would not have otherwise been accessible. This includes the recovery of deleted data and temporary versions of documents – irrefutable information that frequently proves, say, the malicious actions of an employee.
Digital forensics may seem to be an expensive option which businesses are reluctant to invest in. However, the use of forensics during the course of the investigation can often produce a wealth of evidence that proves vital to achieving a successful outcome to litigation. In many cases it can actually prevent a long drawn out legal battle, which ultimately produces financial savings for the business, as per the following example.
A long term employee who was responsible for the backups of company data suddenly left the business without notice. After he had left it was discovered that he had deleted the contents of his work email account. A forensic image of the hard drive from the employee’s work computer was obtained along with a forensic image of the employee’s email PST files and user data, which were located on the company server. A full forensic analysis was conducted. As a result it was found that the employee, prior to leaving the company, had placed a pen drive into the computer and downloaded a copy of the backup files onto it. He then subsequently accessed his email account and deleted key emails prior to leaving. As a result of the analysis, it was possible to show and evidence the sequence of events that took place. When confronted with the evidence the former employee admitted to his actions and as a result the need for a drawn out legal battle was prevented.
Lawyers in Thailand currently have a fear of using digital evidence in the Thai courts because they feel the evidence may be too complex and will ultimately be disallowed. This does not have to be the case. In many instances the type of digital evidence that is being produced for court consists of images, emails, electronic documents and Internet history. This type of evidence can be produced in a clear, easy format that everyone can understand.
When dealing with digital evidence, there are two key issues that the court has to address: the integrity of the evidence and the authenticity of the evidence. Thailand already has in place legislation for dealing with electronic evidence in the form of the Electronic Transaction Act B.E. 2544 (2001), which at least is a beginning.
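The definition of a forensically sound method given earlier and the integrity question raised here can both be illustrated with a hash-verified acquisition. The following is an added example, not part of the original article: SHA-256 hashing, the record fields and the file names are this example's assumptions, and a small constructed file stands in for the evidence source.

```python
import hashlib, json, os, tempfile
from datetime import datetime, timezone

CHUNK = 1024 * 1024

def sha256_file(path):
    """Hash a file in chunks; the file is opened read-only."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()

def acquire(source, image, examiner, reason):
    """Copy source to image and return a record documenting the acquisition."""
    before = sha256_file(source)
    with open(source, "rb") as src, open(image, "xb") as dst:  # "x": never overwrite
        for block in iter(lambda: src.read(CHUNK), b""):
            dst.write(block)
    record = {
        "examiner": examiner, "reason": reason,
        "acquired_utc": datetime.now(timezone.utc).isoformat(),
        "source": os.path.abspath(source), "image": os.path.abspath(image),
        "source_sha256_before": before,
        "source_sha256_after": sha256_file(source),
        "image_sha256": sha256_file(image),
    }
    record["source_unaltered"] = before == record["source_sha256_after"]
    record["image_matches_source"] = before == record["image_sha256"]
    return record

def verify(image, record):
    """Later check: does the image still match the hash in the record?"""
    return sha256_file(image) == record["image_sha256"]

def demo():
    """Constructed sample: acquire a small file, then alter the image."""
    with tempfile.TemporaryDirectory() as d:
        src, img = os.path.join(d, "source.bin"), os.path.join(d, "image.dd")
        with open(src, "wb") as f:
            f.write(b"constructed sample evidence " * 1000)
        rec = acquire(src, img, "examiner (placeholder)", "constructed demo")
        ok_before = verify(img, rec)
        with open(img, "r+b") as f:      # simulate a one-byte change to the image
            f.write(b"X")
        return rec, ok_before, verify(img, rec)

if __name__ == "__main__":
    rec, ok, tampered = demo()
    print(json.dumps(rec, indent=2), ok, tampered)
```

On a real device the read would go through a write blocker; the file-level copy here only illustrates the hash-and-document step.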
Cyber security crime has been identified as one of the four top economic crimes and is on the increase. Many businesses fail to realise the devastating impact cyber crime can have on a company, both financially and reputation-wise, until it is too late. We cannot get away from the fact that the majority of transactions, communications and documentation are now in electronic format.
In many cases, in order to win lucrative business contracts, companies today have to show that not only do they have the resources in place to reduce the risk of being a victim of cyber crime, they also have the determination and wherewithal to effectively investigate any cyber security incident that occurs in their organisation.
In this context digital forensics is a powerful tool that companies should be adopting as a matter of basic corporate policy in the fight against cyber crime.
Published: RBSC Magazine, April 2012
About the Authors:
Mr. Andrew Smith (Andy) – Director of Computer Forensics Services at Orion Forensics Thailand
Andrew has 17 years’ experience in the field of digital forensics. Andrew was a UK police officer for 9 years of which the last 4 years was spent working within the police computer crime unit where he received extensive forensic training. His role included the acquisition of electronic data, analysis and the presentation of evidence in the UK courts as an expert witness.
Andrew has now been based in Bangkok for over 7 years and is the Director of Computer Forensics Services for a commercial investigation company called Orion Investigations. His role is to oversee all forensic investigations, business development, promote awareness of cyber security and present evidence as an expert witness in Thai courts. He has regularly appeared as a guest speaker for various business chambers and organizations. Andrew has developed a range of forensic training courses for the local Thai market. Andrew has also developed a number of free forensic tools which are now used in forensics labs all around the world.