Orion Forensics was invited to conduct a 2-day course training to Tokio Marine Life Insurance (Thailand) PCL. On the first day was an online class ,The training course was Digital Evidence – Unlocking the Secrets, which is a theory course throughout the training. The 2nd day of Training was an In-House Class, which is Workshop class – Forensic Techniques for Auditor -This course is a one day workshop for It /Auditor /Fraud Analyst or those who working on fraud investigations or Who works related to digital evidence. the event hold on 3rd-4th March 2022 .The Location is S31 Sukhumvit Hotel.
Orion Forensics would like to thank Tokio Marine Life Insurance (Thailand) PCL. for giving us the opportunity to lecture and educate employees to upskill of digital forensics and are able to apply digital forensics techniques to adapt to the current work.
Course Training Activity
Day1 (Online Class ,Participants 26 Person).
Day 2 (In-House Class, Participants 15 Person).
All Course Training CLICKRead More
We have seen a significant increase in the number of cases where employees responsible for issuing payments on behalf of the company have been tricked into transferring the money into bank accounts under the control of a malicious person (Business Email Compromise). Already in the first 13 days of this year (2022) we have been contacted in relation to three such cases.
How is this type of fraud achieved and what can you do to prevent your company becoming another victim of fraud via email?
The fraudster will can often gain unauthorized access to an email chain via a number of ways. This includes
- Hacking the company network or your vendor’s network
- Unauthorized access by a malicious employee
- Using social engineering or phishing emails
- Using email login details that have become compromised for example by malware located on the computer system or the user using an unsecured WIFI network without a VPN
It should be noted that it is often very difficult to identify how the actual compromise has occurred.
Having gained access to the email chain the fraudster will then create an email address that looks almost identical to an email address within the chain that should be receiving a payment. They will then send an email from the fake email address using an excuse such as “our bank account is being audited so you need to make the payment into this other account of ours”. They will often then follow up with several more emails pushing for the payment to be made as quickly as possible. By using a fake email address, they have now taken control of the conversation. Most victims fail to notice the slight differences between the real email address and the fake one. As a result, all further emails are being diverted away from the intended real recipient to the fraudster. Once the payment has been made it will be extremely difficult to get the money back so prevention is the best policy.
If you do find yourself in the unfortunate position of having been a victim of this type of fraud, then Orion may be able to assist in gathering evidence and preparing the evidence so you can report the crime to the police. It is important to take the following steps.
- Retain an electronic copy of all original emails in the email chain and especially the emails requesting payment to a new bank account and any follow up emails from the fraudster.
It is important to keep an electronic copy of the original received emails and not ones that have been forwarded on internally to other staff members. The reason for this is that the emails contain embedded hidden information that is not usually seen when looking at the email through an email client. This information is known as email header information and contains details of all the computers the email has passed through from the sender to the recipient.
The email header will also contain time and date information and possibly the originating Internet Protocol (IP) address of the sender. In order for a device to connect to the Internet it has to be allocated an IP address. This IP address will be allocated to the customer by an Internet Service Provider (ISP).
Therefore, if we can identify the originating IP address of the email and the time and date information we can identify which ISP is responsible for allocating the IP address and from which country. Law enforcement can then make a legal request to the ISP for details of who the IP address was allocated to at the time and date the email was sent.
When you forward the emails internally the original email header information can be lost which is why it is important to preserve the original emails received in an electronic format.
Case Studies – Examples of cases where we have been able to assist our clients.
Example 1 – A Thai company asked us to examine the emails received from the fraudster to try and identify if they had been compromised or their USA vendor. We were able to show that the fraudster had used the USA vendor email login details to log into the email account via webmail from Nigeria and as a result it was the vendor who had been compromised.
Example 2 – A fraudster had created fake email addresses very similar to our client’s legitimate email addresses to commit the fraud. As a result, the other company concluded our client’s network had been compromised and they then took our client to court to sue for failing to maintain a secure computer network. Based on the evidence available it was impossible for the other company to draw this conclusion. Orion went to court as the expert witness for our client stating that based on all available evidence at the time it was impossible to conclude how the breach to the email system had occurred and which company had been compromised.
If you need assistance, then please do not hesitate to contact Orion Forensics to see how we may be able to help.Read More
In the present, there are many legal cases relevant to electronic data as the evidence and are expecting to increases since people can easily access electronic devices, e.g. Mobile phones. While people committing offences using mobile phones are increases, these complicated electronic data should be examined by specialists if the evidences are required for the litigation.
The following is legal case that has been filed, heard, and already made the decision by Supreme Court.
- The Defendant entered into a loan agreement with the Plaintiff with the balance of 595,000 Baht and agreed to pay interest at the rate of 1 percent per month. Defendant has received the full amount of the loan. After the agreement has been made, the Defendant did not pay the principal. The balance of 4 installments for interest that has yet to be pay, totaling 6,500 Baht The Plaintiff sent messages to Defendant via Facebook with the point saying the Defendant does not have to pay 670,000 Baht, which was the total of the loan, the interest does not have to be pay as well, so that the Defendant will not have any more debt. The transmission of such information is a conversation through the internet network. Hence, it is considered to be electronic data transmission. Therefore, the Electronic Transactions Act 2001 article 7 to article 9 has to be enforce. Although this message does not have the Plaintiff’s signature, but sending messages via Facebook will show sender’s name and Plaintiff admitted that that he had sent the messages to the Defendant. The conversation messages then can be heard as the intention to release the debt from the Defendant with evidence in writing. According to the Civil and Commercial Code, Section 340, Release of Obligation. If the creditor declares to the debtor an intention to release the obligation, it is extinguished. When an obligation has been evidenced by writing, the release must also be in writing or the document embodying the obligation be surrendered to the debtor or cancelled. The Plaintiff has no standing to sue.
- The plaintiff has plaint and amended the indictment, requested to force the defendant to pay the amount of 731,850 Baht with the interest of 12 percent per annum from the principal of 595,000 Baht, from the date of filing onwards until payment is made to the plaintiff.
The defendant requested the dismissal.
Civil Court adjudged the dismissal. The fees are to be waived
The Plaintiff filed an appeal.
The Fourth Reginal Court of Appeals reversed the judgement, ordered the Defendant to pay 595,000 Baht with interest of 12 percent per annum from 26th August 2013 onward until the payment is completed. By deducting the interest of 6,550 Baht from the interest that the Defendant has to pay to the plaintiff. Both courts fees are to be waived.
Defendant appeal to the Supreme Court
The Supreme Court decided “after considering, the basics fact was established that on 26th August 2013, The Defendant entered into a loan agreement with the Plaintiff of 595,000 baht. The Defendant agreed to pay interest at the rate of 1 percent per month. The Defendant received the loan in full. After the contract, the Defendant did not pay the principal. The balance of 4 installments for interest that has yet to be pay, totaling 6,500 Baht.
The case has issued and has to be diagnosed according to the Defendant’s appeal that the Defendant is liable for payment of the loan with interest or not. Regard that the message that the Plaintiff sent to the Defendant via Facebook with the point saying the Defendant does not have to pay 670,000 Baht, which was the total of the loan, the interest does not have to be pay as well, so that the Defendant will not have the anymore debt. The transmission of such information is a conversation through the internet network. Hence, it is considered to be electronic data transmission.
According to the Electronic Transactions Act 2001 article 7 rules that the information shall not be denied legal effect and enforceability solely on the ground that it is in the form of a data message. Also, article 8 rules that subject to the provision of Section 9, in the case where the law requires any transaction to be made in writing, to be evidenced in writing or supported by a document which must be produced, if the information is generated in the form of a data message which is accessible and usable for subsequent reference without its meaning being altered, it shall be deemed that such information is made in writing, is evidenced in writing or is supported by a document.
Therefore, the messages that the Plaintiff sent to the defendant via Facebook, although this message does not have the Plaintiff’s signature, but sending messages via Facebook will show sender’s name and Plaintiff admitted that that he had sent the messages to the Defendant. The conversation messages then can be heard as the intention to release the debt from the Defendant with evidence in writing. According to the Civil and Commercial Code, Section 340, Release of Obligation.
If the creditor declares to the debtor an intention to release the obligation, it is extinguished. When an obligation has been evidenced by writing, the release must also be in writing or the document embodying the obligation be surrendered to the debtor or cancelled. The Plaintiff claimed that the Plaintiff does not intend to release the debt to the Defendant, but because of the stress of wanting to sarcasticize the Defendant, the Plaintiff could not cite the said incident in order to make the intention that was expressed to be invalid. Because there is no fact that the Defendant knew the hidden intent of the Plaintiff.
The evidence of the Defendant has more weight to hear than the evidence of the Plaintiff. The fact therefore can be heard that the Defendant has been released from the loan under the loan agreement. The Defendant is not liable to pay the debt to the Plaintiff. The Plaintiff has no standing to sue. The Supreme Court disagreed to the judgment of the Fourth Regional Court of Appeal saying the judgement is incorrect, hence the appeal of the Defendant was relevant.
Reversed the judgement, ordered the dismissal. The fees of the three courts are to be waived.
Source : http://www.supremecourt.or.th/
Introduction In today’s fast paced world, organisations have to rely more and more heavily on technology to remain competitive. Customers have come to expect organisations to have an online presence with professional looking websites, be able to respond quickly to online enquiries, have online chat functionality and have the ability to order online.Read More
I have been based in Bangkok now for the past 7 years and, with the push for a digital economy, Thailand 4.0 has meant that the issue of cyber-security has been pushed to the forefront. Each year we continue to see a growth in demand for forensic awareness training and for forensic examinations. However, there is still a general lack of understanding about digital forensics and we continue to see companies making the same mistakes over and over again.
Electronic data is fragile, if there is any chance it may be used as evidence in legal proceedings, then it must be handled in a certain way so it is possible to demonstrate to the court that the integrity and authenticity of the evidence has been maintained. If mishandled, then the evidence may be called into question when presented at court.
The majority of our investigations involve the theft of company data by rogue employees. Management will naturally turn to their IT staff to begin an investigation and collect potential evidence. However, consider the following points:
- Usually the IT staff have not been trained in how to conduct a methodical investigation
- They are often unaware of the need to maintain a complete chain of custody from the collection of data stage through to producing a report
- They are unaware of all the potential sources of evidence
- They lack the specialist tools required to conduct a forensic investigation
- They lack experience in correctly interpreting the findings of the investigation
- They lack experience in preparing evidence and professional reports for court
- They are inexperienced at presenting digital evidence at court as an expert witness
Companies often assume that as long as the person conducting the investigation holds some type of IT qualification then this will be sufficient. Digital forensics is a highly specialized field and, as demonstrated by the points above, requires a forensic investigator with the qualifications and experience to conduct the forensic investigation.
Another important issue to consider is the experience of your legal team. Do they have experience of dealing with cyber-crime cases and do they have the technical understanding of digital evidence? Due to the potential complexity of cyber-crime cases the legal team will often have to work closely with the forensic investigator to ensure the best possible outcome in any legal proceedings.
Without doubt the number of legal cases using electronic evidence will continue to grow. Also, as the number of forensic specialists in Thailand increases, we can expect to see electronic evidence that has not been handled correctly being more robustly challenged in the courts. If you are involved in legal proceedings where the other side is presenting digital evidence, you should consider hiring your own forensic expert to examine the validity of their evidence. In order to give yourself the best chance of success in any legal proceedings, make sure you use suitably trained forensic investigators and lawyers with the experience of dealing with electronic evidence.
My colleague Andrew was keen to get my perspective as a lawyer. Here it is.
As a young criminal defense lawyer a senior colleague advised me that the only way to succeed, whether you are prosecuting or defending, is to put all your energy into preparing your case for trial and most importantly, to “know and understand the subject matter”. Back then it was reasonably straight forward to understand the subject matter of the criminal charges before you. Today it’s a very different story indeed.
Technology has developed at an exponential rate in the last decade or so and has given rise to a far more sophisticated medium for the dishonest perpetrator to cause damage to the unsuspecting victim, be that an employer, a business, a bank, the Authorities or even another individual.
The motive of the crime can be to damage the reputation of the victim, unlawfully obtain the victim’s confidential information or fraudulently acquire cash or other assets belonging to the victim.
As a lawyer prosecuting or defending such a case the task of knowing and understanding the subject matter of your cybercrime case is an extremely difficult one. After all you are a lawyer and not a trained scientist. This is where you need to work alongside an expert with digital forensics training and experience.
As Andrew mentions above, lawyers and other prosecuting Authorities will often rely on persons who have some level of IT training to try and make sense of the data. This is where mistakes can occur.
As lawyers we have a duty to our clients to get it right from the outset. There is no point in taking a case to trial with little prospect of success because you cannot properly explain highly technical evidence to a judge in such a way as to convince him of the perpetrators guilt, beyond reasonable doubt. Equally, the accused has a right to a fair trial and that means we have to be able to challenge technical evidence which clearly does not support the charges faced by the accused.
Our specialist cybercrime lawyers have handled many cases involving ‘cybercrime evidence’. The major advantage our team of lawyers have over many other advocates is instant access to our in-house computer forensics team. They are on hand to help us understand the subject matter of these cases, deliver expert reports, assist with our examination in chief, cross examination and give testimony to assist the court to make sense of complicated evidence. All of this is key to a successful prosecution or defence.
About the Authors:
Mr. Andrew Smith (Andy) – Director of Computer Forensics Services at Orion Forensics Thailand
Andrew has 17 years’ experience in the field of digital forensics. Andrew was a UK police officer for 9 years of which the last 4 years was spent working within the police computer crime unit where he received extensive forensic training. His role included the acquisition of electronic data, analysis and the presentation of evidence in the UK courts as an expert witness.
Andrew has now been based in Bangkok for over 7 years and is the Director of Computer Forensics Services for a commercial investigation company called Orion Investigations. His role is to oversee all forensic investigations, business development, promote awareness of cyber security and present evidence as an expert witness in Thai courts. He has regularly appeared as a guest speaker for various business chambers and organizations. Andrew has developed a range of forensic training courses for the local Thai market. Andrew has also developed a number of free forensic tools which are now used in forensics labs all around the world.
Email: firstname.lastname@example.orgRead More
Many people around the world have been following the trial of Oscar Pistorius who is accused of murdering his girlfriend Reeva Steenkamp. Digital evidence extracted from the girlfriend’s mobile phone has provided intimate insights into the couple’s volatile relationship.Read More
Turning to the Dark Side – The Dangers of Using Mobile Devices for Business With the introduction of the iPad in 2010, the tablet quickly emerged as one of the fastest selling devices in history. Tablets have achieved a level of adoption in 3 years that took smartphones nearly 10 years to achieve. In 2013, the adoption of smartphones in the US surged to 64 % according to the latest Nielsen survey.Read More
The Automotive Focus Group (AFG) invited Orion Investigations to address the group on the subject of employee fraud. This turned out to be one of the most interesting lectures held this year.
The presentation was an informative introduction to employee fraud based on the hands-on experience of the three commercial investigation practitioners, Steve Morrissey, Andrew Smith and Peter Holmshaw. It was also interesting that Orion Investigations had gone from five employees 10 years ago, to 92 today.
Introduction Computer forensics or digital forensics as it is now commonly called, is still in its infancy in Thailand but that is about to change. For the past two years I have regularly searched on the keywords “computer forensics Thailand.Read More