Introduction
USB Forensic Tracker (USBFT) is a comprehensive forensic tool that extracts USB device connection artefacts from a range of locations within the live system, from mounted forensic images, from volume shadow copies, from extracted Windows system files and from both extracted Mac OSX and Linux system files. The extracted information from each location is displayed within its own table view. The information can be exported to an Excel file.

USBFT now has the ability to mount forensic images and volume shadow copies.

USBFT extracts information from the following locations:

Windows

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR
  • HKEY_LOCAL_MACHINE\SYSTEM\MountedDevices
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceClasses
  • HKEY_USERS\SID\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Portable Devices
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Search\VolumeInfoCache
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\SWD\WPDBUSENUM
  • C:\Windows\System32\winevt\Logs\Microsoft-Windows-DriverFrameworks-UserMode%4Operational.evtx (Windows 7)
  • C:\Windows\System32\winevt\Logs\Microsoft-Windows-Storage-ClassPnP%4Operational.evtx (Windows 10)
  • C:\Windows\System32\winevt\Logs\Microsoft-Windows-WPD-MTPClassDriver%4Operational.evtx
  • C:\Windows\INF\setupapi.dev.log
  • C:\Windows\INF\setupapi.dev.yyyymmdd_hhmmss.log
  • C:\Windows\INF\setupapi.upgrade.log
  • C:\Windows\setupapi.log
  • “Windows.old” folder
  • Volume Shadow Copies

Mac OSX (tested on OSX 10.6.8 and 10.10.3)

  • /private/var/log/kernel.log
  • /private/var/log/kernel.log.incrementalnumber.bz2
  • /private/var/log/system.log
  • /private/var/log/system.log.incrementalnumber.gz

Linux (tested on Ubuntu 17.04)

  • /var/log/syslog

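As an added example (not part of USBFT and not the author's code), the Python below parses the setupapi.dev.log sections that a tool like USBFT reads to fill its "Device Install Date" and "Device Delete Date" columns: the earliest Device Install section for a USBSTOR device gives the install (typically first-connection) date, a later Delete Device section gives the date the Plug and Play Cleanup service removed it, and instances that share one serial (a multi-card reader) are folded into one device. The log lines are constructed, and the Delete Device section layout is assumed to mirror the install sections.

```python
import re
from dataclasses import dataclass, field
from datetime import datetime
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample of setupapi.dev.log fragments (invented device IDs and
# timestamps, not taken from a real system). The ">>>  [Section]" header and
# ">>>  Section start" line layout follows the real log's convention.
SAMPLE_LOG = r"""
>>>  [Device Install (Hardware initiated) - USBSTOR\Disk&Ven_SanDisk&Prod_Cruzer_Blade&Rev_1.26\4C530001230313105345&0]
>>>  Section start 2017/10/02 09:14:33.210
     cmd: C:\Windows\System32\svchost.exe -k DcomLaunch
     dvi: {Build Driver List} 09:14:33.302
<<<  Section end 2017/10/02 09:14:35.801
<<<  [Exit status: SUCCESS]
>>>  [Device Install (Hardware initiated) - USBSTOR\Disk&Ven_Generic&Prod_Multi-Card&Rev_1.00\20060413092100000&0]
>>>  Section start 2017/10/03 18:02:10.004
<<<  Section end 2017/10/03 18:02:12.117
<<<  [Exit status: SUCCESS]
>>>  [Device Install (Hardware initiated) - USBSTOR\Disk&Ven_Generic&Prod_Multi-Card&Rev_1.00\20060413092100000&1]
>>>  Section start 2017/10/03 18:02:12.220
<<<  Section end 2017/10/03 18:02:13.900
<<<  [Exit status: SUCCESS]
>>>  [Delete Device - USBSTOR\DISK&VEN_SANDISK&PROD_CRUZER_BLADE&REV_1.26\4C530001230313105345&0]
>>>  Section start 2017/11/02 03:00:07.115
<<<  Section end 2017/11/02 03:00:07.300
<<<  [Exit status: SUCCESS]
"""

# Section header naming a USBSTOR device (install or PnP-cleanup delete).
SECTION_RE = re.compile(
    r"^>>>\s+\[(?P<kind>Device Install|Delete Device)[^\]]*?-\s+(?P<devid>USBSTOR\\[^\]]+)\]",
    re.IGNORECASE,
)
# Timestamp line that follows every section header.
START_RE = re.compile(r"^>>>\s+Section start (\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})")
# Vendor and product embedded in the hardware-ID part of the device ID.
HWID_RE = re.compile(r"Ven_(?P<ven>[^&]*)&Prod_(?P<prod>[^&]*)", re.IGNORECASE)


@dataclass
class UsbDevice:
    serial: str
    vendor: str
    product: str
    instances: Set[str] = field(default_factory=set)  # SERIAL&0, SERIAL&1, ...
    install_date: Optional[datetime] = None  # earliest driver install seen
    delete_date: Optional[datetime] = None   # latest PnP cleanup removal seen


def split_device_id(devid: str) -> Tuple[str, str, str, str]:
    """Break 'USBSTOR\\Disk&Ven_X&Prod_Y&Rev_Z\\SERIAL&0' into
    (serial, vendor, product, instance). The trailing &0/&1 is the per-LUN
    suffix: a multi-card reader logs one instance per slot under one serial."""
    parts = devid.split("\\")
    if len(parts) < 3:
        raise ValueError(f"unexpected USBSTOR device ID: {devid!r}")
    hwid, instance = parts[1], parts[2].upper()
    m = HWID_RE.search(hwid)
    vendor = m.group("ven") if m else ""
    product = m.group("prod") if m else ""
    serial = instance.rsplit("&", 1)[0]
    return serial, vendor, product, instance


def parse_setupapi_log(text: str) -> Dict[str, UsbDevice]:
    """Return USBSTOR devices keyed by serial, with install and delete dates."""
    devices: Dict[str, UsbDevice] = {}
    pending = None  # (kind, devid) of a header still waiting for its Section start line
    for line in text.splitlines():
        hdr = SECTION_RE.match(line)
        if hdr:
            pending = (hdr.group("kind").lower(), hdr.group("devid"))
            continue
        start = START_RE.match(line)
        if not (start and pending):
            continue
        kind, devid = pending
        pending = None
        ts = datetime.strptime(start.group(1), "%Y/%m/%d %H:%M:%S")
        serial, vendor, product, instance = split_device_id(devid)
        dev = devices.setdefault(serial, UsbDevice(serial, vendor, product))
        dev.instances.add(instance)
        if kind == "device install":
            if dev.install_date is None or ts < dev.install_date:
                dev.install_date = ts
        elif dev.delete_date is None or ts > dev.delete_date:
            dev.delete_date = ts
    return devices


def device_timeline(devices: Dict[str, UsbDevice]) -> List[Tuple[datetime, str, str, str]]:
    """Flatten install/delete dates into (timestamp, event, serial, label)
    tuples, oldest first, so the gap between them reads as the device's lifetime."""
    events = []
    for d in devices.values():
        label = f"{d.vendor} {d.product}".strip()
        if d.install_date:
            events.append((d.install_date, "install", d.serial, label))
        if d.delete_date:
            events.append((d.delete_date, "delete", d.serial, label))
    return sorted(events)


if __name__ == "__main__":
    for ts, event, serial, label in device_timeline(parse_setupapi_log(SAMPLE_LOG)):
        print(f"{ts:%Y-%m-%d %H:%M:%S}  {event:<8}{serial:<24}{label}")
```

Point the parser at a real setupapi.dev.log (or the timestamped setupapi.dev.yyyymmdd_hhmmss.log rotations) from a mounted image and the output is the same install/delete pairing the tool tabulates.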
Requirements
USBFT requires Net Framework 4.5 to be installed on the system.

A 32-bit and a 64-bit version of USB Forensic Tracker are included in the download. If you run the 32-bit version on a 64-bit machine, USBFT will not display the results for the Event Log artefacts or for HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Portable Devices.
From the “Help” menu the user can check for updates.


License
This utility is released as freeware. You are allowed to freely distribute this program via any method, as long as you don’t charge anything for this. If you distribute this utility, you must include all files in the distribution package, without any modification!

Icons by Everaldo Coelho from the Crystal project are used; these are released under the LGPL license.

Image Mounter – a special thanks to Mark Spencer, president of Arsenal Recon, who has very kindly granted me permission to incorporate Arsenal Image Mounter (AIM) within USBFT. https://arsenalrecon.com/weapons/image-mounter/

Disclaimer
The software is provided “AS IS” without any warranty, either expressed or implied, including, but not limited to, the implied warranties of merchantability and fitness for a particular purpose. The author will not be liable for any special, incidental, consequential or indirect damages due to loss of data or any other reason.

Version 1.0.8 October 2017
1) USBFT now extracts USB artefacts from C:\Windows\INF\setupapi.dev.yyyymmdd_hhmmss.log
2) USBFT now extracts USB artefacts from C:\Windows\INF\setupapi.upgrade.log
3) Added a RecordID column to the Win10 Event Log tab
4) Added a RecordID column to the Win7 Event Log tab
5) Added the ability to mount forensic images
6) Added the ability to extract volume shadow copy information
7) Added the ability to extract USB artefacts from mounted volume shadow copies
8) Added the option to enable debugging
9) Added a view debug log button
10) Added a delete debug log button
11) Made improvements to the code to make it more reliable and to support debugging
12) Updated Help file

Version 1.0.7 August 2017
1) USBFT now supports the extraction of USB artefacts from Linux (Ubuntu) syslog files
2) Added styling and formatting to the Excel report

Version 1.0.6 August 2017
1) USBFT now extracts data from the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\SWD\WPDBUSENUM
2) Setupapi Log – changed the name of the “Connection Date” column to “Device Install Date”
3) Added a new column called “Device Delete Date”. USBFT extracts the time and date when the device drivers are installed for a USB device (typically the first time it is connected).
4) USBFT now displays the time and date when the Windows Plug and Play Cleanup service deletes the drivers for a USB device and deletes the entries for the device from the registry. The time and date is displayed in the “Device Delete Date” column.

Version 1.0.5 July 2017
1) Changed the project over from Windows Forms to WPF MVVM to make it easier to maintain and update in the future.
2) Made major changes to the code throughout the project to accommodate the new format.
3) Added the ability to process a custom folder that contains the extracted Windows registry files, Windows logs and NTUser.dat files
4) Added the ability to extract USB artefacts from the “Windows.old” folder.
5) Added the ability to extract USB artefacts from HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Search\VolumeInfoCache
6) Added the ability for a user to extract the serial number of a USB device connected to the system.
7) Made changes to the title of the Win7 and Win10 Event Log tabs.
8) Added an EventID column to the Windows 7 Event Log data grid and the Win10 Event Log data grid.
9) Removed the checkbox column from the data grids.
10) Removed the filter button from the menu (used to filter checked files).
11) Removed the Reload button (now redundant).
12) Under Options => Export Options, added the ability for the user to select which data grids will be exported to the Excel spreadsheet.
13) Combined all the DLLs with the exe to make a single exe file for ease of deployment.

Version 1.0.3 November 2015
1) Added additional support for Mac OSX files. USBFT will now also process kernel.log and kernel.log.incrementalnumber.bz2 files
2) Modified code for USBSTOR section. For devices such as multi card readers that show as multiple drives with different drive letters but the same serial number, USBFT will now correctly display all of the drive letters.
3) Renamed the “Last Connection Date” column in the Device Classes section to “Connection Date”

Version 1.0.2 November 2015
1) Added the ability to extract USB artefacts from mounted forensic images.
2) Added the ability to extract USB artefacts from Mac OSX system files.
3) Made changes to code relating to obtaining the last modified date of registry keys.
4) Other minor changes made to some of the code to make more robust.

Feedback
If you have any feedback please email us at forensictools@orionforensics.com



So You Want to Become a Digital Forensics Investigator!

I have been a full time digital forensic investigator now for almost 15 years. I still remember the excitement on my first day when I started within the South Yorkshire Police Computer Crime unit. The learning curve was steep. I had no university degree in computers, limited computer training and most of what I knew about computers was self-taught including how to build computer systems.

So why was I offered a position within the computer forensic unit? I was an experienced investigator and I had demonstrated self-motivation and the ability to learn by teaching myself to build computer systems, 3 of the key skills required to become a good forensic investigator.

I have been very lucky in my career. From day one I had the privilege to work with some very skilled, experienced forensic investigators who were willing to share their knowledge and in return expected high standards. Over the past 15 years, I have seen many changes within the digital forensics field, including changes in the volume of data that needs to be examined, the range of devices that may hold vital evidence and an increase in the cyber criminals’ skills.

Digital forensics has been well established in the UK now for many years. The Association of Chief Police Officers (ACPO) in the UK first introduced the “Good Practice Guide for Digital Evidence” back in 1999. The first Master’s degree in digital forensics was introduced around 2002. Electronic evidence is routinely used in the UK courts and is generally well understood.

I have now been in Thailand for more than 5 years. As the Director of Computer Forensic Services for Orion Investigations, my role is not just business development but to help raise awareness of cyber security in general and in particular the benefits of digital forensics as part of an investigation. Digital forensics is still very new in Thailand and when I first arrived many companies and even law firms were unaware of what digital forensics actually is and how it can benefit them.

Things have really changed over the last few years. With the push for a digital economy, the awareness of cyber security and cyber security threats has really begun to grow. Local universities are including digital forensic modules within their courses and Thailand is preparing its own national guidelines for digital evidence.

At Orion, we have seen a steady increase in the volume of forensic investigations we undertake and a big increase in the number of people attending our forensic training courses. When I present on the topic of digital forensics, one of the questions I am now often asked is:

“What do you look for when recruiting a forensic investigator?”

Below are the qualities and skills I look for when recruiting a digital forensic investigator:

Skills of Digital Forensics Investigators

  • Self-Motivation / Desire to Learn – Computer forensics is not a 9 to 5 job. There is so much to learn that it is not possible to do it all within work hours. In order to keep up with the changes in technology and techniques, a good forensic investigator will need to use some of their own personal time to conduct research.
  • Investigator’s Mindset – This is one of the hardest skills to teach a new investigator. I look for someone who is not afraid to ask questions and is determined to find answers to those questions. When you start an investigation you never know where it will lead. The investigator needs to be able to work as part of a team but also independently. The investigator needs to be able to decide what is relevant to the investigation, what lines of enquiries to follow and when to stop.
  • Communication Skills – The importance of good communication skills should not be underestimated. The investigator needs to have the skills to take potentially complex evidence and present it in a clear, easy to understand way for non-technical people. Good reporting skills are vital. The role of the forensic investigator often involves giving evidence in court as an expert witness. As a result, the investigator needs to be well prepared and to be able to answer questions in a clear, concise manner while under pressure.
  • Technical Skills – Digital forensics is a technical field and as a result the investigator should have a solid technical background. When looking for a forensic investigator to join the team I look for an investigator who has a broad range of general technical skills. An ideal investigator will also have additional skills in a specialized area. For example, an investigator may have a particular interest in the forensic examination of Apple devices or Microsoft devices, network forensics or malware analysis.


Digital forensics is an exciting field to be involved in and a good forensic investigator will never stop learning. There is currently a shortage of cyber security specialists in Thailand. Without doubt the demand for such specialists will continue to grow over the coming years both within the government and private sector. As a result, people who are currently obtaining the required skills and qualifications will be well placed for an exciting and rewarding career in cyber security.

About the Author
Andrew Smith – Director of Computer Forensic Services, Orion Investigations

Andrew is responsible for the management of the Orion Computer Forensic Unit. His responsibilities include ensuring the unit operates to the highest international standards, business development and the development and delivery of training for clients and staff. Andrew is an experienced forensic investigator with extensive training and comprehensive experience in relation to criminal, corporate, malware and counter terrorism investigations within the UK, Europe and, more recently, Asia. He has worked in the public sector with the South Yorkshire Police, where he received his initial training in computer forensics, and also in the private sector with a leading UK computer forensics company. He is also an experienced trainer, having developed UK Law Society approved training courses and delivered master’s degree level forensic training. With over 15 years’ experience in the field of computer forensics, Andrew has regularly appeared in UK and Thai courts as an expert witness to present complex computer evidence.


Visit our website: www.orionforensics.com


Organisations today allow employees to bring their own mobile phones and tablets to communicate or to work within the organisation or between organisations, a practice known as BYOD (Bring Your Own Device), because it is quick and convenient for contacting customers, easy to carry and suits the lifestyle of the new generation. The Eweek website reports that senior IT staff in organisations generally state that each year their organisation spends 42% of its costs on securing mobile phones, or more than 250,000 US dollars.

Most organisations, or 95%, face security challenges and the challenge of supporting personal devices or phones brought into the organisation (BYOD), which means a need for stronger security solutions for personal devices that connect to the organisation’s network.

A survey of more than 700 IT professionals who are software security specialists, conducted this year, found that 82% expect the budget that must be spent on security within the organisation to grow in 2015.

The IT professionals stated that the most common challenge, at 72%, is that organisations must unavoidably confront security policy for personal devices (BYOD), namely securing corporate information. This was followed, at 67%, by managing personal devices on which corporate data, personal data and applications are mixed together, while 59% cited tracking and controlling access to corporate data and private networks.

BYOD is growing rapidly and beyond control. A Global Marketing executive told the Eweek website: “Organisations today must have a clear policy on bringing personal devices into the organisation, evaluating the best solution for combining personal devices with the organisation’s infrastructure.”

The operating system most at risk right now is Android: in 2013 it had the highest risk at 49%, and in 2014 the figure rose to 64%. As is well known, Android is the operating system with the highest security risk and is among the most popular when compared with other systems such as iOS and Windows Phone.

In addition, almost all respondents, 98%, expressed concern about the impact of mobile security incidents, and were most concerned because these are devices with a high potential for loss and for theft of corporate data.

Even more worrying, the survey found that 87% of employees in most organisations pay no attention to the risk impact of mobile devices brought into the organisation, and two in three responses said that employees do not care about important corporate data, such as the leak of customer records from a mobile phone.

It was also found that 91% of organisations have careless employees, which is the weakest point in the business. The IT professionals found that over the past two years the number of mobile phones has increased every year and that these devices connect to the most corporate data.

In 2014, 56% of the survey found that most employees store customer data and business data on their mobile phones. The IT professionals were also asked whether mobile devices such as smartphones or tablets were permitted to connect to the corporate network.

The survey further reported that BYOD is widespread today: 95% of employees connect mobile devices to the corporate network, including 74% who are permitted to connect both personal and corporate devices to the corporate network, 20% who permit only company devices to connect, and only 1% who work with personal devices alone.

The IT professionals revealed that they expect the survey figures to fall as the risk arising within the organisation from the use of personal devices is addressed. They also said that 87% stated that employers believe employees inside the organisation are a greater threat than hackers, which was the most surprising result. At present there is no definite solution that removes these problems, but what organisations can do now is make employees comfortable bringing personal devices into the organisation or connecting them to the corporate network, without feeling pressured or feeling that the organisation is trying to catch them out or cause data to leak.

However, work today must keep pace with technology, and knowledgeable, capable employees need to keep up with technology devices so that work runs more smoothly and conveniently.

Source: http://www.eweek.com


Corporate fraud can be difficult to prevent and to detect. What is important to remember is that corporate fraud is not a random occurrence. Fraud will occur when the conditions are right. Most employees do not set out to defraud their employer but the fact is the majority of people have the potential to become a fraudster under the right conditions. The three conditions are motive, opportunity and rationalisation.

While having appropriate checks and balances in place can greatly reduce the chance of becoming a victim of fraud there’s no guarantee you won’t be. Frauds can go undetected for many months, especially when committed by a previously trusted employee.

Not only is it important to have checks and balances in place but also procedures for dealing with the investigation once the fraud has been detected. Evidence of the fraud may be located on the employee’s computer, laptop or mobile device. If these devices are not handled correctly then vital evidence may be lost, altered or disallowed at court.

This is where digital forensics can help. Using forensic techniques allows the investigator to handle electronic data in a way that will not alter the original data and as a result can be used for legal proceedings. In addition digital forensics provides access to data that may not be available by any other means. This includes information contained within operating system files and deleted data.

At Orion Forensics we have a fully equipped digital forensics lab and a team of forensic investigators who are experienced at dealing with corporate fraud investigations. We can assist in the following ways:

• Preservation of electronic data either on client site or in our forensic lab
• Forensic previews to identify if the electronic device contains any evidence
• Full forensic examinations, production of exhibits and reports as required for legal proceedings
• Forensic awareness and incident response training for your IT staff

If you would like to know more about digital forensics or how we can assist your company with an investigation then please contact us to discuss your requirements.

Read more: http://www.orionforensics.com/w_en_page/corporate-fraud-investigation-service.php



A one-day training course for legal professionals who deal with digital evidence

This course focuses on each type of digital evidence that is frequently encountered and used in legal proceedings, as well as the other evidence that surrounds digital evidence.

Objective

The training focuses on the basic principles of computer forensics, the techniques and the terminology that professionals should know.

Purpose

The purpose of this course is for legal staff to understand each level of computer forensics so that they can understand the meaning of a forensic report and assess the accuracy and completeness of digital evidence. Orion provides attendees with a handbook together with a certificate stating the number of training hours completed.

Course level:

The course is aimed at legal professionals who must deal with digital evidence. No prior experience or computer knowledge is required, and the content is non-technical.

Course content

1 – Introduction to Digital Forensics

  • Define Digital Forensics
  • Legal Considerations
  • Integrity of Digital Evidence

2 – Investigation Fundamentals

  • Best Practice Guidelines
  • The Four Principles of Computer Based Evidence
  • Identifying Electronic Sources of Evidence
  • The Four Levels of Computer Data
  • Types of Data

3 – Forensic Techniques / Terms Explained

  • Forensic Image
  • Forensic Clone
  • Hash Values (digital fingerprint)
  • Forensic Acquisition Reports

4 – What Happens to Deleted Data?

  • Live Data
  • Deleted Data

5 – Types of Digital Evidence

  • Types of Digital Evidence

6 – Understanding Digital Evidence

  • Time and Date Stamps (what you need to know)
  • File Metadata (the hidden information)
  • Internet History

For further information, e-mail: kunrisa@orioninv.co.th



With the introduction of the iPad in 2010, the tablet quickly emerged as one of the fastest selling devices in history. Tablets have achieved a level of adoption in 3 years that took smartphones nearly 10 years to achieve. In 2013, the adoption of smartphones in the US surged to 64 % according to the latest Nielsen survey.

Businesses have been quick to adopt mobile technology, seeing the immediate benefits it has to offer. Employees are no longer tied to an office. They can maintain access to clients, emails, documents and the news while on the move. Customers have new ways to interact with a company and they are storing more data online. In terms of online retail time, mobile devices have now surpassed PCs. In June 2013 in the US, 55% of all online retail time was conducted on mobile devices.

Are businesses making full use of the mobile phenomenon? No, not by a long way. The problem is that despite rapid growth, in many ways the mobile device market is still in its infancy. The majority of devices and applications, or ‘apps’ as they are now known, are geared towards consumers, not the business market. As the market matures the demand for business orientated apps will grow. Businesses will expect to be able to input data directly into their databases, generate and issue invoices, and fully integrate their mobile devices into all aspects of the company network.

However, despite all the benefits those mobile devices have to offer there is a dark side. Businesses have been quick to make use of mobile technology with very little thought to the security implications.

Many businesses are providing their employees with mobile devices or allowing employees to connect BYODs (Bring Your Own Device) to the network. The trend for mobile devices is for data to be backed up to one or more online storage locations. As a result, with BYODs the line between the storage of personal data and business data is now blurring. The business has no control over where the data is stored online or any idea of how secure the online storage actually is. Allowing mobile devices to be connected to a network without the proper security systems in place means businesses have lost control of one of their most valuable assets, their confidential data. They no longer have control over who has access to that data.

Symantec recently released the 2013 Norton Report. Below are just some of the worrying statistics that they have identified:

• 57 % of Smartphone/tablet users are not aware that security solutions for mobile devices exist.
• Nearly 50 % of users do not use basic precautions such as passwords, security software or back up their files from the mobile device.
• 38 % of users experienced mobile cybercrime last year.
• 27 % of adults have lost their mobile device or had it stolen in the last 12 months.
• 49 % of users use their personal device for work and play.
• 20 % of users share work related information with friends and family.
Even when steps have been taken to secure the mobile device, this is no guarantee that the data will remain secure. Many users have fallen victim to unscrupulous mobile phone repair shops that have made copies of private data which has then been posted to the Internet, as seen in a recent BBC article. To avoid this type of problem it is vital that all data is removed from the device before handing it in for repairs.

Another, often ignored, aspect of mobile devices is the issue of malicious software (malware). Malware authors are now targeting mobile devices by creating malicious apps designed to steal data from the device. According to Trend Micro there are now over one million Android-based questionable and malicious applications in the wild. If you think you are immune by using an iOS device, think again: malware authors are also beginning to target iOS devices. Many of the malicious apps are known as premium service abusers, which send unauthorized text messages to certain numbers and register users for costly services. Malware authors are also now targeting mobile users’ banking transactions by creating apps that are capable of intercepting the One Time Password (OTP) SMS message. Allowing unsecured devices to be connected to the company network increases the risk of the organization being a victim of employee fraud.

Below are just some of the highlights from the Symantec report "What's Yours Is Mine: How Employees are Putting Your Intellectual Property at Risk":

• 50% of employees who left or lost their jobs in the last year kept confidential corporate data, and 40% of them admitted to planning to use that content in their new jobs.
• 56% of employees do not believe it is a crime to use a competitor's trade secret information.
• 62% of employees thought it was acceptable to transfer work documents to personal computers, tablets, smartphones or online file sharing applications.

Let's take a moment to look at the conditions that are typically present before an employee commits a fraud.

What is important to remember is that fraud is not a random occurrence. Fraud occurs when the conditions are right. Most employees do not set out to defraud their employer, but the majority of people have the potential to become a fraudster under the right conditions. The three conditions are motive, opportunity and rationalisation. This is often referred to as the Fraud Triangle. In order to prevent fraud you need to remove at least one of the three conditions.

[Figure: the Fraud Triangle, showing Fraud Risk with Motive, Opportunity and Rationalisation as its three sides]

Motive – is a need or pressure felt by the person committing the fraud. Maybe they are under financial pressure from medical bills, the need to support a family or gambling debts. It could be pressure from work to meet targets or to get that promotion or bonus. It could also be a strong desire to own the latest material goods, such as cars and houses, that are beyond their normal means.

Opportunity – the opportunity arises when a person has access to information and assets and there are no suitable processes, checks or balances in place to monitor what is taking place. Employees often have access to information beyond what they need to perform their role, which is exactly the situation the principle of least privilege is meant to prevent. Opportunity is the one condition that employers have the greatest control over. Without the proper safeguards in place it is only a matter of time before fraud occurs.

Rationalisation – is the one thing we are all good at and do on a daily basis without even realising it. When we are driving and exceed the speed limit we rationalise that it is OK because we are only just over the limit, the roads are empty or we need to arrive on time. In the workplace, employees rationalise that it is OK to steal from the company because nobody is getting hurt, the company doesn't appreciate the good work they have done, the company is unfair to its employees, or the company will never miss the money or assets. This is the hardest condition for an employer to deal with.

When an employee chooses to leave a company or their employment is terminated, the company is faced with the problem of how to ensure all of the company's data has been removed from BYOD hardware and from online storage locations. We can see from the above information that, without the proper safeguards in place, an employee who has the motive also has the perfect opportunity to misuse the data.

Although there is significant risk with BYOD, and a balance must be struck between risk and privacy, all is not lost. Many companies that have successfully and securely integrated BYOD hardware into their networks have done so by working closely with their employees to understand how they use their devices and to allay their fears about breach of privacy. As a result they have introduced policies that comply with privacy laws while keeping company data secure. Mobile device management (MDM) vendors now provide solutions for dealing with BYOD. Many of these products offer what is referred to as a 'sandbox' approach, in which the company controls the corporate data but is unable to see or access any of the employee's personal data. Selective wiping has now become the norm: when a mobile device is lost, only the company data, settings and apps are wiped, leaving the employee's personal data intact.

As the functionality and performance of mobile devices increase, incorporating them into the company's network will bring enormous benefits to both the employee and the company. With careful planning, well thought out policies and the right security software, the risks that come with mobile devices can be drastically reduced for relatively little cost.

About the Author

Andrew Smith – Director of Computer Forensic Services, Orion Investigations. Andrew is responsible for the management of the Orion Computer Forensic Unit. His responsibilities include ensuring the unit operates to the highest international standards, business development, and the development and delivery of training for clients and staff. Andrew is an experienced forensic investigator with extensive training and comprehensive experience in criminal, corporate, malware and counter-terrorism investigations within the UK and Europe. He has worked in the public sector with South Yorkshire Police, where he received his initial training in computer forensics, and in the private sector with a leading UK computer forensics company. He is also an experienced trainer, having developed UK Law Society approved training courses and delivered master's degree level forensic training. With over 11 years' experience in the field of computer forensics, Andrew has regularly appeared in court as an expert witness to present complex computer evidence.

Contact us: 02-714-3801-3

E-Mail: andrew@orioninv.co.th

www.orionforensics.com