Stories from the Front Line of IP Protection in Thailand

Though they may disagree on some of the finer points, most lawyers will agree that Thai law offers strong basic protection for the owners of Intellectual Property (IP). Most law firms offer a standard array of services and advice for clients to take preemptive measures to ‘protect’ their IP from a legal perspective. The most common of these are trademark, patent, and copyright registration. However, as a walk through some well-known local markets will demonstrate, many entrepreneurs show little respect for even the most thorough IP protection and are happy to benefit from the IP of others through blatant infringements, and these are just the most visible infringers. Other infringers are less blatant, and their customers are unaware that what they are buying is an infringement.

So, what happens when a company becomes aware of a third party infringing its IP despite that IP being neatly registered and recorded? The following are some steps that companies should take once they become aware of an infringement.

Determine the nature and extent of the infringement – This can be done by sending investigators into the market to either survey physical or online markets or interview people with inside knowledge of the business.

Determine your company’s tolerance for infringement – A clothing company may decide that a market in a provincial town in the North East selling counterfeit shirts is tolerable, while a stall offering the same products in a major Bangkok mall less than 500 meters from their own distributor will most likely be considered intolerable. Not that they condone the provincial seller but IP Protection budgets are finite and they need to focus on infringements that are hurting their bottom line, brand image or reputation the most. Companies producing products which have customer health and safety implications such as pharmaceuticals, foods and car parts will usually have zero tolerance to infringements. Companies who don’t believe that infringing products will be confused with the genuine and don’t believe they are competing for the same buyers may be more tolerant.

Formulate an Action Plan – Where there’s a gap between your tolerance and the market situation, formulate a plan to reduce the infringements by first gathering evidence on the supply chain of the infringing products from manufacturer to customer. Then, decide what action to take such as a warning or a referral to law enforcement for a raid and seizure action. Are the infringers likely to listen to a warning? Or will they just be alerted to your interest and take precautions to avoid raid action in the future? Is your aim to prosecute the infringers and put them out of action? Or perhaps you could negotiate, claim damages, even bring them into your regular chain of suppliers and customers. They may already be a part of your regular supply chain. If you decide to proceed with a raid action then you will need to appoint a local representative to file complaints with the appropriate authorities. Your representative will then accompany those authorities on the enforcement action to identify products infringing your IP. After a successful enforcement action, follow up is needed to ensure that the infringer is prosecuted under criminal law and in some cases civil litigation may help recover some costs and damages for the IP owner.

Regarding the specific content I have tried to keep things simple and deliberately left out links to detailed legal provisions or extracts of law, preferring instead to go with ‘general principles’ where necessary.

Continue to monitor the market for further infringements – Sometimes the first round of enforcement does not send a strong enough message or the message is forgotten after a short respite so continued vigilance for the reemergence of counterfeit in the market is needed to ensure the hard won territory is not surrendered back to the infringers.

Case Studies – Brand owners are often reluctant to publicize their IP enforcement efforts. Despite these efforts demonstrating a strong desire to be responsible corporate citizens and protect their customers from infringements, many brand owners fear that media exposure of IP enforcement efforts will actually undermine their brand value as customers consider the risk of being sold counterfeit products and switch to other brands which they perceive as lower risk. For this reason, the identities of the innocent have been protected in the following case studies, which provide practical examples of how IP owners have responded to infringements of their IP in Thailand. These are some stories from the front line of IP Protection in Thailand as experienced by our investigators, raid coordinators, lawyers and computer forensics experts at Orion Investigations.

Pharmaceuticals Sold in Clinics and Pharmacies – Through proactive surveys of pharmacies, the manufacturer became aware of significant penetration of counterfeit products into their supply chain including in clinics and pharmacies. An investigator was sent undercover to speak to pharmacy owners, identify their suppliers and then make larger and larger purchases from these suppliers. Surveillance of the buys led us closer and closer to the source of the product, eventually leading us to a doctor’s clinic whose upper floors were being used for the production of counterfeit pharmaceuticals. A complaint was filed with the Royal Thai Police who obtained search warrants and seized huge quantities of ingredients, components and machinery used to manufacture the counterfeit pharmaceuticals. Subsequent surveys showed that the counterfeit product was no longer present in the market. The doctor faced criminal and civil charges with successful outcomes for the manufacturer in both.

Counterfeit Software – A software publisher became aware of an individual (Mr. T) selling counterfeit copies of their software to IT managers at local companies. The copies were a fair imitation of the original, especially to the untrained eye, and Mr. T had come up with an enterprising scheme whereby the IT manager requested budget from his company for genuine software but then purchased the fake software at genuine prices from Mr. T, who kicked back some of the profits to the IT manager. It was such a successful enterprise that Mr. T sold franchises and had a few mini Mr. T operating. We identified one such mini Mr. T, arranged to meet him in a public place for delivery of software and had him arrested on delivery. Charges against mini Mr. T were dropped in exchange for providing sufficient information for the arrest of Mr. T in possession of significant quantities of counterfeit product. Mr. T was arrested 2 more times for the same offence. His mother was present during the third arrest and we believe it was her scolding, and not the rather minimal court fines, that finally persuaded him to leave the business.

Counterfeit Clothing – An international brand found counterfeit items such as lighters, racing jackets and shirts bearing their trademarks being sold around Bangkok’s malls and night markets. Surveys identified the scope of the problem and raids were conducted of the largest outlets. After the raids, warnings were distributed to other stalls still stocking the counterfeits. Another round of raids followed after which surveys showed that the stalls, while still selling counterfeit items, had stopped selling products with the client’s trademarks. While the criminal prosecutions resulted in low fines for the offenders, the threat of disruption to business for the sellers was enough to force them away from the client’s brand. While ideally, one would like to see them diverted away from infringing IP at all, in reality, it is often a diversion away from a client’s brands to another, less-protected brand.

Counterfeit Pharmaceuticals Sold Online – A website selling counterfeit medicine to overseas customers was identified through a customer complaint of counterfeit product received in the USA and sent from Thailand. Investigations located the website operator’s condominium and he was seen making daily trips to the local post office to send his product. Complaints were filed with the police who obtained search warrants for the condominium and arrested the website operator on his way to the post office. Counterfeit items were found in his possession and in his condominium. Of most interest was a laptop computer also found in his condominium which had been used to operate his business. A forensic copy was made of the laptop and analysis of the contents of the hard drive identified associated members of a major crime syndicate in his home country. Authorities in his home country were notified and his associates were also arrested and charged there, as was he when he made his next trip home.

Walking the streets of Bangkok, a casual observer may be forgiven for thinking the war against counterfeiters has been lost long ago. We hope these stories from the front line demonstrate that, while the war has surely not been won, some battles have been won and with the necessary application it is possible to transform Thailand’s theoretically strong IP protection into a practical reality. The key to a successful IP Protection project is an accurate assessment of the current situation, setting of clear objectives, careful planning of which of the available tools are most appropriate to the case at hand and determined implementation of the action plan.

Peter Holmshaw is Managing Director of Orion Investigations Co Ltd – a commercial investigation company and registered law office based in Bangkok offering the following services – intellectual property protection, corporate fraud response, computer forensics, surveillance, due diligence and employment screening. Their website is at www.orioninv.co.th.

What is Computer Forensics?

Computer forensics is the examination of electronic data stored on computers and other digital storage devices for evidence using a forensically sound method.

It is important at this stage to be clear on what we mean by the terms evidence and forensically sound method.

Evidence – is information that supports a conclusion.

Forensically sound method – is a method that does not alter the source evidence, except to the minimum extent necessary to obtain the evidence. The manner used to obtain the evidence must be documented and justified.

Computer forensics can be broken down into five stages.

Preservation – When dealing with digital data the investigator must do everything possible to preserve the data. This must be done in such a way that the actions of the investigator do not cause changes to the data. This typically involves creating a forensic image or a forensic clone of the original media. Digital data may be stored on hard drives, CD/DVD, floppy disks, pen drives, mobile phones, music players and assorted backup tapes.

Identification – Year on year the storage capacity of hard drives is growing. As a result the investigation may consist of hundreds of Gigabytes of digital data. In order to identify potential evidence the investigator will employ techniques such as keyword searches or the filtering of specific files such as documents, images or Internet history files.

Extraction – Once potential evidence has been identified it will need to be extracted from the forensic image. Depending on the size of the data it may be possible to print out hard copies such as documents. However data such as Internet history can amount to hundreds of pages and will need to be produced in an electronic format.

Interpretation – Identifying and extracting potential evidence is only part of the role for a forensic investigator. It is vital that correct interpretation of the evidence takes place. The investigator should never rely on a single automated tool. The investigator needs to have the skills to manually verify and understand the results produced by the forensic software.

Documentation of computer evidence – Once an investigation begins the investigator needs to maintain contemporaneous notes in relation to the handling of the digital media through to the steps undertaken throughout the investigation. The notes should contain sufficient details so a third party can reproduce the results. Producing key evidence will amount to nothing if the investigator cannot produce a clear well written report. It is important to avoid using technical jargon whenever possible and where technical terms need to be used, they should be clearly explained. The investigator may be required to present their evidence in court as an expert witness.

The UK Association of Chief Police Officers (ACPO) has produced a guide called Good Practice Guide for Computer-Based Electronic Evidence. The guide lays down four key principles.

Principle 1: No action taken by law enforcement agencies or their agents should change data held on a computer or storage media which may subsequently be relied upon in court.

Principle 2: In circumstances where a person finds it necessary to access original data held on a computer or on storage media, that person must be competent to do so and be able to give evidence explaining the relevance and the implications of their actions.

Principle 3: An audit trail or other record of all processes applied to computer-based electronic evidence should be created and preserved. An independent third party should be able to examine those processes and achieve the same result.

Principle 4: The person in charge of the investigation (the case officer) has overall responsibility for ensuring that the law and these principles are adhered to.

The four principles represent best practice in relation to computer forensic investigations, whether criminal, civil or corporate. Adhering to the principles helps ensure that no questions are raised in relation to the integrity of the evidence produced from digital data.

Using Digital Evidence in Thai Courts

About the Author

Andrew Smith – Director of Computer Forensic Services, Orion Investigations

Andrew is responsible for the management of the Orion Computer Forensic Unit. His responsibilities include ensuring the unit operates to the highest international standards, business development and the development and delivery of training for clients and staff. Andrew is an experienced forensic investigator with extensive training and comprehensive experience in relation to criminal, corporate, malware and counter-terrorism investigations within the UK and Europe. He has worked in the public sector with the South Yorkshire Police, where he received his initial training in computer forensics, and also in the private sector with a leading UK computer forensics company. He is also an experienced trainer, having developed UK Law Society approved training courses and delivered master’s degree level forensic training. With nearly ten years’ experience in the field of computer forensics, Andrew has regularly appeared in court as an expert witness to present complex computer evidence.

Introduction

Computer forensics or digital forensics as it is now commonly called, is still in its infancy in Thailand but that is about to change. For the past two years I have regularly searched on the keywords “computer forensics Thailand”. There were always only a small number of hits but over the past several months that has begun to change. A search will now reveal companies advertising digital forensic services, training courses and blogs within Thailand dedicated to the world of forensics. If the commercial sector in Thailand wishes to compete within the global market, they will need to have in place the resources to deal with cyber-security incidents whatever form they may take. The judicial system also needs to prepare for this change. The use of digital forensics as a tool in large litigation cases and the regular production of digital evidence in Thai courts will become the norm, not the exception. As stated by Professor Peter Grabosky, Australia,

“Those who fail to anticipate the future are in for a rude shock when it arrives”

Digital Forensics

What exactly do we mean by the term digital forensics?

It is the examination of electronic data stored on computers and other digital storage devices for evidence using a forensically sound method.

A forensically sound method is one that does not alter the source evidence, except to the minimum extent necessary to obtain the evidence. The manner used to obtain the evidence must be documented and justified.

Because it is such a new field, the awareness of forensics is still quite low and there is a shortage of experienced forensic investigators in Thailand. As a result the commercial sector and the judicial system are either not utilizing the full potential of digital forensics or not using forensics at all during the course of their investigations. This is almost certainly resulting in potentially vital evidence being overlooked.

There are a number of misconceptions in relation to digital forensics.

  1. Digital forensics is only relevant to criminal investigations
  2. Digital evidence is very complex

Whether it is a criminal investigation, civil litigation or a private prosecution, if computers, electronic communications or electronic documents have been used by either party then digital forensics is relevant to the investigation. This includes contractual disputes between companies, employee misuse of computer, intellectual property investigations, computer hacking investigations and libel cases.

Lawyers within Thailand currently have a fear of using digital evidence in the Thai courts because they feel the evidence may be too complex and will ultimately be disallowed. This does not have to be the case. In many cases the type of digital evidence that is being produced for court consists of images, emails, electronic documents and Internet history. This type of evidence can be produced in a clear, easy-to-understand format.

This is where the skills of the forensic investigator come into play. An experienced investigator learns early in his career to stay away from using technical terms whenever possible. The investigator will work with the legal team and the client to try and achieve the following:

  • Work with legal team and client to have a clear understanding of the points to prove
  • Produce reports using plain language whenever possible
  • Only include in the reports information that is directly relevant to the case
  • When technical terms are used, provide easy to understand explanations
  • Produce the exhibits in a format that is easy for everyone to access and understand

I have found from experience that by following the above guidelines I have rarely had to attend court to give my evidence in the UK. All parties will often accept my evidence because it has been laid out in such a way that it is easy for everyone to understand.

Digital Evidence

When dealing with digital evidence, there are two key issues that the court has to address, the integrity of the evidence and the authenticity of the evidence. The evidence obtained from computers or computer media is subject to the same rules of evidence as documentary evidence. The onus is on the person producing the evidence to show to the court that the evidence produced is no more and no less now than when it was first taken into possession.

When dealing with the integrity of the evidence the court needs to consider a number of key points:

  • How was the electronic data handled?
  • Who handled the data?
  • Is the person suitably qualified to handle the data?
  • What method was used to preserve the data?
  • What is the likelihood of change having occurred to the data?

Authenticity of the evidence refers to the ability to assess the integrity of the evidence and the courts need to consider the following key points:

  • Has the data been produced in its entirety?
  • Is it possible to demonstrate that no change has occurred to the data?
  • Is there a complete audit trail for the handling of the data through to the production of exhibits?
  • Would an independent third party be able to reproduce the steps taken and achieve the same results?
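
One way to give checkable answers to the questions above (no change to the data, a complete audit trail, reproducibility by a third party), shown as an added example that is not part of the original article. The use of SHA-256, the hash-chained log format, the file name, the examiner names and the timestamps are all assumptions or constructed sample values.

```python
import hashlib
import json
import os
import tempfile

CHUNK = 1024 * 1024        # read in 1 MiB blocks so large images never sit in memory
GENESIS = "0" * 64         # prev_hash value used by the first record in a log


def sha256_file(path):
    """Return the SHA-256 hex digest of a file, read in fixed-size blocks."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            digest.update(block)
    return digest.hexdigest()


def record_hash(record):
    """Hash a record's canonical JSON form, excluding its own record_hash field."""
    body = {k: v for k, v in record.items() if k != "record_hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode("utf-8")).hexdigest()


def append_record(log, when, examiner, action, image_path):
    """Append a handling record chained to the hash of the record before it."""
    record = {
        "seq": len(log),
        "when": when,
        "examiner": examiner,
        "action": action,
        "image_sha256": sha256_file(image_path),
        "prev_hash": log[-1]["record_hash"] if log else GENESIS,
    }
    record["record_hash"] = record_hash(record)
    log.append(record)
    return record


def verify_log(log):
    """Return the index of the first record that breaks the chain, or None."""
    prev = GENESIS
    for i, record in enumerate(log):
        if (record.get("seq") != i or record.get("prev_hash") != prev
                or record.get("record_hash") != record_hash(record)):
            return i
        prev = record["record_hash"]
    return None


def image_unchanged(log, image_path):
    """True if the image still hashes to the value recorded at acquisition."""
    return bool(log) and sha256_file(image_path) == log[0]["image_sha256"]


def demo():
    """Run the workflow on a constructed 'image' and return the check results."""
    results = {}
    with tempfile.TemporaryDirectory() as workdir:
        image = os.path.join(workdir, "exhibit_A1.img")   # constructed sample file
        with open(image, "wb") as fh:
            fh.write(b"CONSTRUCTED SAMPLE IMAGE " * 4096)

        log = []
        append_record(log, "2024-01-10T09:00:00Z", "Examiner 1",
                      "acquired image from source drive", image)
        append_record(log, "2024-01-11T14:30:00Z", "Examiner 2",
                      "keyword search on working copy", image)
        results["log_intact"] = verify_log(log) is None
        results["image_unchanged"] = image_unchanged(log, image)

        # A single changed byte in the image no longer matches the acquisition hash.
        with open(image, "r+b") as fh:
            fh.seek(100)
            fh.write(b"X")
        results["after_image_edit"] = image_unchanged(log, image)

        # Editing an earlier handling record breaks the chain at that record.
        log[0]["examiner"] = "Someone Else"
        results["first_bad_record"] = verify_log(log)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The chain only shows tampering if the latest `record_hash` is also recorded somewhere the log's holder cannot rewrite, such as the examiner's signed contemporaneous notes; otherwise every hash could be recomputed after an edit.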

Digital Forensic Guidelines

Digital forensics is well established in many countries around the world and as a result the use of digital evidence in a wide range of court cases is commonplace. The unique issues surrounding digital evidence are well documented and the integrity and authenticity of the evidence have been thoroughly tested in numerous stated cases around the world. As a result various guidelines have been produced in order to develop best practice when conducting digital forensic examinations and to allow the courts to make an assessment in relation to the integrity of the evidence.

Good Practice Guide for Computer Based Electronic Evidence (UK)

In the UK, a good practice guide has been agreed by the Association of Chief Police Officers (ACPO) called Good Practice Guide for Computer Based Electronic Evidence. Within the guidelines are four principles that are applied to computer based evidence.

Principle 1: No action taken by law enforcement agencies or their agents should change data held on a computer or storage media which may subsequently be relied upon in court.

Principle 2: In circumstances where a person finds it necessary to access original data held on a computer or on storage media, that person must be competent to do so and be able to give evidence explaining the relevance and the implications of their actions.

Principle 3: An audit trail or other record of all processes applied to computer based electronic evidence should be created and preserved. An independent third party should be able to examine those processes and achieve the same result.

Principle 4: The person in charge of the investigation (the case officer) has overall responsibility for ensuring that the law and these principles are adhered to.

The four principles represent best practice in relation to computer forensic investigations, whether criminal, civil or corporate. Adhering to the principles helps ensure that no questions are raised in relation to the integrity of the evidence produced from digital data.

Federal Rules of Evidence (United States)

In the United States the admissibility of digital evidence is covered by the Federal Rules of Evidence.
In the case Lorraine v. Markel American Insurance Company, the judge noted that in order for electronically stored information (ESI) to be properly admitted into evidence, counsel needed guidance to avoid electronic evidence being disallowed.
He summarized that whenever ESI is offered as evidence either the judge or jury can make a preliminary determination regarding the admissibility of evidence. If the jury decides, then the Federal Rules of Evidence still apply, however when the judge makes the decision, they do not apply anymore.

He identified that the following evidential hurdles must be overcome for ESI to be admitted into evidence.

  • The relevance of the evidence.
  • The authenticity of the evidence.
  • The issue of Hearsay.
  • The original writing rule.
  • Balance of probative value with unfair prejudice.

In 2006 the Supreme Court approved amendments to the Federal Rules of Civil Procedure. The new rules directly address the issue surrounding the use and production of electronic evidence in civil cases. The four key areas are:

  • Scope of discovery – The new changes have been interpreted as meaning a thorough search of all active and stored data, as opposed to all available data, which would include the recovery of deleted documents.
  • Early review and production – The new rules now require extremely quick production of electronic evidence. A comprehensive search must be done of the electronic data prior to the first pre-trial conference.
  • Native production – Allows for the parties to discuss the form in which electronic data is produced.
  • Sanctions – The new rules allow for sanctions against the parties in the event the data is not produced in a timely manner or has been deleted.

Council of Europe Convention on Cybercrime (International)

In 2001 the Convention on Cybercrime came into force. The Convention is the first international treaty on crimes committed via the Internet and other computer networks, dealing in particular with infringements of copyright, computer-related fraud, child pornography and violations of network security. It also contains a series of powers and procedures such as the search of computer networks and interception.

Its main objective is to pursue a common criminal policy aimed at the protection of society against cybercrime, especially by adopting appropriate legislation and fostering international co-operation.
As of the 27th February 2012, 47 countries have signed up to the convention of which 32 countries have ratified the convention.

Thai Legislation

Legislation is already in place in Thailand for dealing with computer crime and the production of digital evidence for court.

Electronic Transaction Act B.E 2544 (2001)

The act applies to all civil and commercial transactions performed by using a data message. Data message means information generated, sent, received, stored or processed by electronic means, such as emails, telegram, telex or facsimile.

Section 7 of the act states the following:

“Information shall not be denied legal effect and enforceability solely on the ground that it is in the form of a data message”.

Section 11 of the act states the following:

“The admissibility of a data message as evidence in the legal proceedings shall not be denied solely on the grounds that it is a data message.
In assessing the evidential weight of a data message whether it is reliable or not, regard shall be had to the reliability of the manner in which or the method by which the data message was generated, stored or communicated, the manner or the method by which the completeness and the integrity of the information was obtained, the manner or the method by which the originator was identified or indicated, including all relevant circumstances”.

It can be seen from the above that when assessing the admissibility of the digital evidence it again comes down to the two key issues, the integrity and the authenticity of the evidence.

Copyright Act B.E. 2537 (1994)

The use of electronic evidence for IP investigations is still quite low compared to many other countries. The potential importance of the electronic data may often be overlooked when conducting searches on office or factory premises. The focus will often be on the physical goods found on the premises; however the computers and often the mobile phones may provide additional information such as contacts, electronic transactions and email messages.

The Copyright Act section 67 states the following:

“Section 67 For the benefit of operation under this Act, the officials shall be the officials according to the Penal Code and have the following authorities:
(1) To enter a building, office, factory or warehouse of any person during sunrise and sunset or during the working hours of such place or to enter a vehicle to search or examine the merchandise when there is a reasonable suspicion that an offence under this Act is committed,
(2) To seize or forfeit documents or materials relating to the offence for the benefit of proceeding a litigation when there is a reasonable suspicion that an offence under this Act is committed,
(3) To order any person to testify or submit accounting books, documents or other evidences when there is a reasonable suspicion that the testimony, accounting books, documents or such evidences shall be useful for the finding or the use as evidence for proving the offence under this Act.
Any person concerned shall provide suitable convenience for the operation of the officials”.

We can see from section (3) that the “or other evidences” opens up the opportunity to potentially secure the data from computer systems, digital storage devices and mobile phones.

Computer Crime Act B.E 2550 (2007)

Offences under this act can be grouped into two categories, offences committed against computer systems or computer data and content offences committed via computers.

Examples of offences committed against computer systems or computer data, include:

  • Illegally accessing computer data for which there is a specific access prevention measure not intended for their own use.
  • Illegally damaging, destroying, correcting, changing or amending a third party’s computer data.
  • Sending computer data or electronic mail to another person and covering up the source of such aforementioned data in a manner that disturbs the other person’s normal operation of their computer system.
  • Illegally committing any act that causes the working of a third party’s computer system to be suspended, delayed, hindered or disrupted to the extent that the computer system fails to operate normally.

Examples of content offences committed via computers, include:

  • Any person, who imports to a computer system that is publicly accessible, computer data where a third party’s picture appears either created, edited, added or adapted by electronic means or otherwise in a manner that is likely to impair that third party’s reputation or cause that third party to be isolated, disgusted or embarrassed.
  • Any person who commits an offence through any of the following acts:
      o (1) that involves import to a computer system of forged computer data, either in whole or in part, or false computer data, in a manner that is likely to cause damage to that third party or the public;
      o (2) that involves import to a computer system of false computer data in a manner that is likely to damage the country’s security or cause a public panic;
      o (3) that involves import to a computer system of any computer data related with an offence against the Kingdom’s security under the Criminal Code;
      o (4) that involves import to a computer system of any computer data of a pornographic nature that is publicly accessible;
      o (5) that involves the dissemination or forwarding of computer data already known to be computer data under (1) (2) (3) or (4);

Conclusions

Many people here in Thailand are just waking up to the true potential of using digital forensics as a tool for their investigations. We cannot get away from the fact that the majority of transactions, communications and documentation are now in electronic format. That fact alone means that investigators and the judicial system should be looking at the importance of digital evidence.

There is still a fear of using digital evidence in Thailand, either due to a lack of awareness of what can be achieved through forensics, because there are no formal guidelines in Thailand for the handling of digital evidence or because they feel the evidence will be far too complex for the investigation in question.

Nevertheless the use of digital evidence in Thai courts will continue to increase and the judicial system needs to prepare for the changes. In order to assess the integrity and authenticity of the digital evidence, take note of the guidelines and the fundamental forensic principles that have been developed in other countries. These principles have been well tested in various courts and are accepted throughout the forensic community.
Because the use of digital evidence is still so new, there will be challenges and evidence may be disallowed. This is not a bad thing. It will force people to gain an understanding of the issues surrounding digital evidence, raise standards and help to formalize a set of guidelines for Thailand.

It is vital to find forensic investigators / experts to work with who have a good depth of experience and the ability to explain and present the evidence in a clear easy to understand manner. It doesn’t matter how good the evidence is if the expert cannot present the evidence in a way that will be understood by all concerned.


People who have to deal with digital evidence need to:

  • Undergo training in relation to forensic techniques, digital evidence and the issues surrounding the collection, preservation and production of digital evidence.
  • Identify suitably qualified forensic investigators / experts who they can work with.
  • Look at working together to put in place guidelines for the handling of digital data / evidence.

Taking the above steps will ensure that the judicial system is well placed to handle the issues surrounding digital evidence.

References

Good Practice Guide for Computer Based Electronic Evidence (UK)
http://7safe.com/electronic_evidence/ACPO_guidelines_computer_evidence_v4_web.pdf
Lorraine v. Markel American Insurance Company
http://www.lexisnexis.com/applieddiscovery/LawLibrary/whitePapers/ADI_WP_LorraineVMarkel.pdf
Council of Europe Convention on Cybercrime (International)
http://www.coe.int/t/DGHL/cooperation/economiccrime/cybercrime/default_en.asp
Electronic Transaction Act B.E 2544 (2001)
http://thailaws.com/law/t_laws/tlaw0073.pdf
Copyright Act B.E. 2537 (1994)
http://www.stop.in.th/webdatas/download/copyright_act_2537.pdf
Computer Crime Act B.E 2550 (2007)
http://www.thailawforum.com/database1/thailand-computer-crime-law.html

Making Sense of Electronic Evidence (Avoiding the common mistakes)

Even after 20 years I can still vividly remember what it was like as a new police officer having to stand up in court and give evidence as a witness for the first time. It was one of the most nerve-wracking experiences I had ever been through. Having gone through that experience and learnt from my mistakes helped prepare me for my role as a digital forensic investigator. I soon learnt to document everything and not to overlook even the tiniest details.

I have been based in Bangkok now for the past 7 years, and the push for a digital economy, Thailand 4.0, has meant that the issue of cyber-security has been pushed to the forefront. Each year we continue to see a growth in demand for forensic awareness training and for forensic examinations. However, there is still a general lack of understanding about digital forensics and we continue to see companies making the same mistakes over and over again.

Electronic data is fragile. If there is any chance it may be used as evidence in legal proceedings, it must be handled in a certain way so that it is possible to demonstrate to the court that the integrity and authenticity of the evidence have been maintained. If mishandled, the evidence may be called into question when presented at court.

The majority of our investigations involve the theft of company data by rogue employees. Management will naturally turn to their IT staff to begin an investigation and collect potential evidence. However, consider the following points:

  • Usually the IT staff have not been trained in how to conduct a methodical investigation
  • They are often unaware of the need to maintain a complete chain of custody from the collection of data stage through to producing a report
  • They are unaware of all the potential sources of evidence
  • They lack the specialist tools required to conduct a forensic investigation
  • They lack experience in correctly interpreting the findings of the investigation
  • They lack experience in preparing evidence and professional reports for court
  • They are inexperienced at presenting digital evidence at court as an expert witness

Companies often assume that as long as the person conducting the investigation holds some type of IT qualification then this will be sufficient. Digital forensics is a highly specialized field and, as demonstrated by the points above, requires a forensic investigator with the qualifications and experience to conduct the forensic investigation.

Another important issue to consider is the experience of your legal team. Do they have experience of dealing with cyber-crime cases and do they have the technical understanding of digital evidence? Due to the potential complexity of cyber-crime cases the legal team will often have to work closely with the forensic investigator to ensure the best possible outcome in any legal proceedings.

Without doubt the number of legal cases using electronic evidence will continue to grow. Also, as the number of forensic specialists in Thailand increases, we can expect to see electronic evidence that has not been handled correctly being more robustly challenged in the courts. If you are involved in legal proceedings where the other side is presenting digital evidence, you should consider hiring your own forensic expert to examine the validity of their evidence. In order to give yourself the best chance of success in any legal proceedings, make sure you use suitably trained forensic investigators and lawyers with the experience of dealing with electronic evidence.

My colleague Andrew was keen to get my perspective as a lawyer. Here it is.

When I was a young criminal defence lawyer, a senior colleague advised me that the only way to succeed, whether you are prosecuting or defending, is to put all your energy into preparing your case for trial and, most importantly, to “know and understand the subject matter”. Back then it was reasonably straightforward to understand the subject matter of the criminal charges before you. Today it’s a very different story indeed.

Technology has developed at an exponential rate in the last decade or so and has given rise to a far more sophisticated medium for the dishonest perpetrator to cause damage to the unsuspecting victim, be that an employer, a business, a bank, the Authorities or even another individual.

The motive of the crime can be to damage the reputation of the victim, unlawfully obtain the victim’s confidential information or fraudulently acquire cash or other assets belonging to the victim.

As a lawyer prosecuting or defending such a case, the task of knowing and understanding the subject matter of your cybercrime case is an extremely difficult one. After all, you are a lawyer and not a trained scientist. This is where you need to work alongside an expert with digital forensics training and experience.

As Andrew mentions above, lawyers and other prosecuting Authorities will often rely on persons who have some level of IT training to try and make sense of the data. This is where mistakes can occur.

As lawyers we have a duty to our clients to get it right from the outset. There is no point in taking a case to trial with little prospect of success because you cannot properly explain highly technical evidence to a judge in such a way as to convince him of the perpetrator’s guilt, beyond reasonable doubt. Equally, the accused has a right to a fair trial and that means we have to be able to challenge technical evidence which clearly does not support the charges faced by the accused.

Our specialist cybercrime lawyers have handled many cases involving ‘cybercrime evidence’. The major advantage our team of lawyers have over many other advocates is instant access to our in-house computer forensics team. They are on hand to help us understand the subject matter of these cases, deliver expert reports, assist with our examination in chief, cross examination and give testimony to assist the court to make sense of complicated evidence. All of this is key to a successful prosecution or defence.

About the Authors:

Mr. Andrew Smith (Andy) – Director of Computer Forensics Services at Orion Investigations Co., Ltd.

Andrew has 17 years’ experience in the field of digital forensics. Andrew was a UK police officer for 9 years, of which the last 4 years were spent working within the police computer crime unit where he received extensive forensic training. His role included the acquisition of electronic data, analysis and the presentation of evidence in the UK courts as an expert witness.

Andrew has now been based in Bangkok for over 7 years and is the Director of Computer Forensics Services for a commercial investigation company called Orion Investigations. His role is to oversee all forensic investigations, business development, promote awareness of cyber security and present evidence as an expert witness in Thai courts. He has regularly appeared as a guest speaker for various business chambers and organizations. Andrew has developed a range of forensic training courses for the local Thai market. Andrew has also developed a number of free forensic tools which are now used in forensics labs all around the world.

Ghaff Khan (Ghaff) – Director of Legal Services at Orion Investigations Co., Ltd.

Ghaff practiced as a UK lawyer for 27 years. He set up and managed his own successful UK legal firm and held a number of departmental head positions in various legal disciplines. He appeared in many tribunals in the UK as an advocate and had Higher Rights of Audience in criminal law, before moving to Thailand in August 2015. Ghaff manages the lawyers in the Law office, reports to clients with regular updates and is responsible for ongoing development and training of the legal team.

Email ghaff@orioninv.co.th
