Understanding EMR Audit Trails

Understanding EMR Audit Trails is important to any company dealing with (PHI). They must have all the necessary security measures in place and follow them to ensure HIPAA Compliance.

Understanding EMR Audit Trails is essential to a patient’s medical history In medical malpractice litigation. The Health Insurance Portability and Accountability Act (HIPAA) requires that the Electronic Medical Records (EMR) maintain an audit trail including all of the metadata. This EMR audit trail is a piece of highly relevant evidence as to who accessed what in the record, what entries were made and/or changed, by whom and when. Computer Forensic experts are key to effective electronic discovery during medical malpractice litigation.

How do hospitals record, protect, and store data? HIPAA sets the guidelines for the most highly sought after information by the world’s best technology hackers. Medical records are worth 4 times more than credit card information. Managing Personal Healthcare Information (PHI) places Healthcare facilities at risk of cyber attack 24/7, 365 days a year.

Check out this video with Enigma Forensics, President & CEO, Lee Neubecker, and John Blair, a noted Healthcare Industry Cyber Security Expert where they discuss the importance of protecting Personally Identifiable Information (PII).

Lee Neubecker and John Blair

Understanding EMR Audit Trails video transcript follows:

This is the third of the last video in the three-part series on Health Care Industry Cyber Threats:
Watch Part 1, Watch Part 2

Lee Neubecker: Hi, I have John Blair, a cyber security expert in the field of healthcare, and John is also involved with understanding patient medical, electronic medical record (EMR) audit trails, so I asked him to come on the show and talk a little bit about that with me. John, thanks for coming back on the show.

John Blair: Thanks, Lee. Glad to be back.

LN: So John, can you tell everyone a little bit about what HIPAA requires of healthcare organizations as it relates to tracking data of caregiving and the patients?

JB: Sure. Most of this is obviously directed at hospitals, but HIPAA also has things called business associates, and any interaction from any entity with, or any user with, PHI is going to be subject to these audit logging. Hospitals use systems called EMRs, so generally those, the audit trails are built into the EMRs by default, but obviously entities can turn those off if they so choose or configure them differently. HIPAA requires that you pretty much log any interaction, whether it’s read-only, view-only, edit, whatever that interaction might be. Identify the user, identify the time, what was done to the record, and that has to be maintained for several years. So it doesn’t matter what a user does with the record. Even if they just view it, that counts as a valid interaction and has to be logged and maintained.

LN: In fact, all of these hospital software systems out there have to be HIPAA compliant, or else the hospitals wouldn’t be able to use the software packages. Isn’t that true?

JB: Right, right. There’s a lot of federal regulations regarding that, that the standards that these systems have to meet in order to get refunds or rebates from the government.

LN: So Medicare funding, reimbursement, obviously is important.

JB: All of that stuff. And audit logs of user activity and interactions, or any interaction with PHI, is a critical component of that.

LN: You know, what I’ve seen is sometimes despite the software packages being EMR, audit trail compliant, that there’s the ability for the software that’s deployed to be altered so that the audit trails aren’t retained as long as required by law.

JB: Yeah, sometimes the storage of the audit logs, it can be overwhelming. So oftentimes they are archived offsite or inappropriate access is given to the audit log itself. And then it possibly can be changed, which ruins the integrity of the log, obviously, and that would be a very bad thing should something come up down the road and you needed that log.

LN: Yeah, and certainly, someone who has the master database administrator password to that back-end system, they could do whatever they wanted.

JB: Yup. But there’s supposed to be logs of that activity, as well, and reviews of those logs, but you’re absolutely right. If you’re an administrator, you can do a lot of damage.

LN: Yeah, I’ve assisted clients before involved in litigation, medical malpractice litigation, with just seeking the truth of what’s there in the records. Most of the time, they think many hospitals are compliant and do have those audit trail records.

JB: Absolutely.

LN: But, they don’t necessarily want to make that data readily available.

JB: No, they don’t. And it depends, it’s a case-by-case scenario, under the advice of counsel and things like that, but it’s very, very sensitive information, and obviously, it’s a public relations nightmare to have a breach of patient data, so they take those things very, very seriously.

LN: Absolutely. So can you tell everyone what PHI stands for?

JB: It’s Protected Health Information, as defined by HHS, there are 18 very specific fields that comprise PHI. PHI is a subset of PII, which is Personally Identifiable Information, but with respect to healthcare, it’s primarily PHI that we’re worried about and those 18 identifiable fields.

LN: Why would hackers want to target health care records?

JB: It’s far more valuable now than several years ago, it was credit card information, basically for year after year. Now, the credit card companies and technology with respect to how quickly a card can be replaced and deactivated. And so, just more money in it to steal medical information. And there’s more flexibility, as well. You can go get drugs, you can do a variety of things, whereas, with the credit card, it’s just money.

LN: If people wanted to launch a targeted scam on individuals, certainly having records that would enable them to filter patients that have Alzheimer’s, might give them an unfair advantage at duping people out of their savings.

JB: Absolutely. Because generally if you get someone’s entire record, you’re getting everything about them: their Soc number, their address, phone numbers, relatives, I mean, all this information is now at your disposal. And loans can be taken out in their names, it’s just a disaster waiting to happen.

LN: So Electronic Medical Records, known as EMR, represent an important target that hackers seek, because of the value of that information, and the uniqueness.

JB: Yup. The price of those records, per record, now varies, but I believe it’s in the $150, $200 range per record if it’s a breach now, and laptops can hold hundreds of thousands of records. So it can be very, very expensive.

LN: But it seems that this is a problem, too, that it isn’t just localized to any one area, it’s universal.

JB: Yeah, it’s across the board. Anyone dealing with PHI has this problem.

LN: How does the cost of a patient medical record compare to a credit card record, compare to the black market?

JB: Yeah, for the last several years, medical records have gained in value every year, while financial records, credit card information have devalued. And it’s to the point now where medical information’s worth four times as much as financial information. And that’s only increasing.

LN: So does that mean that people that work in the healthcare sector in IT and security are going to get paid four times as much as the people of the financial sector?

JB: I wish.

LN: Well, thanks again for being on the show, this was a lot of good stuff. I appreciate this.

JB: Thanks, Lee, appreciate it.

Other related stories about EMR Audit Trails

Other resources to learn more about EMR Audit Trails.

https://www.cdc.gov/phlp/publications/topic/hipaa.html

Keys to a Secure Supply Chain

The world is data-driven. Companies face an overwhelming barrage of big data. Neubecker and Blair discuss the certifications necessary to ensure constant data security.

Cyber Security is Crucial to Supply Chain

Companies face an overwhelming barrage of endless data that contains sensitive information and involves a variety of supply chain vendors. The world is data-driven and securing your supply chain will help minimize your risk of cyberattacks. Here are some keys ways to help you understand more about securing your data beginning with supply chain vendors.

Check out this video with Enigma Forensics, Lee Neubecker, President & CEO, and John Blair, noted Healthcare Industry Cyber Security Expert dissect big data and the certifications needed to understand how to secure your supply chain to help monitor the risks.

2nd video in a three-part series

This is the second video transcript of a three-part series.

Lee Neubecker: Hi, thank you for doing this show, John.

John Blair: No problem.

LN: I appreciate you coming back on.

JB: Thanks Lee, glad to have you here.

LN: So, we’re going to talk today a little bit about what organizations should be doing to monitor the risk associated with their supply chain.

JB: Okay.

LN: And John, if you can, give me an understanding of what are things that you look for when selecting a vendor or city that might be hosting your data.

JB: Right.

LN: Or running parts of your operation.

JB: Well, the world is data-driven, and so your evaluation of vendors is critical and should be focused on their interaction with your data, what their subcontractors are going to do, are you going to allow them to have subcontractors? Where are those subcontractors located? And by all means, get some sort of attestation, that their environment that you’re now relying on, has been audited, you know, the SOC 2’s, those types of things, go a very long way in giving you some level of comfort that they’re operating their controls effectively and that you can rely on ’em.

LN: Great, can you explain to our viewers what essentially a SOC 2 certification is, and why you care about that with a vendor?

JB: That one, the SOC 2, there are multiples ones, but a SOC 2 Type 2 is the standard. There are five Trust Principles associated with it. The biggest one used probably, 75 percent of the time is security. And that’s where you, the vendor would offer, whatever service you’re interested in, the SOC report would be scoped for that service, and then the auditors evaluate that service according to the security principle that’s defined by SOC.

LN: So, typically they’re looking at physical security measures, as well,

JB: Yep.

LN: that extend just beyond data,

JB: Right.

LN: but physical security measures that help to protect your data.

JB: Right, SOC defines objectives, and then the organization defines controls within those objectives, so the objectives are the boundaries, and then the organization defines the controls, but generally speaking, they are the IT basics, chain management, software development, life cycle, physical security, logical security, network security, data storage and security, transmission security, those types of things are almost always covered under the security principle.

LN: Isn’t it true that someone could have all the certs out there and still get compromised?

JB: Oh, absolutely. The certs are not a guarantee, by any stretch. They are just, you know, as we’ve said, they’re meant to give you a level of comfort in the control environment of the people you are now, basically trusting with your data.

LN: And so, as you go out, and you select vendors if you do this diligence and you find vendors that have a certain level of attestation, and various certs that you care about, that might help you if data breach happened, to show that you actually practiced good faith and due diligence, in selecting your vendors.

JB: No, absolutely, and HIPPA requires it, so if you did some sort of due diligence at least, at least you have a story to tell. If you don’t have a story to tell, then that’s where things start going off the rails almost immediately, because you didn’t do anything, and that’s never a good thing.

LN: Well, thanks for being on the show again.

JB: My pleasure, thank you.

More about cybersecurity

Information on HIPPA website for security professionals

https://www.hhs.gov/hipaa/for-professionals/security/laws-regulations/index.html

Iranian Cyber Threat Readiness

DHS has issued an advisory warning of potential cyber attacks by Iran against the U.S. Organizations should watch this short video detailing the top ways to protect yourself from Iranian Cyber Attacks.

D.H.S. Alert – Iran Cyber Threat Readiness

On January 4, 2020 Department of Homeland Security (DHS) has issued an advisory warning that Iran maintains a robust cyber program and can execute cyber attacks against the United States. Iran is capable, at a minimum, of carrying out cyber attacks with temporary disruptive effects against critical infrastructure in the United States. Previous homeland-based plots have included, among other things, scouting and planning against infrastructure targets and cyber enabled attacks against a range of U.S.- based targets. The Iranian Cyber Threat is real and warrants proactive measures to ensure cyber threat readiness and minimize the risk of a successful cyber attack.

Check out Enigma Forensics, Lee Neubecker, President & CEO, and John Blair, noted Healthcare Industry Cyber Security Expert to learn more about what can be done to deter such cyber-attacks and maximum readiness to an Iranian originated cyber attack.

Video Discussion on Iran Cyber Threat Readiness

1st Video in a three-part series with John Blair

This is the first video transcript of a three-part series.

Lee Neubecker (LN): So John, thank you for being on the show.

John Blair (JB): Thanks, Lee.

LN: John is a cybersecurity expert that focuses on the healthcare sector. Can you tell us a little bit about what organizations should be doing right now in response to concerns about potential Iranian cyber strikes on U.S. companies?

JB: Sure. I’m a pragmatist, so I think you should execute the basics first. Make sure your devices, it’s a border level of your network, and the devices are patched. You might want to start increasing your network monitoring for the next few weeks, to monitor the activity coming through, check your firewall rule sets, these types of things, just to make sure that you get a comfort level. I’m a firm believer in executing the basics solidly, and then monitoring. Because if you’re a target, and the people know what they’re doing, there’s not much you can do to prevent it anyway.

LN: So one of the things too, that I would add to that is, I think it’s important that people have a command of what’s on their network, which is basic inventory of your digital assets, so you know what your devices are.

JB: Yes, you do need to know your environment.

LN: Like you said, knowing what’s on your network, monitoring your log files and patching your devices, those three things go a very long way.

JB: A very long way. And they’re just good practice anyway. That’ll prevent most things from going bad.

LN: Great, well thanks for being on the show.

JB: Sure, thank you.

Articles & Resources Related to Cyber Threat Readiness

Resources on the Internet Related to Cyber Threat Readiness

Click here to view the DHS Iranian Cyber Threat Advisory.

Cyber Essentials: Building a Culture of Cyber Readiness– a guide for leaders of small businesses as well as leaders of small and local government agencies to develop an actionable understanding of where to start implementing organizational cybersecurity practices.
Department of Homeland Security

Cybersecurity for Small Business: The Fundamentals” – a set of training slides and speaker notes to help small business owners educate themselves and their employees about cybersecurity best practices and resources.
National Institute of Standards and Technology

Cyber Readiness Program  – The Cyber Readiness Program is designed to provide practical resources and tools to help organizations like yours take action to become cyber ready. Completing the Program will make your organization safer, more secure, and stronger in the face of cyber threats. (Note: account with login is required.)
Cyber Readiness Institute

Hospital Data Breached

Hospital Data Breach

Hackers will continue to pummel the sector with targeted attacks.

Have you heard the news about the most recent Chicago, Illinois area hospital data breach?  We’re referring to the article in the Chicago Tribune, By Lisa Schencker on December 31, 2019.  “Personal information of nearly 13,000 people may have been exposed in Sinai Health System data breach” Click here to view the article.

After reading this article many questions came to mind.  Who would hack a hospital system?  Are cyber attacks on hospitals becoming more frequent? Could a foreign hacker be targeting hospitals to conduct cyber warfare?  Could it be a disgruntled employee who maliciously wants to obtain patient electronic medical records (EMR) and target a particular patient?

It has been reported that 70% of hospital data breaches include sensitive demographic or financial information of that could lead to identity theft. The Sinai Health System data breach included 13,000 patients’ names, addresses, birth dates, Social Security numbers, health information or health insurance information were potentially exposed. 

One could easily assume that if a hacker was armed with this information, they could sell patient electronic medical records and financial data to the highest bidder. The potential for patient harm is exponential.

Data Breach Incident Response

What happens next? Computer Forensic Experts are called to initiate a data breach response. Experts start with immediately stopping the breach, accessing the damage, notifying those affected, conducting a security audit. Forensic experts create a recovery plan to prepare for future attacks.  Finally, Forensics experts train employees to protect the data and enforce strong passwords.

Computer Forensic Experts A.K.A. Cyber Security sleuths or electronic detectives are really excellent at detecting where and how the breach occurred and accessing the damage.  In cases of litigation due to a data breach or medical malpractice, Computer Forensics Experts are hired by law firms to serve as expert witnesses to help win the litigation. In addition, many hospitals hire Computer Forensic Experts to assist in auditing their records to prove their side of the case. 

Prepare a Data Breach Incident Response Plan

Looking forward to 2020. Cyber Forensic experts agree the entire sector needs to adjust its security approach to keep pace with hackers. The Department of Health and Services and many states may impose fines on those who are not following security guidelines. It’s vitally important to create a Data Breach Incident Response Plan.

Enigma Forensics are experts in Data Breach Incident Response. To learn more about Enigma Forensics read below.

If you think you have been breached…contact Enigma Forensics.com

Cyber Readiness: Power Grid Outages

Are you ready for a power outage? Check out this video for Cyber Readiness and Power Outages tips.

Enigma Forensics CEO & President, Lee Neubecker and Geary Sikich, President of Logical Management Systems, tackle the strategies you need to know to prepare for a cyber attack. Each describes in detail the importance of cyber readiness starting with power outages.

Be prepared for a cyber attack or power outage

The transcript of the video follows:

Lee Neubecker: Hi, I’m here today with Geary Sikich. Geary is the President of Logical Management Systems. Thank you, Geary, for being on the show.

Geary Sikich: Thank you, Lee.

Lee Neubecker: So we’re here to talk a little bit about cyber attacks on the power grid, and what impacts that could have on businesses and individuals alike. All right, Gary, is the future of war likely to be cyber, in your opinion?

Geary Sikich: Well Lee, I think there’s three aspects of that that we need to look at. There’s what I’ll call a strategic aspect, which in effect, we’re already in a cyber war in many respects. Nation states are using cyber in a lot of different ways. Not necessarily as disruptive as it could be, but it’s got the potential to expand. There’s then another level down from there which I’ll call operational, which is targeting specific locales and areas. And then, what I’ll call a tactical level where you’re targeting individual facilities to include even neighborhoods at this stage. And one of the things I think you’re going to see in the future is that there’s going to be more of a reliance on these disruptions because of the great impact they have on businesses as well as the general population.

Lee Neubecker: Yeah so, one of the things that I had lectured on before was some research that came out of Princeton University on a topic called MadIoT, which relates to manipulation of end user demand by attacking insecure Internet of Things, IoT, devices in homes and whatnot. And essentially, what the researchers found was that by taking over enough routers in homes, you could compromise Wi-Fi devices attached to high-wattage appliances like Internet-enabled microwaves, toasters, heaters, things like that that would draw a lot of current, air conditioning systems and that by attacking adjacent neighborhoods, you could manipulate power demand in one neighborhood such that the power’s going off or down low, and then the adjacent neighborhood causing all these appliances to come on, which by only creating a small disturbance in balance of power, Kirchhoff’s law that dictates the flow of electricity could cause faults in lines as electricity moved from one neighborhood to another in spikes, and that that type of attack could effectively knock out parts of the grid. There are a lot of factors, obviously, that could knock out the grid, but what have you been advising your clients to do in advance of such an outage, to help them mitigate the risk and protect themselves?

Geary Sikich: One of the things we look at with that issue, and it’s a very big issue, and it ties into the areas I previously mentioned, the strategic, operational, and tactical, is to begin to look at how you can be resilient as an organization. So, I’ll give you an example. A colleague who was at a firm in Southern Illinois, they were about to move to a larger building. And one of the things he was charged with was developing the plans and then getting the move set up. They didn’t have a generator, and I highly recommended to him that they get a generator. They decided to do it, and to their benefit, once installed and once they got it in the building, they had a localized power outage which, for them, was a non-event so to speak because the generator immediately kicked on. They didn’t lose any power. As a commodities trading firm, they’re very dependent on the ability to communicate electronically for trade. So when we got to analyzing things, I asked, “What did you think?” and he said, “Well, it cost “probably a quarter of a million.” And then I asked the second question, which I think was more relevant and important as he understood it, “What was the cost in lost trades, if you’d have not “had the generator?” He said, “About $2 billion.” So the immediate impact on these things is that organizations really need to think about how can they secure a power supply for themselves so that they can effectively operate independently of the grid in times of a crisis?

Lee Neubecker: So an adversary of a financial services company could actually cause massive harm by targeting and causing a power disruption, knocking out the trading facilities–

GSL Yes. LN:Costing them billions of dollars.

Geary Sikich: Yes. And the interesting part about that is, that when you begin to look at it, it’s not just that immediate impact, it’s the cascading impact that goes throughout the entire system. So you knock out the trading aspect, you suddenly knock out the logistics of movement of products and services, and it cascades throughout the entire system if you will.

Lee Neubecker: So what do you see are the other downstream potential impacts to a prolonged outage?

Geary Sikich: Oh, prolonged outages are one of the concerns that a lot of organizations have. What do I do to keep my business in business if we’re faced with a long-term outage? Natural disasters have shown us that it can take up to and beyond a couple of years to recover. A lot of organizations literally could go out of business as a result of not being able to have the financial resources to weather a storm like that.

Lee Neubecker: Well, this has been great stuff. I really appreciate you coming on the show, Geary. Thanks a bunch.

Geary Sikich: Thank you, Lee, I appreciate it.

Anatomy of Computer Forensics In Trade Secret Misappropriation

Enigma Forensics CEO & President Lee Neubecker attends Legal Tech 2018 in New York. Lee sits down with Attorney David Rownd who is a partner at Thompson Coburn to discuss trade secret misappropriation and the role of Computer Forensics. They share their experiences in litigation concerning trade secrets and the misapporiation of information.

The transcript of the video follows

Lee Neubecker: So I’m at LegalTech New York and I’m here with David Rownd. He’s a partner at Thompson Coburn and David and I had a past working on cases involving trade secret theft and misappropriation and I just asked him to come here today and share a little bit about his experience using computer forensics and what role that’s played in cases and helping him to get good results for his clients.

David Rownd: Well computer forensics can be an amazing tool, particularly in a trade secret misappropriation case where a departing employee takes valuable company information. Often almost all of the information that is relevant to a company’s business is stored on the computer and the most common situation that you see is where the employee mistakenly believes that no one will catch him if he just emails stuff to a personal account and that is, at this point a well-worn trick, but it still happens. And most employees, what they are doing, is a see that they are going to pursue another option and they want to use information that belongs to the company so they do what they can to obtain that information. And they may realize that it’s traceable, but they may not. But what they probably don’t realize is the extent to which it really is traceable. And that every little move can be captured with a forensics expert such as me.

Lee Neubecker: Thank you. So are there any recommendations you’d have to clients that have an employee that leave that might have sensitive client data and trade secrets? What would you advise those clients to do?

David Rownd: You mean before they leave or after they leave?

Lee Neubecker: They find out their Head of Sales and Marketing leaves and goes to a competitor, how would you advise that client if they called you up and said, Dave, what should we do? We’re concerned that this person took stuff.

David Rownd: Well, first of all, any computerized data, if there was a desktop computer that that employee worked at, you should immediately evaluate the desktop computer to see if in fact any data has been moved or transferred in any way. And there are a variety of different ways that it can be done. And you know better than I do all of those different ways to identify the potential use of data. There’s also the issue about what information may be on your iPhone or a handheld device. I mean those are more and more becoming part of the way business gets conducted, especially in terms of sales, these salespeople are on the road, they’re communicating with customers by text, by email, and being able to trace the activity that went on on personal handheld devices is obviously an important thing to do as well. And to try to get a grip on, okay, what exactly did this person do prior to leaving?

Lee Neubecker: Now, have you ever had a company call you up where they hired this person who left and took stuff?

David Rownd: Oh that happens all the time. I mean the typical scenario is, in a lawsuit such as this, is that the departing employee and the new employer are both named as defendants, and the new employer can be potentially aiding and abetting the misappropriation of information, they can be tortuously interfering with agreements that the departing employee had with his prior employer. And you know one of the things we didn’t talk about is what sort of agreements are these employees operating under? Good prevention measures obviously to have an employment agreement with people who are going to have sensitive, proprietary information where they acknowledge that the information is confidential and that it’s proprietary and that it’s valuable.

Lee Neubecker: And just to add Dave, one of the most important things before, if an employee is leaving, you want to make a forensic image as soon as possible, done in an appropriate matter so that the data doesn’t get altered ’cause that can introduce chain of custody attacks

David Rownd: Correct

Lee Neubecker: and other allegations.

David Rownd: Correct. And the quicker that’s done and the more process oriented the way that it’s done, the better because you’re going to want to ultimately demonstrate to a court that this is reliable and that’s the key. And so if you can show that it was done almost contemporaneously and if you can a show a step by step process by which this mirror image was created so that a court can look at that data and say yes, this is in fact what was in existent at that time.

Lee Neubecker: Can you tell us what other type of case matters you work on to help your clients? Just a little bit more to our viewers about your practice?

David Rownd: Well my practice is, I am a business litigator is the generic term, but that can mean a lot of different things. I’ve done a lot of trade secret misappropriation in the past. These cases with a departing employee goes to a new employer, I’ve been on all sides of those cases in the past. A lot of my work is business to business litigation where it’s centered around some sort of business arrangement usually documented by a contract, but there can be other issues which are extraneous and in your typical straight up litigation matter today, the importance of electronically stored information is significant because that’s the way we do business now.

Forensic Imaging

Forensic Imaging

Forensic Imaging Tools Used By Computer Forensic Experts

Leading computer cyber forensics Expert Lee Neubeckers discusses FTK Imager (forensics imaging tool) and Write Block Technology with Alex Gessen renowned forensics expert.

The transcript of the video follows

Lee Neubecker: So, I hear you recently uncovered a problem with forensic write block technology can you tell me about that?

Alex Gessen: Oh, yes. Not only with write block technology, but even more importantly with… Forensic imaging tool, which is used by basically everybody in the industry, called FTK Imager. And what I discovered, I also used that tool for years, and didn’t realize the fault, but what I discovered. Basically, two weeks ago, and I did some tests and analysis and I asked Kevin to help me, that FTK Imager produces a wrong serial number when USB storage devices are imaged and that serial number basically is useless for the purpose of verification if specific device was plugged into a specific computer, which, with USB devices, is almost always. When you analyze these devices, 90% of times, it’s of critical importance, and–

Lee Neubecker: So, how is that information used when you are doing a trade secret misappropriation investigation to assist you?

Alex Gessen: I… Quite often, I have to image a computer. Usually work computer, where the person works, or worked, and then, first of all, I find out, analyzing the computer, that certain devices were plugged in, in this specific instance. There are other ways to steal intellectual property or trade secrets. You can upload them to the Cloud, you can email important attachments to yourself. But, quite often, because it’s the most time effective, is to copy data to external devices. So, first, you find out which devices were plugged into the computer, and then you have to get these devices and analyze them. And when you have these devices, you have to be sure that this is device which was plugged into the computer in question and for that you need serial number, and FTK Imager didn’t provide serial number. And people, whole industry, was using that for years and years.

Read Below to Learn More About Computer Forensics