Grover Kearns, PhD, CPA, CFE
Computer Forensics for Accountants, Class 2
Summer 2013
Laptop Security Tips
Treat it like cash.
Get it out of the car...don’t ever leave it behind.
Keep it locked...use a security cable.
Keep it off the floor...or at least between your feet.
Keep passwords separate...not near the laptop or case.
Don’t leave it “for just a sec”...no matter where you are.
Pay attention in airports...especially at security.
Importance of IT Forensic Techniques to Organizations
The New Corporate Environment
Sarbanes-Oxley 2002
SAS 78, 80, 94, 99
COSO and COBIT
ISO 9000 and ISO 17799
Gramm-Leach-Bliley Act
US Foreign Corrupt Practices Act
…all of these have altered the corporate environment and made forensic techniques a necessity!
Importance of IT Forensic Techniques to Auditors
SAS No. 99 - Consideration of Fraud in a Financial Statement Audit - requires auditors to …
Understand fraud
Gather evidence about the existence of fraud
Identify and respond to fraud risks
Document and communicate findings
Incorporate a technology focus
Importance of IT Forensic Techniques to Auditors
Majority of fraud is uncovered by chance
Auditors often do not look for fraud
Prosecution requires evidence
Value of IT assets growing
Treadway Commission Study … Undetected fraud was a factor in one-half of the 450 lawsuits against independent auditors.
Digital Crime Scene Investigation
Digital Forensic Investigation: a process that uses science and technology to examine digital objects and that develops and tests theories, which can be entered into a court of law, to answer questions about events that occurred.
IT Forensic Techniques are used to capture and analyze electronic data and develop theories.
Audit Goals of a Forensic Investigation
Uncover fraudulent or criminal cyber activity
Isolate evidentiary matter (freeze scene)
Document the scene
Create a chain-of-custody for evidence
Reconstruct events and analyze digital information
Communicate results
Audit Goals of a Forensic Investigation
Immediate Response
Shut down computer (pull plug)
Bit-stream mirror-image of data
Begin a traceback to identify possible log locations
Contact system administrators on intermediate sites to request log preservation
Contain damage and stop loss
Collect local logs
Begin documentation
Audit Goals of a Forensic Investigation
Continuing Investigation
Implement measures to stop further loss
Communicate to management and audit committee regularly
Analyze copy of digital files
Ascertain level and nature of loss
Identify perpetrator(s)
Develop theories about motives
Maintain chain-of-custody
Disk Geometry
[Diagram: tracks, sectors and cylinders. Clusters are groups of sectors.]
Slack Space
[Diagram: the last cluster in a file holds the end of file, followed by slack space.]
Data Recovery
File Recovery with PC Inspector
Data Eradication
Securely Erasing Files
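The slack-space diagram, the file-recovery slide and the secure-erase slide above all rest on one mechanism. As an added example (not from the course material, and not PC Inspector's code), this toy cluster-allocated disk shows ordinary deletion leaving data in place, a new file's slack carrying residue of an earlier file, that residue being carved back from the raw media, and a secure erase overwriting whole clusters before freeing them. Cluster size, file names and contents are constructed.

```python
# Added example (not from the slides): a toy cluster-allocated disk showing why
# file slack and unallocated clusters matter to an examiner, why ordinary
# deletion does not remove data, and what a secure erase must overwrite.
CLUSTER, NUM_CLUSTERS = 16, 8   # constructed; real clusters are 512 B to 64 KiB

class ToyDisk:
    def __init__(self):
        self.raw = bytearray(CLUSTER * NUM_CLUSTERS)   # fresh media, all zeros
        self.files = {}                                # name -> (clusters, size)
        self.free = list(range(NUM_CLUSTERS))          # allocation table

    def write(self, name, data: bytes):
        # Only the file's own bytes are written; whatever already sat in the
        # unused tail of the last cluster (the slack) is left untouched.
        clusters = [self.free.pop(0) for _ in range(-(-len(data) // CLUSTER))]
        for i, c in enumerate(clusters):
            chunk = data[i * CLUSTER:(i + 1) * CLUSTER]
            self.raw[c * CLUSTER:c * CLUSTER + len(chunk)] = chunk
        self.files[name] = (clusters, len(data))

    def delete(self, name):
        # Ordinary deletion releases the clusters; their contents stay on disk.
        clusters, _ = self.files.pop(name)
        self.free = sorted(self.free + clusters)

    def secure_erase(self, name):
        # Eradication overwrites every allocated cluster in full, slack included.
        for c in self.files[name][0]:
            self.raw[c * CLUSTER:(c + 1) * CLUSTER] = bytes(CLUSTER)
        self.delete(name)

    def slack(self, name) -> bytes:
        # Bytes between end-of-file and the end of the file's last cluster.
        clusters, size = self.files[name]
        used, start = size % CLUSTER, clusters[-1] * CLUSTER
        return b"" if used == 0 else bytes(self.raw[start + used:start + CLUSTER])

    def carve(self, marker: bytes) -> list:
        # Recovery: scan the raw media, ignoring the allocation table entirely.
        return [i for i in range(len(self.raw)) if self.raw.startswith(marker, i)]

def demo() -> dict:
    d = ToyDisk()
    d.write("ledger.txt", b"ACCT-1001 WIRE 25000 TO SHELL CO")  # 32 bytes: clusters 0, 1
    d.delete("ledger.txt")           # "deleted", yet both clusters still hold the text
    d.write("memo.txt", b"hello")    # reuses cluster 0; its bytes 5..15 become slack
    slack = d.slack("memo.txt")      # residue of the old ledger: b"1001 WIRE 2"
    before = d.carve(b"SHELL CO")    # still in unallocated cluster 1, at offset 24
    d.write("tmp.txt", b"ACCT-2002 WIRE 99000 TO SHELL CO")   # takes clusters 1, 2
    d.secure_erase("tmp.txt")        # wipes clusters 1 and 2 before freeing them
    after = d.carve(b"SHELL CO")     # nothing left to recover
    return {"slack": slack, "carved_before_wipe": before, "carved_after_wipe": after}
```

Running demo() shows the three states an examiner cares about: slack residue, carvable unallocated data, and a wiped region that yields nothing.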
Data Integrity
MD5 Message Digest – a hashing algorithm used to generate a checksum
Available online as freeware
Any changes to file will change the checksum
Use: Generate MD5 of system or critical files regularly
Keep checksums in a secure place to compare against later if integrity is questioned
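As an added example (not from the slides), the baseline-and-verify routine the MD5 slide describes, using the Python standard library. It defaults to MD5 to match the slide; because MD5 collisions are practical today, new baselines should pass algo="sha256". File names and contents are constructed for the demo.

```python
# Added example (not from the slides): build a checksum baseline of critical
# files and verify it later, as the slide recommends. Standard library only;
# the files are constructed in a temporary directory for the demo.
import hashlib
import os
import tempfile

def file_digest(path, algo="md5"):
    # Hash in chunks so large files do not have to fit in memory.
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_baseline(paths, algo="md5"):
    # Store this mapping somewhere the monitored system cannot modify it.
    return {p: file_digest(p, algo) for p in paths}

def verify_baseline(baseline, algo="md5"):
    # Re-hash every baselined file and classify it as ok, changed or missing.
    report = {"ok": [], "changed": [], "missing": []}
    for path, expected in baseline.items():
        if not os.path.exists(path):
            report["missing"].append(os.path.basename(path))
        elif file_digest(path, algo) != expected:
            report["changed"].append(os.path.basename(path))
        else:
            report["ok"].append(os.path.basename(path))
    return report

def demo(algo="md5"):
    # Constructed scenario: baseline three files, then alter one and delete one.
    with tempfile.TemporaryDirectory() as d:
        paths = [os.path.join(d, n) for n in ("ledger.csv", "payroll.csv", "config.ini")]
        for p in paths:
            with open(p, "w") as f:
                f.write("original contents of " + os.path.basename(p) + "\n")
        baseline = build_baseline(paths, algo)
        with open(paths[0], "a") as f:      # tamper: append a line to ledger.csv
            f.write("9999,ACME SHELL CO,4900.00\n")
        os.remove(paths[2])                  # config.ini disappears
        return verify_baseline(baseline, algo)
```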
Data Integrity
MD5 Using HashCalc
Data Integrity
HandyBits EasyCrypto
Audit Command Language (ACL)
ACL is the market leader in computer-assisted audit technology and is an established forensics tool.
Clientele includes …
70 percent of the Fortune 500 companies
over two-thirds of the Global 500
the Big Four public accounting firms
Forensic Tools
Audit Command Language
ACL is a computer data extraction and analytical audit tool with audit capabilities …
Statistics
Duplicates and Gaps
Stratify and Classify
Sampling
Benford Analysis
Forensic Tools: ACL
Benford Analysis
States that the leading digit in some numerical series follows an exponential distribution
Applies to a wide variety of figures: financial results, electricity bills, street addresses, stock prices, population numbers, death rates, lengths of rivers

Leading Digit   Probability
1               30.1 %
2               17.6 %
3               12.5 %
4                9.7 %
5                7.9 %
6                6.7 %
7                5.8 %
8                5.1 %
9                4.6 %
Practical applications for Benford's law and digital analysis
Accounts payable data.
Estimations in the general ledger.
The relative size of inventory unit prices among locations.
Duplicate payments.
Computer system conversion (for example, old to new system; accounts receivable files).
Processing inefficiencies due to high quantity/low dollar transactions.
New combinations of selling prices.
Customer refunds.
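As an added example (not from the slides and not ACL's implementation), a first-digit Benford test of the kind the Benford Analysis slide describes, run over the accounts-payable case from the list above. The expected probabilities are log10(1 + 1/d), which reproduce the slide's table; the invoice population and the cluster of $4,900 amounts just under an assumed $5,000 approval limit are constructed.

```python
# Added example (not from the slides): a first-digit Benford test like the one
# ACL's Benford Analysis runs, applied to a constructed accounts-payable file.
import math
from collections import Counter

# Expected share of each leading digit, log10(1 + 1/d); matches the slide's table
BENFORD = {d: math.log10(1 + 1 / d) for d in range(1, 10)}
CHI2_CRITICAL_5PCT = 15.51   # chi-square critical value, 8 degrees of freedom

def leading_digit(amount) -> int:
    # Scientific notation puts the first significant digit first: "4.9e+03" -> 4
    return int(f"{abs(amount):e}"[0])

def first_digit_test(amounts, z_limit=2.0):
    # Returns (observed counts, chi-square statistic, digits in excess).
    # A digit is flagged when its count exceeds the Benford expectation by more
    # than z_limit standard deviations (one-sided binomial approximation).
    digits = [leading_digit(a) for a in amounts if a != 0]
    n, counts = len(digits), Counter(digits)
    chi_square, flagged = 0.0, []
    for d in range(1, 10):
        p, observed = BENFORD[d], counts.get(d, 0)
        expected = n * p
        chi_square += (observed - expected) ** 2 / expected
        if (observed - expected) / math.sqrt(n * p * (1 - p)) > z_limit:
            flagged.append(d)
    return dict(counts), chi_square, flagged

def constructed_ap_population(spike=0):
    # 1,000 invoice amounts spread log-uniformly from $1 to $1,000 follow
    # Benford almost exactly; 'spike' extra invoices of $4,900 (just under an
    # assumed $5,000 approval limit, a constructed pattern) do not.
    amounts = [round(10 ** (3 * i / 1000), 2) for i in range(1000)]
    return amounts + [4900.00] * spike

if __name__ == "__main__":
    for spike in (0, 60):
        counts, chi2, flagged = first_digit_test(constructed_ap_population(spike))
        print(f"spike={spike:3d}  chi2={chi2:6.2f}  flagged={flagged}")
        for d in range(1, 10):
            print(f"  {d}: observed {counts.get(d, 0):4d}  expected {BENFORD[d] * 100:5.1f}%")
```

A flagged digit is a lead, not proof: the next step is to pull the transactions behind it (vendor, approver, date) and review them.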
Background Checks
Developing a Forensic Protocol
The response plan must include a coordinated effort that integrates a number of organizational areas and possibly external areas
Response to fraud events must have top priority
Key players must exist at all major organizational locations
People
Technology
Policies
Processes
A Forensic Protocol
Security Exposures
Organizations may possess critical technology skills but …
Skills are locked in towers – IT, Security, Accounting, Auditing
Skills are centralized while fraud events can be decentralized
Skills are absent – vacations, illnesses, etc.
A Forensic Protocol
The Role of Policies
They define the actions you can take
They must be clear and simple to understand
The employee must acknowledge that he or she read them, understands them and will comply with them
They can’t violate law
A Forensic Protocol
Forensic Response Control
Incident Response Planning …
Identify needs and objectives
Identify resources
Create policies, procedures
Create a forensic protocol
Acquire needed skills
Train
Monitor
A Forensic Protocol
Documenting the Scene
Note time, date, persons present
Photograph and video the scene
Draw a layout of the scene
Search for notes (passwords) that might be useful
If possible freeze the system such that the current memory, swap files, and even CPU registers are saved or documented
A Forensic Protocol
Forensic Protocol
First responder triggers alert
Team response
Freeze scene
Begin documentation
Auditors begin analysis
Protect chain-of-custody
Reconstruct events and develop theories
Communicate results of analysis
A Forensic Protocol
Protocol Summary
Ensure appropriate policies
Preserve the crime scene (victim computer)
Act immediately to identify and preserve logs on intermediate systems
Conduct your investigation
Obtain subpoenas or contact law enforcement if necessary
Key: Coordination between functional areas
Conclusion
Computer Forensic Skills Can …
Decrease occurrence of fraud
Increase the difficulty of committing fraud
Improve fraud detection methods
Reduce total fraud losses
Auditors trained in these skills are more valuable to the organization!
Preventing Internal Attacks: Common Sense Measures
Notify employees that their use of the company's personal computers, computer networks, and Internet connections will be monitored. Then do it.
Limit physical access to computers - imposition of passwords; magnetic card readers; and biometrics, which verifies the user's identity through matching patterns in hand geometry, signature or keystroke dynamics, neural networks (the pattern of nerves in the face), DNA fingerprinting, retinal imaging, or voice recognition. More traditional site control methods such as sign-in logs and security badges can also be useful.
Classify information based on its importance, assigning security clearances to employees as needed.
Eliminate nonessential modems that could be used to transmit information.
Monitor activities of employees who keep odd hours at the office.
Include extensive background checks in the company's hiring process, especially in cases where the employee would be handling sensitive information.
Stress the importance of confidential passwords to employees.
Preventing External Attacks: Common Sense Measures
Install and use anti-virus software programs that scan PCs, computer networks, CDROMs, tape drives, diskettes, and Internet material, and destroy viruses when found.
Update anti-virus programs on a regular basis.
Ensure that all individual computers are equipped with anti-virus programs.
Remove administrative rights from employees.
Make sure that the company has a regular policy of backing up (copying) important files and storing them in a safe place, so that the impact of corrupted files is minimized.
The CERT Web site posts the latest security alerts and also provides security-related documents, tools, and training seminars.
CERT offers 24-hour technical assistance in the event of Internet security breaches.
Malicious Internet Programs
Virus – Program that attaches itself to other programs and infects them.
Trojan – Disguised as legitimate program but designed to take control of computer. Can be used to attack other computers (zombies).
Worm – Network aware virus that replicates using file sharing or e-mail.
Over 115,000 known viruses, trojans, and worms. 70% of all e-mail traffic is SPAM!
Spyware
Programs used to gather information about you and relay it to an Internet advertising company for resale.
Browser cookies can be used to track your activity.
Gathering practices and use of personal information generally not clear during web site usage or program installation.
http://www.vtinfragard.org/vtinfosafe/InformationResources.html
Questions or Comments?