TRANSCRIPT
Grover Kearns, PhD, CPA, CFE, CITP
Catching Al Capone: What All Accountants Should Know About Computer Forensics
Catching Al Capone
• Capone was known to be responsible for a wide array of felonies and violent crimes, but evidence was lacking
• Witnesses tended to disappear
• Direct evidence was needed
• Business records provide direct evidence
• Careful search, analysis, and handling of data are required to produce data that are acceptable as evidence
Survey Shows Companies Fear Fraud, But Many Not Prepared
Ernst & Young's 9th Global Fraud Survey: Fraud Risk in Emerging Markets
• 60 percent of multinationals say they believe fraud is more likely to occur in emerging market operations than in developed markets
• Robust internal controls remain the first line of defense against fraud for companies in all markets
Why
Accountants and auditors …
• are better positioned to detect computer-based fraud
• can assist in maintaining a chain-of-custody for digital evidence
• can better communicate with IT employees
• can promote IT-based internal controls
• can assist in the efficient use of IT resources
Common Applications of Computer Forensics
• Employee internet abuse (common, but decreasing)
• Unauthorized disclosure of corporate information and data (accidental and intentional)
• Industrial espionage
• Damage assessment
• Criminal fraud and deception cases
Cardinal Rules of Evidence Handling
• Only use tools and methods that have been tested and evaluated to validate their accuracy and reliability.
• Handle the original evidence as little as possible to avoid changing the data.
• Establish and maintain the chain of custody.
• Document everything done.
• Never exceed personal knowledge.
Forensic Accountants Are Involved In
• Criminal Investigations
• Shareholders' and Partnership Disputes
• Personal Injury Claims
• Business Interruption
• Fraud Investigations
• Matrimonial Disputes
• Professional Negligence
• Mediation and Arbitration
Computer forensics can be defined as the collection and analysis of data from computer systems, networks, communication streams (wireless) and storage media in a manner that is admissible in a court of law.
- CERT
“Computer forensics” can thus not afford solely to concern itself with procedures and methods of handling computers, the hardware from which they are made up and the files they contain. The ultimate aim of forensic investigation is use in legal proceedings [Mandia 01].
The objective in computer forensics is quite straightforward. It is to recover, analyze and present computer based material in such a way that it is useable as evidence in a court of law [Mandia 01].
Digital Crime Scene Investigation: Digital Forensic Investigation
A process that uses science and technology to examine digital objects and that develops and tests theories, which can be entered into a court of law, to answer questions about events that occurred.
IT forensic techniques are used to capture and analyze electronic data and develop theories.
Audit Goals of a Forensic Investigation
• Uncover fraudulent or criminal cyber activity
• Isolate evidentiary matter (freeze scene)
• Document the scene
• Create a chain-of-custody for evidence
• Reconstruct events and analyze digital information
• Communicate results
Audit Goals of a Forensic Investigation: Immediate Response
• Shut down computer (pull plug)
• Bit-stream mirror-image of data
• Begin a traceback to identify possible log locations
• Contact system administrators on intermediate sites to request log preservation
• Contain damage and stop loss
• Collect local logs
• Begin documentation
Audit Goals of a Forensic Investigation: Continuing Investigation
• Implement measures to stop further loss
• Communicate to management and audit committee regularly
• Analyze copy of digital files
• Ascertain level and nature of loss
• Identify perpetrator(s)
• Develop theories about motives
• Maintain chain-of-custody
Digital Crime Scene Investigation: Scene Preservation & Documentation
Goal: Preserve the state of as many digital objects as possible and document the crime scene.
Methods:
• Shut system down
• Unplug (best)
• Do nothing
• Bag and tag
Audit Goals of a Forensic Investigation: Requirements for Evidence
Computer logs …
• Must not be modifiable
• Must be complete
• Appropriate retention rules
Digital Crime Scene Investigation: Problems with Digital Investigation
• Timing essential – electronic evidence is volatile
• Auditor may violate rules of evidence: NEVER work directly on the evidence
• Skills needed to recover deleted data or encrypted data
Digital Crime Scene Investigation: Extract, Process, Interpret
• Work on the imaged data or “safe copy”
• Data extracted may be in binary form
• Process data to convert it to understandable form
• Reverse-engineer to extract disk partition information, file systems, directories, files, etc.
• Software available for this purpose
• Interpret the data – search for key words, phrases, etc.
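The rules in the Cardinal Rules of Evidence Handling, Requirements for Evidence (logs must not be modifiable) and Extract, Process, Interpret slides (work only on the safe copy) can be made mechanical. The script below is an added example, not code from the slides or from any tool the author mentions: it records the hash of the acquired image, verifies that the working copy still matches before analysis, and keeps a chain-of-custody log in which every record's hash covers the previous record, so an edited or dropped entry is detected. The evidence bytes, actors and actions are constructed stand-ins; in practice the same hashing is run over the bit-stream image file.

```python
import hashlib
import json
from datetime import datetime, timezone

# Constructed stand-in for an acquired bit-stream image (a few bytes instead of gigabytes).
ORIGINAL_IMAGE = b"constructed sample of an acquired disk image: ledger.xls, mail.pst, ..."


def sha256_hex(data):
    """Hash taken from the original at acquisition; everything later is checked against it."""
    return hashlib.sha256(data).hexdigest()


def make_safe_copy(original):
    """Working copy that all analysis runs against; the original is not touched again."""
    return bytes(original)


def verify_copy(original_hash, working_copy):
    """True only if the working copy still hashes to the value recorded for the original."""
    return sha256_hex(working_copy) == original_hash


def add_custody_entry(log, actor, action, evidence_hash):
    """Append one chain-of-custody record. Its hash covers the previous record's hash,
    so editing or dropping any earlier record breaks every later link."""
    prev = log[-1]["entry_hash"] if log else "0" * 64
    entry = {
        "seq": len(log) + 1,
        "timestamp": datetime.now(timezone.utc).isoformat(),
        "actor": actor,
        "action": action,
        "evidence_sha256": evidence_hash,
        "prev_entry_hash": prev,
    }
    body = json.dumps(entry, sort_keys=True).encode()
    entry["entry_hash"] = hashlib.sha256(body).hexdigest()
    log.append(entry)
    return entry


def verify_custody_log(log):
    """Recompute every record hash and every link; False if anything was altered."""
    prev = "0" * 64
    for i, entry in enumerate(log, start=1):
        body = {k: v for k, v in entry.items() if k != "entry_hash"}
        recomputed = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
        if entry["seq"] != i or entry["prev_entry_hash"] != prev or recomputed != entry["entry_hash"]:
            return False
        prev = entry["entry_hash"]
    return True


def run_demo():
    """Acquire, copy, verify, then show that both a changed copy and an edited log are caught."""
    log = []
    original_hash = sha256_hex(ORIGINAL_IMAGE)
    add_custody_entry(log, "first responder", "acquired bit-stream image", original_hash)

    working = make_safe_copy(ORIGINAL_IMAGE)
    add_custody_entry(log, "IT auditor", "created working copy for analysis", sha256_hex(working))
    copy_ok = verify_copy(original_hash, working)        # the copy is what the original was

    tampered = working[:-1] + b"X"                         # constructed one-byte change
    tampered_ok = verify_copy(original_hash, tampered)    # hash no longer matches

    log_ok = verify_custody_log(log)                       # untouched log verifies
    log[0]["action"] = "image acquired (wording changed)"  # constructed after-the-fact edit
    edited_log_ok = verify_custody_log(log)                # edit is detected
    return copy_ok, tampered_ok, log_ok, edited_log_ok


if __name__ == "__main__":
    print(run_demo())
```

The hash check is what lets an examiner state, from personal knowledge, that the analysed copy is byte-for-byte what was acquired; the chained log is a cheap way to satisfy "must not be modifiable" for the investigator's own records, though it does not replace write-protected storage or a witnessed hand-over.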
Digital Crime Scene Investigation: Technology
• Magnetic disks contain data after deletion
• Overwritten data may still be salvaged
• Memory still contains data after switch-off
• Swap files and temporary files store data
• Most OS’s perform extensive logging (so do network routers)
Role of a First Responder
Essentially the first person notified and reacting to the security incident.
Responsibilities:
• Determine the severity of the incident
• Collect as much information about the incident as possible
• Document all findings
• Share this collected information to determine the root cause
Importance of Computer Forensics to Accountants
• First Responder
• IT Auditor
• Member of CERT
• Maintain Chain-of-Evidence
• Document Scene
• Develop Investigatory Process
• Manage Investigatory Process
• Advanced Certifications (CISA etc.)
A Little Bit of History
Our numbering system is based on a Hindu system that came into the Arabic world about 776 CE.
This replaced the Roman system, which is still used today (at the end of movie credits).
A Little Bit of History
Pingala (c. 5th-2nd century B.C.), an Indian scholar, used binary numbers in the form of short and long syllables (think Morse code).
Base 10 versus Base 2
• When we talk numbers, we use a base 10 system, because we use ten characters to write out all of our numbers: 0 1 2 3 4 5 6 7 8 9
• Computers using binary language operate on a base-2 number system, because the two numbers they use are “0” and “1”. These are called binary digits or bits.
Alphabet Soup
• We use the English language consisting of 26 characters:
  Aa Bb Cc Dd Ee Ff Gg Hh Ii Jj Kk Ll Mm
  Nn Oo Pp Qq Rr Ss Tt Uu Vv Ww Xx Yy Zz
• Computers use binary language consisting of 2 characters, arranged together in groups of eight, to communicate:
  Aa = 01000001 01100001
  Zz = 01011010 01111010
8 bits = 1 byte
Binary Numbering System

Placeholder   5        4        3        2        1
Power         4        3        2        1        0
Digital       10^4     10^3     10^2     10^1     10^0
Digital       10,000   1,000    100      10       1
Binary        2^4      2^3      2^2      2^1      2^0
Binary        16       8        4        2        1

Placeholder   10              9             8            7           6
Power         9               8             7            6           5
Digital       10^9            10^8          10^7         10^6        10^5
Digital       1,000,000,000   100,000,000   10,000,000   1,000,000   100,000
Binary        2^9             2^8           2^7          2^6         2^5
Binary        512             256           128          64          32
Placeholders
In the value 5,736,941 the 3 stands for 30,000 because of its location in the fifth place, i.e. 3 x 10^4.
Nearly all numbering systems use placeholders. An exception is the Roman system, where numbers are written down from biggest to smallest. Ex. MCMXCVIII is 1998.
Binary to Decimal

Power    4     3     2     1     0
Binary   2^4   2^3   2^2   2^1   2^0
Value    16    8     4     2     1

Binary Value   Decimal Value
1111           8 + 4 + 2 + 1 = 15   OR   16 - 1 = 15
1 0000         16
1 0101         16 + 4 + 1 = 21
1 1111         16 + 8 + 4 + 2 + 1 = 31   OR   2^5 - 1 = 32 - 1 = 31
Hands-on Activity 1
Use your math skills to calculate the binary number for the base-10 number provided.

     2^4   2^3   2^2   2^1   2^0
     16    8     4     2     1
21 = __    __    __    __    __

Hands-on Activity 1 Answer
Use your math skills to calculate the binary number for the base-10 number provided.

     2^4   2^3   2^2   2^1   2^0
     16    8     4     2     1
21 = 1     0     1     0     1
Hands-on Activity 2
Use your math skills to calculate the binary number for the base-10 number provided.

     2^4   2^3   2^2   2^1   2^0
     16    8     4     2     1
31 = __    __    __    __    __
 7 = __    __    __    __    __
17 = __    __    __    __    __
Hands-on Activity 3
Use your math skills to translate the binary number into the decimal number it represents.

  2^4   2^3   2^2   2^1   2^0
  16    8     4     2     1
   1     1     1     0     1   = ?

Hands-on Activity 3 Answer
Use your math skills to translate the binary number into the decimal number it represents.

  2^4   2^3   2^2   2^1   2^0
  16    8     4     2     1
   1     1     1     0     1   = 29
Hexadecimal
0, 1, 2, 3, 4, 5, 6, 7, 8, 9, A = 10, B = 11, C = 12, D = 13, E = 14, F = 15 (highest hex value in one place)

Placeholder    5        4       3       2       1
Power          4        3       2       1       0
Digital        10^4     10^3    10^2    10^1    10^0
Digital        10,000   1,000   100     10      1
Hexadecimal    16^4     16^3    16^2    16^1    16^0
Hexadecimal    65,536   4,096   256     16      1

Hex Value   Decimal Value
F           15 x 1 = 15
ABC         10 x 256 + 11 x 16 + 12 x 1 = 2,748
2D05        2 x 4,096 + 13 x 256 + 5 x 1 = 11,525
1000        4,096
FFF         4,096 - 1 = 4,095
Hexadecimal and Binary
Base 16 (0-9, A, B, C, D, E, F) is a short-hand for binary: each hex digit stands for exactly four bits.

Decimal   Hex    Binary
255       FF     1111 1111
256       100    1 0000 0000
4,095     FFF    1111 1111 1111
4,096     1000   1 0000 0000 0000
Odometer Effect
When a value reaches its maximum for the placeholders and you add 1, it rolls over. For example, in decimal 999,999 add 1 gives 1,000,000.

Decimal   Binary        Hex
255       1111 1111     FF
+1        +1            +1
256       1 0000 0000   100
Hands-on Activity 1
Use your math skills to calculate the hex number for the base-10 number provided.

         16^4     16^3    16^2   16^1   16^0
         65,536   4,096   256    16     1
65,535 = _        _       _      _      _
 4,095 = _        _       _      _      _

Hands-on Activity 1 Answer
Use your math skills to calculate the hex number for the base-10 number provided.

         16^4     16^3    16^2   16^1   16^0
         65,536   4,096   256    16     1
65,535 =          F       F      F      F
 4,095 =                  F      F      F
Hands-on Activity 2
Use your math skills to calculate the hex number for the base-10 number provided.

          16^4     16^3    16^2   16^1   16^0
          65,536   4,096   256    16     1
297,036 = _        _       _      _      _
 83,041 = _        _       _      _      _

Hands-on Activity 2 Answer
Use your math skills to calculate the hex number for the base-10 number provided.

          16^4     16^3    16^2   16^1   16^0
          65,536   4,096   256    16     1
297,036 = 4        8       8      4      C
 83,041 = 1        4       4      6      1
Hands-on Activity 3
Use your math skills to translate the hex number into the decimal number it represents.

  16^4     16^3    16^2   16^1   16^0
  65,536   4,096   256    16     1
  1        A       2      0      C    = ?
           1       B      A      D    = ?

Hands-on Activity 3 Answer
  16^4     16^3    16^2   16^1   16^0
  65,536   4,096   256    16     1
  1        A       2      0      C    = 107,020
           1       B      A      D    = 7,085
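The binary and hexadecimal activities above all use the same method: multiply each digit by its placeholder value (2^n or 16^n) and add the results, or in the other direction find which placeholders fit. The script below is an added example, not code from the slides, that implements that method for any base up to 16 and checks it against the values worked on the slides (1111 = 15, ABC = 2,748, 2D05 = 11,525, 297,036 = 4884C, 1A20C = 107,020 and so on). Only the standard library is used; the function names are my own.

```python
# Added example: place-value conversion between decimal and binary/hexadecimal,
# done the way the slides do it. Digit strings may contain the slides' spacing.

HEX_DIGITS = "0123456789ABCDEF"


def place_values(base, width):
    """Placeholder values base^(width-1) ... base^0, most significant first.
    For base 2 and width 5 this is [16, 8, 4, 2, 1], the slides' column headers."""
    return [base ** power for power in range(width - 1, -1, -1)]


def digits_to_decimal(digits, base):
    """Convert a digit string in `base` (2 or 16 here) to a decimal int.
    Spaces are ignored so the slides' grouping ('1 0101') can be pasted in."""
    digits = digits.replace(" ", "").upper()
    total = 0
    for value, ch in zip(place_values(base, len(digits)), digits):
        d = HEX_DIGITS.index(ch)            # 'A' -> 10 ... 'F' -> 15
        if d >= base:
            raise ValueError(f"digit {ch!r} is not valid in base {base}")
        total += d * value                  # digit times its placeholder
    return total


def decimal_to_digits(n, base):
    """Convert a non-negative int to its digit string in `base` by repeated
    division; each remainder is the digit for the next placeholder up."""
    if n < 0:
        raise ValueError("only non-negative values are handled here")
    if n == 0:
        return "0"
    out = []
    while n:
        n, remainder = divmod(n, base)
        out.append(HEX_DIGITS[remainder])
    return "".join(reversed(out))           # remainders come out least significant first


def expansion(digits, base):
    """The slides' worked form, e.g. 'ABC' -> '10 x 256 + 11 x 16 + 12 x 1 = 2748'."""
    digits = digits.replace(" ", "").upper()
    terms = [f"{HEX_DIGITS.index(ch)} x {value}"
             for value, ch in zip(place_values(base, len(digits)), digits)]
    return " + ".join(terms) + f" = {digits_to_decimal(digits, base)}"


if __name__ == "__main__":
    # Binary activities from the slides
    for n in (21, 31, 7, 17):
        print(f"{n:>3} = {decimal_to_digits(n, 2):>5} (binary)")
    print("1 1101 =", digits_to_decimal("1 1101", 2))
    # Hexadecimal activities from the slides
    for n in (65535, 4095, 297036, 83041):
        print(f"{n:>7,} = {decimal_to_digits(n, 16)} (hex)")
    for h in ("ABC", "2D05", "1A20C", "1BAD"):
        print(h, "=", expansion(h, 16))
```

The same two functions cover every base from 2 to 16, which is why hex works as a short-hand for binary: a group of four binary placeholders (8, 4, 2, 1) covers exactly the 0-15 range of one hex placeholder.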
Hands-on Activity
1. Calculate how many bytes are in a 500 GB hard drive.
2. How many bytes are in a 64 MB memory chip?
3. A hard drive has 1 terabyte of data. How many kilobytes is that?

Hands-on Activity Answers
1. Calculate how many bytes are in a 500 GB hard drive.
   500 x 1,000,000,000 = 500,000,000,000 bytes
2. How many bytes are in a 64 MB memory chip?
   64 x 1,000,000 = 64,000,000 bytes
3. A hard drive has 1 terabyte of data. How many kilobytes is that?
   1,000,000,000,000 bytes = 1,000,000,000 kbytes
Hands-on Activity
Your computer just received the following binary message from the keyboard. Translate the message into English.
01001000 01100101 01111001 00101100 00100000 01111001 01101111 01110101 00100111 01110110 01100101 00100000 01101100 01100101 01100110 01110100 00100000 01110100 01101000 01100101 00100000 01000011 01000001 01010000 01010011 00100000 01101100 01101111 01100011 01101011 00100000 01101011 01100101 01111001 00100000 01101111 01101110 00100001
Just kidding!
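Translating the keyboard message is the "Alphabet Soup" slide in reverse: every 8-bit group is one byte, and bytes 0-127 are the ASCII characters (A = 01000001, a = 01100001). The script below is an added example, not code from the slides, that decodes the message above and re-encodes the Aa / Zz pairs; the only input is the bit string copied from the slide, and it rejects anything that is not a proper 8-bit group.

```python
# Added example: 8-bit ASCII decoding/encoding of the slide's binary message.

# The message from the slide, one 8-bit group per character.
MESSAGE_BITS = (
    "01001000 01100101 01111001 00101100 00100000 01111001 01101111 01110101 "
    "00100111 01110110 01100101 00100000 01101100 01100101 01100110 01110100 "
    "00100000 01110100 01101000 01100101 00100000 01000011 01000001 01010000 "
    "01010011 00100000 01101100 01101111 01100011 01101011 00100000 01101011 "
    "01100101 01111001 00100000 01101111 01101110 00100001"
)


def bits_to_text(bit_groups):
    """Each 8-bit group is one byte; its value is the character's ASCII code."""
    chars = []
    for group in bit_groups.split():
        if len(group) != 8 or set(group) - {"0", "1"}:
            raise ValueError(f"not an 8-bit group: {group!r}")
        chars.append(chr(int(group, 2)))    # int(..., 2) does the 128 + 64 + ... + 1 sum
    return "".join(chars)


def text_to_bits(text):
    """Inverse: each character becomes its 8-bit ASCII code, as written on the slide."""
    return " ".join(format(ord(ch), "08b") for ch in text)


if __name__ == "__main__":
    print(bits_to_text(MESSAGE_BITS))
    print("Aa =", text_to_bits("Aa"))
    print("Zz =", text_to_bits("Zz"))
```

Run it to see the message; the same loop is what a hex viewer does when it shows the text column beside the raw bytes of a disk image.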
File Signatures in Hex

File Type   Signature
PDF         25 50 44 46
JPG         FF D8 FF E0
EXE         4D 5A 90 00
DLL         4D 5A 90 00
DOC         D0 CF 11 E0
XLS         D0 CF 11 E0
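A file's leading bytes say what it is regardless of the name it was given, which is why an examiner compares the signature with the extension: a spreadsheet name on a file that begins 4D 5A is worth a second look. The script below is an added example, not code from the slides or from any forensic tool, that does that comparison using the signatures in the table above; the "files" are constructed byte strings so it runs without touching a disk. One caveat the table does not state: the fourth byte of a JPEG varies (E0 is the JFIF marker, E1 the Exif marker) and the 90 00 after 4D 5A is common but not guaranteed, so a production check would match on the shorter prefixes FF D8 FF and 4D 5A; the example keeps the slide's four-byte values.

```python
# Added example: detect extension/signature mismatches with the slide's table.
import os

# Signature bytes from the slide table, keyed by the file types they identify.
SIGNATURES = {
    "PDF": bytes.fromhex("25 50 44 46"),
    "JPG": bytes.fromhex("FF D8 FF E0"),
    "EXE/DLL": bytes.fromhex("4D 5A 90 00"),
    "DOC/XLS": bytes.fromhex("D0 CF 11 E0"),
}

# Which signature type each extension is expected to carry.
EXPECTED_TYPE = {
    ".pdf": "PDF", ".jpg": "JPG", ".jpeg": "JPG",
    ".exe": "EXE/DLL", ".dll": "EXE/DLL",
    ".doc": "DOC/XLS", ".xls": "DOC/XLS",
}

# Constructed sample headers (first few bytes only), not real files.
SAMPLE_FILES = {
    "invoice.pdf": b"%PDF-1.4\n%constructed",
    "photo.jpg": bytes.fromhex("FF D8 FF E0") + b"\x00\x10JFIF",
    "ledger.xls": bytes.fromhex("D0 CF 11 E0 A1 B1 1A E1") + b"\x00" * 8,
    "quarterly.xls": bytes.fromhex("4D 5A 90 00") + b"\x03\x00\x00\x00",  # program header under a spreadsheet name
    "notes.txt": b"plain text, no signature on the slide",
}


def hex_dump(data, n=4):
    """First n bytes written the way the slide does: 'FF D8 FF E0'."""
    return " ".join(f"{b:02X}" for b in data[:n])


def identify(header):
    """Signature type whose bytes begin `header`, or None if no table entry matches."""
    for name, sig in SIGNATURES.items():
        if header.startswith(sig):
            return name
    return None


def check_extension(filename, header):
    """Compare what the extension claims with what the header says."""
    ext = os.path.splitext(filename)[1].lower()
    claimed = EXPECTED_TYPE.get(ext)
    actual = identify(header)
    return {
        "file": filename,
        "header": hex_dump(header),
        "claimed": claimed,
        "actual": actual,
        # Only flag when both sides are known and disagree; unknown types go to manual review.
        "mismatch": claimed is not None and actual is not None and claimed != actual,
    }


def scan(files):
    """Run the check over a {name: leading bytes} mapping; one record per file."""
    return [check_extension(name, data) for name, data in files.items()]


if __name__ == "__main__":
    for rec in scan(SAMPLE_FILES):
        flag = "MISMATCH" if rec["mismatch"] else "ok"
        print(f"{rec['file']:<15} {rec['header']:<12} claims {rec['claimed']!s:<8} "
              f"header says {rec['actual']!s:<8} {flag}")
```

On a real image the same check is run over every file's first bytes, and the files with no recognised signature are as interesting as the mismatches, since the table only covers a handful of types.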