Grover Kearns, Ph.D., CPA, CFE, CITP
Computer Forensics for Accountants: Additional Materials (46 slides)

Posted: 12-Feb-2016

TRANSCRIPT (PowerPoint presentation)

Page 1: Grover Kearns, Ph.D., CPA, CFE, CITP

Grover Kearns, Ph.D., CPA, CFE, CITP

Computer Forensics for Accountants

Additional Materials

1

Page 2: Grover Kearns, Ph.D., CPA, CFE, CITP

File Signatures in Hex

File Type   Signature (first bytes of the file, in hex)
PDF         25 50 44 46
JPG         FF D8 FF E0
EXE         4D 5A 90 00
DLL         4D 5A 90 00
DOC         D0 CF 11 E0
XLS         D0 CF 11 E0

Page 3: Grover Kearns, Ph.D., CPA, CFE, CITP

Corrupt the File: Shift Left or Right

Hex editors allow you to shift bits right or left.

Result? The file looks like garbage. To view the file, reverse the process.

Page 4: Grover Kearns, Ph.D., CPA, CFE, CITP

Beat File Signature Analysis

Anti-forensic approach to stop EnCase and similar tools from identifying file types:

Change the file extension.

Use a hex editor to alter the file signature (e.g., MZ for executable files).

Page 5: Grover Kearns, Ph.D., CPA, CFE, CITP

Hide Files in Open Sight

First, change the file signature.

Second, change the file extension.

Example: plan.doc becomes plan.jpg

Page 6: Grover Kearns, Ph.D., CPA, CFE, CITP

In the hex editor, the hex values 42 4D are the signature for a bitmap file. These can easily be changed to another value, such as D0 CF 11 E0 for a .doc file.
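The following is an added example, not code from the slides and not EnCase's or any hex editor's code. It turns the signature table from slide 2 (plus the bitmap signature from slide 6) into a checker that an examiner can run over files: it reports when a file's magic bytes disagree with its extension (the renamed plan.doc of slide 5, or a signature edited as on slide 6 when the new bytes are themselves a known type) and, when no signature is recognised at all, tries to undo a bit shift of 1 to 7 positions in either direction (slide 3). Two assumptions: the editor's shift is modelled as a rotation of the whole buffer so that it is exactly reversible, and EXE/DLL are matched on the two bytes "MZ" (4D 5A) only, because the 90 00 shown on the slide is typical of many executables but is not part of the signature. The sample inputs are constructed.

```python
import os

# Signature table from slides 2 and 6, as extension -> magic prefix (assumption:
# EXE/DLL are matched on "MZ" alone, since the 90 00 that follows varies).
SIGNATURES = {
    ".pdf": bytes.fromhex("25504446"),
    ".jpg": bytes.fromhex("FFD8FFE0"),
    ".exe": bytes.fromhex("4D5A"),
    ".dll": bytes.fromhex("4D5A"),
    ".doc": bytes.fromhex("D0CF11E0"),
    ".xls": bytes.fromhex("D0CF11E0"),
    ".bmp": bytes.fromhex("424D"),
}


def identify(data: bytes) -> set:
    """Every extension whose signature matches the start of `data`.
    A set, because EXE/DLL and DOC/XLS share their signatures."""
    return {ext for ext, magic in SIGNATURES.items() if data.startswith(magic)}


def shift_bits(data: bytes, amount: int) -> bytes:
    """Rotate the whole buffer left by `amount` bits (negative rotates right).
    Assumption: the hex editor's shift from slide 3 is modelled as a rotation,
    so shift_bits(x, -n) exactly undoes shift_bits(x, n)."""
    nbits = len(data) * 8
    if nbits == 0:
        return data
    amount %= nbits
    value = int.from_bytes(data, "big")
    mask = (1 << nbits) - 1
    rotated = ((value << amount) | (value >> (nbits - amount))) & mask
    return rotated.to_bytes(len(data), "big")


def check_bytes(data: bytes, ext: str) -> dict:
    """Compare a file's content with the type its extension claims.
    verdict: 'match'; 'mismatch' (extension claims another known type);
    'shifted:n' (undoing a rotation of n bits exposes a known signature);
    'unknown' (nothing recognised, with or without a shift)."""
    ext = ext.lower()
    found = identify(data)
    if found:
        return {"ext": ext, "types": sorted(found),
                "verdict": "match" if ext in found else "mismatch"}
    for n in range(1, 8):
        for undo in (n, -n):          # try reversing a right shift, then a left shift
            recovered = identify(shift_bits(data, undo))
            if recovered:
                return {"ext": ext, "types": sorted(recovered),
                        "verdict": "shifted:%d" % -undo}
    return {"ext": ext, "types": [], "verdict": "unknown"}


def check_file(path: str) -> dict:
    """Read a (small) file from disk and run check_bytes on it."""
    with open(path, "rb") as fh:
        return check_bytes(fh.read(), os.path.splitext(path)[1])


if __name__ == "__main__":
    # Constructed samples: a PDF header, a DOC signature under a .jpg name
    # (slide 5), and the same PDF rotated 3 bits to the left (slide 3).
    pdf = bytes.fromhex("25504446") + b"-1.4 constructed sample"
    print(check_bytes(pdf, ".pdf"))                                      # match
    print(check_bytes(bytes.fromhex("D0CF11E0") + b"\x00" * 8, ".jpg"))  # mismatch
    print(check_bytes(shift_bits(pdf, 3), ".pdf"))                       # shifted:3
```

The shift recovery only works on the whole buffer because a rotation moves bits from the end of the file to its start; on large evidence files a real tool would read the first and last few bytes rather than the whole file. A 'mismatch' or 'shifted' verdict is a lead for the examiner, not proof of intent: renamed files also arise from ordinary user mistakes.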

Page 7: Grover Kearns, Ph.D., CPA, CFE, CITP

Hibernate Mode

Page 8: Grover Kearns, Ph.D., CPA, CFE, CITP

Hibernate or Sleep?


Page 9: Grover Kearns, Ph.D., CPA, CFE, CITP

Hibernate or Sleep?


Page 10: Grover Kearns, Ph.D., CPA, CFE, CITP

Timestomp.exe

Freeware that allows time stamps to be altered. This code will change the file creation to 10/8/2005.

timestomp.exe c:\test.txt -z "Saturday 10/08/2005 2:02:02 PM"
timestomp.exe c:\test.txt -a "Saturday 10/08/2005 2:02:02 PM"
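An added example from the examiner's side, not part of the slides and not timestomp's code: a screening script for timestamps that may have been altered by a tool like the one above. It rests on two stated assumptions. First, a tool that takes the new time as text with second precision, as the timestomp command line does, leaves the sub-second part of every timestamp it writes at zero, which ordinary file activity on a filesystem with fine-grained timestamps almost never does. Second, nothing legitimate is dated after the moment the evidence was collected. Both are heuristics that flag files for closer review (files copied from FAT media or a filesystem with one-second resolution also carry whole-second timestamps); neither is proof of tampering. The sample files are constructed in a temporary directory.

```python
import os
import tempfile
import time

NS_PER_SEC = 1_000_000_000


def timestamp_findings(stamps: dict, now_ns: int) -> list:
    """Screen one file's timestamps (name -> nanoseconds since the epoch).
    Heuristic 1 (assumption): a second-precision tool leaves the sub-second
    part of the timestamps it can set (modified, accessed) at zero.
    Heuristic 2 (assumption): no legitimate timestamp lies after now_ns,
    the collection time."""
    findings = []
    settable = [k for k in ("modified", "accessed") if k in stamps]
    if settable and all(stamps[k] % NS_PER_SEC == 0 for k in settable):
        findings.append("whole-second timestamps (sub-second part is zero)")
    for name, value in stamps.items():
        if value > now_ns:
            findings.append("%s time lies in the future" % name)
    return findings


def review_file(path: str, now_ns: int = None) -> list:
    """Run the heuristics over a real file's stat() values. st_ctime is the
    metadata-change time on POSIX systems and cannot be set with utime."""
    st = os.stat(path)
    stamps = {"modified": st.st_mtime_ns, "accessed": st.st_atime_ns,
              "changed": st.st_ctime_ns}
    return timestamp_findings(stamps, time.time_ns() if now_ns is None else now_ns)


def demo() -> dict:
    """Constructed sample: one file whose modified/accessed times are set to
    10/08/2005 2:02:02 PM as whole seconds (what a second-precision tool
    would leave behind), one left with fractional timestamps."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        stomped = os.path.join(tmp, "test.txt")
        with open(stomped, "w") as fh:
            fh.write("constructed sample\n")
        target = int(time.mktime((2005, 10, 8, 14, 2, 2, 0, 0, -1))) * NS_PER_SEC
        os.utime(stomped, ns=(target, target))
        results["stomped"] = review_file(stomped)

        normal = os.path.join(tmp, "normal.txt")
        with open(normal, "w") as fh:
            fh.write("constructed sample\n")
        now = time.time_ns()
        os.utime(normal, ns=(now + 123, now + 456))  # fractional, in the past once read
        results["normal"] = review_file(normal)
    return results


if __name__ == "__main__":
    for name, findings in demo().items():
        print(name, "->", findings or "nothing flagged")
```

On a filesystem that only stores whole seconds the first heuristic flags every file and tells you nothing; check the resolution of the evidence filesystem before relying on it. A finding should be corroborated with other sources (file system journals, backups, application logs) before any conclusion about the file's history is drawn.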

Page 11: Grover Kearns, Ph.D., CPA, CFE, CITP


Page 12: Grover Kearns, Ph.D., CPA, CFE, CITP

Changing Time Stamp


Page 13: Grover Kearns, Ph.D., CPA, CFE, CITP

Computers are Obedient – They Do What They are Told

Everything is represented in 1's and 0's.

The bytes are interpreted according to user instructions.

The bytes may represent numbers, dates, text, colors, sounds, etc.

Representation may also depend on hardware such as audio cards, video cards, etc.

Page 14: Grover Kearns, Ph.D., CPA, CFE, CITP

Dates in Excel

DATE                           Number
Sunday, January 01, 1900            1
Monday, June 10, 2013          41,435
Tuesday, June 11, 2013         41,436
Wednesday, June 12, 2013       41,437

Page 15: Grover Kearns, Ph.D., CPA, CFE, CITP

Obfuscation: Simple Hiding Technique

Date          Amount
11/25/2001    $  37,220
3/15/2023     $  45,000
5/24/2002     $  37,400
8/29/1953     $  19,600
2/10/2140     $  87,700
8/20/2088     $  68,900
2/18/1982     $  30,000
1/23/2792     $ 325,820
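An added example, not from the slides: Python that converts between Excel serial numbers and calendar dates (slide 14) and then applies the conversion to the eight cells on slide 15. Every "date" on that slide is the dollar amount beside it stored as a plain number and displayed with a date format, which is the hiding technique the slide title refers to; converting the displayed date back to its serial recovers the amount. The code also includes Excel's known quirk of counting a non-existent 29 February 1900 as serial 60 (the reason Excel shows 1 January 1900 as a Sunday although it was a Monday). The cell list is constructed from the slide, and the `max_year` threshold used for the quick screen is an assumption.

```python
from datetime import date, timedelta

# Excel's 1900 date system (slide 14): serial 1 is 1 January 1900. Excel also
# counts a fictitious 29 February 1900 as serial 60, so from serial 61 onward
# the count runs one day ahead of the real calendar.
_DAY_ZERO = date(1899, 12, 31)


def serial_to_date(serial: int) -> date:
    """Excel serial number -> calendar date (1900 date system)."""
    if serial < 1:
        raise ValueError("Excel serials start at 1")
    if serial == 60:
        raise ValueError("serial 60 is Excel's fictitious 29 Feb 1900")
    return _DAY_ZERO + timedelta(days=serial if serial < 60 else serial - 1)


def date_to_serial(d: date) -> int:
    """Calendar date -> Excel serial number (1900 date system)."""
    days = (d - _DAY_ZERO).days
    if days < 1:
        raise ValueError("dates before 1 Jan 1900 have no serial in this system")
    return days if days < 60 else days + 1


def parse_us_date(text: str) -> date:
    """Parse the M/D/YYYY form used on the slides."""
    month, day, year = (int(part) for part in text.strip().split("/"))
    return date(year, month, day)


def hidden_amount(cell_text: str) -> int:
    """The number actually stored in a cell that displays as `cell_text`:
    a cell holding 37220 with a date format shows 11/25/2001 (slide 15)."""
    return date_to_serial(parse_us_date(cell_text))


def reveal_amounts(cells) -> list:
    """Recover the stored number behind every date-formatted cell."""
    return [hidden_amount(c) for c in cells]


def implausible_dates(cells, max_year: int) -> list:
    """Cheap screen: cells whose displayed year exceeds `max_year` (assumed
    threshold). Three of the slide's cells are centuries in the future; the
    serial check above is the definitive test when ledger amounts are known."""
    return [c for c in cells if parse_us_date(c).year > max_year]


# The eight date cells from slide 15, constructed here as sample input.
SLIDE_15_CELLS = ["11/25/2001", "3/15/2023", "5/24/2002", "8/29/1953",
                  "2/10/2140", "8/20/2088", "2/18/1982", "1/23/2792"]

if __name__ == "__main__":
    for cell, amount in zip(SLIDE_15_CELLS, reveal_amounts(SLIDE_15_CELLS)):
        print("%-10s -> %7d" % (cell, amount))
    print("implausible years:", implausible_dates(SLIDE_15_CELLS, max_year=2030))
```

The same idea applies to any cell whose displayed form hides the stored value (number formats, custom formats, white text): inspect the underlying value, not the rendering. Note that the 3/15/2023 cell passes the year screen even though it is an amount, so the screen only narrows the search.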

Page 16: Grover Kearns, Ph.D., CPA, CFE, CITP

Assumed Trust


Page 17: Grover Kearns, Ph.D., CPA, CFE, CITP

Top 10 Social Networking Websites

1. Facebook
2. YouTube
3. Twitter
4. Squidoo
5. Hubpages
6. MySpace
7. LinkedIn
8. Classmates
9. Xanga
10. Weebly

Page 18: Grover Kearns, Ph.D., CPA, CFE, CITP

Facebook – Can You Do This?

My middle name __________, my age ___, my favorite soda _______, my birthday ___/___/___, who's the love of my life ______, my best friend _____, my favorite color ______, my eye color _______, my hair color ______, my favorite food ________ and my mom's name __________. Put this as your status and see who knows you best.

Page 19: Grover Kearns, Ph.D., CPA, CFE, CITP


Page 20: Grover Kearns, Ph.D., CPA, CFE, CITP

Your friend [Name here] just answered a question about you!

Was it possible that an old friend answered a question about me that I needed to "unlock?" Absolutely.

When you click on the link, the next screen should give you pause: 21 Questions is requesting permission to ... (a) access your name, profile picture, gender, networks, user ID, friends and any other information shared with everyone ... (b) send you email ... (c) post to your wall ... and ... (d) access your data any time ... regardless of whether or not you're using their application.


Page 21: Grover Kearns, Ph.D., CPA, CFE, CITP

Look at the video I found of you! LOL.


Big Problems in One Click

Page 22: Grover Kearns, Ph.D., CPA, CFE, CITP

We’re Stuck! (and 5 Things Never to Post)

You or Your Family's Full Birth Dates
Your Relationship Status
Your Current Location
The Fact That You Are Home Alone
Pictures of Your Kids Tagged With Their Names

Page 23: Grover Kearns, Ph.D., CPA, CFE, CITP

Secret Crush


Page 24: Grover Kearns, Ph.D., CPA, CFE, CITP

Meet Sophie Draufster

Born on Facebook and LinkedIn in 2010
Purpose: Social engineering of executives at large consulting firms
Facebook Friends: 105
LinkedIn Requests: 133
Divulging of PII: 73
Date Requests: 33

Page 25: Grover Kearns, Ph.D., CPA, CFE, CITP

Spear Phishing

Like phishing, but targeted to a specific person or group using personalized information that lends credibility.

Typically diverts to a spoofed web page requesting PII, card numbers, etc.

May request clicking a link that downloads malware.

Page 26: Grover Kearns, Ph.D., CPA, CFE, CITP

Linked-In and Spearphishing

Cybercriminals data-mine LinkedIn for information about companies and employees. That information is used to launch spearphishing attacks. Corporate directories also exist online, providing a wealth of information for spearphishers.

Malicious LinkedIn invitation reminders redirect you to a web page that installs malware onto your computer. If you click, hackers can potentially steal your confidential data.

Page 27: Grover Kearns, Ph.D., CPA, CFE, CITP

Top 5 Social Media Security Threats

Lack of a social media policy
Your employees
Social networking sites
Social engineering
Mobile apps

Page 28: Grover Kearns, Ph.D., CPA, CFE, CITP

Should We Block SN Sites?

“Allowing access to social network sites influences user behavior in a way that increases corporate risk.” Chris Poulin, Chief Security Officer at Q1 Labs

“There is no need to block access to social network sites. The risks can be easily addressed and the downsides of blocking are greater than potential problems.” Shel Holtz, Principal of Holtz Communication + Technology

One study shows 54% of U.S. companies restrict employees from visiting sites like Facebook, Twitter and LinkedIn.

Page 29: Grover Kearns, Ph.D., CPA, CFE, CITP

Social Networking Headlines

Hackers hijack Obama's, Britney's Twitter accounts
Twitter wrestles with multiple worm attacks
Phishers, viruses target Facebook users
Twitter/Google Apps hack raises questions about cloud security
High-profile organizations ban Facebook, Twitter
Twitter victimized by distributed denial-of-service attack
Facebook shuts down Beacon program, donates $9.5 million to settle lawsuit
Facebook unveils controversial new privacy settings

Page 30: Grover Kearns, Ph.D., CPA, CFE, CITP

Seven Most Lethal Social Networks Hacks

1. Impersonation and targeted personal attacks
2. Spam and bot infections
3. Weaponized OpenSocial and other social networking applications
4. Crossover of personal to professional online presence
5. XSS, CSRF attacks
6. Identity theft
7. Corporate espionage

Page 31: Grover Kearns, Ph.D., CPA, CFE, CITP

Common Social Media Policies

Be transparent
Be connected
Be thoughtful
Strive for accuracy
Do not mix personal with business
Think twice before posting

Page 32: Grover Kearns, Ph.D., CPA, CFE, CITP

Social Networking Policy

“Employees are forbidden from using social networks to post or display comments about co-workers, supervisors that are vulgar, obscene, threatening, harassing, or a violation of Company XYZ’s policies on discrimination or harassment.”

“Employees may not use social networks to disclose any confidential or proprietary information about Company XYZ or its employees, customers or business partners.”

“Employees should refrain from speaking on behalf of Company XYZ when not authorized.”

Page 33: Grover Kearns, Ph.D., CPA, CFE, CITP

Social Networking Policy (cont.)

Display a warning banner on all systems

Policy should state that company has right to inspect all computers on-site at will without notice

Policy should include employee’s own computer, cell phone, briefcase, purses, etc.


Page 34: Grover Kearns, Ph.D., CPA, CFE, CITP


Page 35: Grover Kearns, Ph.D., CPA, CFE, CITP

Are Passwords Effective?

Not always. Strong passwords are difficult to impossible to crack.

Social engineering attacks are effective against strong passwords.

Companies should have and enforce a strong password policy.

Companies should train employees to recognize social engineering attacks.

Page 36: Grover Kearns, Ph.D., CPA, CFE, CITP

Online Information About You

Name(s)
Address
Phone
Birthdate
Spouse
Children
High School
Workplace
Education
Relatives' Names
Pets' Names
Criminal History
Email Address
SSN (?)

Page 37: Grover Kearns, Ph.D., CPA, CFE, CITP

Card Readers: Is Your PII Safe?

Source: Guide to Computer Forensics and Investigations

SIM
SD
Smart Card
Mag Stripe

Page 38: Grover Kearns, Ph.D., CPA, CFE, CITP


Page 39: Grover Kearns, Ph.D., CPA, CFE, CITP


Page 40: Grover Kearns, Ph.D., CPA, CFE, CITP


Page 41: Grover Kearns, Ph.D., CPA, CFE, CITP


Not on Windows 8!

Page 42: Grover Kearns, Ph.D., CPA, CFE, CITP


Bring your system back from the dead!

Page 43: Grover Kearns, Ph.D., CPA, CFE, CITP

Next …

More hacks and theft of PII and IP
Social engineering combined with hacks
Office 2013 safer
BYOD
Cloud Computing
XBRL
Need for extensive employee training

Page 44: Grover Kearns, Ph.D., CPA, CFE, CITP

Even reasonably intelligent people make mistakes!

Page 45: Grover Kearns, Ph.D., CPA, CFE, CITP

Even reasonably intelligent people make mistakes!

How much will those mistakes cost your organization?

Page 46: Grover Kearns, Ph.D., CPA, CFE, CITP

Grover Kearns, Ph.D., CPA, CFE, CITP
Gregory, Sharer & Stuart Term Professor in Forensic Accounting

[email protected]