1 Grover S. Kearns, Ph.D., CPA, CFE The Accounting Sleuth: What’s New in Computer Forensics.
Definitions
Information technology forensics - all the sciences and technical disciplines combined to allow the examination of materials that contain information (computers, networks, electronic devices, etc.) to assist an investigation and, eventually, present evidence for a trial. (European Network of Forensic Science Institutes)
Sleuth – to track or follow (Old Norse)
Use of Computer Forensics
Find and recover information apparently lost in deleted files
Search all corners of a hard disk for suspect data
Print out computer evidence and present it in court
Write the reports to support a case
Testify as experts and help to prove the facts
Types of Computer Abuse
Theft of intellectual property
Employment disputes
Destruction of/misappropriation of data
Alteration of data, alteration/misuse of programs
Use of unlicensed software
Unauthorized access to a computer system
Unauthorized use of a company's computer for private gain
Unofficial access to confidential data
Accountants' Role in Computer Forensics
Uncovering and analyzing electronic evidence in all digital devices to support legal/regulatory inquiry
Proactively using software and digital devices to ascertain data anomalies and/or trends that require supervisory attention
Support audits
Investigative Options
Ask for assistance from law enforcement
Hire a forensics specialist
Train an in-house incident response team and CERT (computer emergency response team)
Investigative Options (cont.)
Ask for assistance from law enforcement
Law enforcement rarely trained to deal with computer based fraud or forensics
FBI has regional forensic labs but interested only in high $ or high exposure cases
Lose control of investigation
Very time consuming
May not result in a prosecution
May not result in restoration of lost resources
Investigative Options (cont.)
Hire a forensics specialist
May provide needed expertise for consultation
May be costly if not controlled
Can be time-consuming
Response time lag may cost further loss
Investigative Options (cont.)
Train an in-house incident response team and computer emergency response team (CERT)
Faster response
A response plan is in place
Agents are familiar with the environment
May be the most effective and least costly approach
Can be combined with other approaches
Types of Computer Crime
Hacking
Theft of Intellectual Property
Theft of PII
Phishing and Pharming
Identity Theft
Cyberstalking
Viruses
Email Image Spams
Botnets infect up to 10% of all computers
Image spams allow emails to avoid filters
Popular spam – enticing readers to buy a cheap stock in a pump and dump
Cyberstalking Kay Scarpetta
Leslie Sachs alleged on his website that author Patricia Cornwell was a "Jew hater" and "neo Nazi".
Court appointed psychiatrist labeled the action as cyberstalking.
Cornwell said in court “Someone should not be able to run away from the consequences of their despicable behavior.”
Said her lawsuit would help prevent future occurrences.
The Italian Job
Infected more than 10,000 web pages on popular websites including travel agents, hotels, charities and government departments.
Most are in Italy, but also Spain and the US.
Eastern European based, using a $500 kit.
Downloads a keylogger to steal identities.
Cell Phone Evidence 101
Calendars/schedules
Call logs – incoming/outgoing
Text messages
Contact lists
Photos
Email
GPS
Notepad
Internet history
Wallpaper
Cell Phone Seizures
Document all actions
Observe power status
If OFF, leave OFF
If ON, isolate immediately – Faraday bag, Reynolds wrap, paint can, Faraday tent
SIM and SD Cards
SD holds photos – can be upgraded
SIM identifies phone and owner and can be changed
BlackBerry and iPhone Remote Protection
The Remote Wipe Reset to Factory Defaults IT policy rule specifies whether a BlackBerry® device resets to the default settings when it receives the Erase Data and Disable Handheld IT administration command over a wireless network. The default value is False; change it to True.
If your iPhone is stolen or lost, login to www.me.com/account to access Find My iPhone.
You can remotely wipe out your personal data permanently and restore the iPhone to its factory settings.
Surveillance Tools
Pen mike $190
Cam video recorder $130
Micro cam $49
Car remote DVR $130
www.dynaspy.com
Anti-Surveillance Tools
Audio Jammer $170
Spycam Finder $110
HF Bug Detector $110
Wire-tap Detector $295
www.spygear4u.com
Private Eye and Chameleon
Facial recognition
Spots shoulder surfers
Distorts screen except for authorized user
Eliminates need for passwords
Monitors can be installed to recognize authorized employees
Keyword Search and E-Discovery
E-discovery and document review expensive
Cost associated with heavy reliance on human review
Search solutions were not built with e-discovery in mind
Majority of companies do not have an effective retention or archiving plan for electronic documents
Sedona ESI Framework
Sedona Conference - White papers on keyword searches and electronic stored information (ESI)
Keyword list can cut costs substantially
Most searches turn up a small percent of relevant documents and miss many critical documents
Risks for both under and over inclusive terms
Sedona framework provides higher quality and lower costs
ESI Retention Policy
Must comply with SOX and be scrutinized by legal
Categorize documents by type and retention period
Use different archival methods
Software can provide for efficient retrieval
Train employees to policy
E-Mail Retention Policy
Federal Rules of Civil Procedure, industry regulations and internal policies all influence which emails should be archived.
Safe harbor in eDiscovery rests in an organization adhering to its policies and procedures that guide the destruction of its email data.
Not all e-mails are the same: Set archive categories by nature of email.
Adopt a policy and do not vary from it.
Encryption
Message Integrity – the message has not been altered; guaranteed by encryption
Authentication – the message is indeed from the stated sender; guaranteed by a digital signature
Two key systems: Symmetric and Asymmetric
Session Key (Symmetric)
A symmetric key is faster but easier to break. The public key protects it in transit.
Session Key is Protected
The session key (symmetric) is encrypted by a private key and decrypted with the public key. The stronger asymmetric keys protect it.
By hashing the original message, a message digest is created. A digital signature is created by encrypting the message digest.
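An added illustration of the two slides above, written for this page and not taken from the presentation: the message digest is signed with the sender's private exponent and checked with the public one, and the symmetric session key is wrapped with the recipient's public key so that only the matching private key can recover it (that is the direction that keeps the key secret). The key pair is a constructed toy built from two Mersenne primes so the code runs with the standard library alone; a real RSA key uses secret random primes of 1024 bits or more.

```python
import hashlib
import secrets

# Toy RSA key from two known Mersenne primes (constructed for illustration;
# trivially factorable, never use such a key). A real key uses secret,
# randomly generated primes; the arithmetic below is unchanged.
P, Q = (1 << 31) - 1, (1 << 61) - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent (Python 3.8+)

def message_digest(message: bytes) -> int:
    """Hash the message (SHA-256) and reduce it into the key's number space."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % N

def sign(message: bytes, d: int = D) -> int:
    """Signature = the digest 'encrypted' with the sender's private exponent."""
    return pow(message_digest(message), d, N)

def verify(message: bytes, signature: int, e: int = E) -> bool:
    """Recover the digest with the public exponent; compare to a fresh hash."""
    return pow(signature, e, N) == message_digest(message)

def wrap_session_key(session_key: int, e: int = E) -> int:
    """Protect the symmetric session key with the recipient's PUBLIC key."""
    assert 0 < session_key < N
    return pow(session_key, e, N)

def unwrap_session_key(wrapped: int, d: int = D) -> int:
    """Only the holder of the matching PRIVATE key can recover it."""
    return pow(wrapped, d, N)

# Constructed demonstration values.
MESSAGE = b"Wire $48,250.00 to vendor 5612 on 2006-10-01"
TAMPERED = b"Wire $84,250.00 to vendor 5612 on 2006-10-01"
SESSION_KEY = secrets.randbits(64) | 1   # 64-bit so it fits below the toy N

def demo() -> dict:
    sig = sign(MESSAGE)
    return {
        "genuine_verifies": verify(MESSAGE, sig),        # True
        "tampered_verifies": verify(TAMPERED, sig),      # False: digest changed
        "session_key_round_trip": unwrap_session_key(wrap_session_key(SESSION_KEY)) == SESSION_KEY,
    }
```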
Data in Transit and at Rest
SSL (Secure Sockets Layer) is a public key system that is commonly used for online transactions. It only encrypts data in transit.
Over 50% of all stored data is unencrypted and vulnerable.
All PII should be encrypted. Software can offer full disk encryption.
TrueCrypt
Encrypts an entire partition or storage device such as USB flash drive or hard drive.
Encryption is automatic, real-time (on-the-fly) and transparent.
Parallelization and pipelining allow data to be read and written as fast as if the drive were not encrypted.
Cost of Poor Retention Policy
The judge could …
instruct the jury to infer that the record(s) destroyed contained information unfavorable to your company;
order your company to pay the cost of restoring any archival media on which a lost record is stored, plus reasonable litigation expenses incurred by your opponent in filing a motion for discovery and production of the record.
Redacted E-mail and Privacy
Deleted information may be recoverable from electronic documents
Policy should be specific as to what information must be deleted before issuing to a third party
Covered by federal laws and regulations
Software available to filter and delete
Top Business/Technology Issues Survey Results
Regulatory compliance
Enterprise-based IT management and IT governance
Information security management
Disaster recovery/business continuity
IT value management
Challenges of managing IT risks
Compliance with financial reporting standards
AICPA Top 10 Technology Initiatives
Information Security Management
Privacy Management
Secure Data File Storage, Transmission and Exchange
Business Process Improvement
Mobile and Remote Computing
Training and Competency
Identity and Access Management
Application and Data Integration
Knowledge Management
Electronic Data Retention Strategy
Federal Rules of Evidence and Digital Data
Challenges presented in the FRE by digital evidence are due to the following differences:
Degradation: Even a minute change to an electronic document may make it inadmissible.
Ownership: It can be difficult to prove authorship of digital documents.
Original Documents: Given two digital documents, you cannot distinguish the original from a copy.
Reinterpretation of FRE
Authenticity
1) Whether the computer-generated or computer-stored records were altered, manipulated or damaged after they were created;
2) The reliability of the computer program that generated the computer record; and
3) The reliability of the identity of the author.
Best Evidence Rule
1) Must ensure an accurate and complete data acquisition;
2) Must meet Daubert Standards
Daubert Standards
1) Theory or technique utilized must have been tested and that test must be replicable.
2) Theory or technique must have been subject to peer review and publication.
3) Error rate associated with the technique must be known.
4) Theory or technique must enjoy general acceptance within the scientific community.
New Federal Rules of Civil Procedure
Scope of Discovery – exhaustive search for all electronically stored information
Early Review and Production
Native Production – native format with metadata intact
Increased Sanctions – Serra Chevrolet, Inc. v. General Motors, $50k/day
Audit Command Language
ACL is the market leader in computer-assisted audit technology and is an established forensics tool.
Clientele includes … 70 percent of the Fortune 500 companies, over two-thirds of the Global 500, and the Big Four public accounting firms
Audit Command Language
ACL is a computer data extraction and analytical audit tool with audit capabilities …
Statistics
Duplicates and Gaps
Stratify, Classify and Categorize
Sampling
Benford Analysis
How ACL Can Assist Research
Import data files of different formats
Data cleansing – eliminate leading, trailing, embedded characters, etc.
Data field definition – field type, length
Check for missing data
Locate specific data items
Validation of data set
Cleansing Data
What you see … 1239 1239 1239
What the computer sees…
10011010111
100110101110000
00100110101110
Data imported with leading or trailing blanks may appear to be the same to the user but not to the computer. Data fields must be harmonized. Data types (number, text, date) must be the same and field length must be the same.
The computer will not match these fields!
Easy command to harmonize:
Substr(Alltrim(Codes), 1, 11)
MATCH( )
Compares an expression or field value of any type to a series of specified expressions or field values to determine whether there is at least one match.
MATCH(CODE, "123" ) Returns all records in field CODE that begin "123".
MATCH(LOC,"01","02","22") Returns all records in field LOC that begin with "01","02","22".
BETWEEN( )
BETWEEN(value,min,max) or BETWEEN(value,max,min)
To return all records with values in CODE between 5000 and 5999 inclusive:
BETWEEN(ALLTRIM(CODE), "5000","5999")
To return all records with dates in field DATE between Oct. 1, 2006 and Dec. 31, 2006:
BETWEEN(DATE, `20061001`, `20061231`)
CLEAN( )
Searches for any invalid characters in a string and replaces them and all subsequent characters with blanks.
CLEAN(string <,extra_invalid_characters>)
CLEAN("ABC%DEF","%") = "ABC    "
In the following example, # represents invalid character data:
CLEAN("DOE, JOHN##102891231") = "DOE, JOHN           "
EXCLUDE()
Returns a variable length string, excluding characters that you specify from the result.
EXCLUDE(string, characters_to_exclude)
EXCLUDE("123 any street","0123456789") = " any street"
To remove a forward slash and a number sign from the Prodno field, specify:
EXCLUDE(Prodno,"/#")
INCLUDE( )
Returns a variable length string, including only specified characters in the result.
INCLUDE(string,characters_to_include)
INCLUDE("123 any street","0123456789") = "123"
INCLUDE(Prodno,"123456789")
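The "Cleansing Data" slide and the ACL function slides above, as an added example written for this page rather than ACL's own code: Python stand-ins for ALLTRIM, SUBSTR, MATCH, BETWEEN, CLEAN, EXCLUDE and INCLUDE with the semantics the slides describe (MATCH as "begins with"; CLEAN treating control characters plus any caller-supplied characters as invalid, which is an assumption), applied to constructed field values that only compare equal once harmonized.

```python
# Python stand-ins for the ACL expression functions on these slides (ALLTRIM,
# SUBSTR, MATCH, BETWEEN, CLEAN, EXCLUDE, INCLUDE). Illustrative only, not ACL's
# own code: semantics follow the slide text, including MATCH as "begins with".

def alltrim(value: str) -> str:
    return value.strip(" ")                      # drop leading/trailing blanks

def substr(value: str, start: int, length: int) -> str:
    return value[start - 1:start - 1 + length]   # ACL SUBSTR is 1-based

def harmonize(code: str, width: int = 11) -> str:
    """The slide's Substr(Alltrim(Codes), 1, 11)."""
    return substr(alltrim(code), 1, width)

def match(value: str, *tests: str) -> bool:
    """True if the field value begins with any of the test values."""
    return any(value.startswith(t) for t in tests)

def between(value: str, bound1: str, bound2: str) -> bool:
    """Inclusive range test; the bounds may be given in either order."""
    low, high = sorted((bound1, bound2))
    return low <= value <= high

def clean(value: str, extra_invalid: str = "") -> str:
    """Blank out the first invalid character and everything after it, keeping
    the field length. Invalid = control characters plus extra_invalid (assumed)."""
    for i, ch in enumerate(value):
        if ch in extra_invalid or ord(ch) < 32 or ord(ch) == 127:
            return value[:i] + " " * (len(value) - i)
    return value

def exclude(value: str, chars: str) -> str:
    return "".join(ch for ch in value if ch not in chars)

def include(value: str, chars: str) -> str:
    return "".join(ch for ch in value if ch in chars)

# Constructed field values: the same code with different padding, as on the
# "Cleansing Data" slide. They only compare equal after harmonizing.
RAW_CODES = ["1239", " 1239", "1239  "]

def distinct_values(codes=RAW_CODES, harmonized: bool = False) -> int:
    values = [harmonize(c) if harmonized else c for c in codes]
    return len(set(values))                      # 3 raw, 1 harmonized
```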
Benford Analysis
States that the leading digit in some numerical series follows an exponential rather than a normal distribution
Applies to a wide variety of figures: financial results, electricity bills, street addresses, stock prices, population numbers, death rates, lengths of rivers
Leading Digit   Probability
1               30.1 %
2               17.6 %
3               12.5 %
4                9.7 %
5                7.9 %
6                6.7 %
7                5.8 %
8                5.1 %
9                4.6 %
Small Business Owner Example
Small business owner expanded his one-store family-owned business into a four-store chain
Had to relinquish some hands-on control with the expansion
Concerned about bookkeeping errors or possibility of fraud
Owner used an Excel program based on Benford's Law to analyze the store's disbursement data
SBO Example – 1st Digits Test
[Chart: rate by leading digit 1–9, Benford expected vs. sample]
SBO Example – 2nd Digits Test
[Chart: rate by second digit 0–9, Benford expected vs. sample]
SBO Example – First Two Digits Test
[Chart: rate by two-digit pair 10–99, Benford expected vs. sample]
Small Business Owner Example
Benford's Law Analysis
First Digits Test: digits 5, 6, & 7 appear much more than expected, while the digit 1 appeared much less than expected
Second Digits Test: again, the digits 6 & 7 appear much more often than expected, and 0 did not occur at all
Small Business Owner Example
Benford's Law Analysis (cont.)
First Two-Digits Test: 56 & 67 are the two-digit combinations that appear more frequently than expected
Owner pulled a sample of disbursements starting with the 56 & 67 sequences
Discovered payments to an unfamiliar vendor
Additional investigation revealed the vendor did not exist – payments were going to a personal account
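An added worked version of the three tests the owner ran (first digit, second digit, first two digits), written for this page and not taken from the owner's Excel workbook: expected rates come from Benford's formula, and the disbursement amounts are constructed, a Benford-conforming baseline plus injected payments to a fictitious vendor whose amounts all begin with 56.

```python
import math
from collections import Counter

# Added illustration of the three Benford tests on the slides (first digit,
# second digit, first two digits). Not the owner's Excel workbook: expected
# rates come from Benford's formula P(d) = log10(1 + 1/d).

def benford_expected(position: int) -> dict:
    """Expected rate per digit (position 1 or 2) or per two-digit pair (12)."""
    if position == 1:
        return {d: math.log10(1 + 1 / d) for d in range(1, 10)}
    if position == 12:
        return {p: math.log10(1 + 1 / p) for p in range(10, 100)}
    if position == 2:   # sum over every possible first digit
        return {d2: sum(math.log10(1 + 1 / (10 * d1 + d2)) for d1 in range(1, 10))
                for d2 in range(10)}
    raise ValueError("position must be 1, 2 or 12")

def leading_digits(amount: float, n: int = 2) -> str:
    """First n significant digits of an amount, ignoring sign and decimal point."""
    digits = "".join(ch for ch in f"{abs(amount):.2f}" if ch.isdigit())
    return digits.lstrip("0")[:n]

def observed_rates(amounts, position: int) -> dict:
    keys = []
    for a in amounts:
        d = leading_digits(a)
        if len(d) < 2:
            continue                            # e.g. 0.00 has no leading digits
        keys.append(int(d[0]) if position == 1 else int(d[1]) if position == 2 else int(d))
    counts = Counter(keys)
    return {k: counts[k] / len(keys) for k in benford_expected(position)}

def overrepresented(amounts, position: int, margin: float = 0.05) -> list:
    """Digits/pairs whose observed rate exceeds Benford's by more than margin."""
    expected, observed = benford_expected(position), observed_rates(amounts, position)
    return sorted(k for k in expected if observed[k] - expected[k] > margin)

# Constructed disbursement data: 300 amounts spread log-uniformly over three
# decades (Benford-conforming) plus 40 injected $56xx payments to a fake vendor.
BASELINE = [round(10 ** (i / 100), 2) for i in range(300)]
FAKE_VENDOR = [round(5600 + 2.4 * k, 2) for k in range(40)]
DISBURSEMENTS = BASELINE + FAKE_VENDOR
```

On the constructed data the first-digit test flags 5, the second-digit test flags 6 and the first-two-digits test flags only 56, which is the pull list the owner would sample.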
Rainbow Tables
Rainbow Tables are pre-computed, brute-force attacks. A brute-force attack is an attempt to recover a cryptographic key or password by trying every possible combination until the correct one is found. With a Rainbow Table, you can decrypt 40-bit encrypted files in seconds or minutes rather than days or weeks.
www.accessdata.com
Beware the Unmanaged IM and Email
Recipients may retain IM
IM immune to firewalls
IM may be offensive to employees
Track IM usage
Enable content filtering and blocking
Log and audit conversations
Do not allow encrypted IM
Beware the Unmanaged IM and Email
Over 10,000 U.S. laws and regulations apply to Instant Messaging and Email Retention!
Your Documents May Give Away Your Identity
Right-click on the file (Word, Excel, Access, etc.) and select Properties. You may find the name of the author.
Right-click your MS Word file document. Select Properties. If you have named your computer with your own name, you may wish to change it to an anonymous name.
This person used his name for his computer.
This document picked up the name of the computer as the author. Note that we can remove properties from this document!
Control Panel / System and Security / System
Changing the computer name helps to anonymize the documents.
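As an added example of the point above (not from the slides), the author fields that a Word file exposes under Properties can be read and blanked programmatically: a .docx is a zip package and those fields live in its docProps/core.xml part. The package below is a constructed toy with a made-up computer name as creator; a real document has many more parts, which the scrubber copies through untouched.

```python
import io
import re
import zipfile

# Added example, not from the slides: a .docx is a zip package, and the
# author fields Windows shows under Properties live in docProps/core.xml.
# The package below is a constructed toy; a real file has many more parts.
CORE_XML = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<cp:coreProperties xmlns:cp="http://schemas.openxmlformats.org/package/2006/metadata/core-properties"
 xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:dcterms="http://purl.org/dc/terms/"
 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<dc:creator>JOHN-DOE-PC</dc:creator><cp:lastModifiedBy>JOHN-DOE-PC</cp:lastModifiedBy>
<dcterms:created xsi:type="dcterms:W3CDTF">2009-03-02T14:11:00Z</dcterms:created>
</cp:coreProperties>"""
IDENTITY_TAGS = ("dc:creator", "cp:lastModifiedBy")   # where the computer name leaks

def build_sample_docx() -> bytes:
    buf = io.BytesIO()   # toy .docx: core-properties part plus a stub body
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("docProps/core.xml", CORE_XML)
        z.writestr("word/document.xml", "<w:document/>")
    return buf.getvalue()

def part_names(docx_bytes: bytes) -> list:
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        return z.namelist()

def read_identity_fields(docx_bytes: bytes) -> dict:
    """What a reviewer (or an opponent) sees under Properties."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        core = z.read("docProps/core.xml").decode("utf-8")
    found = {}
    for tag in IDENTITY_TAGS:   # a regex suffices for the fixed prefixes used here
        m = re.search(rf"<{tag}>(.*?)</{tag}>", core)
        found[tag] = m.group(1) if m else ""
    return found

def scrub_identity_fields(docx_bytes: bytes) -> bytes:
    """Rewrite the package with the identity fields emptied; other parts copied as-is."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as src, \
         zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for item in src.infolist():
            data = src.read(item.filename)
            if item.filename == "docProps/core.xml":
                text = data.decode("utf-8")
                for tag in IDENTITY_TAGS:
                    text = re.sub(rf"<{tag}>.*?</{tag}>", f"<{tag}></{tag}>", text)
                data = text.encode("utf-8")
            dst.writestr(item, data)
    return out.getvalue()
```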
Virtual Credit Cards
Currently available from Citi, Discover, PayPal, and Bank of America.
Numbers are generated for single use of online shopping.
Numbers are of no use to hackers.
Overcomes the threat of having traditional card numbers stolen.
MD5 Using HashCalc
Note that three different algorithms were used to produce checksums or message digests. This ensures acceptance for legal or regulatory purposes and guarantees file integrity.
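An added example, not from the slides or HashCalc, of the same three-algorithm check done in code: all digests are computed in one pass over the acquisition stream and recorded, then recomputed later to confirm nothing changed. The "disk image" bytes are constructed; a real acquisition would be read from the file in chunks.

```python
import hashlib

ALGORITHMS = ("md5", "sha1", "sha256")   # the three-algorithm set the slide shows

def evidence_manifest(data_chunks, algorithms=ALGORITHMS) -> dict:
    """Compute every digest in a single pass over the evidence stream."""
    hashes = {name: hashlib.new(name) for name in algorithms}
    for chunk in data_chunks:
        for h in hashes.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashes.items()}

def verify_manifest(data_chunks, recorded: dict) -> dict:
    """Recompute and compare per algorithm; returns {algorithm: matches?}."""
    current = evidence_manifest(data_chunks, tuple(recorded))
    return {name: current[name] == recorded[name] for name in recorded}

# Constructed 'disk image' bytes; ALTERED differs from ORIGINAL in one byte.
ORIGINAL = [b"header" * 100, b"\x00" * 4096, b"trailer"]
ALTERED = [b"header" * 100, b"\x00" * 4095 + b"\x01", b"trailer"]

def demo() -> tuple:
    recorded = evidence_manifest(ORIGINAL)      # what goes in the evidence log
    return verify_manifest(ORIGINAL, recorded), verify_manifest(ALTERED, recorded)
```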
Data Capture
KeyKatcher
Records chat, e-mail, internet & more
Is easier to use than parental control software
Identifies internet addresses
Uses no system resources
Works on all PC operating systems
Undetectable by software
www.lakeshoretechnology.com
Questions or Comments?
Thank you for your attention …
Grover S. [email protected]
University of South Florida St. Petersburg