Grover S. Kearns, Ph.D., CPA, CFE

The Accounting Sleuth: What’s New in Computer Forensics


Definitions

Information technology forensics: all the sciences and technical disciplines combined to allow the examination of material that contains information (computers, networks, electronic devices, etc.) to assist an investigation and, eventually, present evidence for a trial. (European Network of Forensic Science Institutes)

Sleuth: to track or follow (Old Norse)

Use of Computer Forensics

Find and recover information apparently lost in deleted files

Search all corners of a hard disk for suspect data

Print out computer evidence and present it in court

Write the reports to support a case

Testify as experts and help to prove the facts

Types of Computer Abuse

Theft of intellectual property

Employment disputes

Destruction of/misappropriation of data

Alteration of data, alteration/misuse of programs

Use of unlicensed software

Unauthorized access to a computer system

Unauthorized use of a company's computer for private gain

Unofficial access to confidential data


Accountants' Role in Computer Forensics

Uncovering and analyzing electronic evidence in all digital devices to support legal/regulatory inquiry

Proactively using software and digital devices to ascertain data anomalies and/or trends that require supervisory attention

Support audits

Investigative Options

Ask for assistance from law enforcement

Hire a forensics specialist

Train an in-house incident response team and CERT (computer emergency response team)


Investigative Options (cont.)

Ask for assistance from law enforcement

Law enforcement rarely trained to deal with computer-based fraud or forensics

FBI has regional forensic labs but interested only in high $ or high exposure cases

Lose control of investigation

Very time consuming

May not result in a prosecution

May not result in restoration of lost resources


Investigative Options (cont.)

Hire a forensics specialist

May provide needed expertise for consultation

May be costly if not controlled

Can be time-consuming

Response time lag may cost further loss


Investigative Options (cont.)

Train an in-house incident response team and computer emergency response team (CERT)

Faster response

A response plan is in place

Agents are familiar with the environment

May be most effective and least costly approach

Can be combined with other approaches


CyberCrime

Types of Computer Crime

Hacking

Theft of Intellectual Property

Theft of PII

Phishing and Pharming

Identity Theft

Cyberstalking

Viruses

Email Image Spams

Botnets infect up to 10% of all computers

Image spams allow emails to avoid filters

Popular spam – enticing readers to buy a cheap stock in a pump and dump

Cyberstalking Kay Scarpetta

Leslie Sachs alleged on his website that author Patricia Cornwell was a "Jew hater" and "neo Nazi".

Court appointed psychiatrist labeled the action as cyberstalking.

Cornwell said in court “Someone should not be able to run away from the consequences of their despicable behavior.”

Said her lawsuit would help prevent future occurrences.

The Italian Job

Infected more than 10,000 web pages on popular websites including travel agents, hotels, charities and government departments.

Most are in Italy, but also Spain and US.

Eastern European based, using a $500 kit.

Downloads keylogger to steal identities.

Mobile Computing

Cell Phone Evidence 101

Calendars/schedules

Call logs – incoming/outgoing

Text messages

Contact lists

Photos

Email

GPS

Notepad

Internet history

Wallpaper

Cell Phone Seizures

Document all actions

Observe power status

If OFF, leave OFF

If ON, isolate immediately – Faraday bag, Reynolds wrap, paint can, Faraday tent

SIM and SD Cards

SD holds photos – can be upgraded

SIM identifies phone and owner and can be changed

BlackBerry and iPhone Remote Protection

Remote Wipe

Reset to Factory Defaults IT policy rule specifies whether a BlackBerry® device resets to the default settings when it receives the Erase Data and Disable Handheld IT administration command over a wireless network. Default value is False – change to True.

If your iPhone is stolen or lost, login to www.me.com/account to access Find My iPhone.

You can remotely wipe out your personal data permanently and restore the iPhone to its factory settings.


Tools of the Trade


Surveillance Tools

Pen mike $190

Cam video recorder $130

Micro cam $49

Car remote DVR $130

www.dynaspy.com

Surveillance Tools

GPS track stick $270

Voice changer $139

Spoof card $9

www.dynaspy.com

Surveillance Tools

Coke spy cam $160

Spy cobra USB $150

Sound enhancer $62

www.dynaspy.com

Anti-Surveillance Tools

Audio Jammer $170

Spycam Finder $110

HF Bug Detector $110

Wire-tap Detector $295

www.spygear4u.com

Private Eye and Chameleon

Facial recognition

Spots shoulder surfers

Distorts screen except for authorized user

Eliminates need for passwords

Monitors can be installed to recognize authorized employees


Note IP address 41.203.239.237


www.itistimed.com


aruljohn.com/track.pl

Keyword Search and E-Discovery

E-discovery and document review expensive

Cost associated with heavy reliance on human review

Search solutions were not built with e-discovery in mind

Majority of companies do not have an effective retention or archiving plan for electronic documents


ipconfig /all


MAC Address

IP Address

NSLookup


Sedona Conference and ESI Framework


Sedona ESI Framework


Sedona Conference – White papers on keyword searches and electronically stored information (ESI)

Keyword list can cut costs substantially

Most searches turn up a small percent of relevant documents and miss many critical documents

Risks for both under- and over-inclusive terms

Sedona framework provides higher quality and lower costs

ESI Retention Policy

Must comply with SOX and be scrutinized by legal

Categorize documents by type and retention period

Use different archival methods

Software can provide for efficient retrieval

Train employees to policy


E-Mail Retention Policy

Federal Rules of Civil Procedure, industry regulations and internal policies all influence which emails should be archived.

Safe harbor in eDiscovery rests in an organization adhering to its policies and procedures that guide the destruction of its email data.

Not all e-mails are the same: Set archive categories by nature of email.

Adopt a policy and do not vary from it.

Encryption


Message Integrity – the message has not been altered. Guaranteed by encryption.

Authentication – the message is indeed from the stated sender. Guaranteed by a digital signature.

Two key systems: Symmetric and Asymmetric

Symmetric or Private Key Encryption – One Key

Asymmetric or Public Key Encryption – Two Keys

Mathematically related key-pair.

Session Key (Symmetric)

A symmetric key is faster but easier to break. The public key protects it in transit.

Session Key is Protected

The session key (symmetric) is encrypted by a private key and decrypted with the public key. The stronger asymmetric keys protect it.

By hashing the original message, a message digest is created. A digital signature is created by encrypting the message digest.

Data in Transit and at Rest

SSL (Secure Sockets Layer) is a public key system that is commonly used for online transactions. It only encrypts data in transit.

Over 50% of all stored data is unencrypted and vulnerable.

All PII should be encrypted. Software can offer full disk encryption.

TrueCrypt

Encrypts an entire partition or storage device such as USB flash drive or hard drive.

Encryption is automatic, real-time (on-the-fly) and transparent.

Parallelization and pipelining allow data to be read and written as fast as if the drive was not encrypted.

TrueCrypt: Encrypt Options

TrueCrypt: Volume Options

Cost of Poor Retention Policy

The judge could …

instruct the jury to infer that the record(s) destroyed contained information unfavorable to your company.

order your company to pay the cost of restoring any archival media on which a lost record is stored, plus reasonable litigation expenses incurred by your opponent in filing a motion for discovery and production of the record.


Redacted E-mail and Privacy

Deleted information may be recoverable from electronic documents

Policy should be specific as to what information must be deleted before issuing to a third party

Covered by federal laws and regs

Software available to filter and delete


IT Technologies Important to Accountants


Top Business/Technology Issues Survey Results

Regulatory compliance

Enterprise-based IT management and IT governance

Information security management

Disaster recovery/business continuity

IT value management

Challenges of managing IT risks

Compliance with financial reporting standards

AICPA Top 10 Technology Initiatives

Information Security Management

Privacy Management

Secure Data File Storage, Transmission and Exchange

Business Process Improvement

Mobile and Remote Computing

Training and Competency

Identity and Access Management

Application and Data Integration

Knowledge Management

Electronic Data Retention Strategy


http://accessdata.com/downloads/media/Rules_of_Digital_Evidence_and_AccessData_Technology.pdf

Federal Rules of Evidence and Digital Data

Challenges presented in FRE by digital evidence are due to following differences:

Degradation: Even a minute change to an electronic document may make it inadmissible.

Ownership: It can be difficult to prove authorship of digital documents.

Original Documents: Given two digital documents, you cannot distinguish the original from a copy.

Reinterpretation of FRE

Authenticity

1) Whether the computer-generated or computer-stored records were altered, manipulated or damaged after they were created;

2) The reliability of the computer program that generated the computer record; and

3) The reliability of the identity of the author.

Best Evidence Rule

1) Must ensure an accurate and complete data acquisition;

2) Must meet Daubert Standards

Daubert Standards

1) Theory or technique utilized must have been tested and that test must be replicable.

2) Theory or technique must have been subject to peer review and publication.

3) Error rate associated with the technique must be known.

4) Theory or technique must enjoy general acceptance within the scientific community.


New Federal Rules of Civil Procedure

Scope of Discovery – exhaustive search for all electronically stored information

Early Review and Production

Native Production – native format with metadata intact

Increased Sanctions – Serra Chevrolet, Inc. v. General Motors, $50k/day


Audit Command Language (ACL)

ACL is the market leader in computer-assisted audit technology and is an established forensics tool.

Clientele includes … 70 percent of the Fortune 500 companies, over two-thirds of the Global 500, and the Big Four public accounting firms.

ACL is a computer data extraction and analytical audit tool with audit capabilities …

Statistics

Duplicates and Gaps

Stratify, Classify and Categorize

Sampling

Benford Analysis


How ACL Can Assist Research

Import data files of different formats

Data cleansing – eliminate leading, trailing, embedded characters, etc.

Data field definition – field type, length

Check for missing data

Locate specific data items

Validation of data set

Cleansing Data

What you see … 1239 1239 1239

What the computer sees… 10011010111 100110101110000 00100110101110

Data imported with leading or trailing blanks may appear to be the same to the user but not to the computer. Data fields must be harmonized. Data types (number, text, date) must be the same and field length must be the same.

The computer will not match these fields!

Easy command to harmonize:

Substr(Alltrim(Codes), 1, 11)

Data type for EmpID is Number

Field Size for EmpID is Long Integer


MATCH( )

Compares an expression or field value of any type to a series of specified expressions or field values to determine whether there is at least one match.

MATCH(CODE, "123" ) Returns all records in field CODE that begin "123".

MATCH(LOC,"01","02","22") Returns all records in field LOC that begin with "01","02","22".


BETWEEN( )

BETWEEN(value,min,max) or BETWEEN(value,max,min)

To return all records with values in CODE between 5000 and 5999 inclusive:

BETWEEN(ALLTRIM(CODE), "5000","5999")

To return all records with dates in field DATE between Oct. 1, 2006 and Dec. 31, 2006:

BETWEEN(DATE, `20061001`,`20061231`)


CLEAN( )

Searches for any invalid characters in a string and replaces them and all subsequent characters with blanks.

CLEAN(string <,extra_invalid_characters>)

CLEAN("ABC%DEF","%") = "ABC "

In the following example, # represents invalid character data:

CLEAN("DOE, JOHN##102891231") = "DOE, JOHN "


EXCLUDE()

Returns a variable length string, excluding characters that you specify from the result.

EXCLUDE(string, characters_to_exclude)

EXCLUDE("123 any street","0123456789") = " any street"

To remove a forward slash and a number sign from the Prodno field, specify:

EXCLUDE(Prodno,"/#")


INCLUDE( )

Returns a variable length string, including only specified characters in the result.

INCLUDE(string,characters_to_include)

INCLUDE("123 any street","0123456789") = "123"

INCLUDE(Prodno,"123456789")
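Added example (Python, not ACL's own code): the functions from the MATCH, BETWEEN, CLEAN, EXCLUDE and INCLUDE slides and the Substr(Alltrim()) harmonization from the Cleansing Data slide, re-implemented so they can be run against the slides' own values. The sample codes are constructed, and treating non-printable characters as CLEAN's default invalid set is an assumption.

```python
# Added example (not ACL's own code): Python re-implementations of the ACL
# cleansing functions and the Substr(Alltrim()) harmonization shown above,
# run over constructed sample field values.

def alltrim(s: str) -> str:
    """ALLTRIM: strip leading and trailing blanks."""
    return s.strip(" ")

def substr(s: str, start: int, length: int) -> str:
    """SUBSTR with a 1-based start; pads with blanks to a fixed field length."""
    return s[start - 1:start - 1 + length].ljust(length)

def harmonize(codes, width=11):
    """Substr(Alltrim(Codes), 1, 11): same value, same length, for every record."""
    return [substr(alltrim(c), 1, width) for c in codes]

def match(value: str, *prefixes: str) -> bool:
    """MATCH as used on the slides: true if the field begins with any listed value."""
    return any(value.startswith(p) for p in prefixes)

def between(value: str, bound1: str, bound2: str) -> bool:
    """BETWEEN(value, min, max) or BETWEEN(value, max, min); inclusive."""
    low, high = sorted((bound1, bound2))
    return low <= value <= high

def clean(s: str, extra_invalid: str = "") -> str:
    """CLEAN: from the first invalid character onward, replace with blanks.
    Assumption: 'invalid' means non-printable ASCII plus any extra characters given."""
    for i, ch in enumerate(s):
        if ch in extra_invalid or not 32 <= ord(ch) <= 126:
            return s[:i] + " " * (len(s) - i)
    return s

def exclude(s: str, chars: str) -> str:
    """EXCLUDE: drop every listed character."""
    return "".join(ch for ch in s if ch not in chars)

def include(s: str, chars: str) -> str:
    """INCLUDE: keep only the listed characters."""
    return "".join(ch for ch in s if ch in chars)

# Constructed records: the same code with different padding, plus one field
# containing non-printable bytes (the '#' of the slide's CLEAN example).
RAW_CODES = ["1239", "1239       ", "   1239"]
DIRTY_NAME = "DOE, JOHN\x00\x00102891231"

if __name__ == "__main__":
    print(len(set(RAW_CODES)), "distinct before,", len(set(harmonize(RAW_CODES))), "after")
    print(repr(clean(DIRTY_NAME)))
```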


Benford Analysis

States that the leading digit in some numerical series follows an exponential rather than a normal distribution

Applies to a wide variety of figures: financial results, electricity bills, street addresses, stock prices, population numbers, death rates, lengths of rivers

Leading Digit   Probability
1               30.1 %
2               17.6 %
3               12.5 %
4                9.7 %
5                7.9 %
6                6.7 %
7                5.8 %
8                5.1 %
9                4.6 %

Small Business Owner Example

Small business owner expanded his one-store family-owned business into a four-store chain

Had to relinquish some hands-on control with the expansion

Concerned about bookkeeping errors or possibility of fraud

Owner used an Excel program based on Benford’s Law to analyze the stores’ disbursement data

SBO Example – 1st Digits Test (chart: rate by leading digit 1–9, Benford expected vs. sample)

SBO Example – 2nd Digits Test (chart: rate by second digit 0–9, Benford expected vs. sample)

SBO Example – First Two Digits Test (chart: rate by two-digit pair 10–99, Benford expected vs. sample)

Small Business Owner Example

Benford’s Law Analysis

First Digits Test: Digits 5, 6, & 7 appear much more than expected, while the digit 1 appeared much less than expected

Second Digits Test: Again, the digits 6 & 7 appear much more often than expected, and 0 did not occur at all

Small Business Owner Example

Benford’s Law Analysis (cont.)

First Two-Digits Test: 56 & 67 are the two-digit combinations that appear more frequently than expected

Owner pulled a sample of disbursements starting with the 56 & 67 sequences

Discovered payments to an unfamiliar vendor

Additional investigation revealed the vendor did not exist – payments were going to a personal account
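Added example (not the owner's Excel workbook or ACL's Benford command): the first-digit, second-digit and first-two-digits tests from the SBO example, implemented in Python and run over constructed disbursements. The data is 500 genuine amounts spread evenly on a log scale (which conforms to Benford's Law) plus 40 payments to a fictitious vendor whose amounts begin with 56 and 67, so the same over-represented pairs surface; the 1.96 standard-error cutoff is an assumption.

```python
import math
from collections import Counter

# Added example: Benford's Law digit tests over constructed disbursement amounts.
# Expected proportions come from P(leading digits = n) = log10(1 + 1/n); the
# 1.96 standard-error flag threshold is an assumption, not from the slides.

def benford_expected(test: str) -> dict:
    """Expected proportion per digit (or digit pair) for the named test."""
    if test == "first":
        return {d: math.log10(1 + 1 / d) for d in range(1, 10)}
    if test == "first_two":
        return {n: math.log10(1 + 1 / n) for n in range(10, 100)}
    if test == "second":  # sum the two-digit probabilities by their second digit
        out = {d: 0.0 for d in range(10)}
        for n in range(10, 100):
            out[n % 10] += math.log10(1 + 1 / n)
        return out
    raise ValueError(f"unknown test {test!r}")

def leading_digits(amount: float, n: int) -> str:
    """First n significant digits of an amount, independent of sign and magnitude."""
    mantissa = f"{abs(amount):.10e}".split("e")[0]   # e.g. '5.6124000000'
    return mantissa.replace(".", "")[:n]

def observed(amounts, test: str):
    """Observed proportion per digit (or pair) and the record count used."""
    key = {"first": lambda a: int(leading_digits(a, 1)),
           "second": lambda a: int(leading_digits(a, 2)[1]),
           "first_two": lambda a: int(leading_digits(a, 2))}[test]
    usable = [a for a in amounts if abs(a) >= 10]   # need two genuine digits
    counts = Counter(key(a) for a in usable)
    return {k: counts[k] / len(usable) for k in benford_expected(test)}, len(usable)

def flag_overrepresented(amounts, test: str, z_cutoff: float = 1.96) -> list:
    """Digits whose observed share exceeds Benford's by more than z_cutoff
    standard errors (binomial approximation); these are the sampling targets."""
    expected = benford_expected(test)
    obs, n = observed(amounts, test)
    flagged = []
    for k, p in expected.items():
        z = (obs[k] - p) / math.sqrt(p * (1 - p) / n)
        if z > z_cutoff:
            flagged.append(k)
    return flagged

# Constructed sample: 500 amounts spread evenly on a log scale between $10 and
# $10,000 (Benford-conforming), plus 40 payments to a fictitious vendor whose
# invoices happen to start with 56 and 67.
GENUINE = [10 ** (1 + 3 * i / 500) for i in range(500)]
FICTITIOUS = [5600 + 4 * j for j in range(20)] + [6700 + 4 * j for j in range(20)]
DISBURSEMENTS = GENUINE + FICTITIOUS
```

Running `flag_overrepresented(DISBURSEMENTS, "first_two")` returns the pairs to pull for vendor review, which is the step the owner took by hand.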


Moats and Drawbridges

For the truly paranoid – CCleaner will destroy all temp files, cookies, browsing history.

Rainbow Tables

Rainbow Tables are pre-computed, brute-force attacks. A brute-force attack is an attempt to recover a cryptographic key or password by trying every possible combination until the correct one is found. With a Rainbow Table, you can decrypt 40-bit encrypted files in seconds or minutes rather than days or weeks.

www.accessdata.com

Beware the Unmanaged IM and Email

Recipients may retain IM

IM immune to firewalls

IM may be offensive to employees

Track IM usage

Enable content filtering and blocking

Log and audit conversations

Do not allow encrypted IM


Beware the Unmanaged IM and Email

Over 10,000 U.S. laws and regulations apply to Instant Messaging and Email Retention!


www.crackpassword.com

Your Documents May Give Away Your Identity


Right-click on the file (Word, Excel, Access, etc.) and select Properties. You may find the name of the author.


Right-click your MS Word document. Select Properties. If you have named your computer after yourself, you may wish to change it to an anonymous name.

This person used his name for his computer.

This document picked up the name of the computer as the author. Note that we can remove properties from this document!

Remove all identifying properties from this document!

Control Panel / System and Security / System

Changing the computer name helps to anonymize the documents.
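Added example (not from the slides or from Microsoft): the Properties values shown above live in docProps/core.xml inside the .docx ZIP archive. This reads them and writes back a copy with the identifying ones blanked, leaving the rest of the document untouched. The sample document, author and title values are constructed.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# Added example: inspect and blank the author-identifying properties of an
# Office document. A .docx/.xlsx is a ZIP archive; the Properties dialog shows
# docProps/core.xml, where dc:creator and cp:lastModifiedBy carry the name.
NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
}
IDENTIFYING = ("dc:creator", "cp:lastModifiedBy")
for _prefix, _uri in NS.items():
    ET.register_namespace(_prefix, _uri)   # keep the original prefixes on rewrite

def read_props(docx_bytes: bytes, tags=IDENTIFYING) -> dict:
    """Return the text of the requested core properties ('' when absent)."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        root = ET.fromstring(zf.read("docProps/core.xml"))
    return {t: (root.findtext(t, default="", namespaces=NS) or "") for t in tags}

def scrub_identity(docx_bytes: bytes) -> bytes:
    """Rewrite the archive with dc:creator and cp:lastModifiedBy emptied;
    every other part (document body, other properties) is copied unchanged."""
    src = zipfile.ZipFile(io.BytesIO(docx_bytes))
    root = ET.fromstring(src.read("docProps/core.xml"))
    for tag in IDENTIFYING:
        for el in root.findall(tag, NS):
            el.text = ""
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for item in src.infolist():
            data = src.read(item.filename)
            if item.filename == "docProps/core.xml":
                data = ET.tostring(root, encoding="UTF-8", xml_declaration=True)
            dst.writestr(item, data)
    return out.getvalue()

# Constructed stand-in for a Word file: only the parts this example touches.
CORE_XML = (
    '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
    f'<cp:coreProperties xmlns:cp="{NS["cp"]}" xmlns:dc="{NS["dc"]}">'
    '<dc:title>Q3 disbursements</dc:title>'
    '<dc:creator>JOHNDOE-PC</dc:creator>'
    '<cp:lastModifiedBy>John Doe</cp:lastModifiedBy>'
    '</cp:coreProperties>'
)

def make_sample_docx() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docProps/core.xml", CORE_XML)
        zf.writestr("word/document.xml", "<w:document/>")  # placeholder body only
    return buf.getvalue()
```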

Virtual Credit Cards

Currently available from Citi, Discover, PayPal, and Bank of America.

Numbers are generated for single use in online shopping.

Numbers are of no use to hackers.

Overcomes the threat of having traditional card numbers stolen.

Blogs and Facebook can be highly revealing …

One photo is worth a thousand words


Steganography

http://www.securekit.net/


MD5 Using HashCalc

Note that three different algorithms were used to produce checksums or message digests. This ensures acceptance for legal or regulatory purposes and guarantees file integrity.
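The HashCalc slide records three digests for one file. As an added example (not HashCalc or AccessData code), here is how an examiner can keep those digests in a manifest and later check a copy against all three, so that a one-byte change of the kind the FRE "degradation" point warns about is caught. The file content, filename and manifest format are constructed.

```python
import hashlib

# Added example (not HashCalc or AccessData code): record MD5, SHA-1 and SHA-256
# digests for an evidence file and verify a later copy against all three.
ALGORITHMS = ("md5", "sha1", "sha256")

def digests(data: bytes) -> dict:
    """Hex digest of the data under each recorded algorithm."""
    return {name: hashlib.new(name, data).hexdigest() for name in ALGORITHMS}

def format_manifest(name: str, data: bytes) -> str:
    """One 'algorithm  digest  filename' line per algorithm (constructed format)."""
    return "\n".join(f"{alg}  {hexd}  {name}" for alg, hexd in digests(data).items())

def parse_manifest(text: str) -> dict:
    """Map filename -> {algorithm: digest} from manifest text."""
    recorded = {}
    for line in text.splitlines():
        alg, hexd, fname = line.split("  ", 2)
        recorded.setdefault(fname, {})[alg] = hexd
    return recorded

def verify(name: str, data: bytes, recorded: dict) -> dict:
    """Per-algorithm match result for one file against the parsed manifest."""
    current = digests(data)
    return {alg: current.get(alg) == hexd for alg, hexd in recorded[name].items()}

def is_intact(name: str, data: bytes, recorded: dict) -> bool:
    """Every recorded algorithm must agree; a single mismatch fails the file."""
    results = verify(name, data, recorded)
    return bool(results) and all(results.values())

# Constructed sample evidence and a copy differing in one byte.
ORIGINAL = b"Vendor: ACME SUPPLY CO\nInvoice 1042\nAmount: 5612.40\n"
ALTERED = ORIGINAL.replace(b"5612.40", b"5612.41")
MANIFEST = format_manifest("invoice1042.txt", ORIGINAL)

if __name__ == "__main__":
    print(MANIFEST)
    print("original intact:", is_intact("invoice1042.txt", ORIGINAL, parse_manifest(MANIFEST)))
    print("altered intact: ", is_intact("invoice1042.txt", ALTERED, parse_manifest(MANIFEST)))
```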


Data Capture

KeyKatcher

Records chat, e-mail, internet & more

Is easier to use than parental control software

Identifies internet addresses

Uses no system resources

Works on all PC operating systems

Undetectable by software

www.lakeshoretechnology.com


Questions or Comments?

Thank you for your attention …

Grover S. [email protected]

University of South Florida St. Petersburg