IT Investigative Tools: Tools and Services for the Forensic Auditor
Slide 1
IT Investigative Tools
Tools and Services for the Forensic Auditor
Slide 2
Digital Crime Scene Investigation
Problems with Digital Investigation
- Timing is essential – electronic evidence is volatile
- Auditor may violate rules of evidence
- NEVER work directly on the evidence
- Skills needed to recover deleted data or encrypted data
Slide 3
Digital Crime Scene Investigation
Extract, process, interpret
- Work on the imaged data or “safe copy”
- Data extracted may be in binary form
- Process data to convert it to understandable form
- Reverse-engineer to extract disk partition information, file systems, directories, files, etc.
- Software is available for this purpose
- Interpret the data – search for key words, phrases, etc.
Slide 4
Digital Crime Scene Investigation
Technology
- Magnetic disks contain data after deletion
- Overwritten data may still be salvaged
- Memory still contains data after switch-off
- Swap files and temporary files store data
- Most OS’s perform extensive logging (so do network routers)
Slide 5
Disk Geometry
Diagram labels: Track, Sector, Cylinder (Clusters are groups of Sectors)
Slide 6
Slack Space
Diagram labels: End of File; Slack Space; Last Cluster in a File
Slide 7
Illustration of Forensic Tools
Forensic Software Tools are used for …
- Data imaging
- Data recovery
- Data integrity
- Data extraction
- Forensic Analysis
- Monitoring
Slide 8
Data Imaging
EnCase
- Reduces internal investigation costs
- Platform independent
- Automated analysis saves time
- Supports electronic records audit
- Creates logical evidence files, eliminating the need to capture entire hard drives
Slide 9
Data Recovery
File Recovery with PC Inspector
Slide 10
Data Eradication
Securely Erasing Files
Slide 11
Data Integrity
MD5 Message Digest – a hashing algorithm used to generate a checksum
- Available online as freeware
- Any change to a file will change the checksum
Use:
- Generate MD5 of system or critical files regularly
- Keep the checksums in a secure place to compare against later if integrity is questioned
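The baseline-and-compare use of checksums described on this slide, as an added example in Python that is not part of the original deck. It computes MD5 as the slide suggests and SHA-256 alongside it, because MD5 collisions can be constructed deliberately and a tamper-detection baseline should not rest on MD5 alone; the file names and contents in the demo are constructed.

```python
"""Checksum baseline and later re-check; an added example, not from the slides."""
import hashlib
import os
import tempfile

CHUNK = 1 << 16  # read in 64 KiB pieces so large files are never loaded whole


def file_digests(path):
    """MD5 (as the slide suggests) and SHA-256 of one file, in a single pass.
    Rely on the SHA-256 value: MD5 collisions can be constructed deliberately,
    so an MD5 match alone is weak evidence that a file is unchanged."""
    md5, sha = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            md5.update(block)
            sha.update(block)
    return {"md5": md5.hexdigest(), "sha256": sha.hexdigest()}


def make_baseline(paths):
    """Digests of the critical files; store this where the monitored host cannot write."""
    return {p: file_digests(p) for p in paths}


def verify(baseline):
    """Recompute and compare; report each baselined file that is missing or modified."""
    findings = {}
    for path, expected in baseline.items():
        if not os.path.exists(path):
            findings[path] = "missing"
        elif file_digests(path) != expected:
            findings[path] = "modified"
    return findings


def demo():
    """Constructed scenario: three files baselined, then one edited and one deleted."""
    with tempfile.TemporaryDirectory() as d:
        paths = {n: os.path.join(d, n) for n in ("hosts", "passwd", "notes")}
        for name, body in (("hosts", b"127.0.0.1 localhost\n"),
                           ("passwd", b"root:x:0:0::/root:/bin/sh\n"),
                           ("notes", b"unchanged\n")):
            with open(paths[name], "wb") as f:
                f.write(body)
        baseline = make_baseline(paths.values())
        with open(paths["hosts"], "ab") as f:   # tamper with one file ...
            f.write(b"# line appended after the baseline\n")
        os.remove(paths["passwd"])              # ... and delete another
        return {os.path.basename(p): v for p, v in verify(baseline).items()}


if __name__ == "__main__":
    print(demo())  # {'hosts': 'modified', 'passwd': 'missing'}
```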
Slide 12
Data Integrity
MD5 Using HashCalc
Slide 13
Data Integrity
HandyBits EasyCrypto
Slide 14
Data Integrity
Private Disk
Slide 15
Data Monitoring
Tracking Log Files
Slide 16
Data Monitoring
PC System Log
Slide 17
Security Software Log Entries
Slide 19
Free Log Tools
Slide 20
Audit Command Language (ACL)
ACL is the market leader in computer-assisted audit technology and is an established forensics tool.
Clientele includes …
- 70 percent of the Fortune 500 companies
- over two-thirds of the Global 500
- the Big Four public accounting firms
Slide 21
Forensic Tools
Audit Command Language
ACL is a computer data extraction and analytical audit tool with audit capabilities …
- Statistics
- Duplicates and Gaps
- Stratify and Classify
- Sampling
- Benford Analysis
Slide 27
Forensic Tools: ACL
Benford Analysis
States that the leading digit in some numerical series follows an exponential distribution
Applies to a wide variety of figures: financial results, electricity bills, street addresses, stock prices, population numbers, death rates, lengths of rivers

Leading Digit   Probability
1               30.1 %
2               17.6 %
3               12.5 %
4               9.7 %
5               7.9 %
6               6.7 %
7               5.8 %
8               5.1 %
9               4.6 %
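Benford analysis as an added example in Python (not code from the slides or from ACL): the expected shares are log10(1 + 1/d), which reproduce the table above, and a chi-square statistic measures how far a data set's leading-digit counts sit from them. Both data sets are constructed: a geometric growth series, which obeys the law, and a batch of fabricated amounts that all begin with 5.

```python
"""Benford's-law leading-digit test; an added example, not from the slides."""
import math
from collections import Counter

# Expected share of each leading digit: P(d) = log10(1 + 1/d).  These are the
# percentages in the slide's table (30.1 %, 17.6 %, 12.5 %, ... 4.6 %).
BENFORD = {d: math.log10(1 + 1 / d) for d in range(1, 10)}

# Chi-square critical value at the 5 % level, 8 degrees of freedom (9 digit bins).
CHI2_CRIT_95_DF8 = 15.507


def leading_digit(x):
    """First non-zero digit of x, ignoring sign and magnitude; None for zero."""
    if x == 0:
        return None
    return int(f"{abs(x):e}"[0])  # scientific notation puts the leading digit first


def digit_counts(values):
    """Count of each leading digit 1..9 over the non-zero values, plus the total n."""
    digits = [d for d in map(leading_digit, values) if d is not None]
    if not digits:
        raise ValueError("no non-zero values to test")
    counts = Counter(digits)
    return {d: counts.get(d, 0) for d in range(1, 10)}, len(digits)


def max_deviation(values):
    """Largest gap between the observed share of any digit and its Benford share."""
    counts, n = digit_counts(values)
    return max(abs(counts[d] / n - BENFORD[d]) for d in range(1, 10))


def chi_square(values):
    """Chi-square statistic of observed digit counts against the Benford expectation."""
    counts, n = digit_counts(values)
    return sum((counts[d] - BENFORD[d] * n) ** 2 / (BENFORD[d] * n) for d in range(1, 10))


def flag_for_review(values):
    """True when the digit pattern departs from Benford at the 5 % level."""
    return chi_square(values) > CHI2_CRIT_95_DF8


# Constructed sample data (not real ledgers): a geometric growth series, which
# obeys Benford, and a batch of fabricated amounts that all begin with 5.
NATURAL = [1.07 ** i for i in range(200)]
SUSPICIOUS = [5000 + 9 * i for i in range(100)]

if __name__ == "__main__":
    for name, data in (("natural", NATURAL), ("suspicious", SUSPICIOUS)):
        print(f"{name}: chi2={chi_square(data):.1f} flagged={flag_for_review(data)}")
```

A flag is a reason to look at the underlying records, not proof of fraud: small samples and data with imposed ranges (invoice minimums, fixed price lists) depart from Benford for innocent reasons.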
Slide 31
Data Monitoring
Employee Internet Activity
Spector captures employee web activity including keystrokes, email, and snapshots to answer questions like:
- Which employees are spending the most time surfing web sites?
- Which employees chat the most?
- Who is sending the most emails with attachments?
- Who is arriving to work late and leaving early?
- What are my employees searching for on the Internet?
Slide 32
Data Monitoring : Spector
Recorded Email
Slide 33
Data Monitoring : Spector
Recorded Web Surfing
Slide 34
Data Monitoring : Spector
Recording Keystrokes
Slide 35
Data Monitoring : Spector
Recorded Snapshots
Slide 37
Data Capture : Key Log Hardware
KeyKatcher
- Records chat, e-mail, internet & more
- Is easier to use than parental control software
- Identifies internet addresses
- Uses no system resources
- Works on all PC operating systems
- Undetectable by software
www.lakeshoretechnology.com
Slide 38
index.dat files
Contain all of the Web sites that you have ever visited. Every URL, every Web page, all of the email that has been sent or received through Outlook or Outlook Express.
On Windows 2000 and Windows XP there are several "index.dat" files in these locations:
\Documents and Settings\<Username>\Cookies\index.dat
\Documents and Settings\<Username>\Local Settings\History\History.IE5\index.dat
\Documents and Settings\<Username>\Local Settings\History\History.IE5\MSHist012001123120020101\index.dat
\Documents and Settings\<Username>\Local Settings\History\History.IE5\MSHist012002010720020114\index.dat
\Documents and Settings\<Username>\Local Internet Files\Content.IE5\index.dat
These files cannot be deleted without special software!
Slide 40
Background Checks
Slide 43
http://www.expressmetrix.com/solutions/
Slide 45
ipconfig /all
Slide 46
ipconfig /displaydns
Slide 47
netstat -a
Slide 49
Eraser
http://www.heidi.ie/eraser/
Private Disk
http://www.private-disk.net/
HashCalc
http://www.slavasoft.com/hashcalc/index.htm
PC Inspector
http://www.download.com/3000-2242-10066144.html
VeriSign
http://www.verisign.com
HandyBits Encryption
http://www.handybits.com/
EnCase
http://www.handybits.com/
Slide 50
Spector
http://www.spectorsoft.com/
Stolen ID Search
https://www.stolenidsearch.com/
Abika Background Check
http://www.abika.com/
Guide to Log Management
http://csrc.nist.gov/publications/nistpubs/800-92/SP800-92.pdf
ACFE Fraud Prevention Checkup
http://www.acfe.com/documents/Fraud_Prev_Checkup_IA.pdf
NetWitness
http://www.netwitness.com/
GASP Std V 7.0 Free Software
http://www.bsa.org/usa/antipiracy/Free-Software-Audit-Tools.cfm
Federal Guidelines for Searches
http://www.cybercrime.gov/searchmanual.htm
Slide 51
Florida Criminal Database
http://www.fdle.state.fl.us/CriminalHistory/
Federal Bureau of Prisons
http://www.bop.gov/