Title: Forensics, Fraud and Analytical Techniques
1 Forensics, Fraud and Analytical Techniques
- Computer Forensics (Chapter 12)
- Practicum: Dell Computer Corporation
- (Planning Materiality and Tolerable Misstatement)
2 Schedule (revised)
3 For next week
- Comprehensive review of ISMT300T IS Audit course materials
- Example question for test
- Suggested review readings
4 Dell Computer
- Materiality and Tolerable Error
5 Crime Doesn't Pay?
- As Willie Sutton the bank robber is famously said to have answered when asked why he robbed banks: "because that's where the money is"
- Sutton robbed banks and he was good at it. He made no bones about that. He usually packed a gun, either a pistol or a Thompson submachine gun: "You can't rob a bank on charm and personality"
- "Why did I rob banks? Because I enjoyed it. I loved it. I was more alive when I was inside a bank, robbing it, than at any other time in my life. I enjoyed everything about it so much that one or two weeks later I'd be out looking for the next job. But to me the money was the chips, that's all."
- From Where the Money Was: The Memoirs of a Bank Robber (Viking Press, New York, 1976)
6 Why Computer Crime?
- Because that's where the money is (c. 2005)
- Money is no longer held in physical form
- How much money is being handled daily by computer exchange systems in 2005?
- Foreign exchange: 2 trillion daily
- Derivatives markets: 5 trillion daily
- Outstanding derivatives positions: 200 trillion
- NYSE activity: 1.6 trillion daily
7 Types of Computer Crime: Business as a Victim
- Employee Thefts
- Payroll Fraud
- Fraudulent Billing Schemes
- Fraud Committed by Outsiders
- Management Thefts
- Corporate Thefts
8 Types of Computer Crime: Business as a Vehicle
- Organized Crime
- Money Laundering
- Theft from Minority Shareholders
- Other Stock Market Fraud
- Bankruptcy Fraud
9 Crime's new venue
- The Internet (with an estimated 1 billion users) is now in a golden age of criminal invention.
- It's a "dot-con" boom, in which electronic crime runs rampant in a frantic search for business models.
- Even encryption, supposedly a defensive measure, has become a tool for extortion
- witness the weird new crime of breaking into a computer, encrypting its contents, and then demanding a payoff to supply the key to the victim's own data.
- The crime's so new, it doesn't even have a name yet. (It has since acquired one: ransomware.)
- All the classic scams and rackets that city sharpies push on rubes can be digitized
- once there were a few relatively uncomplicated viruses, now there are torrents of fast-evolving, multifaceted viruses.
- Where once there was just small-time credit-card fraud, now there is international credit-card racketeering.
- Computer-network password theft has turned into sophisticated ID fraud that robs patrons of banks and online auction sites.
- Spam, once an occasional rude violation of "netiquette," now arrives by the ton (12.9 billion pieces a day worldwide last May, according to the e-mail security firm IronPort)
- Then there are the newer electronic crimes, proliferating so fast that even experts have trouble keeping up with the jargon: phishing, spear phishing, pharming, DDoS, DDoS protection rackets, spyware, scumware, Web site defacement, botnets, keylogging.
10 FBI 2005 Computer Crime and Security Survey
- Companies with sales of less than $10 million per year spent $643 per employee on computer security each year.
- For companies with more than $1 billion in annual revenue, the amount spent on security dropped to $247 per employee.
- The survey found that companies in the utilities business spent the most on computer security: on average, $190 per employee per year.
- Next highest on the list were transportation and telecommunication companies, with average annual costs per employee of $187 and $132, respectively.
11 Computer Criminals Today
- The largest class of crime is Internet based
- Generally, there is a form of compartmentalization, from the top down
- At the top of the food chain is someone who has the financial means to organize a group
- This individual, acting as the criminal kingpin, puts together a plan and then assembles the necessary technologically savvy individuals.
- These groups work together without central organization
- Many members are recruited through acquaintances; others are found online
- Individuals use Web sites, online forums, and IRC channels to advertise their services and meet their colleagues. Many others visit these sites to learn how to get started in the business.
- The scene is always looking for rooters, scanners, couriers and other hacking specialties
- Once they've learned those skills, hackers commonly operate as freelancers, working on projects in an area of expertise, whether it be writing exploits, building botnets, or designing fake Web sites
- And like legitimate businesspeople and freelancers, they must build a reputation before they can get hired for lucrative work.
12 Hotspots for Internet crime
- Brazil, Bulgaria, China, Estonia, Hungary, Indonesia, Japan, Latvia, Malaysia, North Korea, Romania, Russia, and the United States are major centers for organized hacking
- Why are certain areas hotspots?
- Places where there's a significant amount of activity usually have a technically advanced population and a large population of computer users.
- You also have a poor economy, so you have people with the technical skills to do good work, but they can't find a job that will provide for them,
- so they may have to resort to doing things that are against the law
- These hotspots (other than the United States and Japan) also tend to be countries where laws and law enforcement lag
- hackers will find the weakest link, the country with no laws
13 Denial-of-service (DoS) attack
- A "denial-of-service" attack is characterized by an explicit attempt by attackers to prevent legitimate users of a service from using that service. Examples include
- attempts to "flood" a network, thereby preventing legitimate network traffic
- attempts to disrupt connections between two machines, thereby preventing access to a service
- attempts to prevent a particular individual from accessing a service
- attempts to disrupt service to a specific system or person
- Details are at http://www.cert.org/tech_tips/denial_of_service.html
14 Zombies
- Zombies do a lot of the heavy lifting
- malware-infected computers that an online puppet master controls
- Set to work in thousands or even tens of thousands, the machines in a zombie network or "botnet" attempt to carry out the high-tech money grab.
- Botnets are popular because of their increasing sophistication and multiple uses.
- versatile zombie armies pull in cash for their controllers in a variety of ways.
- Sending spam (a big money-maker) is one common use.
- Zombie networks can also steal personal information for purposes of identity theft.
- When botnets are used to launch a DDoS attack, the ringleader instructs each zombie computer to send a flood of data to a particular Web site.
- By itself, the data from a single PC can't hurt a site.
- But multiply that traffic by 10,000 or more computers, and a Web site can easily be overwhelmed and cut off from the Internet.
- E.g., MyDoom had a rather unsophisticated means of controlling host machines.
- Once it insinuated itself into an unprotected PC, anyone who knew a not-so-secret five-digit code could commandeer the computer for any desired purpose
- As a result, MyDoom-compromised computers were very popular with online criminals for a while
15 Botnets
- Malware turned an average of 172,009 previously healthy computers into zombies every day during May 2005 (CipherTrust, an e-mail security company that tracks botnets)
- As processing power improves and broadband Internet connections become more widespread, zombie computers will be able to send more spam or hit Web sites harder, and botnets will become more powerful.
- Also, the ability to shuffle funds, including ransom payments, anonymously through convoluted Internet paths using human mules (in much the same way as in the drug trade) and online payment services means that criminals can revisit old approaches.
16 Cops and Robbers
- Some botnets consist of phalanxes of 15,000 to 50,000 zombie PCs that are controlled by groups of people dispersed around the world (Christopher Painter, deputy chief of the Computer Crime section of the U.S. Department of Justice)
- Most perpetrators are adults who execute extremely sophisticated assaults. "They don't brag, and they cover their tracks very well," (Painter)
- One notorious cybergang, called Shadowcrew, reportedly had 4000 members scattered across the United States, Brazil, Spain, and Russia.
17 Objectives
- Money is these cybergangs' primary motivation
- The asking price for temporary use of an army of 20,000 zombie PCs today is $2,000 to $3,000, according to a June posting on SpecialHam.com, an electronic forum for hackers
- Marshaling their armies of zombie PCs, online extortionists may threaten to crash a company's Web site unless they are paid off.
- Hackers are not shy about asking for $20,000 to $30,000 from companies.
18 Payoffs
- Companies know it's far cheaper to pay the hackers than to get knocked offline and lose hundreds of thousands of dollars in lost business
- Many extortion attempts go unreported because businesses are unwilling to volunteer evidence of their coercion to law enforcement officials,
- corporations don't want to admit to their customers, stockholders, and business partners that their networks were ever vulnerable to an attack.
- only about 20 percent of computer intrusions are ever reported to law enforcement agencies (2004 survey conducted by the Computer Security Institute)
- The US Secret Service receives between 10 and 15 inquiries per week from business owners who believe they may be the target of a cyberattack.
19 Case Study: Protx
- When the first extortion e-mail popped into Michael Alculumbre's inbox, he had no idea it was about to cost his business nearly 500,000.
- The note arrived in early November of last year, as Alculumbre's London-based transaction processing company, Protx, was being hit by a nasty distributed denial of service (DDoS) attack.
- Zombie PCs from around the world were flooding Protx.com (the company's Web site) and the transaction processing server that was the commercial heart of the business.
- In the extortion e-mail's broken English, someone identifying himself as Tony Martino proposed a classic organized-crime protection scheme.
- "You should pay 10,000," Martino wrote. "When we receive money, we stop attack immediately."
- The e-mail even promised one year's protection from other attackers for the 10,000 fee.
- "Many companies paid us, and use our protection right now," Martino said. "Think about how much money you lose, while your servers are down."
- A 2004 PriceWaterhouseCoopers survey of more than 1000 businesses in the UK found that, on average, companies spent more than 17,000 on their worst security incident that year.
- For large companies, that amount was closer to 210,000, the study found.
- For companies of either size, most of the loss was due to the disruption in their ability to do business, with expenses for troubleshooting the incident and actual cash spent responding to it accounting for considerably less.
20 Case Study: Protx
- By scrambling its IT staff and blocking traffic from zombie machines (at one point, Protx.com simply blocked all traffic originating from the Western United States), the company managed to survive the first wave of the attack against it.
- But the 13-person company's biggest cost involved preparing for the next assaults, consisting of thousands of server requests, which came in January and April of 2005.
- The April attack, which lasted for more than five days, was the most severe, as Protx and the attackers engaged in a kind of online cat and mouse
- Just as Alculumbre's technicians found one way to block the flood of unwanted server requests, the attackers would switch to another tack.
- At one point, the cybercrooks used a new exploit against Microsoft Internet Information Services (IIS) that caused the Protx Web site to crash whenever certain types of SSL requests got through.
- Protx responded by installing an SSL accelerator and inspecting the requests before letting them through.
- On the final day of the April assault, the attackers hit Protx with everything they had.
- At the peak of the assault, the company's servers were processing 800 megabits of traffic per second, the equivalent of roughly 520 T1 lines (1.544 Mbit/s each) firing at full capacity.
21 Case Study: Protx
- Just a few years ago, financially motivated attackers tended to focus on fringe businesses like online gaming sites.
- Transaction processors like Protx are now choice prey for extortionists:
- if you bring down a payment processor, you can bring down the hundreds of online merchants that depend on it
- Transaction processors like Protx will do everything in their power not to be offline; therefore, they are investing heavily in security and bandwidth.
- Protx ended up spending a whopping 38,000 per employee on security in 2004
22 Client-side Targets
- About 60 percent of new vulnerabilities now affect client-side applications like Web browsers and media players
- And those vulnerabilities are drawing all the wrong sorts of attention
- In 2005, unwanted network traffic targeting Symantec Veritas Backup Exec rocketed to 500,000 instances within days of an announced security hole in the product, up from a previous maximum of about 50,000 instances.
- Microsoft Office, Internet Explorer, Firefox, and AOL Instant Messenger also suffered from serious reported vulnerabilities, as did RealPlayer and iTunes
23 Focus of Client-side Attacks
- Attackers now target backup and recovery programs, as well as "the antivirus and other security tools that most organizations think are keeping them safe" (SANS Top 20 report for 2005 on the most critical Internet vulnerabilities)
- The shift toward finding and exploiting vulnerabilities in application programs represents a major change from past years, when Windows and other operating systems and Internet services like Web and e-mail servers were the preferred targets.
24 Client-side Crime: Recent Problem Software
- Some of the latest application holes
- Sony BMG's XCP copy protection: used ham-fisted rootkit code to hide every file name that began with the characters "$sys$"; virus writers soon released worms and Trojan horse programs that leveraged the XCP cloaking features
- Symantec/Veritas NetBackup: a buffer overflow vulnerability in a file used by NetBackup clients and servers
- Macromedia Inc.'s Flash Player: a buffer overflow in some versions of the Macromedia Flash Player
- Skype Technologies S.A.'s Skype: a critical buffer overflow vulnerability in versions of the free Internet phone app
25 SANS (SysAdmin, Audit, Network, Security) Institute: The 20 Most Critical Internet Security Vulnerabilities
- Top Vulnerabilities in Windows Systems
- W1. Windows Services
- W2. Internet Explorer
- W3. Windows Libraries
- W4. Microsoft Office and Outlook Express
- W5. Windows Configuration Weaknesses
- Top Vulnerabilities in Cross-Platform Applications
- C1. Backup Software
- C2. Anti-virus Software
- C3. PHP-based Applications
- C4. Database Software
- C5. File Sharing Applications
- C6. DNS Software
- C7. Media Players
- C8. Instant Messaging Applications
- C9. Mozilla and Firefox Browsers
- C10. Other Cross-platform Applications
- Top Vulnerabilities in UNIX Systems
- U1. UNIX Configuration Weaknesses
26 Phishing
- California has passed an antiphishing law, the Anti-Phishing Act of 2005
- With the passage of the Anti-Phishing Act of 2005, California joins such states as Texas, New Mexico, and Arizona, all of which adopted antiphishing legislation earlier this year.
- Phishing victims are typically sent fraudulent e-mail designed to trick them into revealing personal information, like bank account numbers, user names, and passwords.
- Under the Anti-Phishing Act, these victims may seek to recover either the cost of the damages they have suffered or $500,000, whichever is greater; government prosecutors can also seek penalties of up to $2,500 per phishing violation.
- Phishing attacks have been on the rise. Research firm Gartner estimates that 73 million U.S. Internet users received phishing e-mails during the 12 months ended May 2005, up 28 percent from the previous year.
27 Malware
- The mischief-making hacker of the 1990s gives way to the determined high-tech thief of the 21st century
- The 2005 E-Crime Watch survey of security and law enforcement estimated an average loss of $506,670 per organization due to malware
- It's gotten so bad that the U.S. Secret Service and Carnegie Mellon University's Computer Emergency Response Team (CERT) last year stopped publishing the number of computer crime incidents, saying
- "Given the widespread use of automated attack tools, attacks against Internet-connected systems have become so commonplace that counts of the number of incidents reported provide little information with regard to assessing the scope and impact of attacks."
28 How to Build a Legal Case
29 Inference Network Analysis
- Legal cases are proved through inferences.
- These inferences, built in chains, must lead logically from point A to point B
- The strength (or weakness) of these inferences determines the strength of the legal case
30 Chain of Inferences
- Suppose we want to link the defendant (an ex-football player and aspiring movie star) to the murder of his ex-wife
- Initially the evidence is weak (dotted line)
- The defendant and victim were divorced, and that may have been motive for the murder, but that is a weak case
31 The Bloody Glove
- Our investigation has uncovered a bloody glove at the crime scene
- Immediately there is an inference that the glove is somehow involved in the murder. If we later learn that DNA from the bloody glove matches the victim,
- the inferential relationship between murder and glove becomes strong
- Although the connection between the defendant and the victim is still tenuous,
- the connection between the victim and the glove is strong.
- We're not yet satisfied, and the investigation continues
32 Establishing Ownership
- The forensic examiners at the crime lab have determined that the gloves are in fact a very expensive brand sold only to a movie-star / football-player clientele. They are so unique that only 25 pairs have been sold in the past year.
- This information alone does not necessarily strengthen the inferential relationship to the defendant.
- However, taken in combination with the fact that a pair of these gloves was purchased on the ex-football player's credit card two months earlier,
- we are strengthening our chain of inference.
33 Uniquely Connecting the Gloves to their Owner
- Finally our forensic experts compare the DNA from the skin cells found on the glove's lining with that of the defendant: they match
- Up until now, we have only been able to link the defendant inferentially as the owner of similar gloves.
- Now we can link him as the owner of these particular gloves (the dotted arrow becomes solid)
34 Analytical and Automated Fraud Auditing Approaches
35 Computer Assisted Techniques for Fraud Detection
- Audit software has commands that support the auditor's requirement to review transactions for fraud such as the existence of duplicate transactions, missing transactions, and anomalies. Some examples of these commands include
- comparing employee addresses with vendor addresses to identify employees that are also vendors
- searching for duplicate check numbers to find photocopies of company checks
- searching for vendors with post office boxes for addresses
- analyzing the sequence of all transactions to identify missing checks or invoices
- identifying vendors with more than one vendor code or more than one mailing address
- finding several vendors with the same mailing address, and
- sorting payments by amount to identify transactions that fall just under financial-control or contract limits.
- Audit software can be used to interrogate a company's data files and identify data patterns associated with fraud.
- Patterns such as negative entries in inventory received fields, voided transactions followed by "No Sale," or a high percentage of returned items may indicate fraudulent activity.
- Auditors can use these data patterns to develop a "fraud profile" early in their review of operations.
- The patterns can function as auditor-specified criteria, and transactions fitting the fraud profile can trigger auditor reviews.
- Systems can even be built to monitor transactions on an ongoing basis.
- Continuous monitoring is a proactive approach to the early detection of fraud.
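The interrogations listed on this slide, written out as an added example (this is not the lecture's code nor any audit package's commands). The vendor master, employee master and cheque register are constructed sample data, and the field names and the 2 percent "just under the limit" window are assumptions; address matching normalizes common abbreviations so that "High St" and "High Street" compare equal, which is the step most often skipped when this test is done with a plain join.

```python
"""Computer-assisted fraud tests over an accounts-payable extract.

Added example (not from the lecture or any audit product). The vendor,
employee and cheque records below are constructed sample data; the
field names are assumptions about what a typical AP extract contains.
"""
import re
from collections import defaultdict

# Constructed sample data: two vendor codes share one address, one vendor
# uses a PO box, one employee's home address matches a vendor, cheque 1004
# is duplicated, 1006 is missing from the sequence, and two payments sit
# just under a (hypothetical) 5,000 approval limit.
VENDORS = [
    {"code": "V001", "name": "Acme Supplies", "address": "12 High St, Leeds"},
    {"code": "V002", "name": "Acme Supplies Ltd", "address": "12 High Street, Leeds"},
    {"code": "V003", "name": "Quick Consulting", "address": "P.O. Box 441, Hull"},
    {"code": "V004", "name": "J. Smith Services", "address": "7 Elm Road, York"},
]
EMPLOYEES = [
    {"id": "E100", "name": "Jane Smith", "address": "7 Elm Rd, York"},
    {"id": "E101", "name": "Bob Lee", "address": "3 Oak Ave, Bath"},
]
CHEQUES = [
    {"check_no": 1001, "vendor": "V001", "amount": 4990.00},
    {"check_no": 1002, "vendor": "V002", "amount": 1250.00},
    {"check_no": 1003, "vendor": "V003", "amount": 4975.50},
    {"check_no": 1004, "vendor": "V004", "amount": 800.00},
    {"check_no": 1004, "vendor": "V004", "amount": 800.00},   # duplicated number
    {"check_no": 1005, "vendor": "V001", "amount": 12000.00},
    {"check_no": 1007, "vendor": "V003", "amount": 300.00},   # 1006 never issued
]

_ABBREV = {"street": "st", "road": "rd", "avenue": "ave"}
_PO_BOX = re.compile(r"\bp\.?\s*o\.?\s*box\b", re.I)


def normalize_address(addr):
    """Canonical form so 'High St' and 'High Street' compare equal."""
    words = re.sub(r"[^\w\s]", " ", addr.lower()).split()
    return " ".join(_ABBREV.get(w, w) for w in words)


def _vendors_by_address(vendors):
    by_addr = defaultdict(list)
    for v in vendors:
        by_addr[normalize_address(v["address"])].append(v["code"])
    return by_addr


def employees_who_are_vendors(employees, vendors):
    """(employee id, vendor code) pairs sharing a normalized mailing address."""
    by_addr = _vendors_by_address(vendors)
    return sorted((e["id"], code)
                  for e in employees
                  for code in by_addr.get(normalize_address(e["address"]), []))


def po_box_vendors(vendors):
    """Vendor codes whose address is a post office box."""
    return sorted(v["code"] for v in vendors if _PO_BOX.search(v["address"]))


def vendors_sharing_address(vendors):
    """Groups of vendor codes (e.g. one vendor under two codes) at one address."""
    return sorted(tuple(codes) for codes in _vendors_by_address(vendors).values()
                  if len(codes) > 1)


def duplicate_check_numbers(cheques):
    """Cheque numbers that appear more than once in the register."""
    seen, dups = set(), set()
    for c in cheques:
        if c["check_no"] in seen:
            dups.add(c["check_no"])
        seen.add(c["check_no"])
    return sorted(dups)


def sequence_gaps(cheques):
    """Cheque numbers absent between the lowest and highest issued."""
    nums = {c["check_no"] for c in cheques}
    return sorted(set(range(min(nums), max(nums) + 1)) - nums)


def just_under_limit(cheques, limit, window=0.02):
    """Cheque numbers of payments within `window` (fraction) below `limit`."""
    floor = limit * (1 - window)
    return sorted(c["check_no"] for c in cheques if floor <= c["amount"] < limit)


if __name__ == "__main__":
    print("employee = vendor:", employees_who_are_vendors(EMPLOYEES, VENDORS))
    print("PO box vendors:   ", po_box_vendors(VENDORS))
    print("shared address:   ", vendors_sharing_address(VENDORS))
    print("duplicate cheques:", duplicate_check_numbers(CHEQUES))
    print("sequence gaps:    ", sequence_gaps(CHEQUES))
    print("just under 5000:  ", just_under_limit(CHEQUES, 5000.00))
```

Each function returns the keys that need follow-up rather than a verdict: an employee whose address matches a vendor may simply rent a room to a contractor, and a gap in the cheque sequence may be a spoiled form, so the output is a work list for the auditor, not evidence on its own.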
36 Fraud Detection Using Digital Analysis
- A growing area of fraud prevention and detection involves the examination of patterns in data, i.e., Digital Analysis
- The rationale is that unexpected patterns can be symptoms of fraud. A simple example of the application of this technique is a search for duplicate transactions, such as identical invoice or vendor numbers for the same amount.
- A simple digital analysis technique is to search for invoices with even dollar amounts, such as 200.00 or 5,000.00.
- The existence of particular even amounts may be a symptom of fraud and should be examined.
37 Digital Analysis Case Study: Even Amounts
- Travel expenses had always been a concern for the auditors of X Company since it was an area where the controls were weak.
- Employees had a maximum per diem rate when traveling but had to submit receipts to cover the actual expenses.
- Maximums were also established for meals: breakfast 10.00, lunch 20.00, dinner 30.00, and hotel lodging 100.00.
- The auditors configured the audit software to identify meal expenses that were multiples of 10.00.
- These transactions were compared to receipts to ensure that the amounts expensed were appropriate.
- A detailed review determined that many travelers were charging the maximum rates for meals even though their receipts did not justify the amounts.
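The even-amount test from the previous slide and the X Company receipt comparison above, as one added example (not the lecture's or X Company's audit configuration). The claim lines and receipt totals are constructed; the category caps are the X Company maximums quoted above. The test has two parts: a population-level rate of round amounts, and a line-level flag for claims sitting exactly at the cap without a receipt that covers them.

```python
"""Even-amount (round-number) test on travel expense claims.

Added example, not the lecture's own software. The claim lines and
receipt totals are constructed sample data; the category caps are the
X Company maximums quoted in the case study.
"""
from collections import Counter

CAPS = {"breakfast": 10.00, "lunch": 20.00, "dinner": 30.00, "lodging": 100.00}

# Constructed sample: (claim_id, employee, category, amount_claimed, receipt_total)
# receipt_total is None when no receipt was attached.
CLAIMS = [
    ("C1", "E100", "dinner", 30.00, 18.40),     # at cap, receipt lower
    ("C2", "E100", "lunch", 20.00, 20.00),      # at cap, receipt supports it
    ("C3", "E101", "dinner", 23.75, 23.75),
    ("C4", "E101", "breakfast", 10.00, 6.10),   # at cap, receipt lower
    ("C5", "E102", "lunch", 14.20, 14.20),
    ("C6", "E102", "dinner", 30.00, None),      # at cap, no receipt at all
    ("C7", "E103", "lodging", 100.00, 100.00),
    ("C8", "E103", "dinner", 20.00, 20.00),     # round but under cap, supported
]


def is_multiple_of(amount, step=10.00):
    """True for amounts such as 10.00, 20.00, 100.00 (compared in whole cents)."""
    return round(amount * 100) % round(step * 100) == 0


def round_amount_rate(claims, step=10.00):
    """Share of claims that are whole multiples of `step`.

    Under the naive assumption that the cents of a genuine receipt are
    roughly uniform, only about 1 in 1000 amounts would be a multiple of
    10.00 by chance, so a rate anywhere near 0.5 is itself a red flag."""
    hits = sum(1 for c in claims if is_multiple_of(c[3], step))
    return hits / len(claims) if claims else 0.0


def flag_unsupported_caps(claims, caps=CAPS):
    """Claim ids at exactly the category maximum whose receipt does not cover it."""
    flagged = []
    for claim_id, _emp, cat, amount, receipt in claims:
        at_cap = abs(amount - caps[cat]) < 0.005
        supported = receipt is not None and receipt + 0.005 >= amount
        if at_cap and not supported:
            flagged.append(claim_id)
    return flagged


def per_employee_round_counts(claims, step=10.00):
    """Employees ranked by how many round-amount claims they submitted."""
    counts = Counter(c[1] for c in claims if is_multiple_of(c[3], step))
    return counts.most_common()


if __name__ == "__main__":
    print("round-amount rate:", round_amount_rate(CLAIMS))
    print("caps without supporting receipt:", flag_unsupported_caps(CLAIMS))
    print("round claims by employee:", per_employee_round_counts(CLAIMS))
```

Comparing in whole cents avoids the floating-point trap where `30.00 % 10.00` is fine but `0.30 % 0.10` is not zero; the employee ranking is what turns a population statistic into named travelers to interview.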
38 Ratio Analysis
- Another useful fraud detection technique is the calculation of data analysis ratios for key numeric fields.
- Like financial ratios that give indications of the financial health of a company, data analysis ratios report on the "fraud health" by identifying possible symptoms of fraud.
- Three commonly employed ratios are
- the ratio of the highest value to the lowest value (max/min),
- the ratio of the highest value to the second highest value (max/max2), and
- the ratio of the current year to the previous year.
- For example, auditors concerned about prices customers were being charged for products could calculate the ratio of the maximum sales price to the minimum sales price for each product.
- If the ratio is close to 1.0, they can be sure that there is little variance between the highest and lowest prices charged to customers.
- However, if the ratio is large this could indicate that a customer was being charged too much or too little for the product.
39 Ratio Analysis Case Study: Doctored Bills
- The auditors reviewed the patient billing system at Company Y to determine if the appropriate charges were being assessed by health care providers. An initial analysis of the data was performed to calculate the ratio of the highest and lowest charges for each procedure. A judgment was made that procedures with a max/min ratio of greater than 1.30 be noted and subjected to additional review.
- For a particular quarter, three procedures had ratios higher than 1.30, the highest being 1.42. A filter was used to identify the records related to the three procedures in question, and additional analysis was performed. This quickly determined that one doctor was charging significantly more than the other doctors for the same procedures. A comparison of charges from the billing system with payments in the accounts receivable system revealed that the doctor was skimming off the patient payments: the amount recorded in the receivable system was in line with the usual billing amount for the procedures. The doctor was unable to justify the higher prices or explain the difference between the billing and the receivable systems.
- The third ratio compares data from different years, departments or operating areas, and the like. For example, the ratio of the current year's purchases to last year's purchases for each supplier can point to symptoms of fraud such as kickbacks in the contracting section. If the total purchases from a supplier have gone from 100,000 to 400,000, a ratio of 4.0, further analysis may be in order.
40 Ratio Analysis Case Study: Contracting Kickbacks
- Jonathan, one of the contracting officers, had devised a great win/win kickback scheme. The auditors decided to use digital analysis as part of their review of the contracting section. One of the analyses calculated the total contract amount by supplier for each of the past two years. A ratio of current year to previous year was calculated and the minimum, maximum, average, and highest and lowest five ratios were displayed. While the average was close to 1.0, the highest and lowest five values showed that some companies had significant decreases in business, while others had experienced significant increases in business.
- The auditors reviewed the details of all companies that had a ratio of less than 0.7 or more than 1.30. Totals were calculated by contracting officer. For companies with an increase in business, the results revealed that Jonathan had raised many of the contracts. In comparison, Jonathan had raised no contracts with the companies that had seen a decrease in business. The auditors learned of Jonathan's kickback scheme when they interviewed salesmen from the companies that had ratios less than 0.7. Interviews with salesmen from the firms whose ratios were 1.30 or more added credence to the fraud accusations. Both groups of salesmen said that they were told they would only get business if they paid Jonathan a kickback.
41 Benford's Law
- Benford's Law, published by Frank Benford in 1938, predicts the occurrence of digits in data. Benford's Law says that the first digit in a large population of transactions (10,000 plus) will most often be a 1; less frequently will the first digit be a 2, even less frequently a 3.
- An analysis of the frequency distribution of the first or second digits can detect abnormal patterns in the data and may identify possible fraud. An even more focused test can be used to examine the frequency distribution of the first two digits (FTD). The formula for the expected frequencies is
- Expected FTD frequency = log10(1 + 1/FTD)
- Therefore, the expected frequency of 13 is log10(1 + 1/13), about 0.032. The expected frequencies range from 0.041 for 10 to 0.004 for 99.
- Some audit software programs can be used to determine the frequency distribution for first digits, first two digits, and second digits.
- Note: not all data will have distributions as predicted by Benford's Law. Sometimes there is a valid rationale for certain numbers occurring more frequently than expected. For example, if a company sends a large amount of correspondence via courier, and the cost is a standard rate (6.12) for sending a package of under one pound, then the first digit (6) or the first two digits (61) may occur more often than predicted by Benford's Law. Assigned numbers (invoice numbers, account codes, phone numbers) and fields with a built-in minimum or maximum do not follow the law at all and should not be tested this way.
42 Benford's Law Case Study: Signature Authority
- The auditors for Z Company were investigating possible fraud in the contracting section, where thousands of contracts were raised every month. They used Benford's Law to examine the first two digits of the contract amount. The results of their analysis revealed that the digits 49 were in the data more often than expected.
- Classifying on the contracting officer for all contracts with 49 as the first two digits determined that the contracting manager was raising contracts for 49,000 to 49,999 to avoid contracting regulations.
- Contracts under 50,000 could be sole-sourced; contracts greater than 50,000 had to be submitted to the bidding process. He was raising contracts just under the financial limit and directing them to a company owned by his wife.
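The first-two-digit test of the previous slide, run against a population shaped like the Z Company case, as an added example (not the lecture's audit software). The contract amounts are constructed: a Benford-conforming base of 10,000 amounts plus 150 contracts raised in the 49,000 to 49,999 band. Each digit pair gets a z-statistic for the difference between its observed and expected proportion, with the 1/(2n) continuity correction clamped at zero; the 2.58 cutoff (two-sided 1 percent) is an assumption, and with 90 pairs under test one or two innocent pairs will usually cross it, so the output is sorted so that the real outlier is at the top.

```python
"""First-two-digit (FTD) Benford test with a z-statistic per digit pair.

Added example, not the lecture's own audit software. The contract
amounts are constructed: a Benford-like base population plus a spike of
contracts in the 49,000-49,999 band, mimicking the Z Company case.
"""
import math
import random
from collections import Counter


def expected_ftd():
    """Benford expected frequency log10(1 + 1/d) for d = 10..99 (sums to 1)."""
    return {d: math.log10(1 + 1 / d) for d in range(10, 100)}


def first_two_digits(amount):
    """Leading two significant digits of a positive amount, ignoring scale."""
    if amount <= 0:
        return None
    mantissa = f"{amount:.10e}".replace(".", "")   # e.g. 4.9123e+04 -> '49123...e+04'
    return int(mantissa[:2])


def ftd_counts(amounts):
    """Observed count of each first-two-digit pair."""
    return Counter(d for d in map(first_two_digits, amounts) if d is not None)


def z_stat(observed, expected, n):
    """z for an observed proportion against Benford's expected proportion,
    with the 1/(2n) continuity correction (clamped so z is never negative)."""
    p_obs = observed / n
    num = max(abs(p_obs - expected) - 1 / (2 * n), 0.0)
    return num / math.sqrt(expected * (1 - expected) / n)


def benford_ftd_test(amounts, z_threshold=2.58):
    """(pair, observed, expected_count, z) for every digit pair whose share
    departs from Benford at or above `z_threshold`, largest z first."""
    counts = ftd_counts(amounts)
    n = sum(counts.values())
    exp = expected_ftd()
    flagged = []
    for d in range(10, 100):
        z = z_stat(counts.get(d, 0), exp[d], n)
        if z >= z_threshold:
            flagged.append((d, counts.get(d, 0), round(exp[d] * n, 1), round(z, 2)))
    return sorted(flagged, key=lambda t: -t[3])


def benford_sample(n, seed=1):
    """Constructed Benford-conforming amounts: 10**U with U uniform on [3, 7)."""
    rng = random.Random(seed)
    return [round(10 ** rng.uniform(3, 7), 2) for _ in range(n)]


def z_company_population(seed=1):
    """Constructed: 10,000 Benford-like contracts plus 150 raised at
    49,000-49,999, just under a 50,000 sole-source limit."""
    rng = random.Random(seed)
    spike = [round(rng.uniform(49000, 49999.99), 2) for _ in range(150)]
    return benford_sample(10000, seed) + spike


if __name__ == "__main__":
    for pair, obs, exp_n, z in benford_ftd_test(z_company_population()):
        print(f"FTD {pair}: observed {obs}, expected {exp_n}, z = {z}")
```

The flagged pair is the starting point, not the finding: as in the case study, the next step is to classify the 49xxx contracts by contracting officer and by supplier, which is where one manager and one company fall out.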