Forensics, Fraud and Analytical Techniques

1
Forensics, Fraud and Analytical Techniques

• Computer Forensics (Chapter 12)
• Practicum Dell Computer Corporation
• (Planning Materiality and Tolerable Misstatement)

2
Schedule (revised)
3
For next week

• Comprehensive review of ISMT300T IS Audit course
  Materials
• Example question for test
• Suggested review readings

4
Dell Computer

• Materiality and Tolerable Error

5
Crime Doesnt Pay?

• As Willie Sutton the bank robber said when asked
  why he robbed banks
• 'because that's where the money is
• Sutton robbed banks and he was good at it. He
  made no bones about that. He usually packed a
  gun, either a pistol or a Thompson submachine gun
• "You can't rob a bank on charm and personality"
• "Why did I rob banks? Because I enjoyed it. I
  loved it. I was more alive when I was inside a
  bank, robbing it, than at any other time in my
  life. I enjoyed everything about it so much that
  one or two weeks later I'd be out looking for the
  next job. But to me the money was the chips,
  that's all."
• From Where the Money Was The Memoirs of a Bank
  Robber (Viking Press, New York, 1976)

6
Why Computer Crime?

• Because that's where the money is (c. 2005)
• Money is no longer held in physical form
• How much money is being handled daily by computer
  exchange systems in 2005?
• Foreign exchange 2 trillion daily
• Derivatives markets 5 trillion daily
• Outstanding derivatives positions 200 trillion
• NYSE daily activity 1.6 trillion daily

7
Types of Computer CrimeBusiness as a Victim

• Employee Thefts
• Payroll Fraud
• Fraudulent
• Billing Schemes
• Fraud
• Committed by outsiders
• Management Thefts
• Corporate Thefts

8
Types of Computer CrimeBusiness as a Vehicle

• Organized Crime
• Money laundering
• Theft from Minority Shareholders
• Other Stock Market Fraud
• Bankruptcy Fraud

9
Crimes new venue

• The Internet (With an estimated 1 billion people
  ) is now in a golden age of criminal invention.
• It's a "dot-con" boom, in which electronic crime
  runs rampant in a frantic search for business
  models.
• Even encryption, supposedly a defensive measure,
  has become a tool for extortion
• witness the weird new crime of breaking into a
  computer, encrypting its contents, and then
  demanding a payoff to supply a password to the
  victim's own data.
• The crime's so new, it doesn't even have a name
  yet.
• All the classic scams and rackets that city
  sharpies push on rubes can be digitized
• once there were a few relatively uncomplicated
  viruses, now there are torrents of fast-evolving,
  multifaceted viruses.
• Where once there was just small-time credit-card
  fraud, now there is international credit-card
  racketeering.
• Computer-network password theft has turned into
  sophisticated ID fraud that robs patrons of banks
  and online auction sites.
• Spam, once an occasional rude violation of
  "netiquette," now arrives by the ton (12.9
  billion pieces a day worldwide last May,
  according to the e-mail security firm IronPort)
• Then there are the newer electronic crimes,
  proliferating so fast that even experts have
  trouble keeping up with the jargon. Phishing.
  Spear phishing. Pharming. DDOS. DDOS protection
  rackets. Spyware. Scumware. Web site defacement.
  Botnets. Keylogging.

10
FBI 2005 Computer Crime and Security Survey

• Companies with sales of less than 10 million per
  year
• spent 643 per employee on computer security each
  year.
• For companies with more than 1 billion in annual
  revenue
• the amount spent on security dropped to 247 per
  employee.
• The survey found that companies in the utilities
  business spent the most on computer security
• on average, 190 per employee per year.
• Next highest on the list were transportation and
  telecommunication companies, with average annual
  costs per employee of 187 and 132, respectively.

11
Computer Criminals Today

• The largest class of crime is Internet based
• Generally, there is a form of compartmentalization
  , from the top down
• At the top of the food chain is someone who has
  the financial means to organize a group
• This individual, acting as the criminal kingpin,
  puts together a plan and then assembles the
  necessary technologically savvy individuals.
• These groups work together without central
  organization
• Many members are recruited through acquaintances
  others are found online
• Individuals use Web sites, online forums, and IRC
  channels to advertise their services and meet
  their colleagues. Many others visit these sites
  to learn how to get started in the business.
• The scene is always looking for rooters,
  scanners, curriers various hacking specialties
• Once they've learned those skills, hackers
  commonly operate as freelancers, working on
  projects in an area of expertise--whether it be
  writing exploits, building botnet networks, or
  designing fake Web sites
• And like legitimate businesspeople and
  freelancers, they must build a reputation before
  they can get hired for lucrative work.

12
Hotspots for Internet crime

• Brazil, Bulgaria, China, Estonia, Hungary,
  Indonesia, Japan, Latvia, Malaysia, North Korea,
  Romania, Russia, and the United States are major
  centers for organized hacking
• Why are certain areas hotspots?
• Places where there's a significant amount of
  activity usually have a technically advanced
  population and a large population of computer
  users.
• You also have a poor economy, so you have people
  with the technical skills to do good work, but
  they can't find a job that will provide for them,
  
• so they may have to resort to doing things that
  are against the law
• These hotspots (other than the United States and
  Japan) also tend to be countries where laws and
  law enforcement lag
• hackers will find the weakest link, the country
  with no laws

13
Denial-of-service (DoS attack)

• A "denial-of-service" attack is characterized by
  an explicit attempt by attackers to prevent
  legitimate users of a service from using that
  service. Examples include
• attempts to "flood" a network, thereby preventing
  legitimate network traffic
• attempts to disrupt connections between two
  machines, thereby preventing access to a service
• attempts to prevent a particular individual from
  accessing a service
• attempts to disrupt service to a specific system
  or person
• Details are at http//www.cert.org/tech_tips/denia
  l_of_service.html

14
Zombies

• Zombies do a lot of the heavy lifting
• malware-infected computers that an online puppet
  master controls
• Set to work in thousands or even tens of
  thousands, the machines in a zombie network or
  "botnet" attempt to carry out the high-tech money
  grab.
• Botnets are popular because of their increasing
  sophistication and multiple uses.
• versatile zombie armies pull in cash for their
  controllers in a variety of ways.
• Sending spam (a big money-maker)is one common
  use.
• Zombie networks can also steal personal
  information for purposes of identity theft.
• When botnets are used to launch a DDoS attack,
• the ringleader instructs each zombie computer to
  send a flood of data to a particular Web site.
• By itself, the data from a single PC can't hurt a
  site.
• But multiply that traffic by 10,000 or more
  computers, and a Web site can easily be
  overwhelmed and cut off from the Internet.
• E.g., MyDoom had a rather unsophisticated means
  of controlling host machines.
• Once it insinuated itself into an unprotected PC,
• anyone who knew a not-so-secret five-digit code
  could commandeer the computer for any desired
  purpose
• As a result, MyDoom-compromised computers were
  very popular with online criminals for a while

15
Botnets

• Malware turned an average of 172,009 previously
  healthy computers into zombies every day during
  May 2005
• CipherTrust, an e-mail security company that
  tracks botnets
• As processing power improves and broadband
  Internet connections become more widespread,
  zombie computers will be able to send more spam
  or hit Web sites harder
• and botnets will become more powerful.
• Also, the ability to shuffle funds
• including ransom payments
• anonymously through convoluted Internet paths
  using human mules (in much the same way as in the
  drug trade) and online payment services
• means that criminals can revisit old approaches.

16
Cops and Robbers

• Some botnets consist of phalanxes of from 15,000
  to 50,000 zombie PCs that are controlled by
  groups of people dispersed around the world
• Christopher Painter, deputy chief of the Computer
  Crime section of the U.S. Department of Justice.
• Most perpetrators are adults who execute
  extremely sophisticated assaults. "They don't
  brag, and they cover their tracks very well,"
  (Painter)
• One notorious cybergang, called Shadowcrew,
  reportedly had 4000 members scattered across the
  United States, Brazil, Spain, and Russia.

17
Objectives

• Money is these cybergangs' primary motivation
• The asking price for temporary use of an army of
  20,000 zombie PCs today is 2000 to 3000,
  according to a June posting on SpecialHam.com, an
  electronic forum for hackers
• Marshaling their armies of zombie PCs, online
  extortionists may threaten to crash a company's
  Web site unless they are paid off.
• Hackers are not shy about asking for 20,000 to
  30,000 from companies.

18
Payoffs

• Companies know it's far cheaper to pay the
  hackers than to get knocked offline and lose
  hundreds of thousands of dollars in lost business
• Many extortionists go unreported because
  businesses are unwilling to volunteer evidence of
  their coercion to law enforcement officials,
• corporations don't want to admit to their
  customers, stockholders, and business partners
  their networks were ever vulnerable to an attack.
• only about 20 percent of computer intrusions are
  ever reported to law enforcement agencies.
• The US Secret Service receives between 10 and 15
  inquiries per week from businesses owners who
  believe they may be the target of a cyberattack.
• 2004 survey conducted by the Computer Security
  Institute

19
Case Study Protx

• When the first extortion e-mail popped into
  Michael Alculumbre's inbox, he had no idea it was
  about to cost his business nearly 500,000.
• The note arrived in early November of last year,
  as Alculumbre's London-based transaction
  processing company, Protx was being hit by a
  nasty distributed denial of service (DDoS)
  attack.
• Zombie PCs from around the world were flooding
  Protx.com (the company's Web site) and the
  transaction processing server that was the
  commercial heart of the business.
• In extortion e-mail's broken English, someone
  identifying himself as Tony Martino proposed a
  classic organized-crime protection scheme.
• "You should pay 10,000," Martino wrote. "When we
  receive money, we stop attack immediately.
• The e-mail even promised one year's protection
  from other attackers for the 10,000 fee.
• "Many companies paid us, and use our protection
  right now," Martino said. "Think about how much
  money you lose, while your servers are down."
• A 2004 PriceWaterhouseCoopers survey of more than
  1000 businesses in the UK found that,
• on average, companies spent more than 17,000 on
  their worst security incident that year.
• For large companies, that amount was closer to
  210,000, the study found.
• For companies of either size, most of the loss
  was due to the disruption in their ability to do
  business, with expenses for troubleshooting the
  incident and actual cash spent responding to it
  accounting for considerably less.

20
Case Study Protx

• By scrambling its IT staff and prohibiting
  traffic from zombie servers
• at one point, Protx.com simply blocked all
  traffic originating from the Western United
  States
• that company managed to survive the first wave of
  the attack against it.
• But the 13-person company's biggest cost involved
  preparing for the next assaults, consisting of
  thousands of server requests, which came in
  January and April of 2005.
• The April attack, which lasted for more than five
  days, was the most severe,
• as Protx and the attackers engaged in a kind of
  online cat and mouse
• Just as Alculumbre's technicians found one way to
  block the flood of unwanted server messages, the
  attackers would switch to another tack.
• At one point, the cybercrooks used a new exploit
  of Microsoft's Microsoft Internet Information
  Services server that caused the Protx Web site to
  crash whenever certain types of secure messages
  got through.
• Protx responded by installing an SSL accelerator
  and analyzing the messages before letting them
  through.
• On the final day of the April assault, the
  attackers hit Protx with everything they had.
• At the peak of the assault, the company's servers
  were processing 800 megabits of traffic per
  second, the equivalent of more than 530 T1 lines
  firing at full capacity.

21
Case Study Protx

• Just a few years ago, financially motivated
  attackers tended to focus on fringe businesses
  like online gaming sites.
• Transaction processors like Protx are now choice
  prey for extortionists,
• If you bring down your payment processor, you can
  bring down hundreds of online processors
• Transaction processors like Protx will do
  everything in their power not to be offline
• therefore, they are investing heavily in security
  and bandwidth.
• Protx ended up spending a whopping 38,000 per
  employee on security in 2004

22
Client-side Targets

• About 60 percent of new vulnerabilities now
  affect client-side applications
• like Web browsers and media players
• And those vulnerabilities are drawing all the
  wrong sorts of attention
• In 2005, unwanted network traffic targeting
  Symantec Veritas BackupExec
• rocketed to 500,000 instances within days of an
  announced security hole in the product,
• up from a previous maximum of about 50,000
  instances.
• Microsoft Office, Internet Explorer, Firefox, and
  AOL Instant Messenger also suffered from serious
  reported vulnerabilities, as did RealPlayer and
  iTunes

23
Focus of Client-side Attacks

• Attackers now target
• backup and recovery programs,
• as well as "the antivirus and other security
  tools that most organizations think are keeping
  them safe
• SANS Top 20 report for 2005 on the most critical
  Internet vulnerabilities
• The shift toward finding and exploiting
  vulnerabilities in programs represents a major
  change from past years,
• when Windows and other operating systems and
  Internet services like Web and e-mail servers
  were the preferred targets.

24
Client-side CrimeRecent Problem Software

• Some of the latest application holes
• Sony BMG's XCP copy protection Used ham-fisted
  rootkit code to hide every file name that began
  with the characters "sys" virus writers soon
  released worms and Trojan horse programs to
  leverage the XCP cloaking features
• Symantec/Veritas NetBackup A buffer overflow
  vulnerability in a file used by NetBackup clients
  and servers
• Macromedia Inc.'s Flash Player A buffer
  overflow in some versions of the Macromedia Flash
  Player
• Skype Technologies S.A.'s Skype A critical
  buffer overflow vulnerability in versions of the
  free Internet phone app

25
SANS (SysAdmin, Audit, Network, Security)
Institute The 20 Most Critical Internet
Security Vulnerabilities

• Top Vulnerabilities in Windows Systems
• W1. Windows Services
• W2. Internet Explorer
• W3. Windows Libraries
• W4. Microsoft Office and Outlook Express
• W5. Windows Configuration Weaknesses
• Top Vulnerabilities in Cross-Platform
  Applications
• C1. Backup Software
• C2. Anti-virus Software
• C3. PHP-based Applications
• C4. Database Software
• C5. File Sharing Applications
• C6. DNS Software
• C7. Media Players
• C8. Instant Messaging Applications
• C9. Mozilla and Firefox Browsers
• C10. Other Cross-platform Applications
• Top Vulnerabilities in UNIX Systems
• U1. UNIX Configuration Weaknesses

26
Phishing

• California has passed an antiphishing law,
• the Anti-Phishing Act of 2005
• With the passage of the Anti-Phishing Act of
  2005, California joins such states as Texas, New
  Mexico, and Arizona, all of which adopted
  antiphishing legislation earlier this year.
• Phishing victims are typically sent fraudulent
  e-mail designed to trick them into revealing
  personal information, like bank account numbers,
  user names, and passwords.
• Under the Anti-Phishing Act, these victims may
  seek to recover either the cost of the damages
  they have suffered or 500,000, whichever is
  greater government prosecutors can also seek
  penalties of up to 2500 per phishing violation.
• Phishing attacks have been on the rise. Research
  firm Gartner estimates that 73 million U.S.
  Internet users received phishing e-mails during
  the 12 months ended May 2005, up 28 percent from
  the previous year.

27
Malware

• The mischief-making hacker of the 1990s gives way
  to the determined high-tech thief of the 21st
  century
• The 2005 E-Crime Watch survey of security and law
  enforcement
• estimated an average loss of 506,670 per
  organization due to malware
• It's gotten so bad that the U.S. Secret Service
  and Carnegie Mellon University's Computer
  Emergency Response Team (CERT)
• last year stopped publishing the number of
  computer crime incidents, saying
• "Given the widespread use of automated attack
  tools, attacks against Internet-connected systems
  have become so commonplace that counts of the
  number of incidents reported provide little
  information with regard to assessing the scope
  and impact of attacks."

28
How to Build a Legal Case
29
Inference Network Analysis

• Legal cases are proved through inferences.
• These inferences, built in chains, must lead
  logically from point A to point B
• He strength (or weakness) of these inferences
  determines the strength of the legal case

30
Chain of Inferences

• Suppose we want to link the defendant (and
  ex-football player and aspiring movie star) to
  the murder of his ex-wife
• Initially the evidence is weak (dotted line)
• The defendant and victim were divorced, and that
  may have been motive for the murder, but that is
  a weak case

31
The Bloody Glove

• Our investigation has uncovered a bloody glove at
  the crime scene
• Immediately there is an inference that the glove
  is somehow involved in the murder. If we later
  learn that DNA from the bloody glove matches the
  victim
• The inferential relationship between murder and
  glove become strong
• Although the connection between the defendant and
  the victim is still tenuous,
• The connection between the victim and the glove
  is strong.
• We re not yet satisfied, and the investigation
  continues

32
Establishing Ownership

• The forensic examiners at the crime lab have
  determined that the gloves are in fact a very
  expensive brand sold only in movie-star /
  football players. They are so unique that only
  25 pairs have been sold in the past year.
• This information alone does mot necessarily
  strengthen the inferential relationship to the
  defendant.
• However, taken in combination with the fact that
  a par of these gloves was purchased on the
  ex-football players credit card two months
  earlier,
• we are strengthening our chain of inference.

33
Uniquely Connecting the Gloves to their Owner

• Finally our forensic experts compare the DNA from
  the skin cells found on the glove's lining with
  those of the defendant they match
• Up until now, we have only bee able to link the
  defendant inferentially as the owner of similar
  gloves.
• Now we can link him as the owner of these
  particular gloves (the dotted arrow becomes solid)

34
Analytical and Automated Fraud Auditing Approaches
35
Computer Assisted Techniques for Fraud Detection

• Audit software has commands that support the
  auditor's requirement to review transactions for
  fraud such as the existence of duplicate
  transactions, missing transactions, and
  anomalies. Some examples of these commands
  include
• comparing employee addresses with vendor
  addresses to identify employees that are also
  vendors
• searching for duplicate check numbers to find
  photocopies of company checks
• searching for vendors with post office boxes
  for addresses
• analyzing the sequence of all transactions to
  identify missing checks or invoices
• identifying vendors with more than one vendor
  code or more than one mailing address
• finding several vendors with the same mailing
  address and
• sorting payments by amount to identify
  transactions that fall just under financial
  control on contract limits.
• Audit software can be used to interrogate a
  company's data files and identify data patterns
  associated with fraud.
• Patterns such as negative entries in inventory
  received fields, voided transactions followed by
  "No Sale,"
• or a high percentage of returned items may
  indicate fraudulent activity.
• Auditors can use these data patterns to develop
  a "fraud profile" early in their review of
  operations.
• The patterns can function as auditor-specified
  criteria and transactions fitting the fraud
  profile can trigger auditor reviews.
• Systems can even be built to monitor transactions
  on an ongoing basis.
• Continuous monitoring is a proactive approach to
  the early detection of fraud.

36
Fraud Detection Using Digital Analysis

• A growing area of fraud prevention and detection
  involves the examination of patterns in data
  i.e., Digital Analysis
• The rationale is that unexpected patterns can be
  symptoms of fraud. A simple example of the
  application of this technique is a search for
  duplicate transactions, such as identical invoice
  or vendor numbers for the same amount.
• A simple digital analysis technique is to search
  for invoices with even dollar amounts, such as
  200.00 or 5,000.00.
• The existence of particular even amounts may be a
  symptom of fraud and should be examined.

37
Digital Analysis Case Study Even Amounts

• Travel expenses had always been a concern for the
  auditors of X Company since it was an area where
  the controls were weak.
• Employees had a maximum per diem rate when
  traveling but had to submit receipts to cover the
  actual expenses.
• Maximums were also established for meals
  breakfast 10.00, lunch 20.00, dinner 30.00,
  and hotel lodging 100.00.
• The auditors configured the audit software to
  identify meal expenses that were multiples of
  10.00.
• These transactions were compared to receipts to
  ensure that the amounts expensed were
  appropriate.
• A detailed review determined that many travelers
  were charging the maximum rates for meals even
  though their receipts did not justify the
  amounts.

38
Ratio Analysis

• Another useful fraud detection technique is the
  calculation of data analysis ratios for key
  numeric fields.
• Like financial ratios that give indications of
  the financial health of a company, data analysis
  ratios report on the fraud health by identifying
  possible symptoms of fraud.
• Three commonly employed ratios are
• the ratio of the highest value to the lowest
  value (max/min)
• the ratio of the highest value to the second
  highest value (max/max2) and
• the ratio of the current year to the previous
  year.
• For example, auditors concerned about prices
  customers were being charged for products could
  calculate the ratio of the maximum sales price to
  the minimum sales price for each product.
• If the ratio is close to 1.0, they can be sure
  that there is little variance between the highest
  and lowest prices charged to customers.
• However, if the ratio is large this could
  indicate that a customer was being charged too
  much or too little for the product.

39
Ratio Analysis Case Study Doctored Bills

• The auditors reviewed the patient billing system
  at Company Y to determine if the appropriate
  charges were being assessed by health care
  providers. An initial analysis of the data was
  performed to calculate the ratio of the highest
  and lowest charges for each procedure. A judgment
  was made that procedures with a max/min ratio of
  greater than 1.30 be noted and subjected to
  additional review.
• For a particular quarter, three procedures had
  ratios higher than 1.30, the highest being 1.42.
  A filter was used to identify the records related
  to the three procedures in question, and
  additional analysis was performed. This quickly
  determined that one doctor was charging
  significantly more than the other doctors for the
  same procedures. A comparison of charges from the
  billing system with payments in the accounts
  receivable system revealed that the doctor was
  skimming off the patient payments. The amount
  recorded in the receivable system was in line
  with the usual billing amount for the procedures.
  The doctor was unable to justify the higher
  prices or explain the difference in the billing
  and the receivable systems.
• The third ratio compares data from different
  years, departments or operating areas, and the
  like. For example, the ratio of last year's
  purchases to current year's purchases for each
  supplier can point to symptoms of fraud such as
  kickbacks in the contracting section. If the
  total purchases from a supplier has gone from
  100,000 to 400,000--a ratio of 4.0--further
  analysis may be in order.

40
Ratio Analysis Case Study Contracting Kickbacks

• Jonathan, one of the contracting officers, had
  devised a great win/win kickback scheme. The
  auditors decided to use digital analysis as part
  of their review of the contracting section. One
  of the analyses calculated the total contract
  amount by supplier for each of the past two
  years. A ratio of current year to previous year
  was calculated and the minimum, maximum, average,
  and highest and lowest five ratios were
  displayed. While the average was close to 1.0,
  the highest and lowest five values showed that
  some companies had significant decreases in
  business, while others had experienced
  significant increases in business.
• The auditors reviewed the details of all
  companies that had a ratio of less than 0.7 or
  more than 1.30. Totals were calculated by a
  contracting officer. For companies with an
  increase in business, the results revealed that
  Jonathan had raised many of the contracts. In
  comparison, Jonathan had raised no contracts with
  the companies that had seen a decrease in
  business. The auditors learned of Jonathan's
  kickback scheme when they interviewed salesmen
  from the companies that had ratios less than 0.7.
  Interviews with salesmen from the firms that had
  increased sales by 1.30 or more added credence to
  the fraud accusations. Both groups of salesmen
  said that they were told they would only get
  business if they paid Jonathan a kickback.

41
Benford's Law

• Benford's Law, developed by Frank Benford in the
  1920s, predicts the occurrence of digits in data.
  Benford's Law concludes that the first digit in a
  large population of transactions (10,000 plus)
  will most often be a 1. Less frequently will the
  first digit be a 2 even less frequently a 3.
• An analysis of the frequency distribution of the
  first or second digits can detect abnormal
  patterns in the data and may identify possible
  fraud. An even more focused test can be used to
  examine the frequency distribution of the first
  two digits (FTD). The formula for the expected
  frequencies is
• Expected FTD Frequency log(11/FTD)
• Therefore, the expected frequency of 13 is
  log(11/13). The expected frequencies range from
  0.041 for 10, to 0.004 for 99.
• Some audit software programs can be used to
  determine the frequency distribution for first
  digits, first two digits, and second digits.
• Note not all data will have distributions as
  predicted by Benford's Law. Sometimes there is
  valid rationale for certain numbers occurring
  more frequently than expected. For example, if a
  company sends a large amount of correspondence
  via courier, and the cost is a standard rate
  (6.12) for sending a package of under one pound,
  then the first digit (6) or the first two digits
  (61) may occur more often than predicted by
  Benford's Law.

42
Benford's Law Case Study Signature Authority

• The auditors for Z Company were investigating
  possible fraud in the contracting section, where
  thousands of contracts were raised every month.
  They used Benford's Law to examine the first two
  digits of the contract amount. The results of
  their analysis revealed that the digits 49 were
  in the data more often than expected.
• Classifying on the contracting officer for all
  contracts with 49 as the first two digits
  determined that the contracting manager was
  raising contracts for 49,00049,999 to avoid
  contracting regulations.
• Contracts under 50,000 could be sole-sourced
  contracts greater than 50,000 had to be
  submitted to the bidding process. He was raising
  contracts just under the financial limit and
  directing them to a company owned by his wife.