Grover Kearns, PhD, CPA, CFE

1
Computer Forensics for AccountantsClass
2Summer 2013

• Grover Kearns, PhD, CPA, CFE

2
Laptop Security Tips

• Treat it like cash.
• Get it out of the car...dont ever leave it
  behind.
• Keep it locked...use a security cable.
• Keep it off the floor...or at least between your
  feet.
• Keep passwords separate...not near the laptop or
  case.
• Dont leave it for just a sec...no matter where
  you are.
• Pay attention in airports...especially at
  security.

3
Importance of IT Forensic Techniques to
Organizations The New Corporate Environment

• Sarbanes-Oxley 2002
• SAS 78, 80, 94, 99
• COSO and COBIT
• ISO 9000 and ISO 17799
• Gramm-Leach-Bliley Act
• US Foreign Corrupt Practices Act
• all of these have altered the corporate
  environment and made forensic techniques a
  necessity!

4
Importance of IT Forensic Techniques to Auditors
SAS 99

• SAS No. 99 - Consideration of Fraud in a
  Financial Statement Audit - requires auditors to
  
• Understand fraud
• Gather evidence about the existence of fraud
• Identify and respond to fraud risks
• Document and communicate findings
• Incorporate a technology focus

5
Importance of IT Forensic Techniques to Auditors

• Majority of fraud is uncovered by chance
• Auditors often do not look for fraud
• Prosecution requires evidence
• Value of IT assets growing
• Treadway Commission Study
• Undetected fraud was a factor in one-half of the
  450 lawsuits against independent auditors.

6
Digital Crime Scene Investigation Digital
Forensic Investigation

• A process that uses science and technology to
  examine digital objects and that develops and
  tests theories, which can be entered into a court
  of law, to answer questions about events that
  occurred.
• IT Forensic Techniques are used to capture and
  analyze electronic data and develop theories.

7
Audit Goals of a Forensic Investigation

• Uncover fraudulent or criminal cyber activity
• Isolate evidentiary matter (freeze scene)
• Document the scene
• Create a chain-of-custody for evidence
• Reconstruct events and analyze digital
  information
• Communicate results

8
Audit Goals of a Forensic Investigation
Immediate Response

• Shut down computer (pull plug)
• Bit-stream mirror-image of data
• Begin a traceback to identify possible log
  locations
• Contact system administrators on intermediate
  sites to request log preservation
• Contain damage and stop loss
• Collect local logs
• Begin documentation

9
Audit Goals of a Forensic Investigation
Continuing Investigation

• Implement measures to stop further loss
• Communicate to management and audit committee
  regularly
• Analyze copy of digital files
• Ascertain level and nature of loss
• Identify perpetrator(s)
• Develop theories about motives
• Maintain chain-of-custody

10
Disk Geometry
11
Slack Space
End of File
Slack Space
Last Cluster in a File
12
Data RecoveryFile Recovery with PC Inspector
13
Data EradicationSecurely Erasing Files
14
Data IntegrityMD5

• Message Digest a hashing algorithm used to
  generate a checksum
• Available online as freeware
• Any changes to file will change the checksum
• Use
• Generate MD5 of system or critical files
  regularly
• Keep checksums in a secure place to compare
  against later if integrity is questioned

15
Data IntegrityMD5 Using HashCalc
16
Data Integrity HandyBits EasyCrypto
17
Audit Command Language (ACL)

• ACL is the market leader in computer-assisted
  audit technology and is an established forensics
  tool.
• Clientele includes
• 70 percent of the Fortune 500 companies
• over two-thirds of the Global 500
• the Big Four public accounting firms

18
Forensic ToolsAudit Command Language

• ACL is a computer data extraction and analytical
  audit tool with audit capabilities
• Statistics
• Duplicates and Gaps
• Stratify and Classify
• Sampling
• Benford Analysis

19
(No Transcript)
20
(No Transcript)
21
(No Transcript)
22
(No Transcript)
23
(No Transcript)
24
Forensic Tools ACLBenford Analysis

• States that the leading digit in some numerical
  series follows an exponential distribution
• Applies to a wide variety of figures financial
  results, electricity bills, street addresses,
  stock prices, population numbers, death rates,
  lengths of rivers

25
(No Transcript)
26
Ll
27
(No Transcript)
28
(No Transcript)
29
Practical applications for Benford's law and
digital analysis

• Accounts payable data.
• Estimations in the general ledger.
• The relative size of inventory unit prices among
  locations.
• Duplicate payments.
• Computer system conversion (for example, old to
  new system accounts receivable files).
• Processing inefficiencies due to high
  quantity/low dollar transactions.
• New combinations of selling prices.
• Customer refunds.

30
(No Transcript)
31
(No Transcript)
32
Background Checks
33
(No Transcript)
34
(No Transcript)
35
Developing a Forensic Protocol

• The response plan must include a coordinated
  effort that integrates a number of organizational
  areas and possibly external areas
• Response to fraud events must
  have top priority
• Key players must exist at all
  major organizational
  locations

36
A Forensic ProtocolSecurity Exposures

• Organizations may possess critical technology
  skills but
• Skills are locked in towers IT, Security,
  Accounting, Auditing
• Skills are centralized while fraud events can be
  decentralized
• Skills are absent vacations, illnesses, etc

37
A Forensic ProtocolThe Role of Policies

• They define the actions you can take
• They must be clear and simple to understand
• The employee must acknowledge that he or she read
  them, understands them and will comply with them
• They cant violate law

38
A Forensic Protocol Forensic Response Control

• Incident Response Planning
• Identify needs and objectives
• Identify resources
• Create policies, procedures
• Create a forensic protocol
• Acquire needed skills
• Train
• Monitor

39
A Forensic ProtocolDocumenting the Scene

• Note time, date, persons present
• Photograph and video the scene
• Draw a layout of the scene
• Search for notes (passwords) that might be useful
• If possible freeze the system such that the
  current memory, swap files, and even CPU
  registers are saved or documented

40
A Forensic Protocol Forensic Protocol

• First responder triggers alert
• Team response
• Freeze scene
• Begin documentation
• Auditors begin analysis
• Protect chain-of-custody
• Reconstruct events and develop theories
• Communicate results of analysis

41
A Forensic Protocol Protocol Summary

• Ensure appropriate policies
• Preserve the crime scene (victim computer)
• Act immediately to identify and preserve logs on
  intermediate systems
• Conduct your investigation
• Obtain subpoenas or contact law enforcement if
  necessary
• Key Coordination between functional areas

42
Conclusion

• Computer Forensic Skills Can
• Decrease occurrence of fraud
• Increase the difficulty of committing fraud
• Improve fraud detection methods
• Reduce total fraud losses
• Auditors trained in these skills are more
  valuable to the organization!

43
Preventing Internal Attacks Common Sense Measures

• Notify employees that their use of the company's
  personal computers, computer networks, and
  Internet connections will be monitored. Then do
  it.
• Limit physical access to computers - imposition
  of passwords magnetic card readers and
  biometrics, which verifies the user's identity
  through matching patterns in hand geometry,
  signature or keystroke dynamics, neural networks
  (the pattern of nerves in the face), DNA
  fingerprinting, retinal imaging, or voice
  recognition. More traditional site control
  methods such as sign-in logs and security badges
  can also be useful.
• Classify information based on its importance,
  assigning security clearances to employees as
  needed.
• Eliminate nonessential modems that could be used
  to transmit information.
• Monitor activities of employees who keep odd
  hours at the office.
• Includes extensive background checks in the
  company's hiring process , especially in cases
  where the employee would be handling sensitive
  information.
• Stress the importance of confidential passwords
  to employees.

44
Preventing External Attacks Common Sense Measures

• Install and use anti-virus software programs that
  scan PCs, computer networks, CDROMs, tape drives,
  diskettes, and Internet material, and destroy
  viruses when found.
• Update anti-virus programs on a regular basis.
• Ensure that all individual computers are equipped
  with anti-virus programs.
• Remove administrative rights from employees.
• Make sure that the company has a regular policy
  of backing up (copying) important files and
  storing them in a safe place, so that the impact
  of corrupted files is minimized.

45

• The CERT Web site posts the latest security
  alerts and also provides security-related
  documents, tools, and training seminars.
• CERT offers 24-hour technical assistance in the
  event of Internet security breaches.

46
Malicious Internet Programs

• Virus Program that attaches itself to other
  programs and infects them.
• Trojan Disguised as legitimate program but
  designed to take control of computer. Can be used
  to attack other computers (zombies).
• Worm Network aware virus that replicates using
  file sharing or e-mail.
• Over 115,000 known viruses, trojans, and worms.
  70 of all e-mail traffic is SPAM!

47
Spyware

• Programs used to gather information about you and
  relay it to an Internet advertising company for
  resale.
• Browser cookies can be used to track your
  activity.
• Gathering practices and use of personal
  information generally not clear during web site
  usage or program installation.

48
http//www.vtinfragard.org/vtinfosafe/InformationR
esources.html
49
(No Transcript)
50
Questions or Comments?