Information Technology Forensic Techniques for Auditors
Download
Report
Transcript Information Technology Forensic Techniques for Auditors
Catching Al Capone:
What All Accountants Should Know About
Computer Forensics
Grover Kearns, PhD, CPA, CFE, CITP
S
c
a
r
f
a
c
e
Eliot
Ness
Catching Al Capone
Capone was known to be responsible for a
wide array of felonies and violent crimes but
evidence was lacking
Witnesses tended to disappear
Direct evidence was needed
Business records provide direct evidence
Careful search, analysis, and handling of
data are required to produce data that are
acceptable as evidence
5
Survey Shows Companies Fear
Fraud, But Many Not Prepared
Ernst & Young's 9th Global Fraud Survey:
Fraud Risk in Emerging Markets
60 percent of multinationals say they believe
fraud is more likely to occur in emerging
market operations than developed markets
Robust internal controls remain the first line
of defense against fraud for companies in all
markets
6
Why
Accountants and auditors …
are better positioned to detect computer
based fraud
can assist in maintaining a chain-of-custody
for digital evidence
can better communicate with IT employees
can promote IT-based internal controls
can assist in the efficient use of IT resources
8
Common Applications of Computer
Forensics
Employee internet abuse
Unauthorized disclosure of corporate
information and data
common, but decreasing
accidental and intentional
Industrial espionage
Damage assessment
Criminal fraud and deception cases
9
Cardinal Rules of Evidence Handling
Only use tools and methods that have been
tested and evaluated to validate their
accuracy and reliability.
Handle the original evidence as little as
possible to avoid changing the data.
Establish and maintain the chain of custody.
Document everything done.
Never exceed personal knowledge
10
Forensic Accountants are Involved In
Criminal Investigations
Shareholders' and Partnership Disputes
Personal Injury Claims
Business Interruption
Fraud Investigations
Matrimonial Disputes
Professional Negligence
Mediation and Arbitration
11
Computer forensics can be defined as the
collection and analysis of data from
computersystems, networks, communication
streams (wireless) and storage media in a
manner that is admissible in a court of law.
-CERT
12
“Computer forensics” can thus not afford solely to
concern itself with procedures and methods of handling
computers, the hardware from which they are made up
and the files they contain. The ultimate aim of forensic
investigation is use in legal proceedings [Mandia 01].
The objective in computer forensics is quite
straightforward. It is to recover, analyze and present
computer based material in such a way that it is useable
as evidence in a court of law [Mandia 01].
Digital Crime Scene Investigation
Digital Forensic Investigation
A process that uses science and technology
to examine digital objects and that develops
and tests theories, which can be entered into
a court of law, to answer questions about
events that occurred.
IT Forensic Techniques are used to capture
and analyze electronic data and develop
theories.
14
Audit Goals of a Forensic Investigation
Uncover fraudulent or criminal cyber activity
Isolate evidentiary matter (freeze scene)
Document the scene
Create a chain-of-custody for evidence
Reconstruct events and analyze digital
information
Communicate results
15
Audit Goals of a Forensic Investigation
Immediate Response
Shut down computer (pull plug)
Bit-stream mirror-image of data
Begin a traceback to identify possible log
locations
Contact system administrators on
intermediate sites to request log preservation
Contain damage and stop loss
Collect local logs
Begin documentation
16
Audit Goals of a Forensic Investigation
Continuing Investigation
Implement measures to stop further loss
Communicate to management and audit
committee regularly
Analyze copy of digital files
Ascertain level and nature of loss
Identify perpetrator(s)
Develop theories about motives
Maintain chain-of-custody
17
Digital Crime Scene Investigation
Scene Preservation & Documentation
Goal: Preserve the state of as many
digital objects as possible and
document the crime scene.
Methods:
Shut system down
Unplug (best)
Do nothing
Bag and tag
18
Audit Goals of a Forensic Investigation
Requirements for Evidence
Computer logs …
Must not be modifiable
Must be complete
Appropriate retention rules
19
Digital Crime Scene Investigation
Problems with Digital Investigation
Timing essential – electronic evidence
volatile
Auditor may violate rules of evidence
NEVER work directly on the evidence
Skills needed to recover deleted data or
encrypted data
20
Digital Crime Scene Investigation
Extract, process, interpret
Work on the imaged data or “safe copy”
Data extracted may be in binary form
Process data to convert it to
understandable form
Reverse-engineer to extract disk partition
information, file systems, directories, files, etc
Software available for this purpose
Interpret the data – search for key words,
phrases, etc.
21
Digital Crime Scene Investigation
Technology
Magnetic disks contain data after deletion
Overwritten data may still be salvaged
Memory still contains data after switch-off
Swap files and temporary files store data
Most OS’s perform extensive logging (so do
network routers)
22
Role of a First Responder
Essentially the first person notified and reacting
to the security incident
Responsibilities:
Determine the severity of the incident
Collect as much information about the
incident as possible
Document all findings
Share this collected information to determine
the root cause
23
Importance of Computer Forensics to
Accountants
First Responder
IT Auditor
Member of CERT
Maintain Chain-of-Evidence
Document Scene
Develop Investigatory Process
Manage Investigatory Process
Advanced Certifications (CISA etc)
24
Beginning of Accounting
About 9,000 BC
Double Entry
Accounting
25
A Little Bit of History
Our numbering system is based on a Hindu
system that came into the Arabic world about
776 CE.
This replaced the Roman that is still used
today (at the end of movie credits).
26
A Little Bit of History
Pingala (c. 5th-2nd
century B.C.)
An Indian scholar,
used binary numbers
in the form of short
and long syllables
(think Morse code).
Base 10 versus Base 2
When we talk
numbers, we use
a base 10 system,
because we use
ten characters to
write out all of our
numbers.
0123456789
• Computers using binary
language operate on a
base-2 number system,
because the two numbers
they use are “0” and “1”.
01
These are called
binary digits or bits.
Alphabet Soup
We use the English
language consistingAa Bb Cc Dd Ee Ff Gg Hh Ii Jj Kk Ll Mm
of 26 characters. Nn Oo Pp Qq Rr Ss Tt Uu Vv Ww Xx Yy Zz
Aa = 01000001 01100001
Zz = 01011010 01111010
8 bits = 1 byte
• Computers use binary
language consisting of
2 characters, arranged
together in groups of
eight, to communicate.
The Byte Scale
This is where it gets tricky.
31
Binary Numbering System
Placeholder
Power
Digital
Digital
Binary
Binary
Placeholder
Power
Digital
Digital
Binary
Binary
5
4
10^4
10,000
2^4
16
4
3
3
2
10^3
1,000
2^3
8
10^2
100
2^2
4
2
1
10^1
10
2^1
2
1
0
10^0
1
2^0
1
10
9
8
7
6
9
8
7
6
5
10^9
10^8
10^7
10^6
10^5
1,000,000 100,000,000 10,000,000 1,000,000 100,000
2^9
2^8
2^7
2^6
2^5
512
256
128
64
32
32
Placeholders
In the value 5,736,941 the 3 stands for
30,000 because of its location in the fifth
place or 3 x 104 power.
Nearly all numbering systems use
placeholders. An exception is the Roman
where they write down numbers from
biggest to smallest. Ex. MCMXCVIII is
1998.
33
Binary to Decimal
Power
Binary
Value
Binary Value
1111
1000
1 0101
1 1111
4
3
2^4
16
2
2^3
8
1
2^2
4
0
2^1
2
2^0
1
Decimal Value
8 + 4 + 2 + 1 = 15 OR 16 -1 = 15
16
16 + 4 + 1 = 21
16 + 8 + 4 + 2 + 1 = 31 OR 2^5 - 1 = 32 - 1 = 31
34
Hands-on Activity 1
Use your math skills to calculate the binary
number for the base-10 number provided.
24
16
23
8
22
4
21
2
20
1
__
__
__
__
__
=
21
Hands-on Activity 1
Answer
Use your math skills to calculate the binary
number for the base-10 number provided.
24
16
23
8
22
4
21
2
20
1
1
0
1
0
1
=
21
Hands-on Activity 2
24
16
23
8
22
4
21
2
20
1
__
__
__
__
__
=
7
__
__
__
__
__
=
17
__
__
__
__
__
=
31
Hands-on Activity 2
Answer
24
16
23
8
22
4
21
2
20
1
0
0
1
1
1
=
7
1
0
0
0
1
=
17
1
1
1
1
1
=
31
Hands-on Activity 3
Use your math skills to translate the binary number
into the decimal number it represents.
24
16
23
8
22
4
21
2
1
1
0
0
1
1
1
0
20
1
1
=
?
=
?
Hands-on Activity 3
Answer
Use your math skills to translate the binary number
into the decimal number it represents.
24
16
23
8
22
4
21
2
1
1
0
0
1
1
1
0
20
1
1
=
24
=
29
Do I Really Need to Know This?
41
Hexadecimal
0, 1, 2, 3, 4, 5, 6, 7, 8, 9
A = 10
B = 11
C = 12
D = 13
E = 14
F = 15 (highest hex value in one place)
42
Hexadecimal
Placeholder
Power
Digital
Digital
Hexadecimal
Hexadecimal
5
4
4
3
10^4 10^3
10,000 1,000
16^4 16^3
65,536 4,096
3
2
10^2
100
16^2
256
2
1
10^1
10
16^1
16
1
0
10^0
1
16^0
1
43
Hexadecimal
Power
Hexadecimal
Hexadecimal
4
3
16^4 16^3
65,536 4,096
2
16^2
256
1
16^1
16
0
16^0
1
Hex Value
F
ABC
2D05
1000
FFF
Decimal Value
15 x 1 = 15
10 x 256 + 11 x 16 + 12 x 1 = 2,748
2 x 4,096 + 13 x 256 + 5 x 1 = 11,525
4,096
4,096 -1 = 4,095
44
Hexadecimal and Binary
Base 16 (0-9, A, B, C, D, E, F)
Short-hand for binary
Decimal Hex
Binary
255
FF
1111 1111
256
100
1 0000 0000
4,095
FFF
111 1111 1111
4,096 1000 1 0000 0000 0000
45
Odometer Effect
When a value reaches its maximum for
the placeholders and you add 1, it rolls
over. For example, in decimal
999,999
add 1
1,000,000
Decimal
Binary
Hex
255
1111 1111
FF
1
1
1
256 1 0000 0000
100
46
Hands-on Activity 1
Use your math skills to calculate the hex
number for the base-10 number provided.
164
163
65,536 4,096
162
256
161
16
_
_
_
_
_
_
_
__
_
_
160
1
=
4,095
=
65,535
47
Hands-on Activity 1
Answer
Use your math skills to calculate the hex
number for the base-10 number provided.
164
163
65,536 4,096
F
162
256
161
16
160
1
F
F
F
=
4,095
F
F
F
=
65,535
48
Hands-on Activity 2
Use your math skills to calculate the hex
number for the base-10 number provided.
164
163
65,536 4,096
162
256
161
16
_
_
_
_
_
_
_
__
_
_
160
1
=
83,041
=
297,036
49
Hands-on Activity 2
Answer
Use your math skills to calculate the hex
number for the base-10 number provided.
164
163
65,536 4,096
162
256
161
16
160
1
1
4
4
6
1
=
83,041
4
8
8
4
C
=
297,036
50
Hands-on Activity 3
Use your math skills to calculate the hex
number for the base-10 number provided.
164
163
65,536 4,096
1
162
256
161
16
160
1
1
B
A
D
=
?
A
2
0
C
=
?
51
Hands-on Activity 3
Answer
163
164
65,536 4,096
1
162
256
161
16
160
1
1
B
A
D
=
7,085
A
2
0
C
=
107,020
52
Hands-on Activity
1. Calculate how many bytes are in a 500
GB hard drive.
2. How many bytes are in a 64 MB memory
chip?
3. A hard drive has 1 terabyte of data. How
many kilobytes is that?
Hands-on Activity
Answers
1. Calculate how many bytes are in a 500 GB
hard drive.
500 x 1,000,000,000 = 500,000,000,000
2. How many bytes are in a 64 MB memory chip?
64 x 1,000,000 = 64,000,000
3. A hard drive has 1 terabyte of data. How
many kilobytes is that?
1,000,000,000,000 = 1,000,000,000 kbytes
Hands-on Activity
Your computer just received the following
binary message from the keyboard.
Translate the message into English.
01001000 01100101 01111001 00101100 00100000 01111001 01101111
01110101 00100111 01110110 01100101 00100000 01101100 01100101
01100110 01110100 00100000 01110100 01101000 01100101
00100000 01000011 01000001 01010000 01010011 00100000
01101100 01101111 01100011 01101011 00100000 01101011 01100101
01111001 00100000 01101111 01101110 00100001
Hands-on Activity
Your computer just received the following
binary message from the keyboard.
Translate the message into English.
01001000 01100101 01111001 00101100 00100000 01111001 01101111
01110101 00100111 01110110 01100101 00100000 01101100 01100101
01100110 01110100 00100000 01110100 01101000 01100101
00100000 01000011 01000001 01010000 01010011 00100000
01101100 01101111 01100011 01101011 00100000 01101011 01100101
01111001 00100000 01101111 01101110 00100001
Just kidding!
Hexadecimal Editors
Many freewares available.
HxD is a popular editor.
57
The Hex Editor
58
jpg file opened in HxD editor.
Note JFIF
59
gif file opened in HxD editor.
Note GIF and 47 49 46 signature.
60
exe file opened in HxD editor.
Note 2E 65 78 65 is .exe
61
MS Word document opened in HxD editor.
62
MS Excel spreadsheet opened in HxD editor.
Note DO CF 11 EO signature for all MS files.
63
Bitmap image opened in HxD editor.
Note 42 4D signature for bitmap files.
64
File Signatures in Hex
File Type
Signature
PDF
25 50 44 46
JPG
FF D8 FF E0
EXE
4D 5A 90 00
DLL
4D 5A 90 00
DOC
D0 CF 11 E0
XLS
D0 CF 11 E0
65
A PDF file opened in a Hex Editor
66
A PDF file opened in NotePad
67
A BMP file opened in a Hex Editor
68
A JPG file opened in a Hex Editor
69
“Accountants are supposed to function
as the nation’s watchdogs.”
~ U.S. Supreme Court, 1984
70
Watch Dog’s Need Big Teeth
71
End Class 2 Lecture
Questions?
72