Fraud and Computer Forensics

8/6/2019 Fraud and Computer Forensics

1/41

2009 Property of JurInnov Ltd. All Rights Reserved

Case Western Reserve UniversityComputer Fraud

February 24, 2011

Timothy M. Opsitnick, Esq.

Senior Partner and General CounselJurInnov Ltd.

John Liptak, ACEComputer Forensics Analyst



2/41


Who Are We?

JurInnov works with organizations that want tomore effectively manage matters involving

Electronically Stored Information (ESI).

Electronic Discovery Computer Forensics

Document and Case Management

Computer & Information Security

2


3/41


Presentation Overview

Understanding Computing Environments

Collecting Electronically Stored

Information Forensic Analysis Demonstration

Types of Cases When Forensics Are Useful

3


4/41


What is Computer Forensics?

Computer Forensics is a scientific, systematicinspection of the computer system and its contentsutilizing specialized techniques and tools forrecovery, authentication, and analysis of electronicdata. It is customarily used when a case involves issues

relating to reconstruction of computer usage, examinationof residual data, authentication of data by technicalanalysis or explanation of technical features of data andcomputer usage. Computer Forensics requires specialized

expertise that goes beyond normal data collection andpreservation techniques available to end-users or systemsupport personnel.

4


5/41


Types of ESI

E-mail

Office Files

Database

Ephemeral

Legacy Systems

Metadata

5


6/41


Sources of ESI

Desktops

Laptops

CDs/DVDs

Network Attached

Storage Devices (NAS) Storage Area Networks

(SAN)

Servers

Databases

Backup Tapes

E-Mail Archives

Cell Phones/PDAs

Thumb Drives

Memory Cards

External Storage Devices

Cameras

Printers

GPS Devices

6


7/41


Why Computer Forensics?

Reasons to use Computer Forensics Internal Company Investigations

Alleged criminal activity

Civil or Regulatory Preservation

Receivership, Bankruptcy

EEO issues

Improper use of company assets

Recovery of Accidentally or Intentionally Deleted Data

Deleted is not necessarily deleted

Recovery from Improper shutdowns

7


8/41


Types of Computer Fraud

Fraud by computer manipulation Program or data manipulation

Common internal computer fraud schemes

Billing schemes Inventory fraud

Payroll fraud

Skimming

Check tampering

Register schemes

8


9/41


Types of Computer Fraud

Fraud by damage to or modification of computerdata or programs Economic advantage over a competitor

Theft of data or programs

Holding data for ransom

Sabotage

Common external computer fraud schemes Telecommunications fraud

Hacking

Internet fraud

Software piracy

9


10/41


How Does a Computer Operate?

Hardware

Processor

Memory (RAM)

Hard Drive

CD/DVD Drive Motherboard

Mouse/Keyboard

Software

Operating System

Applications

10


11/41


How Does a Computer Operate?

How is data stored on a hard drive?

How is data deleted by the operating system?

11


12/41


12


13/41


13


14/41


14


15/41


Collecting ESI

Lets let the IT staff do it.

Forensic Harvesting

What is a forensic copy?

15


16/41


Collecting ESI

Forensic Harvesting - Logical v Physical

Logical / Ghost copy (Active Files)

Data that is visible via the O.S.

Physical

Logical + File Slack + Unallocated Space +system areas (MBR, Partition table, FAT/MFT)

16


17/41


17


18/41


Collecting ESI

Network Harvest

E-Mail Harvest

Cell Phone / Device Seizure

18


19/41


Computer Forensics Process

Interview Process/Needs Analysis

Maintaining Chain of Custody

Photograph Evidence

Record Evidence Information (users, S/Ns, etc.)

BIOS/CMOS Time

Utilize Sanitized (Wiped) Drives

Write Blocker

On-Site Acquisition

Forensic Lab Acquisition

19


20/41


Acquisition (Data Harvest)

Software Tools

EnCase (Guidance Software)

Forensic Tool Kit (AccessData)

Device Seizure (Paraben)

Network Email Examiner (Paraben)

Hardware Tools

Write Blockers (Tableau)

Talon (Logicube) Cell-Dek (Logicube)

20


21/41


Types of Data Acquisitions

Image Types

EnCase Image (.E01)

DD Image (Linux)

Custom Content Image (.AD1)

ESI Locations

Hard Drives

Network Shares/Department Shares/Public Shares

Server E-Mail

Server Acquisition (On/Off) Cell Phone/PDA

Thumb Drive/External Media

21


22/41


Forensic Considerations

Transfer Speeds

USB

FireWire

IDE

SATA/eSATA

Image Verification - MD5 Hash Values

Work Copies

Inventory Management

22


23/41


Forensic Considerations Presentation Suspect Images

Description: Physical Disk, 39102336 Sectors, 18.6GB

Physical Size: 512

Starting Extent: 1S0

Name: Presentation Suspect Images

Actual Date: 03/24/09 03:17:21PM

Target Date: 03/24/09 03:17:21PM

File Path: E:\Presentation image.E01

Case Number: Presentation Drive

Evidence Number: Presentation Suspect Images Examiner Name: Stephen W. St.Pierre

Drive Type: Fixed

File Integrity: Completely Verified, 0 Errors

Acquisition Hash: 5cfa3830c3af83741da4f9adcfb896e1

Verify Hash: 5cfa3830c3af83741da4f9adcfb896e1 GUID: 04d345276275524c8a111824be6eb170

EnCase Version: 5.05j

System Version: Windows 2003 Server

Total Size: 20,020,396,032 bytes (18.6GB)

Total Sectors: 39,102,336

23


24/41


Forensic Considerations Creating Work copy of original Backup Image

Evidence Mover Log:

03/25/09 16:20:14 - Source file: F:\Evidence\Presentation image.E01

Destination file: G:\Evidence\Presentation image.E01.

Attempt# 1 Hash :9348B9FECFE8023FA3095FB710AFD678



Attempt# 1 Hash :363293E77BB1C974FD82DE7EC3CE1842



Attempt# 1 Hash :3AA6885A045E8F5D20899113A4848917

24


25/41


Forensic Considerations

Windows Encryption

Encrypted File System (XP)

BitLocker (Vista & Windows 7)

Other Hardware or Software Encryption Laptop hard drives

e.g., Truecrypt

25


26/41


Forensic Analysis

Indexing

Key Word Searching

Filters

AND/OR/NOT

Date Range

Specific File Types

26


27/41


Forensic Analysis

Deletion

Deleted Documents

Recycle Bin (Deleted Dates/Info 2)

Data Carving

Unallocated Space

Hard Drive Wiping

Signature Analysis: File Extension vs. FileSignature

27


28/41


29/41


Registry Overview

Windows Registry central database of theconfiguration data for the OS and applications.

Gold Mine of forensic evidence

Registry Hive Keys

Software

System

SAM (Security Account Manager) NTUSER.dat

29


30/41


Registry Software

What Operating System Installed?

Date/Time OS Installed

Product ID For Installed OS

Programs That Run Automatically at Startup(Place to Hide Virus)

Profiles

30


31/41


Registry System

Mounted Devices

Computer Name

USB Plugged-In Devices (USBSTOR)

Last System SHUT DOWN Time

Time Zone

31


32/41


Registry SAM & NTUSER.DAT SAM

Local Accounts

NTUSER.DAT

Network Assigned Drive Letters

Typed URLs (websites) Last Clean Shutdown Date/Time

Username and Passwords

Recent Documents

Registry examples

32


33/41


Unallocated Space Analysis

Unallocated Space/Drive Free Space

File Slack

33


34/41


Data Transfer Analysis

FTP

E-Mail

External Drives

Link Files (external/server)

Internet History

Webmail

Created/Accessed/Modified Dates

34


35/41


Evidence/Analysis Reporting

FTK Report (html based report)

Evidence Presentation

Final Expert Report

Interpretation of Report

Expert Testimony

35


36/41


Forensic Analyst

Tips For Dealing With Your Forensics Analyst

What to Expect From A Forensics Analyst

Certifications

Training

Experience

Testimony

36

Types of Cases When Forensics


37/41


Types of Cases When ForensicsAre Useful

Financial

Receivership

Bankruptcy

General Litigation

Commercial Litigation

Product Liability

Corporate

Regulatory (SEC, Second Requests, FTC) Mergers/Acquisitions

37



38/41


Types of Cases When ForensicsAre Useful, cont.

Intellectual Property

Theft of Intellectual Property

Temporary Restraining Order (TRO)

Permanent Injunction

38



39/41



Labor/Employment

Violation of Non-Compete Agreements

Sexual Harassment

Age Discrimination

Fraud/Embezzlement

Other Violations of Company Policy

39



40/41



Domestic Relations

Divorce

Custody

Corporate Criminal

Other Criminal

40


41/41

2010 t f td ll i ht d

For assistance or additional information

Phone: 216-664-1100

Web: www.jurinnov.com

Email: [email protected]

[email protected]

JurInnov Ltd.

The Idea Center

1375 Euclid Avenue, Suite 400

Cleveland, Ohio 44115

41