Grover Kearns, Ph.D., CPA, CFE, CITP Computer Forensics for Accountants Additional Materials 1


  • Slide 1
  • Grover Kearns, Ph.D., CPA, CFE, CITP. Computer Forensics for Accountants: Additional Materials
  • Slide 2
  • File Signatures in Hex (File Type: Signature)
      • PDF: 25 50 44 46
      • JPG: FF D8 FF E0
      • EXE: 4D 5A 90 00
      • DLL: 4D 5A 90 00
      • DOC: D0 CF 11 E0
      • XLS: D0 CF 11 E0
  • Slide 3
  • Corrupt the File: Shift Left or Right. Hex editors allow you to shift bits right or left. Result? The file looks like garbage. To view the file, reverse the process.
  • Slide 4
  • Beat File Signature Analysis: an anti-forensic approach to stop EnCase and similar tools from identifying file types. Change the file extension. Use a hex editor to alter the file signature (MZ for executable files).
  • Slide 5
  • Hide Files in Open Sight. First, change the file signature. Second, change the file extension. Example: plan.doc becomes plan.jpg.
  • Slide 6
  • In the hex editor, the hex values 42 4D are the signature for a bitmap file. These can easily be changed to another value, such as D0 CF 11 E0 for a .doc file.
  • Slide 7
  • Hibernate Mode
  • Slide 8
  • Hibernate or Sleep?
  • Slide 10
  • Timestomp.exe: freeware that allows time stamps to be altered. This code will change the file creation to 10/8/2005:
        timestomp.exe c:\test.txt -z "Saturday 10/08/2005 2:02:02 PM"
        timestomp.exe c:\test.txt -a "Saturday 10/08/2005 2:02:02 PM"
  • Slide 12
  • Changing Time Stamp
  • Slide 13
  • Computers Are Obedient: They Do What They Are Told. Everything is represented in 1s and 0s. The bytes are interpreted according to user instructions. The bytes may represent numbers, dates, text, colors, sounds, etc. Representation may also depend on hardware such as audio cards, video cards, etc.
  • Slide 14
  • Dates in Excel (Date: Number)
      • Sunday, January 01, 1900: 1
      • Monday, June 10, 2013: 41,435
      • Tuesday, June 11, 2013: 41,436
      • Wednesday, June 12, 2013: 41,437
  • Slide 15
  • Obfuscation: Simple Hiding Technique
      • 11/25/2001: $ 37,220
      • 3/15/2023: $ 45,000
      • 5/24/2002: $ 37,400
      • 8/29/1953: $ 19,600
      • 2/10/2140: $ 87,700
      • 8/20/2088: $ 68,900
      • 2/18/1982: $ 30,000
      • 1/23/2792: $ 325,820
  • Slide 16
  • Assumed Trust
  • Slide 17
  • Top 10 Social Networking Websites: 1. Facebook; 2. YouTube; 3. Twitter; 4. Squidoo; 5. Hubpages; 6. MySpace; 7. LinkedIn; 8. Classmates; 9. Xanga; 10. Weebly
  • Slide 18
  • Facebook: Can You Do This? "My middle name __________, my age ___, my favorite soda _______, my birthday ___/___/___, whose the love of my life ______, my best friend _____, my favorite color ______, my eye color _______, my hair color ______ my favorite food ________ and my mom's name __________. Put this as your status and see who knows you best."
  • Slide 20
  • "Your friend [Name here] just answered a question about you!" Was it possible that an old friend answered a question about me that I needed to "unlock?" Absolutely. When you click on the link, the next screen should give you pause: 21 Questions is requesting permission to... (a) access your name, profile picture, gender, networks, user ID, friends and any other information shared with everyone... (b) send you email... (c) post to your wall... and... (d) access your data any time... regardless of whether or not you're using their application.
  • Slide 21
  • Big Problems in One Click: "Look at the video I found of you! LOL."
  • Slide 22
  • We're Stuck! (and 5 Things Never to Post): You or Your Family's Full Birth Dates; Your Relationship Status; Your Current Location; The Fact That You Are Home Alone; Pictures of Your Kids Tagged With Their Names
  • Slide 23
  • Secret Crush
  • Slide 24
  • Meet Sophie Draufster. Born on Facebook and LinkedIn in 2010. Purpose: social engineering of executives at large consulting firms. Facebook Friends: 105; LinkedIn Requests: 133; Divulging of PII: 73; Date Requests: 33
  • Slide 25
  • Spear Phishing: like phishing, but targeted to a specific person or group using personalized information that lends credibility. Typically diverts to a spoofed web page requesting PII, card numbers, etc. May request clicking a link that downloads malware.
  • Slide 26
  • LinkedIn and Spearphishing: Cybercriminals datamine LinkedIn for information about companies and employees. That information is used to launch spearphishing attacks. Corporate directories also exist online, providing a wealth of information for spearphishers. Malicious LinkedIn invitation reminders redirect you to a webpage that installs malware onto your computer. If you click, hackers can potentially steal your confidential data.
  • Slide 27
  • Top 5 Social Media Security Threats: Lack of a social media policy; Your employees; Social networking sites; Social engineering; Mobile apps
  • Slide 28
  • Should We Block SN Sites? "Allowing access to social network sites influences user behavior in a way that increases corporate risk." (Chris Poulin, Chief Security Officer at Q1 Labs) "There is no need to block access to social network sites. The risks can be easily addressed and the downsides of blocking are greater than potential problems." (Shel Holtz, Principal of Holtz Communication + Technology) One study shows 54% of U.S. companies restrict employees from visiting sites like Facebook, Twitter and LinkedIn.
  • Slide 29
  • Social Networking Headlines: Hackers hijack Obama's, Britney's Twitter accounts; Twitter wrestles with multiple worm attacks; Phishers, viruses target Facebook users; Twitter/Google Apps hack raises questions about cloud security; High-profile organizations ban Facebook, Twitter; Twitter victimized by distributed denial-of-service attack; Facebook shuts down Beacon program, donates $9.5 million to settle lawsuit; Facebook unveils controversial new privacy settings
  • Slide 30
  • Seven Most Lethal Social Network Hacks: 1. Impersonation and targeted personal attacks; 2. Spam and bot infections; 3. Weaponized OpenSocial and other social networking applications; 4. Crossover of personal to professional online presence; 5. XSS, CSRF attacks; 6. Identity theft; 7. Corporate espionage
  • Slide 31
  • Common Social Media Policies: Be transparent; Be connected; Be thoughtful; Strive for accuracy; Do not mix personal with business; Think twice before posting
  • Slide 32
  • Social Networking Policy: Employees are forbidden from using social networks to post or display comments about co-workers or supervisors that are vulgar, obscene, threatening, harassing, or a violation of Company XYZ's policies on discrimination or harassment. Employees may not use social networks to disclose any confidential or proprietary information about Company XYZ or its employees, customers or business partners. Employees should refrain from speaking on behalf of Company XYZ when not authorized.
  • Slide 33
  • Social Networking Policy (cont.): Display a warning banner on all systems. Policy should state that the company has the right to inspect all computers on-site at will without notice. Policy should include employees' own computers, cell phones, briefcases, purses, etc.
  • Slide 35
  • Are Passwords Effective? Not always. Strong passwords are difficult to impossible to crack. Social engineering attacks are effective against strong passwords. Companies should have and enforce a strong password policy. Companies should train employees about social engineering attacks.
  • Slide 36
  • Online Information About You: Name(s); Address; Phone; Birthdate; Spouse; Children; High School; Workplace; Education; Relatives' Names; Pets' Names; Criminal History; Email Address; SSN (?)
  • Slide 37
  • Card Readers: Is Your PII Safe? SIM; SD; Smart Card; Mag Stripe (Guide to Computer Forensics and Investigations)
  • Slide 41
  • Not on Windows 8!
  • Slide 42
  • Bring your system back from the dead!
  • Slide 43
  • Next: More hacks and theft of PII and IP; Social engineering combined with hacks; Office 2013 safer; BYOD; Cloud Computing; XBRL; Need for extensive employee training
  • Slide 44
  • Even reasonably intelligent people make mistakes!
  • Slide 45
  • Even reasonably intelligent people make mistakes! How much will those mistakes cost your organization?
  • Slide 46
  • Grover Kearns, Ph.D., CPA, CFE, CITP. Gregory, Sharer & Stuart Term Professor in Forensic Accounting. gkearns@usfsp.edu
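
An examiner's check for the hiding steps on Slides 2 through 6, added here as an example (it is not part of the original slides): it compares each file's extension with the signatures listed on Slide 2 and Slide 6, then looks for the expected end-of-file marker so that a forged header alone does not pass. The trailer values, file names and sample bytes are assumptions constructed for the example.

```python
import os

# Header signatures exactly as listed on the slides, mapped to the
# extensions that legitimately carry them.
SIGNATURES = {
    bytes.fromhex("25504446"): {".pdf"},
    bytes.fromhex("FFD8FFE0"): {".jpg", ".jpeg"},
    bytes.fromhex("4D5A9000"): {".exe", ".dll"},
    bytes.fromhex("D0CF11E0"): {".doc", ".xls"},
    bytes.fromhex("424D"): {".bmp"},
}
# Assumption (not on the slides): a JPEG normally ends with FF D9 and a
# PDF carries %%EOF near its end, so a forged header alone is not enough.
TRAILERS = {".jpg": b"\xff\xd9", ".jpeg": b"\xff\xd9", ".pdf": b"%%EOF"}


def classify(name, data):
    """Compare a file's extension with its content; return a verdict string."""
    ext = os.path.splitext(name)[1].lower()
    allowed = set()
    for sig, exts in SIGNATURES.items():
        if data.startswith(sig):
            allowed |= exts
    if not allowed:
        return "unknown-signature"      # e.g. bit-shifted or wiped header
    if ext not in allowed:
        return "extension-mismatch"     # renamed, header left intact
    trailer = TRAILERS.get(ext)
    if trailer and trailer not in data[-1024:]:
        return "header-only-match"      # header forged to fit the extension
    return "consistent"


# Constructed sample contents (not real files).
PDF = b"%PDF-1.4\nconstructed body\n%%EOF\n"
OLE = bytes.fromhex("D0CF11E0A1B11AE1") + b"constructed Word document body"
N = int.from_bytes(PDF, "big")
SAMPLES = {
    "report.pdf": PDF,
    "plan.jpg": OLE,                                    # extension changed only
    "plan2.jpg": bytes.fromhex("FFD8FFE0") + OLE[4:],   # signature changed too
    "tool.bmp": bytes.fromhex("4D5A9000") + b"\x03\x00constructed",
    # Same PDF with every bit shifted left by one (Slide 3).
    "shifted.pdf": ((N << 1) % (1 << 8 * len(PDF))).to_bytes(len(PDF), "big"),
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(f"{name:12} {classify(name, data)}")
```

A "header-only-match" or "unknown-signature" verdict is a lead for manual review in a hex editor, not proof of concealment, since truncated or unusual files can produce the same result.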
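
How the "Dates in Excel" and "Obfuscation" slides (14 and 15) fit together, as an added example that is not part of the original slides: each date on Slide 15 is the dollar amount beside it displayed with a date format, and converting the date back to Excel's serial number recovers the amount. The review date passed as `as_of` is an assumption (the latest date on Slide 14), used only to flag future-dated cells.

```python
from datetime import date, datetime

EPOCH = date(1899, 12, 31)   # serial 0 in Excel's 1900 date system


def excel_serial(d):
    """Serial number Excel stores for a calendar date (1900 date system)."""
    if d <= EPOCH:
        raise ValueError("date precedes Excel's 1900 date system")
    n = (d - EPOCH).days
    # Excel treats 1900 as a leap year, so serial 60 is a nonexistent
    # 29 Feb 1900 and every real date from 1 Mar 1900 on is shifted by one.
    return n + 1 if n >= 60 else n


# Rows from the "Obfuscation" slide: the date shown and the amount beside it.
ROWS = [
    ("11/25/2001", 37220), ("3/15/2023", 45000), ("5/24/2002", 37400),
    ("8/29/1953", 19600), ("2/10/2140", 87700), ("8/20/2088", 68900),
    ("2/18/1982", 30000), ("1/23/2792", 325820),
]


def audit(rows, as_of):
    """Decode each date cell and flag dates later than the review date."""
    findings = []
    for text, amount in rows:
        d = datetime.strptime(text, "%m/%d/%Y").date()
        serial = excel_serial(d)
        findings.append({
            "cell": text,
            "serial": serial,
            "equals_amount": serial == amount,
            "future_dated": d > as_of,
        })
    return findings


if __name__ == "__main__":
    # as_of is an assumption: the latest date on the "Dates in Excel" slide.
    for f in audit(ROWS, as_of=date(2013, 6, 12)):
        flag = "  <- future date" if f["future_dated"] else ""
        print(f'{f["cell"]:>10} -> {f["serial"]:>7,}{flag}')
```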