Grover Kearns, PhD, CPA, CFE

Class 10

1

What is Forensic Accounting?

Forensic accounting is accounting that is suitable for legal review, offering the highest level of assurance, and including the now generally accepted connotation of having been arrived at in a scientific fashion.

Encompasses investigation, dispute resolution and litigation support.

2

Forensic Accounting Specialist

A forensic accountant combines accountancy and computer forensics to analyze financial data and find evidence that would be legally valid during a court proceeding.

Is engaged in electronic discovery investigating digital evidence from computers and other devices.

Can acquire, analyze and report on digital evidence.

Conducts special audits aka a review, a due diligence, an investigative audit, or a forensic audit. Each label has its own connotations.

3

Essential MS Security

Malicious Software Removal Tool Microsoft Security Essentials Update Adobe, Flash, Java

Uninstall old Java Avira Anti-Virus Free Update Security Patches Weekly Update Anti-Virus at Least Weekly

4

Trust everyone

… but always cut the cards.

5

6

Passware Kit Forensic 9.5http://www.lostpassword.com/kit-forensic.htm

7

Paraben Sticks

8

What are Hidden Files?

A file with a special hidden attribute turned on, so that the file is not normally visible to users.

Hidden files mainly serve to hide important operating system-related files and user preferences. 9

Find Hidden Files Turn on Windows

operating system preference to show hidden files. In Explorer > Tools >

Folder options… > View > Select “Show hidden files, folders, and drives” > OK

Use software to search for hidden files.

10

Click the Microsoft Office Button , point to Prepare, and then click Inspect Document.

In the Document Inspector dialog box, click Inspect.

Review the inspection results. If Document Inspector finds comments and tracked changes, you are prompted to click Remove All next to Comments, Revisions, Versions, and Annotations.

Oops! Your comments are showing.The purchasing agent is a boob…

12

Don’t send the annotations with the document!

Remove personal information from file before distribution.

Alternatives:*Send as .pdf*Save as .rtf and then reconvert to .doc

Properties can provide information on file name, final author and company (is this the company that you expected?).

Note dates, last saved by, and total editing time.

Other Methods to Conceal

Change the file extension Data.xls becomes Data.jpg

Change font color to background In a Word document change font color to

white, etc. Hide rows and columns in spreadsheets Use steganography

16

Steganography

Steganography comes from the Greek words Steganós (Covered) and Graptos (Writing).

The goal is to hide messages inside other harmless messages in such a way that no one apart from the sender and intended recipient even realizes there is a hidden message

Hide any type of binary file in any other binary file

Security through obscurity

17

The Good Watermarks (Copyright Protection) Unique Hash Value Tag Notes Confidentiality Encryption Anonymity Private Communication

The Bad Industrial Espionage Terrorism Pornography Malware

Steganography

18

Digital Steganography Text in media files

Audio files Picture files Video files

Pictures in media files Other picture files Video files

Files archived in other pictures Popular data formats (carriers)

.bmp .doc .gif .jpeg .mp3 .txt .wav

This image contains hidden text

19

Picture in Picture

Can you see any differences? (the one on the left is meaner) 20

File Size Comparisons

21

QuickCrypto

Type secret message here.

22

What is a Virtual Machine?

A virtual machine is a tightly isolated software container that can run its own operating systems and applications as if it were a physical computer. A virtual machine behaves exactly like a physical computer and contains it own virtual (ie, software-based) CPU, RAM hard disk and network interface card (NIC).

23

What is a Virtual Machine?

An operating system can’t tell the difference between a virtual machine and a physical machine, nor can applications or other computers on a network. A virtual machine is composed entirely of software and contains no hardware components whatsoever.

24

Creating a USB Boot

The easiest way to turn a USB flash drive into a bootable Windows 7 installer is by using the tool Microsoft offers

25

Q. If I already have the hashes (produced by hash.exe) of my operating system, how difficult is it to compare the current hashes of the same files to make certain none have been altered?

A. It is a simple 3 line batch file using hash.exe and compare.exe. It should take approximately 10 minutes to complete.

26

Q. How do I dump the contents of RAM on a Windows machine?

A. Use the nifty freeware WinDump!

27

28

Q. What is a packet sniffer?A. It sniffs packets! It actually captures certain

packets or headers to ascertain network quality. It can also be used in a nefarious fashion.

WireShark aka Ethereal is a popular freeware packet sniffer.Do you know what a packet is?

What is a Honeypot?

In computer terminology, a honeypot is a trap set to detect, deflect, or in some manner counteract attempts at unauthorized use of information systems. Generally it consists of a computer, data, or a network site that appears to be part of a network, but is actually isolated and monitored, and which seems to contain information or a resource of value to attackers.

29

Brief E-mail Header

30

31

Full Header

32

Email Servers and Clients

33

Horizontal & Vertical Analysis of Income Stmt

34

12/31/2009 12/31/2008

Sales $4,000,000 $3,300,000Cost of Goods Sold 2,200,000 1,650,000

----------------- -----------------Gross Profit $1,800,000 $1,650,000

Operating Expenses: Depreciation $738,000 $576,000 Advertising 45,000 38,000 Other 120,000 140,000

-------------- --------------Total Operating Expense $903,000 $754,000

Operating Income $897,000 $896,000Interest on Long-Term Debt 80,000 80,000

-------------- --------------Income Before Taxes $817,000 $816,000Taxes 326,800 326,400

-------------- --------------Net Income $490,200 $489,600

Dividends Declared on Preferred Stock$220,000 $220,000Dividends on Common Stock 290,200 299,600

-------------- --------------Net Income to Retained Earnings ($20,000) ($30,000)

BUSTER'S COMPUTER STORE COMPARATIVE INCOME STATEMENTS

FYE 12/31/09 and 12/31/08 HORIZONTAL VERTICALANALYSIS ANALYSIS2009/2008 2009

21.2% 100.0%33.3% 55.0%

9.1% 45.0%

28.1% 18.5%18.4% 1.1%

-14.3% 3.0%

19.8% 22.6%

0.1% 22.4%0.0% 2.0%

0.1% 20.4%0.1% 8.2%

0.1% 12.3%

0.0% 5.5%-3.1% 7.3%

-33.3% -0.5%

Horizontal: Pct change from prior periodVertical: Divide each item by Sales

Revenues

35

Horizontal & Vertical Anal. of Balance Sheet

ASSETS: 12/31/2009 12/31/08

Cash $1,200,000 $1,100,000 Accounts Receivable 780,000 550,000 Inventory 1,850,000 1,600,000 Fixed Assets (net) 8,200,000 7,200,000

------------------ ------------------- Total Assets $12,030,000 $10,450,000

LIABILITIES:

Accounts Payable $1,200,000 $900,000 Long Term Debt 1,730,000 430,000

----------------- ----------------- Total Liabilities $2,930,000 $1,330,000

STOCKHOLDERS EQUITY:

Preferred stock, $100 par, 12% cum$1,800,000 $1,800,000 Common stock, $100 par 7,000,000 7,000,000 Retained Earnings 300,000 320,000

----------------- ----------------- Total $9,100,000 $9,120,000

Total Liabilities + $12,030,000 $10,450,000Stockholders Equity

BUSTER'S COMPUTER STORE COMPARATIVE BALANCE SHEETS

12/31/09 and 12/31/08 HORIZONTAL VERTICALANALYSIS ANALYSIS2009/2008 2009

9.1% 10.0%41.8% 6.5%15.6% 15.4%13.9% 68.2%

15.1% 100.0%

33.3% 10.0%302.3% 14.4%

120.3% 24.4%

0.0% 15.0%0.0% 58.2%

-6.3% 2.5%

-0.2% 75.6%

15.1% 100.0%

Horizontal: Pct change from prior periodVertical: Divide each item by Total

Assets

Extract / Filter

36

Use Data / Filter

Extract / Filter

37

Filters on any field and can use “if” and “where” type operators. Save new set in a worksheet or file.