Investigative (1)

8/8/2019 Investigative (1)

1/85

1

Er. Akash Sharma

Er. Robin Singh

Information Technology

Audit & Forensic Techniques

Cyber College All rightsreserved.


2/85

2

IT Forensic Techniques for Auditors

Presentation Focus

Importance ofIT Forensic Techniquesto Organizations

Importance ofIT Forensic Techniquesto Auditors

Audit Goals of Forensic Investigation

Digital Crime Scene Investigation

Illustration of Forensic Tools

A Forensic Protocol



3/85

3

Forensic Computing Defined

Forensic Computing is the process ofidentifying, preserving, analyzing, andpresenting digital evidence in a mannerthat is legally acceptable in a court of law

Our interest is in

Identifying and preserving evidence,

post-mortemsystem analysis todetermine extent and nature of attack, and

the forensic framework



4/85

4

Importance ofIT Forensic

Techniques to OrganizationsCorporate Fraud Losses in 2004

Cost companies an average loss of assets

over $ 1.7 million A 50% increase over 2003

Over one third of these frauds were

discovered by accident, making "chance"the most common fraud detection tool. PriceWaterhouseCoopers, Global Economic Crime Survey

2005



5/85

5

Importance of IT Forensic Techniques to Organizations

The New Corporate

Environment Sarbanes-Oxley 2002

COSO and COBIT

SAS 94 and SAS 99 ISO 9000 and ISO 17799

Gramm-Leach-Bliley Act

US Foreign Corrupt Practices Act

all of these have altered the corporateenvironment and made forensic techniquesa necessity!



6/85

6

Importance of IT Forensic Techniques to Auditors

SAS 99SAS No. 99 - Consideration of Fraud in aFinancial Statement Audit - requires auditorsto

Understand fraud

Gather evidence about the existence offraud

Identify and respond to fraud risks

Document and communicate findings

Incorporate a technology focus Cyber College All rightsreserved.


7/85

7


IntellectualProperty Losses

Rapid increase in theft ofIP 323%over five year period 1999-2004

75% of estimated annual losses wereto an employee, supplier or contractor

Digital IP is more susceptible to theft

Employees may not view it as theft



8/85

8


Network Fraud Companies now highly reliant on networks

Networks increasingly vulnerable to attacks

Viruses, Trojans, Rootkits can addbackdoors

Social Engineering including Phishing andPharming

Confidential and proprietary informationcan be compromised

Can create a corporate liability Cyber College All rightsreserved.


9/85

9 Cyber College All rightsreserved.


10/85

10

Net Detector



11/85

11


Security Challenges Technology expanding and becoming

more sophisticated

Processes evolving and integratingwith technologies

People under trained

Policies outdated Organizations at risk

People

Technology

Policies

Processes



12/85

12 Cyber College All rights

reserved.


13/85

13 Cyber College All rights

reserved.


14/85

14

Importance ofIT ForensicTechniques to Auditors

Majority of fraud is uncovered by chance

Auditors often do not look for fraud

Prosecution requires evidence Value ofIT assets growing

Treadway Commission Study

Undetected fraud was a factor in one-halfof the 450 lawsuits against independentauditors.



15/85

15


Auditors Knowledge, Skills,

Abilities Accounting

Auditing

IT (weak)Needed

Increased IT knowledge

Fraud and forensic accounting knowledge

Forensic investigative and analytical skillsand abilities



16/85

16


Knowledge, Skills, Abilities:

NeedsAuditors need KSAs to

Build a digital audit trail

Collect usable courtroom electronicevidence

Trace an unauthorized system user

Recommend or review security policies

Understand computer fraud techniques Analyze and valuate incurred losses



17/85

17


KSA Needs (cont.)

Understand information collected fromvarious computer logs

Be familiar with the Internet, web servers,firewalls, attack methodology, securityprocedures &penetration testing

Understand organizational and legal

protocols for incident handling Establish relationships with IT, risk

management, security, law enforcement Cyber College All rights

reserved.


18/85

18

Audit Goals of a Forensic

Investigation Uncover fraudulent or criminal cyber

activity

Isolate evidentiary matter (freeze scene) Document the scene

Create a chain-of-custody for evidence

Analyze digital information

Communicate results



19/85

19

Audit Goals of a Forensic Investigation

Immediate Concerns

What is level of certainty that a problemexists?

Is this a criminal act? Child porn, money laundering

When should law enforcement be involved?

Can the system be isolated?

Is a subpoena necessary?

Is the intrusion internal or external?

Are suspects known?

Is extent of loss/damage known? Cyber College All rights

reserved.


20/85

20


Immediate Response

Shut down computer (pull plug)

Bit-streammirror-image of data

Begin a traceback to identify possible loglocations

Contact system administrators onintermediate sites to request log

preservation Contain damage

Collect local logs

Begin documentation Cyber College All rights

reserved.


21/85

21


Continuing Investigation

Implement measures to stop furtherloss

Communicate to management and auditcommittee regularly

Analyze copy of digital files Ascertain level and nature of loss

Identify perpetrator(s) Develop theories about motives Maintain chain-of-custody



22/85

22

Digital Crime Scene

InvestigationGoal: Determine what fraud events

occurred

by using digital evidence

Three Phases:

Preserve & Document Scene

Analyze/Search & Document Data

Reconstruct & Document Fraud Event



23/85

23


Scene Preservation &

Documentation Goal: Preserve the state of asmany digital objects as possible

and document the crime scene. Methods:

Shut system down

Unplug (best)

Do nothing

Bag and tag



24/85

24

Treat every incident as if itwill end up in a criminal

prosecution.


Investigative Axiom



25/85

25


Incidents &Investigations

Incident/Crime: An event thatviolates a policy or law

Investigation: A process thatdevelops and tests hypotheses toanswer questions about events thatoccurred



26/85

26


Rules of Evidence

Complete

Authentic

Admissible

Reliable

Believable



27/85

27


Requirements for Evidence

Computer logs Must not be modifiable

Must be complete Appropriate retention rules



28/85

28


Problems with Digital

Investigation Timing essential electronic evidence

volatile

Auditor may violate rules of evidence

NEVERwork directly on the evidence

Skills needed to recover deleted data

or encrypted data



29/85

29


Extract, process, interpret

Work on the imaged data or safe copy

Data extracted may be in binary form

Process data to convert it tounderstandable form

Reverse-engineer to extract disk partitioninformation, file systems, directories, files, etc

Software available for this purpose

Interpret the data search for key words,phrases, etc.

Cyber College All rights

reserved.


30/85

30


Technology

Magnetic disks contain data after deletion

Overwritten data may still be salvaged

Memory still contains data after switch-off Swap files and temporary files store data

Most OSs perform extensive logging (so

do network routers)


reserved.


31/85

31

Disk Geometry

Track

Sector

Cylinder

(Clusters are

groups of

Sectors)


reserved.


32/85

32

Slack Space

End of FileEnd of File Slack SpaceSlack Space

Last Cluster in a FileLast Cluster in a File


reserved.


33/85

33


Order of Volatility

Preserve most volatile evidence first

Registers, caches, peripheralmemory

Memory (kernel, physical) Network state

Running processes

Disk

Floppies, backupmedia

CD-ROMs, printouts


reserved.


34/85

34


Digital Forensic InvestigationA process that uses science andtechnology to examine digital objects

and that develops and tests theories,which can be entered into a court oflaw, to answer questions about eventsthat occurred.

IT Forensic Techniques are used tocapture and analyze electronic dataand develop theories.


reserved.


35/85

35

Illustration of Forensic Tools

Forensic Software Tools are used for

Data imaging

Data recovery Data integrity

Data extraction

Forensic Analysis Monitoring


reserved.


36/85

36

Data Imaging

EnCase

Reduces internal investigationcosts

Platform independent

Automated analysis saves time

Supports electronic records audit

Creates logical evidence files eliminating need to capture entirehard drives


reserved.


37/85

37

Data Imaging

EnCase

Previews computers over thenetwork to determine whetherrelevant evidence exists:

Unallocated/allocated space Deleted files File slack Volume slack File system attributes

CD ROMs/DVDs Mounted FireWire and USB devices Mounted encrypted volumes Mounted thumb drives


reserved.


38/85

38

Data Recovery

File Recovery with PC Inspector


reserved.


39/85

39

Data Eradication

Securely Erasing Files


reserved.

D t I t it


40/85

40

Data Integrity

MD5

Message Digest a hashing algorithm usedto generate a checksum

Available online as freeware

Any changes to file will change the

checksumUse:

Generate MD5 of system or critical filesregularly

Keep checksums in a secure place tocompare against later if integrity isquestioned


reserved.


41/85

41

Data Integrity

MD5 Using HashCalc


reserved.


42/85

42

Data Integrity

HandyBits EasyCrypto


reserved.


43/85

43

Data Integrity

Private Disk


reserved.


44/85

44

Data Monitoring

Tracking Log Files


reserved.


45/85

45

Data Monitoring

PC System Log


reserved.


46/85

46

Security Software Log Entries


reserved.


47/85

47


reserved.


48/85

48

Free Log Tools


reserved.


49/85

49


reserved.


50/85

50

Audit Command Language

(ACL) ACL is the market leader in

computer-assisted audit technologyand is an established forensics tool.

Clientele includes

70percent of the Fortune 500companies

over two-thirds of the Global 500

the Big Four public accounting firms


reserved.


51/85

51

Forensic Tools

Audit Command Language

ACL is a computer data extraction andanalytical audit tool with auditcapabilities

Statistics

Duplicates and Gaps

Stratify and Classify

Sampling

Benford Analysis


reserved.


52/85


reserved.

52


53/85

53


reserved.


54/85

54


reserved.


55/85

55


reserved.


56/85

56


reserved.


57/85

57

Forensic Tools: ACL

Benford Analysis

States that the leading digitin some numerical series isfollows an exponential rather

than normal distribution Applies to a wide variety of

figures: financial results,electricity bills, street

addresses, stock prices,population numbers, deathrates, lengths of rivers

Le g

D g

Pr b b

1 30.1 %

2 17.6 %

3 12.5 %

4 9.7 %

5 7.9 %

6 6.7 %

7 5.8 %

8 5.1 %

9 4.6 %


reserved.


58/85

58


reserved.


59/85

59


reserved.


60/85

60


reserved.

Data Monitoring


61/85

61

g

Employee Internet Activity

Spector captures employee web activityincluding keystrokes, email, and snapshots toanswer questions like:

Which employees are spending the most timesurfing web sites?

Which employees chat the most? Who is sending the most emails with

attachments?

Who is arriving to work late and leavingearly?

What are my employees searching for on theInternet?


reserved.


62/85

62

Data Monitoring : Spector

Recorded Email


reserved.


63/85

63


Recorded Web Surfing


reserved.


64/85


65/85

65


Recorded Snapshots


reserved.


66/85

66


reserved.


67/85

67

Data Capture : Key Log Hardware

KeyKatcher

Records chat, e-mail, internet &

more

Is easier to use than parental

control software Identifies internet addresses

Uses no system resources

Works on all PC operating

systemsUndetectable by software

www.lakeshoretechnology.com Cyber College All rights

reserved.

Background Checks


68/85

68

Background Checks


reserved.


69/85

69http://www.expressmetrix.com/solutions/


reserved.


70/85

70


reserved.


71/85

71


reserved.


72/85

72


reserved.


73/85

73


reserved.


74/85

74

Developing a Forensic Protocol

The response plan must include acoordinated effort that integrates a numberof organizational areas and possibly

external areasResponse to fraud events musthave toppriority

Key players must exist at allmajor organizationallocations

People

Technology

Policies

Processes


reserved.


75/85

l


76/85

76

A Forensic Protocol

Security Exposures

Organizations may possess criticaltechnology skills but

Skills are locked in towers IT,Security, Accounting, Auditing

Skills are centralized while fraudevents can be decentralized

Skills are absent vacations, illnesses,etc


reserved.


77/85

77

A Forensic Protocol

The Role ofPolicies

They define the actions you can take

They must be clear and simple to

understand The employee must acknowledge that

he or she read them, understandsthem and will comply with them

They cant violate law


reserved.


78/85

78

A Forensic Protocol

Forensic Response Control

Incident Response Planning

Identify needs and objectives

Identify resources Create policies, procedures

Create a forensic protocol

Acquire needed skills

Train

Monitor Cyber College All rights

reserved.


79/85

79

A Forensic Protocol

Documenting the Scene

Note time, date, persons present

Photograph and video the scene

Draw a layout of the scene

Search for notes (passwords) that might beuseful

Ifpossible freeze the system such that the

current memory, swap files, and even CPUregisters are saved or documented


reserved.


80/85

80

A Forensic Protocol

Forensic Protocol

First responder triggers alert

Team response

Freeze scene Begin documentation

Auditors begin analysis

Protect chain-of-custody

Reconstruct events and develop theories

Communicate results of analysis


reserved.


81/85

81

A Forensic Protocol

Protocol Summary

Ensure appropriate policies

Preserve the crime scene (victim computer)

Act immediately to identify and preserve logs

on intermediate systems Conduct your investigation

Obtain subpoenas or contact law enforcementif necessary

Key: Coordination between functional areas


reserved.

Conclusion


82/85

82

Conclusion

IT Forensic Investigative Skills Can

Decrease occurrence of fraud

Increase the difficulty of committingfraud

Improve fraud detection methods

Reduce total fraud losses

Auditors trained in these skills are

more valuable to the organization! Cyber College All rights

reserved.


83/85

83

Questions or Comments?

Er. Akash SharmaEr. Ro in Sin h

akash@cy ercolle e.asia


reserved.

Web Reso ces


84/85

84

Web Resources

ACL http://www.acl.com/Default.aspx?bhcp=1

Eraser http://www.heidi.ie/eraser/

Private Disk http://www.private-disk.net/

HashCalc http://www.slavasoft.com/hashcalc/index.htm

PC Inspector http://www.download.com/3000-2242-10066144.html

VeriSign http://www.verisign.com

HandyBits Encryption http://www.handybits.com/

EnCase http://www.handybits.com/


reserved.

W b R ( t )


85/85

Web Resources (cont.)

Spectorhttp://www.spectorsoft.com/ Stolen ID Searchhttps://www.stolenidsearch.com/ Abika Background Check

http://www.abika.com/ Guide to Log Managementhttp://csrc.nist.gov/publications/nistpubs/800-92/SP800-92.pdf ACFE Fraud Prevention Checkuphttp://www.acfe.com/documents/Fraud_Prev_Checkup_IA.pdf NetWitnesshttp://www.netwitness.com/

GASP Std V 7.0 Free Softwarehttp://www.bsa.org/usa/antipiracy/Free-Software-Audit-Tools.cfm Federal Guidelines for Searcheshttp://www.cybercrime.gov/searchmanual.htm

C b C ll All i ht

Documents

Investigative (1)