
Forensics, Fraud and Analytical Techniques


iria

Presentation Transcript


  1. Forensics, Fraud and Analytical Techniques Computer Forensics (Chapter 12) Practicum: Dell Computer Corporation (Planning Materiality and Tolerable Misstatement)

  2. Schedule (revised)

  3. For next week • Comprehensive review of ISMT300T IS Audit course Materials • Example question for test • Suggested review readings

  4. Dell Computer Materiality and Tolerable Error

  5. Crime Doesn't Pay? • As Willie Sutton, the bank robber, said when asked why he robbed banks: "because that's where the money is" • Sutton robbed banks and he was good at it. He made no bones about that. He usually packed a gun, either a pistol or a Thompson submachine gun • "You can't rob a bank on charm and personality" • "Why did I rob banks? Because I enjoyed it. I loved it. I was more alive when I was inside a bank, robbing it, than at any other time in my life. I enjoyed everything about it so much that one or two weeks later I'd be out looking for the next job. But to me the money was the chips, that's all." • From Where the Money Was: The Memoirs of a Bank Robber (Viking Press, New York, 1976)

  6. Why 'Computer' Crime? • "Because that's where the money is" (c. 2005) • Money is no longer held in physical form • How much money was being handled daily by computer exchange systems in 2005? • Foreign exchange: $2 trillion daily • Derivatives markets: $5 trillion daily • Outstanding derivatives positions: $200 trillion • NYSE activity: $1.6 trillion daily

  7. Types of Computer Crime: Business as a Victim • Employee Thefts • Payroll Fraud • Fraudulent Billing Schemes • Fraud Committed by Outsiders • Management Thefts • Corporate Thefts

  8. Types of Computer Crime: Business as a Vehicle • Organized Crime • Money Laundering • Theft from Minority Shareholders • Other Stock Market Fraud • Bankruptcy Fraud

  9. Crime's new venue • The Internet (with an estimated 1 billion users) is now in a golden age of criminal invention. • It's a "dot-con" boom, in which electronic crime runs rampant in a frantic search for business models. • Even encryption, supposedly a defensive measure, has become a tool for extortion • witness the weird new crime of breaking into a computer, encrypting its contents, and then demanding a payoff to supply the key to the victim's own data. • The crime is so new it doesn't even have a settled name yet (it is now called ransomware). • All the classic scams and rackets that city sharpies push on rubes can be digitized • Once there were a few relatively uncomplicated viruses; now there are torrents of fast-evolving, multifaceted viruses. • Where once there was just small-time credit-card fraud, now there is international credit-card racketeering. • Computer-network password theft has turned into sophisticated ID fraud that robs patrons of banks and online auction sites. • Spam, once an occasional rude violation of "netiquette," now arrives by the ton (12.9 billion pieces a day worldwide in May 2005, according to the e-mail security firm IronPort) • Then there are the newer electronic crimes, proliferating so fast that even experts have trouble keeping up with the jargon: phishing, spear phishing, pharming, DDoS, DDoS protection rackets, spyware, scumware, Web site defacement, botnets, keylogging.

  10. FBI: 2005 Computer Crime and Security Survey • Companies with sales of less than $10 million per year • spent $643 per employee on computer security each year • For companies with more than $1 billion in annual revenue • the amount spent on security dropped to $247 per employee • Broken down by industry, utilities spent the most on computer security • on average, $190 per employee per year • Next highest on the list were transportation and telecommunication companies, with average annual costs per employee of $187 and $132, respectively

  11. Computer Criminals Today • The largest class of crime is Internet based • Generally, there is a form of compartmentalization, from the top down • At the top of the food chain is someone who has the financial means to organize a group • This individual, acting as the criminal kingpin, puts together a plan and then assembles the necessary technologically savvy individuals. • These groups work together without central organization • Many members are recruited through acquaintances; others are found online • Individuals use Web sites, online forums, and IRC channels to advertise their services and meet their colleagues. Many others visit these sites to learn how to get started in the business. • The scene is always looking for rooters, scanners, curriers [various hacking specialties] • Once they've learned those skills, hackers commonly operate as freelancers, working on projects in an area of expertise--whether it be writing exploits, building botnet networks, or designing fake Web sites • And like legitimate businesspeople and freelancers, they must build a reputation before they can get hired for lucrative work.

  12. Hotspots for Internet crime • Brazil, Bulgaria, China, Estonia, Hungary, Indonesia, Japan, Latvia, Malaysia, North Korea, Romania, Russia, and the United States are major centers for organized hacking • Why are certain areas hotspots? • Places where there's a significant amount of activity usually have a technically advanced population and a large population of computer users. • You also have a poor economy, so you have people with the technical skills to do good work, but they can't find a job that will provide for them, • so they may have to resort to doing things that are against the law • These hotspots (other than the United States and Japan) also tend to be countries where laws and law enforcement lag • hackers will find the weakest link, the country with no laws

  13. Denial-of-service (DoS attack) • A "denial-of-service" attack is characterized by an explicit attempt by attackers to prevent legitimate users of a service from using that service. Examples include • attempts to "flood" a network, thereby preventing legitimate network traffic • attempts to disrupt connections between two machines, thereby preventing access to a service • attempts to prevent a particular individual from accessing a service • attempts to disrupt service to a specific system or person • Details are at http://www.cert.org/tech_tips/denial_of_service.html

  14. Zombies • Zombies do a lot of the heavy lifting • malware-infected computers that an online puppet master controls • Set to work in thousands or even tens of thousands, the machines in a zombie network or "botnet" attempt to carry out the high-tech money grab. • Botnets are popular because of their increasing sophistication and multiple uses. • versatile zombie armies pull in cash for their controllers in a variety of ways. • Sending spam (a big money-maker)is one common use. • Zombie networks can also steal personal information for purposes of identity theft. • When botnets are used to launch a DDoS attack, • the ringleader instructs each zombie computer to send a flood of data to a particular Web site. • By itself, the data from a single PC can't hurt a site. • But multiply that traffic by 10,000 or more computers, and a Web site can easily be overwhelmed and cut off from the Internet. • E.g., MyDoom had a rather unsophisticated means of controlling host machines. • Once it insinuated itself into an unprotected PC, • anyone who knew a not-so-secret five-digit code could commandeer the computer for any desired purpose • As a result, MyDoom-compromised computers were very popular with online criminals for a while

  15. Botnets • Malware turned an average of 172,009 previously healthy computers into zombies every day during May 2005 • CipherTrust, an e-mail security company that tracks botnets • As processing power improves and broadband Internet connections become more widespread, zombie computers will be able to send more spam or hit Web sites harder • and botnets will become more powerful. • Also, the ability to shuffle funds • including ransom payments • anonymously through convoluted Internet paths using human mules (in much the same way as in the drug trade) and online payment services • means that criminals can revisit old approaches.

  16. Cops and Robbers • Some botnets consist of phalanxes of 15,000 to 50,000 zombie PCs that are controlled by groups of people dispersed around the world • Christopher Painter, deputy chief of the Computer Crime section of the U.S. Department of Justice • Most perpetrators are adults who execute extremely sophisticated assaults. "They don't brag, and they cover their tracks very well" (Painter) • One notorious cybergang, called Shadowcrew, reportedly had 4000 members scattered across the United States, Brazil, Spain, and Russia.

  17. Objectives • Money is these cybergangs' primary motivation • The asking price for temporary use of an army of 20,000 zombie PCs today is $2000 to $3000, according to a June posting on SpecialHam.com, an electronic forum for hackers • Marshaling their armies of zombie PCs, online extortionists may threaten to crash a company's Web site unless they are paid off. • Hackers are not shy about asking for $20,000 to $30,000 from companies.

  18. Payoffs • Companies know it's far cheaper to pay the hackers than to get knocked offline and lose hundreds of thousands of dollars in lost business • Many extortion attempts go unreported because businesses are unwilling to volunteer evidence of their coercion to law enforcement officials • corporations don't want to admit to their customers, stockholders, and business partners that their networks were ever vulnerable to an attack • Only about 20 percent of computer intrusions are ever reported to law enforcement agencies (2004 survey conducted by the Computer Security Institute) • The US Secret Service receives between 10 and 15 inquiries per week from business owners who believe they may be the target of a cyberattack

  19. Case Study: Protx • When the first extortion e-mail popped into Michael Alculumbre's inbox, he had no idea it was about to cost his business nearly $500,000. • The note arrived in early November 2004, as Alculumbre's London-based transaction processing company, Protx, was being hit by a nasty distributed denial of service (DDoS) attack. • Zombie PCs from around the world were flooding Protx.com (the company's Web site) and the transaction processing server that was the commercial heart of the business. • In the extortion e-mail's broken English, someone identifying himself as Tony Martino proposed a classic organized-crime protection scheme. • "You should pay $10,000," Martino wrote. "When we receive money, we stop attack immediately." • The e-mail even promised one year's protection from other attackers for the $10,000 fee. • "Many companies paid us, and use our protection right now," Martino said. "Think about how much money you lose, while your servers are down." • A 2004 PricewaterhouseCoopers survey of more than 1000 businesses in the UK found that, • on average, companies spent more than $17,000 on their worst security incident that year. • For large companies, that amount was closer to $210,000, the study found. • For companies of either size, most of the loss was due to the disruption in their ability to do business, with expenses for troubleshooting the incident and actual cash spent responding to it accounting for considerably less.

  20. Case Study: Protx • By scrambling its IT staff and blocking traffic from the zombie hosts • at one point, Protx.com simply blocked all traffic originating from the western United States • the company managed to survive the first wave of the attack against it. • But the 13-person company's biggest cost involved preparing for the next assaults, consisting of thousands of server requests, which came in January and April of 2005. • The April attack, which lasted for more than five days, was the most severe, • as Protx and the attackers engaged in a kind of online cat and mouse: • Just as Alculumbre's technicians found one way to block the flood of unwanted server messages, the attackers would switch to another tack. • At one point, the cybercrooks used a new exploit against Microsoft's Internet Information Services (IIS) server that caused the Protx Web site to crash whenever certain types of secure (SSL) messages got through. • Protx responded by installing an SSL accelerator and analyzing the messages before letting them through. • On the final day of the April assault, the attackers hit Protx with everything they had. • At the peak of the assault, the company's servers were processing 800 megabits of traffic per second, the equivalent of roughly 520 T1 lines (1.544 Mbit/s each) firing at full capacity.

  21. Case Study: Protx • Just a few years ago, financially motivated attackers tended to focus on fringe businesses like online gaming sites. • Transaction processors like Protx are now choice prey for extortionists: • if you bring down a payment processor, you bring down the hundreds of online merchants that depend on it • Transaction processors like Protx will do everything in their power not to be offline • therefore, they are investing heavily in security and bandwidth. • Protx ended up spending a whopping $38,000 per employee on security in 2004

  22. Client-side Targets • About 60 percent of new vulnerabilities now affect client-side applications • like Web browsers and media players • And those vulnerabilities are drawing all the wrong sorts of attention • In 2005, unwanted network traffic targeting Symantec's Veritas Backup Exec • rocketed to 500,000 instances within days of an announced security hole in the product, • up from a previous maximum of about 50,000 instances. • Microsoft Office, Internet Explorer, Firefox, and AOL Instant Messenger also suffered from serious reported vulnerabilities, as did RealPlayer and iTunes

  23. Focus of Client-side Attacks • Attackers now target • backup and recovery programs, • as well as "the antivirus and other security tools that most organizations think are keeping them safe" • SANS Top 20 report for 2005 on the most critical Internet vulnerabilities • The shift toward finding and exploiting vulnerabilities in applications represents a major change from past years, • when Windows and other operating systems and Internet services like Web and e-mail servers were the preferred targets.

  24. Client-side Crime: Recent Problem Software • Some of the latest application holes: • * Sony BMG's XCP copy protection: used ham-fisted rootkit code to hide every file name that began with the characters "$sys$"; virus writers soon released worms and Trojan horse programs that leveraged the XCP cloaking to hide their own files • * Symantec/Veritas NetBackup: a buffer overflow vulnerability in a file used by NetBackup clients and servers • * Macromedia Inc.'s Flash Player: a buffer overflow in some versions of the Macromedia Flash Player • * Skype Technologies S.A.'s Skype: a critical buffer overflow vulnerability in versions of the free Internet phone app

  25. SANS (SysAdmin, Audit, Network, Security) Institute: The 20 Most Critical Internet Security Vulnerabilities • Top Vulnerabilities in Windows Systems • W1. Windows Services • W2. Internet Explorer • W3. Windows Libraries • W4. Microsoft Office and Outlook Express • W5. Windows Configuration Weaknesses • Top Vulnerabilities in Cross-Platform Applications • C1. Backup Software • C2. Anti-virus Software • C3. PHP-based Applications • C4. Database Software • C5. File Sharing Applications • C6. DNS Software • C7. Media Players • C8. Instant Messaging Applications • C9. Mozilla and Firefox Browsers • C10. Other Cross-platform Applications • Top Vulnerabilities in UNIX Systems • U1. UNIX Configuration Weaknesses • U2. Mac OS X • Top Vulnerabilities in Networking Products • N1. Cisco IOS and non-IOS Products • N2. Juniper, CheckPoint and Symantec Products • N3. Cisco Devices Configuration Weaknesses

  26. Phishing • California has passed an antiphishing law, • the Anti-Phishing Act of 2005 • With the passage of the Anti-Phishing Act of 2005, California joins such states as Texas, New Mexico, and Arizona, all of which adopted antiphishing legislation earlier this year. • Phishing victims are typically sent fraudulent e-mail designed to trick them into revealing personal information, like bank account numbers, user names, and passwords. • Under the Anti-Phishing Act, these victims may seek to recover either the cost of the damages they have suffered or $500,000, whichever is greater; government prosecutors can also seek penalties of up to $2500 per phishing violation. • Phishing attacks have been on the rise. Research firm Gartner estimates that 73 million U.S. Internet users received phishing e-mails during the 12 months ended May 2005, up 28 percent from the previous year.

  27. Malware • The mischief-making hacker of the 1990s gives way to the determined high-tech thief of the 21st century • The 2005 E-Crime Watch survey of security and law enforcement • estimated an average loss of $506,670 per organization due to malware • It's gotten so bad that the U.S. Secret Service and Carnegie Mellon University's Computer Emergency Response Team (CERT) • last year stopped publishing the number of computer crime incidents, saying: • "Given the widespread use of automated attack tools, attacks against Internet-connected systems have become so commonplace that counts of the number of incidents reported provide little information with regard to assessing the scope and impact of attacks."

  28. How to Build a Legal Case

  29. Inference Network Analysis • Legal cases are proved through inferences. • These inferences, built in chains, must lead logically from point A to point B • The strength (or weakness) of these inferences determines the strength of the legal case

  30. Chain of Inferences • Suppose we want to link the defendant (an ex-football player and aspiring movie star) to the murder of his ex-wife • Initially the evidence is weak (dotted line) • The defendant and victim were divorced, and that may have been a motive for the murder, but that is a weak case

  31. The Bloody Glove • Our investigation has uncovered a bloody glove at the crime scene • Immediately there is an inference that the glove is somehow involved in the murder. If we later learn that DNA from the bloody glove matches the victim, • the inferential relationship between murder and glove becomes strong • Although the connection between the defendant and the victim is still tenuous, • the connection between the victim and the glove is strong. • We're not yet satisfied, and the investigation continues

  32. Establishing Ownership • The forensic examiners at the crime lab have determined that the gloves are in fact a very expensive brand sold only to a movie-star / football-player clientele. They are so unique that only 25 pairs have been sold in the past year. • This information alone does not necessarily strengthen the inferential relationship to the defendant. • However, taken in combination with the fact that a pair of these gloves was purchased on the ex-football player's credit card two months earlier, • we are strengthening our chain of inference.

  33. Uniquely Connecting the Gloves to their Owner • Finally our forensic experts compare the DNA from the skin cells found on the glove's lining with that of the defendant – they match • Up until now, we have only been able to link the defendant inferentially as the owner of similar gloves. • Now we can link him as the owner of these particular gloves (the dotted arrow becomes solid)

  34. Analytical and Automated Fraud Auditing Approaches

  35. Computer Assisted Techniques for Fraud Detection • Audit software has commands that support the auditor's requirement to review transactions for fraud symptoms such as duplicate transactions, missing transactions, and anomalies. Some examples of these tests include: • * comparing employee addresses with vendor addresses to identify employees who are also vendors; • * searching for duplicate check numbers to find photocopies of company checks; • * searching for vendors with post office boxes for addresses; • * analyzing the sequence of all transactions to identify missing checks or invoices; • * identifying vendors with more than one vendor code or more than one mailing address; • * finding several vendors with the same mailing address; and • * sorting payments by amount to identify transactions that fall just under financial control or contract limits. • Audit software can be used to interrogate a company's data files and identify data patterns associated with fraud. • Patterns such as negative entries in inventory received fields, voided transactions followed by "No Sale," • or a high percentage of returned items may indicate fraudulent activity. • Auditors can use these data patterns to develop a "fraud profile" early in their review of operations. • The patterns can function as auditor-specified criteria, and transactions fitting the fraud profile can trigger auditor reviews. • Systems can even be built to monitor transactions on an ongoing basis. • Continuous monitoring is a proactive approach to the early detection of fraud.
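The tests listed on this slide are simple enough to write without audit software. The script below is an added example, not part of the original slides or of any audit package; it runs each test over a small constructed set of employee, vendor and payment records. The field names, the $5,000 approval limit, the $100 "just under" window and every record are assumptions made for the example.

```python
# Added example (not from the slides): the vendor and payment red-flag tests
# listed above, run over a small constructed data set. Field names, the $5,000
# approval limit and every record below are assumptions made for the example.
import re
from collections import Counter, defaultdict
from decimal import Decimal

# Constructed master data -- not real employees, vendors or payments.
EMPLOYEES = [
    {"id": "E100", "name": "A. Smith", "address": "12 Elm St., Springfield"},
    {"id": "E101", "name": "B. Jones", "address": "99 Oak Ave, Shelbyville"},
]
VENDORS = [
    {"code": "V1", "name": "Acme Supply", "address": "500 Industrial Rd, Capital City"},
    {"code": "V2", "name": "Elm Consulting", "address": "12 Elm St, Springfield"},  # an employee's address
    {"code": "V3", "name": "Boxco", "address": "P.O. Box 4411, Shelbyville"},       # PO box only
    {"code": "V4", "name": "Acme Supply Inc.", "address": "500 Industrial Rd, Capital City"},  # same address as V1
]
PAYMENTS = [
    {"check": 1001, "vendor": "V1", "amount": Decimal("1200.00")},
    {"check": 1002, "vendor": "V2", "amount": Decimal("4990.00")},
    {"check": 1002, "vendor": "V2", "amount": Decimal("4990.00")},  # check number used twice
    {"check": 1003, "vendor": "V3", "amount": Decimal("4975.00")},
    {"check": 1005, "vendor": "V4", "amount": Decimal("250.00")},   # 1004 never appears
]
APPROVAL_LIMIT = Decimal("5000.00")  # assumed: payments at or above this need a second approver

PO_BOX = re.compile(r"\bp\.?\s*o\.?\s*box\b", re.IGNORECASE)


def norm_address(addr):
    """Lower-case, strip punctuation and collapse spaces so 'Elm St.' and 'Elm St' compare equal."""
    return " ".join(re.sub(r"[^a-z0-9 ]", " ", addr.lower()).split())


def employees_who_are_vendors(employees=EMPLOYEES, vendors=VENDORS):
    """Employee addresses that also appear as vendor addresses -> [(employee_id, vendor_code)]."""
    by_addr = defaultdict(list)
    for v in vendors:
        by_addr[norm_address(v["address"])].append(v["code"])
    return [(e["id"], code) for e in employees for code in by_addr.get(norm_address(e["address"]), [])]


def duplicate_check_numbers(payments=PAYMENTS):
    """Check numbers that occur more than once (a photocopied or re-issued check)."""
    counts = Counter(p["check"] for p in payments)
    return sorted(n for n, c in counts.items() if c > 1)


def po_box_vendors(vendors=VENDORS):
    """Vendors whose address is a post-office box."""
    return [v["code"] for v in vendors if PO_BOX.search(v["address"])]


def missing_check_numbers(payments=PAYMENTS):
    """Gaps in the check sequence between the lowest and highest number seen."""
    seen = {p["check"] for p in payments}
    return sorted(set(range(min(seen), max(seen) + 1)) - seen)


def vendors_sharing_address(vendors=VENDORS):
    """Addresses used by more than one vendor code -> {normalised address: [codes]}."""
    by_addr = defaultdict(list)
    for v in vendors:
        by_addr[norm_address(v["address"])].append(v["code"])
    return {a: codes for a, codes in by_addr.items() if len(codes) > 1}


def payments_just_under_limit(payments=PAYMENTS, limit=APPROVAL_LIMIT, window=Decimal("100.00")):
    """Check numbers whose amount sits in [limit - window, limit): possible structuring to dodge a control."""
    return [p["check"] for p in payments if limit - window <= p["amount"] < limit]


def fraud_profile():
    """Run every test and return the findings as one dict (the 'fraud profile' the slide describes)."""
    return {
        "employee_vendors": employees_who_are_vendors(),
        "duplicate_checks": duplicate_check_numbers(),
        "po_box_vendors": po_box_vendors(),
        "missing_checks": missing_check_numbers(),
        "shared_addresses": vendors_sharing_address(),
        "just_under_limit": payments_just_under_limit(),
    }


if __name__ == "__main__":
    for test, hits in fraud_profile().items():
        print(f"{test:18} {hits}")
```

Each test returns identifiers rather than a verdict: a hit is a symptom to be pulled for review, not proof of fraud (V3 may be a legitimate mail-order supplier). Address matching is normalised before comparison because a trailing period or a missing comma is enough to defeat a naive string equality check.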

  36. Fraud Detection Using Digital Analysis • A growing area of fraud prevention and detection involves the examination of patterns in data – i.e., Digital Analysis • The rationale is that unexpected patterns can be symptoms of fraud. A simple example of the application of this technique is a search for duplicate transactions, such as identical invoice or vendor numbers for the same amount. • A simple digital analysis technique is to search for invoices with even dollar amounts, such as $200.00 or $5,000.00. • The existence of particular even amounts may be a symptom of fraud and should be examined.

  37. Digital Analysis Case Study: Even Amounts • Travel expenses had always been a concern for the auditors of X Company since it was an area where the controls were weak. • Employees had a maximum per diem rate when traveling but had to submit receipts to cover the actual expenses. • Maximums were also established for meals: breakfast $10.00, lunch $20.00, dinner $30.00, and hotel lodging $100.00. • The auditors configured the audit software to identify meal expenses that were multiples of $10.00. • These transactions were compared to receipts to ensure that the amounts expensed were appropriate. • A detailed review determined that many travelers were charging the maximum rates for meals even though their receipts did not justify the amounts.
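The even-amount test from the X Company case, as an added example that is not part of the original slides. The per-meal maxima are the ones quoted above; the claims, receipt amounts and employee IDs are constructed for the example. It keeps the two steps separate, as the auditors did: the digital-analysis filter picks out multiples of $10.00, and only the receipt comparison decides which of those are unsupported.

```python
# Added example (not from the slides): the even-amount test from the X Company
# case, applied to constructed meal-expense claims. The per-meal maxima are the
# ones quoted on the slide; the claims, receipts and employee IDs are assumptions.
from collections import Counter
from decimal import Decimal

MEAL_MAXIMA = {"breakfast": Decimal("10.00"), "lunch": Decimal("20.00"), "dinner": Decimal("30.00")}

# Constructed claims: id, employee, meal, amount claimed, amount shown on the receipt
CLAIMS = [
    {"id": 1, "employee": "E100", "meal": "dinner",    "claimed": Decimal("30.00"), "receipt": Decimal("18.45")},
    {"id": 2, "employee": "E100", "meal": "lunch",     "claimed": Decimal("13.20"), "receipt": Decimal("13.20")},
    {"id": 3, "employee": "E101", "meal": "breakfast", "claimed": Decimal("10.00"), "receipt": Decimal("10.00")},
    {"id": 4, "employee": "E101", "meal": "dinner",    "claimed": Decimal("20.00"), "receipt": Decimal("11.90")},
    {"id": 5, "employee": "E102", "meal": "lunch",     "claimed": Decimal("20.00"), "receipt": Decimal("20.00")},
    {"id": 6, "employee": "E102", "meal": "dinner",    "claimed": Decimal("30.00"), "receipt": Decimal("9.75")},
]


def even_amount_claims(claims=CLAIMS, step=Decimal("10.00")):
    """Claim ids whose amount is an exact multiple of `step` (the digital-analysis filter)."""
    return [c["id"] for c in claims if c["claimed"] % step == 0]


def at_maximum_claims(claims=CLAIMS, maxima=MEAL_MAXIMA):
    """Claim ids billed at exactly the per-meal maximum: the most suspicious subset of the even amounts."""
    return [c["id"] for c in claims if c["claimed"] == maxima[c["meal"]]]


def unsupported_claims(claims=CLAIMS, step=Decimal("10.00")):
    """Even-amount claims the receipt does not support -> [(id, amount claimed above the receipt)]."""
    flagged = set(even_amount_claims(claims, step))
    return [(c["id"], c["claimed"] - c["receipt"]) for c in claims
            if c["id"] in flagged and c["claimed"] > c["receipt"]]


def overclaim_by_employee(claims=CLAIMS):
    """Total overclaimed per employee, so the detailed review can be targeted at repeat offenders."""
    by_id = {c["id"]: c for c in claims}
    totals = Counter()
    for cid, excess in unsupported_claims(claims):
        totals[by_id[cid]["employee"]] += excess
    return dict(totals)


if __name__ == "__main__":
    print("even amounts:", even_amount_claims())
    print("at maximum:  ", at_maximum_claims())
    print("unsupported: ", unsupported_claims())
    print("by employee: ", overclaim_by_employee())
```

Claims 3 and 5 show why the filter alone is not a finding: both are even amounts at the maximum, and both are fully supported by receipts. Only claims 1, 4 and 6 survive the receipt comparison.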

  38. Ratio Analysis • Another useful fraud detection technique is the calculation of data analysis ratios for key numeric fields. • Like financial ratios that give indications of the financial health of a company, data analysis ratios report on the fraud health by identifying possible symptoms of fraud. • Three commonly employed ratios are: • * the ratio of the highest value to the lowest value (max/min); • * the ratio of the highest value to the second highest value (max/max2); and • * the ratio of the current year to the previous year. • For example, auditors concerned about prices customers were being charged for products could calculate the ratio of the maximum sales price to the minimum sales price for each product. • If the ratio is close to 1.0, they can be sure that there is little variance between the highest and lowest prices charged to customers. • However, if the ratio is large this could indicate that a customer was being charged too much or too little for the product.

  39. Ratio Analysis Case Study: Doctored Bills • The auditors reviewed the patient billing system at Company Y to determine if the appropriate charges were being assessed by health care providers. An initial analysis of the data was performed to calculate the ratio of the highest and lowest charges for each procedure. A judgment was made that procedures with a max/min ratio of greater than 1.30 be noted and subjected to additional review. • For a particular quarter, three procedures had ratios higher than 1.30, the highest being 1.42. A filter was used to identify the records related to the three procedures in question, and additional analysis was performed. This quickly determined that one doctor was charging significantly more than the other doctors for the same procedures. A comparison of charges from the billing system with payments in the accounts receivable system revealed that the doctor was skimming off the patient payments. The amount recorded in the receivable system was in line with the usual billing amount for the procedures. The doctor was unable to justify the higher prices or explain the difference between the billing and the receivable systems. • The third ratio compares data from different years, departments or operating areas, and the like. For example, the ratio of last year's purchases to the current year's purchases for each supplier can point to symptoms of fraud such as kickbacks in the contracting section. If total purchases from a supplier have gone from $100,000 to $400,000, a ratio of 4.0, further analysis may be in order.

  40. Ratio Analysis Case Study: Contracting Kickbacks • Jonathan, one of the contracting officers, had devised a great win/win kickback scheme. The auditors decided to use digital analysis as part of their review of the contracting section. One of the analyses calculated the total contract amount by supplier for each of the past two years. A ratio of current year to previous year was calculated and the minimum, maximum, average, and highest and lowest five ratios were displayed. While the average was close to 1.0, the highest and lowest five values showed that some companies had significant decreases in business, while others had experienced significant increases in business. • The auditors reviewed the details of all companies that had a ratio of less than 0.7 or more than 1.30. Totals were calculated by contracting officer. For companies with an increase in business, the results revealed that Jonathan had raised many of the contracts. In comparison, Jonathan had raised no contracts with the companies that had seen a decrease in business. The auditors learned of Jonathan's kickback scheme when they interviewed salesmen from the companies that had ratios less than 0.7. Interviews with salesmen from the firms whose ratios were 1.30 or more added credence to the fraud accusations. Both groups of salesmen said that they were told they would only get business if they paid Jonathan a kickback.
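The three ratios from slides 38 to 40 (max/min, max/max2 and current year over previous year), followed by the drill-down each case used, as an added example that is not part of the original slides. The billing records, procedure codes, doctor and officer names and contract totals are constructed; the 1.30 and 0.7 cut-offs are the ones the cases quote.

```python
# Added example (not from the slides): the three data-analysis ratios from the
# Ratio Analysis slides, applied to constructed billing and contract records.
# Procedure codes, doctor and officer names and amounts are assumptions; the
# 0.7 / 1.30 thresholds follow the two case studies.
from collections import defaultdict
from decimal import Decimal

# Constructed patient-billing records: (procedure, doctor, charge)
CHARGES = [
    ("P100", "Dr. A", Decimal("200")), ("P100", "Dr. B", Decimal("205")), ("P100", "Dr. C", Decimal("284")),
    ("P200", "Dr. A", Decimal("500")), ("P200", "Dr. B", Decimal("510")), ("P200", "Dr. C", Decimal("505")),
]

# Constructed contract totals: (supplier, contracting officer, year, amount)
CONTRACTS = [
    ("Supp1", "Jonathan", 2004, Decimal("100000")), ("Supp1", "Jonathan", 2005, Decimal("400000")),
    ("Supp2", "Maria",    2004, Decimal("250000")), ("Supp2", "Maria",    2005, Decimal("260000")),
    ("Supp3", "Maria",    2004, Decimal("300000")), ("Supp3", "Lee",      2005, Decimal("150000")),
]


def max_min_ratio(values):
    """Highest / lowest value; 1.0 means every value is identical."""
    return max(values) / min(values)


def max_max2_ratio(values):
    """Highest / second-highest value; a large ratio isolates a single outlier."""
    top = sorted(values, reverse=True)
    return top[0] / top[1]


def ratios_by_key(rows, threshold=Decimal("1.30")):
    """Group (key, who, value) rows by key; return both ratios and whether max/min exceeds the threshold."""
    groups = defaultdict(list)
    for key, _, value in rows:
        groups[key].append(value)
    return {k: {"max_min": max_min_ratio(v), "max_max2": max_max2_ratio(v),
                "flag": max_min_ratio(v) > threshold} for k, v in groups.items()}


def flagged_keys(rows, threshold=Decimal("1.30")):
    """Keys (procedures) whose max/min ratio is above the threshold."""
    return sorted(k for k, r in ratios_by_key(rows, threshold).items() if r["flag"])


def top_charger(rows, key):
    """Who billed the highest amount for a flagged key (the drill-down in the Doctored Bills case)."""
    return max((r for r in rows if r[0] == key), key=lambda r: r[2])[1]


def year_over_year(contracts, prev_year, cur_year):
    """Current-year / previous-year total per supplier (suppliers seen in only one year are skipped)."""
    totals = defaultdict(lambda: defaultdict(Decimal))
    for supplier, _, year, amount in contracts:
        totals[supplier][year] += amount
    return {s: t[cur_year] / t[prev_year] for s, t in totals.items()
            if t.get(prev_year) and t.get(cur_year)}


def flagged_suppliers(ratios, low=Decimal("0.7"), high=Decimal("1.30")):
    """Suppliers whose business fell below `low` or grew beyond `high` times the previous year's."""
    return sorted(s for s, r in ratios.items() if r < low or r > high)


def officer_totals(contracts, suppliers, year):
    """Who raised the given year's contracts with the flagged suppliers (the Kickbacks drill-down)."""
    totals = defaultdict(Decimal)
    for supplier, officer, y, amount in contracts:
        if supplier in suppliers and y == year:
            totals[officer] += amount
    return dict(totals)


if __name__ == "__main__":
    for proc in flagged_keys(CHARGES):
        print(proc, ratios_by_key(CHARGES)[proc], "highest:", top_charger(CHARGES, proc))
    yoy = year_over_year(CONTRACTS, 2004, 2005)
    print("year-over-year:", yoy)
    print("officers behind flagged suppliers:", officer_totals(CONTRACTS, flagged_suppliers(yoy), 2005))
```

Decimal is used rather than float so that 284/200 comes out as exactly 1.42, the figure an auditor would see on a report, and so that the 1.30 cut-off is applied without rounding artefacts. The ratio step only narrows the population; the conclusion in each case came from the drill-down (who billed the outlier, who raised the contracts) and from interviews.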

  41. Benford's Law • Benford's Law, first noted by Simon Newcomb in 1881 and published by Frank Benford in 1938, predicts the frequency of leading digits in many kinds of numeric data. It says that in a large population of transactions (10,000 plus) the first digit will most often be a 1 (about 30% of the time); less frequently will the first digit be a 2, even less frequently a 3, and so on down to 9. • An analysis of the frequency distribution of the first or second digits can detect abnormal patterns in the data and may identify possible fraud. An even more focused test examines the frequency distribution of the first two digits (FTD). The formula for the expected frequencies (base-10 logarithm) is: • Expected FTD Frequency = log10(1 + 1/FTD) • Therefore, the expected frequency of 13 is log10(1 + 1/13). The expected frequencies range from 0.041 for 10 down to 0.004 for 99. • Some audit software programs can be used to determine the frequency distribution for first digits, first two digits, and second digits. • Note: not all data will have distributions as predicted by Benford's Law. Sometimes there is a valid rationale for certain numbers occurring more frequently than expected. For example, if a company sends a large amount of correspondence via courier, and the cost is a standard rate ($6.12) for sending a package of under one pound, then the first digit (6) or the first two digits (61) may occur more often than predicted by Benford's Law. Assigned numbers (invoice or account numbers) and amounts capped by a limit also do not follow the law.

  42. Benford's Law Case Study: Signature Authority • The auditors for Z Company were investigating possible fraud in the contracting section, where thousands of contracts were raised every month. They used Benford's Law to examine the first two digits of the contract amount. The results of their analysis revealed that the digits 49 were in the data more often than expected. • Classifying on the contracting officer for all contracts with 49 as the first two digits determined that the contracting manager was raising contracts for $49,000-$49,999 to avoid contracting regulations. • Contracts under $50,000 could be sole-sourced; contracts greater than $50,000 had to be submitted to the bidding process. He was raising contracts just under the financial limit and directing them to a company owned by his wife.
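A first-two-digits Benford test and the "classify on contracting officer" drill-down from the Z Company case, as an added example that is not part of the original slides. All contract data is constructed inside make_sample_contracts(): honest amounts are drawn log-uniformly (which is Benford-distributed by construction), and one invented officer's contracts are all priced just under a $50,000 threshold. The officer names, the |z| > 4 cut-off for calling a digit pair suspicious and the data volume are assumptions.

```python
# Added example (not from the slides): a first-two-digits (FTD) Benford test
# followed by the "classify on contracting officer" drill-down from the Z Company
# case. All contract data is constructed in make_sample_contracts(); the officer
# names, the $50,000 threshold and the z-score cut-off are assumptions.
import math
import random
from collections import Counter


def expected_ftd(d):
    """Benford's expected frequency of first-two-digits d (10..99): log10(1 + 1/d)."""
    return math.log10(1 + 1 / d)


def first_two_digits(amount):
    """First two significant digits of a positive amount (cents included), or None for amounts under $0.10."""
    digits = f"{abs(amount):.2f}".replace(".", "").lstrip("0")
    return int(digits[:2]) if len(digits) >= 2 else None


def make_sample_contracts(n_honest=3000, n_suspect=300, seed=1):
    """Constructed data: n_honest Benford-conforming amounts (log-uniform between
    $100 and $100,000) spread over three officers, plus n_suspect contracts from
    one officer priced $49,000-$49,999 to stay under a $50,000 bidding threshold."""
    rng = random.Random(seed)
    contracts = [{"officer": rng.choice(["Ann", "Bob", "Cy"]),
                  "amount": round(10 ** rng.uniform(2, 5), 2)} for _ in range(n_honest)]
    contracts += [{"officer": "J. Doe", "amount": rng.randint(49_000, 49_999)} for _ in range(n_suspect)]
    return contracts


def ftd_deviations(amounts):
    """Observed vs expected FTD counts with a z-score per digit pair, most deviant first."""
    observed = Counter(d for d in map(first_two_digits, amounts) if d is not None)
    n = sum(observed.values())
    rows = []
    for d in range(10, 100):
        p = expected_ftd(d)
        exp_count = n * p
        sd = math.sqrt(n * p * (1 - p))          # binomial standard deviation of the count
        rows.append({"digits": d, "observed": observed[d], "expected": round(exp_count, 1),
                     "z": (observed[d] - exp_count) / sd})
    return sorted(rows, key=lambda r: -abs(r["z"]))


def suspicious_digits(amounts, z_cutoff=4.0):
    """Digit pairs whose excess is far beyond sampling noise (assumed cut-off: |z| > 4)."""
    return [r["digits"] for r in ftd_deviations(amounts) if abs(r["z"]) > z_cutoff]


def classify_by_officer(contracts, digits):
    """Count, per contracting officer, the contracts whose amount starts with `digits`."""
    return Counter(c["officer"] for c in contracts if first_two_digits(c["amount"]) == digits)


if __name__ == "__main__":
    contracts = make_sample_contracts()
    amounts = [c["amount"] for c in contracts]
    for row in ftd_deviations(amounts)[:5]:
        print(row)
    for d in suspicious_digits(amounts):
        print(d, classify_by_officer(contracts, d).most_common(3))
```

With the constructed data the pair 49 stands out by a wide margin (a z-score in the tens, against roughly ±3 for the honest pairs), and classifying the 49-contracts by officer attributes nearly all of them to the one officer who was pricing just under the limit. A z-score per digit pair is used rather than a single chi-square over all 90 pairs because the auditor needs to know which digits to drill into, not just that the population deviates.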
