
Computer Forensics for Accountants Class 2 Summer 2013

Computer Forensics for Accountants Class 2 Summer 2013. Grover Kearns, PhD, CPA, CFE. Laptop Security Tips. Treat it like cash. Get it out of the car...don’t ever leave it behind. Keep it locked...use a security cable. Keep it off the floor...or at least between your feet.


Presentation Transcript


  1. Computer Forensics for Accountants, Class 2, Summer 2013. Grover Kearns, PhD, CPA, CFE

  2. Laptop Security Tips • Treat it like cash. • Get it out of the car...don’t ever leave it behind. • Keep it locked...use a security cable. • Keep it off the floor...or at least between your feet. • Keep passwords separate...not near the laptop or case. • Don’t leave it “for just a sec”...no matter where you are. • Pay attention in airports...especially at security.

  3. Importance of IT Forensic Techniques to Organizations: The New Corporate Environment • Sarbanes-Oxley 2002 • SAS 78, 80, 94, 99 • COSO and COBIT • ISO 9000 and ISO 17799 • Gramm-Leach-Bliley Act • US Foreign Corrupt Practices Act … all of these have altered the corporate environment and made forensic techniques a necessity!

  4. Importance of IT Forensic Techniques to Auditors: SAS 99. SAS No. 99 - Consideration of Fraud in a Financial Statement Audit - requires auditors to … • Understand fraud • Gather evidence about the existence of fraud • Identify and respond to fraud risks • Document and communicate findings • Incorporate a technology focus

  5. Importance of IT Forensic Techniques to Auditors • Majority of fraud is uncovered by chance • Auditors often do not look for fraud • Prosecution requires evidence • Value of IT assets growing. Treadway Commission Study … • Undetected fraud was a factor in one-half of the 450 lawsuits against independent auditors.

  6. Digital Crime Scene Investigation: Digital Forensic Investigation. A process that uses science and technology to examine digital objects and that develops and tests theories, which can be entered into a court of law, to answer questions about events that occurred. IT Forensic Techniques are used to capture and analyze electronic data and develop theories.

  7. Audit Goals of a Forensic Investigation • Uncover fraudulent or criminal cyber activity • Isolate evidentiary matter (freeze scene) • Document the scene • Create a chain-of-custody for evidence • Reconstruct events and analyze digital information • Communicate results

  8. Audit Goals of a Forensic Investigation: Immediate Response • Shut down computer (pull plug) • Bit-stream mirror-image of data • Begin a traceback to identify possible log locations • Contact system administrators on intermediate sites to request log preservation • Contain damage and stop loss • Collect local logs • Begin documentation

  9. Audit Goals of a Forensic Investigation: Continuing Investigation • Implement measures to stop further loss • Communicate to management and audit committee regularly • Analyze copy of digital files • Ascertain level and nature of loss • Identify perpetrator(s) • Develop theories about motives • Maintain chain-of-custody

  10. Disk Geometry (diagram labels: Track; Sector, where clusters are groups of sectors; Cylinder)

  11. Slack Space (diagram labels: End of File; Slack Space; Last Cluster in a File)

  12. Data Recovery: File Recovery with PC Inspector

  13. Data Eradication: Securely Erasing Files

  14. Data Integrity: MD5 • Message Digest – a hashing algorithm used to generate a checksum • Available online as freeware • Any changes to file will change the checksum. Use: • Generate MD5 of system or critical files regularly • Keep checksums in a secure place to compare against later if integrity is questioned

  15. Data Integrity: MD5 Using HashCalc

  16. Data Integrity: HandyBits EasyCrypto

  17. Audit Command Language (ACL) • ACL is the market leader in computer-assisted audit technology and is an established forensics tool. Clientele includes … • 70 percent of the Fortune 500 companies • over two-thirds of the Global 500 • the Big Four public accounting firms

  18. Forensic Tools: Audit Command Language. ACL is a computer data extraction and analytical audit tool with audit capabilities … • Statistics • Duplicates and Gaps • Stratify and Classify • Sampling • Benford Analysis

  19. Forensic Tools: ACL Benford Analysis • States that the leading digit in some numerical series follows an exponential distribution • Applies to a wide variety of figures: financial results, electricity bills, street addresses, stock prices, population numbers, death rates, lengths of rivers


  21. Practical applications for Benford's law and digital analysis • Accounts payable data. • Estimations in the general ledger. • The relative size of inventory unit prices among locations. • Duplicate payments. • Computer system conversion (for example, old to new system; accounts receivable files). • Processing inefficiencies due to high quantity/low dollar transactions. • New combinations of selling prices. • Customer refunds.
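
A first-digit test of the kind slides 19 to 21 describe, as an added Python example that is not part of the original presentation and not ACL's own implementation. It compares observed leading digits with the Benford expectation log10(1 + 1/d) using a chi-square statistic; the amounts and the 5,000 approval limit are constructed for illustration.

```python
import math
from collections import Counter

# Expected share of leading digit d under Benford's law: log10(1 + 1/d)
BENFORD = {d: math.log10(1 + 1 / d) for d in range(1, 10)}
CHI2_CRITICAL = 15.507  # chi-square, 8 degrees of freedom, 5% level


def leading_digit(amount):
    """First significant digit of a non-zero amount (sign and scale ignored)."""
    return int(f"{abs(amount):.10e}"[0])  # e.g. '4.9870000000e+03' -> 4


def benford_test(amounts):
    """Return (rows, chi2); rows are (digit, observed, expected) counts."""
    digits = [leading_digit(a) for a in amounts if a != 0]
    counts = Counter(digits)
    rows, chi2 = [], 0.0
    for d in range(1, 10):
        expected = len(digits) * BENFORD[d]
        observed = counts.get(d, 0)
        chi2 += (observed - expected) ** 2 / expected
        rows.append((d, observed, expected))
    return rows, chi2


def most_overrepresented(rows):
    """Digit whose observed count exceeds its expected count by the most."""
    return max(rows, key=lambda r: r[1] - r[2])[0]


def sample_data():
    """Constructed amounts: a growth series, and the same series padded with
    30 payments just under a hypothetical 5,000 approval limit."""
    natural = [100 * 1.07 ** k for k in range(200)]
    padded = natural + [4900 + 3 * k for k in range(30)]
    return natural, padded


if __name__ == "__main__":
    for label, data in zip(("natural", "padded"), sample_data()):
        rows, chi2 = benford_test(data)
        verdict = "review" if chi2 > CHI2_CRITICAL else "consistent"
        print(f"{label}: chi2={chi2:.1f} ({verdict}), "
              f"top excess digit {most_overrepresented(rows)}")
```

A statistic above the critical value is a reason to pull the underlying transactions for review, not evidence of fraud by itself.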

  22. Background Checks

  23. Developing a Forensic Protocol (diagram labels: Technology, People, Policies, Processes) • The response plan must include a coordinated effort that integrates a number of organizational areas and possibly external areas • Response to fraud events must have top priority • Key players must exist at all major organizational locations

  24. A Forensic Protocol: Security Exposures. Organizations may possess critical technology skills but … • Skills are locked in towers – IT, Security, Accounting, Auditing • Skills are centralized while fraud events can be decentralized • Skills are absent – vacations, illnesses, etc.

  25. A Forensic Protocol: The Role of Policies • They define the actions you can take • They must be clear and simple to understand • The employee must acknowledge that he or she read them, understands them and will comply with them • They can’t violate law

  26. A Forensic Protocol: Forensic Response Control. Incident Response Planning … • Identify needs and objectives • Identify resources • Create policies, procedures • Create a forensic protocol • Acquire needed skills • Train • Monitor

  27. A Forensic Protocol: Documenting the Scene • Note time, date, persons present • Photograph and video the scene • Draw a layout of the scene • Search for notes (passwords) that might be useful • If possible freeze the system such that the current memory, swap files, and even CPU registers are saved or documented

  28. A Forensic Protocol: Forensic Protocol • First responder triggers alert • Team response • Freeze scene • Begin documentation • Auditors begin analysis • Protect chain-of-custody • Reconstruct events and develop theories • Communicate results of analysis

  29. A Forensic Protocol: Protocol Summary • Ensure appropriate policies • Preserve the crime scene (victim computer) • Act immediately to identify and preserve logs on intermediate systems • Conduct your investigation • Obtain subpoenas or contact law enforcement if necessary. Key: Coordination between functional areas

  30. Conclusion: Computer Forensic Skills Can … • Decrease occurrence of fraud • Increase the difficulty of committing fraud • Improve fraud detection methods • Reduce total fraud losses. Auditors trained in these skills are more valuable to the organization!

  31. Preventing Internal Attacks: Common Sense Measures • Notify employees that their use of the company's personal computers, computer networks, and Internet connections will be monitored. Then do it. • Limit physical access to computers - imposition of passwords; magnetic card readers; and biometrics, which verifies the user's identity through matching patterns in hand geometry, signature or keystroke dynamics, neural networks (the pattern of nerves in the face), DNA fingerprinting, retinal imaging, or voice recognition. More traditional site control methods such as sign-in logs and security badges can also be useful. • Classify information based on its importance, assigning security clearances to employees as needed. • Eliminate nonessential modems that could be used to transmit information. • Monitor activities of employees who keep odd hours at the office. • Include extensive background checks in the company's hiring process, especially in cases where the employee would be handling sensitive information. • Stress the importance of confidential passwords to employees.

  32. Preventing External Attacks: Common Sense Measures • Install and use anti-virus software programs that scan PCs, computer networks, CDROMs, tape drives, diskettes, and Internet material, and destroy viruses when found. • Update anti-virus programs on a regular basis. • Ensure that all individual computers are equipped with anti-virus programs. • Remove administrative rights from employees. • Make sure that the company has a regular policy of backing up (copying) important files and storing them in a safe place, so that the impact of corrupted files is minimized.

  33. The CERT Web site posts the latest security alerts and also provides security-related documents, tools, and training seminars. • CERT offers 24-hour technical assistance in the event of Internet security breaches.

  34. Malicious Internet Programs • Virus – Program that attaches itself to other programs and infects them. • Trojan – Disguised as legitimate program but designed to take control of computer. Can be used to attack other computers (zombies). • Worm – Network aware virus that replicates using file sharing or e-mail. • Over 115,000 known viruses, trojans, and worms. 70% of all e-mail traffic is SPAM!

  35. Spyware • Programs used to gather information about you and relay it to an Internet advertising company for resale. • Browser cookies can be used to track your activity. • Gathering practices and use of personal information generally not clear during web site usage or program installation.

  36. http://www.vtinfragard.org/vtinfosafe/InformationResources.html

  37. Questions or Comments?
