Investigative (1)
-
Upload
robin-singh -
Category
Documents
-
view
222 -
download
0
Transcript of Investigative (1)
-
8/8/2019 Investigative (1)
1/85
1
Er. Akash Sharma
Er. Robin Singh
Information Technology
Audit & Forensic Techniques
Cyber College All rightsreserved.
-
8/8/2019 Investigative (1)
2/85
2
IT Forensic Techniques for Auditors
Presentation Focus
Importance ofIT Forensic Techniquesto Organizations
Importance ofIT Forensic Techniquesto Auditors
Audit Goals of Forensic Investigation
Digital Crime Scene Investigation
Illustration of Forensic Tools
A Forensic Protocol
Cyber College All rightsreserved.
-
8/8/2019 Investigative (1)
3/85
3
Forensic Computing Defined
Forensic Computing is the process ofidentifying, preserving, analyzing, andpresenting digital evidence in a mannerthat is legally acceptable in a court of law
Our interest is in
Identifying and preserving evidence,
post-mortemsystem analysis todetermine extent and nature of attack, and
the forensic framework
Cyber College All rightsreserved.
-
8/8/2019 Investigative (1)
4/85
4
Importance ofIT Forensic
Techniques to OrganizationsCorporate Fraud Losses in 2004
Cost companies an average loss of assets
over $ 1.7 million A 50% increase over 2003
Over one third of these frauds were
discovered by accident, making "chance"the most common fraud detection tool. PriceWaterhouseCoopers, Global Economic Crime Survey
2005
Cyber College All rightsreserved.
-
8/8/2019 Investigative (1)
5/85
5
Importance of IT Forensic Techniques to Organizations
The New Corporate
Environment Sarbanes-Oxley 2002
COSO and COBIT
SAS 94 and SAS 99 ISO 9000 and ISO 17799
Gramm-Leach-Bliley Act
US Foreign Corrupt Practices Act
all of these have altered the corporateenvironment and made forensic techniquesa necessity!
Cyber College All rightsreserved.
-
8/8/2019 Investigative (1)
6/85
6
Importance of IT Forensic Techniques to Auditors
SAS 99SAS No. 99 - Consideration of Fraud in aFinancial Statement Audit - requires auditorsto
Understand fraud
Gather evidence about the existence offraud
Identify and respond to fraud risks
Document and communicate findings
Incorporate a technology focus Cyber College All rightsreserved.
-
8/8/2019 Investigative (1)
7/85
7
Importance of IT Forensic Techniques to Organizations
IntellectualProperty Losses
Rapid increase in theft ofIP 323%over five year period 1999-2004
75% of estimated annual losses wereto an employee, supplier or contractor
Digital IP is more susceptible to theft
Employees may not view it as theft
Cyber College All rightsreserved.
-
8/8/2019 Investigative (1)
8/85
8
Importance of IT Forensic Techniques to Organizations
Network Fraud Companies now highly reliant on networks
Networks increasingly vulnerable to attacks
Viruses, Trojans, Rootkits can addbackdoors
Social Engineering including Phishing andPharming
Confidential and proprietary informationcan be compromised
Can create a corporate liability Cyber College All rightsreserved.
-
8/8/2019 Investigative (1)
9/85
9 Cyber College All rightsreserved.
-
8/8/2019 Investigative (1)
10/85
10
Net Detector
Cyber College All rightsreserved.
-
8/8/2019 Investigative (1)
11/85
11
Importance of IT Forensic Techniques to Organizations
Security Challenges Technology expanding and becoming
more sophisticated
Processes evolving and integratingwith technologies
People under trained
Policies outdated Organizations at risk
People
Technology
Policies
Processes
Cyber College All rightsreserved.
-
8/8/2019 Investigative (1)
12/85
12 Cyber College All rights
reserved.
-
8/8/2019 Investigative (1)
13/85
13 Cyber College All rights
reserved.
-
8/8/2019 Investigative (1)
14/85
14
Importance ofIT ForensicTechniques to Auditors
Majority of fraud is uncovered by chance
Auditors often do not look for fraud
Prosecution requires evidence Value ofIT assets growing
Treadway Commission Study
Undetected fraud was a factor in one-halfof the 450 lawsuits against independentauditors.
Cyber College All rightsreserved.
-
8/8/2019 Investigative (1)
15/85
15
Importance of IT Forensic Techniques to Auditors
Auditors Knowledge, Skills,
Abilities Accounting
Auditing
IT (weak)Needed
Increased IT knowledge
Fraud and forensic accounting knowledge
Forensic investigative and analytical skillsand abilities
Cyber College All rightsreserved.
-
8/8/2019 Investigative (1)
16/85
16
Importance of IT Forensic Techniques to Auditors
Knowledge, Skills, Abilities:
NeedsAuditors need KSAs to
Build a digital audit trail
Collect usable courtroom electronicevidence
Trace an unauthorized system user
Recommend or review security policies
Understand computer fraud techniques Analyze and valuate incurred losses
Cyber College All rightsreserved.
-
8/8/2019 Investigative (1)
17/85
17
Importance of IT Forensic Techniques to Auditors
KSA Needs (cont.)
Understand information collected fromvarious computer logs
Be familiar with the Internet, web servers,firewalls, attack methodology, securityprocedures &penetration testing
Understand organizational and legal
protocols for incident handling Establish relationships with IT, risk
management, security, law enforcement Cyber College All rights
reserved.
-
8/8/2019 Investigative (1)
18/85
18
Audit Goals of a Forensic
Investigation Uncover fraudulent or criminal cyber
activity
Isolate evidentiary matter (freeze scene) Document the scene
Create a chain-of-custody for evidence
Analyze digital information
Communicate results
Cyber College All rightsreserved.
-
8/8/2019 Investigative (1)
19/85
19
Audit Goals of a Forensic Investigation
Immediate Concerns
What is level of certainty that a problemexists?
Is this a criminal act? Child porn, money laundering
When should law enforcement be involved?
Can the system be isolated?
Is a subpoena necessary?
Is the intrusion internal or external?
Are suspects known?
Is extent of loss/damage known? Cyber College All rights
reserved.
-
8/8/2019 Investigative (1)
20/85
20
Audit Goals of a Forensic Investigation
Immediate Response
Shut down computer (pull plug)
Bit-streammirror-image of data
Begin a traceback to identify possible loglocations
Contact system administrators onintermediate sites to request log
preservation Contain damage
Collect local logs
Begin documentation Cyber College All rights
reserved.
-
8/8/2019 Investigative (1)
21/85
21
Audit Goals of a Forensic Investigation
Continuing Investigation
Implement measures to stop furtherloss
Communicate to management and auditcommittee regularly
Analyze copy of digital files Ascertain level and nature of loss
Identify perpetrator(s) Develop theories about motives Maintain chain-of-custody
Cyber College All rightsreserved.
-
8/8/2019 Investigative (1)
22/85
22
Digital Crime Scene
InvestigationGoal: Determine what fraud events
occurred
by using digital evidence
Three Phases:
Preserve & Document Scene
Analyze/Search & Document Data
Reconstruct & Document Fraud Event
Cyber College All rightsreserved.
-
8/8/2019 Investigative (1)
23/85
23
Digital Crime Scene Investigation
Scene Preservation &
Documentation Goal: Preserve the state of asmany digital objects as possible
and document the crime scene. Methods:
Shut system down
Unplug (best)
Do nothing
Bag and tag
Cyber College All rightsreserved.
-
8/8/2019 Investigative (1)
24/85
24
Treat every incident as if itwill end up in a criminal
prosecution.
Digital Crime Scene Investigation
Investigative Axiom
Cyber College All rightsreserved.
-
8/8/2019 Investigative (1)
25/85
25
Digital Crime Scene Investigation
Incidents &Investigations
Incident/Crime: An event thatviolates a policy or law
Investigation: A process thatdevelops and tests hypotheses toanswer questions about events thatoccurred
Cyber College All rightsreserved.
-
8/8/2019 Investigative (1)
26/85
26
Audit Goals of a Forensic Investigation
Rules of Evidence
Complete
Authentic
Admissible
Reliable
Believable
Cyber College All rightsreserved.
-
8/8/2019 Investigative (1)
27/85
27
Audit Goals of a Forensic Investigation
Requirements for Evidence
Computer logs Must not be modifiable
Must be complete Appropriate retention rules
Cyber College All rightsreserved.
-
8/8/2019 Investigative (1)
28/85
28
Digital Crime Scene Investigation
Problems with Digital
Investigation Timing essential electronic evidence
volatile
Auditor may violate rules of evidence
NEVERwork directly on the evidence
Skills needed to recover deleted data
or encrypted data
Cyber College All rightsreserved.
-
8/8/2019 Investigative (1)
29/85
29
Digital Crime Scene Investigation
Extract, process, interpret
Work on the imaged data or safe copy
Data extracted may be in binary form
Process data to convert it tounderstandable form
Reverse-engineer to extract disk partitioninformation, file systems, directories, files, etc
Software available for this purpose
Interpret the data search for key words,phrases, etc.
Cyber College All rights
reserved.
-
8/8/2019 Investigative (1)
30/85
30
Digital Crime Scene Investigation
Technology
Magnetic disks contain data after deletion
Overwritten data may still be salvaged
Memory still contains data after switch-off Swap files and temporary files store data
Most OSs perform extensive logging (so
do network routers)
Cyber College All rights
reserved.
-
8/8/2019 Investigative (1)
31/85
31
Disk Geometry
Track
Sector
Cylinder
(Clusters are
groups of
Sectors)
Cyber College All rights
reserved.
-
8/8/2019 Investigative (1)
32/85
32
Slack Space
End of FileEnd of File Slack SpaceSlack Space
Last Cluster in a FileLast Cluster in a File
Cyber College All rights
reserved.
-
8/8/2019 Investigative (1)
33/85
33
Digital Crime Scene Investigation
Order of Volatility
Preserve most volatile evidence first
Registers, caches, peripheralmemory
Memory (kernel, physical) Network state
Running processes
Disk
Floppies, backupmedia
CD-ROMs, printouts
Cyber College All rights
reserved.
-
8/8/2019 Investigative (1)
34/85
34
Digital Crime Scene Investigation
Digital Forensic InvestigationA process that uses science andtechnology to examine digital objects
and that develops and tests theories,which can be entered into a court oflaw, to answer questions about eventsthat occurred.
IT Forensic Techniques are used tocapture and analyze electronic dataand develop theories.
Cyber College All rights
reserved.
-
8/8/2019 Investigative (1)
35/85
35
Illustration of Forensic Tools
Forensic Software Tools are used for
Data imaging
Data recovery Data integrity
Data extraction
Forensic Analysis Monitoring
Cyber College All rights
reserved.
-
8/8/2019 Investigative (1)
36/85
36
Data Imaging
EnCase
Reduces internal investigationcosts
Platform independent
Automated analysis saves time
Supports electronic records audit
Creates logical evidence files eliminating need to capture entirehard drives
Cyber College All rights
reserved.
-
8/8/2019 Investigative (1)
37/85
37
Data Imaging
EnCase
Previews computers over thenetwork to determine whetherrelevant evidence exists:
Unallocated/allocated space Deleted files File slack Volume slack File system attributes
CD ROMs/DVDs Mounted FireWire and USB devices Mounted encrypted volumes Mounted thumb drives
Cyber College All rights
reserved.
-
8/8/2019 Investigative (1)
38/85
38
Data Recovery
File Recovery with PC Inspector
Cyber College All rights
reserved.
-
8/8/2019 Investigative (1)
39/85
39
Data Eradication
Securely Erasing Files
Cyber College All rights
reserved.
D t I t it
-
8/8/2019 Investigative (1)
40/85
40
Data Integrity
MD5
Message Digest a hashing algorithm usedto generate a checksum
Available online as freeware
Any changes to file will change the
checksumUse:
Generate MD5 of system or critical filesregularly
Keep checksums in a secure place tocompare against later if integrity isquestioned
Cyber College All rights
reserved.
-
8/8/2019 Investigative (1)
41/85
41
Data Integrity
MD5 Using HashCalc
Cyber College All rights
reserved.
-
8/8/2019 Investigative (1)
42/85
42
Data Integrity
HandyBits EasyCrypto
Cyber College All rights
reserved.
-
8/8/2019 Investigative (1)
43/85
43
Data Integrity
Private Disk
Cyber College All rights
reserved.
-
8/8/2019 Investigative (1)
44/85
44
Data Monitoring
Tracking Log Files
Cyber College All rights
reserved.
-
8/8/2019 Investigative (1)
45/85
45
Data Monitoring
PC System Log
Cyber College All rights
reserved.
-
8/8/2019 Investigative (1)
46/85
46
Security Software Log Entries
Cyber College All rights
reserved.
-
8/8/2019 Investigative (1)
47/85
47
Cyber College All rights
reserved.
-
8/8/2019 Investigative (1)
48/85
48
Free Log Tools
Cyber College All rights
reserved.
-
8/8/2019 Investigative (1)
49/85
49
Cyber College All rights
reserved.
-
8/8/2019 Investigative (1)
50/85
50
Audit Command Language
(ACL) ACL is the market leader in
computer-assisted audit technologyand is an established forensics tool.
Clientele includes
70percent of the Fortune 500companies
over two-thirds of the Global 500
the Big Four public accounting firms
Cyber College All rights
reserved.
-
8/8/2019 Investigative (1)
51/85
51
Forensic Tools
Audit Command Language
ACL is a computer data extraction andanalytical audit tool with auditcapabilities
Statistics
Duplicates and Gaps
Stratify and Classify
Sampling
Benford Analysis
Cyber College All rights
reserved.
-
8/8/2019 Investigative (1)
52/85
Cyber College All rights
reserved.
52
-
8/8/2019 Investigative (1)
53/85
53
Cyber College All rights
reserved.
-
8/8/2019 Investigative (1)
54/85
54
Cyber College All rights
reserved.
-
8/8/2019 Investigative (1)
55/85
55
Cyber College All rights
reserved.
-
8/8/2019 Investigative (1)
56/85
56
Cyber College All rights
reserved.
-
8/8/2019 Investigative (1)
57/85
57
Forensic Tools: ACL
Benford Analysis
States that the leading digitin some numerical series isfollows an exponential rather
than normal distribution Applies to a wide variety of
figures: financial results,electricity bills, street
addresses, stock prices,population numbers, deathrates, lengths of rivers
Le g
D g
Pr b b
1 30.1 %
2 17.6 %
3 12.5 %
4 9.7 %
5 7.9 %
6 6.7 %
7 5.8 %
8 5.1 %
9 4.6 %
Cyber College All rights
reserved.
-
8/8/2019 Investigative (1)
58/85
58
Cyber College All rights
reserved.
-
8/8/2019 Investigative (1)
59/85
59
Cyber College All rights
reserved.
-
8/8/2019 Investigative (1)
60/85
60
Cyber College All rights
reserved.
Data Monitoring
-
8/8/2019 Investigative (1)
61/85
61
g
Employee Internet Activity
Spector captures employee web activityincluding keystrokes, email, and snapshots toanswer questions like:
Which employees are spending the most timesurfing web sites?
Which employees chat the most? Who is sending the most emails with
attachments?
Who is arriving to work late and leavingearly?
What are my employees searching for on theInternet?
Cyber College All rights
reserved.
-
8/8/2019 Investigative (1)
62/85
62
Data Monitoring : Spector
Recorded Email
Cyber College All rights
reserved.
-
8/8/2019 Investigative (1)
63/85
63
Data Monitoring : Spector
Recorded Web Surfing
Cyber College All rights
reserved.
-
8/8/2019 Investigative (1)
64/85
-
8/8/2019 Investigative (1)
65/85
65
Data Monitoring : Spector
Recorded Snapshots
Cyber College All rights
reserved.
-
8/8/2019 Investigative (1)
66/85
66
Cyber College All rights
reserved.
-
8/8/2019 Investigative (1)
67/85
67
Data Capture : Key Log Hardware
KeyKatcher
Records chat, e-mail, internet &
more
Is easier to use than parental
control software Identifies internet addresses
Uses no system resources
Works on all PC operating
systemsUndetectable by software
www.lakeshoretechnology.com Cyber College All rights
reserved.
Background Checks
-
8/8/2019 Investigative (1)
68/85
68
Background Checks
Cyber College All rights
reserved.
-
8/8/2019 Investigative (1)
69/85
69http://www.expressmetrix.com/solutions/
Cyber College All rights
reserved.
-
8/8/2019 Investigative (1)
70/85
70
Cyber College All rights
reserved.
-
8/8/2019 Investigative (1)
71/85
71
Cyber College All rights
reserved.
-
8/8/2019 Investigative (1)
72/85
72
Cyber College All rights
reserved.
-
8/8/2019 Investigative (1)
73/85
73
Cyber College All rights
reserved.
-
8/8/2019 Investigative (1)
74/85
74
Developing a Forensic Protocol
The response plan must include acoordinated effort that integrates a numberof organizational areas and possibly
external areasResponse to fraud events musthave toppriority
Key players must exist at allmajor organizationallocations
People
Technology
Policies
Processes
Cyber College All rights
reserved.
-
8/8/2019 Investigative (1)
75/85
l
-
8/8/2019 Investigative (1)
76/85
76
A Forensic Protocol
Security Exposures
Organizations may possess criticaltechnology skills but
Skills are locked in towers IT,Security, Accounting, Auditing
Skills are centralized while fraudevents can be decentralized
Skills are absent vacations, illnesses,etc
Cyber College All rights
reserved.
-
8/8/2019 Investigative (1)
77/85
77
A Forensic Protocol
The Role ofPolicies
They define the actions you can take
They must be clear and simple to
understand The employee must acknowledge that
he or she read them, understandsthem and will comply with them
They cant violate law
Cyber College All rights
reserved.
-
8/8/2019 Investigative (1)
78/85
78
A Forensic Protocol
Forensic Response Control
Incident Response Planning
Identify needs and objectives
Identify resources Create policies, procedures
Create a forensic protocol
Acquire needed skills
Train
Monitor Cyber College All rights
reserved.
-
8/8/2019 Investigative (1)
79/85
79
A Forensic Protocol
Documenting the Scene
Note time, date, persons present
Photograph and video the scene
Draw a layout of the scene
Search for notes (passwords) that might beuseful
Ifpossible freeze the system such that the
current memory, swap files, and even CPUregisters are saved or documented
Cyber College All rights
reserved.
-
8/8/2019 Investigative (1)
80/85
80
A Forensic Protocol
Forensic Protocol
First responder triggers alert
Team response
Freeze scene Begin documentation
Auditors begin analysis
Protect chain-of-custody
Reconstruct events and develop theories
Communicate results of analysis
Cyber College All rights
reserved.
-
8/8/2019 Investigative (1)
81/85
81
A Forensic Protocol
Protocol Summary
Ensure appropriate policies
Preserve the crime scene (victim computer)
Act immediately to identify and preserve logs
on intermediate systems Conduct your investigation
Obtain subpoenas or contact law enforcementif necessary
Key: Coordination between functional areas
Cyber College All rights
reserved.
Conclusion
-
8/8/2019 Investigative (1)
82/85
82
Conclusion
IT Forensic Investigative Skills Can
Decrease occurrence of fraud
Increase the difficulty of committingfraud
Improve fraud detection methods
Reduce total fraud losses
Auditors trained in these skills are
more valuable to the organization! Cyber College All rights
reserved.
-
8/8/2019 Investigative (1)
83/85
83
Questions or Comments?
Er. Akash SharmaEr. Ro in Sin h
akash@cy ercolle e.asia
Cyber College All rights
reserved.
Web Reso ces
-
8/8/2019 Investigative (1)
84/85
84
Web Resources
ACL http://www.acl.com/Default.aspx?bhcp=1
Eraser http://www.heidi.ie/eraser/
Private Disk http://www.private-disk.net/
HashCalc http://www.slavasoft.com/hashcalc/index.htm
PC Inspector http://www.download.com/3000-2242-10066144.html
VeriSign http://www.verisign.com
HandyBits Encryption http://www.handybits.com/
EnCase http://www.handybits.com/
Cyber College All rights
reserved.
W b R ( t )
-
8/8/2019 Investigative (1)
85/85
Web Resources (cont.)
Spectorhttp://www.spectorsoft.com/ Stolen ID Searchhttps://www.stolenidsearch.com/ Abika Background Check
http://www.abika.com/ Guide to Log Managementhttp://csrc.nist.gov/publications/nistpubs/800-92/SP800-92.pdf ACFE Fraud Prevention Checkuphttp://www.acfe.com/documents/Fraud_Prev_Checkup_IA.pdf NetWitnesshttp://www.netwitness.com/
GASP Std V 7.0 Free Softwarehttp://www.bsa.org/usa/antipiracy/Free-Software-Audit-Tools.cfm Federal Guidelines for Searcheshttp://www.cybercrime.gov/searchmanual.htm
C b C ll All i ht