Practical Application of Computer Forensics Lisa Outlaw, CISA, CISSP, CRMA.

Post on 14-Dec-2015


Overview
• Definition of Computer Forensics
• Computer Forensics & Auditing
• Why We Need Computer Forensics
• The Process (Do's & Don'ts)
  – Identification
  – Collection of Evidence
  – Required Documentation
  – Imaging
  – Examination
  – Report Preparation
  – Returning of Evidence

Definition of Computer Forensics

Computer forensics involves the:
• Identification
• Collection
• Preservation
• Examination, and
• Analysis of digital information

Digital information becomes digital evidence.

What is Digital Evidence?

Digital evidence is any information of value that is either stored or transmitted in a binary form, including digital audio, image, and video.

Computer Forensic Examination

The computer forensic examination is: locating digital evidence that can withstand close scrutiny or a legal challenge.

Computer Forensics & Auditing

Computer forensics can support your audit and investigation objectives:
• An effective system of internal controls;
• Reliability of financial reporting;
• Compliance with federal and state laws;
• Detection of fraud, waste, and abuse.

Audit of Travel Expenses

Planning Phase
• Used an audit program customized to my specific environment and the risks assessed.
• Gained access to travel expense data and appropriate analysis tools, such as ACL.

Gain an Understanding
• Gain an understanding of the business processes, including procedures for approving, recording and reimbursing expenses.

Audit of Travel Expenses

Considered Red Flags (Risk Assessment)
• Most frequent travelers
• Falsified or manipulated receipts
• Claims for meals or mileage only
• Inflated mileage totals on personal car usage

Audit of Travel Expenses

You select the most frequently reimbursed employee by summarizing the travel expenses.

You then obtain supporting evidence to determine if the travel actually occurred, is overstated or understated, accurate, classified correctly in the financial statements, etc.

Audit of Travel Expenses

Professional Skepticism: An attitude that includes a questioning mind and a critical assessment of audit evidence. The auditor should not assume that management is either honest or dishonest.

Computer Forensics Examination

Locating digital evidence that can withstand close scrutiny or a legal challenge.

Audit of Travel Expenses

Request the services of a computer forensics expert to analyze the employee's hard drive to determine if digital evidence can be found to support the falsification of the travel reimbursement form.

Audit of Travel Expenses

Computer Forensic Results:
Digital evidence proved this employee did not travel at all.
• Emails
• Telephone calls made from within the building using VoIP
• Facility access logs proved the employee was in the building during the days he was supposed to be on travel status.
• A signature block of the supervisor was found on the employee's hard drive.
• Hash values of the signature image agreed with the hash value of the signature image used on the fraudulent travel reimbursements.
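The hash comparison in the last bullet, written out as an added example (this is not the examiner's tooling or the deck's own code). It assumes Python, and every path, form identifier and byte string below is constructed to stand in for the image files recovered from the drive and the signature images pulled out of the submitted forms. It goes one step beyond the slide by indexing every recovered file by hash, so exact duplicates elsewhere on the drive surface as well:

```python
import hashlib

# Constructed sample data (not from the case in the deck): stand-ins for image
# files recovered from the employee's hard drive and for the signature images
# extracted from the submitted reimbursement forms. Paths and bytes are invented.
RECOVERED_FILES = {
    "Users/employee/Pictures/sig_block.png": b"PNG-SIGNATURE-IMAGE-v1",
    "Users/employee/Downloads/sig_block(1).png": b"PNG-SIGNATURE-IMAGE-v1",  # exact copy
    "Users/employee/Pictures/sig_block_edited.png": b"PNG-SIGNATURE-IMAGE-v2",  # one byte differs
    "Users/employee/Pictures/logo.png": b"PNG-AGENCY-LOGO",
}

FORM_IMAGES = {
    "TR-FORM-0001.pdf/image1": b"PNG-SIGNATURE-IMAGE-v1",
    "TR-FORM-0002.pdf/image1": b"PNG-SIGNATURE-IMAGE-v1",
    "TR-FORM-0003.pdf/image1": b"PNG-SCANNED-WET-SIGNATURE",
}


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of a byte string (the deck only says 'hash values'; SHA-256 is our choice)."""
    return hashlib.sha256(data).hexdigest()


def build_hash_index(files):
    """Map each hash to the sorted list of recovered paths with byte-identical content."""
    index = {}
    for path, data in files.items():
        index.setdefault(sha256_hex(data), []).append(path)
    for paths in index.values():
        paths.sort()
    return index


def match_signature_images(recovered, forms):
    """For every image pulled from a form, list the recovered files whose hash is identical."""
    index = build_hash_index(recovered)
    return {
        form_path: {"sha256": sha256_hex(data), "matches": index.get(sha256_hex(data), [])}
        for form_path, data in forms.items()
    }


def forms_with_evidence(matches):
    """Forms whose signature image exists byte-for-byte on the recovered drive."""
    return sorted(p for p, m in matches.items() if m["matches"])


if __name__ == "__main__":
    for form, m in match_signature_images(RECOVERED_FILES, FORM_IMAGES).items():
        print(form, m["sha256"][:16], m["matches"])
```

A matching hash means the two files are byte-identical, which is why the finding is so strong; the converse is weaker, since an image that was re-saved, resized or recompressed before being pasted into a form would hash differently (the `sig_block_edited.png` entry above) and would need visual or metadata comparison instead.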

Audit of Travel Expenses

Travel Reimbursement Fraud
More than $100,000 of fraudulent reimbursements were found made to this one employee.

Are our internal controls over travel expenditures weak or strong?

Control weaknesses found:
• Staying with friends and family (produces no receipts)

Why We Need Computer Forensics (Reasons for Computer Forensic Services)
• Inappropriate use of computer systems
• Determining a security breach
• Detection of disloyal employees
• Evidence for disputed dismissals
• Malicious file identification
• Theft of information assets
• Forgeries of documents

The Process

(1) Identification
(2) Collection of Evidence
(3) Required Documentation
(4) Imaging
(5) Examination
(6) Report Preparation
(7) Returning of Evidence

Identification

AUDITOR'S ROLE (Forensic Specialist)
1. Determine if the reason for computer forensics is appropriate.
2. Identify where additional digital evidence may reside.

AUDITEE'S ROLE (ex. University)
1. Determine when to use Computer Forensic Services.
2. Identify where digital evidence may reside.

Collection of Evidence

• IT AUDITOR'S ROLE
  – Help client secure the computer to be examined
  – Require and complete necessary forms
  – Securely collect computer from client

• AUDITEE'S ROLE
  – Ensure that the computer to be examined remains secure until collected
  – Notify appropriate personnel
  – Complete chain of custody form

Collection of Evidence – Do's & Don'ts

• Do not disturb the computer in question.
• Computer is off, leave it off.
• Computer is on, leave it on.
• Do not run any programs on the computer.
• Do not make any changes.
• Do not insert anything into the computer.
• Secure the computer.

Required Documentation
• Computer Forensic Request Form
• Chain of Custody Form
• Signatures
• Disclosures and Disclaimers

Required Documentation

AUDITOR'S ROLE
• Assign a case number
• Assign an auditor or computer forensic expert
• Date & time when the device was secured

AUDITEE'S ROLE – Document:
• Date & time of request
• Name of requestor
• Date & time client secured the device
• Agency name
• Head of the agency name

Required Documentation

AUDITOR'S ROLE – Document:
• Serial numbers
• MAC address / static IP address
• Make & model

AUDITEE'S ROLE – Document:
• Reason for request
• Desired objectives

Approval From Relevant Parties

Approvals should be obtained from:
• Head of the Agency or Company
• Audit Director
• Legal Counsel, and
• Human Resources

AUDITOR'S ROLE
• Sign and date form
• Obtain Director and Legal Counsel approval

AUDITEE'S ROLE
• Sign and date form
• Obtain Agency Head approval

Required Documentation

Additional Chain of Custody Form

Chain of Custody form continued on the reverse side of the computer forensic request form.

Device Serial#: ____________    FAS:   ____________
Make:           ____________    Model: ____________

                  Signature    Print Name    Reason    Date    Time
Relinquished By:  _________    __________    ______    ____    ____
Received By:      _________    __________    ______    ____    ____

Why Are These Documents Necessary?
• Collect important information
• Legal aspects
• "Get out of jail free" card

Scan Hardcopies

We scan all hardcopy forms to PDF and this electronic copy is kept with the images of the evidence.

Imaging

AUDITOR'S ROLE
– Determine where to perform the image:
  – Onsite
  – In the lab

AUDITEE'S ROLE
– Escort our staff to physically collect the computer from the computer's secure location.

Hardware Imaging

Imaging

Here are some of the procedures we use during imaging to ensure that evidence collected is clearly identified and preserved:

Tag Evidence

We manually tag all evidence items with an assigned case number using the following naming convention: Case Number and Hard Drive Serial Number (Ex., 01-2008-04-Agency Name – HDD Serial#).

Connect Hard Drive to Write Blocker

Connect the write blocker to the hard drive.

Imaging Regular Hard Drive

To image a regular sized hard drive, implement the following procedures: request the client to purchase a storage device.
• Reduces cost
• Ensure enough space is available to process the evidence
• Easy transfer of images to client

Storage Device

Organize Evidence Information

Create the following folders on the destination drive for every case:

Case Name-Evidence Item Number (Folder)
1. Evidence (sub-folder)
   1. HDD1 (sub-folder)
   2. HDD2 (sub-folder)
2. Export (sub-folder)
3. Temp (sub-folder)
4. Index (sub-folder)
5. Drive Geometry (sub-folder)
6. Report (sub-folder)
7. Case Back-up (sub-folder)

Place all images produced in the Evidence folder.

Use FTK Imager

Create the image using FTK Imager. Through experience, we have found this to be one of the easiest and most portable software tools for creating images. Also, this image can be used in both FTK and EnCase.

Image Physical Drive

Always image the physical drive.
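The case folder layout from the "Organize Evidence Information" slide and the acquisition-and-verify step that FTK Imager performs, combined into one added example (this is not the presenter's procedure or any FTK Imager code, and it does not drive that tool; it stands in for what an imaging tool does when it verifies an acquisition). It assumes Python, uses the case number "01-2008-04" and "Agency Name" from the slide's own tagging example, treats the case number as the case name, and substitutes a constructed 5 MiB file with a placeholder serial "HDD-SERIAL-0001" for the physical drive behind the write blocker:

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

# Sub-folders the deck lists under "<Case Name>-<Evidence Item Number>".
SUBFOLDERS = ["Evidence/HDD1", "Evidence/HDD2", "Export", "Temp", "Index",
              "Drive Geometry", "Report", "Case Back-up"]


def evidence_tag(case_number, agency, hdd_serial):
    """Evidence tag in the deck's convention: case number, agency name, HDD serial."""
    return f"{case_number}-{agency} - {hdd_serial}"


def create_case_layout(destination, case_name, item_number):
    """Create the case folder and every standard sub-folder; return the case root."""
    root = os.path.join(destination, f"{case_name}-{item_number}")
    for sub in SUBFOLDERS:
        os.makedirs(os.path.join(root, sub), exist_ok=True)
    return root


def sha256_of_file(path, chunk_size=1 << 20):
    """Streamed SHA-256 of a file, so multi-hundred-GB images never sit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def acquire_image(source_path, image_path, chunk_size=1 << 20):
    """Stream the source (a block device behind a write blocker, here a file) into a
    raw image, hashing the source bytes as they are read, then re-hash the written
    image independently so a write or storage error cannot go unnoticed."""
    src_hash = hashlib.sha256()
    size = 0
    with open(source_path, "rb") as src, open(image_path, "wb") as dst:
        for chunk in iter(lambda: src.read(chunk_size), b""):
            src_hash.update(chunk)
            dst.write(chunk)
            size += len(chunk)
    return {
        "sha256_source": src_hash.hexdigest(),
        "sha256_image": sha256_of_file(image_path, chunk_size),
        "bytes": size,
    }


def run_acquisition(destination, case_number="01-2008-04", agency="Agency Name",
                    hdd_serial="HDD-SERIAL-0001", item_number="001"):
    """End to end: lay out the case folders, image a constructed 'physical drive' into
    Evidence/HDD1, verify the hashes and write an acquisition record into Report."""
    root = create_case_layout(destination, case_number, item_number)
    tag = evidence_tag(case_number, agency, hdd_serial)

    # Constructed stand-in for the physical drive (placeholder, not real evidence):
    # 5 MiB of a repeating byte pattern. On a real job this is the block device.
    source = os.path.join(destination, "fake-physical-drive.bin")
    with open(source, "wb") as f:
        f.write(bytes(range(256)) * (5 * 1024 * 4))

    image = os.path.join(root, "Evidence", "HDD1", f"{hdd_serial}.dd")
    result = acquire_image(source, image, chunk_size=64 * 1024)
    record = {
        "case_root": root,
        "evidence_tag": tag,
        "source": source,
        "image": image,
        "acquired_utc": datetime.now(timezone.utc).isoformat(),
        "verified": result["sha256_source"] == result["sha256_image"],
        **result,
    }
    with open(os.path.join(root, "Report", "acquisition.json"), "w") as f:
        json.dump(record, f, indent=2)
    record["subfolders_present"] = all(
        os.path.isdir(os.path.join(root, s)) for s in SUBFOLDERS)
    return record


def run_acquisition_in_tempdir():
    """Run the whole demo in a throwaway directory so it can be executed anywhere."""
    with tempfile.TemporaryDirectory() as tmp:
        return run_acquisition(tmp)


if __name__ == "__main__":
    print(json.dumps(run_acquisition_in_tempdir(), indent=2))
```

The two hashes in `acquisition.json` are what makes the "image admitted as evidence" argument on the later slide work: the source hash is computed from the bytes read through the write blocker, the image hash from what actually landed on the storage device, and any later reader can recompute the second one to show the image is unchanged since acquisition.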

Imaging

Remove the hard drive from the write block device. Reassemble the computer. Ensure evidence remains tagged.

Imaging

If court action is anticipated, preserve the original evidence if possible. If the original evidence cannot be preserved, NC Court Rules of Evidence allow for the image to be admitted as evidence.

Imaging

FTK can take a few days to process your image. During this time, we return to our normal audit work.

Examination/Analysis

• Run keyword searches (obtain the keywords from the client)
• Review corroborating evidence: emails, surveillance video, DVDs & CDs
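The keyword-search step, as an added example that is not the deck's own tooling (FTK builds an index for this; the code here is a minimal raw scan). It assumes Python and a constructed byte string standing in for a disk image, with invented keywords ("raleigh", "Supervisor", "per diem"). The point it adds is that Windows stores much text as UTF-16LE, so a search that only looks for ASCII bytes misses hits; each keyword is therefore searched in both encodings and every hit is reported with its byte offset:

```python
import re

# Constructed stand-in for a raw disk image (not real evidence): ASCII text,
# a UTF-16LE string with its byte-order mark, as Windows commonly stores text,
# and binary filler around them.
SAMPLE_IMAGE = (
    b"\x00" * 64
    + b"Subject: per diem for Raleigh trip 04/2008\r\n"
    + b"\xff\xfe" + "Approved by: Supervisor".encode("utf-16-le")
    + b"\x00" * 32
    + b"mileage 450 miles Raleigh\n"
    + b"\x90" * 16
)

ENCODINGS = ("ascii", "utf-16-le")


def compile_keyword_patterns(keywords):
    """One case-insensitive byte pattern per keyword and encoding (keywords are ASCII here)."""
    patterns = []
    for kw in keywords:
        for enc in ENCODINGS:
            patterns.append((kw, enc, re.compile(re.escape(kw.encode(enc)), re.IGNORECASE)))
    return patterns


def printable(raw: bytes) -> str:
    """Render bytes for a report: printable ASCII kept, everything else shown as '.'."""
    return "".join(chr(b) if 32 <= b < 127 else "." for b in raw)


def keyword_search(image: bytes, keywords, context: int = 16):
    """Scan the raw image for each keyword in ASCII and UTF-16LE; return hits by offset."""
    hits = []
    for kw, enc, pat in compile_keyword_patterns(keywords):
        for m in pat.finditer(image):
            hits.append({
                "offset": m.start(),
                "keyword": kw,
                "encoding": enc,
                "matched": m.group().decode(enc),
                "context": printable(image[max(0, m.start() - context):m.end() + context]),
            })
    hits.sort(key=lambda h: h["offset"])
    return hits


def hit_counts(hits):
    """Summary for the report: how many times each keyword appeared, per encoding."""
    counts = {}
    for h in hits:
        key = (h["keyword"], h["encoding"])
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    for h in keyword_search(SAMPLE_IMAGE, ["raleigh", "Supervisor", "per diem"]):
        print(f"{h['offset']:>8}  {h['encoding']:<9} {h['keyword']:<12} {h['context']}")
```

Run it over the real image file by replacing `SAMPLE_IMAGE` with the file's bytes (read in blocks with an overlap of at least the longest encoded keyword for large images); the offsets are what you carry into the report so a reviewer can open the image at the same location and confirm the hit in context.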

Forensic Report

The auditor will issue a report to appropriate personnel once the examination is completed.

Questions?