Technology in Forensic Accounting Investigation

Post on 08-Apr-2018


8/7/2019 Technology in Forensic Acoounting Investigation 1/12


Page 1 of 12




By: Mohamad Marulli, University of Wollongong, NSW Australia


1. Introduction

In today’s life, people are constantly in touch with digital equipment. While many areas of our lives benefit from this kind of technology, some areas are vulnerable to its negative effects. In terms of fraud, many perpetrators use digital equipment as a tool to help them commit fraud. Smith (2005, p 119) argues that “almost every financial fraud incorporates the use of computer and digital equipments…” Digital equipment such as computers also becomes a target of fraud. Volonino, Anzaldua and Godwin (2006, p 6) divide computer crimes into two categories: the computer as a target and the computer as a tool. Crimes against a computer include attacks on networks that cause them to crash, and unauthorized access to, or tampering with, information systems, programs, or data. In addition, digital evidence differs from ordinary documentary evidence. Digital evidence can easily and unintentionally be destroyed and made inadmissible as courtroom evidence by either the perpetrators or those who first find the evidence (Smith, 2005). So technology is essentially an enemy in terms of fraud from the auditor’s perspective.

Fortunately, like a double-edged sword, technology is also the auditors’ friend in uncovering fraud. Because a computer can be both a target and a tool in any fraud, data stored in a computer is ideal evidence for uncovering fraud. If auditors know the correct way to preserve, acquire and analyse data stored in a computer suspected of being a target of fraud or of being used as a tool in fraud, the data will become high-quality evidence in court. Pearson and Singleton (2008) argue that the need to obtain, manage and analyse digital evidence is critical for the success of future accounting professionals. Thus, the benefit of technology such as computers and other digital equipment outweighs its negative side. This article explains the evolution of the technology used in investigations, then reviews the tools commonly used in digital forensics by forensic accountants and evaluates the use of those tools.

2. The history of computer forensic in investigation

Sheetz (2007) states that in order to understand the evolution of technology used in forensic accounting investigation, we have to know the machines themselves. Sheetz (2007) divides the evolution of computers into three categories: sizes, languages and networks. The first computers built in the early 1950’s were housed in buildings dedicated solely to their operation (Sheetz 2007). Today we can see people walking down the street carrying their computers.

The second evolution category identified by Sheetz is programming language. The first computers could only perform the task they were dedicated to. Those computers were not programmable as computers are today. The first high level programming language used to communicate with computers was binary code: a series of 0s and 1s. The second layer of programming language was known as assembler language, which turned the binary code into human language. Based on this assembler language, an IBM employee created FORTRAN and the computer revolution began. Following FORTRAN, many languages that are much simpler than machine language were developed.

The last evolution of the computer is the internet. The idea of connecting computers began when the research facilities at the University of California at Los Angeles, the University of California at Santa Barbara, Stanford and the Utah University developed ARPANET (Advanced Research Projects Agency Network). From this humble network, the internet has grown to the scale that we see today. Connecting a computer to the internet for any reason, including exchange of information, e-commerce, or even defence, is a necessity in the world today.

Turning back to the technology used in fraud investigation, we can refer to audit technology. Elliot and Jacobson (1987) explain the evolution of EDP audit in the USA. According to them, EDP audit began in the 1960’s when the American Institute of Certified Public Accountants (AICPA) released a publication, Auditing and EDP. Later, the ideas of that book appeared in many auditing standards published by the AICPA. Elliot and Jacobson explain that at the earlier stage of EDP auditing, auditors used the ‘around the computer’ method. This method relied on user controls and on verifying output by its relationship to input. The next level was to use test data. In applying this technique, the auditor ran test data through the client’s computer and compared the independently calculated results to the results produced by the client’s computer. Generalized audit software soon became available and provided a simpler approach.

Pearson and Singleton (2008) state that the idea of digital forensics or computer forensics emerged in the middle of 1980 when the FBI implemented its Magnetic Media Program and performed only three examinations of computers. According to them, digital evidence was institutionalized in 1995 with the formation of the International Organization on Computer Evidence (IOCE). So computer forensics has actually developed only within the last 20 years.


3. Investigation tools


Forensic accountants conducting investigations in this internet era use many investigation tools, ranging from data mining software to data analysis software and sometimes the same tools that hackers use. Some of the tools used by forensic accountants are described here.

A. Helix

Helix3™ is “an internal tool to provide the ability to acquire forensically sound images of many types of hard drives and partitions on systems running unique setups such as RAID arrays” (Gleason & Fahey, 2006, p 9). Many products offer the capabilities that Helix has. However, Helix differs from many other imaging software products because it was developed on the basis of Knoppix (a variant of Linux), which is open source and free. At this time e-fense, Inc. promotes Helix3™ Pro to digital forensic examiners with a compulsory one-year forum membership for US$ 239. However, Helix3 2009R1, which is a beta version of Helix3 Pro, can be downloaded for free.

Helix can run in three different environments, Mac OS X, Windows and Linux, with one simple-to-use interface. Helix can be used either for live forensic imaging or as a forensically sound environment to boot any x86 system. Because turning off a suspect computer may destroy evidence, many digital forensic examiners do so with extra care. Before booting a suspect computer, the best way to turn the computer off is to unplug the power, because when we press the shutdown button the computer is shut down systematically by software. The bootable Helix actually runs on the Linux side. Once Helix has finished the boot process, X Windows will automatically start and present the Helix desktop. By default Helix sets all devices in the target computer as read only, so they cannot be easily modified, even by Helix itself.

Another way of using Helix is live Helix. This is the best method for acquiring a disk image from a system that cannot be turned off or taken offline for an extended period of time. To use Helix, you should first read the warning. As has been pointed out several times in the manual, using Helix in a live environment will make changes to the system – that is one of the inherent risks in a live-response situation. But remember, just inserting this CD has modified the system – even just leaving the system turned on is modifying the system. So you need to make your decision, and when ready, press the “I Agree” button to continue. Once the user accepts the agreement, the main screen will appear.

Figure 1 Helix desktop in Linux

Figure 2 Helix desktop live in Windows

The applications that Helix offers are the same in the bootable method and the live method. Helix offers six main options to examine the system under investigation (Gleason & Fahey, 2006). These options are described below:

1. Preview System Information

This option provides basic information about the system such as operating system version, network information, owner information, and a summary of the drives on the

2. Acquire a “live” image of a System using dd

This option allows the investigator to make exact copies of hard drives, floppy disks, or memory, and store them on local removable media, or over a network.

3. Incident Response tools for Operating Systems

This option provides access to 20 tools, all of which can be run directly from the CDROM. Once you click the icon, a small triangle will appear next to the icon. Clicking on this small triangle will provide access to the other pages of tools.

4. Documents pertaining to Incident Response, Computer Forensics, Computer Security & Computer Crime

This option provides the user with access to some common reference documents in PDF format. The documents include a chain of custody form, preservation of digital evidence information, a Linux forensics guide for beginners, and a forensic examination for digital evidence guide. These documents are highly recommended, and the investigator should review them before attempting any forensic examination.

5. Browse contents of the CD-ROM and Host OS

This is a simple file browser that provides the investigator with information about the selected file. It displays the filename, the created, accessed and modified dates, attributes, CRC, MD5 and the file size.

6. Scan for Pictures from a system

This tool allows the investigator to quickly scan the system to see if there are any suspect graphic images on the suspect system. Many different graphic formats are recognized and displayed as thumbnails.

Helix’s legitimacy for preparing and managing digital evidence for court is recognized by many digital forensic examiners and law enforcement bodies. Gleason and Fahey (2006) claim that many government agencies and members of the law enforcement community across the globe, including the Indonesian Taxation Office, have turned to Helix as their forensic acquisition standard due to its functionality and cost effectiveness. Although Helix will make changes to the system in a live environment, forensic accountants may use other tools to compensate for Helix’s weaknesses and make digital evidence admissible in court.

B. ACL Desktop

Audit Command Language (ACL) is developed by ACL Service Ltd. Foundation of ACL concepts and practices (2006, p 2) defines ACL as a tool to read and analyse types of files scattered across numerous databases on different platforms. ACL Service Ltd claims that ACL provides immediate visibility into transactional data critical to your organization, enabling you to: analyse entire data populations for complete assurance; identify trends, pinpoint exceptions and highlight potential areas of concern; locate errors and potential fraud; identify control issues and ensure compliance with organizational and regulatory standards; age and analyse financial or any other time sensitive transactions; and cleanse and normalize data to ensure consistency and accurate results. In generic terms, ACL is Generalized Audit Software (GAS).

ACL maintains data integrity by using read-only access to all the data it accesses, so the source data is never changed, altered or deleted. Mason (2007) explains that rule 901 of the US Federal Rules of Evidence requires that evidence submitted in court be authentic. Mason (2007) further states that data integrity is one of six factors that prove the authenticity of evidence.

ACL features built-in analysis commands, so no programming language is needed. In addition, to automate analytical procedures, ACL provides scripting for auditors who want more customized, programmable commands.

One of the analysis commands in ACL is Benford’s Law analysis. In auditing, especially in fraud detection, Benford’s Law is commonly used as an analysis tool by many auditors, including internal, external and governmental auditors (Cleary & Thibodeau 2005). ACL applies Benford’s Law analysis on a digit-by-digit basis and not on the test-by-test basis that statisticians use (Cleary & Thibodeau 2005). As a result, according to Cleary and Thibodeau (2005), auditors who want to rely on this analysis should understand that using a digit-by-digit basis in Benford’s Law, as ACL does, might increase the chances of finding actual fraudulent entries.

Figure 3 ACL Desktop

Figure 4 Benford's Law graph in ACL
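The difference between a digit-by-digit test and a single overall test, worked through on constructed data as an added example; this is not ACL's code or output, and the ledger amounts, the 5,000 approval limit and all function names are assumptions made for the illustration.

```python
import math
from collections import Counter

# Expected first-digit frequencies under Benford's Law: P(d) = log10(1 + 1/d).
BENFORD = {d: math.log10(1 + 1 / d) for d in range(1, 10)}
Z_CRIT = 1.96        # two-sided 5% critical value for a single digit's z-test
CHI2_CRIT = 15.507   # 5% critical value of chi-square with 8 degrees of freedom


def first_digit(amount):
    """Leading non-zero digit of a non-zero amount (sign and scale ignored)."""
    return int(f"{abs(amount):.10e}"[0])


def benford_report(amounts):
    """Compare first digits with Benford's Law, digit by digit and overall."""
    digits = [first_digit(a) for a in amounts if a != 0]
    n = len(digits)
    if n == 0:
        raise ValueError("no non-zero amounts to analyse")
    counts = Counter(digits)
    z_scores, chi2 = {}, 0.0
    for d, p in BENFORD.items():
        observed = counts.get(d, 0)
        # Digit-by-digit: z-statistic for this digit's proportion, with the
        # usual 1/(2n) continuity correction when it is smaller than the gap.
        gap = abs(observed / n - p)
        if gap > 1 / (2 * n):
            gap -= 1 / (2 * n)
        z_scores[d] = gap / math.sqrt(p * (1 - p) / n)
        # Overall: each digit contributes one term to a single chi-square.
        chi2 += (observed - n * p) ** 2 / (n * p)
    return {
        "n": n,
        "z_scores": z_scores,
        "flagged_digits": [d for d, z in z_scores.items() if z > Z_CRIT],
        "chi2": chi2,
        "chi2_rejects": chi2 > CHI2_CRIT,
    }


def constructed_ledger(padded_entries):
    """Constructed sample: 900 Benford-like amounts plus padded entries.

    The baseline is spread evenly on a log scale from 10 to 10,000, which
    follows Benford's Law closely. The padded entries sit just under a
    hypothetical 5,000 approval limit (between 4,900 and 4,999).
    """
    baseline = [10 ** (1 + i / 300) for i in range(900)]
    padded = [4900 + k % 100 for k in range(padded_entries)]
    return baseline + padded


if __name__ == "__main__":
    for extra in (0, 25, 60):
        r = benford_report(constructed_ledger(extra))
        print(f"{extra:>2} padded: flagged digits {r['flagged_digits']}, "
              f"chi2 {r['chi2']:.1f}, overall test rejects: {r['chi2_rejects']}")
```

With 25 padded entries the digit-4 test flags the cluster while the single chi-square test over all nine digits does not reject. Running nine separate tests also raises the chance of a false flag on clean data, the type I error named in the title of Cleary and Thibodeau's paper.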

At this time the newest version of ACL is ACL Desktop ver. 9.1, and its new improvement is that it can read and analyse PDF files. However, despite ACL’s powerful functions, it is quite expensive. In Indonesia, the ACL Desktop retail price is US$3,000 for two users, including a one-year subscription to ACL support.

C. UltraBlock 

UltraBlock is a brand name for forensic write blocker hardware. The purpose of this hardware is to prevent digital forensic accountants from modifying the data that they access. It is very important for digital forensic accountants to ensure that data submitted to a court as evidence remains authentic. Therefore, when they access and analyse the evidence they have to be very careful not to modify, change or alter the data. UltraBlock is compatible with all leading imaging software applications, including Helix and EnCase.

Digital Intelligence offers UltraBlock both as one full kit (UltraKitIII) and as separate devices. The UltraKit retail price ranges from about US$1,369 to US$1,599 (plus FireWire). UltraKitIII consists of four main products and their accessories. Those main products can be bought separately. The four main products are the UltraBlock eSATA IDE-SATA Write Blocker, UltraBlock SCSI, UltraBlock USB and UltraBlock Forensic Card Reader.


Figure 5 UltraBlock Family   

The UltraBlock eSATA IDE-SATA is an eSATA/FireWire/USB to Parallel IDE / SATA Bridge Board with Forensic Write Protection. By connecting a suspect drive to the UltraBlock IDE-SATA, a digital forensic accountant can be assured that no writes, modifications, or alterations can occur to the attached drive. The UltraBlock SCSI is used to acquire data from a SCSI hard drive in a forensically sound write-protected environment. The combination of those two devices lets forensic accountants forensically access and analyse all hard drives available in the market today. The UltraBlock Forensic USB Write Blocker brings secure, hardware-based write blocking to the world of USB mass storage devices, and the UltraBlock Forensic Card Reader can be used for writing and the forensic acquisition of information found on multimedia and memory cards. All those devices are set to ‘Read Only’ by default, but when necessary forensic accountants can configure them to ‘Read Write’ for testing or validation purposes.

D. Advance Hash Calculator

Maintaining the integrity of evidence is one of the most important concerns for forensic accountants. Once the integrity of evidence is questionable, the evidence loses its power in court. In the worst case, admission of the evidence will be rejected by the court. One method that can be used to maintain data integrity in digital forensics is the use of hash values. The common hash algorithms are MD5 and SHA-1. Programs for computing these hash values are included in forensic imaging software such as Helix and EnCase. However, Advance Hash Calculator offers more than MD5 and SHA-1 for calculating hash values.

Advance Hash Calculator, developed by Filesland, supports the CRC32, GOSThash, MD2, MD4, MD5, SHA-1, SHA2-256, SHA2-384 and SHA2-512 hash algorithms. Although MD5 and SHA-1 are the common hashing methods, both of them are very vulnerable to collisions. Wang and Yu (2005) proved that it is not difficult to break the MD5 and SHA-1 hash functions. The US Department of Commerce announced that all federal government agencies in the US are to use the SHA-2 family after 2010. Therefore, by using Advance Hash Calculator, forensic accountants can maintain data integrity more securely without worrying about any collision.

Figure 6 Advance Hash Calculator

Figure 7 Advance Hash Calculator's Hash Type


E. Passware Kit Forensic

Passware Kit Forensic is an evidence discovery tool that reports all password-protected items on a computer and gains access to these items using the fastest decryption and password recovery algorithms. Passware can recover many passwords in all files, including difficult and strong passwords. Passware Kit Forensic includes a Portable version that runs from a USB drive and finds encrypted files and recovers file and website passwords without modifying files or settings on the host computer. Passware Kit Forensic is also able to decrypt BitLocker and TrueCrypt hard disks. Passware Kit Forensic is suitable for forensic purposes and maintains the authenticity of evidence.

The main weakness of Passware is that its basic methods, such as Dictionary, Xieve, Brute-force and Known Password/Previous Passwords, apply only to English passwords. If the password is set in a language other than English, Passware needs a long time to recover it, unless the forensic accountant has enough knowledge of encryption to modify the method through the new attacks editor function. Another weakness is that this tool is quite expensive. Passware Kit Forensic is offered for US$795 for a single user.

Figure 8 Passware Kit Forensic 9.7


4. Evaluation of Digital Forensic Tools

McKemmish (1999) defines digital forensics as the “process of identifying, preserving, analyzing, and presenting digital evidence in a manner that is legally acceptable” (cited in Lim 2008, p 7). So forensic accountants who want to discover fraud in a digital environment must comply with the rules of evidence in order to make digital evidence admissible in court. IOCE (2002, p 11) states the general principles regarding digital evidence as follows: a) The general rules of evidence should be applied to all digital evidence; b) Upon seizing digital evidence, actions taken should not change that evidence; c) When it is necessary for a person to access original digital evidence that person should be suitably trained for the purpose; d) All activity relating to the seizure, access, storage or transfer of digital evidence must be fully documented, preserved and available for review; and e) An individual is responsible for all actions taken with respect to digital evidence whilst the digital evidence is in their possession. This guidance will help the forensic accounting profession to identify, analyse and present digital evidence that is admissible in court.

The investigation tools described above may help forensic accountants to detect, deter and resolve fraud faster. Golden, Skalak and Clayton (2006) state that handling digital evidence requires establishing a chain of custody, as with documentary evidence. Golden, Skalak and Clayton (2006) further propose ways to establish the chain of custody: keeping documentation on all procedures and/or applications performed on the digital evidence, storing the electronic media in a secure location, making a bit-by-bit image copy of the hard drive rather than a file system copy, analysing the copy rather than the original, and using forensic software to prove the integrity of the original contents. Most forensic tools used by forensic accountants can maintain data integrity, so the authenticity of evidence can be protected. Authentic evidence is admissible in court, and that is the goal of a forensic accounting engagement.
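The custody steps listed above (bit-by-bit copy, work on the copy, prove integrity with hashes, document every action) and the MD5/SHA-1 versus SHA-2 point from the Advance Hash Calculator section, shown together as an added example. It is not the code of Helix, EnCase or Advance Hash Calculator; the file names, the examiner ID and the JSON log format are assumptions, and a constructed file stands in for the suspect drive.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

ALGORITHMS = ("md5", "sha1", "sha256")   # legacy digests plus a SHA-2 digest
CHUNK = 1024 * 1024                      # read 1 MiB at a time


def hash_file(path):
    """Hash a file once, feeding every algorithm from the same chunks."""
    hashers = {name: hashlib.new(name) for name in ALGORITHMS}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def log_event(log_path, **fields):
    """Append one JSON line to the custody log and return the record."""
    record = {"utc": datetime.now(timezone.utc).isoformat(), **fields}
    with open(log_path, "a", encoding="utf-8") as log:
        log.write(json.dumps(record, sort_keys=True) + "\n")
    return record


def acquire_image(source, image, log_path, examiner):
    """Copy source to image byte for byte and record digests of both."""
    with open(source, "rb") as src, open(image, "xb") as dst:  # never overwrite
        for chunk in iter(lambda: src.read(CHUNK), b""):
            dst.write(chunk)
    source_digests = hash_file(source)
    return log_event(log_path, action="acquire", examiner=examiner,
                     source=source, image=image,
                     size=os.path.getsize(image), digests=source_digests,
                     verified=hash_file(image) == source_digests)


def verify_copy(path, acquired, log_path, examiner):
    """Re-hash a working copy against the SHA-256 recorded at acquisition."""
    match = hash_file(path)["sha256"] == acquired["digests"]["sha256"]
    log_event(log_path, action="verify", examiner=examiner,
              path=path, sha256_match=match)
    return match


def demo():
    """Constructed run: acquire, verify, then alter one byte and re-verify."""
    with tempfile.TemporaryDirectory() as work:
        source = os.path.join(work, "suspect.bin")   # stands in for a drive
        image = os.path.join(work, "suspect.img")
        log_path = os.path.join(work, "custody.jsonl")
        with open(source, "wb") as fh:
            fh.write(b"constructed ledger export\n" * 4096)
        acquired = acquire_image(source, image, log_path, "examiner-01")
        intact = verify_copy(image, acquired, log_path, "examiner-01")
        with open(image, "r+b") as fh:               # simulate one altered byte
            fh.seek(100)
            byte = fh.read(1)
            fh.seek(100)
            fh.write(bytes([byte[0] ^ 0x01]))
        altered = verify_copy(image, acquired, log_path, "examiner-01")
        with open(log_path, encoding="utf-8") as log:
            entries = [json.loads(line) for line in log]
    return acquired["verified"], intact, altered, len(entries)


if __name__ == "__main__":
    print(demo())   # (True, True, False, 3)
```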

However, there are some considerations that forensic accountants should keep in mind before using technology in an investigation. Golden, Skalak and Clayton (2006, pp. 387-388) describe eight considerations for gathering digital evidence:

1. The computer is not a substitute for forensic accounting judgement and experience. It cannot replace document reviews, interviews and follow up steps.

2. If possible, data should be gathered at the outset of the engagement and prior to the initial field visit.

3. Data obtained should be checked for accuracy and completeness, because an incorrect or incomplete data set may lead to premature and incorrect conclusions.

4. The complexity of the tools used should be commensurate with the size and complexity of the engagement.

5. Some forensic accounting investigators may place too much reliance on the tool itself.

6. Ensure that planned procedures are allowed from a legal perspective and that any evidence gathered may be used for legal purposes if required.

7. Data collection across national boundaries must be done with proper legal advice about the export of data or about the type of data being collected.

8. Proper computer forensic techniques must be used to avoid inadvertently altering


Keeping these pitfalls in mind will help forensic accountants avoid the more common mistakes and ensure that the evidence found is admissible in court.


5. Conclusion

Technology has two sides: it can be harmful in the hands of criminals and useful in the hands of the right people. Forensic accounting investigators receive many benefits from the technology used in an investigation. Benefits such as efficiency, the ability to handle large volumes of data to ensure complete assurance, and the ability to maintain the integrity of data are easily provided by technology. However, the technology demands highly skilled people to optimize its power. In addition, some considerations about using technology in gathering digital evidence should be noted. We can build a house with a hammer, but we cannot build a house using just a hammer. The same is true in the field of digital forensics. Before forensic accountants examine any system, they need to make sure that they have permission to examine that system. Forensic accountants need to know the legal aspects of the collection, documentation, and preservation of digital evidence.



























ACL Service Ltd. 2010, ACL Desktop edition, accessed 22-05-2010

Cleary, R & Thibodeau, JC 2005, “Applying digital analysis using Benford's Law to detect fraud: the dangers of type I error”, Auditing: a journal of practice and theory, Vol. 24, No. 1, pp. 77-81, accessed 21-05-2010, ProQuest database

Digital Intelligence 2010, Forensic Write Blocker, accessed 22-05-2010

Elliot, RK & Jacobson PD 1987, “Audit technology: a heritage and promise”, Journal of accountancy, Vol. 163, No. 5, pp. 198-217, accessed 18-05-2010, ProQuest database

e-fense 2010, Don't let your company data walk out the door!, accessed 20-04-2010

Filesland 2010, Advance Hash Calculator, accessed 20-04-2010

Foundation of ACL concepts and practices 2006, ACL certified training material, ACL Service Ltd., Vancouver, Canada

Gleason, BJ & Fahey, D 2006, Helix 1.7 for beginners: manual version 2006.03.07, manual

Golden, T W, Skalak, SL & Clayton, MM 2006, A Guide to forensic accounting investigation, John Wiley & Sons, Hoboken, New Jersey

IOCE 2002, Guidelines for best practice in the forensic examination of digital technology, Guidelines, IOCE, accessed 23-05-2010

Lim, N 2008, Digital forensic certification versus Forensic science certification: Proceedings of the Conference on Digital Forensics, Security and Law, January 1, pp. 1-13, accessed 21-05-2010, ProQuest database

Mason, S 2007, “Authentic digital records: laying the foundation for evidence”, Information management journal, Vol. 41, No. 5, pp. 32-40, accessed 21-05-2010, ProQuest

Passware Inc. 2010, Passware Kit Forensic 9.7, accessed 25-04-2010

Pearson, TA & Singleton, TW 2008, “Fraud and forensic accounting in the digital environment”, Issues in accounting education, Vol. 23, No. 4, pp. 545-559, accessed 9-04-2010, pdffiles1/nij/grants/217589.pdf

Smith, GS 2005, “Computer forensics: helping to achieve the auditor’s fraud mission?”, Journal of forensic accounting, Vol. VI, No. 1, pp. 119-134, accessed 29-04-2010

Sheetz, M 2007, Computer forensics: an essential guide for accountants, lawyers, and managers, John Wiley & Sons, Hoboken, New Jersey

Volonino, L, Anzaldua, R & Godwin, J 2007, Computer forensics principles and practices, Prentice Education, Upper Saddle River, New Jersey

Wang, X & Yu, H 2005, “How to break MD5 and other hash functions”, unpublished paper USC, Los Angeles, accessed 22-05-2010
