Grover Kearns, PhD, CPA, CFE Computer Forensics for Accountants Class 2 Summer 2013.


Grover Kearns, PhD, CPA, CFE

Computer Forensics for Accountants Class 2

Summer 2013


Laptop Security Tips

- Treat it like cash.
- Get it out of the car...don’t ever leave it behind.
- Keep it locked...use a security cable.
- Keep it off the floor...or at least between your feet.
- Keep passwords separate...not near the laptop or case.
- Don’t leave it “for just a sec”...no matter where you are.
- Pay attention in airports...especially at security.


Importance of IT Forensic Techniques to Organizations

The New Corporate Environment
- Sarbanes-Oxley 2002
- SAS 78, 80, 94, 99
- COSO and COBIT
- ISO 9000 and ISO 17799
- Gramm-Leach-Bliley Act
- US Foreign Corrupt Practices Act

…all of these have altered the corporate environment and made forensic techniques a necessity!


Importance of IT Forensic Techniques to Auditors

SAS 99

SAS No. 99 - Consideration of Fraud in a Financial Statement Audit - requires auditors to …
- Understand fraud
- Gather evidence about the existence of fraud
- Identify and respond to fraud risks
- Document and communicate findings
- Incorporate a technology focus


Importance of IT Forensic Techniques to Auditors
- Majority of fraud is uncovered by chance
- Auditors often do not look for fraud
- Prosecution requires evidence
- Value of IT assets growing

Treadway Commission Study … Undetected fraud was a factor in one-half of the 450 lawsuits against independent auditors.


Digital Crime Scene Investigation

Digital Forensic Investigation

A process that uses science and technology to examine digital objects and that develops and tests theories, which can be entered into a court of law, to answer questions about events that occurred.

IT Forensic Techniques are used to capture and analyze electronic data and develop theories.


Audit Goals of a Forensic Investigation
- Uncover fraudulent or criminal cyber activity
- Isolate evidentiary matter (freeze scene)
- Document the scene
- Create a chain-of-custody for evidence
- Reconstruct events and analyze digital information
- Communicate results


Audit Goals of a Forensic Investigation

Immediate Response
- Shut down computer (pull plug)
- Bit-stream mirror-image of data
- Begin a traceback to identify possible log locations
- Contact system administrators on intermediate sites to request log preservation
- Contain damage and stop loss
- Collect local logs
- Begin documentation


Audit Goals of a Forensic Investigation

Continuing Investigation
- Implement measures to stop further loss
- Communicate to management and audit committee regularly
- Analyze copy of digital files
- Ascertain level and nature of loss
- Identify perpetrator(s)
- Develop theories about motives
- Maintain chain-of-custody


Disk Geometry

[Figure labels: Track, Sector, Cylinder. Clusters are groups of sectors.]


Slack Space

[Figure labels: End of File, Slack Space, Last Cluster in a File]


Data Recovery

File Recovery with PC Inspector


Data Eradication

Securely Erasing Files


Data Integrity

MD5
- Message Digest – a hashing algorithm used to generate a checksum
- Available online as freeware
- Any changes to file will change the checksum

Use:
- Generate MD5 of system or critical files regularly
- Keep checksums in a secure place to compare against later if integrity is questioned
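The baseline-and-compare use described on this slide, as an added Python example that is not part of the lecture. It records MD5 as the slide does and SHA-256 alongside it, because MD5 collisions can be constructed deliberately; the file names, contents and function names are constructed for illustration.

```python
import hashlib
import os
import tempfile


def file_digests(path, chunk=1 << 20):
    """Stream a file once and return its MD5 and SHA-256 hex digests."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            md5.update(block)
            sha256.update(block)
    return {"md5": md5.hexdigest(), "sha256": sha256.hexdigest()}


def build_baseline(paths):
    """Checksum manifest, to be kept away from the monitored system."""
    return {p: file_digests(p) for p in paths}


def verify(baseline):
    """Re-hash every baselined file; return {path: status}."""
    report = {}
    for path, recorded in baseline.items():
        if not os.path.exists(path):
            report[path] = "missing"
        elif file_digests(path) == recorded:
            report[path] = "unchanged"
        else:
            report[path] = "modified"
    return report


def demo():
    """Constructed sample files: one altered by a single byte, one deleted."""
    with tempfile.TemporaryDirectory() as d:
        samples = {"ledger.csv": b"inv,amount\n1001,250.00\n",
                   "app.cfg": b"audit=on\n", "notes.txt": b"Q2 close\n"}
        paths = {name: os.path.join(d, name) for name in samples}
        for name, data in samples.items():
            with open(paths[name], "wb") as fh:
                fh.write(data)
        baseline = build_baseline(paths.values())
        with open(paths["ledger.csv"], "r+b") as fh:
            fh.seek(16)              # offset of the "2" in 250.00
            fh.write(b"9")           # 250.00 becomes 950.00
        os.remove(paths["notes.txt"])
        return {os.path.basename(p): s for p, s in verify(baseline).items()}
```

Calling `demo()` shows that a one-byte edit changes both digests, while an untouched file still matches its baseline entry.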


Data Integrity

MD5 Using HashCalc


Data Integrity

HandyBits EasyCrypto


Audit Command Language (ACL)

ACL is the market leader in computer-assisted audit technology and is an established forensics tool.

Clientele includes …
- 70 percent of the Fortune 500 companies
- over two-thirds of the Global 500
- the Big Four public accounting firms


Forensic Tools

Audit Command Language

ACL is a computer data extraction and analytical audit tool with audit capabilities …
- Statistics
- Duplicates and Gaps
- Stratify and Classify
- Sampling
- Benford Analysis


Forensic Tools: ACL

Benford Analysis
- States that the leading digit in some numerical series follows an exponential distribution
- Applies to a wide variety of figures: financial results, electricity bills, street addresses, stock prices, population numbers, death rates, lengths of rivers

Leading Digit   Probability
1               30.1 %
2               17.6 %
3               12.5 %
4               9.7 %
5               7.9 %
6               6.7 %
7               5.8 %
8               5.1 %
9               4.6 %


Practical applications for Benford's law and digital analysis
- Accounts payable data.
- Estimations in the general ledger.
- The relative size of inventory unit prices among locations.
- Duplicate payments.
- Computer system conversion (for example, old to new system; accounts receivable files).
- Processing inefficiencies due to high quantity/low dollar transactions.
- New combinations of selling prices.
- Customer refunds.
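An added Python example (not from the lecture) of the first-digit test applied to payment amounts, covering both the Benford probability table and the accounts payable application listed above. The expected frequencies come from P(d) = log10(1 + 1/d), which reproduces the table's percentages; the ledger data, the 5,000 approval limit and the function names are constructed for illustration.

```python
import math
from collections import Counter

# Expected first-digit frequencies; these match the slide's table (30.1 %, 17.6 %, ...).
BENFORD = {d: math.log10(1 + 1 / d) for d in range(1, 10)}
CHI2_CRIT_8DF_05 = 15.507  # chi-square critical value, 8 degrees of freedom, alpha = 0.05


def leading_digit(amount):
    """First significant digit of a non-zero amount (sign and scale ignored)."""
    return int(f"{abs(amount):.15e}"[0])   # scientific notation starts with that digit


def benford_test(amounts):
    """Return (chi2, rows) where rows are (digit, observed, expected) counts."""
    digits = [leading_digit(a) for a in amounts if a]   # zero has no leading digit
    n, counts = len(digits), Counter(digits)
    rows, chi2 = [], 0.0
    for d in range(1, 10):
        expected = n * BENFORD[d]
        observed = counts.get(d, 0)
        chi2 += (observed - expected) ** 2 / expected
        rows.append((d, observed, round(expected, 1)))
    return chi2, rows


def most_overrepresented(rows):
    """Digit with the largest excess of observed over expected count."""
    return max(rows, key=lambda r: r[1] - r[2])[0]


# Constructed sample data: a geometric series, which follows Benford closely,
# standing in for an accounts payable ledger.
ledger = [round(12.5 * 1.013 ** k, 2) for k in range(900)]
# Constructed anomaly: 120 payments just under a hypothetical 5,000 approval limit.
padded = ledger + [4900 + (k * 7) % 100 for k in range(120)]

if __name__ == "__main__":
    for name, data in (("ledger", ledger), ("padded", padded)):
        chi2, rows = benford_test(data)
        verdict = "review" if chi2 > CHI2_CRIT_8DF_05 else "consistent"
        print(f"{name}: chi2={chi2:.1f} ({verdict}), excess digit={most_overrepresented(rows)}")
```

A statistic above the critical value is a reason to pull the transactions behind the over-represented digit for review, not proof of fraud.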


Background Checks


Developing a Forensic Protocol

The response plan must include a coordinated effort that integrates a number of organizational areas and possibly external areas

Response to fraud events must have top priority

Key players must exist at all major organizational locations

[Diagram labels: People, Technology, Policies, Processes]


A Forensic Protocol

Security Exposures

Organizations may possess critical technology skills but …

Skills are locked in towers – IT, Security, Accounting, Auditing

Skills are centralized while fraud events can be decentralized

Skills are absent – vacations, illnesses, etc


A Forensic Protocol

The Role of Policies

- They define the actions you can take
- They must be clear and simple to understand
- The employee must acknowledge that he or she read them, understands them and will comply with them
- They can’t violate law


A Forensic Protocol

Forensic Response Control

Incident Response Planning …
- Identify needs and objectives
- Identify resources
- Create policies, procedures
- Create a forensic protocol
- Acquire needed skills
- Train
- Monitor


A Forensic Protocol

Documenting the Scene
- Note time, date, persons present
- Photograph and video the scene
- Draw a layout of the scene
- Search for notes (passwords) that might be useful
- If possible freeze the system such that the current memory, swap files, and even CPU registers are saved or documented


A Forensic Protocol

Forensic Protocol
- First responder triggers alert
- Team response
  - Freeze scene
  - Begin documentation
- Auditors begin analysis
- Protect chain-of-custody
- Reconstruct events and develop theories
- Communicate results of analysis


A Forensic Protocol

Protocol Summary
- Ensure appropriate policies
- Preserve the crime scene (victim computer)
- Act immediately to identify and preserve logs on intermediate systems
- Conduct your investigation
- Obtain subpoenas or contact law enforcement if necessary

Key: Coordination between functional areas


Conclusion

Computer Forensic Skills Can …
- Decrease occurrence of fraud
- Increase the difficulty of committing fraud
- Improve fraud detection methods
- Reduce total fraud losses

Auditors trained in these skills are more valuable to the organization!


Preventing Internal Attacks: Common Sense Measures
- Notify employees that their use of the company's personal computers, computer networks, and Internet connections will be monitored. Then do it.
- Limit physical access to computers - imposition of passwords; magnetic card readers; and biometrics, which verifies the user's identity through matching patterns in hand geometry, signature or keystroke dynamics, neural networks (the pattern of nerves in the face), DNA fingerprinting, retinal imaging, or voice recognition. More traditional site control methods such as sign-in logs and security badges can also be useful.
- Classify information based on its importance, assigning security clearances to employees as needed.
- Eliminate nonessential modems that could be used to transmit information.
- Monitor activities of employees who keep odd hours at the office.
- Include extensive background checks in the company's hiring process, especially in cases where the employee would be handling sensitive information.
- Stress the importance of confidential passwords to employees.


Preventing External Attacks: Common Sense Measures
- Install and use anti-virus software programs that scan PCs, computer networks, CDROMs, tape drives, diskettes, and Internet material, and destroy viruses when found.
- Update anti-virus programs on a regular basis.
- Ensure that all individual computers are equipped with anti-virus programs.
- Remove administrative rights from employees.
- Make sure that the company has a regular policy of backing up (copying) important files and storing them in a safe place, so that the impact of corrupted files is minimized.


The CERT Web site posts the latest security alerts and also provides security-related documents, tools, and training seminars.

CERT offers 24-hour technical assistance in the event of Internet security breaches.


Malicious Internet Programs

Virus – Program that attaches itself to other programs and infects them.

Trojan – Disguised as legitimate program but designed to take control of computer. Can be used to attack other computers (zombies).

Worm – Network aware virus that replicates using file sharing or e-mail.

Over 115,000 known viruses, trojans, and worms. 70% of all e-mail traffic is SPAM!


Spyware

Programs used to gather information about you and relay it to an Internet advertising company for resale.

Browser cookies can be used to track your activity.

Gathering practices and use of personal information generally not clear during web site usage or program installation.


http://www.vtinfragard.org/vtinfosafe/InformationResources.html


Questions or Comments?