Practical Application of Computer Forensics
Lisa Outlaw, CISA, CISSP, CRMA

Transcript of Practical Application of Computer Forensics, Lisa Outlaw, CISA, CISSP, CRMA.

Page 1:

Practical Application of Computer Forensics

Lisa Outlaw, CISA, CISSP, CRMA

Page 2:

Overview

Definition of Computer Forensics
Computer Forensics & Auditing
Why We Need Computer Forensics
The Process (Do’s & Don’ts)
- Identification
- Collection of Evidence
- Required Documentation
- Imaging
- Examination
- Report Preparation
- Returning of Evidence

Page 3:

Definition of Computer Forensics

Computer forensics involves the:
- Identification
- Collection
- Preservation
- Examination, and
- Analysis of digital information

Digital information becomes digital evidence.

Page 4:

What is Digital Evidence?

Digital evidence is any information of value that is either stored or transmitted in a binary form, including digital audio, image, and video.

Page 5:

Computer Forensic Examination

The computer forensic examination is: locating digital evidence that can withstand close scrutiny or a legal challenge.

Page 6:

Computer Forensics & Auditing

Computer forensics can support your audit and investigation objectives:
- An effective system of internal controls;
- Reliability of financial reporting;
- Compliance with federal and state laws;
- Detection of fraud, waste, and abuse

Page 7:

Audit of Travel Expenses

Planning Phase
- Used an audit program customized to my specific environment and the risks assessed
- Gained access to travel expense data and appropriate analysis tools, such as ACL

Gain an Understanding
- Gain an understanding of the business processes, including procedures for approving, recording and reimbursing expenses

Page 8:

Audit of Travel Expenses

Considered Red Flags (Risk Assessment)
- Most frequent travelers
- Falsified or manipulated receipts
- Claims for meals or mileage only
- Inflated mileage totals on personal car usage

Page 9:

Audit of Travel Expenses

You select the most frequently reimbursed employee by summarizing the travel expenses.

You then obtain supporting evidence to determine if the travel actually occurred, is overstated or understated, accurate, classified correctly in the financial statements, etc.
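As an added illustration of the summarization step on this slide (not part of the original talk, and not ACL), here is a small Python routine over constructed claim records: it picks the most frequently reimbursed employee and applies the red flags listed on slide 8. The record layout, the receipted-category set and the 3x-median mileage threshold are assumptions made for the example.

```python
from collections import defaultdict
from statistics import median

# Constructed sample reimbursement claims (not real data):
# (employee_id, trip_id, expense_category, amount_usd, miles_claimed)
CLAIMS = [
    ("E100", "T1", "lodging", 420.00, 0),
    ("E100", "T1", "meals", 85.00, 0),
    ("E100", "T2", "meals", 90.00, 0),
    ("E100", "T3", "mileage", 610.00, 1050),
    ("E100", "T4", "meals", 88.00, 0),
    ("E100", "T5", "mileage", 95.00, 160),
    ("E200", "T6", "lodging", 380.00, 0),
    ("E200", "T6", "meals", 60.00, 0),
    ("E300", "T7", "mileage", 70.00, 120),
    ("E300", "T7", "lodging", 300.00, 0),
    ("E400", "T8", "mileage", 58.00, 100),
    ("E400", "T8", "lodging", 250.00, 0),
    ("E400", "T9", "mileage", 81.00, 140),
    ("E400", "T9", "meals", 40.00, 0),
]
# Categories backed by a third-party receipt (assumed set); a trip made up
# only of meals and/or mileage has nothing external corroborating the travel.
RECEIPTED = {"lodging", "airfare"}


def summarize(claims):
    """Per employee: number of distinct trips and total amount reimbursed."""
    trips, totals = defaultdict(set), defaultdict(float)
    for emp, trip, _cat, amount, _miles in claims:
        trips[emp].add(trip)
        totals[emp] += amount
    return {e: {"trips": len(trips[e]), "total": round(totals[e], 2)} for e in trips}


def most_frequent_traveler(claims):
    """The employee with the most reimbursed trips: the first file to pull."""
    summary = summarize(claims)
    return max(summary, key=lambda e: summary[e]["trips"])


def unreceipted_trips(claims):
    """(employee, trip) pairs whose claims are meals and/or mileage only."""
    cats = defaultdict(set)
    for emp, trip, cat, _amount, _miles in claims:
        cats[(emp, trip)].add(cat)
    return [key for key, seen in cats.items() if not seen & RECEIPTED]


def inflated_mileage(claims, factor=3.0):
    """Employees whose total personal-car miles exceed `factor` times the
    median total of everyone who claimed mileage at all (assumed threshold)."""
    miles = defaultdict(int)
    for emp, _trip, cat, _amount, m in claims:
        if cat == "mileage":
            miles[emp] += m
    if not miles:
        return []
    threshold = factor * median(miles.values())
    return sorted(e for e, total in miles.items() if total > threshold)
```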

Page 10:

Audit of Travel Expenses

Professional Skepticism: an attitude that includes a questioning mind and a critical assessment of audit evidence. The auditor should not assume that management is either honest or dishonest.

Computer Forensics Examination: locating digital evidence that can withstand close scrutiny or a legal challenge.

Page 11:

Audit of Travel Expenses

Request the services of a computer forensics expert to analyze the employee’s hard drive to determine if digital evidence can be found to support the falsification of the travel reimbursement form.

Page 12:

Audit of Travel Expenses

Computer Forensic Results:

Digital evidence proved this employee did not travel at all.
- Emails
- Telephone calls made from within the building using VOIP
- Facility access logs proved the employee was in the building during the days he was supposed to be on travel status.

A signature block of the supervisor was found on the employee’s hard drive.

Hash values of the signature image agreed with the hash value of the signature image used on the fraudulent travel reimbursements.

Page 13:

Audit of Travel Expenses

Travel Reimbursement Fraud
More than $100,000 of fraudulent reimbursements were found to have been made to this one employee.

Are our internal controls over travel expenditures weak or strong?

Control Weaknesses found:
- Staying with friends and family (produces no receipts)

Page 14:

Why We Need Computer Forensics (Reasons for Computer Forensic Services)

- Inappropriate Use of Computer Systems
- Determining a Security Breach
- Detection of Disloyal Employees
- Evidence for Disputed Dismissals
- Malicious File Identification
- Theft of Information Assets
- Forgeries of Documents

Page 15:

The Process

(1) Identification
(2) Collection of Evidence
(3) Required Documentation
(4) Imaging
(5) Examination
(6) Report Preparation
(7) Returning of Evidence

Page 16:

Identification

AUDITOR’S ROLE (Forensic Specialist)
1. Determine if the reason for computer forensics is appropriate.
2. Identify where additional digital evidence may reside.

AUDITEE’S ROLE (ex. University)
1. Determine when to use Computer Forensic Services.
2. Identify where digital evidence may reside.

Page 17:

Collection of Evidence

• IT AUDITOR’S ROLE
– Help client secure the computer to be examined
– Require and complete necessary forms
– Securely collect computer from client

• AUDITEE’S ROLE
– Ensure that the computer to be examined remains secure until collected
– Notify appropriate personnel
– Complete Chain of Custody Form

Page 18:

Collection of Evidence – (Do's & Don'ts)

Do not disturb the computer in question.

Page 19:

Collection of Evidence – Do's & Don'ts (con’t)

Computer is off, leave it off.

Page 20:

Collection of Evidence – Do's & Don'ts (con’t)

Computer is on, leave it on.

Page 21:

Collection of Evidence – Do's & Don'ts (con’t)

Do not run any programs on the computer.

Page 22:

Collection of Evidence – Do's & Don'ts (con’t)

Do not make any changes.

Page 23:

Collection of Evidence – Do's & Don'ts (con’t)

Do not insert anything into the computer.

Page 24:

Collection of Evidence – Do's & Don'ts (con’t)

Secure the computer.

Page 25:

Required Documentation

- Computer Forensic Request Form
- Chain of Custody Form
- Signatures
- Disclosures and Disclaimers

Page 26:

Required Documentation

Page 27:

Required Documentation

Auditor’s Role
- Assign a Case Number
- Assign an auditor or computer forensic expert
- Date & Time when device was secured

AUDITEE’S Role
- Document Date & Time of Request
- Name of Requestor
- Date & Time Client secured the device
- Agency Name
- Head of the Agency Name

Page 28:

Required Documentation

Auditor’s Role – Document:
- Serial Numbers
- MAC Address
- Static IP Address
- Make & Model

AUDITEE’S Role – Document:
- Reason for Request
- Desired Objectives

Page 29:

Approval From Relevant Parties

Approvals should be obtained from:
- Head of the Agency or Company
- Audit Director
- Legal Counsel, and
- Human Resources

Page 30:

Required Documentation

AUDITOR’S Role
- Sign and date form
- Obtain Director and Legal Counsel approval

AUDITEE’S Role
- Sign and date form
- Obtain Agency Head approval

Page 31:

Additional Chain of Custody Form

Chain of Custody form continued on the reverse side of the computer forensic request form.

Device Serial#:
FAS:
Make:
Model:

Relinquished By:  Signature | Print Name | Reason | Date | Time
Received By:      Signature | Print Name | Reason | Date | Time

Page 32:

Why Are These Documents Necessary?

- Collect important information
- Legal aspects
- Get out of jail free card

Page 33:

Scan Hardcopies

We scan all hardcopy forms to PDF, and this electronic copy is kept with the images of the evidence.

Page 34:

Imaging

AUDITOR’S ROLE
– Determine where to perform the image:
  – Onsite
  – In the Lab

AUDITEE’S ROLE
– Escort our staff to physically collect the computer from the computer’s secure location.

Page 35:

Hardware Imaging

Page 36:

Imaging

Here are some of the procedures we use during imaging to ensure that evidence collected is clearly identified and preserved:

Page 37:

Tag Evidence

We manually tag all evidence items with an assigned case number using the following naming convention:

Case Number and Hard Drive Serial Number (Ex., 01-2008-04-Agency Name – HDD Serial#)

Page 38:

Connect Hard Drive to Write Blocker

Page 39:

Connect Write Blocker to the Hard Drive

Page 40:

Imaging Regular Hard Drive

To image a regular sized hard drive, implement the following procedures:
- Request the client to purchase a storage device.
  - Reduces cost
  - Ensure enough space is available to process the evidence.
  - Easy transfer of images to client

Page 41:

Storage Device

Page 42:

Organize Evidence Information

Create the following folders on the destination drive for every case:

Case Name-Evidence Item Number (Folder)
1. Evidence (sub-folder)
   1. HDD1 (sub-folder)
   2. HDD2 (sub-folder)
2. Export (sub-folder)
3. Temp (sub-folder)
4. Index (sub-folder)
5. Drive Geometry (sub-folder)
6. Report (sub-folder)
7. Case Back-up (sub-folder)

Place all images produced in the Evidence folder.

Page 43:

Use FTK Imager

Create the image using FTK Imager.

Through experience, we have found this to be one of the easiest and most portable software tools for creating images. Also, this image can be used in both FTK and EnCase.

Page 44:

Image Physical Drive

Always image the physical drive.
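An added Python example (not the presenter's code and not FTK Imager) that ties the imaging steps together: it builds the evidence tag from slide 37, creates the case folder layout from slide 42, and records a SHA-256 for each image placed in the Evidence folder so the image can be re-verified later, the same kind of hash agreement the talk relies on in slide 12. The sample image bytes, the serial number, the `.001` raw-image extension and the `.sha256` manifest file are assumptions made for the example.

```python
import hashlib
import pathlib
import tempfile

# Sub-folders the talk creates under "Case Name-Evidence Item Number".
CASE_SUBFOLDERS = ("Evidence", "Export", "Temp", "Index",
                   "Drive Geometry", "Report", "Case Back-up")


def evidence_tag(case_number, agency, hdd_serial):
    """Tag in the talk's convention: case number, agency name, HDD serial."""
    return f"{case_number}-{agency} - {hdd_serial}"


def create_case_folders(destination, case_name, item_number, drive_count=1):
    """Create the case folder tree and one Evidence/HDDn folder per drive."""
    root = pathlib.Path(destination) / f"{case_name}-{item_number}"
    for sub in CASE_SUBFOLDERS:
        (root / sub).mkdir(parents=True, exist_ok=True)
    for n in range(1, drive_count + 1):
        (root / "Evidence" / f"HDD{n}").mkdir(exist_ok=True)
    return root


def sha256_file(path, chunk=1 << 20):
    """Hash a file in 1 MiB chunks so a large drive image never sits in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def store_image(root, drive_index, tag, image_bytes):
    """Place an image in Evidence/HDDn and record its SHA-256 beside it.
    The hash taken at acquisition is what every later check compares against."""
    folder = root / "Evidence" / f"HDD{drive_index}"
    image_path = folder / f"{tag}.001"  # assumed raw (dd-style) image extension
    image_path.write_bytes(image_bytes)
    digest = sha256_file(image_path)
    image_path.with_suffix(".sha256").write_text(f"{digest}  {image_path.name}\n")
    return image_path, digest


def verify_image(image_path):
    """Recompute the image hash and compare it with the recorded value."""
    recorded = image_path.with_suffix(".sha256").read_text().split()[0]
    return sha256_file(image_path) == recorded


def demo():
    """Run the whole flow in a scratch directory on a constructed sample image."""
    with tempfile.TemporaryDirectory() as tmp:
        root = create_case_folders(tmp, "01-2008-04", "01", drive_count=2)
        tag = evidence_tag("01-2008-04", "Agency Name", "SN-EXAMPLE-0001")
        path, _digest = store_image(root, 1, tag, b"\x00" * 4096 + b"sample image")
        intact = verify_image(path)
        with open(path, "ab") as f:  # simulate a change made after acquisition
            f.write(b"\x01")
        return {"folders": sorted(p.name for p in root.iterdir()),
                "hdd": sorted(p.name for p in (root / "Evidence").iterdir()),
                "tag": tag, "intact": intact, "after_change": verify_image(path)}
```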

Page 45:

Imaging

- Remove hard drive from the write block device.
- Reassemble the computer.
- Ensure evidence remains tagged.

Page 46:

Imaging

If court action is anticipated, preserve the original evidence if possible.

If original evidence cannot be preserved, NC Court Rules of Evidence allow for the image to be admitted as evidence.

Page 47:

Imaging

FTK can take a few days to process your image.

During this time, we return to our normal audit work.

Page 48:

Examination/Analysis

- Run keyword searches (keywords obtained from client)
- Review corroborating evidence
  - Emails
  - Surveillance video
  - DVDs & CDs
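An added Python example, not from the talk and not FTK, of the keyword search step applied to raw image bytes: it looks for each client-supplied keyword in both ASCII and UTF-16LE form (the encoding Windows uses for file names and much document text, which a plain ASCII search misses) and reports the byte offset of every hit. The sample bytes and the keywords are constructed for the example.

```python
import re

# Constructed sample of raw image bytes (not a real disk image): some UTF-16LE
# text, some ASCII text, and filler bytes between them.
SAMPLE_IMAGE = (
    b"\x00" * 64
    + "travel reimbursement 04/2008".encode("utf-16-le")
    + b"\xff" * 32
    + b"Subject: signature block for approval\r\n"
    + b"\x00" * 64
    + b"REIMBURSEMENT form attached"
    + b"\x00" * 16
)


def keyword_hits(data, keywords, chunk_size=1 << 16):
    """Scan raw image bytes for each keyword, case-insensitively, in both
    ASCII and UTF-16LE encodings, reading the data in overlapping chunks so
    an image larger than memory can be processed the same way.
    Returns a sorted list of (byte_offset, keyword, encoding)."""
    patterns = []
    for kw in keywords:
        for enc in ("ascii", "utf-16-le"):
            pat = re.compile(re.escape(kw.encode(enc)), re.IGNORECASE)
            patterns.append((kw, enc, pat))
    # Overlap by the longest encoded pattern so a hit straddling a chunk
    # boundary is still seen whole in the preceding window.
    overlap = max(len(kw) for kw in keywords) * 2
    hits = set()
    for pos in range(0, len(data), chunk_size):
        window = data[pos: pos + chunk_size + overlap]
        for kw, enc, pat in patterns:
            for m in pat.finditer(window):
                hits.add((pos + m.start(), kw, enc))
    return sorted(hits)
```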

Page 49:

Forensic Report

The auditor will issue a report to appropriate personnel once the examination is completed.

Page 50:

Questions?