1
Chapter 7: Investigating Theft Acts
Fraud Examination, 4E
© 2011 Cengage Learning. All Rights Reserved. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use.
2
Learning Objectives
- Discuss theft investigation methods and how they are used to investigate suspected fraud.
- Understand how to coordinate an investigation, using a vulnerability chart.
- Describe the nature of surveillance and covert operations.
- Understand the effectiveness of invigilation to investigate fraud.
3
Learning Objectives
- Explain how to obtain physical evidence and how it can be used in a fraud investigation.
- Understand how to seize and analyze electronic information from cell phones, hard drives, , and other sources.
- Use trash and other social engineering methods to investigate fraud.
4
When Should You Investigate Fraud?
Consider the following:
- strength of the predication
- cost of the investigation
- exposure or amount that could have been taken
- the signal that investigation or noninvestigation will send to others in the organization
5
When Should You Investigate Fraud?
- risks of investigating and not investigating
- public exposure or loss of reputation from investigating and not investigating
- nature of the possible fraud
6
Fraud Investigation Methods
Once there is predication, determine the "Who?", "How?", and "How much?" questions of the fraud.
7
Fraud Investigation Methods
8
Theft Act Investigative Methods
Methods that directly investigate the fraud act:
- Surveillance and covert operations
- Invigilation
- Obtaining physical evidence
- Gathering electronic evidence
9
Theft Act Investigative Methods
- When beginning a fraud investigation, it is often useful to develop theories.
- One way to develop such theories is to use a vulnerability chart.
10
Theft Act Investigative Methods
11
Theft Act Investigative Methods
Surveillance and Covert Operations
- Rely on the senses—especially hearing and seeing
12
Theft Act Investigative Methods
The three types of surveillance:
- Stationary or fixed point
  - Record events occurring at a scene
  - Log includes time, place, and events
- Moving or tailing
  - Following the suspect
  - Should only be done by professionals
- Electronic surveillance
  - Video camera
13
Theft Act Investigative Methods
Invigilation
- Involves close supervision of suspects during an examination period
- Strict temporary controls are implemented so that committing fraud is almost impossible
14
Invigilation Diagram
15
Theft Act Investigative Methods
Physical Evidence
Involves analyzing objects such as:
- inventory, assets, and broken locks
- substances such as grease and fluids
- traces such as paints and stains
- impressions such as cutting marks, tire tracks, and fingerprints
or searching computers
16
Theft Act Investigative Methods
Steps for gathering electronic evidence
Caution: The gathering of electronic evidence is a highly technical task that must be performed correctly. You may want to include a computer forensics specialist on your team.
17
Theft Act Investigative Methods
Step 1: Secure the Device and Perform Initial Tasks
- Need to have the legal right to seize the hardware
- Exercise care with respect to chain of custody, evidence marking, etc.
- Take pictures of the seizure site and have neutral witnesses on the scene
18
Theft Act Investigative Methods
After the preliminary steps of securing the device and performing initial tasks:
- Turn the computer off by cutting power to the machine (or by removing the battery on laptops)
- DO NOT TURN THE COMPUTER OFF NORMALLY
19
Theft Act Investigative Methods
Step 2: Clone the Device & Calculate CRC Checksum
- Perform a bit-for-bit copy of the entire hard drive
- Calculate the CRC checksum
- Seal away the original disk
- Perform investigation on the cloned copy
20
Theft Act Investigative Methods
Cyclic redundancy check (CRC) number: a calculation based on the contents of a disk or file
- Create the CRC immediately after the bit-for-bit copy
- You can prove later that:
  - Your cloned hard drive exactly matched the original drive
  - You have not modified data since the hard drive was seized
21
Theft Act Investigative Methods
The two primary checksum methods used today are the MD5 and SHA-1 algorithms
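Added example (not from the original slides or the textbook): Step 2's verification in Python, fingerprinting the original and the clone in one streaming pass each and re-checking the working copy later. The function and file names are hypothetical; SHA-256 is computed alongside the MD5 and SHA-1 digests the slides name, and zlib's CRC-32 stands in for the CRC value.

```python
import hashlib
import os
import tempfile
import zlib

ALGORITHMS = ("md5", "sha1", "sha256")  # sha256 is an assumption added to the slides' MD5/SHA-1
CHUNK = 1024 * 1024  # read 1 MiB at a time so a whole-disk image never sits in memory

def fingerprint(path):
    """Stream an image once; return its size, CRC-32 and cryptographic digests."""
    hashers = {name: hashlib.new(name) for name in ALGORITHMS}
    crc, size = 0, 0
    with open(path, "rb") as image:
        while chunk := image.read(CHUNK):
            crc = zlib.crc32(chunk, crc)
            size += len(chunk)
            for h in hashers.values():
                h.update(chunk)
    record = {name: h.hexdigest() for name, h in hashers.items()}
    record.update(size=size, crc32=f"{crc:08x}")
    return record

def acquire_record(original, clone):
    """Fingerprint both right after cloning; refuse to continue if they differ."""
    src, dst = fingerprint(original), fingerprint(clone)
    if src != dst:
        raise ValueError("clone does not match original; re-image before analysis")
    return src

def still_unmodified(clone, record):
    """Later re-check: True only if the working copy still matches the record."""
    return fingerprint(clone) == record

if __name__ == "__main__":
    # Constructed stand-ins for the seized drive and its bit-for-bit copy.
    with tempfile.TemporaryDirectory() as d:
        orig, copy = os.path.join(d, "original.dd"), os.path.join(d, "clone.dd")
        data = os.urandom(3 * CHUNK + 17)
        for p in (orig, copy):
            with open(p, "wb") as f:
                f.write(data)
        record = acquire_record(orig, copy)
        print(record)
        with open(copy, "r+b") as f:  # simulate one altered byte in the working copy
            f.seek(100)
            f.write(bytes([data[100] ^ 1]))
        print("unmodified:", still_unmodified(copy, record))
```

The record is what gets stored with the chain-of-custody paperwork; any later mismatch means the working copy can no longer be shown to equal the sealed original.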
22
Theft Act Investigative Methods
Step 3: Search the Device Manually
Common areas to search include:
- Computer logs such as Web activity, recent files on the Start menu, Web favorites, and the browser history.
- The “My Documents” folder—most applications save data to this location.
- The trash can or recycle bin.
- USB keys, CDs, or disks found around the computer.
23
Theft Act Investigative Methods
- Recently loaded files listed in the “File” menu of many applications
- Chat logs and client caches
24
Theft Act Investigative Methods
Step 4: Search the Device Using Automated Procedures
- Forensic Software Packages
  - Guidance Software’s EnCase Forensic Edition
  - AccessData’s The Forensic Toolkit (FTK)
- Open Source Packages
  - e-fence Inc.’s Helix
  - Remote-Exploit.org’s BackTrack
25
Theft Act Investigative Methods
Systems
- Many copies may exist (sender, receiver, server)
- Includes text messaging in certain countries
- Web-based (Hotmail, GMail, Yahoo! Mail) is more difficult to search