Published by James Patrick. Modified over 9 years ago.

Catching Al Capone: What All Accountants Should Know About Computer Forensics
Grover Kearns, PhD, CPA, CFE, CITP
Scarface
Eliot Ness
Catching Al Capone
- Capone was known to be responsible for a wide array of felonies and violent crimes, but evidence was lacking
- Witnesses tended to disappear
- Direct evidence was needed
- Business records provide direct evidence
- Careful search, analysis, and handling of data are required to produce data that are acceptable as evidence
Survey Shows Companies Fear Fraud, But Many Not Prepared
Ernst & Young's 9th Global Fraud Survey: Fraud Risk in Emerging Markets
- 60 percent of multinationals say they believe fraud is more likely to occur in emerging market operations than in developed markets
- Robust internal controls remain the first line of defense against fraud for companies in all markets
Why Accountants and auditors …
- are better positioned to detect computer-based fraud
- can assist in maintaining a chain of custody for digital evidence
- can better communicate with IT employees
- can promote IT-based internal controls
- can assist in the efficient use of IT resources
Common Applications of Computer Forensics
- Employee internet abuse (common, but decreasing)
- Unauthorized disclosure of corporate information and data (accidental and intentional)
- Industrial espionage
- Damage assessment
- Criminal fraud and deception cases
Cardinal Rules of Evidence Handling
- Only use tools and methods that have been tested and evaluated to validate their accuracy and reliability.
- Handle the original evidence as little as possible to avoid changing the data.
- Establish and maintain the chain of custody.
- Document everything done.
- Never exceed personal knowledge.
Forensic Accountants are Involved In
- Criminal Investigations
- Shareholders' and Partnership Disputes
- Personal Injury Claims
- Business Interruption
- Fraud Investigations
- Matrimonial Disputes
- Professional Negligence
- Mediation and Arbitration
Computer forensics can be defined as the collection and analysis of data from computer systems, networks, communication streams (wireless) and storage media in a manner that is admissible in a court of law. – CERT
“Computer forensics” can thus not afford solely to concern itself with procedures and methods of handling computers, the hardware from which they are made up and the files they contain. The ultimate aim of forensic investigation is use in legal proceedings [Mandia 01]. The objective in computer forensics is quite straightforward. It is to recover, analyze and present computer based material in such a way that it is useable as evidence in a court of law [Mandia 01].
Digital Crime Scene Investigation
Digital Forensic Investigation: A process that uses science and technology to examine digital objects and that develops and tests theories, which can be entered into a court of law, to answer questions about events that occurred.
IT Forensic Techniques are used to capture and analyze electronic data and develop theories.
Audit Goals of a Forensic Investigation
- Uncover fraudulent or criminal cyber activity
- Isolate evidentiary matter (freeze scene)
- Document the scene
- Create a chain of custody for evidence
- Reconstruct events and analyze digital information
- Communicate results
Audit Goals of a Forensic Investigation: Immediate Response
- Shut down computer (pull plug)
- Bit-stream mirror-image of data
- Begin a traceback to identify possible log locations
- Contact system administrators on intermediate sites to request log preservation
- Contain damage and stop loss
- Collect local logs
- Begin documentation
Audit Goals of a Forensic Investigation: Continuing Investigation
- Implement measures to stop further loss
- Communicate to management and audit committee regularly
- Analyze copy of digital files
- Ascertain level and nature of loss
- Identify perpetrator(s)
- Develop theories about motives
- Maintain chain of custody
Digital Crime Scene Investigation: Scene Preservation & Documentation
Goal: Preserve the state of as many digital objects as possible and document the crime scene.
Methods:
- Shut system down
- Unplug (best)
- Do nothing
- Bag and tag
Audit Goals of a Forensic Investigation: Requirements for Evidence
Computer logs …
- Must not be modifiable
- Must be complete
- Appropriate retention rules
Digital Crime Scene Investigation: Problems with Digital Investigation
- Timing essential – electronic evidence is volatile
- Auditor may violate rules of evidence: NEVER work directly on the evidence
- Skills needed to recover deleted data or encrypted data
Digital Crime Scene Investigation: Extract, Process, Interpret
- Work on the imaged data or “safe copy”
- Data extracted may be in binary form
- Process data to convert it to understandable form
- Reverse-engineer to extract disk partition information, file systems, directories, files, etc.
- Software available for this purpose
- Interpret the data – search for key words, phrases, etc.
Digital Crime Scene Investigation: Technology
- Magnetic disks contain data after deletion
- Overwritten data may still be salvaged
- Memory still contains data after switch-off
- Swap files and temporary files store data
- Most OSs perform extensive logging (so do network routers)
Role of a First Responder
Essentially the first person notified and reacting to the security incident.
Responsibilities:
- Determine the severity of the incident
- Collect as much information about the incident as possible
- Document all findings
- Share this collected information to determine the root cause
Importance of Computer Forensics to Accountants
- First Responder
- IT Auditor
- Member of CERT
- Maintain Chain of Evidence
- Document Scene
- Develop Investigatory Process
- Manage Investigatory Process
- Advanced Certifications (CISA etc.)
Beginning of Accounting: about 9,000 BC. Double Entry Accounting.
A Little Bit of History
Our numbering system is based on a Hindu system that came into the Arabic world about 776 CE. This replaced the Roman system, which is still used today (at the end of movie credits).
A Little Bit of History
Pingala (c. 5th–2nd century BC), an Indian scholar, used binary numbers in the form of short and long syllables (think Morse code).
Base 10 versus Base 2
When we talk numbers, we use a base 10 system, because we use ten characters to write out all of our numbers: 0 1 2 3 4 5 6 7 8 9.
Computers using binary language operate on a base-2 number system, because the two numbers they use are “0” and “1”. These are called binary digits or bits.
Alphabet Soup
We use the English language consisting of 26 characters: Aa Bb Cc Dd Ee Ff Gg Hh Ii Jj Kk Ll Mm Nn Oo Pp Qq Rr Ss Tt Uu Vv Ww Xx Yy Zz.
Computers use binary language consisting of 2 characters, arranged together in groups of eight, to communicate.
Aa = 01000001 01100001
Zz = 01011010 01111010
8 bits = 1 byte
The Byte Scale
This is where it gets tricky.
Binary Numbering System
Placeholders
In the value 5,736,941 the 3 stands for 30,000 because of its location in the fifth place, or 3 × 10^4. Nearly all numbering systems use placeholders. An exception is the Roman system, where they write down numbers from biggest to smallest. Ex. MCMXCVIII is 1998.
Binary to Decimal
Hands-on Activity 1
Use your math skills to calculate the binary number for the base-10 number provided.

       2^4  2^3  2^2  2^1  2^0
        16    8    4    2    1
  21 =   _    _    _    _    _
Hands-on Activity 1 Answer
Use your math skills to calculate the binary number for the base-10 number provided.

       2^4  2^3  2^2  2^1  2^0
        16    8    4    2    1
  21 =   1    0    1    0    1
Hands-on Activity 2

       2^4  2^3  2^2  2^1  2^0
        16    8    4    2    1
  17 =   _    _    _    _    _
  31 =   _    _    _    _    _
   7 =   _    _    _    _    _
Hands-on Activity 2 Answer

       2^4  2^3  2^2  2^1  2^0
        16    8    4    2    1
  17 =   1    0    0    0    1
  31 =   1    1    1    1    1
   7 =   0    0    1    1    1
Hands-on Activity 3
Use your math skills to translate the binary number into the decimal number it represents.

  2^4  2^3  2^2  2^1  2^0
   16    8    4    2    1
    1    1    1    0    1  = ?
    1    1    0    0    0  = ?
Hands-on Activity 3 Answer
Use your math skills to translate the binary number into the decimal number it represents.

  2^4  2^3  2^2  2^1  2^0
   16    8    4    2    1
    1    1    1    0    1  = 29
    1    1    0    0    0  = 24
Do I Really Need to Know This?
Hexadecimal
0, 1, 2, 3, 4, 5, 6, 7, 8, 9, A = 10, B = 11, C = 12, D = 13, E = 14, F = 15 (highest hex value in one place)
Hexadecimal and Binary
Base 16 (0-9, A, B, C, D, E, F) – short-hand for binary

Decimal  Hex   Binary
255      FF    1111 1111
256      100   1 0000 0000
4,095    FFF   1111 1111 1111
4,096    1000  1 0000 0000 0000
Odometer Effect
When a value reaches its maximum for the placeholders and you add 1, it rolls over. For example, in decimal
Hands-on Activity 1
Use your math skills to calculate the hex number for the base-10 number provided.

            16^4    16^3   16^2  16^1  16^0
            65,536  4,096  256   16    1
  65,535 =  _       _      _     _     _
   4,095 =  _       _      _     _     _
Hands-on Activity 1 Answer
Use your math skills to calculate the hex number for the base-10 number provided.

            16^4    16^3   16^2  16^1  16^0
            65,536  4,096  256   16    1
  65,535 =  _       F      F     F     F
   4,095 =  _       _      F     F     F
Hands-on Activity 2
Use your math skills to calculate the hex number for the base-10 number provided.

             16^4    16^3   16^2  16^1  16^0
             65,536  4,096  256   16    1
  297,036 =  _       _      _     _     _
   83,041 =  _       _      _     _     _
Hands-on Activity 2 Answer
Use your math skills to calculate the hex number for the base-10 number provided.

             16^4    16^3   16^2  16^1  16^0
             65,536  4,096  256   16    1
  297,036 =  4       8      8     4     C
   83,041 =  1       4      4     6     1
Hands-on Activity 3
Use your math skills to calculate the base-10 number for the hex number provided.

  16^4    16^3   16^2  16^1  16^0
  65,536  4,096  256   16    1
  1       A      2     0     C   = ?
  _       1      B     A     D   = ?
Hands-on Activity 3 Answer

  16^4    16^3   16^2  16^1  16^0
  65,536  4,096  256   16    1
  1       A      2     0     C   = 107,020
  _       1      B     A     D   = 7,085
Hands-on Activity
1. Calculate how many bytes are in a 500 GB hard drive.
2. How many bytes are in a 64 MB memory chip?
3. A hard drive has 1 terabyte of data. How many kilobytes is that?
Hands-on Activity Answers
1. Calculate how many bytes are in a 500 GB hard drive. 500 x 1,000,000,000 = 500,000,000,000
2. How many bytes are in a 64 MB memory chip? 64 x 1,000,000 = 64,000,000
3. A hard drive has 1 terabyte of data. How many kilobytes is that? 1,000,000,000,000 bytes = 1,000,000,000 kbytes
Hands-on Activity
Your computer just received the following binary message from the keyboard. Translate the message into English.
01001000 01100101 01111001 00101100 00100000 01111001 01101111 01110101 00100111 01110110 01100101 00100000 01101100 01100101 01100110 01110100 00100000 01110100 01101000 01100101 00100000 01000011 01000001 01010000 01010011 00100000 01101100 01101111 01100011 01101011 00100000 01101011 01100101 01111001 00100000 01101111 01101110 00100001
Hands-on Activity
Just kidding!
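Every hands-on activity above (binary to decimal, decimal to binary, hex in both directions, and the 8-bit keyboard message) reduces to the placeholder rule from the "Placeholders" slide: each digit is weighted by the base raised to its position, counting from zero at the right. The following added example, which is not part of the presentation, implements that rule in Python for any base up to 16 and checks it against the activity values. The function names are my own; the one constant taken from the page is the keyboard message.

```python
DIGITS = "0123456789ABCDEF"   # digit symbols shared by bases 2, 10 and 16


def from_base(text: str, base: int) -> int:
    """Placeholder rule: rightmost digit is weighted base**0, the next base**1, and so on.

    Thousands separators and the spaces used to group binary nibbles are ignored,
    so "1111 1111" and "4,095" are both accepted.
    """
    cleaned = text.replace(",", "").replace(" ", "").upper()
    value = 0
    for place, symbol in enumerate(reversed(cleaned)):
        digit = DIGITS.index(symbol)
        if digit >= base:
            raise ValueError(f"{symbol!r} is not a base-{base} digit")
        value += digit * base ** place
    return value


def to_base(number: int, base: int, width: int = 0) -> str:
    """Peel off the lowest place with divmod until nothing is left (the odometer run backwards)."""
    if number < 0:
        raise ValueError("only non-negative values are handled")
    digits = ""
    while True:
        number, remainder = divmod(number, base)
        digits = DIGITS[remainder] + digits
        if number == 0:
            break
    return digits.rjust(width, "0")   # pad to the 5 columns used in the activity tables


def to_binary(number: int, width: int = 5) -> str:
    return to_base(number, 2, width)


def to_hex(number: int) -> str:
    return to_base(number, 16)


def decode_binary_message(bitstream: str) -> str:
    """Each 8-bit group is one byte; interpret every byte as one ASCII character."""
    return "".join(chr(from_base(group, 2)) for group in bitstream.split())


# The keyboard message from the activity slide.
KEYBOARD_MESSAGE = (
    "01001000 01100101 01111001 00101100 00100000 01111001 01101111 01110101 "
    "00100111 01110110 01100101 00100000 01101100 01100101 01100110 01110100 "
    "00100000 01110100 01101000 01100101 00100000 01000011 01000001 01010000 "
    "01010011 00100000 01101100 01101111 01100011 01101011 00100000 01101011 "
    "01100101 01111001 00100000 01101111 01101110 00100001"
)


if __name__ == "__main__":
    for n in (21, 17, 31, 7):
        print(f"{n:>3} = {to_binary(n)}")
    for bits in ("11101", "11000"):
        print(f"{bits} = {from_base(bits, 2)}")
    for n in (65535, 4095, 297036, 83041):
        print(f"{n:>7,} = {to_hex(n)}")
    for hx in ("1A20C", "1BAD"):
        print(f"{hx:>5} = {from_base(hx, 16):,}")
    print(decode_binary_message(KEYBOARD_MESSAGE))
```

The same from_base call reads the signature bytes a hex editor shows: from_base("D0", 16) is the decimal value of the first byte of a Word or Excel file, and to_hex of any byte value gives the two characters you would look for in the editor.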
Hexadecimal Editors
Many freeware editors are available. HxD is a popular editor.
The Hex Editor
jpg file opened in HxD editor. Note JFIF.
gif file opened in HxD editor. Note GIF and the 47 49 46 signature.
exe file opened in HxD editor. Note that 2E 65 78 65 is “.exe”.
MS Word document opened in HxD editor.
MS Excel spreadsheet opened in HxD editor. Note the D0 CF 11 E0 signature for all MS files.
Bitmap image opened in HxD editor. Note the 42 4D signature for bitmap files.
File Signatures in Hex

File Type  Signature
PDF        25 50 44 46
JPG        FF D8 FF E0
EXE        4D 5A 90 00
DLL        4D 5A 90 00
DOC        D0 CF 11 E0
XLS        D0 CF 11 E0
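The signature table and the HxD screenshots above can be turned into a check an auditor can run over a folder of recovered files. The following is an added example and not code from the presentation: it matches the first bytes of a file against the table (plus the GIF 47 49 46 and bitmap 42 4D signatures noted on the earlier slides), prints the same hex-and-ASCII view a hex editor shows, and flags a file whose name extension disagrees with what its bytes say it is. The sample headers are constructed byte strings, not real files; JPG is matched on FF D8 FF E0 exactly as the table gives it.

```python
# Signatures from the slide table, plus GIF and BMP from the HxD screenshots.
SIGNATURES = {
    "PDF": bytes.fromhex("25 50 44 46"),
    "JPG": bytes.fromhex("FF D8 FF E0"),
    "EXE": bytes.fromhex("4D 5A 90 00"),
    "DLL": bytes.fromhex("4D 5A 90 00"),
    "DOC": bytes.fromhex("D0 CF 11 E0"),
    "XLS": bytes.fromhex("D0 CF 11 E0"),
    "GIF": bytes.fromhex("47 49 46"),
    "BMP": bytes.fromhex("42 4D"),
}


def identify(header: bytes) -> list[str]:
    """All file types whose signature matches the leading bytes.

    EXE/DLL and DOC/XLS share a signature, so the bytes alone cannot separate them;
    the list form makes that ambiguity explicit instead of guessing.
    """
    return sorted(kind for kind, sig in SIGNATURES.items() if header.startswith(sig))


def extension_of(filename: str) -> str:
    return filename.rsplit(".", 1)[1].upper() if "." in filename else ""


def extension_matches(filename: str, header: bytes) -> bool:
    """True when the name's extension agrees with what the bytes say the file is."""
    return extension_of(filename) in identify(header)


def hexdump_line(data: bytes, offset: int = 0) -> str:
    """One line in the form a hex editor shows: offset, hex bytes, printable ASCII."""
    hex_part = " ".join(f"{b:02X}" for b in data)
    text_part = "".join(chr(b) if 32 <= b < 127 else "." for b in data)
    return f"{offset:08X}  {hex_part}  {text_part}"


# Constructed sample headers (first 16 bytes of each file); not real evidence.
SAMPLE_FILES = {
    "budget.xls": bytes.fromhex("D0 CF 11 E0 A1 B1 1A E1 00 00 00 00 00 00 00 00"),
    "photo.jpg":  bytes.fromhex("FF D8 FF E0 00 10 4A 46 49 46 00 01 01 00 00 48"),
    "report.pdf": bytes.fromhex("4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00"),
    "logo.bmp":   bytes.fromhex("42 4D 36 00 0C 00 00 00 00 00 36 00 00 00 28 00"),
}


def triage(files: dict[str, bytes]) -> list[tuple[str, list[str], bool]]:
    """For each file: (name, types the bytes match, does the extension agree?)."""
    return [(name, identify(hdr), extension_matches(name, hdr)) for name, hdr in files.items()]


if __name__ == "__main__":
    for name, kinds, ok in triage(SAMPLE_FILES):
        flag = "" if ok else "   <-- extension does not match signature"
        print(f"{name:12} {kinds}{flag}")
        print("    ", hexdump_line(SAMPLE_FILES[name]))
```

In the sample set, "report.pdf" carries the 4D 5A 90 00 executable signature, so the check reports it as EXE/DLL and flags the mismatch; that is the kind of item worth setting aside for the IT staff rather than opening. The "photo.jpg" line also shows JFIF in the ASCII column, as the HxD screenshot does.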
A PDF file opened in a Hex Editor
A PDF file opened in NotePad
A BMP file opened in a Hex Editor
A JPG file opened in a Hex Editor
“Accountants are supposed to function as the nation’s watchdogs.” ~ U.S. Supreme Court, 1984
Watchdogs Need Big Teeth
End Class 2 Lecture. Questions?