2 Allegation
- Anonymous tip
- Ethics line
- Risk assessment
- Audit
- Continuous auditing/monitoring

3 Allegation
Fraud and/or abuse:
- Breaches of confidentiality
- Running a personal business
- Pornography
- Sharing copyrighted material
- Travel and business expenses
- Unlicensed software use
- Time and attendance
- Harassment
- Bribery
- Theft
- Discrimination

4 Assessing the Allegation
Management:
- Receives
- Reviews
- Assigns
Guidelines:
- Should exist, outlining the steps taken to obtain digital evidence in support of an investigation

5 Assessing the Allegation
- Support a non-IT investigation
- Complete an IT investigation

7 Obtaining Digital Evidence
- Keep it confidential: only those with a "need to know"
- Physical confiscation: unplug, remove batteries; external storage devices; digital camera
- Chain of custody forms
- Check in and under everything
- Evidence bags
- Document everything

8 Unstructured Data
- No schemas
- No organization
- Unpredictable
Make note of:
- The obvious
- The not so obvious
- Piece the puzzle together from the outside in
- Start in the forest; don't get lost in the trees... yet

9 Searching Unstructured Data
- Internet
- Instant Messenger
- Digital forensics: servers, desktops, laptops, mobile devices

10 Searching the Internet
- Open connection: no affiliation
- Use an alias: address, profiles, user IDs

11 Searching the Internet
- Web reporting
- Google hacking: "intext:", "filetype:"
- Blogs
- Deep web
- Public records
- Social media

12 Searching eMail & IM
- Right to privacy? Warning banners
- Real-time journaling
- Back-ups: .pst, .nsf
- "Fly over": items of potential importance, key words

13 Searching eMail & IM
- Can see it all: everything is fair game
- Interesting differences between professional and personal personas
- What's happening? Substantiated? More information needed?
- Take notes

14 Digital Forensics
- Network: "snapshot"
- Physical: "static"

15 ProDiscover
- Can connect to any computer on the network: by IP address or by computer name
- Installs a remote agent executable; runs in the background as a service
- Captures an image of the hard drive over the network: deleted files, everything

16 ProDiscover
- User does not know they are being imaged
- Connected external drives can be accessed
- Timing
- All or nothing
- Unix dd image format
- Slower processing time
- Network location

21 FTK
- Image basics
- Data carving
- File types of interest
- KFF (Known File Filter)
- Graphics
- Deleted files
- Recycle Bin
- Personal
- Videos
- Key word searches

22 DTSearch
- Indexed: faster searching
- And – both required
- Or – either required
- Not
- w/# – within a number of words
- ? – any single character
- * – any number of characters
- ~ – stems (good for tenses)
- % – fuzzy (good for misspellings)
- & – synonyms
33 Unstructured Data as Digital Evidence
- Actions
- Accountability
- Dates and times
- Tie to source information: eMail & IM to image, Internet to image, mobile device to image

34 Structured Data
- Schemas
- Organized
- Predictable, but rarely clean
- Silos
- Complexity
- Data dictionary
- Knowledge base
- Training resources

35 Obtaining Structured Data
Is it:
- Complete?
- Verifiable?
- Source data?
- Transactional?
- Aggregated?
- A report?
- Does it have integrity?
- Has anyone else touched it?
- Will it need to be cleansed or reformatted?

36 Obtaining Structured Data
Is it:
- Hierarchical?
- Relational?
- Fixed length?
- Variable length?
- Delimited?
- Mainframe?
- HL7?
- EDI?

37 Obtaining Structured Data
- Learn the application and system process and data flows
- Obtain access to the application
- Obtain direct access to the source data
- Learn the query language
- Admit you're in over your head
- Make friends with IT: ask for help, without loss of confidentiality
- Involve IT: legacy systems; require confidentiality

38 Obtaining Structured Data
Source systems:
- DB2
- Oracle
- SQL Server
- Mainframe
Querying tools:
- TOAD
- QMF
- Proprietary reporting tools (no direct access available)

39 Obtaining Structured Data
Structured Query Language (SQL):
- Fairly standard across most platforms
- Some variations: PL/SQL, T-SQL
- Databases, schemas, tables
- Normalization
- Fields/columns
- Primary keys
- Foreign keys

40 Obtaining Structured Data
- Individual tables won't always give you meaningful information
- Relating those tables by primary and foreign keys provides meaningful information

41 Obtaining Structured Data
- Tweak and utilize existing SQL
- Write your own: can be time consuming; trial and error
- Reconcile back to the application
- Have others validate the results
- Back to source documentation if available

42 Obtaining Structured Data
- Some enterprise databases contain 30,000+ tables
- Data dictionaries should exist
- Determine the individual tables containing the needed data
- Determine the primary and foreign key(s) to create the join(s)
- Write the SQL statement(s)
43 Obtaining Structured Data
Joins are the drivers:
- Inner join: all records in Table B that have a match in Table A
- Outer join (left or right): all records in Table A, with or without a match in Table B, and only those records in Table B that have a match in Table A
- Cartesian join (every row of Table A paired with every row of Table B, usually because the join condition was lost): something is wrong
44 Obtaining Structured Data
When querying enterprise databases:
- Only what is necessary: not all columns/records
- No aggregating
- Apply date parameters
- Watch the processing time: something may be wrong with the SQL
- Edit and repeat
- Tie to source information
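An added example, not part of the original deck: the three join shapes from slide 43 run against a constructed SQLite vendor/invoice pair (Table A = vendor master, Table B = invoice transactions), with a record-count check for the Cartesian blow-up and a date-bounded exception query that pulls only the columns needed. Table and column names are invented for the example.

```python
import sqlite3

def build_sample_db():
    """Constructed sample data. Invoice 13 points at vendor 9, which has no
    master record, so it is the exception the audit query should surface."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE vendor (vendor_id INTEGER PRIMARY KEY, name TEXT);
        CREATE TABLE invoice (inv_id INTEGER PRIMARY KEY, vendor_id INTEGER,
                              inv_date TEXT, amount REAL,
                              FOREIGN KEY (vendor_id) REFERENCES vendor(vendor_id));
        INSERT INTO vendor VALUES (1, 'Acme'), (2, 'Globex'), (3, 'Initech');
        INSERT INTO invoice VALUES
            (10, 1, '2012-01-05', 500.00), (11, 1, '2012-02-10', 250.00),
            (12, 2, '2012-03-01', 900.00), (13, 9, '2012-03-15',  75.00);
    """)
    return con

def row_count(con, sql, params=()):
    return con.execute(sql, params).fetchone()[0]

def join_counts(con):
    """Record counts for the three join shapes on the slide (A = vendor, B = invoice)."""
    inner = row_count(con, "SELECT COUNT(*) FROM vendor a JOIN invoice b "
                           "ON a.vendor_id = b.vendor_id")
    left = row_count(con, "SELECT COUNT(*) FROM vendor a LEFT JOIN invoice b "
                          "ON a.vendor_id = b.vendor_id")
    # No ON clause: every vendor paired with every invoice, i.e. the Cartesian join.
    cartesian = row_count(con, "SELECT COUNT(*) FROM vendor a, invoice b")
    return inner, left, cartesian

def looks_cartesian(con, result_rows):
    """'Something is wrong' check: a result as large as |A| x |B| means the join condition was lost."""
    a = row_count(con, "SELECT COUNT(*) FROM vendor")
    b = row_count(con, "SELECT COUNT(*) FROM invoice")
    return result_rows == a * b

def orphan_invoices(con, start, end):
    """Only what is necessary: named columns, a date window, and only the exceptions
    (invoices whose vendor_id has no match in the vendor master)."""
    return con.execute("""
        SELECT b.inv_id, b.vendor_id, b.amount
        FROM invoice b LEFT JOIN vendor a ON a.vendor_id = b.vendor_id
        WHERE a.vendor_id IS NULL AND b.inv_date BETWEEN ? AND ?
        ORDER BY b.inv_id""", (start, end)).fetchall()
```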
45 Information to Evidence
Tools: Microsoft Access & Excel, ACL
- Reformatting
- Appending
- Computed fields
- Aggregating
- Querying
- Reporting

46 Structured Data as Digital Evidence
- Append the output: like data from differing sources rarely matches; cleansing, re-formatting
- Reconcile to source data: control totals, record counts
- Create new functionality: computed fields
- Get to the answer

47 Standardize the Output
- Social Security Numbers
- Birthdates
- Addresses
- Names
- Phone numbers
- Zip codes

48 Standardize the Output
- ACL creates its own "view" of the source data file, with the .fil extension
- The .fil is "read only": the source data remains untouched

49 Standardize the Output
- STRING(): STRING(Invoice_Nbr)
- VALUE(): VALUE(Invoice_Pmt)
- DATE(): DATE(Birthdate)

51 Standardize the Output
- If you aren't going to add, subtract, multiply, divide, or otherwise calculate on the field, format it as Text
- If you are going to add, subtract, multiply, divide, or otherwise calculate on the field, format it as Numeric or Date

52 Structured Data as Digital Evidence
- Actions
- Accountability
- Dates and times
- Tie to source information
- Control weaknesses: segregation of duties, approval limits, lack of oversight

53 Presenting the Digital Evidence
Report preparation:
- Unstructured information
- Structured information
- Support the allegation(s)
- Refute the allegation(s)
- Consult with Law
- Consult with Management
- Consult with Senior Executives

54 CAATs
- Direct access and the right tools
- Reactive: ad-hoc
- Proactive: automate
- Take what's been learned and apply it to the entire population
- 100% testing
- Exception based

55 ACL Scripting
- A series of commands stored as a unit in an ACL project
- Executed repeatedly and automatically
- Any ACL command can be stored as a script
Source: 302 | Advanced ACL Concepts & Techniques, SCRIPTS (Canada: ACL Services Ltd, 2006), 2.
56 ACL Scripting
Standardizing data:
    COMMENT Strip the hyphens, then trim and keep the first nine characters of the SSN
    OPEN HR_Active
    DEFINE FIELD SSN_A COMPUTED REPLACE(SSN, "-", "")
    DEFINE FIELD SSN_B COMPUTED ALLTRIM(SUBSTR(SSN_A, 1, 9))
    DEFINE COLUMN DEFAULT_VIEW SSN_B
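As an added illustration, not from the deck or from ACL, the same standardization written in Python so that it can be run and checked: it covers the SSN steps of slide 56, the Text/Numeric/Date rule of slides 49 and 51, and the record count and control total reconciliation of slide 46. The two sample extracts, the field names and the helper functions are constructed for the example.

```python
import re
from datetime import datetime
# Constructed sample: two extracts of the same payments, with the inconsistencies the deck warns about.
SOURCE_A = [
    {"SSN": "123-45-6789 ", "Birthdate": "1980-03-15", "Invoice_Nbr": "000123", "Invoice_Pmt": "1,250.00"},
    {"SSN": " 987654321", "Birthdate": "07/04/1975", "Invoice_Nbr": "000124", "Invoice_Pmt": "$300.50"},
]
SOURCE_B = [
    {"SSN": "123456789", "Birthdate": "19800315", "Invoice_Nbr": "000125", "Invoice_Pmt": "449.50"},
    {"SSN": "12-34", "Birthdate": "not a date", "Invoice_Nbr": "000126", "Invoice_Pmt": "abc"},
]

def standardize_ssn(raw):
    """ACL steps REPLACE(SSN, "-", ""), ALLTRIM, SUBSTR(1, 9); None unless nine digits remain."""
    digits = raw.replace("-", "").strip()[:9]
    return digits if re.fullmatch(r"\d{9}", digits) else None

def standardize_date(raw):
    """DATE(): accept the formats seen in the extracts; return a real date, or None."""
    for fmt in ("%Y-%m-%d", "%m/%d/%Y", "%Y%m%d"):
        try:
            return datetime.strptime(raw.strip(), fmt).date()
        except ValueError:
            continue
    return None

def standardize_amount(raw):
    """VALUE(): a field that will be summed must be numeric, not text."""
    try:
        return round(float(raw.replace("$", "").replace(",", "").strip()), 2)
    except ValueError:
        return None

def standardize(records):
    """Apply the slide's rule: calculated fields become Numeric or Date, everything else stays Text."""
    return [{
        "SSN": standardize_ssn(r["SSN"]),
        "Birthdate": standardize_date(r["Birthdate"]),
        "Invoice_Nbr": r["Invoice_Nbr"].strip(),            # STRING(): keep leading zeros
        "Invoice_Pmt": standardize_amount(r["Invoice_Pmt"]),  # VALUE(): will be totalled
    } for r in records]

def append_and_reconcile(*sources):
    """Append the standardized sources; return (records, record count, control total, exceptions)."""
    combined = [rec for src in sources for rec in standardize(src)]
    exceptions = [rec for rec in combined if None in rec.values()]
    total = round(sum(rec["Invoice_Pmt"] or 0 for rec in combined), 2)
    return combined, len(combined), total, exceptions
```

Records in the exceptions list failed at least one standardization and should be reported back against the source rather than dropped.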
57 ACL's Audit Analytic Capability Model
LEVEL 1 – BASIC
- Audit specific
- Classifications
- Summarizations
- Duplicates
- Ad hoc
Source: The ACL Audit Analytic Capability Model: Navigating the journey from basic data analysis to continuous monitoring, White Paper (ACL Services Ltd, 2011), 3.

58 ACL's Audit Analytic Capability Model
LEVEL 2 – APPLIED
- Specific and repeatable tests
- Start with "low hanging fruit"
- Add additional and broader tests
- Focus on data access
- Efficient script design for repeatability
Source: The ACL Audit Analytic Capability Model: Navigating the journey from basic data analysis to continuous monitoring, White Paper (ACL Services Ltd, 2011), 5.

59 ACL's Audit Analytic Capability Model
LEVEL 3 – MANAGED
- Centralized, secure, controlled, efficient data analysis
- Many people involved
- Processes and technology in place
- Server environment
- Multiple locations
Source: The ACL Audit Analytic Capability Model: Navigating the journey from basic data analysis to continuous monitoring, White Paper (ACL Services Ltd, 2011), 7.

60 ACL's Audit Analytic Capability Model
LEVEL 4 – AUTOMATED
- Comprehensive suites of tests developed
- Tests scheduled regularly
- Concurrent, ongoing auditing of multiple areas
- More efficient and effective audit process
Source: The ACL Audit Analytic Capability Model: Navigating the journey from basic data analysis to continuous monitoring, White Paper (ACL Services Ltd, 2011), 10.

61 ACL's Audit Analytic Capability Model
LEVEL 5 – MONITORING
- Progress from continuous auditing to continuous monitoring
- Expanded to other business areas
- Process owners notified immediately of exceptions
Source: The ACL Audit Analytic Capability Model: Navigating the journey from basic data analysis to continuous monitoring, White Paper (ACL Services Ltd, 2011), 12.

62 Forensics Lab
- Physical security
- Logical security: SSNs, credit card numbers
- Software licensing: updates, upgrades
- Hardware and other peripherals
- Storage: short term, long term; enough?

63 Forensics Lab
- Forensic workstation: processing workhorse; SSD, memory, JBOD
- Forensic desktop: secondary processing, image reviewing
- Forensics laptops
- Open Internet laptop: don't do this on the company network

64 Forensics Lab
- Retention
- Inventory
- Back-ups and recovery: on-site, off-site
- Chain of custody: physical, image
- Data wiping and verification
- CIA
- COBIT

65 Challenges
- Time consuming
- Satellite locations
- Emerging technologies
- System processing/data flows: lack of documentation
- Cloud computing
- Hard drive capacities
- Anti-forensics

66 Challenges
- External storage devices
- Personal vs. corporate: BYOD
- False positives
- Data silos
- Data integrity
- Passwords
- Encryption

67 Summary
Mixture of art and science:
- Intuition
- Common sense
- Knowledge and use of tools
- Persistence
- Testing theories
- Research
- Learning

68 Conclusion
- No one solution
- Expect the unexpected
- Remain fair and objective
- Report just the facts