Presentation is loading. Please wait.

Presentation is loading. Please wait.

Practical Application of Computer Forensics Lisa Outlaw, CISA, CISSP, CRMA.

Similar presentations


Presentation on theme: "Practical Application of Computer Forensics Lisa Outlaw, CISA, CISSP, CRMA."— Presentation transcript:

1 Practical Application of Computer Forensics Lisa Outlaw, CISA, CISSP, CRMA

2 Overview Definition of Computer Forensics Definition of Computer Forensics Computer Forensics & Auditing Computer Forensics & Auditing Why We Need Computer Forensics Why We Need Computer Forensics The Process (Do’s & Don’ts)‏ The Process (Do’s & Don’ts)‏ Identification Identification Collection of Evidence Collection of Evidence Required Documentation Required Documentation Imaging Imaging Examination Examination Report Preparation Report Preparation Returning of Evidence Returning of Evidence

3 Definition of Computer Forensics Computer forensics involves the: Computer forensics involves the: Identification Identification Collection Collection Preservation Preservation Examination, and Examination, and Analysis of digital information Analysis of digital information Digital Information becomes Digital Evidence

4 What is Digital Evidence? Digital evidence is any information of value that is either stored or transmitted in a binary form, including digital audio, image, and video. Digital evidence is any information of value that is either stored or transmitted in a binary form, including digital audio, image, and video.

5 Computer Forensic Examination The Computer forensic examination is: The Computer forensic examination is: Locating digital evidence Locating digital evidence Evidence can withstand close scrutiny or a legal challenge. Evidence can withstand close scrutiny or a legal challenge.

6 Computer Forensics & Auditing Computer forensics can support your audit and investigation objectives: Computer forensics can support your audit and investigation objectives: An Effective System of Internal Controls; An Effective System of Internal Controls; Reliability of Financial Reporting; Reliability of Financial Reporting; Compliance with federal and state laws; Compliance with federal and state laws; Detection of Fraud, Waste, and Abuse Detection of Fraud, Waste, and Abuse

7 Audit of Travel Expenses Planning Phase Planning Phase Used an audit program customized to my specific environment and risks assessed Used an audit program customized to my specific environment and risks assessed Gained access to Travel expense data and appropriate analysis tools, such as ACL Gained access to Travel expense data and appropriate analysis tools, such as ACL Gain an Understanding Gain an Understanding of the business processes, including procedures for approving, recording and reimbursing expenses

8 Audit of Travel Expenses Risks Assessment) Considered Red Flags (Risks Assessment) Most Frequent Travelers Falsified or manipulated receipts Claims for meals or mileage only Inflated mileage totals on personal car usage

9 Audit of Travel Expenses You select the most frequently reimbursed employee by summarizing the travel expenses. You select the most frequently reimbursed employee by summarizing the travel expenses. You then obtain supporting evidence to determine if the travel actually occurred, is overstated or understated, accurate, classified correctly in the financial statements, etc.. You then obtain supporting evidence to determine if the travel actually occurred, is overstated or understated, accurate, classified correctly in the financial statements, etc..

10 Audit of Travel Expenses Professional Skepticism An attitude that includes a questioning mind and a critical assessment of audit evidence. The auditor should not assume that management is either honest nor dishonest. An attitude that includes a questioning mind and a critical assessment of audit evidence. The auditor should not assume that management is either honest nor dishonest. Computer Forensics Examination Locating digital evidence that can withstand close scrutiny or a legal challenge. Locating digital evidence that can withstand close scrutiny or a legal challenge.

11 Audit of Travel Expenses Request the services of a computer forensics expert to analyze the employees’ hard drive to determine if digital evidence can be found to support the falsification of the travel reimbursement form. Request the services of a computer forensics expert to analyze the employees’ hard drive to determine if digital evidence can be found to support the falsification of the travel reimbursement form.

12 Audit of Travel Expenses Computer Forensic Results: Computer Forensic Results: Digital evidence proved this employee did not travel at all. Digital evidence proved this employee did not travel at all. s s Telephone calls made from within the building using VOIP Telephone calls made from within the building using VOIP Facility access logs proved the employee was in the building during the days he was supposed to be on travel status. Facility access logs proved the employee was in the building during the days he was supposed to be on travel status. A signature block of the supervisor was found, on the employees hard drive. A signature block of the supervisor was found, on the employees hard drive. Hash values of the signature image agreed with the hash value of the signature image used on the fraudulent travel reimbursements. Hash values of the signature image agreed with the hash value of the signature image used on the fraudulent travel reimbursements.

13 Audit of Travel Expenses Travel Reimbursement Fraud Travel Reimbursement Fraud More than $100,000 of fraudulent reimbursements were found made to this one employees. More than $100,000 of fraudulent reimbursements were found made to this one employees. Are our internal controls over travel expenditures weak or strong? Are our internal controls over travel expenditures weak or strong? Control Weaknesses found: Control Weaknesses found: Staying with Friend and Family (Produce no receipts) Staying with Friend and Family (Produce no receipts)

14 Why We Need Computer Forensics ( Reasons for Computer Forensic Services) Inappropriate Use of Computer Systems Inappropriate Use of Computer Systems Determining a Security Breach Determining a Security Breach Detection of Disloyal Employees Detection of Disloyal Employees Evidence for Disputed Dismissals Evidence for Disputed Dismissals Malicious File Identification Malicious File Identification Theft of Information Assets Theft of Information Assets Forgeries of Documents Forgeries of Documents

15 The Process  Identification  Collection of Evidence  Required Documentation  Imaging  Examination  Report Preparation  Returning of Evidence

16 Identification AUDITOR’S ROLE (Forensic Specialist) 1. 1.Determine if reason for computer forensics is appropriate Identify where additional digital evidence may reside. AUDITEE’S ROLE (ex. University) 1.Determine when to use Computer Forensic Services: 2.Identify where digital evidence may reside.

17 Collection of Evidence IT AUDITOR’S ROLE – –Help Client Secure the computer to be examined – –Require and Complete Necessary Forms – – Securely Collect Computer from Client AUDITEE’S ROLE –Ensure that computer to be examined remains secure until collected –Notify Appropriate Personnel –Complete Chain of Custody Form

18 Collection of Evidence – (Do's & Don'ts)‏ Do not disturb the computer in question. Do not disturb the computer in question.

19  Computer is off, Leave it off Collection of Evidence – Do's & Don'ts‏ (con’t)

20  Computer is on, Leave it on Collection of Evidence – Do's & Don'ts‏ (con’t)

21  Do not run any programs on the computer. Collection of Evidence – Do's & Don'ts‏ (con’t)

22  Do not make any changes Collection of Evidence – Do's & Don'ts‏ (con’t)

23  Do Not Insert Anything Into The Computer Collection of Evidence – Do's & Don'ts‏ (con’t)

24  Secure the computer Collection of Evidence – Do's & Don'ts‏ (con’t)

25 Required Documentation Computer Forensic Request Form Computer Forensic Request Form Chain of Custody Form Chain of Custody Form Signatures Signatures Disclosures and Disclaimers Disclosures and Disclaimers

26 Required Documentation

27 Auditor’s Role Assign a Case Number Assign an auditor or computer forensic expert Date & Time When device was secured AUDITEE’S Role Document Date & Time of Request Name of Requestor Date & Time Client secured the device Agency Name Head of the Agency Name

28 Required Documentation Auditor’s Role Document: Serial Numbers Mac Address -Static IP Address Make & Model AUDITEE’S Role Document: Reason For Request Desired Objectives

29 Approval From Relevant Parties Approvals should be obtained from: Approvals should be obtained from: Head of the Agency or Company Head of the Agency or Company Audit Director Audit Director Legal Counsel, and Legal Counsel, and Human Resources Human Resources

30 AUDITOR’S Role Sign and Date form Obtain Director and Legal Counsel approval AUDITEE’S Role Sign and Date form Obtain Agency Head Approval Required Documentation

31 Additional Chain of Custody Form Chain of Custody form continued on the reverse side of the computer forensic request form. Device Serial# FAS Make Model SignaturePrint Name ReasonDateTime Relinquished By: Received By:

32 Why Are These Documents Necessary? Collect important information Collect important information Legal Aspects Legal Aspects Get out of jail free card Get out of jail free card

33 Scan Hardcopies We scan all hardcopy forms to PDF and this electronic copy is kept with the images of the evidence. We scan all hardcopy forms to PDF and this electronic copy is kept with the images of the evidence.

34 Imaging AUDITOR’S ROLE – –Determine where to perform the image: – –Onsite – –In the Lab AUDITEE’S ROLE –escort our staff to physically collect the computer from the computer’s secure location.

35 Hardware Imaging

36 Imaging Here are some of the procedures we use during imaging to ensure that evidence collected is clearly identified and preserved: Here are some of the procedures we use during imaging to ensure that evidence collected is clearly identified and preserved:

37 Tag Evidence We manually tag all evidence items with an assigned case number using the following naming convention: We manually tag all evidence items with an assigned case number using the following naming convention: Case Number and Hard Drive Serial Number Case Number and Hard Drive Serial Number (Ex., Agency Name – HDD Serial#) (Ex., Agency Name – HDD Serial#)

38 Connect Hard drive to Write Blocker

39 Connect Write Blocker to the hard drive

40 Imaging Regular Hard Drive To image a regular sized hard drive, implement the following procedures: To image a regular sized hard drive, implement the following procedures: Request the client to purchase a storage device. Request the client to purchase a storage device. Reduces Cost Reduces Cost Ensure enough space is available to process the evidence. Ensure enough space is available to process the evidence. Easy transfer of images to client Easy transfer of images to client

41 Storage Device

42 Organize Evidence Information Create the following folders on the destination drive for every case: Create the following folders on the destination drive for every case: Case Name-Evidence Item Number (Folder) Case Name-Evidence Item Number (Folder) 1. Evidence (sub-folder) 1. HDD1 (sub-folder) 2. HDD2 (sub-folder) 2. Export (sub-folder) 3. Temp (sub-folder) 4. Index (sub-folder) 5. Drive Geometry (sub-folder) 6. Report (sub-folder) 7. Case Back-up (sub-folder) Place all images produced in the Evidence Folder

43 Use FTK Imager Create the image using FTK imager Create the image using FTK imager Through experience, we have found this to be one of the easiest and most portable software to create images. Also, this image can be used in both FTK and Encase. Through experience, we have found this to be one of the easiest and most portable software to create images. Also, this image can be used in both FTK and Encase.

44 Image Physical Drive Always image the Physical drive. Always image the Physical drive.

45 Imaging Remove hard drive from the Write Block device. Remove hard drive from the Write Block device. Reassemble the computer Reassemble the computer Ensure evidence remains tagged. Ensure evidence remains tagged.

46 Imaging If court action is anticipated, preserve the original evidence if possible. If court action is anticipated, preserve the original evidence if possible. If original evidence cannot be preserved, NC Court Rules of evidence allow for the image to be admitted as evidence. If original evidence cannot be preserved, NC Court Rules of evidence allow for the image to be admitted as evidence.

47 Imaging FTK can take a few days to process your image. FTK can take a few days to process your image. During this time, we return to our normal audit work During this time, we return to our normal audit work

48 Examination/Analysis Run Keyword Searches Run Keyword Searches Obtain from Client Obtain from Client Review Corroborating Evidence Review Corroborating Evidence s s Surveillance Video Surveillance Video DVD & CDs DVD & CDs

49 Forensic Report The auditor will issue a report to appropriate personnel once the examination is completed. The auditor will issue a report to appropriate personnel once the examination is completed.

50 Questions????


Download ppt "Practical Application of Computer Forensics Lisa Outlaw, CISA, CISSP, CRMA."

Similar presentations


Ads by Google