Presentation is loading. Please wait.

Presentation is loading. Please wait.

Forensic and Investigative Accounting Chapter 14 Digital Forensics Analysis © 2011 CCH. All Rights Reserved. 4025 W. Peterson Ave. Chicago, IL 60646-6085.

Published byNorman Thompson Modified over 8 years ago

Similar presentations

Presentation on theme: "Forensic and Investigative Accounting Chapter 14 Digital Forensics Analysis © 2011 CCH. All Rights Reserved. 4025 W. Peterson Ave. Chicago, IL 60646-6085."— Presentation transcript:

1 Forensic and Investigative Accounting Chapter 14 Digital Forensics Analysis © 2011 CCH. All Rights Reserved. 4025 W. Peterson Ave. Chicago, IL 60646-6085 1 800 248 3248 www.CCHGroup.com

2 Chapter 14Forensic and Investigative Accounting2 Hacker Defined A hacker is generally defined as an individual or group whose intent is to gain access to a computer network for malicious purposes.

3 Chapter 14Forensic and Investigative Accounting3 Collecting Clues and Evidence A forensic investigator needs to be familiar with the protocols used on the Internet to be able to collect clues about either internal or external attackers. In addition, when law enforcement officials send requests or subpoenas for information about a company’s logs, the forensic analyst must understand the type of information being sought.

4 Chapter 14Forensic and Investigative Accounting4 Protocols Internet protocols are those rules allowing different operating systems and machines to communicate with one another over the Internet.

5 Chapter 14Forensic and Investigative Accounting5 Transmission Control Protocol (TCP) and Internet Protocol (IP) TCP/IP protocols are the communication guidelines used and widely supported over the Internet. TCP/IP protocols are the communication guidelines used and widely supported over the Internet. Almost every packet of information sent over the Internet uses the datagrams contained within a TCP/IP envelope. The datagrams consist of layers of information needed to verify the packet and get the information from the sender’s to the receiver’s location following traffic control guidelines. Almost every packet of information sent over the Internet uses the datagrams contained within a TCP/IP envelope. The datagrams consist of layers of information needed to verify the packet and get the information from the sender’s to the receiver’s location following traffic control guidelines.

6 Chapter 14Forensic and Investigative Accounting6 Transmission Control Protocol (TCP) and Internet Protocol (IP) Message encapsulation is used in sending the packets. In message encapsulation, each layer of information in the sent packet is interpreted by the same layer at the receiving end of the transmission. Additionally, each layer can only communicate with the one directly above or below it.

7 Chapter 14Forensic and Investigative Accounting7 Transmission Control Protocol (TCP) and Internet Protocol (IP) Application Layer Transportation Layer Network Layer Data Link Layer Hardware Layer Electronic Impulse Layered Operating System Interconnection (OSI) Model

8 Chapter 14Forensic and Investigative Accounting8 Transmission Control Protocol (TCP) and Internet Protocol (IP) The application layer issues the commands that define the operations. The application layer issues the commands that define the operations. The transportation layer functions to provide reliable message delivery. The transportation layer functions to provide reliable message delivery. The network layer controls the route the data takes to get to its destination. The network layer controls the route the data takes to get to its destination. (continued on next slide)

9 Chapter 14Forensic and Investigative Accounting9 Transmission Control Protocol (TCP) and Internet Protocol (IP) The data link layer transfers the datagram from one network node to another. The data link layer transfers the datagram from one network node to another. The hardware layer (or physical layer) provides the means of sending and receiving data on a network by converting bits into voltages for transmission to a coax cable. The hardware layer (or physical layer) provides the means of sending and receiving data on a network by converting bits into voltages for transmission to a coax cable.

10 Chapter 14Forensic and Investigative Accounting10 IP Address Defined An IP address is a 32-bit number (four bytes) that identifies the sender and recipient who is sending or receiving a packet of information over the Internet.

11 Chapter 14Forensic and Investigative Accounting11 New Version of IP Addresses IPv4 is being replaced with IPv6. IPv4 is being replaced with IPv6. The reason for the change is that the 32 bit version has run out of IP addresses. The reason for the change is that the 32 bit version has run out of IP addresses. IPv6 uses 64-bits. IPv6 uses 64-bits. IPv6 provides for approximately 340,282,366,920,938,000,000,000,000, 000,000,000,000 unique IP addresses. IPv6 provides for approximately 340,282,366,920,938,000,000,000,000, 000,000,000,000 unique IP addresses.

12 Chapter 14Forensic and Investigative Accounting12 Web Log Entries One important method for finding the web trail of an attacker is in examining web logs. One important method for finding the web trail of an attacker is in examining web logs. Recorded network logs provide information needed to trace all website usage. Recorded network logs provide information needed to trace all website usage.

13 Chapter 14Forensic and Investigative Accounting13 Web Log Entries Information provided in a log includes the visitor’s IP address, geographical location, the actions the visitor performs on the site, browser type, time on page, and the site the visitor used before arriving. Information provided in a log includes the visitor’s IP address, geographical location, the actions the visitor performs on the site, browser type, time on page, and the site the visitor used before arriving. Logs should be stored on a separate computer from the web server hosting the site so they cannot be easily altered. Logs should be stored on a separate computer from the web server hosting the site so they cannot be easily altered.

14 Chapter 14Forensic and Investigative Accounting14 TCPDUMP TCPDUMP is a form of network sniffer that can disclose most of the information contained in a TCP/IP packet. TCPDUMP is a form of network sniffer that can disclose most of the information contained in a TCP/IP packet. A sniffer is a program used to secretly capture datagrams moving across a network and disclose the information contained in the datagram’s network protocols. A sniffer is a program used to secretly capture datagrams moving across a network and disclose the information contained in the datagram’s network protocols.

15 Chapter 14Forensic and Investigative Accounting15 Decoding Simple Mail Transfer Protocol (SMTP) SMTP is the protocol used to send e-mail over the Internet. SMTP is the protocol used to send e-mail over the Internet. SMTP server logs can be used to check the path of the e-mail from the sending host to the receiving host. SMTP server logs can be used to check the path of the e-mail from the sending host to the receiving host.

16 Chapter 14Forensic and Investigative Accounting16 Decoding Simple Mail Transfer Protocol (SMTP) Most of the important information about the origin of an e-mail message is in the long form of the header. The most important data for tracing purposes is the IP addresses and the message ID.

17 Chapter 14Forensic and Investigative Accounting17 Tracing and Decoding IP Addresses Traceroute Traceroute Whois Whois Ping Ping Finger searches Finger searches

18 Chapter 14Forensic and Investigative Accounting18 Narrowing the Search Preliminary Incident Response Form Preliminary Incident Response Form John Doe subpoena John Doe subpoena

19 Forensic Audit The forensic audit is an audit performed to determine whether fraud is being committed in the executive boardroom. The monitoring methods used in a forensic audit are investigative, directed at top-level executives, and do not rely on a traditional accounting audit practices. The forensic audit is an audit performed to determine whether fraud is being committed in the executive boardroom. The monitoring methods used in a forensic audit are investigative, directed at top-level executives, and do not rely on a traditional accounting audit practices. Chapter 14Forensic and Investigative Accounting19

20 Chapter 14Forensic and Investigative Accounting20 Due Diligence Searches Internet databases Internet databases –General searches –Name, telephone number, and e-mail address search engines –Internet relay chat (IRC), FTP, and Listserv searches –Usenet postings search –Legal records –Instant messaging (IM) Web page searches Web page searches Government data searches Government data searches Miscellaneous searches Miscellaneous searches

Download ppt "Forensic and Investigative Accounting Chapter 14 Digital Forensics Analysis © 2011 CCH. All Rights Reserved. 4025 W. Peterson Ave. Chicago, IL 60646-6085."

Similar presentations

Click to continue Network Protocols. Click to continue Networking Protocols A protocol defines the rules of procedures, which computers must obey when.

Click to continue Network Protocols. Click to continue Networking Protocols A protocol defines the rules of procedures, which computers must obey when.
Network Layer and Transport Layer.

Network Layer and Transport Layer.
The Internet Useful Definitions and Concepts About the Internet.

The Internet Useful Definitions and Concepts About the Internet.
Chapter Extension 7 How the Internet Works © 2008 Prentice Hall, Experiencing MIS, David Kroenke.

Chapter Extension 7 How the Internet Works © 2008 Prentice Hall, Experiencing MIS, David Kroenke.
Networking Theory (part 2). Internet Architecture The Internet is a worldwide collection of smaller networks that share a common suite of communication.

Networking Theory (part 2). Internet Architecture The Internet is a worldwide collection of smaller networks that share a common suite of communication.
Introduction to Management Information Systems Chapter 5 Data Communications and Internet Technology HTM 304 Fall 07.

Introduction to Management Information Systems Chapter 5 Data Communications and Internet Technology HTM 304 Fall 07.
Lesson 19 Internet Basics.

Lesson 19 Internet Basics.
©Brooks/Cole, 2003 Chapter 6 Computer Networks. ©Brooks/Cole, 2003 Understand the rationale for the existence of networks. Distinguish between the three.

©Brooks/Cole, 2003 Chapter 6 Computer Networks. ©Brooks/Cole, 2003 Understand the rationale for the existence of networks. Distinguish between the three.
Chapter Overview TCP/IP Protocols IP Addressing.

Chapter Overview TCP/IP Protocols IP Addressing.
Lecture slides prepared for “Business Data Communications”, 7/e, by William Stallings and Tom Case, Chapter 8 “TCP/IP”.

Lecture slides prepared for “Business Data Communications”, 7/e, by William Stallings and Tom Case, Chapter 8 “TCP/IP”.
Process-to-Process Delivery:

Process-to-Process Delivery:
15-1 More Chapter 15 Goals Compare and contrast various technologies for home Internet connections Explain packet switching Describe the basic roles of.

15-1 More Chapter 15 Goals Compare and contrast various technologies for home Internet connections Explain packet switching Describe the basic roles of.
Internet Vulnerabilities & Criminal Activities 1.2 – 9/12/2011 Structure of Internet Communications 1.2 – 9/12/2011 Structure of Internet Communications.

Internet Vulnerabilities & Criminal Activities 1.2 – 9/12/2011 Structure of Internet Communications 1.2 – 9/12/2011 Structure of Internet Communications.
Module 1: Reviewing the Suite of TCP/IP Protocols.

Module 1: Reviewing the Suite of TCP/IP Protocols.
Forensic and Investigative Accounting

Forensic and Investigative Accounting
Hands-On Microsoft Windows Server 2003 Networking Chapter Three TCP/IP Architecture.

Hands-On Microsoft Windows Server 2003 Networking Chapter Three TCP/IP Architecture.
Lesson 24. Protocols and the OSI Model. Objectives At the end of this Presentation, you will be able to:

Lesson 24. Protocols and the OSI Model. Objectives At the end of this Presentation, you will be able to:
Networking Computer network A collection of computing devices that are connected in various ways in order to communicate and share resources Usually,

Networking Computer network A collection of computing devices that are connected in various ways in order to communicate and share resources Usually,
 TCP/IP is the communication protocol for the Internet  TCP/IP defines how electronic devices should be connected to the Internet, and how data should.

 TCP/IP is the communication protocol for the Internet  TCP/IP defines how electronic devices should be connected to the Internet, and how data should.
Chapter 9.

Chapter 9.

Similar presentations

Ads by Google