SlideShare a Scribd company logo

New_Delhi_31072015_CMA_Amit_Kumar_1.pdf forensic

P
PreciousChineka

The document discusses the critical role of IT forensic techniques in auditing and corporate fraud prevention, emphasizing their necessity due to increasing digital crimes and regulatory requirements. It covers the process of forensic computing, the importance of auditors possessing specific knowledge and skills, and the challenges faced during digital investigations. Additionally, it highlights the need for organizations to develop effective forensic protocols to respond to incidents of fraud.

Science
1 of 52
Download to read offline
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
1 Information Technology Audit & Forensic Techniques CMA Amit Kumar
Amit Kumar & Co. (Cost Accountants) A perfect blend of Tax, Audit & Advisory services B-73/B, Sainik Nagar, Nawada, New Delhi-110059. T- 91 9999803612 & 011-2533 0030 E-mail :: akcadvisors@gmail.com Information Technology Audit & Forensic Techniques
3 IT Forensic Techniques for Auditors Presentation Focus  Importance of IT Forensic Techniques to Organizations  Importance of IT Forensic Techniques to Auditors  Audit Goals of Forensic Investigation  Digital Crime Scene Investigation  Illustration of Forensic Tools  A Forensic Protocol
4 Forensic Computing Defined Forensic Computing is the process of identifying, preserving, analyzing, and presenting digital evidence in a manner that is legally acceptable in a court of law Our interest is in …  Identifying and preserving evidence,  “post-mortem” system analysis to determine extent and nature of attack, and  the forensic framework
5 Importance of IT Forensic Techniques to Organizations Corporate Fraud Losses in 2004  Cost companies an average loss of assets over $ 1.7 million  A 50% increase over 2003  Over one third of these frauds were discovered by accident, making "chance" the most common fraud detection tool.  PriceWaterhouseCoopers, Global Economic Crime Survey 2005
6 Importance of IT Forensic Techniques to Organizations The New Corporate Environment  Sarbanes-Oxley 2002  COSO and COBIT  ISO 9000 and ISO 17799  Gramm-Leach-Bliley Act  US Foreign Corrupt Practices Act  Companies Act 2013 …all of these have altered the corporate environment and made forensic techniques a necessity!
7 Importance of IT Forensic Techniques to Organizations Intellectual Property Losses  Rapid increase in theft of IP – 323% over five year period 1999-2004  75% of estimated annual losses were to an employee, supplier or contractor  Digital IP is more susceptible to theft  Employees may not view it as theft
8 Importance of IT Forensic Techniques to Organizations Network Fraud  Companies now highly reliant on networks  Networks increasingly vulnerable to attacks  Viruses, Trojans, Rootkits can add backdoors  Social Engineering including Phishing and Pharming  Confidential and proprietary information can be compromised  Can create a corporate liability
9 Importance of IT Forensic Techniques to Organizations Security Challenges  Technology expanding and becoming more sophisticated  Processes evolving and integrating with technologies  People under trained  Policies outdated  Organizations at risk People Technology Policies Processes
10 Importance of IT Forensic Techniques to Auditors  Majority of fraud is uncovered by chance  Auditors often do not look for fraud  Prosecution requires evidence  Value of IT assets growing Treadway Commission Study …  Undetected fraud was a factor in one-half of the 450 lawsuits against independent auditors.
11 Importance of IT Forensic Techniques to Auditors Auditor’s Knowledge, Skills, Abilities  Accounting  Auditing  IT (weak) Needed …  Increased IT knowledge  Fraud and forensic accounting knowledge  Forensic investigative and analytical skills and abilities
12 Importance of IT Forensic Techniques to Auditors Knowledge, Skills, Abilities: Needs Auditor’s need KSAs to …  Build a digital audit trail  Collect “usable” courtroom electronic evidence  Trace an unauthorized system user  Recommend or review security policies  Understand computer fraud techniques  Analyze and valuate incurred losses
13 Importance of IT Forensic Techniques to Auditors KSA Needs (cont.)  Understand information collected from various computer logs  Be familiar with the Internet, web servers, firewalls, attack methodology, security procedures & penetration testing  Understand organizational and legal protocols for incident handling  Establish relationships with IT, risk management, security, law enforcement
14 Audit Goals of a Forensic Investigation Rules of Evidence  Complete  Authentic  Admissible  Reliable  Believable
15 Audit Goals of a Forensic Investigation Requirements for Evidence Computer logs …  Must not be modifiable  Must be complete  Appropriate retention rules
16 Digital Crime Scene Investigation Problems with Digital Investigation  Timing essential – electronic evidence volatile  Auditor may violate rules of evidence  NEVER work directly on the evidence  Skills needed to recover deleted data or encrypted data
17 Digital Crime Scene Investigation Extract, process, interpret  Work on the imaged data or “safe copy”  Data extracted may be in binary form  Process data to convert it to understandable form  Reverse-engineer to extract disk partition information, file systems, directories, files, etc  Software available for this purpose  Interpret the data – search for key words, phrases, etc.
18 Digital Crime Scene Investigation Technology  Magnetic disks contain data after deletion  Overwritten data may still be salvaged  Memory still contains data after switch-off  Swap files and temporary files store data  Most OS’s perform extensive logging (so do network routers)
19 Digital Crime Scene Investigation Order of Volatility  Preserve most volatile evidence first  Registers, caches, peripheral memory  Memory (kernel, physical)  Network state  Running processes  Disk  Floppies, backup media  CD-ROMs, printouts
20 Digital Crime Scene Investigation Digital Forensic Investigation A process that uses science and technology to examine digital objects and that develops and tests theories, which can be entered into a court of law, to answer questions about events that occurred. IT Forensic Techniques are used to capture and analyze electronic data and develop theories.
21 Illustration of Forensic Tools Forensic Software Tools are used for …  Data imaging  Data recovery  Data integrity  Data extraction  Forensic Analysis  Monitoring
22 Data Imaging  Reduces internal investigation costs  Automated analysis saves time  Supports electronic records audit  Creates logical evidence files — eliminating need to capture entire hard drives
23 Data Imaging  Previews computers over the network to determine whether relevant evidence exists:  Unallocated/allocated space  Deleted files  File slack  Volume slack  File system attributes  CD ROMs/DVDs  Mounted FireWire and USB devices  Mounted encrypted volumes  Mounted thumb drives
24 Data Integrity MD5  Message Digest – a hashing algorithm used to generate a checksum  Available online as freeware  Any changes to file will change the checksum Use:  Generate MD5 of system or critical files regularly  Keep checksums in a secure place to compare against later if integrity is questioned
25 Data Integrity MD5 Using HashCalc
26 Data Integrity Private Disk
27 Data Monitoring Tracking Log Files
28 Data Monitoring PC System Log
29 Audit Command Language (ACL)  ACL is the market leader in computer- assisted audit technology and is an established forensics tool. Clientele includes …  70 percent of the Fortune 500 companies  over two-thirds of the Global 500  the Big Four public accounting firms
30 Forensic Tools Audit Command Language ACL is a computer data extraction and analytical audit tool with audit capabilities … Statistics Duplicates and Gaps Stratify and Classify Sampling Benford Analysis
New_Delhi_31072015_CMA_Amit_Kumar_1.pdf forensic
32
33
34
35 Forensic Tools: ACL Benford Analysis  States that the leading digit in some numerical series is follows an exponential rather than normal distribution  Applies to a wide variety of figures: financial results, electricity bills, street addresses, stock prices, population numbers, death rates, lengths of rivers Leading Digit Probability 1 30.1 % 2 17.6 % 3 12.5 % 4 9.7 % 5 7.9 % 6 6.7 % 7 5.8 % 8 5.1 % 9 4.6 %
36
37 Data Monitoring Employee Internet Activity Spector captures employee web activity including keystrokes, email, and snapshots to answer questions like:  Which employees are spending the most time surfing web sites?  Which employees chat the most?  Who is sending the most emails with attachments?  Who is arriving to work late and leaving early?  What are my employees searching for on the Internet?
38 Data Monitoring : Spector Recorded Email
39 Data Monitoring : Spector Recorded Web Surfing
40 Data Monitoring : Spector Recording Keystrokes
41 Data Monitoring : Spector Recorded Snapshots
42 Data Capture : Key Log Hardware KeyKatcher  Records chat, e-mail, internet & more  Is easier to use than parental control software  Identifies internet addresses  Uses no system resources  Works on all PC operating systems  Undetectable by software www.lakeshoretechnology.com
43 Developing a Forensic Protocol  The response plan must include a coordinated effort that integrates a number of organizational areas and possibly external areas  Response to fraud events must have top priority  Key players must exist at all major organizational locations People Technology Policies Processes
44 Developing a Forensic Protocol End-to-End Forensic Analysis First rule of end-to-end forensic digital analysis  Primary evidence must always be corroborated by at least one other piece of relevant primary evidence to be considered a valid part of the evidence chain. Evidence that does not fit this description, but does serve to corroborate some other piece of evidence without itself being corroborated, is considered to be secondary evidence.  Exception: the first piece of evidence in the chain from the Identification layer
45 A Forensic Protocol Security Exposures Organizations may possess critical technology skills but …  Skills are locked in towers – IT, Security, Accounting, Auditing  Skills are centralized while fraud events can be decentralized  Skills are absent – vacations, illnesses, etc
46 A Forensic Protocol The Role of Policies  They define the actions you can take  They must be clear and simple to understand  The employee must acknowledge that he or she read them, understands them and will comply with them  They can’t violate law
47 A Forensic Protocol Forensic Response Control Incident Response Planning …  Identify needs and objectives  Identify resources  Create policies, procedures  Create a forensic protocol  Acquire needed skills  Train  Monitor
48 A Forensic Protocol Documenting the Scene  Note time, date, persons present  Photograph and video the scene  Draw a layout of the scene  Search for notes (passwords) that might be useful  If possible freeze the system such that the current memory, swap files, and even CPU registers are saved or documented
49 A Forensic Protocol Forensic Protocol  First responder triggers alert  Team response  Freeze scene  Begin documentation  Auditors begin analysis  Protect chain-of-custody  Reconstruct events and develop theories  Communicate results of analysis
50 A Forensic Protocol Protocol Summary  Ensure appropriate policies  Preserve the crime scene (victim computer)  Act immediately to identify and preserve logs on intermediate systems  Conduct your investigation  Obtain subpoenas or contact law enforcement if necessary Key: Coordination between functional areas
51 Conclusion IT Forensic Investigative Skills Can …  Decrease occurrence of fraud  Increase the difficulty of committing fraud  Improve fraud detection methods  Reduce total fraud losses Auditors trained in these skills are more valuable to the organization!
52 Questions or Comments?

More Related Content

PPTX
Business Intelligence (BI) Tools For Computer Forensic
Dhiren Gala
 
PPTX
Computer forensics toolkit
Milap Oza
 
PDF
Digital forensic
Chandan Sah
 
PPT
Digital Forensic
Cleverence Kombe
 
PPTX
Computer forensics powerpoint presentation
Somya Johri
 
PPTX
Computer forensics Slides
Varun Sehgal
 
PDF
Fundamental digital forensik
newbie2019
 
PDF
Computer forensic
ibraheem ogundele
 
Business Intelligence (BI) Tools For Computer Forensic
Dhiren Gala
 
Computer forensics toolkit
Milap Oza
 
Digital forensic
Chandan Sah
 
Digital Forensic
Cleverence Kombe
 
Computer forensics powerpoint presentation
Somya Johri
 
Computer forensics Slides
Varun Sehgal
 
Fundamental digital forensik
newbie2019
 
Computer forensic
ibraheem ogundele
 

Similar to New_Delhi_31072015_CMA_Amit_Kumar_1.pdf forensic (20)

PPTX
computer forensics
shivi123456
 
PDF
GDPR & Forensics Readiness -English
Studio Fiorenzi Security & Forensics
 
PPTX
ACC 626 - Forensics for IT
j9lai
 
PPTX
Acc 626 slidecast - Forensics for IT
j9lai
 
PPTX
Forensics for IT, final attempt
j9lai
 
PPTX
Forensics for IT - ACC 626
j9lai
 
PPTX
Acc 626 slidecast
j9lai
 
PPTX
Acc 626 slidecast - Forensics for IT
j9lai
 
PPTX
Acc 626 slidecast
j9lai
 
PPTX
ACC 626 - Forensics for IT
j9lai
 
PDF
To get round to the heart of fortress
STO STRATEGY
 
PPT
Computer forensics
Lalit Garg
 
PPTX
computer-forensics-8727-OHvDvOm.pptx
DaniyaHuzaifa
 
PPTX
computer-forensics-8727-OHvDvOm.pptx
ssuser2bf502
 
PPTX
Computer Forensics in Fighting Crimes
Isaiah Edem
 
PDF
Cyber forensics and auditing
Sweta Kumari Barnwal
 
PPTX
Securitarian
Rupesh Verma
 
PPT
Shariyaz abdeen data leakage prevention presentation
Shariyaz Abdeen
 
PDF
4.content (computer forensic)
JIEMS Akkalkuwa
 
PPTX
ppt on computer forensic concept and types
s48ourabh
 
computer forensics
shivi123456
 
GDPR & Forensics Readiness -English
Studio Fiorenzi Security & Forensics
 
ACC 626 - Forensics for IT
j9lai
 
Acc 626 slidecast - Forensics for IT
j9lai
 
Forensics for IT, final attempt
j9lai
 
Forensics for IT - ACC 626
j9lai
 
Acc 626 slidecast
j9lai
 
Acc 626 slidecast - Forensics for IT
j9lai
 
Acc 626 slidecast
j9lai
 
ACC 626 - Forensics for IT
j9lai
 
To get round to the heart of fortress
STO STRATEGY
 
Computer forensics
Lalit Garg
 
computer-forensics-8727-OHvDvOm.pptx
DaniyaHuzaifa
 
computer-forensics-8727-OHvDvOm.pptx
ssuser2bf502
 
Computer Forensics in Fighting Crimes
Isaiah Edem
 
Cyber forensics and auditing
Sweta Kumari Barnwal
 
Securitarian
Rupesh Verma
 
Shariyaz abdeen data leakage prevention presentation
Shariyaz Abdeen
 
4.content (computer forensic)
JIEMS Akkalkuwa
 
ppt on computer forensic concept and types
s48ourabh
 
Ad

Recently uploaded (20)

PDF
Directing Generative AI for Pharo Documentation
ESUG
 
PDF
JADESreveals a large population of low mass black holes at high redshift
Sérgio Sacani
 
PPTX
HETEROCYCLIC CHEMISTRY IN PHARMACEUTICAL CHEMISTRY
onwukapaul21
 
PPTX
How to access global TV channels with a VPN easily.pptx
harshitseo1
 
PDF
N-enhancement in GN-z11: First evidence for supermassive stars nucleosynthesi...
Sérgio Sacani
 
PDF
Visualizing our changing climate in real-time
Zachary Labe
 
PDF
Even Lighter Than Lightweiht: Augmenting Type Inference with Primitive Heuris...
ESUG
 
PPTX
Introduction to biochemistry.ppt-pdf_shotrs!
Vishnukanchi darade
 
PDF
Microbial Biofilms and Their Role in Chronic Infections
Prachi Virat
 
PDF
The Different States of Matter and its Characteristics
SophiaCasimero1
 
PPTX
LESSON 4_The Scientific Investigation.pptx
mariemoranteiron
 
PPT
Chemical bonding and molecular structure
karthikeyan
 
PPTX
Animal Cell and plant cell for junior high school
Safira NurSa'adah
 
PDF
Gamifying Agent-Based Models in Cormas: Towards the Playable Architecture for...
ESUG
 
PPTX
Modifications in RuBisCO system to enhance photosynthesis .pptx
raghumolbiotech
 
PPTX
1.pptx 2.pptx for biology endocrine system hum ppt
Dhananjaysankhla
 
PPTX
Discovery of Novel Antibiotics from Uncultured Microbes.pptx
SaakshiSharma26
 
PPTX
Embark on a journey of cell division and it's stages
sakyierhianmontero
 
PPTX
Prawn filtration system. also known by the name pokkalii cultivation
AnaghaCs4
 
PPT
An Introduction to Particle Accelerators.ppt
mowehe5553
 
Directing Generative AI for Pharo Documentation
ESUG
 
JADESreveals a large population of low mass black holes at high redshift
Sérgio Sacani
 
HETEROCYCLIC CHEMISTRY IN PHARMACEUTICAL CHEMISTRY
onwukapaul21
 
How to access global TV channels with a VPN easily.pptx
harshitseo1
 
N-enhancement in GN-z11: First evidence for supermassive stars nucleosynthesi...
Sérgio Sacani
 
Visualizing our changing climate in real-time
Zachary Labe
 
Even Lighter Than Lightweiht: Augmenting Type Inference with Primitive Heuris...
ESUG
 
Introduction to biochemistry.ppt-pdf_shotrs!
Vishnukanchi darade
 
Microbial Biofilms and Their Role in Chronic Infections
Prachi Virat
 
The Different States of Matter and its Characteristics
SophiaCasimero1
 
LESSON 4_The Scientific Investigation.pptx
mariemoranteiron
 
Chemical bonding and molecular structure
karthikeyan
 
Animal Cell and plant cell for junior high school
Safira NurSa'adah
 
Gamifying Agent-Based Models in Cormas: Towards the Playable Architecture for...
ESUG
 
Modifications in RuBisCO system to enhance photosynthesis .pptx
raghumolbiotech
 
1.pptx 2.pptx for biology endocrine system hum ppt
Dhananjaysankhla
 
Discovery of Novel Antibiotics from Uncultured Microbes.pptx
SaakshiSharma26
 
Embark on a journey of cell division and it's stages
sakyierhianmontero
 
Prawn filtration system. also known by the name pokkalii cultivation
AnaghaCs4
 
An Introduction to Particle Accelerators.ppt
mowehe5553
 
Ad

New_Delhi_31072015_CMA_Amit_Kumar_1.pdf forensic

  • 1. 1 Information Technology Audit & Forensic Techniques CMA Amit Kumar
  • 2. Amit Kumar & Co. (Cost Accountants) A perfect blend of Tax, Audit & Advisory services B-73/B, Sainik Nagar, Nawada, New Delhi-110059. T- 91 9999803612 & 011-2533 0030 E-mail :: [email protected] Information Technology Audit & Forensic Techniques
  • 3. 3 IT Forensic Techniques for Auditors Presentation Focus  Importance of IT Forensic Techniques to Organizations  Importance of IT Forensic Techniques to Auditors  Audit Goals of Forensic Investigation  Digital Crime Scene Investigation  Illustration of Forensic Tools  A Forensic Protocol
  • 4. 4 Forensic Computing Defined Forensic Computing is the process of identifying, preserving, analyzing, and presenting digital evidence in a manner that is legally acceptable in a court of law Our interest is in …  Identifying and preserving evidence,  “post-mortem” system analysis to determine extent and nature of attack, and  the forensic framework
  • 5. 5 Importance of IT Forensic Techniques to Organizations Corporate Fraud Losses in 2004  Cost companies an average loss of assets over $ 1.7 million  A 50% increase over 2003  Over one third of these frauds were discovered by accident, making "chance" the most common fraud detection tool.  PriceWaterhouseCoopers, Global Economic Crime Survey 2005
  • 6. 6 Importance of IT Forensic Techniques to Organizations The New Corporate Environment  Sarbanes-Oxley 2002  COSO and COBIT  ISO 9000 and ISO 17799  Gramm-Leach-Bliley Act  US Foreign Corrupt Practices Act  Companies Act 2013 …all of these have altered the corporate environment and made forensic techniques a necessity!
  • 7. 7 Importance of IT Forensic Techniques to Organizations Intellectual Property Losses  Rapid increase in theft of IP – 323% over five year period 1999-2004  75% of estimated annual losses were to an employee, supplier or contractor  Digital IP is more susceptible to theft  Employees may not view it as theft
  • 8. 8 Importance of IT Forensic Techniques to Organizations Network Fraud  Companies now highly reliant on networks  Networks increasingly vulnerable to attacks  Viruses, Trojans, Rootkits can add backdoors  Social Engineering including Phishing and Pharming  Confidential and proprietary information can be compromised  Can create a corporate liability
  • 9. 9 Importance of IT Forensic Techniques to Organizations Security Challenges  Technology expanding and becoming more sophisticated  Processes evolving and integrating with technologies  People under trained  Policies outdated  Organizations at risk People Technology Policies Processes
  • 10. 10 Importance of IT Forensic Techniques to Auditors  Majority of fraud is uncovered by chance  Auditors often do not look for fraud  Prosecution requires evidence  Value of IT assets growing Treadway Commission Study …  Undetected fraud was a factor in one-half of the 450 lawsuits against independent auditors.
  • 11. 11 Importance of IT Forensic Techniques to Auditors Auditor’s Knowledge, Skills, Abilities  Accounting  Auditing  IT (weak) Needed …  Increased IT knowledge  Fraud and forensic accounting knowledge  Forensic investigative and analytical skills and abilities
  • 12. 12 Importance of IT Forensic Techniques to Auditors Knowledge, Skills, Abilities: Needs Auditor’s need KSAs to …  Build a digital audit trail  Collect “usable” courtroom electronic evidence  Trace an unauthorized system user  Recommend or review security policies  Understand computer fraud techniques  Analyze and valuate incurred losses
  • 13. 13 Importance of IT Forensic Techniques to Auditors KSA Needs (cont.)  Understand information collected from various computer logs  Be familiar with the Internet, web servers, firewalls, attack methodology, security procedures & penetration testing  Understand organizational and legal protocols for incident handling  Establish relationships with IT, risk management, security, law enforcement
  • 14. 14 Audit Goals of a Forensic Investigation Rules of Evidence  Complete  Authentic  Admissible  Reliable  Believable
  • 15. 15 Audit Goals of a Forensic Investigation Requirements for Evidence Computer logs …  Must not be modifiable  Must be complete  Appropriate retention rules
  • 16. 16 Digital Crime Scene Investigation Problems with Digital Investigation  Timing essential – electronic evidence volatile  Auditor may violate rules of evidence  NEVER work directly on the evidence  Skills needed to recover deleted data or encrypted data
  • 17. 17 Digital Crime Scene Investigation Extract, process, interpret  Work on the imaged data or “safe copy”  Data extracted may be in binary form  Process data to convert it to understandable form  Reverse-engineer to extract disk partition information, file systems, directories, files, etc  Software available for this purpose  Interpret the data – search for key words, phrases, etc.
  • 18. 18 Digital Crime Scene Investigation Technology  Magnetic disks contain data after deletion  Overwritten data may still be salvaged  Memory still contains data after switch-off  Swap files and temporary files store data  Most OS’s perform extensive logging (so do network routers)
  • 19. 19 Digital Crime Scene Investigation Order of Volatility  Preserve most volatile evidence first  Registers, caches, peripheral memory  Memory (kernel, physical)  Network state  Running processes  Disk  Floppies, backup media  CD-ROMs, printouts
  • 20. 20 Digital Crime Scene Investigation Digital Forensic Investigation A process that uses science and technology to examine digital objects and that develops and tests theories, which can be entered into a court of law, to answer questions about events that occurred. IT Forensic Techniques are used to capture and analyze electronic data and develop theories.
  • 21. 21 Illustration of Forensic Tools Forensic Software Tools are used for …  Data imaging  Data recovery  Data integrity  Data extraction  Forensic Analysis  Monitoring
  • 22. 22 Data Imaging  Reduces internal investigation costs  Automated analysis saves time  Supports electronic records audit  Creates logical evidence files — eliminating need to capture entire hard drives
  • 23. 23 Data Imaging  Previews computers over the network to determine whether relevant evidence exists:  Unallocated/allocated space  Deleted files  File slack  Volume slack  File system attributes  CD ROMs/DVDs  Mounted FireWire and USB devices  Mounted encrypted volumes  Mounted thumb drives
  • 24. 24 Data Integrity MD5  Message Digest – a hashing algorithm used to generate a checksum  Available online as freeware  Any changes to file will change the checksum Use:  Generate MD5 of system or critical files regularly  Keep checksums in a secure place to compare against later if integrity is questioned
  • 29. 29 Audit Command Language (ACL)  ACL is the market leader in computer- assisted audit technology and is an established forensics tool. Clientele includes …  70 percent of the Fortune 500 companies  over two-thirds of the Global 500  the Big Four public accounting firms
  • 30. 30 Forensic Tools Audit Command Language ACL is a computer data extraction and analytical audit tool with audit capabilities … Statistics Duplicates and Gaps Stratify and Classify Sampling Benford Analysis
  • 32. 32
  • 33. 33
  • 34. 34
  • 35. 35 Forensic Tools: ACL Benford Analysis  States that the leading digit in some numerical series is follows an exponential rather than normal distribution  Applies to a wide variety of figures: financial results, electricity bills, street addresses, stock prices, population numbers, death rates, lengths of rivers Leading Digit Probability 1 30.1 % 2 17.6 % 3 12.5 % 4 9.7 % 5 7.9 % 6 6.7 % 7 5.8 % 8 5.1 % 9 4.6 %
  • 36. 36
  • 37. 37 Data Monitoring Employee Internet Activity Spector captures employee web activity including keystrokes, email, and snapshots to answer questions like:  Which employees are spending the most time surfing web sites?  Which employees chat the most?  Who is sending the most emails with attachments?  Who is arriving to work late and leaving early?  What are my employees searching for on the Internet?
  • 38. 38 Data Monitoring : Spector Recorded Email
  • 39. 39 Data Monitoring : Spector Recorded Web Surfing
  • 40. 40 Data Monitoring : Spector Recording Keystrokes
  • 41. 41 Data Monitoring : Spector Recorded Snapshots
  • 42. 42 Data Capture : Key Log Hardware KeyKatcher  Records chat, e-mail, internet & more  Is easier to use than parental control software  Identifies internet addresses  Uses no system resources  Works on all PC operating systems  Undetectable by software www.lakeshoretechnology.com
  • 43. 43 Developing a Forensic Protocol  The response plan must include a coordinated effort that integrates a number of organizational areas and possibly external areas  Response to fraud events must have top priority  Key players must exist at all major organizational locations People Technology Policies Processes
  • 44. 44 Developing a Forensic Protocol End-to-End Forensic Analysis First rule of end-to-end forensic digital analysis  Primary evidence must always be corroborated by at least one other piece of relevant primary evidence to be considered a valid part of the evidence chain. Evidence that does not fit this description, but does serve to corroborate some other piece of evidence without itself being corroborated, is considered to be secondary evidence.  Exception: the first piece of evidence in the chain from the Identification layer
  • 45. 45 A Forensic Protocol Security Exposures Organizations may possess critical technology skills but …  Skills are locked in towers – IT, Security, Accounting, Auditing  Skills are centralized while fraud events can be decentralized  Skills are absent – vacations, illnesses, etc
  • 46. 46 A Forensic Protocol The Role of Policies  They define the actions you can take  They must be clear and simple to understand  The employee must acknowledge that he or she read them, understands them and will comply with them  They can’t violate law
  • 47. 47 A Forensic Protocol Forensic Response Control Incident Response Planning …  Identify needs and objectives  Identify resources  Create policies, procedures  Create a forensic protocol  Acquire needed skills  Train  Monitor
  • 48. 48 A Forensic Protocol Documenting the Scene  Note time, date, persons present  Photograph and video the scene  Draw a layout of the scene  Search for notes (passwords) that might be useful  If possible freeze the system such that the current memory, swap files, and even CPU registers are saved or documented
  • 49. 49 A Forensic Protocol Forensic Protocol  First responder triggers alert  Team response  Freeze scene  Begin documentation  Auditors begin analysis  Protect chain-of-custody  Reconstruct events and develop theories  Communicate results of analysis
  • 50. 50 A Forensic Protocol Protocol Summary  Ensure appropriate policies  Preserve the crime scene (victim computer)  Act immediately to identify and preserve logs on intermediate systems  Conduct your investigation  Obtain subpoenas or contact law enforcement if necessary Key: Coordination between functional areas
  • 51. 51 Conclusion IT Forensic Investigative Skills Can …  Decrease occurrence of fraud  Increase the difficulty of committing fraud  Improve fraud detection methods  Reduce total fraud losses Auditors trained in these skills are more valuable to the organization!