Grover Kearns, PhD, CPA, CFE - PowerPoint PPT Presentation

About This Presentation
Title: Grover Kearns, PhD, CPA, CFE

Description: Title: Information Technology Forensic Techniques for Auditors. Last modified by: Faculty, staff, student or affiliate. Created Date: 4/1/2002 12:44:37 PM

Slides: 51
Provided by: facultyUs5

Transcript and Presenter's Notes

Title: Grover Kearns, PhD, CPA, CFE


1
Computer Forensics for Accountants
Class 2, Summer 2013
  • Grover Kearns, PhD, CPA, CFE

2
Laptop Security Tips
  • Treat it like cash.
  • Get it out of the car...don't ever leave it
    behind.
  • Keep it locked...use a security cable.
  • Keep it off the floor...or at least between your
    feet.
  • Keep passwords separate...not near the laptop or
    case.
  • Don't leave it for just a sec...no matter where
    you are.
  • Pay attention in airports...especially at
    security.

3
Importance of IT Forensic Techniques to
Organizations: The New Corporate Environment
  • Sarbanes-Oxley 2002
  • SAS 78, 80, 94, 99
  • COSO and COBIT
  • ISO 9000 and ISO 17799
  • Gramm-Leach-Bliley Act
  • US Foreign Corrupt Practices Act
  • All of these have altered the corporate
    environment and made forensic techniques a
    necessity!

4
Importance of IT Forensic Techniques to Auditors:
SAS 99
  • SAS No. 99 - Consideration of Fraud in a
    Financial Statement Audit - requires auditors to:
      • Understand fraud
      • Gather evidence about the existence of fraud
      • Identify and respond to fraud risks
      • Document and communicate findings
      • Incorporate a technology focus

5
Importance of IT Forensic Techniques to Auditors
  • Majority of fraud is uncovered by chance
  • Auditors often do not look for fraud
  • Prosecution requires evidence
  • Value of IT assets growing
  • Treadway Commission Study:
      • Undetected fraud was a factor in one-half of the
        450 lawsuits against independent auditors.

6
Digital Crime Scene Investigation: Digital
Forensic Investigation
  • A process that uses science and technology to
    examine digital objects and that develops and
    tests theories, which can be entered into a court
    of law, to answer questions about events that
    occurred.
  • IT Forensic Techniques are used to capture and
    analyze electronic data and develop theories.

7
Audit Goals of a Forensic Investigation
  • Uncover fraudulent or criminal cyber activity
  • Isolate evidentiary matter (freeze scene)
  • Document the scene
  • Create a chain-of-custody for evidence
  • Reconstruct events and analyze digital
    information
  • Communicate results

8
Audit Goals of a Forensic Investigation:
Immediate Response
  • Shut down computer (pull plug)
  • Bit-stream mirror-image of data
  • Begin a traceback to identify possible log
    locations
  • Contact system administrators on intermediate
    sites to request log preservation
  • Contain damage and stop loss
  • Collect local logs
  • Begin documentation

9
Audit Goals of a Forensic Investigation:
Continuing Investigation
  • Implement measures to stop further loss
  • Communicate to management and audit committee
    regularly
  • Analyze copy of digital files
  • Ascertain level and nature of loss
  • Identify perpetrator(s)
  • Develop theories about motives
  • Maintain chain-of-custody

10
Disk Geometry
11
Slack Space
[Figure labels: End of File; Slack Space; Last Cluster in a File]
12
Data Recovery: File Recovery with PC Inspector
13
Data Eradication: Securely Erasing Files
14
Data Integrity: MD5
  • Message Digest: a hashing algorithm used to
    generate a checksum
  • Available online as freeware
  • Any changes to file will change the checksum
  • Use:
      • Generate MD5 of system or critical files
        regularly
      • Keep checksums in a secure place to compare
        against later if integrity is questioned
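
The baseline-and-compare routine on this slide, as an added example (not part of the original presentation). It defaults to MD5 to match the slide, and the `algo` parameter accepts any `hashlib` name such as `sha256`; the file names and contents are constructed sample data.

```python
import hashlib
import json
import os
import tempfile


def file_digest(path, algo="md5", chunk=65536):
    """Hash a file in chunks so large files are not read into memory at once."""
    h = hashlib.new(algo)
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(paths, algo="md5"):
    """Return {path: checksum} for the system or critical files to monitor."""
    return {p: file_digest(p, algo) for p in paths}


def verify(baseline, algo="md5"):
    """Re-hash each baselined file and return {path: 'ok'|'changed'|'missing'}."""
    report = {}
    for path, expected in baseline.items():
        if not os.path.exists(path):
            report[path] = "missing"
        elif file_digest(path, algo) != expected:
            report[path] = "changed"
        else:
            report[path] = "ok"
    return report


def demo():
    """Baseline three constructed files, alter one, delete one, then verify."""
    with tempfile.TemporaryDirectory() as d:
        samples = {"ledger.csv": b"inv,amount\n1001,250.00\n",
                   "payroll.cfg": b"rate=0.05\n",
                   "users.db": b"alice:auditor\n"}
        for name, data in samples.items():
            with open(os.path.join(d, name), "wb") as fh:
                fh.write(data)
        baseline = build_baseline([os.path.join(d, n) for n in samples])
        stored = json.dumps(baseline)      # the copy to keep in a secure place
        with open(os.path.join(d, "ledger.csv"), "ab") as fh:
            fh.write(b"1002,9999.00\n")    # one row added after the baseline
        os.remove(os.path.join(d, "payroll.cfg"))
        report = verify(json.loads(stored))
        return {os.path.basename(p): s for p, s in report.items()}
```

The stored checksums are only useful if someone with write access to the monitored files cannot also rewrite them, which is why the slide calls for keeping them in a secure place.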

15
Data Integrity: MD5 Using HashCalc
16
Data Integrity: HandyBits EasyCrypto
17
Audit Command Language (ACL)
  • ACL is the market leader in computer-assisted
    audit technology and is an established forensics
    tool.
  • Clientele includes:
      • 70 percent of the Fortune 500 companies
      • over two-thirds of the Global 500
      • the Big Four public accounting firms

18
Forensic Tools: Audit Command Language
  • ACL is a computer data extraction and analytical
    audit tool with audit capabilities:
      • Statistics
      • Duplicates and Gaps
      • Stratify and Classify
      • Sampling
      • Benford Analysis

19
(No Transcript)
20
(No Transcript)
21
(No Transcript)
22
(No Transcript)
23
(No Transcript)
24
Forensic Tools: ACL Benford Analysis
  • States that the leading digit in some numerical
    series follows an exponential distribution
  • Applies to a wide variety of figures: financial
    results, electricity bills, street addresses,
    stock prices, population numbers, death rates,
    lengths of rivers
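
A first-digit test of the kind this slide describes, as an added example (not ACL's implementation and not code from the presentation). It uses the standard Benford expectation log10(1 + 1/d) for leading digit d; the chi-square cut-off, the sample amounts, and the 5,000 approval limit are assumptions chosen for the illustration.

```python
import math
from collections import Counter

# Benford's expected share of leading digit d is log10(1 + 1/d).
EXPECTED = {d: math.log10(1 + 1 / d) for d in range(1, 10)}


def leading_digit(amount):
    """First significant digit of a non-zero amount (sign and scale ignored)."""
    return int(f"{abs(amount):.15e}"[0])   # scientific notation starts with it


def benford_table(amounts):
    """Return (rows, chi2); each row is (digit, observed count, expected count)."""
    digits = [leading_digit(a) for a in amounts if a]
    n = len(digits)
    if n == 0:
        raise ValueError("no non-zero amounts to analyse")
    seen = Counter(digits)
    rows, chi2 = [], 0.0
    for d in range(1, 10):
        exp = EXPECTED[d] * n
        chi2 += (seen[d] - exp) ** 2 / exp
        rows.append((d, seen[d], round(exp, 1)))
    return rows, chi2


CHI2_CRITICAL = 15.507   # chi-square, 8 degrees of freedom, 5% significance


def flag(amounts):
    """True when the first-digit counts depart from Benford at the 5% level."""
    return benford_table(amounts)[1] > CHI2_CRITICAL


# Constructed data: steady 7% growth spans several orders of magnitude and
# follows Benford closely.
organic = [100 * 1.07 ** k for k in range(300)]
# Constructed data: the same ledger plus 60 payments just under a
# hypothetical 5,000 approval limit.
padded = organic + [4900 + k for k in range(60)]
```

A flagged population is a lead for follow-up sampling, not a finding: data with a built-in floor or ceiling can depart from Benford for legitimate reasons.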

25
(No Transcript)
26
(No Transcript)
27
(No Transcript)
28
(No Transcript)
29
Practical applications for Benford's law and
digital analysis
  • Accounts payable data.
  • Estimations in the general ledger.
  • The relative size of inventory unit prices among
    locations.
  • Duplicate payments.
  • Computer system conversion (for example, old to
    new system accounts receivable files).
  • Processing inefficiencies due to high
    quantity/low dollar transactions.
  • New combinations of selling prices.
  • Customer refunds.

30
(No Transcript)
31
(No Transcript)
32
Background Checks
33
(No Transcript)
34
(No Transcript)
35
Developing a Forensic Protocol
  • The response plan must include a coordinated
    effort that integrates a number of organizational
    areas and possibly external areas
  • Response to fraud events must
    have top priority
  • Key players must exist at all
    major organizational
    locations

36
A Forensic Protocol: Security Exposures
  • Organizations may possess critical technology
    skills but:
      • Skills are locked in towers: IT, Security,
        Accounting, Auditing
      • Skills are centralized while fraud events can be
        decentralized
      • Skills are absent: vacations, illnesses, etc.

37
A Forensic Protocol: The Role of Policies
  • They define the actions you can take
  • They must be clear and simple to understand
  • The employee must acknowledge that he or she read
    them, understands them and will comply with them
  • They can't violate law

38
A Forensic Protocol: Forensic Response Control
  • Incident Response Planning
  • Identify needs and objectives
  • Identify resources
  • Create policies, procedures
  • Create a forensic protocol
  • Acquire needed skills
  • Train
  • Monitor

39
A Forensic Protocol: Documenting the Scene
  • Note time, date, persons present
  • Photograph and video the scene
  • Draw a layout of the scene
  • Search for notes (passwords) that might be useful
  • If possible freeze the system such that the
    current memory, swap files, and even CPU
    registers are saved or documented

40
A Forensic Protocol: Forensic Protocol
  • First responder triggers alert
  • Team response
  • Freeze scene
  • Begin documentation
  • Auditors begin analysis
  • Protect chain-of-custody
  • Reconstruct events and develop theories
  • Communicate results of analysis

41
A Forensic Protocol: Protocol Summary
  • Ensure appropriate policies
  • Preserve the crime scene (victim computer)
  • Act immediately to identify and preserve logs on
    intermediate systems
  • Conduct your investigation
  • Obtain subpoenas or contact law enforcement if
    necessary
  • Key: Coordination between functional areas

42
Conclusion
  • Computer Forensic Skills Can:
      • Decrease occurrence of fraud
      • Increase the difficulty of committing fraud
      • Improve fraud detection methods
      • Reduce total fraud losses
  • Auditors trained in these skills are more
    valuable to the organization!

43
Preventing Internal Attacks: Common Sense Measures
  • Notify employees that their use of the company's
    personal computers, computer networks, and
    Internet connections will be monitored. Then do
    it.
  • Limit physical access to computers - imposition
    of passwords, magnetic card readers, and
    biometrics, which verify the user's identity
    through matching patterns in hand geometry,
    signature or keystroke dynamics, neural networks
    (the pattern of nerves in the face), DNA
    fingerprinting, retinal imaging, or voice
    recognition. More traditional site control
    methods such as sign-in logs and security badges
    can also be useful.
  • Classify information based on its importance,
    assigning security clearances to employees as
    needed.
  • Eliminate nonessential modems that could be used
    to transmit information.
  • Monitor activities of employees who keep odd
    hours at the office.
  • Include extensive background checks in the
    company's hiring process, especially in cases
    where the employee would be handling sensitive
    information.
  • Stress the importance of confidential passwords
    to employees.

44
Preventing External Attacks: Common Sense Measures
  • Install and use anti-virus software programs that
    scan PCs, computer networks, CDROMs, tape drives,
    diskettes, and Internet material, and destroy
    viruses when found.
  • Update anti-virus programs on a regular basis.
  • Ensure that all individual computers are equipped
    with anti-virus programs.
  • Remove administrative rights from employees.
  • Make sure that the company has a regular policy
    of backing up (copying) important files and
    storing them in a safe place, so that the impact
    of corrupted files is minimized.

45
  • The CERT Web site posts the latest security
    alerts and also provides security-related
    documents, tools, and training seminars.
  • CERT offers 24-hour technical assistance in the
    event of Internet security breaches.

46
Malicious Internet Programs
  • Virus: Program that attaches itself to other
    programs and infects them.
  • Trojan: Disguised as legitimate program but
    designed to take control of computer. Can be used
    to attack other computers (zombies).
  • Worm: Network aware virus that replicates using
    file sharing or e-mail.
  • Over 115,000 known viruses, trojans, and worms.
    70% of all e-mail traffic is SPAM!

47
Spyware
  • Programs used to gather information about you and
    relay it to an Internet advertising company for
    resale.
  • Browser cookies can be used to track your
    activity.
  • Gathering practices and use of personal
    information generally not clear during web site
    usage or program installation.

48
http://www.vtinfragard.org/vtinfosafe/InformationResources.html
49
(No Transcript)
50
Questions or Comments?