Catching Al Capone: What All Accountants Should Know About Computer Forensics

Grover Kearns, PhD, CPA, CFE, CITP

Slide outline

- Catching Al Capone: What All Accountants Should Know About Computer Forensics
- Scarface
- Catching Al Capone
- Survey Shows Companies Fear Fraud, But Many Not Prepared
- Why
- Common Applications of Computer Forensics
- Cardinal Rules of Evidence Handling
- Forensic Accountants are Involved In
- Digital Crime Scene Investigation: Digital Forensic Investigation
- Audit Goals of a Forensic Investigation
- Audit Goals of a Forensic Investigation: Immediate Response
- Audit Goals of a Forensic Investigation: Continuing Investigation
- Digital Crime Scene Investigation: Scene Preservation & Documentation
- Audit Goals of a Forensic Investigation: Requirements for Evidence
- Digital Crime Scene Investigation: Problems with Digital Investigation
- Digital Crime Scene Investigation: Extract, process, interpret
- Digital Crime Scene Investigation: Technology
- Role of a First Responder
- Importance of Computer Forensics to Accountants
- Beginning of Accounting
- A Little Bit of History
- Base 10 versus Base 2
- Alphabet Soup
- The Byte Scale
- This is where it gets tricky.
- Binary Numbering System
- Placeholders
- Binary to Decimal
- Hands-on Activity 1
- Hands-on Activity 1 Answer
- Hands-on Activity 2
- Hands-on Activity 2 Answer
- Hands-on Activity 3
- Hands-on Activity 3 Answer
- Do I Really Need to Know This?
- Hexadecimal
- Hexadecimal and Binary
- Odometer Effect
- Hands-on Activity
- Hands-on Activity Answers
- Hexadecimal Editors
- The Hex Editor
- File Signatures in Hex
- “Accountants are supposed to function as the nation’s watchdogs.”
- Watchdogs Need Big Teeth
- End Class 2 Lecture Questions?

Scarface

Eliot Ness

Catching Al Capone

- Capone was known to be responsible for a wide array of felonies and violent crimes, but evidence was lacking
- Witnesses tended to disappear
- Direct evidence was needed
- Business records provide direct evidence
- Careful search, analysis, and handling of data are required to produce data that are acceptable as evidence

Survey Shows Companies Fear Fraud, But Many Not Prepared

Ernst & Young's 9th Global Fraud Survey: Fraud Risk in Emerging Markets

- 60 percent of multinationals say they believe fraud is more likely to occur in emerging market operations than developed markets
- Robust internal controls remain the first line of defense against fraud for companies in all markets

Why

Accountants and auditors …

- are better positioned to detect computer-based fraud
- can assist in maintaining a chain-of-custody for digital evidence
- can better communicate with IT employees
- can promote IT-based internal controls
- can assist in the efficient use of IT resources

Common Applications of Computer Forensics

- Employee internet abuse (common, but decreasing)
- Unauthorized disclosure of corporate information and data (accidental and intentional)
- Industrial espionage
- Damage assessment
- Criminal fraud and deception cases

Cardinal Rules of Evidence Handling

- Only use tools and methods that have been tested and evaluated to validate their accuracy and reliability.
- Handle the original evidence as little as possible to avoid changing the data.
- Establish and maintain the chain of custody.
- Document everything done.
- Never exceed personal knowledge.

Forensic Accountants are Involved In

- Criminal Investigations
- Shareholders' and Partnership Disputes
- Personal Injury Claims
- Business Interruption
- Fraud Investigations
- Matrimonial Disputes
- Professional Negligence
- Mediation and Arbitration

Computer forensics can be defined as the collection and analysis of data from computer systems, networks, communication streams (wireless) and storage media in a manner that is admissible in a court of law. -CERT

“Computer forensics” can thus not afford solely to concern itself with procedures and methods of handling computers, the hardware from which they are made up and the files they contain. The ultimate aim of forensic investigation is use in legal proceedings [Mandia 01].

The objective in computer forensics is quite straightforward. It is to recover, analyze and present computer based material in such a way that it is useable as evidence in a court of law [Mandia 01].

Digital Crime Scene Investigation: Digital Forensic Investigation

A process that uses science and technology to examine digital objects and that develops and tests theories, which can be entered into a court of law, to answer questions about events that occurred. IT Forensic Techniques are used to capture and analyze electronic data and develop theories.

Audit Goals of a Forensic Investigation

- Uncover fraudulent or criminal cyber activity
- Isolate evidentiary matter (freeze scene)
- Document the scene
- Create a chain-of-custody for evidence
- Reconstruct events and analyze digital information
- Communicate results

Audit Goals of a Forensic Investigation: Immediate Response

- Shut down computer (pull plug)
- Bit-stream mirror-image of data
- Begin a traceback to identify possible log locations
- Contact system administrators on intermediate sites to request log preservation
- Contain damage and stop loss
- Collect local logs
- Begin documentation

Audit Goals of a Forensic Investigation: Continuing Investigation

- Implement measures to stop further loss
- Communicate to management and audit committee regularly
- Analyze copy of digital files
- Ascertain level and nature of loss
- Identify perpetrator(s)
- Develop theories about motives
- Maintain chain-of-custody

Digital Crime Scene Investigation: Scene Preservation & Documentation

Goal: Preserve the state of as many digital objects as possible and document the crime scene.

Methods:

- Shut system down
- Unplug (best)
- Do nothing
- Bag and tag

Audit Goals of a Forensic Investigation: Requirements for Evidence

Computer logs …

- Must not be modifiable
- Must be complete
- Appropriate retention rules

Digital Crime Scene Investigation: Problems with Digital Investigation

- Timing essential – electronic evidence volatile
- Auditor may violate rules of evidence
- NEVER work directly on the evidence
- Skills needed to recover deleted data or encrypted data

Digital Crime Scene Investigation: Extract, process, interpret

- Work on the imaged data or “safe copy”
- Data extracted may be in binary form
- Process