Using Digital Forensics to Identify & Investigate Fraud Presenter: Damon Hacker, MBA, CCE, CISA President Vestige Digital Investigations
Ves•tige (véŝ tĭj) n. 1. A visible trace, evidence or sign of something that has once existed but now no longer exists or appears.
Overview • Open Your Eyes • Real-World Scenarios • What Computer Forensics Can and Cannot Do • Forensic Techniques Overview/Primer • What You Need to Know • Q&A
Xerox DocuColor 12 page, magnified 10x and photographed by the QX5 microscope under illumination from a Photon blue LED flashlight
Scenarios • Real-World Examples • Vestige Involved • Some Information is in Public Domain, Most is Not. • Information Changed to Protect the identities of those involved. • May be a compilation of more than one case to make a specific point or further protect identities.
Scenario 1 • The Scene: • Wrongful Termination lawsuit • Sending of “over-the-top” e-mails • Two places at once?
So, where do we turn?
I.T.’s Findings • Deposition ends: 11:15am in Detroit • Tracked IP Address • How can this be?
I.T.’s Findings • Ventura, California
Kinko’s Kooperates • Registration/Login • Payment Method • Surveillance
Results
Scenario 2 • Tail-end of litigation • Plaintiff wins matter and is awarded attorneys fees • Disparate amounts spent between plaintiff & defendant • Defendant’s counsel believes Plaintiff’s counsel has “stuffed” time entry
Scenario 2 • Review of Time & Billing Software • No apparent manipulation • Chronology looked appropriate • Defendant’s analysis concluded no manipulation.
Scenario 2 • Vestige Analysis • Review of database, behind-the-scenes • Time & Billing software uses off-the-shelf back-end database, albeit not a common one • Vestige tools to review data at database level • Vestige created “parsing” utility to extract and review deleted records
Scenario 2 • Analysis reviewed approximately 40% overbilling occurring • “Stuffing” time entries sequentially at end of case • Replacement entries that were 2x-10x the amount of the deleted entries they replaced • Adjustment and sanctions
Scenario 3 • $30 Million shortage in commodities • $3 Billion company • 3000+ employees • 100s of thousands financial transactions • No initial persons of interest Hypothesis: Internal controls would require collusion to pull off fraud. Individuals ought to be communicating with one another.
Scenario 3 1. Take backup tape from email system last year 2. Take backup tape from email system last month 3. Index every word and frequency per user 4. Import word Index, frequency per user, and frequency count into Excel 5. Using Excel calculate median frequency per user for each word 6. Identify words having frequency per user far greater than median • Led to determination of “do you want cheese with that?” in excess of 2000% greater than median frequency for 3 individuals
Scenario 3 • Requests for financial statements accompanied by “Do you want cheese with that?” • Innocuous sounding word/phrase • Not in selection set for typical keyword search
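The six-step word-frequency method from Scenario 3, worked in Python as an added example (it is not Vestige’s parsing utility or the Excel workbook the slides describe). It indexes every word per sender, takes the median per-user frequency of each word across all users, and flags the (user, word) pairs that sit far above that median. The mailbox is a constructed sample, and the `floor`, `ratio` and `min_count` parameters are assumptions of this example, not thresholds stated on the slides:

```python
import re
from collections import Counter
from statistics import median

# Constructed sample mailbox: (sender, message body). Not real case data.
SAMPLE_MESSAGES = [
    ("alice", "Please send the quarterly financial statements. Do you want cheese with that?"),
    ("alice", "Revised statements attached. Do you want cheese with that?"),
    ("alice", "Need the ledger detail too. Do you want cheese with that?"),
    ("alice", "Thanks for those. Do you want cheese with that?"),
    ("bob",   "Can you send the financial statements today? Do you want cheese with that?"),
    ("bob",   "Got them. Do you want cheese with that?"),
    ("bob",   "One more: the inventory report. Do you want cheese with that?"),
    ("bob",   "Perfect. Do you want cheese with that?"),
    ("carol", "Lunch today? I'll grab a sandwich with cheese."),
    ("carol", "Meeting moved to three, agenda attached."),
    ("dave",  "Please review the attached financial statements before the audit."),
    ("dave",  "Reminder: timesheets are due Friday."),
    ("erin",  "Who wants pizza with extra cheese for the team lunch?"),
    ("erin",  "Agenda attached for the Friday meeting."),
]

WORD_RE = re.compile(r"[a-z']+")


def index_words(messages):
    """Step 3: one Counter of word frequencies per user."""
    index = {}
    for user, body in messages:
        index.setdefault(user, Counter()).update(WORD_RE.findall(body.lower()))
    return index


def median_frequencies(index):
    """Step 5: median per-user frequency for every word in the corpus.
    Users who never use a word count as 0, so a word that only two of
    five people ever typed has a median of 0."""
    vocabulary = set().union(*index.values())
    return {w: median(counts.get(w, 0) for counts in index.values()) for w in vocabulary}


def flag_outliers(index, ratio=3.0, min_count=3, floor=1.0):
    """Step 6: return (user, word, count, median) for every word a user typed
    at least `min_count` times and at `ratio` times the median or more.
    `floor` is an assumption of this example: it stops a median of 0 from
    flagging every word that a minority of users happened to use once."""
    medians = median_frequencies(index)
    hits = []
    for user, counts in index.items():
        for word, n in counts.items():
            if n >= min_count and n / max(medians[word], floor) >= ratio:
                hits.append((user, word, n, medians[word]))
    return sorted(hits)


if __name__ == "__main__":
    for user, word, n, med in flag_outliers(index_words(SAMPLE_MESSAGES)):
        print(f"{user:6} {word:8} count={n} median={med}")
```

On the sample above the flagged words for alice and bob are exactly “do”, “you”, “want”, “cheese”, “with”, “that”: the signal phrase reassembles itself from its own tokens. Note that a conventional stop-word filter would have discarded most of those tokens, which is the same reason the slide says such a phrase never lands in a typical keyword selection set.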
Scenario 4 • Stolen Laptops • Law Enforcement’s involvement • Stupidity at its finest
Scenario 5 • Wage/Hour Class Action • Non-Exempt classified as Exempt • Timeframe stretches back 3-4 years
By the Numbers Fraud Statistics
Typical Fraud • Typical organization loses 5% of annual revenues to various frauds • $6.3 TRILLION issue worldwide • Median loss $150,000 • In 94.5% of cases in study, perpetrator took efforts to conceal the fraud! Source: 2016 Report to the Nations on Occupational Fraud and Abuse. The Association of Certified Fraud Examiners
Detecting Fraud • Time to detection – median is 18 months • How Fraud was Detected: • Tip – 39.1% • Internal Audit – 16.5% • Management Review – 13.4% • By Accident – 5.6% • Account Reconciliation – 5.5% • External Audit – 3.8%
Controls • Strong linkage between anti-fraud controls: • Significant decrease in cost • Decrease in duration of time-to-detection
Perpetrator • 94.5% are first-time offenders • Clean employment history • No criminal background • 79% of cases, perpetrator exhibited “red flag” behavior • Living beyond means • Financial Difficulties • Unusually close association with vendors/clients • Excessive control issues/wheeler-dealer attitude • Recent divorce / family problems
Why People Commit Fraud • The Psychology of Fraud Rationalization
Intersection of Technology & Fraud • Opportunity • Majority of financial transactions are Technology-linked • Less tangible – belief it’s harder to get caught • Availability of software • Personal accounting software • Document alteration • Access to information • Research on techniques & cover-up
What Digital Forensics Can and Cannot Do
What you can expect • Content • Keyword search for content/communication • ALL correspondence • Hidden information • Deleted information • Orphaned information • Encrypted information
• Correspondence • Memos • Emails • Instant messages • Faxes • Deleted • Old and forgotten
• Business Records • Financial data • Assets • Calculations • PRIOR DRAFTS • DELETED DRAFTS • Projections • Everything you could imagine
• Every Website visited • All pictures from those websites • Every Website from popups and popunders • All maps, from Mapquest for example
Every INTERNET SEARCH & the Search Results
What you can expect • Conceptual Analysis • How the computer was used • IM activity – dates/times, frequency, who • File Transfers • E-mails – activity • CD/DVD burning • Web-based E-mails • Attached hardware • Deletion activity • Other networks attached • Wiping activity • Remote Access activity • Software installed • Do we have the “Right” system?
What you can expect • Condition of evidence • Used by others • Formatted • Re-partitioned • Damaged • Wiped/Cleansed/Sanitized
What Digital Forensics Can’t Do • Find evidence that isn’t there • Never was on this evidence • May have been on this evidence but was overwritten • Wrong Interpretations • Artifact analysis • Example: Defragmenting • “Who was at the keyboard?” Some analysis will allow the answer to be inferred.
Sample Case
What You Need to Know
Locard’s Exchange Principle “In forensic science, Locard’s principle holds that the perpetrator of a crime will bring something into the crime scene and leave with something from it – both of which can be used as forensic evidence.”
Sources vs Documents • Identify Appropriate “Key” Devices • Key-players • Expanded Key-players • Administrative Assistants • Other likely correspondents, etc. • Observing Devices • Monitors, surveillance • Pass-Thru Devices • Routers, firewalls, servers, monitoring systems • Passive Devices • i.e. conveyor
Evidence Volatility • Rate at which evidence disappears (most volatile first): • Registers, Cache • Memory, Routing Tables, Process Tables • Temporary Files • Disk & Other “permanent” storage • Logging & Monitoring Data • Archives
Potential Sources • ISP • Honeypot • Router • Virtual Machines • Firewall • Cloud Service • IDS/IPS • General Network Sniffers • Managed Switches • Backup tapes/disks • Servers • Replication sites • Workstations • Disaster Recovery sites • Other monitoring devices (alarm system) • Digital Scale & other Measuring Devices • RFID Data • Log files • “Black Boxes” • GPS • Video Surveillance • Cell Tower Data • Payment or other Registration Info • Syslog
Methodology
Acquisition Authentication Analysis Presentation
Acquisition • First & Foremost: Evidence Preservation • Admissibility in Court • Protection of All Parties Involved… even the investigator • Avoid Contamination/Spoliation of Evidence
Acquisition • Completeness • “The Whole Truth” • Used & Unused (Unallocated) Space • Active & Inactive Systems • Seemingly “Inaccessible” Systems & Media
Acquisition • Methodology • Forensically-sound Bit-for-Bit Clone • Copy, clone, mirror • Write-protect • Place on Sterile Media • MD5 or other authentication hash • Chain of Custody • Seal Evidence
Authentication • Authenticate: • Prove “no change” • Prove Clones ARE the Same • Method • MD5 Hash (digital fingerprint) • Industry-standard, industry-recognized • 128-bit • 1 in 1x10^38 chance for deceiving • 1 in 100,000,000,000,000,000,000,000,000,000,000,000,000 • DNA Evidence is 1 in 1,000,000,000
Authenticate • Our Methodology • MD5 Hash – Digital Fingerprint MD5 702865f9ebd7478fbab050ed6b4612f0
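The Acquisition and Authentication slides above (bit-for-bit clone, write-protect, sterile media, hash, chain of custody, then prove the clone is unchanged) worked end to end in Python as an added example; this is not Vestige’s methodology or tooling. Assumptions of the example: a file stands in for the evidence drive and a plain byte copy for a hardware write-blocked imager; SHA-256 is hashed alongside the MD5 the slides use, because MD5 collisions can be manufactured and matching two independent digests is now routine; the custody record format and the examiner placeholder are constructed:

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # hash/copy 1 MiB at a time so a multi-terabyte image never sits in RAM


def digests(chunks, algorithms=("md5", "sha256")):
    """Feed every chunk to each algorithm once; return {algorithm: hexdigest}."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    for chunk in chunks:
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def hash_bytes(data):
    return digests([data])


def hash_image(path):
    """Stream the whole file (used and unused space alike) through the hashers."""
    with open(path, "rb") as f:
        return digests(iter(lambda: f.read(CHUNK), b""))


def clone_bit_for_bit(source, dest):
    """Copy every byte of `source` to `dest`; returns the byte count.
    The source is only ever opened read-only, the software equivalent of a
    write blocker (assumption: a real acquisition uses a hardware blocker)."""
    copied = 0
    with open(source, "rb") as src, open(dest, "wb") as dst:
        for chunk in iter(lambda: src.read(CHUNK), b""):
            dst.write(chunk)
            copied += len(chunk)
    return copied


def verify_clone(source, clone):
    """Authentication: every digest of the clone must equal the source's."""
    return hash_image(source) == hash_image(clone)


def custody_record(path, hashes, examiner):
    """Chain-of-custody entry sealed with the evidence (constructed format)."""
    return {
        "item": os.path.basename(path),
        "size_bytes": os.path.getsize(path),
        "hashes": hashes,
        "examiner": examiner,
        "acquired_utc": datetime.now(timezone.utc).isoformat(),
    }


def demo():
    """Image a constructed 'drive', verify the clone, then show a single flipped
    bit in another copy failing verification. Returns (clone_ok, tampered_ok)."""
    with tempfile.TemporaryDirectory() as d:
        evidence = os.path.join(d, "suspect_drive.bin")
        clone = os.path.join(d, "suspect_drive_clone.dd")
        tampered = os.path.join(d, "tampered_copy.dd")
        # Constructed drive contents: repeated "allocated" text plus random "unallocated" bytes
        with open(evidence, "wb") as f:
            f.write(b"Q3 ledger draft - DELETED\x00" * 1000 + os.urandom(4096))
        clone_bit_for_bit(evidence, clone)
        clone_ok = verify_clone(evidence, clone)
        # A copy with one bit flipped must not authenticate
        data = bytearray(open(evidence, "rb").read())
        data[10] ^= 0x01
        with open(tampered, "wb") as f:
            f.write(data)
        tampered_ok = verify_clone(evidence, tampered)
        record = custody_record(clone, hash_image(clone), examiner="EXAMINER_PLACEHOLDER")
        print(json.dumps(record, indent=2))
        return clone_ok, tampered_ok


if __name__ == "__main__":
    print(demo())  # expected: (True, False)
```

The custody record is what gets written on the evidence seal: a verifier who later re-hashes the clone and gets the same digests has proved “no change” in the sense the slide means, and one altered bit anywhere in the image, including unallocated space, changes both digests.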
Recommend
More recommend