An Introduction to Computer Forensics

Forensic auditing covers an extensive range of analytical work performed by expert accountants. This line of work typically involves an examination of a company's financial affairs and is frequently connected with scrutinizing fraudulent activity. Forensic auditing spans the entire investigation process, including having the investigator serve as an expert witness at trial. Forensic accountants are also qualified to look into situations that are not fraud-related, such as settling a business's fiscal disputes or resolving insurance claim disputes.

The forensic investigation encompasses the steps needed to collect evidence in a suspected fraud case. A forensic audit is comparable to a financial audit in that it has a planning stage, an evidence-gathering phase, a review procedure, and a client report. The auditor uses a variety of audit techniques to recognize and assemble evidence, for example to establish how long the fraud had been occurring or the manner in which it was conducted. The auditor can also gather evidence for use against the defendant should a court case proceed. The findings may include the suspect's intentions, any evidence of collusion, any physical evidence discovered, and statements made by the suspect. The aims of the investigation are to determine whether fraud occurred, identify those involved, measure the financial loss, and present the findings to the client and possibly to the court. Much of the auditor's work is carried out with tools and procedures implemented through computer technology.

Introduction to Computer Forensics

The IS auditor often advises on fraud through the use of computer forensics and ensures organizational compliance with IT laws. Computer forensics comprises the methods used to extract information from storage media using reliable and accurate tools. The aim is to establish what actually happened in a particular situation by identifying the attacker and gathering proof that can be used in a court of law. Additionally, computer forensics is used to help protect a company's digital assets from further threats. During the investigation, the auditor must use discretion to maintain the privacy and integrity of data, and must make sure data is available only to designated parties. The IS auditor can indicate whether an organization needs legal advice and determine which areas need to be analyzed in depth.

Computer forensics can be useful in a vast number of IT-related situations, including fraud, spying, murder, extortion, technology exploitation, malicious email, data leakage, theft, spam, hacking and unlawful money transfers. Situations such as these can be resolved through detailed analysis of the events that occurred and the compilation of suitable evidence. The challenge in this kind of work is collecting data, protecting it, and making it dependable in a court of law. To do this, forensic analysis requires a precise set of resources and tools to gather, process, understand, and make use of digital evidence. These resources ensure a thorough investigation of all activities to verify the attack, restore critical information, anticipate further threats, and make the digital data admissible in criminal proceedings. The remainder of this paper focuses on some of these resources and how they are leveraged to conduct a forensic audit investigation. The discussion begins by identifying the software tools that are typically used and ends with an exploration of the critical human resources needed for a successful investigation.

Software Resources used in Computer Forensics

It is often said that a craftsman is only as good as his tools. This expression holds true in the forensic auditing profession as well. The following section will outline several software resources that are often leveraged by forensic auditors to improve the efficiency and effectiveness of the investigation process.

Acquisition Tools

When conducting a forensic audit investigation, one of the first things a forensic auditor must do is gather and preserve the digital evidence. This is called the acquisition process. During this process it is extremely important that the evidence be collected and stored using trusted methodologies and tools, because it may later be used in a criminal or civil court action. Perhaps one of the most trusted software applications on the market today for doing this is NTI's SafeBack. SafeBack creates a mirror image, or bit-stream backup file, of any storage device, such as a hard drive. NTI suggests, "The process is analogous to photography and the creation of a photo negative. Once the photo negative has been made several exact reproductions can be made of the original." The proper collection and preservation of evidence is so vital to forensic auditing that a large amount of research is conducted in this area alone. In fact, recent research and development has produced the digital evidence bag, which is explained further below.

Digital Evidence Bags

Over the years, one of the most important tools used by crime scene investigators has been the plastic evidence bag. These bags help investigators collect and secure physical evidence, ensuring that the all-important chain of custody is maintained. As a result of a recent 'US Air Force Research Laboratory' project, a similar concept named the digital evidence bag has been developed for computer forensics. A digital evidence bag (DEB) is a universal container for digital evidence from any source. It allows the provenance to be recorded and continuity to be maintained throughout the life of the exhibit. In short, DEBs provide auditors with a reliable container for storing evidence until it is released, destroyed, etc.

A digital evidence bag consists of three parts, each serving a unique purpose: the tag, index, and bag files. The tag file is a plain text file that contains important metadata about the evidence, including information related to the investigation (the time the DEB was created, a description of what was captured and when and where, etc.). Perhaps most importantly, this file also contains information related to the integrity of the DEB, including its hash value and Tag Continuity Blocks (TCBs) that record when the DEB was accessed. The index file contains information about the data itself, including the device used to capture it, its source and its format. The bag file could be considered the "meat" of the DEB, as it contains the actual evidence. While this could be in any format, it frequently takes the shape of a stream of bits or a set of logical files.

There are certain critical security elements intrinsic to a DEB that may help transform it from bleeding-edge science to a must-have for forensic auditors. The first built-in security attribute is stringent authentication requirements: accessing a DEB requires trimodal authentication (something you are, something you know, and something you have). The next security element intrinsic to DEBs is file integrity. As stated earlier, DEBs contain a tag file holding a hash value for the digital evidence; these hashes and digital signatures help ensure that the data has not been tampered with. Lastly, DEBs automatically create and update a log of when the file was accessed and by whom. Having this technology in place is essential to ensuring that auditors can maintain the chain of custody necessary for pursuing legal action. Digital evidence bags can play a vital role in protecting the evidence from corruption, allowing the evidence to proceed to the next step in the audit: analysis.
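The acquisition and DEB sections above describe a bit-stream copy, a tag file carrying the bag's hash, and Tag Continuity Blocks recording each access. The following is an added example written for this page; it is not the Air Force Research Laboratory's DEB implementation, and the file names (`evidence.tag`, `evidence.index`, `evidence.bag`), the JSON field names and the TCB layout are all assumptions. It copies a constructed "device" image into a bag, records its SHA-256 in the tag file, appends a TCB on every open, and refuses to hand back data once the bag no longer matches the recorded hash, while still logging the failed access.

```python
"""Minimal DEB-style container (added example; layout and names are assumptions)."""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def sha256_of(path: str) -> str:
    """Hash a file in 1 MiB chunks so large images need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def _write_tag(deb_dir: str, tag: dict) -> None:
    with open(os.path.join(deb_dir, "evidence.tag"), "w") as f:
        json.dump(tag, f, indent=1)


def acquire(device_path: str, deb_dir: str, examiner: str, description: str) -> dict:
    """Bit-stream copy device -> bag file, then write the index and tag files."""
    os.makedirs(deb_dir, exist_ok=True)
    bag = os.path.join(deb_dir, "evidence.bag")
    with open(device_path, "rb") as src, open(bag, "wb") as dst:
        for chunk in iter(lambda: src.read(1 << 20), b""):
            dst.write(chunk)
    index = {"source": device_path, "format": "raw bit-stream",
             "capture_tool": "acquire() (hypothetical)", "size": os.path.getsize(bag)}
    tag = {"created": datetime.now(timezone.utc).isoformat(),
           "examiner": examiner, "description": description,
           "bag_sha256": sha256_of(bag),
           "tcb": []}  # Tag Continuity Blocks: one entry per access
    with open(os.path.join(deb_dir, "evidence.index"), "w") as f:
        json.dump(index, f)
    _write_tag(deb_dir, tag)
    return tag


def open_bag(deb_dir: str, examiner: str, purpose: str) -> tuple:
    """Verify the bag against the recorded hash and append a TCB.
    Returns (intact, data); data is None when verification fails."""
    with open(os.path.join(deb_dir, "evidence.tag")) as f:
        tag = json.load(f)
    bag = os.path.join(deb_dir, "evidence.bag")
    current = sha256_of(bag)
    intact = current == tag["bag_sha256"]
    tag["tcb"].append({"time": datetime.now(timezone.utc).isoformat(),
                       "examiner": examiner, "purpose": purpose,
                       "hash_seen": current, "intact": intact})
    _write_tag(deb_dir, tag)  # the access log is updated even when the check fails
    if not intact:
        return False, None
    with open(bag, "rb") as f:
        return True, f.read()


def demo() -> dict:
    """Constructed scenario: acquire a fake device image, open it, then
    simulate tampering and show that the next open detects it."""
    work = tempfile.mkdtemp()
    device = os.path.join(work, "device.img")
    with open(device, "wb") as f:  # constructed, not a real disk image
        f.write(b"\x00" * 512 + b"ledger.xls contents (constructed)" + b"\xff" * 512)
    deb = os.path.join(work, "case-001")
    acquire(device, deb, "examiner A", "constructed demo image")
    first, _ = open_bag(deb, "examiner A", "file listing")
    with open(os.path.join(deb, "evidence.bag"), "r+b") as f:  # simulated tampering
        f.seek(512)
        f.write(b"X")
    second, data = open_bag(deb, "examiner B", "keyword search")
    with open(os.path.join(deb, "evidence.tag")) as f:
        accesses = len(json.load(f)["tcb"])
    return {"first_open_ok": first, "after_tamper_ok": second,
            "data_returned_after_tamper": data is not None,
            "accesses_logged": accesses}


if __name__ == "__main__":
    print(demo())
```

The point of keeping the hash in a separate tag file and appending a TCB before deciding whether to return data is that the continuity record itself becomes evidence: a failed verification is logged with who opened the bag and what hash they saw, which is exactly what a chain-of-custody challenge in court would ask for.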

Analysis Tools

After the digital evidence has been properly gathered and preserved, auditors must determine what portion of it constitutes actual evidence. This analysis process typically involves several steps, each of which relies heavily on the speed and efficiency of different software applications. Generally, the first tool an auditor uses to examine digital evidence for clues is a file listing and documentation package. These packages can examine a bit-stream image and produce a listing of the programs and files that were present on the original device. While a listing of files is obviously an essential report, so too is the listing of installed programs. With it, an auditor can look for software typically used to hide, protect, encrypt or delete files from investigators. The mere presence of encryption packages such as 'TrueCrypt' or 'Hide and Seek' (a steganography tool that can hide files within images) suggests intent to conceal evidence and helps the auditor determine which additional tools might be necessary.

Another vital tool set in the forensic auditor's toolkit is file recovery tools. Many users think that once they delete a file from their computer, the information contained within it is gone forever. Simply put, this is not the case. When a user deletes a file, the file is not actually destroyed. Instead, the pointer to the file is removed, leaving the contents of the file intact. All deleted files become part of the free space on the storage medium, which the computer subsequently uses to store new files, so the content survives until that space is overwritten. It is because of this that deleted files can often be recovered using a variety of commercial and free products on the market such as ProQuest's 'Lost & Found' or 'FreeUndelete'. When recovering deleted files, auditors should pay special attention to the file's characteristics, examining when the file was last viewed and when it was deleted.

After a list of suspicious files has been accumulated, the auditor needs a means of opening these files to investigate their contents. Obviously, a variety of file types (e.g. .doc, .gif, .xlsx, .pdf) from a multitude of software vendors (e.g. Microsoft, Adobe) could exist on the image. In lieu of accumulating a massive library of vendor programs to open these files, auditors rely on file viewing packages. File viewers allow the auditor to open a multitude of different file types from one place. One such product, Guidance Software's 'EnCase', boasts the ability to view over 400 different file types from one location.

Investigating a suspicious file using a file viewer is relatively easy if it is in a recognized format. Oftentimes, however, criminals attempt to disguise evidence by changing or removing a file's extension. For example, someone trying to cover up an Excel spreadsheet of fraudulent transactions might change the file extension from .xls to .abc. This type of change will not fool the well-tooled auditor, as there are tools on the market that can easily uncover this kind of disguise. The first few bytes of most files contain a signature that is invisible to the end user but identifies the file type. Products such as Maresware's 'DiskCat' compare this hidden signature with the visible file extension, easily identifying mismatches. Any such mismatch should raise an immediate red flag for the forensic auditor and warrant further investigation.
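The two preceding passages, file recovery from free space and signature-versus-extension mismatches, rest on the same fact: a file's leading "magic" bytes identify its format regardless of its name or whether a directory entry still points at it. The following added example (written for this page; it is not DiskCat, Lost & Found or any other product's code) does both jobs with one signature table: it flags files whose extension disagrees with their embedded signature, and it carves headers out of a constructed block of "free space" the way a recovery tool finds deleted content. The signature values are the public, well-documented constants for each format; the `ole2` name, the alias table and the sample files are assumptions and constructed inputs.

```python
"""Signature-based type identification and header carving (added example)."""
import os

OLE2 = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy .xls/.doc compound-file header

# Leading bytes of common formats (public, well-documented constants).
SIGNATURES = {
    b"%PDF-": "pdf",
    b"\x89PNG\r\n\x1a\n": "png",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
    b"\xff\xd8\xff": "jpg",
    b"PK\x03\x04": "zip",  # also .docx/.xlsx, which are zip containers
    OLE2: "ole2",
}

# Extensions that legitimately correspond to a signature type (assumed table).
EXTENSION_ALIASES = {"jpeg": "jpg", "xlsx": "zip", "docx": "zip",
                     "xls": "ole2", "doc": "ole2"}


def identify(data: bytes) -> str:
    """Return the format name implied by the first bytes, or 'unknown'."""
    for magic, name in SIGNATURES.items():
        if data.startswith(magic):
            return name
    return "unknown"


def extension_mismatch(filename: str, data: bytes) -> bool:
    """True when the visible extension disagrees with the embedded signature.
    Files with no known signature are not flagged; they need manual review."""
    ext = os.path.splitext(filename)[1].lstrip(".").lower()
    ext = EXTENSION_ALIASES.get(ext, ext)
    actual = identify(data)
    if actual == "unknown":
        return False
    return ext != actual


def carve(image: bytes) -> list:
    """Scan raw bytes (e.g. free space) for known headers and return
    (offset, type) pairs. A full carver would also find footers to cut the
    file out; this one only locates where recoverable content begins."""
    hits = []
    for magic, name in SIGNATURES.items():
        start = 0
        while True:
            pos = image.find(magic, start)
            if pos < 0:
                break
            hits.append((pos, name))
            start = pos + 1
    return sorted(hits)


def demo() -> dict:
    """Constructed inputs: a few (name, bytes) pairs and a small free-space image."""
    files = {
        "ledger.abc": OLE2 + b"fake workbook",        # .xls renamed to evade viewers
        "photo.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 16,
        "report.xlsx": b"PK\x03\x04" + b"\x00" * 16,
        "notes.txt": b"plain text, no signature",
    }
    flagged = sorted(n for n, d in files.items() if extension_mismatch(n, d))
    free_space = (b"\x00" * 64 + OLE2 + b"spreadsheet (constructed)"
                  + b"\x00" * 32 + b"%PDF-1.4 (constructed)")
    return {"flagged": flagged, "carved": carve(free_space)}


if __name__ == "__main__":
    print(demo())
```

Note the asymmetry in `extension_mismatch`: an unknown signature is reported as "cannot judge" rather than as a mismatch, because plain text, logs and many proprietary formats have no fixed header, and flagging all of them would bury the real renames in noise.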

Another way that wrongdoers attempt to hide evidence is by leveraging file encryption or password protection. When files are encrypted or password protected, their contents cannot be screened by digital search utilities, making them essentially invisible to forensic audit analysis. To deal with such cases, forensic auditors use password recovery tools expressly designed for this purpose. The NTI corporation is perhaps the leader in this space, offering a suite of tools called the Password Recover Tool Kit. This toolkit is made available only to corporate and government clients, ensuring that it is used by forensic specialists and not for wrongdoing.

As described above, there is a plethora of tools available to assist forensic auditors with their investigations. These tools are primarily used to gather, protect and analyze evidence and, if used properly, can greatly increase the efficiency and effectiveness of a forensic audit. However, these tools alone do not ensure a successful investigation. Another key resource needed to conduct a forensic audit is a well-trained forensic auditor.

The Necessary Skills of a Forensic Auditor

To many, the auditing profession appears very complex and rule-bound, and under certain circumstances it is just that. However, as one becomes more acclimated to the profession, one starts to see the many different faces this career can offer. Forensic auditing, while it involves criteria similar to other audits such as financial statement audits, compliance audits, or information systems audits, can be viewed as more of an art than a science. Unlike the other types of audit, forensic auditing relies more on the auditor's subjective judgment than on objective checklists. Nevertheless, there are guidelines and red-flag areas that help point forensic auditors towards a specific type of test or tool.

It is because of these differences that forensic auditors must possess a different and more specialized skill set than traditional auditors. Much of what forensic auditing deals with involves fraud and determining who committed it and how, especially via computers and digital information. One of the most important qualifications for a forensic auditor is familiarity with both law enforcement and IT. These are not hard qualifications to understand, because forensic auditors are, in many cases, seen and portrayed as detectives. Much of the data they use to solve a case requires being able to navigate and understand how information is stored on computers and the latest technology. Having a solid IT background, in hardware as well as software, is crucial for this work. In order to properly preserve evidence, you need to go out and correctly handle large servers, desktops and laptops: remove hard drives, make images of them and properly document everything you do.

Many argue that the most important trait of a forensic auditor is the ability to argue their findings effectively in court. One has to remember that forensic auditing is done in order to find out how the fraud was committed and who was behind it, not to mention how much the victim lost because of the illegal act. With that said, forensic auditors must often testify in court against defendants, or even plaintiffs if the situation arises. That is why it is so important for forensic auditors to have proper training and education in how to conduct themselves in front of a judge. Many times a forensic auditor has all the evidence needed to back up a conclusion, yet the defense may twist the subject in its favor, and the forensic auditor must be ready to respond accordingly. This is a tough trait to develop and often takes time, but, as with anything, you have to be willing to work to reach where you want to be.
