Forensic and Investigative Accounting
Chapter 13
Investigation of Electronic Data:
A Brief Introduction
© 2011 CCH. All Rights Reserved.
4025 W. Peterson Ave.
Chicago, IL 60646-6085
1 800 248 3248
www.CCHGroup.com
Chapter 13 Forensic and Investigative Accounting 2
Definition of Computer Forensics
Computer forensics is the analysis of electronic data and residual data for the purposes of its recovery, legal preservation, authentication, reconstruction, and presentation to solve or aid in solving technology-based crimes.
Digital Forensics
Digital forensics is the investigation of all electronic devices such as cell phones, Blackberries, and iPods as well as computers to meet all the collection and preservation goals of computer forensics.
SAS No. 99 Guidelines for Testing Digital Data
SAS No. 99 states:
In an IT environment, it may be necessary for the auditor to employ computer-assisted audit techniques (for example, report writers, software or data extraction tools, or other system-based techniques) to identify the journal entries or other adjustments to be tested.
IT Guidelines under COSO Framework
Guidelines have been established for these areas:
1. Internal control environment
2. Objective setting
3. Event identification
4. Risk assessment
5. Risk response
6. Control activities
7. Information and communication
8. Monitoring
COBIT’s Goals
COBIT’s goals are to set control objectives for IT compliance using a strategic planning perspective and at the same time to outline, in detail, the proper procedures to be followed for specific compliance measures.
ISO/IEC 1799:2005 Information Technology – Security Techniques
Guidelines published by the International Organization for Standardization and used as standardization for security. They include standards for security policy; the organization of information security; asset management; human resources security; physical and environment security; communication management; access controls; information acquisition; incident management; continuity management; and compliance.
Technical Skills for Digital Evidence Collection
Necessary skills are based on the following requirements:
1. Understanding of various operating systems
2. Quickly identifying pertinent digital data
3. Properly preserving data
4. Properly securing data
5. Properly collecting data
6. Maintaining a proper chain of custody
Forensic Investigative Tools
Imaging software: EnCase, SafeBack
Data extraction or data mining software: ACL, Data Extraction and Analysis (IDEA)
Data Mining Strategies
Link Analysis: Identify correlations in the database
Case Base Reasoning: Associations with past data
Sequence Analysis: Relationships based on timelines
Cluster Analysis: Separating groups into their distinctive characteristics
Zipf’s Law
Uses frequency distributions to identify anomalies that may be an indicator of financial fraud.
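
One way to apply the frequency-distribution idea above, as an added example that is not from the original slides: rank the distinct values in a field by how often they occur and compare each count with the count Zipf's law predicts for that rank. The sample amounts, the exponent s = 1 and the 1.3 review threshold are assumptions made for illustration.

```python
from collections import Counter

# Constructed sample: invoice amounts from a payments ledger (not real data).
# Six amounts follow a 1/rank pattern; "4990.00" is repeated far more often
# than that pattern predicts.
SAMPLE_COUNTS = {"100.00": 120, "4990.00": 110, "250.00": 60, "75.50": 40,
                 "1200.00": 30, "310.25": 24, "89.99": 20}
SAMPLE = [amt for amt, n in SAMPLE_COUNTS.items() for _ in range(n)]

def zipf_table(values, s=1.0):
    """Rank distinct values by frequency and compare each observed count with
    the Zipf expectation for that rank: expected = C / rank**s, where C is
    chosen so the expected counts sum to the number of records."""
    ranked = Counter(values).most_common()
    total = sum(n for _, n in ranked)
    harmonic = sum(1.0 / r ** s for r in range(1, len(ranked) + 1))
    c = total / harmonic
    rows = []
    for rank, (value, observed) in enumerate(ranked, start=1):
        expected = c / rank ** s
        rows.append((rank, value, observed, expected, observed / expected))
    return rows

def zipf_outliers(values, s=1.0, ratio_limit=1.3):
    """Return (value, observed, ratio) for values that occur more often than
    ratio_limit times the Zipf expectation. The limit is an assumed threshold."""
    return [(value, observed, round(ratio, 2))
            for _, value, observed, _, ratio in zipf_table(values, s)
            if ratio > ratio_limit]

if __name__ == "__main__":
    for rank, value, obs, exp, ratio in zipf_table(SAMPLE):
        print(f"{rank:>2} {value:>8} observed={obs:>3} "
              f"expected={exp:6.1f} ratio={ratio:.2f}")
    print("review:", zipf_outliers(SAMPLE))
```

A flagged value is a lead for follow-up testing, not a finding; the ratio only shows that the value is over-represented relative to the assumed distribution.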
Audit Trails
Computer logs found in software such as PeopleSoft and SAP can be used to trace the activities of employees to determine if they are following unauthorized policies that may be an indicator of fraudulent activity.
Log Parsers
Log parsers are utility programs that let the investigator convert raw log entries into a format that is useful for an investigation.
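
A small log parser covering both the audit-trail and log-parser slides above, as an added example that is not from the original slides: it turns raw entries into structured records, keeps unparseable lines for reconciliation, and flags activity outside policy. The pipe-delimited layout, the role policy and the business hours are assumptions; this is not the PeopleSoft or SAP log format.

```python
import re
from datetime import datetime
from decimal import Decimal

# Constructed raw entries in a made-up layout (not PeopleSoft or SAP).
RAW_LOG = """\
2011-03-14 09:12:45|asmith|AP_CLERK|ENTER_INVOICE|INV-2201|amount=1250.00
2011-03-14 09:30:02|bjones|AP_MANAGER|APPROVE_PAYMENT|INV-2201|amount=1250.00
2011-03-14 23:47:19|asmith|AP_CLERK|APPROVE_PAYMENT|INV-2207|amount=4990.00
corrupted ### entry
2011-03-15 10:05:33|asmith|AP_CLERK|ENTER_INVOICE|INV-2210|amount=310.25
"""
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\|(?P<user>\w+)\|(?P<role>\w+)"
    r"\|(?P<action>\w+)\|(?P<doc>[\w-]+)\|amount=(?P<amount>\d+\.\d{2})$")
# Hypothetical policy: actions each role is allowed to perform.
ALLOWED = {"AP_CLERK": {"ENTER_INVOICE"},
           "AP_MANAGER": {"ENTER_INVOICE", "APPROVE_PAYMENT"}}

def parse_log(raw):
    """Return (records, rejects). Unparseable lines are kept with their line
    number so the parsed set can be reconciled against the source log."""
    records, rejects = [], []
    for lineno, line in enumerate(raw.splitlines(), start=1):
        m = LINE_RE.match(line.strip())
        if not m:
            rejects.append((lineno, line))
            continue
        rec = m.groupdict()
        rec["line"] = lineno
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%d %H:%M:%S")
        rec["amount"] = Decimal(rec["amount"])
        records.append(rec)
    return records, rejects

def flag_exceptions(records, open_hour=8, close_hour=18):
    """List records that break the role policy or fall outside business hours."""
    flagged = []
    for rec in records:
        reasons = []
        if rec["action"] not in ALLOWED.get(rec["role"], set()):
            reasons.append("action not permitted for role")
        if not open_hour <= rec["ts"].hour < close_hour:
            reasons.append("outside business hours")
        if reasons:
            flagged.append((rec["line"], rec["user"], rec["doc"], reasons))
    return flagged
```

Each flagged tuple carries the source line number, so an exception can be traced back to the untouched original log.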
Conclusions
Expanded methods to standardize security policies are being made in an attempt to make it more difficult for cybercriminals to attack the financial databases of companies. The passage of time will determine the success of these methods.