Forensic and Investigative Accounting Chapter 13 Investigation of Electronic Data: A Brief Introduction © 2011 CCH. All Rights Reserved. 4025 W. Peterson

Forensic and Investigative AccountingForensic and Investigative Accounting

Chapter 13

Investigation of Electronic Data:

A Brief Introduction

© 2011 CCH. All Rights © 2011 CCH. All Rights Reserved.Reserved.

4025 W. Peterson Ave.4025 W. Peterson Ave.

Chicago, IL 60646-6085Chicago, IL 60646-6085

1 800 248 32481 800 248 3248

www.CCHGroup.comwww.CCHGroup.com

Chapter 13 Forensic and Investigative Accounting 2

Definition of Computer ForensicsDefinition of Computer Forensics

Computer forensics is the analysis of electronic Computer forensics is the analysis of electronic data and residual data for the purposes of its data and residual data for the purposes of its recovery, legal preservation, authentication, recovery, legal preservation, authentication, reconstruction, and presentation to solve or aid in reconstruction, and presentation to solve or aid in solving technology-based crimes.solving technology-based crimes.

Digital ForensicsDigital Forensics

Digital forensics is the investigation of all Digital forensics is the investigation of all electronic devices such as cell phones, electronic devices such as cell phones, Blackberries, and iPods as well as Blackberries, and iPods as well as computers to meet all the collection and computers to meet all the collection and preservation goals of computer forensics. preservation goals of computer forensics.



SAS No. 99 Guidelines for SAS No. 99 Guidelines for Testing Digital DataTesting Digital Data

SAS No. 99 states:SAS No. 99 states:

In an IT environment, it may be necessary In an IT environment, it may be necessary for the auditor to employ computer-assisted for the auditor to employ computer-assisted audit techniques (for example, report audit techniques (for example, report writers, software or data extraction tools, or writers, software or data extraction tools, or other system-based techniques) to identify other system-based techniques) to identify the journal entries or other adjustments to the journal entries or other adjustments to be tested.be tested.


IT Guidelines under COSO FrameworkIT Guidelines under COSO Framework

Guidelines have been established for these areas:Guidelines have been established for these areas:

1.1. Internal control environmentInternal control environment

2.2. Objective settingObjective setting

3.3. Event identificationEvent identification

4.4. Risk assessmentRisk assessment

5.5. Risk responseRisk response

6.6. Control activitiesControl activities

7.7. Information and communicationInformation and communication

8.8. MonitoringMonitoring


COBIT’s GoalsCOBIT’s Goals

COBIT’s goals are to set control objectives COBIT’s goals are to set control objectives for IT compliance using a strategic planning for IT compliance using a strategic planning perspective and at the same time to outline, in perspective and at the same time to outline, in detail, the proper procedures to be followed detail, the proper procedures to be followed for specific compliance measures.for specific compliance measures.

ISO/IEC 1799:2005 Information ISO/IEC 1799:2005 Information Technology – Security TechniquesTechnology – Security Techniques

Guidelines published by the International Guidelines published by the International Organization for Standardization and used Organization for Standardization and used as standardization for security. as standardization for security. They include They include standards for security policy; the organization of standards for security policy; the organization of information security; asset management; human information security; asset management; human resources security; physical and environment resources security; physical and environment security; communication management; access security; communication management; access controls; information acquisition; incident controls; information acquisition; incident management; continuity management; and management; continuity management; and compliancecompliance



Technical Skills for Digital Technical Skills for Digital Evidence CollectionEvidence Collection

Necessary skills are based on the following Necessary skills are based on the following requirements:requirements:

1.1. Understanding of various operating systemsUnderstanding of various operating systems

2.2. Quickly identifying pertinent digital dataQuickly identifying pertinent digital data

3.3. Properly preserving dataProperly preserving data

4.4. Properly securing dataProperly securing data

5.5. Properly collecting dataProperly collecting data

6.6. Maintaining a proper chain of custodyMaintaining a proper chain of custody


Forensic Investigative ToolsForensic Investigative Tools

Imaging software:Imaging software: EnCaseEnCase SafeBackSafeBack

Data extraction or data mining software:Data extraction or data mining software: ACLACL Data Extraction and Analysis (IDEA)Data Extraction and Analysis (IDEA)

Data Mining StrategiesData Mining Strategies

Link Analysis: Identify correlations in the Link Analysis: Identify correlations in the databasedatabase

Case Base Reasoning: Associations with Case Base Reasoning: Associations with past datapast data

Sequence Analysis: Relationships based on Sequence Analysis: Relationships based on timelinestimelines

Cluster Analysis: Separating groups into Cluster Analysis: Separating groups into their distinctive characteristicstheir distinctive characteristics


Zipf’s LawZipf’s Law

Uses frequency distributions to identify Uses frequency distributions to identify anomalies that may be an indicator of anomalies that may be an indicator of financial fraud.financial fraud.


Audit TrailsAudit Trails

Computer logs found in software such as Computer logs found in software such as PeopleSoft and SAP can be used to trace PeopleSoft and SAP can be used to trace the activities of employees to determine if the activities of employees to determine if they are following unauthorized policies they are following unauthorized policies that may be an indicator of fraudulent that may be an indicator of fraudulent activity.activity.


Log ParsersLog Parsers

Log Parsers are utility programs that allow Log Parsers are utility programs that allow the investigator to be able to format raw log the investigator to be able to format raw log entries into a format that is useful for an entries into a format that is useful for an investigation. investigation.


ConclusionsConclusions

Expanded methods to standardize security Expanded methods to standardize security policies are being made in an attempt ot policies are being made in an attempt ot make it more difficult for cybercrimes to make it more difficult for cybercrimes to attack the financial databases of companies. attack the financial databases of companies. The passage of time will determine the The passage of time will determine the success of these methods. success of these methods.


Documents

Forensic and Investigative Accounting Chapter 13 Investigation of Electronic Data: A Brief Introduction © 2011 CCH. All Rights Reserved. 4025 W. Peterson