Module 5


Jonathan D Piersaint
St. Thomas University
Ch 13 Exercises 1, 3, 4, 6, 7, 11, 13, 17, 19, 24
1. Define computer forensics.
• The term computer forensics describes the procedures applied to computers and
peripherals to gather evidence that may be used in civil and criminal courts of law.
3. List where some electronic evidence of a crime may be found.
• Electronic evidence of a crime may be found on employer-owned personal computers and
mainframes, employees' personal laptops, the company's network, personal digital
assistants, BlackBerries, digital cameras, pagers, iPads, external drives, memory sticks,
scanners, floppy disks, smart cards, cell phones, and web servers on external networks.
4. Summarize the guidelines SAS No. 31 provides for auditors.
• SAS No. 31, Evidential Matter, provides guidelines for audit engagements that encounter
electronic documents. It may not be practical or possible to reduce detection risk to an
acceptable level using substantive tests alone. In those cases the auditor must perform
tests of system controls to show that they are strong enough to mitigate the risks
inherent in electronic audit evidence.
6. Discuss any three of the technical skills needed for working with digital evidence collection.
• 1) Understanding of various operating systems. The auditor may have to conduct a
preliminary review of electronic financial data, and the analysis needs to be conducted
quickly, with an evidentiary search of the target data on various operating systems (OSs).
The auditor needs a basic familiarity with the different OSs and their network file
architecture in order to locate pertinent files.
• 2) Properly preserving data. The auditor needs to know how to preserve the data and
the timestamps within any files being analyzed for a possible financial fraud. This
requires a basic familiarity with OS timestamp and data protocols: date and timestamp
information shows when changes to files were made and helps identify who made them.
• 3) Properly collecting data. When an initial review of the financial system data is done,
the auditor may have to use mirror imaging software to identify and collect electronic
evidence by making a bitstream, read-only image of the media. Once the data is secured,
it can be handed to a computer forensic analyst for further investigation.
7. From the Internet, determine the use of these software tools:
• a) Nmap is a security scanner used to discover hosts and services on a computer
network, thus creating a "map" of the network. To do this, Nmap sends specially crafted
packets to the target host and analyzes the responses. Typical uses in auditing are
securing a device or firewall by identifying the network connections that can be made to
or through it, identifying open ports on a target host in preparation for an audit, and
auditing the security of a network by identifying new or unexpected servers.
• b) John the Ripper is an example of software that can be used to crack passwords. There
are numerous free password crackers available for download from the Internet, and they
run on various operating systems.
• c) TCPDump (tcpdump) is a common command-line packet analyzer. It lets the user
display TCP/IP and other packets being transmitted or received over a network to which
the computer is attached. Distributed under the BSD license, tcpdump is free software.
• d) Tripwire is a file integrity monitoring tool. It validates the integrity of operating
system and application files by comparing the current state of each file against a known,
good baseline. The comparison usually involves calculating a cryptographic checksum
(hash) of each file when the baseline is taken and comparing it with the checksum of the
file's current state; a mismatch means the file was changed, replaced, or removed. The
monitoring is automated by the application and can be run on demand, at a defined
polling interval, or in real time.
• e) THC-Scan is a war dialer: a program that uses a modem to automatically dial a list
of telephone numbers, often every number in a local area code, to find computers,
bulletin board systems, and fax machines. The resulting lists are used for various
purposes: by hobbyists for exploration, and by crackers (malicious hackers who specialize
in breaching computer security) for guessing user accounts (by capturing voicemail
greetings) or for locating modems that might provide an entry point into computer or
other electronic systems. Security personnel may also use it, for example, to detect
unauthorized devices such as modems or fax machines on a company's telephone network.
11. Describe COBIT's goals.
• COBIT's goals are to set control objectives for IT compliance from a strategic planning
perspective and, at the same time, to outline in detail the proper procedures to be
followed for specific compliance measures.
13. Can deleted files always be recovered? Explain your answer.
• Deleted files can usually be recovered, but it depends on how they were deleted. If the
files were deleted with the Delete key or placed in the Recycle Bin, they can be recovered
fairly easily, especially when the time between deletion and recovery is short. Such data
has not actually been erased: the OS has only marked the clusters the file occupied as
free space, and the contents remain on the disk until something else is written there. The
longer the time between deletion and recovery, the less data can be recovered, because
the OS writes new data over the "deleted" data in those clusters. If the data itself was
overwritten, for example by a wiping tool, software recovery is no longer possible.
Expensive laboratory methods can recover data from electronic media even when the media
has been physically damaged.
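To make the "marked free, not erased" point concrete, here is an added example (not the textbook's code) that models a tiny disk with a sector bitmap and a directory. An ordinary delete only edits the bookkeeping, so a recovery tool can carve the file back by its signature; once a new file is written into the same sectors, the header, and eventually the footer, are gone. The sector size, layout, file names and the miniature "JPEG" are all constructed for the demonstration; the header and footer markers are the real JPEG ones.

```python
"""Why a deleted file usually survives until it is overwritten (added example).

A toy disk with a sector bitmap and a directory stands in for a real file
system. Deleting only edits the bookkeeping; the bytes stay on the platter
and can be carved back by file signature until new data lands on top.
Sector size, layout and the 'JPEG' contents are constructed.
"""
SECTOR = 64     # bytes per sector (real disks use 512 or 4096)
NSECT = 16

JPEG_HEADER = b"\xff\xd8\xff"   # real JPEG start-of-image marker
JPEG_FOOTER = b"\xff\xd9"       # real JPEG end-of-image marker


class ToyDisk:
    def __init__(self):
        self.raw = bytearray(SECTOR * NSECT)   # the "platter"
        self.free = [True] * NSECT             # allocation bitmap
        self.directory = {}                    # name -> (first sector, length in bytes)

    def _sectors(self, length):
        return -(-length // SECTOR)            # ceiling division

    def write(self, name, data):
        """Store data in the first run of free sectors, like a simple allocator."""
        need = self._sectors(len(data))
        for start in range(NSECT - need + 1):
            if all(self.free[start:start + need]):
                break
        else:
            raise OSError("disk full")
        self.raw[start * SECTOR:start * SECTOR + len(data)] = data
        for s in range(start, start + need):
            self.free[s] = False
        self.directory[name] = (start, len(data))

    def read(self, name):
        start, length = self.directory[name]
        return bytes(self.raw[start * SECTOR:start * SECTOR + length])

    def delete(self, name):
        """Ordinary delete: drop the directory entry, mark sectors free, touch no data."""
        start, length = self.directory.pop(name)
        for s in range(start, start + self._sectors(length)):
            self.free[s] = True


def carve_jpegs(raw):
    """Recover JPEG-like blobs from raw media by header/footer signature,
    ignoring the file system entirely (what recovery tools do)."""
    found, pos = [], 0
    while True:
        h = raw.find(JPEG_HEADER, pos)
        if h < 0:
            break
        f = raw.find(JPEG_FOOTER, h + len(JPEG_HEADER))
        if f < 0:
            break
        found.append(bytes(raw[h:f + len(JPEG_FOOTER)]))
        pos = f + len(JPEG_FOOTER)
    return found


def demo():
    disk = ToyDisk()
    photo = JPEG_HEADER + b"\xe0" + bytes(range(90)) + JPEG_FOOTER   # 96-byte "photo", 2 sectors
    disk.write("photo.jpg", photo)
    disk.delete("photo.jpg")
    after_delete = carve_jpegs(disk.raw)          # still fully recoverable

    disk.write("notes.txt", b"A" * 30)            # new file reuses sector 0: header gone
    after_partial = carve_jpegs(disk.raw)
    footer_after_partial = disk.raw.find(JPEG_FOOTER) >= 0   # fragment survives in sector 1

    disk.write("report.txt", b"B" * 96)           # next free run is sectors 1-2: footer gone too
    footer_after_full = disk.raw.find(JPEG_FOOTER) >= 0

    return {
        "original": photo,
        "after_delete": after_delete,
        "after_partial_overwrite": after_partial,
        "footer_after_partial": footer_after_partial,
        "footer_after_full": footer_after_full,
    }


if __name__ == "__main__":
    r = demo()
    print("recovered after delete:", r["after_delete"] == [r["original"]])
    print("recovered after partial overwrite:", r["after_partial_overwrite"])
    print("footer fragment left after partial / full overwrite:",
          r["footer_after_partial"], r["footer_after_full"])
```

The carver never consults the directory or the bitmap, which is exactly why it works on "deleted" data and why it is run against a read-only bitstream image rather than the live disk: every write to the original, including the OS's own housekeeping, risks landing on the sectors you are trying to recover.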
17. In what ways can electronic evidence be destroyed so that it is no longer admissible in court?
Explain your answer.
• When original digital files are opened or copied with ordinary tools rather than forensically
imaged, they are essentially destroyed for evidentiary purposes, because their timestamps
and other metadata change.
• Evidence is no longer admissible in court if opposing counsel can show that it was tainted
or accidentally altered in some manner, whether while it was still on the suspect's PC, as
it was removed, or during the forensic examination. To prevent such claims, the suspect's
PC must not be powered up or shut down, and files must not be opened or closed, without
a forensic expert present. Laptops should have their batteries removed first so that they
have no power source once the power cord is disconnected. Only view files in a bitstream
image or in read-only mode so that the evidence remains legally secure. Hash all evidence
files with an accepted algorithm so that any later alteration can be detected. To prevent
claims of data contamination during the examination, a closely controlled chain of
custody must be maintained over the electronic data.
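The check behind both Tripwire (exercise 7d above) and the instruction to hash all evidence files (exercise 17) is the same: record a cryptographic hash of each file when it is known good, then recompute and compare later. The following added example (not the textbook's or Tripwire's code) builds such a baseline over a small file tree, stores it as JSON, and reports files that were added, removed, or modified. The directory names, file contents and the "disk image" are constructed for the demonstration.

```python
"""Hash-and-compare integrity check (added example, not the textbook's code).

Builds a Tripwire-style baseline of SHA-256 hashes for a file tree, then
reports files that were added, removed or modified. Hashing evidence files
buys the same guarantee: if the stored hash still matches, the file was
not altered after collection. All paths and contents are constructed.
"""
import hashlib
import json
import os
import shutil
import tempfile


def sha256_file(path, chunk=1 << 20):
    """Hash a file in fixed-size chunks so a multi-gigabyte disk image never
    has to fit in memory. The file is opened read-only; nothing is written."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def snapshot(root):
    """Map every regular file under root (relative, '/'-separated) to its hash."""
    out = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            out[rel] = sha256_file(full)
    return out


def diff_snapshots(baseline, current):
    """Report drift from the baseline the way a Tripwire run would."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline
                           if p in current and baseline[p] != current[p]),
    }


def demo():
    """Baseline a constructed tree, re-check it unchanged, then tamper and re-check."""
    root = tempfile.mkdtemp()

    def put(rel, data):
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(data)

    try:
        put("evidence/disk.dd", bytes(range(256)) * 8)   # stand-in for a bitstream image
        put("evidence/syslog", b"Jun 30 05:25:10 web sshd[412]: session opened\n")
        put("bin/ls", b"\x7fELF constructed binary stub")
        base = snapshot(root)
        stored = json.dumps(base)          # the baseline you would keep offline and signed

        # re-reading the files must not change a single hash
        unchanged = diff_snapshots(json.loads(stored), snapshot(root))

        put("bin/ls", b"\x7fELF trojaned stub")                            # binary replaced
        put("evidence/disk.dd.sha256", base["evidence/disk.dd"].encode())  # new file appears
        os.remove(os.path.join(root, "evidence", "syslog"))                # log wiped
        drift = diff_snapshots(json.loads(stored), snapshot(root))

        return {"image_hash": base["evidence/disk.dd"], "unchanged": unchanged, "drift": drift}
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Two practical points the code makes: the baseline is only as trustworthy as its storage, so keep it off the monitored host and sign or hash it in turn, and the hash must be taken from a read-only image of the evidence before any analysis starts, so that the "known good" value predates every step an opposing expert could question.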
19. Under the COSO framework, what general IT guidelines have been established?
• Internal control environment: the underlying corporate culture is evaluated for its
attitude toward risk, including risk-taking, ethical values, and adequate controls.
• Objective setting: evaluates whether a process is in place for setting objectives that
correspond with the organization's mission.
• Event identification: determines how the organization separates internal and external
occurrences into risk and opportunity classifications and how those relate to its
objectives.
• Risk assessment: determines whether there is an effective response for managing the IT
risks the organization faces.
• Risk response: deals with avoiding, accepting, or reducing the identified risks.
• Control activities: evaluates whether effective controls are in place to manage IT risk.
• Communication: must be established so that information is shared broadly up and down
the organization, with assurance that the proper information is identified and captured.
• Monitoring: is in place if it can be verified that the controls are effective and that
corrective action is taken when weaknesses are detected.
Ch 14 Exercises 4, 15, 18, 29, 30
4. Explain these terms.
• Message encapsulation.
o In message encapsulation, each layer of information in the sent packet is
interpreted by the same layer at the receiving end of the transmission.
Additionally, each layer communicates only with the layer directly above or
below it.
• Transportation (transport) layer.
o This layer provides the data needed to make the connection to the receiving host.
The transport layer is responsible for the integrity, flow control, and proper
connections between the sending and receiving hosts. This responsibility includes
finding the proper entry port on the recipient's server.
• Checksum field.
o The checksum field is used to detect corruption of the TCP header and the data.
The sender calculates a checksum over each TCP segment (its header, its data, and a
pseudo-header containing the source and destination IP addresses, the protocol
number, and the segment length) and places it in this field. The recipient
recomputes the checksum the same way and compares it with the one received; a
mismatch causes the segment to be discarded.
• Flag data.
o The flag bits (SYN, ACK, FIN, RST, PSH, URG) signal the connection state of the
data exchange, for example SYN to open a connection and FIN to close it.
• Network layer.
o This layer controls the route the data takes to reach its destination. IP operates at
this layer and sends packets from the source to the destination network across
various subnets and through numerous routers.
• Keylogger.
o A keylogger is a software program or hardware device that logs all keystrokes made
on a keyboard, typically covertly. Even if the user has encryption software, the
keystrokes are captured in plaintext, because they are logged before encryption
takes place.
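As an added example (not from the textbook), the checksum and flag items above worked through on a constructed TCP segment: the code packs a 20-byte header, computes the checksum over the IPv4 pseudo-header plus header plus data exactly as the sender does, verifies it as the receiver does, and decodes the flag bits. The IP addresses, ports, sequence numbers and payload are made up. It also shows the security-relevant caveat: a flipped bit is caught, but swapping two 16-bit words is not, because the checksum is an order-independent sum.

```python
"""TCP checksum and flag bits on a constructed segment (added example).

Builds a 20-byte TCP header plus payload with struct, computes the RFC 793
checksum over the IPv4 pseudo-header + header + data, verifies it as a
receiver would, and shows what the checksum does and does not catch.
Addresses, ports, sequence numbers and payload are made up.
"""
import struct

FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08, "ACK": 0x10, "URG": 0x20}
HDR_FMT = "!HHIIHHHH"   # sport, dport, seq, ack, offset+flags, window, checksum, urgent ptr


def ip_bytes(ip):
    return bytes(int(o) for o in ip.split("."))


def ones_complement_sum(data):
    """RFC 1071 Internet checksum core: 16-bit one's-complement sum with end-around carry."""
    if len(data) % 2:
        data += b"\x00"                        # pad odd length for the sum only
    total = sum((data[i] << 8) | data[i + 1] for i in range(0, len(data), 2))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def tcp_checksum(src_ip, dst_ip, segment):
    """Checksum over pseudo-header (src, dst, zero, protocol 6, TCP length) + segment.
    The segment's own checksum field must be zero when this is called."""
    pseudo = ip_bytes(src_ip) + ip_bytes(dst_ip) + struct.pack("!BBH", 0, 6, len(segment))
    return (~ones_complement_sum(pseudo + segment)) & 0xFFFF


def build_segment(src_ip, dst_ip, sport, dport, seq, ack, flags, payload=b""):
    offset_flags = (5 << 12) | flags          # data offset 5 words = 20-byte header, no options
    hdr = struct.pack(HDR_FMT, sport, dport, seq, ack, offset_flags, 65535, 0, 0)
    csum = tcp_checksum(src_ip, dst_ip, hdr + payload)
    hdr = struct.pack(HDR_FMT, sport, dport, seq, ack, offset_flags, 65535, csum, 0)
    return hdr + payload


def verify_segment(src_ip, dst_ip, segment):
    """Receiver side: recompute with the checksum field zeroed and compare."""
    stored = struct.unpack("!H", segment[16:18])[0]
    zeroed = segment[:16] + b"\x00\x00" + segment[18:]
    return tcp_checksum(src_ip, dst_ip, zeroed) == stored


def decode_flags(segment):
    bits = struct.unpack("!H", segment[12:14])[0] & 0x3F
    return [name for name, bit in FLAGS.items() if bits & bit]


def demo():
    src, dst = "10.0.0.1", "10.0.0.2"
    seg = build_segment(src, dst, 40000, 80, 1000, 0, FLAGS["SYN"])
    ok = verify_segment(src, dst, seg)

    data = build_segment(src, dst, 40000, 80, 1001, 5001, FLAGS["PSH"] | FLAGS["ACK"], b"ABCD")
    # one flipped bit in the payload is always caught
    flipped = data[:20] + bytes([data[20] ^ 0x01]) + data[21:]
    # swapping two 16-bit words ("AB" <-> "CD") is NOT caught: the sum is order-independent,
    # which is why evidence integrity relies on cryptographic hashes, not transport checksums
    swapped = data[:20] + data[22:24] + data[20:22]
    return {
        "syn_ok": ok,
        "syn_flags": decode_flags(seg),
        "data_flags": decode_flags(data),
        "flip_detected": not verify_segment(src, dst, flipped),
        "swap_detected": not verify_segment(src, dst, swapped),
    }


if __name__ == "__main__":
    print(demo())
```

The pseudo-header is the part people forget: the TCP checksum covers the IP addresses and protocol number but not the rest of the IP header, which carries its own checksum.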
15. a. Part II: Description of the Incident
1. Date of the incident:
o June 30, 2004
2. GMT time of the incident:
o 05:25:10
3. Physical location of the attacked system (company headquarters, other site or state):
o Hyattsville, Maryland
4. Operating system on the attacked system:
o Windows NT 4.0
5. Hardware:
o 960 series Gateway box (2.4 GHz Xeon processor, 1024 MB 1600 SDRAM)
6. Security systems in use on the attacked system (name and version):
o BlackICE intrusion detection / personal firewall
7. Mission of the attacked system (What is its function?):
o Stores passwords and user names.
8. Describe how the attack was detected.
o The webmaster noticed suspicious activity on the web server. After checking, he
found that a sniffer had been placed on the Windows .NET server.
9. Describe the attacker's activities (DOS, virus, sniffer, spoofing, social engineering,
etc.).
o The attacker placed a sniffer on the Windows .NET server.
10. Estimate the time duration of the incident from detection to completion.
o Less than 24 hours.
11. If possible, estimate how long the attacker was on the system before being detected.
o From the last time maintenance was performed (May 1, 2004) to the time the attack was
detected (June 30, 2004): a total of 60 days.
12. Description of the damage done in the attack.
o
13. Provide an estimated dollar valuation of the damage (show calculations).
o With the information provided, a calculation of the damages isn't possible.
14. Describe activities taken by the victim up to the time of filing the report.
o The victim hardened access from the web server to other parts of the network and
added a new sniffer program, EffeTech sniffer v3.4, to the web box.
15. Attach copies of appropriate logs (up to 20) and corroborate the times on the logs. If
the times on the logs are not correct, reconcile them to the correct times.
o
b. Identify the probable IP address the attacker used to enter MacVee’s system.
o 250.14.130.1.5112
c. What are the advantages and disadvantages of not shutting down the server?
o The advantage of not shutting down the server is that the webmaster might be able
to gather enough data to identify the attacker.
o The disadvantage is that a skilled attacker may be able to get more information
from the server while it stays up.
d. Would law enforcement authorities be interested in further pursuing this crime through
the courts?
o I don't think they will want to pursue this, as no actual monetary damages were
recorded.
18. The First Step. Assume members of a fraud response team have identified e-mails
they believe are an incident of unethical behavior by the company's CFO. If a fraud response
team meeting is called, under a limited-scope forensic audit, what are the first steps you believe
should be taken by the group?
• Perform a preliminary investigation before preparing a detailed plan of action related to
the fraud. The complete planning should be based on an adequate understanding of the
underlying issues.
• The team should obtain relevant evidence by locating documents, assets, or proof of the
occurrence of fraud in the company.
• Document the date, time, and details of the initial report or discovery.
• Take notes of all observations and actions.
• Maintain confidentiality.
• Develop an actual action plan. The plan should use all the information gathered in the
initial investigation to set the objectives to be achieved by the team and the methodology
to be used in accomplishing them.
29. What is the relationship between "brainstorming" as defined in SAS No. 99 and digital
forensics?
• With brainstorming, audit teams are required to hold a session to generate ideas about
how fraud might be committed and concealed in an entity. Brainstorming sessions should
involve information technology specialists, and such experts should be used to evaluate
computer records to detect the manipulation of electronic journal entries. These PCAOB
recommendations imply that financial auditors need a clear understanding of the fraud
implications of the warnings provided by computer forensic experts.
30. Where does a digital investigator start and why?
• Digital investigators start by collecting and preserving the electronic trail of fraudulent
documents. I believe that because data can be destroyed and rendered inadmissible in
court by any slight issue or by not following the proper data-collection laws, a digital
investigator should start there.