Forensic and Investigative Accounting

Chapter 14

Digital Forensics Analysis

© 2013 CCH Incorporated. All Rights Reserved.

4025 W. Peterson Ave.

Chicago, IL 60646-6085

800 248 3248

CCHGroup.com



Chapter 14 Forensic and Investigative Accounting 2

Hacker Defined

A hacker is generally defined as an individual or group whose intent is to gain access to a computer network for malicious purposes.


Collecting Clues and Evidence

A forensic investigator needs to be familiar with the protocols used on the Internet to be able to collect clues about either internal or external attackers.

In addition, when law enforcement officials send requests or subpoenas for information about a company's logs, the forensic analyst must understand the type of information being sought.


Protocols

Internet protocols are those rules allowing different operating systems and machines to communicate with one another over the Internet.


Transmission Control Protocol (TCP) and Internet Protocol (IP)

TCP/IP protocols are the communication guidelines used and widely supported over the Internet.

Almost every packet of information sent over the Internet uses the datagrams contained within a TCP/IP envelope. The datagrams consist of layers of information needed to verify the packet and get the information from the sender's to the receiver's location following traffic control guidelines.


Transmission Control Protocol (TCP) and Internet Protocol (IP)

Message encapsulation is used in sending the packets. In message encapsulation, each layer of information in the sent packet is interpreted by the same layer at the receiving end of the transmission. Additionally, each layer can only communicate with the one directly above or below it.


Transmission Control Protocol (TCP) and Internet Protocol (IP)

Layered Operating System Interconnection (OSI) Model (top to bottom):

– Application Layer
– Transportation Layer
– Network Layer
– Data Link Layer
– Hardware Layer
– Electronic Impulse


Transmission Control Protocol (TCP) and Internet Protocol (IP)

The application layer issues the commands that define the operations.

The transportation layer functions to provide reliable message delivery.

The network layer controls the route the data takes to get to its destination.


Transmission Control Protocol (TCP) and Internet Protocol (IP)

The data link layer transfers the datagram from one network node to another.

The hardware layer (or physical layer) provides the means of sending and receiving data on a network by converting bits into voltages for transmission to a coax cable.


IP Address Defined

An IP address is a 32-bit number (four bytes) that identifies the sender and recipient who is sending or receiving a packet of information over the Internet.


New Version of IP Addresses

IPv4 is being replaced with IPv6. The reason for the change is that the 32-bit version has run out of IP addresses. IPv6 uses 64-bits. IPv6 provides for approximately 340,282,366,920,938,000,000,000,000,000,000,000,000 unique IP addresses.


Web Log Entries

One important method for finding the web trail of an attacker is in examining web logs.

Recorded network logs provide information needed to trace all website usage.


Web Log Entries

Information provided in a log includes the visitor's IP address, geographical location, the actions the visitor performs on the site, browser type, time on page, and the site the visitor used before arriving.

Logs should be stored on a separate computer from the web server hosting the site so they cannot be easily altered.
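An added example, not from the textbook, of pulling the fields listed above (visitor IP, action taken, browser type, referring site) out of web server log entries; the log lines are constructed for illustration in the common "combined" format, and unparseable lines are counted rather than silently dropped so an altered or corrupted log is noticed.

```python
import re

# Apache/NCSA "combined" log format:
# host ident authuser [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Constructed sample entries (not from any real server); IPs are documentation ranges.
SAMPLE_LOG = """\
203.0.113.7 - - [13/Dec/2015:10:01:22 +0000] "GET /index.html HTTP/1.1" 200 5120 "http://search.example/" "Mozilla/5.0 (Windows NT 6.1)"
203.0.113.7 - - [13/Dec/2015:10:01:25 +0000] "GET /admin/login.php HTTP/1.1" 404 231 "-" "Mozilla/5.0 (Windows NT 6.1)"
198.51.100.23 - - [13/Dec/2015:10:02:01 +0000] "POST /cart/checkout HTTP/1.1" 200 879 "http://www.example.com/cart" "Mozilla/5.0 (Macintosh)"
this line is corrupt and must not be silently dropped
"""

def parse_entry(line):
    """Return the fields an investigator needs from one log line, or None if malformed."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    e = m.groupdict()
    e["status"] = int(e["status"])
    e["referer"] = None if e["referer"] == "-" else e["referer"]   # "-" means no referring site
    return e

def summarize(log_text):
    """Group entries per visitor IP and count lines that fail to parse, so tampering
    or corruption is visible in the result instead of hidden."""
    visitors, unparsed = {}, 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        e = parse_entry(line)
        if e is None:
            unparsed += 1
            continue
        visitors.setdefault(e["ip"], []).append(e)
    return visitors, unparsed

if __name__ == "__main__":
    visitors, unparsed = summarize(SAMPLE_LOG)
    for ip, entries in visitors.items():
        print(ip, "| browser:", entries[0]["agent"], "| arrived from:", entries[0]["referer"])
        for e in entries:
            print("   ", e["time"], e["method"], e["path"], e["status"])
    print("unparsed lines:", unparsed)
```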


TCPDUMP

TCPDUMP is a form of network sniffer that can disclose most of the information contained in a TCP/IP packet.

A sniffer is a program used to secretly capture datagrams moving across a network and disclose the information contained in the datagram's network protocols.
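An added example (not from the textbook or from tcpdump itself) showing what a sniffer discloses and how the message encapsulation described earlier is undone at the receiving end: each layer of a constructed Ethernet/IPv4/TCP frame is peeled off in turn and its fields reported. The frame bytes are made up for illustration and use documentation IP ranges.

```python
import struct

# Constructed frame (not a real capture): Ethernet + IPv4 + TCP SYN, no payload.
FRAME = bytes.fromhex(
    "001122334455" "66778899aabb" "0800"          # Ethernet: dst MAC, src MAC, EtherType 0x0800 = IPv4
    "4500" "0028" "0000" "4000" "40" "06" "0000"  # IPv4: v4/IHL 5, len 40, id, DF, TTL 64, proto 6 = TCP, csum
    "cb00710a" "c6336416"                         # IPv4: src 203.0.113.10, dst 198.51.100.22
    "d431" "0050" "00000001" "00000000"           # TCP: sport 54321, dport 80, seq 1, ack 0
    "5002" "2000" "0000" "0000"                   # TCP: data offset 5, flags SYN, window, csum, urgent
)

TCP_FLAGS = ((0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"), (0x08, "PSH"), (0x10, "ACK"))

def decode(frame):
    """Peel the layers in order, as a sniffer does, returning one dict per layer found."""
    layers = {}
    dst, src, etype = struct.unpack("!6s6sH", frame[:14])          # data link layer
    layers["link"] = {"dst_mac": dst.hex(":"), "src_mac": src.hex(":"), "ethertype": etype}
    if etype != 0x0800:
        return layers                                             # only IPv4 is decoded here
    ip = frame[14:]                                               # network layer
    ver_ihl, _tos, total_len, _id, _frag, ttl, proto, _csum, s, d = struct.unpack("!BBHHHBBH4s4s", ip[:20])
    ihl = (ver_ihl & 0x0F) * 4
    layers["network"] = {"version": ver_ihl >> 4, "ttl": ttl, "protocol": proto,
                         "src": ".".join(map(str, s)), "dst": ".".join(map(str, d))}
    if proto != 6:
        return layers                                             # only TCP is decoded here
    tcp = ip[ihl:total_len]                                       # transport layer
    sport, dport, seq, ack, off_flags, window = struct.unpack("!HHIIHH", tcp[:16])
    flags = [name for bit, name in TCP_FLAGS if off_flags & bit]
    layers["transport"] = {"sport": sport, "dport": dport, "seq": seq, "ack": ack, "flags": flags}
    payload = tcp[(off_flags >> 12) * 4:]                         # whatever is left belongs to the application
    layers["application"] = {"payload_bytes": len(payload)}
    return layers

if __name__ == "__main__":
    for name, fields in decode(FRAME).items():
        print(f"{name:12s} {fields}")
```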


Decoding Simple Mail Transfer Protocol (SMTP)

SMTP is the protocol used to send e-mail over the Internet.

SMTP server logs can be used to check the path of the e-mail from the sending host to the receiving host.


Decoding Simple Mail Transfer Protocol (SMTP)

Most of the important information about the origin of an e-mail message is in the long form of the header. The most important data for tracing purposes is the IP addresses and the message ID.
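An added example, not from the textbook, of reading the long-form header described above: it pulls the Message-ID and the IP address of every relay out of a constructed header and orders the hops from origin to recipient (each server prepends its own Received: line, so the bottom one is closest to the sender). The header, hosts and addresses are made up for illustration.

```python
import re
from email import message_from_string

# Constructed long-form header (not a real message); addresses are documentation ranges.
RAW_MESSAGE = """\
Received: from mx2.example.net (mx2.example.net [192.0.2.10])
    by mail.example.com with ESMTP id u3BZ7qk; Sun, 13 Dec 2015 10:05:41 +0000
Received: from relay.example.org ([198.51.100.5])
    by mx2.example.net with ESMTP; Sun, 13 Dec 2015 10:05:39 +0000
Received: from [203.0.113.77] (helo=sender-pc)
    by relay.example.org with ESMTPA; Sun, 13 Dec 2015 10:05:30 +0000
Message-ID: <20151213100530.12345@sender-pc.example>
From: "A. Sender" <sender@example.org>
To: victim@example.com
Subject: Invoice attached

Body text.
"""

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

def trace_path(raw):
    """Return (message_id, hops). Hops run from origin to final recipient: relays
    prepend their Received: line, so the last header in the message is the first hop."""
    msg = message_from_string(raw)
    hops = []
    for hdr in reversed(msg.get_all("Received", [])):
        flat = " ".join(hdr.split())                       # unfold continuation lines
        by = re.search(r"\bby (\S+)", flat)                # the relay that wrote this line
        hops.append({"ips": IP_RE.findall(flat),           # addresses it recorded for the sender
                     "by": by.group(1) if by else None,
                     "raw": flat})
    return msg.get("Message-ID"), hops

if __name__ == "__main__":
    mid, hops = trace_path(RAW_MESSAGE)
    print("Message-ID:", mid)
    for n, h in enumerate(hops, 1):
        print(f"hop {n}: from {h['ips']} received by {h['by']}")
```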


Tracing and Decoding IP Addresses

– Traceroute
– Whois
– Ping
– Finger searches


Narrowing the Search

– Preliminary Incident Response Form
– John Doe subpoena

Forensic Audit

The forensic audit is an audit performed to determine whether fraud is being committed in the executive boardroom. The monitoring methods used in a forensic audit are investigative, directed at top-level executives, and do not rely on traditional accounting audit practices.


Fraud Response Team

A fraud response team is a group of organizational employees and independent contractors who are called together to deal with a fraud event.

A fraud response team would include attorneys, computer forensic analysts, forensic accountants, human resource staff, and public relations professionals.


Due Diligence Searches

Internet databases
– General searches
– Name, telephone number, and e-mail address search engines
– Internet relay chat (IRC), FTP, and Listserv searches
– Usenet postings search
– Legal records
– Instant messaging (IM)

Web page searches

Government data searches

Miscellaneous searches