IS AUDITING GUIDELINE
COMPUTER FORENSICS
DOCUMENT G28
Introduction—The specialised nature of information systems (IS) auditing and the skills necessary to perform such audits require
standards that apply specifically to IS auditing. One of the goals of the Information Systems Audit and Control Association (ISACA) is to
advance globally applicable standards to meet its vision. The development and dissemination of the IS Auditing Standards are a
cornerstone of the ISACA professional contribution to the audit community.
The objective of the IS Auditing Guidelines is to provide further information on how to comply with the IS Auditing Standards.
Scope and Authority of IS Auditing Standards—The framework for the IS Auditing Standards provides multiple levels of guidance:
Standards define mandatory requirements for IS auditing and reporting.
Guidelines provide guidance in applying the IS Auditing Standards. The IS auditor should consider them in determining how to
achieve implementation of the standards, use professional judgment in their application and be prepared to justify any departure.
Procedures provide examples of procedures an IS auditor might follow in an audit engagement. Procedures should not be considered
inclusive of any proper procedures and tests or exclusive of other procedures and tests that are reasonably directed to obtain the same
results. In determining the appropriateness of any specific procedure, group of procedures or test, the IS auditor should apply their own
professional judgment to the specific circumstances presented by the particular information systems or technology environment. The
procedure documents provide information on how to meet the standards when performing IS auditing work, but do not set requirements.
The words audit and review are used interchangeably. A full glossary of terms can be found on the ISACA web site at
www.isaca.org/glossary.
Holders of the Certified Information Systems Auditor (CISA®) designation are to comply with the IS Auditing Standards adopted by ISACA.
Failure to comply with these standards may result in an investigation into the CISA holder’s conduct by the ISACA Board of Directors or
appropriate ISACA committee and, ultimately, in disciplinary action.
Development of Standards, Guidelines and Procedures—The ISACA Standards Board is committed to wide consultation in the
preparation of the IS Auditing Standards, Guidelines and Procedures. Prior to issuing any documents, the Standards Board issues exposure
drafts internationally for general public comment. The Standards Board also seeks out those with a special expertise or interest in the topic
under consideration for consultation where necessary.
The following COBIT resources should be used as a source of best practice guidance:
Control Objectives—High-level and detailed generic statements of minimum good control
Control Practices—Practical rationales and “how to implement” guidance for the control objectives
Audit Guidelines—Guidance for each control area on how to obtain an understanding, evaluate each control, assess compliance and
substantiate the risk of controls not being met
Management Guidelines—Guidance on how to assess and improve IT process performance, using maturity models, metrics and
critical success factors
Each of these is organised by IT management process, as defined in the COBIT Framework. COBIT is intended for use by business and IT
management as well as IS auditors. Its use enables the understanding of business objectives and the communication of best practices
and recommendations around a commonly understood and well-respected standard reference.
The Standards Board has an ongoing development programme and welcomes the input of ISACA members and other interested parties to
help identify emerging issues requiring new standards. Any suggestions should be e-mailed (standards@isaca.org), faxed
(+1.847.253.1443) or mailed (address provided at the end of this document) to ISACA International Headquarters, for the attention of the
director of research standards and academic relations.
1.3.3 During the conduct of a computer investigation, it is critical that the confidentiality of the data and information gathered is
maintained, that their integrity is established, and that they are made available to appropriate authorities only. The IS auditor will
play a crucial role in such instances and may help the organisation by indicating whether legal advice is advisable and which
technical aspects of the IS environment need appropriate investigation. There may be instances where the IS auditor is given
information about a suspected irregularity or illegal act and is requested to use data analysis capabilities to gather further information.
1.3.4 Computer forensics has been applied in a number of areas including, but not limited to, fraud, espionage, murder, blackmail,
computer misuse, technology abuse, libel, malicious mail, information leakage, theft of intellectual property, pornography,
spamming, hacking and illegal transfer of funds. Computer forensics involves the detailed analysis of events in cyberspace and the
collection of evidence. This guideline briefly describes the elements of computer forensics with the aim of aiding the IS auditor in
considering such aspects as are warranted by a situation during the conduct of the assignment. The IS auditor should also communicate
the need for computer forensics for internal investigations, which make up a large percentage of forensic investigations (as opposed to
external attacks):
Whistle-blower complaints
HR investigations
Fraud investigations
Compliance investigations—enforce compliance with various legal mandates and industry guidelines (e.g., Sarbanes-Oxley,
1.3.5 This guideline provides guidance in applying IS auditing standards S3 Professional Ethics and Standards, S4 Professional
Competence, S5 Planning, S6 Performance of Audit Work, while conducting a computer forensic review. The IS auditor should
consider it in determining how to achieve implementation of the above standards, use professional judgment in its application and
be prepared to justify any departure.
2. DEFINITIONS
3. AUDIT CHARTER
4. INDEPENDENCE
5. AUDIT CONSIDERATIONS
5.3.5 In any case, it is imperative that all due prudence is exercised, as it is extremely difficult to determine (and prove) the
location of the merchant.
5.6.3 The illegal use of a credit card over the Internet includes any action aimed to fraudulently obtain money, goods or services using
card data. A crime is committed even when the owner uses the card after its expiration.
1 The Rome Convention (1980, European law), www.rome-convention.org/instruments/i_conv_cons_it.htm, and the Vienna Convention, an
international agreement regarding the import/export of goods signed in 1980, www.cisg.law.pace.edu/cisg/biblio/volken.html.
6.3 Imaging
6.3.1 This involves making a bit-for-bit copy of the seized data so that an indelible facsimile exists on which multiple analyses
may be performed without fear of damaging the original data or information. The original should be read through a write blocker
so that the act of imaging itself cannot alter it.
6.3.2 Imaging is performed to capture the residual data of the target drive. An image copy duplicates the disk surface sector by sector,
as opposed to a file-by-file copy, which does not capture residual data. Residual data include deleted files, fragments of deleted files
and other data still present on the disk surface. With appropriate tools, destroyed data (erased, even by re-formatting the
media) can often also be recovered from the disk surface, because deletion and quick formatting typically remove only the file
system's references to the data and leave the sectors themselves untouched. Data that have actually been overwritten cannot be
recovered by these means.
6.4 Extraction
6.4.1 This involves the identification and separation of potentially useful data from the imaged dataset. This includes the recovery of
damaged, corrupted or destroyed data, or data that have been tampered with to prevent detection.
6.4.2 The entire process of imaging and extraction must meet standards of quality, integrity and reliability. This includes the software
used to create the image and the media on which the image was made. A good benchmark would be whether the software is
used, relied upon or authorised by law enforcement agencies. The copies and evidence must be capable of independent
verification, i.e., the opponent and the court must be convinced of the accuracy and reliability of the data and that the data have
not been tampered with. In practice this is established by recording a cryptographic hash of the original media before imaging
and of the image afterwards, documenting the chain of custody, and re-hashing the image whenever it is handed over or analysed:
a matching hash demonstrates that the image is unchanged.
6.4.3 Extraction includes examination of many sources of data, such as system logs, firewall logs, intrusion detection system logs, audit
trails and network management information.
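The following is an added example, not part of ISACA G28, illustrating 6.3 and 6.4 together: why a bit-for-bit image captures residual data that a file-by-file copy misses, how the image is verified by hash, and how deleted content is extracted from unallocated space. The toy on-disk layout (a directory sector followed by one sector per file) and the two file contents are constructed for the illustration and are not a real file system format.

```python
"""Added example (not from ISACA G28): a bit-for-bit image captures residual
data that a file-by-file copy misses, and a hash verifies the image.
The toy on-disk layout is an assumption made for illustration only."""
import hashlib

SECTOR = 64  # small sector size so the constructed disk stays readable


def parse_directory(disk):
    """Directory in sector 0, one entry per line: name:first_sector:length:flag
    (flag 'A' = allocated, 'D' = deleted). Toy format, not a real file system."""
    entries = []
    for entry in bytes(disk[:SECTOR]).rstrip(b"\x00").decode().split("\n"):
        name, start, length, flag = entry.split(":")
        entries.append((name, int(start), int(length), flag))
    return entries


def write_directory(disk, entries):
    text = "\n".join(f"{n}:{s}:{l}:{f}" for n, s, l, f in entries)
    disk[:SECTOR] = text.encode().ljust(SECTOR, b"\x00")


def build_disk():
    """Constructed evidence drive: two small text files, one sector each."""
    disk = bytearray(SECTOR * 6)
    files = {"memo.txt": b"Quarterly figures approved by J. Smith, call 555-0148",
             "plan.txt": b"Transfer 40000 to account 9981-22 before audit on Friday"}
    entries = []
    for sector, (name, data) in enumerate(files.items(), start=1):
        disk[sector * SECTOR:sector * SECTOR + len(data)] = data
        entries.append((name, sector, len(data), "A"))
    write_directory(disk, entries)
    return disk


def delete_file(disk, name):
    """Deletion as most file systems do it: the directory entry is flagged,
    the data sectors are left untouched. That untouched data is the residual
    data that imaging is meant to capture."""
    write_directory(disk, [(n, s, l, "D" if n == name else f)
                           for n, s, l, f in parse_directory(disk)])


def file_by_file_copy(disk):
    """Logical copy: only what the file system still lists as allocated."""
    return {n: bytes(disk[s * SECTOR:s * SECTOR + l])
            for n, s, l, f in parse_directory(disk) if f == "A"}


def image(disk):
    """Bit-for-bit image: every sector, allocated or not."""
    return bytes(disk)


def verify_image(original, img):
    """6.4.2: the copy must be independently verifiable. Hash the source
    and the image; a match (re-checked later) shows the image is unchanged."""
    return hashlib.sha256(bytes(original)).hexdigest() == hashlib.sha256(img).hexdigest()


def carve_residual(img):
    """Extraction (6.4): text in sectors that no allocated file references,
    i.e. unallocated space where deleted content survives."""
    allocated = set()
    for _, start, length, flag in parse_directory(img):
        if flag == "A":
            allocated.update(range(start, start + (length + SECTOR - 1) // SECTOR))
    residual = []
    for sector in range(1, len(img) // SECTOR):
        chunk = img[sector * SECTOR:(sector + 1) * SECTOR].rstrip(b"\x00")
        if sector not in allocated and chunk:
            residual.append(chunk.decode("ascii", errors="replace"))
    return residual


if __name__ == "__main__":
    drive = build_disk()
    delete_file(drive, "plan.txt")
    img = image(drive)
    print("hash verified:", verify_image(drive, img))
    print("file-by-file copy sees:", sorted(file_by_file_copy(drive)))
    print("carved from unallocated space:", carve_residual(img))
```

After `plan.txt` is deleted, the logical copy contains only `memo.txt`, while the image still holds the deleted text in sector 2 and `carve_residual` recovers it. On a real drive the same steps are a hardware write blocker, `dd`-style sector imaging, and a hash of both the source device and the image file recorded in the chain-of-custody log.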
6.5 Interrogation
6.5.1 This involves the querying of extracted data to determine if any prior indicators or relationships, such as telephone numbers, IP
addresses and names of individuals, exist in the data.
6.5.2 Accurate analysis of the extracted data is essential to make recommendations and to prepare the grounds of evidence to be put
before the law enforcement authorities.
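An added example, not part of ISACA G28, of the interrogation step: extracted data from several sources is queried for prior indicators (IP addresses, e-mail addresses, telephone numbers) and for indicators that recur across sources, which is where relationships first become visible. The three extracted texts and the watchlist are constructed for the illustration; the regular expressions are generic and the telephone pattern assumes North American style numbers.

```python
"""Added example (not from ISACA G28): querying extracted data for prior
indicators (6.5). The patterns are generic; the three extracted texts and
the watchlist are constructed for this illustration."""
import re
from collections import defaultdict

PATTERNS = {
    "ipv4": re.compile(r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    # North American style numbers, optionally with a country code (assumption)
    "phone": re.compile(r"(?<!\w)(?:\+\d{1,3}[ .-]?)?\(?\d{3}\)?[ .-]?\d{3}[ .-]?\d{4}(?!\w)"),
}

# Constructed extracted data: a carved file fragment plus two log excerpts.
EXTRACTED = {
    "carved/plan.txt": "Transfer 40000 to account 9981-22. Wire details sent to "
                       "mule@example.net, confirm on (312) 555-0148",
    "firewall.log": "2004-03-11 22:14:05 ALLOW tcp 10.1.4.22:51012 -> 203.0.113.45:443",
    "mail.log": "2004-03-11 22:10:41 from=<j.smith@example.com> to=<mule@example.net> "
                "relay=203.0.113.45",
}

# Prior indicators known before the review (assumed for the example).
WATCHLIST = {"email": {"mule@example.net"}, "ipv4": {"203.0.113.45"}}


def extract_indicators(text):
    """All indicator values in one piece of text, grouped by kind."""
    found = defaultdict(set)
    for kind, pattern in PATTERNS.items():
        for match in pattern.finditer(text):
            found[kind].add(match.group(0))
    return dict(found)


def interrogate(extracted, watchlist):
    """Return (prior_hits, links): prior_hits maps each watchlisted indicator
    to the sources it occurs in; links lists indicators that appear in more
    than one source, the relationships a time line or graph is built from."""
    index = defaultdict(set)
    for source, text in extracted.items():
        for kind, values in extract_indicators(text).items():
            for value in values:
                index[(kind, value)].add(source)
    prior_hits = {k: sorted(v) for k, v in index.items() if k[1] in watchlist.get(k[0], ())}
    links = {k: sorted(v) for k, v in index.items() if len(v) > 1}
    return prior_hits, links


if __name__ == "__main__":
    hits, links = interrogate(EXTRACTED, WATCHLIST)
    for (kind, value), sources in sorted(hits.items()):
        print(f"prior indicator {kind} {value}: {', '.join(sources)}")
    for (kind, value), sources in sorted(links.items()):
        print(f"{kind} {value} links {' <-> '.join(sources)}")
```

With these inputs the watchlisted e-mail address ties the carved fragment to the mail log, and the watchlisted IP address ties the mail log to the firewall log, which in turn names the internal host 10.1.4.22; that chain is the kind of investigative hypothesis the next step (normalisation and time lining) is built around.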
6.6 Ingestion/Normalisation
6.6.1 This involves the transfer and storage of extracted data using appropriate techniques and in a format easily understood by
investigators. This may include the conversion of hexadecimal or binary information into readable characters, conversion of data
to another character encoding, or conversion to a format suitable for data analysis tools. Time stamps from different sources
should be brought to a single time zone (normally UTC) so that events can be ordered reliably.
6.6.2 Possible relationships within the data are extrapolated through techniques such as fusion, correlation, graphing, mapping or time
lining to develop investigative hypotheses.
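An added example, not part of ISACA G28, of normalisation and time lining: records from three constructed sources, each using a different time stamp convention (UTC ISO 8601, local time with a numeric offset, epoch seconds) and one carrying a hex-encoded field, are converted into one common record shape in UTC, sorted into a single time line and then fused by source address. The log formats, hosts and addresses are assumptions made for the illustration.

```python
"""Added example (not from ISACA G28): ingestion/normalisation (6.6).
Records from three constructed sources, each with its own timestamp
convention and one with a hex-encoded field, are converted into one
UTC time line and then correlated by source address. Formats, hosts
and addresses are assumptions made for the illustration."""
import re
from datetime import datetime, timezone, timedelta

# Constructed extracted records: (source, raw line), deliberately unordered
RECORDS = [
    ("proxy", "1079043250 10.1.4.22 CONNECT 203.0.113.45 path=2f7061796d656e74732e637376"),
    ("webserver", "11/Mar/2004:17:14:07 -0500 10.1.4.22 GET /export.cgi"),
    ("firewall", "2004-03-11T22:14:05Z ALLOW 10.1.4.22 -> 203.0.113.45:443"),
]

FIREWALL = re.compile(r"^(?P<ts>\S+) (?P<action>\w+) (?P<src>[\d.]+) -> (?P<dst>[\d.]+):(?P<port>\d+)$")
WEB = re.compile(r"^(?P<ts>\S+ [+-]\d{4}) (?P<src>[\d.]+) (?P<method>\w+) (?P<path>\S+)$")
PROXY = re.compile(r"^(?P<ts>\d+) (?P<src>[\d.]+) (?P<method>\w+) (?P<dst>[\d.]+) path=(?P<hexpath>[0-9a-fA-F]+)$")


def _match(pattern, line):
    m = pattern.match(line)
    if not m:
        raise ValueError(f"unparseable record: {line!r}")
    return m


def normalise(source, line):
    """One record in a common shape: UTC timestamp, source, src, dst, detail."""
    if source == "firewall":
        m = _match(FIREWALL, line)
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        return {"ts": ts, "source": source, "src": m["src"], "dst": m["dst"],
                "detail": f"{m['action']} port {m['port']}"}
    if source == "webserver":
        m = _match(WEB, line)
        # local time with a numeric offset: parse the offset, then convert to UTC
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z").astimezone(timezone.utc)
        return {"ts": ts, "source": source, "src": m["src"], "dst": "",
                "detail": f"{m['method']} {m['path']}"}
    if source == "proxy":
        m = _match(PROXY, line)
        ts = datetime.fromtimestamp(int(m["ts"]), tz=timezone.utc)
        # hex-encoded path converted into readable characters
        path = bytes.fromhex(m["hexpath"]).decode("ascii", errors="replace")
        return {"ts": ts, "source": source, "src": m["src"], "dst": m["dst"],
                "detail": f"{m['method']} {path}"}
    raise ValueError(f"no parser for source {source!r}")


def build_timeline(records):
    """Normalise every record and order the result by UTC time."""
    return sorted((normalise(s, l) for s, l in records), key=lambda e: e["ts"])


def correlate(events, key="src", window=timedelta(seconds=30)):
    """Fuse consecutive events that share `key` and fall within `window`
    of the group's first event: one group is one candidate hypothesis."""
    groups = []
    for event in events:
        if groups and groups[-1][-1][key] == event[key] \
                and event["ts"] - groups[-1][0]["ts"] <= window:
            groups[-1].append(event)
        else:
            groups.append([event])
    return groups


if __name__ == "__main__":
    for e in build_timeline(RECORDS):
        print(e["ts"].isoformat(), e["source"], e["src"], e["dst"], e["detail"])
```

Once the three lines are in UTC they fall within five seconds of each other and share a source address, so `correlate` fuses them into a single group: the firewall permit, the web request and the proxied connection carrying `/payments.csv` become one sequence rather than three unrelated entries.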
7. REPORTING
7.2 Evidence
7.2.1 Electronic evidence ranges from mainframe computers and pocket-sized personal digital assistants to floppy diskettes, CDs, tapes or
even the smallest electronic chip device.
7.2.2 Industry-specified best practices should be adhered to, proven tools should be utilised and due diligence should be exhibited to
provide reasonable assurance that evidence is not tampered with or destroyed. Integrity, reliability and confidentiality of the
evidence are absolutely necessary for arriving at a fair judgment by the law enforcement authorities. It is also critical that the
evidence is produced and made available to the authorities at an appropriate time.
7.2.3 Example of tracing Internet e-mail:
When an Internet e-mail message is sent, the user typically controls only the recipient lines (To, Cc and Bcc) and the subject
line.
Mail software adds the rest of the header information as the message is processed. The lines of an example e-mail header are
explained below:
Line 1 tells recipient computers who sent the message and where to send error messages (bounces and warnings).
Lines 2 and 3 show the route the message took from sending to delivery. Each computer that receives this message adds a
received field with its complete address and time stamp; this helps in tracking delivery problems. Received fields are added at
the top of the header, so the most recent hop appears first and the route reads from the bottom up. Only the received fields
added by servers the investigator controls, or whose logs can be obtained, can be relied upon: a sender can forge any header,
including earlier received fields, so a trace should start from the organisation's own receiving server and stop where the chain
can no longer be corroborated against server logs.
Line 4 is the message ID, a unique identifier for this specific message. This ID is logged and can be traced through
computers on the message route if there is a need to track the mail.
Line 5 shows the date, time and time zone when the message was sent.
Line 6 tells the name and e-mail address of the message originator (the sender).
Line 7 shows the name and e-mail address of the primary recipient; the address may be for a:
- Mailing list
- System-wide alias
- Personal username
Line 8 lists the names and e-mail addresses of the courtesy copy (Cc) recipients of the message. There may be blind carbon
copy (Bcc) recipients as well; these Bcc recipients get copies of the message, but their names and addresses are not visible
in the headers.
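An added example, not part of ISACA G28, of tracing a message through the header lines described above. The raw message is constructed for the illustration: every host name, address, ID and time stamp in it is fictitious, and `example.com` is assumed to be the investigating organisation's own mail domain. The code walks the received fields from the organisation's side outwards, marks how far the chain can be trusted, reports the last connecting IP address that one of the organisation's own servers actually observed, and checks that the time stamps do not run backwards along the route.

```python
"""Added example (not from ISACA G28): tracing a message through its
Received fields (7.2.3). The raw message below is constructed for this
illustration; hosts, addresses and IDs are fictitious, and "example.com"
is assumed to be the investigating organisation's own mail domain."""
import email
import re
from datetime import timezone
from email.utils import parsedate_to_datetime

RAW_MESSAGE = """Return-Path: <sender@example.org>
Received: from mx1.example.com (mx1.example.com [192.0.2.10])
    by mailstore.example.com with ESMTP id i2BMECxy012345
    for <j.smith@example.com>; Thu, 11 Mar 2004 22:14:12 +0000
Received: from relay.example.org (relay.example.org [198.51.100.7])
    by mx1.example.com with ESMTP id i2BME9ab004567;
    Thu, 11 Mar 2004 22:14:09 +0000
Received: from [10.0.0.5] (unknown [203.0.113.45])
    by relay.example.org with ESMTPA; Thu, 11 Mar 2004 17:13:55 -0500
Message-ID: <20040311221355.GA1234@relay.example.org>
Date: Thu, 11 Mar 2004 17:13:50 -0500
From: "A. Sender" <sender@example.org>
To: j.smith@example.com
Cc: audit@example.com
Subject: Re: transfer

Please action the transfer today.
"""

RECEIVED = re.compile(
    r"from\s+(?P<from>\S+)\s*(?:\((?P<helo>[^)]*)\))?.*?\bby\s+(?P<by>\S+).*?;\s*(?P<date>.+)$")
BRACKET_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def trace_route(raw, own_domain):
    """Parse Received fields (newest first), mark which hops can be trusted
    and return the route in delivery order together with the last IP
    address that one of our own servers actually saw connect."""
    msg = email.message_from_string(raw)
    hops, trusted = [], True
    for value in msg.get_all("Received", []):
        m = RECEIVED.search(" ".join(value.split()))  # unfold the header
        if not m:
            continue
        # A hop is only trustworthy if every later hop was handled by our
        # own servers; anything before the first foreign server may be forged.
        trusted = trusted and m["by"].lower().endswith("." + own_domain)
        hops.append({"from": m["from"], "helo": m["helo"] or "", "by": m["by"],
                     "time": parsedate_to_datetime(m["date"]).astimezone(timezone.utc),
                     "trusted": trusted})
    last_verifiable_ip = None
    for hop in hops:  # the outermost trusted hop records the connecting address
        if hop["trusted"]:
            ip = BRACKET_IP.search(hop["helo"])
            last_verifiable_ip = ip.group(1) if ip else None
    hops.reverse()  # delivery order: sender's side first
    return {
        "return_path": msg["Return-Path"],
        "message_id": msg["Message-ID"],
        "hops": hops,
        "last_verifiable_ip": last_verifiable_ip,
        # timestamps should not go backwards along the route; if they do,
        # suspect clock skew or a forged field
        "chronological": all(a["time"] <= b["time"] for a, b in zip(hops, hops[1:])),
    }


if __name__ == "__main__":
    route = trace_route(RAW_MESSAGE, "example.com")
    print("Message-ID:", route["message_id"], "Return-Path:", route["return_path"])
    for hop in route["hops"]:
        flag = "trusted" if hop["trusted"] else "UNVERIFIED"
        print(f"{hop['time'].isoformat()} {hop['from']} -> {hop['by']} [{flag}]")
    print("last verifiable connecting IP:", route["last_verifiable_ip"])
```

For the constructed message the two hops handled by `example.com` servers are trusted, the hop claimed by `relay.example.org` is not, and the address worth pursuing with the relay's operator is 198.51.100.7, the client that `mx1.example.com` itself saw connect. The `[10.0.0.5]` and 203.0.113.45 values in the earliest field are only the foreign relay's word and must be corroborated from its logs before being relied upon.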
8. EFFECTIVE DATE
8.1 This guideline is effective for all information system audits beginning on or after 1 September 2004. A full glossary of terms can be
found on the ISACA web site at www.isaca.org/glossary.
APPENDIX
COBIT Reference
Selection of the most relevant material in COBIT applicable to the scope of the particular audit is based on the choice of specific COBIT IT
processes and consideration of COBIT’s control objectives and associated management practices. In the review of computer forensics, the
COBIT processes likely to be the most relevant are classified below as primary and secondary. The process and control objectives to be
selected and adapted may vary depending on the specific scope and terms of reference of the assignment.
Primary:
PO8—Ensure compliance with external requirements
AI1—Identify automated solutions
DS1—Define and manage service levels
DS2—Manage third-party services
DS5—Ensure systems security
DS10—Manage problems and incidents
DS11—Manage data
M1—Monitor the processes
M3—Obtain independent assurance
Secondary:
PO1—Define a strategic IT plan
PO4—Define the IT organisation and relationships
DS6—Identify and allocate costs
DS12—Manage facilities
DS13—Manage operations
M2—Assess internal control adequacy
Copyright © 2004
Information Systems Audit and Control Association
3701 Algonquin Road, Suite 1010
Rolling Meadows, IL 60008 USA
Telephone: +1.847.253.1545
Fax: +1.847.253.1443
E-mail: standards@isaca.org
Web site: www.isaca.org