
Chapter 14
Digital Forensics Analysis
CHAPTER SUMMARY
Overview
This chapter presents an overview of some of the more important steps and tools to use in profiling and tracing
perpetrators of cybercrimes, but these steps are preliminary, and the cybercriminal may remain untraceable.

Sifting for Cyber Clues


14,001

Collecting Evidence

All computers connected to the Internet are protected under federal law. Federal investigators can use subpoenas,
court orders, search warrants, and electronic surveillance, as well as traditional investigative methods. Investigators
without supporting legal authority are faced with using Internet forensic research to try to identify the cybercriminal
before the electronic trail disappears. Most cybercrimes leave clues for the forensic investigator provided the
investigator knows where to look.
14,011

Clues Versus Evidence

In tracking down these clues, both legal and technological factors should be considered. Most clues collected by
the forensic investigator are not going to meet the rigorous requirements of courtroom evidence unless the information
is uncovered by legal authorities and its evaluation is strictly controlled. Still, the clues collected by the forensic
investigator, who is not part of law enforcement, may provide legal authorities with enough preliminary information
to request a subpoena or search warrant, and thus speed up the collection of electronic evidence before it disappears.

Technical Searches
14,021

Internet Protocols: Technical Searches Begin Here

A forensic accountant should acquire a behind-the-scenes understanding of network traffic on the Internet.
An understanding begins with Internet protocols, which are those rules allowing different operating systems and
machines to communicate with one another over the Internet.
Transmission Control Protocol (TCP) and Internet Protocol (IP). TCP/IP protocols are the communication
guidelines used and widely supported over the Internet. Almost every packet of information sent over the Internet uses
the datagrams contained within a TCP/IP envelope. The datagram consists of layers of information needed to verify
the packet and get the information from the sender's location to the receiver's location following traffic control guidelines.
Message encapsulation is used in sending the packets. In message encapsulation, each layer of information in
the sent packet is interpreted by the same layer at the receiving end of the transmission. Additionally, each layer can
only communicate with the one directly above or below it.
The application layer issues the commands that define the operations, such as those required for an e-mail or the
interpretation of the software protocol for a financial transaction request.
The transport layer is responsible for ensuring the integrity, control, and proper connections between the
sending and receiving hosts.
The network layer controls the route the data takes to get to its destination. At this point the envelope carries
the equivalent of a phone number, in this case the IP address of its destination. An IP address is a 32-bit number that
identifies the sender or the recipient of a packet of information sent over the Internet.

2009 CCH. All Rights Reserved.


Forensic and Investigative Accounting

The data link layer transfers the datagram from one network node to another, and it also passes the frames
sequentially up to the network layer. The data link layer is split into two separate sublayers called media access control
(MAC) and logical link control (LLC).
The hardware layer, or physical layer, provides the means of sending and receiving data on a network by
converting bits into voltages for transmission over a coaxial cable.
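The layering and encapsulation described above can be seen directly by building a frame one layer at a time and then unwrapping it the way a receiving host does. The following is an added example, not code from the textbook: it packs an application payload inside a minimal TCP header, an IPv4 header and an Ethernet frame, then decodes the link and network layers and hands the transport segment upward untouched. All MAC and IP addresses are constructed documentation-range values.

```python
import socket
import struct

# Constructed sample values (not from the page): documentation-range IPs and
# locally administered MAC addresses.
SRC_MAC = bytes.fromhex("020000000001")
DST_MAC = bytes.fromhex("020000000002")
SRC_IP, DST_IP = "192.0.2.10", "198.51.100.7"
ETHERTYPE_IPV4 = 0x0800
PROTO_TCP = 6


def internet_checksum(data: bytes) -> int:
    """One's-complement sum of 16-bit words, as used in the IPv4 header."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def wrap_transport(payload: bytes, src_port: int = 49152, dst_port: int = 80) -> bytes:
    """Transport layer: a minimal 20-byte TCP header in front of the application data."""
    return struct.pack("!HHIIBBHHH", src_port, dst_port, 1, 0, 5 << 4, 0x18, 8192, 0, 0) + payload


def wrap_network(segment: bytes, src: str, dst: str, ttl: int = 64) -> bytes:
    """Network layer: 20-byte IPv4 header carrying the 32-bit source and destination addresses."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(segment), 0x1234, 0,
                         ttl, PROTO_TCP, 0, socket.inet_aton(src), socket.inet_aton(dst))
    csum = internet_checksum(header)
    return header[:10] + struct.pack("!H", csum) + header[12:] + segment


def wrap_link(datagram: bytes, src_mac: bytes, dst_mac: bytes) -> bytes:
    """Data link layer: Ethernet II frame (destination MAC, source MAC, EtherType)."""
    return dst_mac + src_mac + struct.pack("!H", ETHERTYPE_IPV4) + datagram


def build_sample_frame() -> bytes:
    app_data = b"GET /index.html HTTP/1.0\r\n\r\n"  # application layer
    return wrap_link(wrap_network(wrap_transport(app_data), SRC_IP, DST_IP), SRC_MAC, DST_MAC)


def decode_frame(frame: bytes) -> dict:
    """Peel the layers back in the order the receiver does: link, then network, then hand the
    transport segment upward. Each layer reads only its own header."""
    dst_mac, src_mac = frame[:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETHERTYPE_IPV4:
        raise ValueError("not an IPv4 frame")
    datagram = frame[14:]
    (ver_ihl, _tos, total_len, _ident, _frag, ttl, proto, _csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", datagram[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or internet_checksum(datagram[:ihl]) != 0:
        raise ValueError("corrupt IPv4 header")
    return {
        "src_mac": src_mac.hex(":"),
        "dst_mac": dst_mac.hex(":"),
        "src_ip": socket.inet_ntoa(src),
        "dst_ip": socket.inet_ntoa(dst),
        "src_ip_32bit": int.from_bytes(src, "big"),   # the raw 32-bit number behind the dotted quad
        "ttl": ttl,
        "protocol": proto,
        "transport_segment": datagram[ihl:total_len],  # left for the transport layer to interpret
    }


if __name__ == "__main__":
    info = decode_frame(build_sample_frame())
    for key, value in info.items():
        print(f"{key:>18}: {value!r}")
```

The checksum check in `decode_frame` is the "verify the packet" step the text mentions: a header whose checksum no longer sums to zero is rejected before any address in it is trusted.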
14,031

Decoding Packet Information

To learn who is visiting a website, it is necessary to decode packet information. Most web users would be
surprised about the information contained in the packets that are sent over the web as the users surf the Internet. Once
it is understood there is important information hidden in Internet packets, the need to study such information becomes
more obvious. The only way to quickly trace a fraud perpetrated on a company's website is by tracing the information
left behind by the attacker's packets.
Web Log Entries. One important method for finding the web trail of the attacker is examining web logs.
Recorded network logs provide information needed to trace all website usage. This information includes the visitor's
IP address, geographical location, the actions the visitor performs on the site, browser type, time on page, and the site the
visitor used before arriving.
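Most of the items just listed (IP address, actions on the site, browser type, time on the site, and the referring site) sit in each line of a standard web server access log. The following added example, not from the textbook, parses a few constructed lines in the Apache "combined" format and builds a per-visitor profile from them; the addresses, host names and requests are invented, and the traversal check is an illustration of the kind of suspicious request an investigator would want counted.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in Apache/NCSA "combined" format (not from the page).
# Addresses are documentation ranges; the last line is deliberately malformed.
SAMPLE_LOG = """\
192.0.2.10 - - [30/Jun/2004:14:02:11 -0500] "GET /index.html HTTP/1.1" 200 5120 "http://www.example.net/links" "Mozilla/5.0 (Windows NT 5.1)"
192.0.2.10 - - [30/Jun/2004:14:02:19 -0500] "GET /admin/login.php HTTP/1.1" 200 812 "http://www.example.com/index.html" "Mozilla/5.0 (Windows NT 5.1)"
198.51.100.7 - - [30/Jun/2004:14:05:40 -0500] "POST /admin/login.php HTTP/1.1" 302 0 "-" "curl/7.12"
192.0.2.10 - - [30/Jun/2004:14:06:02 -0500] "GET /../../etc/passwd HTTP/1.1" 404 221 "-" "Mozilla/5.0 (Windows NT 5.1)"
this line is not a log entry
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)


def parse_line(line: str):
    """Return one parsed record, or None for lines that do not fit the combined format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    rec["size"] = 0 if rec["size"] == "-" else int(rec["size"])
    return rec


def profile_visitors(log_text: str) -> dict:
    """Group entries by client IP and summarize what each visitor did on the site."""
    visits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            visits[rec["ip"]].append(rec)
    profile = {}
    for ip, recs in visits.items():
        recs.sort(key=lambda r: r["ts"])
        profile[ip] = {
            "requests": len(recs),
            "first_seen": recs[0]["ts"].isoformat(),
            "seconds_on_site": int((recs[-1]["ts"] - recs[0]["ts"]).total_seconds()),
            "paths": [r["path"] for r in recs],
            "referers": sorted({r["referer"] for r in recs if r["referer"] != "-"}),   # site used before arriving
            "browsers": sorted({r["agent"] for r in recs}),                            # browser type
            "errors": sum(1 for r in recs if r["status"] >= 400),
            "traversal_attempts": sum(1 for r in recs if "/../" in r["path"]),        # e.g. /../../etc/passwd
        }
    return profile


if __name__ == "__main__":
    for ip, summary in profile_visitors(SAMPLE_LOG).items():
        print(ip, summary)
```

Geographical location is not in the log itself; it comes from the later Whois step applied to the IP addresses this parser extracts.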
TCPDUMP. Besides reviewing the raw log entries, the investigator can use more tools to analyze Internet
traffic information in packets sent to a compromised website by the attacker. One such tool is a Unix-based program
called TCPDUMP. TCPDUMP is a form of network sniffer that can disclose most of the information contained in a
TCP/IP packet. A sniffer is a program used to secretly capture datagrams moving across a network and disclose the
information contained in the datagrams' network protocols.
14,041

Decoding Simple Mail Transfer Protocol (SMTP)

SMTP is the protocol used to send e-mail over the Internet. SMTP servers accept incoming messages on Port 25,
check addresses, store local messages, and forward messages to remote addresses. SMTP guidelines standardize e-mail
server logs. It is possible to directly enter and communicate with an SMTP mail server by telnetting into Port 25.
Path Checking. SMTP server logs are a useful source of information about the origin of e-mail messages. If
these logs are correctly maintained, they can be used to check the path of the e-mail from the sending host to the
receiving host.
Headers. To understand how perpetrators who send viruses and financial misinformation are traced through
their e-mail headers, it is necessary to understand some of the technical information found in e-mail headers. Most of
the important information about the origin of an e-mail message is in the long form of the header that most users of
e-mail never use or see.
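The long-form header information referred to above is mainly the chain of "Received:" lines, one added by each relay in turn, so the lowest one is the first hop and the topmost is the last. The following added example, not from the textbook, reconstructs that path from a constructed message, pulls out the originating IP, and applies two checks an investigator would want before trusting the chain: that each relay's "by" host is the next hop's "from" host, and that the timestamps increase along the path. Hosts and addresses are invented documentation-range values.

```python
import email
import re
from email.utils import parsedate_to_datetime

# Constructed sample message (not from the page); hosts and addresses are invented.
# The top Received: line is the one added last, by the recipient's own server.
RAW_MESSAGE = """\
Received: from mx1.example.com (mx1.example.com [192.0.2.25])
\tby mail.example.org (Postfix) with ESMTP id 4A1B2C3D
\tfor <cfo@example.org>; Wed, 30 Jun 2004 14:07:55 -0500
Received: from relay.example.net (relay.example.net [198.51.100.40])
\tby mx1.example.com with ESMTP; Wed, 30 Jun 2004 14:07:50 -0500
Received: from [203.0.113.9] (helo=workstation)
\tby relay.example.net with SMTP; Wed, 30 Jun 2004 14:07:44 -0500
Message-ID: <20040630190744.GA1234@relay.example.net>
From: "Accounts Payable" <accounts@example.com>
To: cfo@example.org
Subject: Updated wire instructions
Date: Wed, 30 Jun 2004 14:07:40 -0500

Please use the new account number below.
"""

HOP_RE = re.compile(r"\bfrom\s+(?P<frm>\S+)(?P<rest>.*?)\bby\s+(?P<by>\S+)")
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_received(value: str):
    """Pull the from-host, its IP literal, the receiving host and the timestamp out of one
    Received: header. Folded continuation lines are joined first."""
    flat = " ".join(value.split())
    m = HOP_RE.search(flat)
    if not m:
        return None
    ip_match = IP_RE.search(m.group("frm") + m.group("rest"))
    stamp = flat.rsplit(";", 1)[1].strip() if ";" in flat else None
    return {
        "from": m.group("frm").strip("[]"),
        "ip": ip_match.group(1) if ip_match else None,
        "by": m.group("by").rstrip(";,"),
        "time": parsedate_to_datetime(stamp) if stamp else None,
    }


def trace_path(raw: str) -> dict:
    """Reconstruct the chronological path (origin first) and sanity-check the chain."""
    msg = email.message_from_string(raw)
    hops = [h for h in (parse_received(v) for v in msg.get_all("Received", [])) if h]
    hops.reverse()  # each relay prepends its line, so reversing gives origin -> destination
    chain_ok = all(hops[i]["by"] == hops[i + 1]["from"] for i in range(len(hops) - 1))
    times = [h["time"] for h in hops if h["time"]]
    times_ok = all(times[i] <= times[i + 1] for i in range(len(times) - 1))
    return {
        "origin_ip": hops[0]["ip"] if hops else None,
        "path": [(h["from"], h["by"]) for h in hops],
        "chain_consistent": chain_ok,
        "timestamps_monotonic": times_ok,
    }


if __name__ == "__main__":
    result = trace_path(RAW_MESSAGE)
    print("origin:", result["origin_ip"])
    for frm, by in result["path"]:
        print(f"  {frm} -> {by}")
    print("chain consistent:", result["chain_consistent"],
          "| timestamps monotonic:", result["timestamps_monotonic"])
```

Only the "Received:" line written by the investigator's own server (the topmost) is fully trustworthy; a sender can insert fabricated lines below it, which is exactly what the chain and timestamp checks are meant to expose.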
14,051

Decoded IP Addresses: Tracing Tools

Once information such as IP and MAC addresses is obtained from the server logs, it is necessary to try to
trace the criminal's activities back to their source.
Traceroute. Several methods can be used to back trace an IP address. One such commonly used program
is traceroute. Traceroute provides the means to determine where an e-mail message or TCP/ IP packet originated.
Traceroute traces the route taken on the Internet between the source IP address and the destination IP address. It
provides information about the hops a packet takes from one router to another by listing the IP address and optionally
the domain name of the various routers along with the time it takes for the packet to traverse its Internet route to its
destination. Traceroute programs allow the investigator to see the route taken over a map of the United States or the
world to the exact geographical location of the originating IP address.
Whois. Whois searches can provide corroborating information after a traceroute search is used. Whois is another
freely available service providing identification information on almost any domain name and the administrators
who run it. Using the IP address from a web server log or e-mail header, Whois tells the investigator the name of
the organization running the domain name and its address, administrative and technical contact names and e-mail
addresses, country location, billing address, domain servers, and usually contact phone numbers.

Textbook Solutions


Ping. Ping is another tool that is used over the Internet to electronically query an identified IP address.
Conceptually, an Internet ping is similar to a sonar ping used by the Navy to identify an object in the water. The pings
sent are echoed back by the queried machine showing it is alive and listening. The purpose of a ping is to determine
whether a network host or PC is active and able to receive datagrams.
Machines on a network have either a static or dynamic (changing) IP address. A ping to a dynamic IP address
only provides temporary identification with a user as dynamic IP addresses are continually reassigned by an Internet
service provider (ISP) to new users coming online. A ping to a static IP address identifies the specific machine with
the queried IP. Identification is also related to the physical MAC address of the machine, i.e., its Ethernet adaptor ID.
If the MAC address is obtained, it provides exact information about the network machine that launched the attack.
Finger Searches. Finally, finger searches are a helpful alternative for the investigator trying to identify usage
patterns of a cybercriminal suspect on a network. Finger programs take the identified e-mail address and provide
information about users such as their home directory, real and login names, the last time they logged onto the system,
received or read their e-mail, the time they currently logged into the system, and how long they stayed on the system.
The information provided will vary with the fingering program used, and some programs only provide information
about the users who are currently on the network.
14,061

Decoded IP Addresses: Narrowing the Search

Once the trace back has identified the IP address and the ISP that is providing Internet access for the attacker,
the description of the attack and the information that has been collected can be reported to law enforcement.
Preliminary Incident Response Form. All incident information should be compiled prior to approaching law
enforcement officials for assistance. In preparing the report, special care should be taken in calculating the dollar
amount of the damages incurred from the attack. All intangible losses should be included in this estimate. Furthermore,
if the investigator knows that the attack is part of a coordinated effort by a hostile group against a number of sites, the
evidence for such a conclusion should be clearly disclosed in the Preliminary Incident Response Form.
John Doe Subpoena. If the case is in any way related to defamation, copyright or trademark infringement, or
breach of contract issues that have occurred over the Internet, it is possible to file a John Doe subpoena to obtain ISP
logs. Under a typical John Doe subpoena, the evidence being requested from an ISP is the identity of an unknown
person who used the ISP in performing an act against the company.
14,065

Tracing Financial Frauds to the Executive Boardroom

Financial frauds committed by executives in the boardroom have led to some of the largest fraud losses for public
companies. The tracing and investigative methods described in this chapter have outlined a number of measures that
can be used to trace fraudulent activity back to a perpetrator, and these methods need to be applied to company executives
who have the authority to override traditional internal controls.

Due Diligence Searches


14,071

Internet Databases: Informational Searches Begin Here

If the name of the suspect can be learned with a John Doe subpoena or by other means, the investigator may also
want to learn as much information about that person as possible. Several search engines and databases on the Internet
allow for collecting all manner of information about individuals and groups. Such information may include property
records, maps to suspects' homes or businesses, voting records, telephone numbers, and e-mail addresses.
General Searches. In beginning a search on a person, the first step would be to use a search engine and
type in several variations of the person's name. One of the most widely used general search engines is Google
(http://google.com). When the Advanced Features of Google are selected, one can conduct searches of military and
government sites, Linux sites, and Microsoft-related pages. Besides Google, there are several other good search
engines.
Name, Telephone Number, and E-Mail Address Search Engines. There are various search engines that
provide for searching a person's e-mail address, phone number, address, and more.


Internet Relay Chat (IRC), FTP, and Listserv Searches. IRC is a chat room on the Internet following the
rules of client/server software. FTP is a file exchange system used over the Internet. A listserv uses an e-mail program
to automatically distribute e-mail to the names on the mailing list. Search engines can search IRC files, FTP sites, and
listservs to find information about a suspect's interactions with other people on the Internet.
Usenet Postings Search. Usenet is an Internet discussion system consisting of sets of user-submitted messages
or notes, and each collection of similar notes or messages is called a newsgroup. One search of Usenet
postings can be made from Google, which allows for searches on specific individual names, company names, and the
threads of the discussion that follow.
Legal Records. There are many ways to search public records and criminal databases. Some companies charge
a fee for criminal records, but guarantee real-time information.
Socializing Websites. The Internet has resulted in the development of socializing networks such as Facebook.
Facebook is an interactive website where people post information and pictures about themselves as well as blogs
about their daily activities. Facebook provides a way for acquaintances to keep up to date on each other's activities.
At the beginning of September 2007, Facebook provided a search engine of users' profiles. The search engine allows
for searches without requiring the person making the search to be logged into the website. Such searches will be
available from Google and other search engines in the near future. Facebook has indicated the information available
in these searches will be limited and controllable by Facebook members. Another website that has aspects of a
social network is YouTube. Although YouTube was not developed as a social network, a review of the videos on
YouTube clearly shows that it is a source of information about individuals and their activities much like Facebook.
StumbleUpon (stumbleupon.com) is an excellent search engine to use along with standard search engines to find
information contained in YouTube.
Instant Messaging (IM). IM and ICQ are programs set up to enable individuals to know when a group of their
friends are on the Internet. Afterward they can join an IRC-like chat room and exchange real-time e-mail. Instant
messaging is finding wider usage in corporations as a means to instantly communicate with colleagues who are inside
and outside the company network. It is possible to determine information about the person with whom information is
being exchanged.
14,081

Web Page Searches

If the suspect has a web page or a web page is part of the cybercrime, the web page should be viewed so the
coding in the page can be seen. The information disclosed shows date information and the location of servers where
pictures on the website are stored. Such storage does not have to be on the same server where the web page is hosted,
and it may provide a clue about the location of the suspect.
14,091

Government Data Searches

Government sites are available for searches on a state, federal, and international level.
14,101

Miscellaneous Searches

Before one forwards any chain letters, petitions, or virus warnings, HoaxKill (http://www.hoaxkill.com) should
be checked to see whether the message is a fake.
14,111

Conclusion

The forensic investigator needs to be able to quickly communicate with and interpret what computer technicians
are saying to solve a crime that may still be occurring. Without an understanding of logs, message IDs, IP addresses,
tracing methods, and Internet databases, a financial fraud investigator's hopes of solving a cybercrime are slim. Of
course, quickly obtained evidence may be used to trace the criminal suspect, but due to the manner in which it was
collected, it may not be admissible in court. Once the suspect is identified, knowledgeable legal authorities should be
contacted.


SOLUTIONS TO CHAPTER EXERCISES


1. In the TCP header, window is a 16-bit value. It gives the number of data bytes that the receiving host can
accept at one time. The window field shows how busy the recipient host is at the moment. The window tells
the sender the amount of packets the recipient is capable of accepting. If a window is close to zero and there
are no acknowledgments forthcoming, it indicates the recipient server's port is congested.
2. The answers to this question will vary. Students should be encouraged to select two hacker techniques briefly
mentioned in the chapter and then to collect more information about these methodologies.
IP spoofing. One of the methods mentioned in the chapter was IP spoofing. There are several ways to spoof
an IP address. The first step is to select an IP address to be spoofed. Then disable the PC with the spoofed
IP address or wait until it is certain that this static IP is not in use, i.e., the PC is shut down. At this point,
the hacker uses the selected IP address to gain entrance into the targeted computer and its files. The targeted
computer assumes the IP address is coming from a trusted server.
Sniffing. TCPDUMP is a sniffer that can be used by a network administrator or by a hacker to record information
going across a network. The information looked for by the hacker and the administrator are different. The
hacker tries to collect user logins, user or root passwords, and packet sequence numbers. It should be noted
that Telnet and FTP utilities transmit user names and passwords as clear text. Therefore such information is
easy to collect.
3. When a TCP/IP connection is made, the TCP layer forwards a connection request to the destination machine.
In the TCP request, there is an initial sequence number and port number. The message is then passed to the
IP layer, which assembles a datagram for transmission to the destination machine with the correct IP address.
When the destination machine receives the connection request, it returns an acknowledgment sequence
number and port number. The acknowledgment contains the recipient's new sequence number, which is the
sender's sequence number plus one, and an active ACK flag. Afterwards, the data stream exchange between
the two hosts can begin.
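The window field from exercise 1 and the sequence/acknowledgment rule from exercise 3 can both be checked on real header bytes. The following added example, not from the textbook, packs minimal TCP headers for the three segments of a connection set-up, decodes them, interprets the 16-bit window, and verifies that each side acknowledges the other's sequence number plus one (including the case where the 32-bit sequence number wraps around). Port numbers and initial sequence numbers are invented.

```python
import struct

# Constructed example (not from the page): pack and decode minimal TCP headers to follow
# the sequence/acknowledgment numbers through a three-way handshake. Ports are invented.
TCP_FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08, "ACK": 0x10, "URG": 0x20}
MASK32 = 0xFFFFFFFF


def build_tcp(src_port, dst_port, seq, ack, flags, window, payload=b""):
    """20-byte TCP header without options; checksum left at zero since no pseudo-header is built."""
    flag_bits = 0
    for name in flags:
        flag_bits |= TCP_FLAGS[name]
    header = struct.pack("!HHIIBBHHH", src_port, dst_port, seq & MASK32, ack & MASK32,
                         5 << 4, flag_bits, window, 0, 0)
    return header + payload


def decode_tcp(segment):
    (src_port, dst_port, seq, ack, offset, flag_bits,
     window, _csum, _urg) = struct.unpack("!HHIIBBHHH", segment[:20])
    header_len = (offset >> 4) * 4
    return {
        "src_port": src_port, "dst_port": dst_port, "seq": seq, "ack": ack,
        "flags": [name for name, bit in TCP_FLAGS.items() if flag_bits & bit],
        "window": window,            # 16-bit receive window, the field from exercise 1
        "payload": segment[header_len:],
    }


def window_status(decoded):
    """Interpretation of the window field: a zero window means the receiver can take nothing more."""
    if decoded["window"] == 0:
        return "zero window: receiver buffer full, sender must pause"
    return f"receiver will accept up to {decoded['window']} more bytes"


def handshake(client_isn, server_isn, client_window=8192, server_window=65535):
    """Produce the three decoded segments of a connection set-up (SYN, SYN-ACK, ACK)."""
    syn = build_tcp(49152, 25, client_isn, 0, ["SYN"], client_window)
    syn_ack = build_tcp(25, 49152, server_isn, client_isn + 1, ["SYN", "ACK"], server_window)
    ack = build_tcp(49152, 25, client_isn + 1, server_isn + 1, ["ACK"], client_window)
    return [decode_tcp(s) for s in (syn, syn_ack, ack)]


def verify_handshake(segments):
    """Check the rule from exercise 3: each side acknowledges the other's sequence number plus one."""
    syn, syn_ack, ack = segments
    return (
        syn["flags"] == ["SYN"]
        and sorted(syn_ack["flags"]) == ["ACK", "SYN"]
        and syn_ack["ack"] == (syn["seq"] + 1) & MASK32
        and ack["flags"] == ["ACK"]
        and ack["seq"] == syn_ack["ack"]
        and ack["ack"] == (syn_ack["seq"] + 1) & MASK32
    )


if __name__ == "__main__":
    for seg in handshake(1000, 5000):
        print(seg["flags"], "seq", seg["seq"], "ack", seg["ack"], "|", window_status(seg))
```

A sniffer such as TCPDUMP shows exactly these fields; an investigator reading a capture can apply `verify_handshake` to confirm that a connection in the log was genuinely completed rather than merely attempted.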
4. Identify the following IP addresses with an organization. At the time of this writing, the following associations
existed:
a. 207.246.6.128: Flagstaff Unified School District
b. 209.3.112.1: Qwest Communications, Denver, CO
c. 164.58.120.10: Southeastern Oklahoma State University
d. 211.213.248.213: Asia Pacific Network Information Center, Queensland, AU
Use ARIN.net to search out the organizations that own these IP addresses.
Online tables in an organization's Domain Name System server record both the IP numbers and the domain
names. For example, the DNS server resolves the 211.213.248.213 IP number into APNIC.com.
5. A bit is the smallest binary digit that a computer can hold. A bit has one of two values ... 0 or 1. These two
values represent an off or on state, respectively. Characters are composed of bits, and these characters
are all bytes. On most computers, a single byte equals eight bits. Byte stands for binary term.
6. There are several advantages to using the same layered set in the OSI Model. These are three of the major
advantages:
a. Manufacturers with different systems can interconnect through a standard interface.
b. The OSI Model standardizes connections for all the countries in the world.
c. It allows hardware and software to be portable on different systems.
7. The purpose of this short problem is to see some of the differences in search engines. In the following results,
Google and Altavista returned different sites in their top rankings. Thus, even the top rankings of search
engines are not the same. For this reason, it is often better to use a meta search engine such as Dogpile. If the
combined sites returned by Google and Altavista were compared, there would be many duplications, but meta
search engines eliminate such duplications.


It is expected the returns from the three search engines would be different depending on the search date. As
of the time of this writing, the results are shown as follows.
Both Google and Altavista picked up federal government CDC websites in their first and second ranking for
leptospirosis, but the meta search engine Dogpile did not include CDC as a site until its third ranking. Google
included a foreign language website that could be translated into English. The other two search engines did
not have a foreign language website included in their rankings.
Google Search:
DBMD - Leptospirosis - General Information. Leptospirosis. . . . What is leptospirosis? Leptospirosis is a
bacterial disease that affects humans and animals. . . . How do people get leptospirosis? . . . www.cdc.gov/
ncidod/dbmd/diseaseinfo/leptospirosis_g.htm - 13k - Dec. 7, 2002 - Cached - Similar pages
CDC Travelers' Health Information on Leptospirosis. Leptospirosis. Description. Leptospirosis is a widespread
zoonosis that is endemic worldwide, with a higher incidence in tropical . . . www.cdc.gov/travel/diseases/
lepto.htm - 25k - Cached - Similar pages [More results from www.cdc.gov]
Leptospirosis [Translate this page] Leptospirosis. Dra. Marta Muñoz Ch., Md. Veterinario. Práctica
privada. Dra. . . . La leptospirosis es una enfermedad zoonótica con distribución mundial. . . . Description:
Información sobre la espiroqueta, huéspedes y técnicas de diagnóstico. Category: World > Español > . .
. > Biología > Microbiología www.ucr.ac.cr/~gacetapc/Leptospirosis.html - 13k - Cached - Similar pages
LEPTOSPIROSIS [Translate this page] Leptospirosis. ¿Qué es? Es una enfermedad bacteriana
caracterizada por fiebre acompañada de escalofríos, dolor de cabeza, dolor . . . Description: Descripción y
notas sobre transmisión y síntomas. Descripción de casos de la epidemia de Achuapa, . . . Category: World
> Español > . . . > Enfermedades > Infecciosas > Leptospirosis www.ops.org.ni/desastre/dcivil/1998/mitch/
opsnic/leptospirosis_new.html - 7k - Cached - Similar pages
Altavista Search:
DBMD - Leptospirosis - General Information. Leptospirosis. Frequently Asked Questions. What is leptospirosis?
. . . What is leptospirosis? How do people get leptospirosis? www.cdc.gov/ncidod/dbmd/diseaseinfo/leptos
. . . DBMD - Leptospirosis - Technical Information. Leptospirosis. Clinical Features: Symptoms include fever,
headache, chills . . . Trends: Leptospirosis continues to re-emerge as a notable source of . . . www.cdc.gov/
ncidod/dbmd/diseaseinfo/leptos . . . [More results from www.cdc.gov]
QHPSS - Leptospirosis. Leptospirosis. WHO/FAO/OIE Collaborating Centre for Reference and Research on
Leptospirosis, Australia and Western Pacific Region . . . www.health.qld.gov.au/qpssb/sciensrv/who/h . . .
Communicable Disease Fact Sheet. Communicable Disease Fact Sheet, leptospirosis . . . www.health.state.
ny.us/nysdoh/consumer/lep . . .
Dogpile Search:
(1) Leptospirosis Patients' Sourcebook. The Official Patient's Sourcebook on Human Leptospirosis. A
comprehensive manual for anyone interested in self-directed research on Leptospirosis. http://www.
icongrouponline.com
(2) Information on leptospirosis in swine. Visit ThePigSite to get the latest info on leptospirosis, and details
on all other hog diseases. Latest swine news, feature articles, disease problem solver and more. http://
www.thepigsite.com
(3) Leptospirosis. Details contraction, symptoms, spread and treatment of disease. Also includes frequently
asked questions and press releases. http://www.cdc.gov
8. The MAC address on a specific PC is an important identifier in trying to trace a fraud or other financial
cybercrime. The Address Resolution Protocol (ARP) utility in Windows allows for an easy and quick
determination of the MAC address on the machine. To do the analysis, click on Start, Programs, MSDOS
Prompt. At the DOS prompt, type in arp. The screen will show the MAC number. To print the screen, press
the Print Screen key, paste the saved screen in a word processing program, and print it out. The MAC
number should be shown as a 12-digit number at the bottom of the screen such as 20-54-52-43-00-01. This
number is a specific identifier on the PC.


9. Incident Response Report.


a. In completing Part II of the Incident Response Form, each question should be completed. If the information
is unknown, unknown should be written in the space. This shows a reader of the report that the question
was not skipped.
Part II: Description of the Incident
(1) Date of the incident June 30, 2004
(2) GMT time of the incident -05.25EST
(3) Physical location of the attacked system (company headquarters, other site or state) Hyattsville, MD
(4) Operating system on the attacked system WinNT4
(5) Hardware 960 Series Gateway
(6) Security systems in use on the attacked system (name and version) Black Ice Firewall
(7) Mission of the attacked system (What is its function?) Provide web services to the company's
clients
(8) Describe how the attack was detected. It was discovered when routine maintenance was being
performed
(9) Describe the attackers activities (DOS, virus, sniffer, spoofing, social engineering, etc.) Installed a
sniffer on the web server
(10) Estimate time duration of the incident from detection to completion Currently ongoing
(11) If possible, estimate how long the attacker was on the system before being detected. Approximately
60 days
(12) Description of the damage done in the attack. Currently unknown, suspect user names and passwords
have been stolen. The attacker has likely installed a backdoor
(13) Provide an estimated dollar valuation of the damage (show calculations) Unknown at the present
time
(14) Describe activities taken by the victim up to the time of filing of the report. Installed a sniffer on the
web server (Effe Tech v.3.4)
(15) Attach copies of appropriate logs (up to 20) and corroborate the times on the logs. If the times on the
logs are not correct, reconcile them to the correct times.
The TCPDUMP log entry should be copied to the report.
b. The suspicious IP address is 250.14.130.1. The IP number would be checked to determine the name of
the organization that owns this address. The hacker probably used this organization's server to launch an
attack on MacVee.
c. The decision to leave the web server online also leaves MacVee open to a possibly destructive attack
from the hacker. A well-skilled hacker can probably get past the defenses that Hank has instituted. Further,
if the hacker detects that Hank is trying to trap him, the hacker may destroy any remaining evidence of
his presence before Hank can retrieve it. If the system is left open and consequently the hacker creates
more damage for MacVee or another company, there may be a question of liability and of the competence of
Hank's actions. The advantage of leaving the web server online is that when the hacker comes back, Hank
may be able to keep him off of the rest of the network and collect ID information about the hacker that can
be presented to law enforcement.
d. Unfortunately, in this case it does not appear that law enforcement would be interested in the activities of
the hacker, as no serious dollar damage has been done to the company as far as can be determined.
10. Attack! Attack! Personnel in several disparate departments should be notified about the attack. The selected
personnel should not continue to operate in their departmental roles as long as the investigation of the attack
is ongoing or as long as the attack, itself, is continuing. The emergency plan for dealing with a systems attack
needs to already be in place and not developed as the attack is progressing.


Personnel from the following departments should be singled out to become part of an emergency response
team to deal with the attack:
(1) Legal Department personnel should be combined with personnel from (2) IT. Legal needs to work closely
with IT personnel to ensure that IT's actions do not create additional liability for the company. If a site has been
successfully attacked, there is an automatic question raised about the competence of the system personnel. If
IT should take an action against an accused client or other person, it could create lawsuits and more losses for
the company. (3) Internal Audit needs to work with IT personnel to identify other critical systems that could be
damaged by the attacker. IT personnel need special training in order to be part of the emergency response team. It
cannot be assumed that normal IT functions will prepare them for an investigatory role in stopping, identifying,
and correcting the damage created by the attacker. (4) Higher-level management needs to be quickly informed of
the attack so that they can decide whether outside legal authorities will be contacted. Additionally, higher-level
management needs to determine the level of public disclosure that will be made about the incident.
After the incident has been contained, higher management will need to determine if they will call in an
independent high tech security firm to check their systems and determine if there are any undetected programs
still left on the network by the attacker. The level of expertise to perform such a network sweep is beyond the
skills of most of the internal company systems personnel.
11. Finding Ports of Call. Netstat can be run with several flags that allow for different reported results in its
analysis. Netstat provides detailed information about who is connected to the ports on your computer and the
incoming and outgoing activity that is taking place on those ports. It can show you if a hacker is connected to
one of the 65,000+ ports on your computer.
To begin to use Netstat (on Windows XP) go to Start and select run. In Run, open cmd. This will
provide a command line reference in DOS (black screen). Run Netstat twice. The first time type Netstat -a.
The screen should show the following type of information:


The Proto column refers to the web protocol being run on a specific port. Currently, there are only TCP and
UDP. Protocols can also include IP and ICMP. The Local Address is my machine and contains the address
and machine name (Stevenson) of the local machine. And as can be seen, the local machine appears to be
listening on a number of different ports such as Port 1025 (Stevenson:1025). The most curious port is 4664,
which is open and listening. If there are unexplained ports on any Netstat output, it needs to be determined
who is connected to this port. The next column, Foreign Address, shows the name or address of the entity
controlling the port to which the local PC is sending information. For example, the ISP (local host)
is connected to Port 1285. The last column shows the state of the port: (1) closed and waiting, (2) listening, or
(3) established. Closed and waiting means your computer is ready to close a connection. Your computer has
just sent the close signal and it is waiting for a response from the server. Listening means there is an active
connection. Established means the initial connection has been established, and your PC is ready to accept the
connection.
Running Netstat with a -b flag will name the executable that created the connection or is listening on a
specific port. This works in Windows XP with SP2 installed. The results are shown below.
It can be seen that Firefox.exe and Insight.exe are the programs using two of the ports.
As an extension to this exercise, it would be possible to trace the IP numbers displayed in the Netstat report
to the owners of those IP addresses.
Netstat can also be used to monitor packet traffic over these ports, but that is not discussed here.
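The "unexplained port" check described above can be made repeatable by parsing the Netstat -b output and comparing every listening port against a baseline of ports the analyst has already accounted for. The following is an added example, not part of the textbook solution; the sample output, hostnames, PIDs and executable-to-port pairings are constructed for illustration (unknown_app.exe is a placeholder name).

```python
import re
from dataclasses import dataclass

# Constructed sample in the layout of `netstat -b` on Windows XP SP2: each
# connection line is followed by the owning executable in square brackets.
# Hostnames, PIDs and executable/port pairings are invented for this example.
SAMPLE_NETSTAT = """
  Proto  Local Address          Foreign Address             State        PID
  TCP    Stevenson:1025         Stevenson:0                 LISTENING    1088
  [Insight.exe]
  TCP    Stevenson:1285         proxy.example-isp.net:http  ESTABLISHED  2240
  [Firefox.exe]
  TCP    Stevenson:4664         Stevenson:0                 LISTENING    1516
  [unknown_app.exe]
  UDP    Stevenson:137          *:*                                      4
  [System]
"""
# Baseline of listening ports the analyst has already explained (constructed).
KNOWN_LISTENERS = {"1025": "Insight.exe"}

@dataclass
class Socket:
    proto: str
    local_port: str
    foreign: str
    state: str      # empty for UDP, which netstat lists without a state
    pid: str = ""
    exe: str = ""   # filled in from the [name.exe] line that follows

# proto, host:port, foreign, optional STATE, optional PID (IPv4/hostname form only)
CONN_RE = re.compile(r"^\s*(TCP|UDP)\s+\S+:(\S+)\s+(\S+)(?:\s+([A-Z_]+))?(?:\s+(\d+))?\s*$")
EXE_RE = re.compile(r"^\s*\[(.+)\]\s*$")

def parse_netstat(text):
    """Turn netstat -a/-b text into Socket records; a [name.exe] line attaches
    to the connection line immediately before it."""
    sockets = []
    for line in text.splitlines():
        m = CONN_RE.match(line)
        if m:
            proto, port, foreign, state, pid = m.groups()
            sockets.append(Socket(proto, port, foreign, state or "", pid or ""))
            continue
        m = EXE_RE.match(line)
        if m and sockets and not sockets[-1].exe:
            sockets[-1].exe = m.group(1)
    return sockets

def unexplained_listeners(sockets, known):
    """LISTENING ports (open for inbound connections) that have no baseline
    entry, or whose owning executable differs from what the baseline says."""
    return [s for s in sockets if s.state == "LISTENING"
            and s.exe.lower() != known.get(s.local_port, "").lower()]
```

Running unexplained_listeners over the sample flags port 4664, the port the chapter singles out, while the baselined Insight.exe port passes; a baselined port taken over by a different executable is flagged as well.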
12. Where's the Teeth in Ethics? The question highlights a real situation at Hewlett-Packard. HP seems to have
put mainly window dressing into its ethics program, but the company has not enacted strong procedures for
identifying unethical behaviors. Prior to its demise, Arthur Andersen had an outstanding seminar series on
ethics. Enforcement of ethics needs more than rhetoric. Without additional measures, it is likely that unethical
procedures such as pretexting could occur within HP or, as in this case, be outsourced by HP.
To strengthen the ethics program at HP, measures such as those described in the chapter could be adopted.
A forensic audit of the activities of HP's executives would likely have uncovered the pretexting situation.
Monitoring of HP's executives, such as the logging and scrutiny of e-mails and other electronic communication,
needs to be implemented. Although communication avenues exist outside of e-mail messages, collected
e-mail messages are important sources for identifying unethical or unlawful acts. It may seem that those who
are committing these acts will avoid using e-mail messages. Yet once the uneasiness of knowing e-mail is
monitored wears off, e-mail communications are likely to return to their pre-monitoring patterns of usage.
13. Transfer it Here. The following case is partially based on press releases at the Sacramento, California FBI
website (http://sacramento.fbi.gov).
The two e-mails on 4/2 apparently made the digital investigators who were monitoring e-mail logs suspicious,
as they showed them to the forensic accountant. It is a serious step to call the fraud team into session. So it is
unlikely that the team would have been activated at this point. The forensic investigator should have put an
alert on any e-mail messages related to JW and LW after 4/2.
The e-mail message on 4/7 should have caused the forensic accountant to determine the nature of the STP
account mentioned in the e-mail. Investigation into the nature of the account would have shown that it was a
SureSouth investment account which was managed by JW. Knowing that JW was communicating information
about SureSouth's investment accounts to JW's father provided evidence beyond e-mails that something more
was going on than just personal business between father and son. At that point, it would be expected that the
forensic accountant, along with the digital investigators, would have called a fraud team meeting. Members
of the team need to determine the amount of the fraud. They need to check JW's investment accounts and
SureSouth's approved investment accounts to determine how and where the funds are being moved. They
need to take these actions without alerting JW. At the moment, they do not want to confront JW. They want to
secure information about the location of the funds to ensure they do not lose the money. If they confront JW at
this point, the cash may seemingly disappear. At this point, they may not want to contact their accounting firm. If
the accounting firm has been negligent in its auditing of SureSouth, they need documentation supporting such
a claim. Therefore, they should wait before notifying their auditors. Once team members have determined the
dollar amount of the fraud, they should contact the FBI.
A fraud team meeting should have been called on 4/7, but without a doubt the meeting needs to be convened
when the message on 4/16 is logged. At this point, it is fairly obvious that there is a cover-up occurring.
The fraud team's actions need to be the same as noted in the previous paragraph. At this point, they need to
immediately notify the FBI about the fraud and the amount of money involved as they begin to determine the
amount of the loss.
No one should wait until 6/27 to activate the fraud team. It should have been obvious to the students that the fraud
team needs to be called together prior to June in order to effectively take action to mitigate the financial fraud.
In the real case, the fraud was not uncovered until after the $2M was discovered to be missing. LW could only
return $23M to JW. He had lost $2M to investment swindlers in Europe. Prior to the discovery of the missing
cash, JW fled SureSouth. Concern arose over JWs absence that led internal auditors at SureSouth to start
checking his investment accounts for any irregularities. Eventually all were convicted by the FBI.
14. Footnote Number 27. There is a great deal of dissatisfaction with the level of undetected financial frauds
occurring in corporations. At the time of this writing, there is a call for dismantling of the Securities and
Exchange Commission as an independent governmental agency. Auditors have also been the target of the
public's dissatisfaction. Forensic audits, limited to high-level executives, have been suggested in the chapter
as a means to better identify financial frauds. In this case, which is based on an actual fraud (United States
Attorney, Southern District of New York), an employee who is not a top executive has stolen confidential client
files, which are an invaluable company asset.
The list of software in Footnote 27 is not an exhaustive list. The students should be encouraged to use the
Internet to find expanded descriptions of these software packages as well as other similar software. The
software selected should be a package that shows associations between individuals. One such
package is Maltego, which maps relationships between employees and others. The second choice is
Visual Analytics, which is used to uncover associations. The third choice is Confident Solutions, which can check
process controls such as relationships between employees and others. This exercise should help the students
develop an understanding of other means used in digital forensics.
15. Forensic Audits. There are a number of arguments against implementing forensic audits
which are directed at scrutinizing the activities of top-level corporate executives.
a. It is the job of accountants and auditors to investigate frauds, but it is not the job of accountants to detect
fraud before one has occurred.
b. There are no set guidelines for performing a forensic audit; therefore, there are opportunities for abuse of
individual privacy.
c. The forensic audit procedures are too intrusive into an individual's privacy.
d. Executives should not be treated as criminals or terrorists by having their privacy invaded.
e. As long as an executive is successfully making money for the corporation, there is no need to investigate his
methods or activities.
f. A forensic audit can be performed by any independent organization; therefore, it will take business away
from accounting firms.
g. The cost of performing a forensic audit is too high.
h. No organizations are trained to perform a forensic audit.
i. The cross-disciplines of the professionals needed to implement a forensic audit make it almost impossible
to put into practice.
j. No one is using the software needed to implement a forensic audit.
k. Executives at major corporations will not allow such invasive procedures to be used to check on their
activities.
l. Forensic audits make every company appear as if it is run by untrustworthy crooks; otherwise, why
would these executives need to have such extensive controls placed on their activities?
16. LinkedIn. Students are generally unaware of the information on the Internet that can be collected about
them. The purpose of the evaluation by the second group is to illustrate the level of information revealed on
just one website. All this information is useful in developing the digital profile of an individual, and it is a
beginning link for finding out additional information about the individual. Note: It is necessary to register at
the LinkedIn site before a page can be created, and the individual who created the page will know you have
viewed it.
You expect the group to collect the following information from the individual's LinkedIn page: (1) name; (2)
e-mail address(es); (3) current physical address; (4) educational background, probably back to high school;
(5) previous employment (employers' names and addresses); (6) date of birth; (7) hobbies; (8) names of pets,
maybe names of friends; (9) names and addresses of references; (10) possibly previous physical addresses;
(11) names of LinkedIn associates. What can an unscrupulous person do with this information?
17. Profiling. The instructor may want to select one or two fraud cases for the entire class ahead of time in order
to limit the variety in the answers submitted by the students. It also might be useful to use student groups on
this assignment. The chapter deals with Due Diligence Searches, and it would be expected that the students would
use the methods described in the chapter to complete this assignment. The solutions to this question
will vary. If a student or team has problems finding out information about the individual they have
selected, allow them to select someone else.
Tracing Financial Frauds to the Executive Boardroom
There have been numerous financial frauds committed by top-level company executives. These criminals
have stolen millions of dollars from stockholders and other company stakeholders through their financial
frauds. The large number of these frauds raises questions as to whether traditional methods of providing
internal controls are still effective in controlling frauds implemented by executives who have the authority to
override these controls. A suggestion is made for the use of forensic audits as a measure to control unethical
executives in U.S. companies. The practices of a forensic audit would make the activities of company
executives more transparent and these practices would make it more difficult for them to continue to steal
from their companies.