
Saint Thomas University

Module 4 Assignment

Professor:

Chapter 13
1. Define computer forensics

“Computer forensics is the application of investigation and analysis techniques to gather and preserve evidence from a particular computing device in a way that is suitable for presentation in a court of law. The goal of computer forensics is to perform a structured investigation while maintaining a documented chain of evidence to find out exactly what happened on a computing device and who was responsible for it” (Rouse, 2013). It analyzes electronic data and residual data to resolve technology-based crime. Most of today's financial crimes are committed through computer systems. Therefore, forensic accountants must understand the methods by which computer evidence is obtained.

References:

Crumbley, D. L., Fenton, J. E. D., Smith, G. S., & Heitger, L. E. (2017). Forensic and investigative accounting (8th ed.). Chicago, IL: Wolters Kluwer.

Rouse, M. (2013, May 2). What is computer forensics (cyber forensics)? Definition from WhatIs.com. SearchSecurity, TechTarget. searchsecurity.techtarget.com/definition/computer-forensics
3. List where some electronic evidence may be found of a crime.

“Electronic evidence of a crime is contained on employer-owned personal computers (PCs) and mainframes, employees’ personal laptops, the company’s network, personal data assistants, BlackBerries, digital cameras, pagers, iPads, external drives, dongles (security devices that must be connected to a computer in order for certain software to run), memory sticks, scanners, floppy disks, smart cards, cell phones, and web servers in external networks” (Crumbley, Smith, & Heitger, 2017).

References:

Crumbley, D. L., Fenton, J. E. D., Smith, G. S., & Heitger, L. E. (2017). Forensic and investigative accounting (8th ed.). Chicago, IL: Wolters Kluwer.

4. Summarize the guidelines SAS No. 31 provides for auditors.

“American Institute of Certified Public Accountants’ (AICPA) Statement on Auditing Standards (SAS) No. 31, Evidential Matter, provides guidelines for audit engagements encountering electronic documents. It states that for an accounting system predominately evaluated using electronic audit evidence, it may not be practical or possible to reduce detection risk to an acceptable level using only substantive tests for financial statement assertions. In these cases, the auditor should perform tests of system controls to show they are strong enough to mitigate the risks inherent in electronic audit evidence” (Crumbley, Smith, & Heitger, 2017). Substantive evidence, combined with tests of system controls, should be sufficient for the auditor to issue an opinion. Such an audit may require the application of generalized audit software or a continuous audit module to test the controls.


References:

Crumbley, D. L., Fenton, J. E. D., Smith, G. S., & Heitger, L. E. (2017). Forensic and investigative accounting (8th ed.). Chicago, IL: Wolters Kluwer.

6. Discuss any three of the technical skills needed for working with digital evidence collection.

- Properly preserving data: Like any other evidence, digital evidence must be preserved, and doing so properly can save a lot of time. It involves applying preservation techniques and methodology. “The investigator must know how to preserve the date and timestamps within any files that are being analyzed for a possible financial fraud. Such skills require a basic familiarity with OS timestamp and data protocols. Date and timestamp information show when changes to files were being made and help in identifying who made the changes” (Crumbley, Smith, & Heitger, 2017).

- Properly collecting data: Data collection gathers reliable information, which is crucial to the decision-making process. “When an initial review of the financial system data is done, the auditor may have to use mirror imaging software to identify and collect electronic evidence by making a bitstream, read-only image” (Crumbley, Smith, & Heitger, 2017). After the data is adequately secured, the computer forensics investigation can start.

- Properly securing data: This is not an easy task in today's digital world; sensitive data is vulnerable. “Hashes are used in an investigation to find out if critical financial files have been altered. (A hash, or hash value, is a number representing a string of text. The hash is much smaller than the text itself, and it is very unlikely that some other text would ever produce the same hash value.) The hashes quickly identify if a file’s integrity has been compromised” (Crumbley, Smith, & Heitger, 2017).

“The most effective methods to ensure legal admissibility while preparing to engage a forensic analyst include the following: Drive Imaging, Hash Values and Chain of Custody” (Hamilton, n.d.).

References:

Crumbley, D. L., Fenton, J. E. D., Smith, G. S., & Heitger, L. E. (2017). Forensic and investigative accounting (8th ed.). Chicago, IL: Wolters Kluwer.

Hamilton, M. K. (n.d.). 3 methods to preserve digital evidence for computer forensics. Retrieved April 11, 2020, from https://ci.security/resources/news/article/3-methods-to-preserve-digital-evidence-for-computer-forensics

7. From the Internet, determine the use of these software tools:

a. Nmap (Network Mapper) is a free network scanner that includes the Nmap Scripting Engine (NSE), which uses scripts to perform scans. It is used to discover the devices running on a network: it detects hosts and services on a computer network by sending packets and analyzing the responses. "Nmap can be used to monitor single hosts as well as vast networks that encompass hundreds of thousands of devices and multitudes of subnets" (Ferranti, 2018).

b. John the Ripper is free password-cracking software. It can crack LAN Manager hashes using DES, as well as NTLM hashes using MD5, and UNIX, Linux and Cisco password hashes. “It combines several cracking modes in one program and is fully configurable for your particular needs (you can even define a custom cracking mode using the built-in compiler supporting a subset of C)” (John the Ripper, n.d.).

c. TCPDump is free software that runs from a command-line interface. It is a common packet analyzer: TCPDump prints the contents of network packets. “It can read packets from a network interface card or from a previously created saved packet file. TCPDump can write packets to standard output or a file. It is also possible to use TCPDump for the specific purpose of intercepting and displaying the communications of another user or computer” (Tcpdump, 2020).

d. Tripwire “is an intrusion detection system (IDS), which, constantly and automatically, keeps your critical system files and reports under control if they have been destroyed or modified by a cracker (or by mistake). It allows the system administrator to know immediately what was compromised and fix it” (Fioretti, 2006).

e. THC-Scan “is a wardialer that works under DOS, Win95/98/NT/2K/XP, and all DOS emulators (UNiX) on all 80x86 processors. It has ODBC databank support, completely automated tone, carrier, vmb scanning, and a large palette of tools included. Comes with full source code and has an interface for usage with Scavenger Dialer and THC-Login Hacker” (Van Hauser, 2005).

References:

Ferranti, M. (2018, August 17). What is Nmap? Why you need this network mapper. Retrieved April 11, 2020, from https://www.networkworld.com/article/3296740/what-is-nmap-why-you-need-this-network-mapper.html

Fioretti, M. (2006, April 28). How to set up and use Tripwire. Retrieved April 11, 2020, from https://www.linuxjournal.com/article/8758

John the Ripper. (n.d.). Retrieved April 11, 2020, from https://tools.kali.org/password-attacks/john

Tcpdump. (2020, January 7). Retrieved April 11, 2020, from https://en.wikipedia.org/wiki/Tcpdump

Van Hauser, THC. (2005, October 6). THC-Scan-2.01.zip. Retrieved April 11, 2020, from https://packetstormsecurity.com/files/40446/THC-Scan-2.01.zip.html

11. Describe COBIT’s goals.

"COBIT stands for Control Objectives for Information and Related Technology. It is basically a business framework that is used for the management and governance of the IT enterprise" (What Is COBIT Framework, n.d.). There you can find the most up-to-date methodology for evaluating internal control over high-tech networks. "Furthermore, it offers globally accepted practices, principles, models, and analytic tools to increase the reliability of information systems" (What Is COBIT Framework, n.d.). “The COBIT guidelines expand the general guides found in the COSO requirements, recommended by the SEC, and provide a specific framework for evaluating and reducing high technology fraud risks present in a networked environment” (Crumbley, Smith, & Heitger, 2017).

References:

Crumbley, D. L., Fenton, J. E. D., Smith, G. S., & Heitger, L. E. (2017). Forensic and investigative accounting (8th ed.). Chicago, IL: Wolters Kluwer.

What is COBIT framework - COBIT principles? (n.d.). Retrieved April 11, 2020, from https://mindmajix.com/cobit-framework

13. Can deleted files always be recovered? Explain your answer.


It depends on how the file was deleted, but most of the time the data can be recovered. However, there is a high risk of contamination. Frequently, simply removing a file makes the system treat the space the file occupied as available again. "Such "deleted" data that is partially overwritten can be recovered with imaging tools, so it is difficult to really delete electronic files, but it is easy to contaminate them" (Crumbley, Smith, & Heitger, 2017). Companies that continue to use their computers risk overwriting and damaging that data. “The only way to completely erase a file with no trace is to overwrite the data. The operating system will eventually overwrite files that have no pointers in the directory tree structure, so the longer an unpointed file remains on the hard drive the greater the probability that it has been overwritten. There are also many "file erasing" software products currently on the market that will permanently erase files by overwriting them” (Are Deleted Files Completely Erased?, n.d.).
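To make the mechanics described above concrete, here is an added example that is not from the textbook or the assignment: it models a disk as fixed-size blocks plus a directory of pointers. Deleting a file only drops its directory entry, so an imaging-style sweep of unallocated blocks still recovers the content; writing a new file reuses the freed blocks and overwrites part of the residue; a shredding pass overwrites before deleting. The block size, file names and contents are constructed for the example, and real filesystems add journals, slack space and wear levelling that this toy model leaves out.

```python
BLOCK_SIZE = 16   # constructed: tiny blocks so the effects are visible


class ToyDisk:
    """A disk is a list of fixed-size blocks plus a directory mapping
    file names to the blocks they occupy; nothing else is tracked."""

    def __init__(self, block_count: int):
        self.blocks = [bytes(BLOCK_SIZE) for _ in range(block_count)]
        self.directory = {}   # name -> list of block indexes

    def unallocated(self):
        """Blocks no directory entry points to (what the OS treats as free)."""
        in_use = {i for chain in self.directory.values() for i in chain}
        return [i for i in range(len(self.blocks)) if i not in in_use]

    def write(self, name: str, data: bytes):
        """Allocate the lowest free blocks first, as a simple allocator would;
        whatever was in those blocks is overwritten. Last block zero-padded."""
        pieces = [data[i:i + BLOCK_SIZE] for i in range(0, len(data), BLOCK_SIZE)]
        free = self.unallocated()
        if len(pieces) > len(free):
            raise OSError("disk full")
        chain = free[:len(pieces)]
        for idx, piece in zip(chain, pieces):
            self.blocks[idx] = piece.ljust(BLOCK_SIZE, b"\x00")
        self.directory[name] = chain

    def delete(self, name: str):
        """Ordinary deletion: only the pointer goes; the data blocks stay."""
        del self.directory[name]

    def shred(self, name: str):
        """Secure erase: overwrite every block of the file, then delete it."""
        for idx in self.directory[name]:
            self.blocks[idx] = bytes(BLOCK_SIZE)
        self.delete(name)

    def carve_unallocated(self) -> bytes:
        """What an imaging tool sees in free space: residue of unpointed files."""
        raw = b"".join(self.blocks[i] for i in self.unallocated())
        return raw.replace(b"\x00", b"")


MEMO = b"Transfer 25000 to account 7781 before audit"   # constructed text, 43 bytes


def recover_after_delete() -> bytes:
    """Deleted but untouched: the whole memo is still in free space."""
    disk = ToyDisk(8)
    disk.write("memo.txt", MEMO)
    disk.delete("memo.txt")
    return disk.carve_unallocated()


def recover_after_reuse() -> bytes:
    """Continued use: a new 22-byte file takes the first two freed blocks,
    leaving only the tail of the memo recoverable."""
    disk = ToyDisk(8)
    disk.write("memo.txt", MEMO)
    disk.delete("memo.txt")
    disk.write("report.txt", b"Q1 report: reconciled.")
    return disk.carve_unallocated()


def recover_after_shred() -> bytes:
    """Overwrite-then-delete leaves nothing for the carver."""
    disk = ToyDisk(8)
    disk.write("memo.txt", MEMO)
    disk.shred("memo.txt")
    return disk.carve_unallocated()


if __name__ == "__main__":
    print("after delete:", recover_after_delete())
    print("after reuse: ", recover_after_reuse())
    print("after shred: ", recover_after_shred())
```

The middle case is the one the quoted passage warns about: the evidence is partially overwritten the moment the machine is used normally, which is why an investigator images the drive before anything else is written to it.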

References:

Are deleted files completely erased? (n.d.). Retrieved April 11, 2020, from https://www.webopedia.com/DidYouKnow/Hardware_Software/Erasing_Deleted_Files.asp

Crumbley, D. L., Fenton, J. E. D., Smith, G. S., & Heitger, L. E. (2017). Forensic and investigative accounting (8th ed.). Chicago, IL: Wolters Kluwer.

17. In what ways can electronic evidence be destroyed so that it is no longer admissible in court? Explain your answer.

Digital evidence is more likely than paper evidence to be contaminated and ruled inadmissible. The first person who finds the evidence needs to know how to handle it; if not, the evidence can be destroyed. For example, when "original digital files are copied, they are essentially destroyed for evidentiary purposes" (Crumbley, Smith, & Heitger, 2017). Also, "by simply checking a client's files or cross comparing data, digital files for forensic investigations are contaminated" (Crumbley, Smith, & Heitger, 2017). Time plays a critical role in the value of the evidence: the more time that lapses between the initial fraud suspicions and the recovery of the related digital evidence, the less value the evidence has. Evidence can also be destroyed by not turning off "power to network hosting machines before they are disconnected from the network to ensure" (Crumbley, Smith, & Heitger, 2017), and by turning off computer equipment. If all electronic evidence is not secured in a forensic environment, it can be destroyed.

References:

Crumbley, D. L., Fenton, J. E. D., Smith, G. S., & Heitger, L. E. (2017). Forensic and investigative accounting (8th ed.). Chicago, IL: Wolters Kluwer.

19. Under the COSO framework, what general IT guidelines have been established?

The general information technology (IT) guidelines under the COSO framework have been established for the following eight areas:

1. Internal control environment: the underlying corporate culture is evaluated for its views on risk, including risk-taking, ethical values, and adequate controls.

2. Objective setting: evaluates whether there is a process in place for setting objectives that correspond with the organization’s mission.

3. Event identification: determines how the organization separates internal and external occurrences into risk and opportunity classifications, and how these correlate with its objectives.

4. Risk assessment: determines whether there is an effective response for managing the IT risks faced by the organization.

5. Risk response: deals with avoiding, accepting, or reducing the identified risks.

6. Control activities: evaluates whether effective controls are in place for controlling IT risk.

7. Information and communication: must be established so that information is broadly shared up and down the organization. It is also important to have assurance that the proper information is identified and captured.

8. Monitoring: is correctly in place if it can be verified that the controls are effective enough that, when weaknesses are detected, corrective actions are taken.

References:

Crumbley, D. L., Fenton, J. E. D., Smith, G. S., & Heitger, L. E. (2017). Forensic and investigative accounting (8th ed.). Chicago, IL: Wolters Kluwer.

24. What does comparing the hash values of two files show?

By evaluating hashes, you can find out whether a financial file has been altered. It is very unlikely that some other text would ever produce the same hash value. Comparing the hash values of two files “will show if they are the same or have been altered in any manner. Hash values allow the forensic accountant to determine if two large financial files are the same” (Crumbley, Smith, & Heitger, 2017).
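As an added illustration of the two passages that rely on hashing (question 6, "Properly securing data", and this question), here is example code that is not from the textbook or the assignment. It computes SHA-256 digests of two constructed ledger files, compares them in constant time, and shows that a single changed digit produces a completely different digest while identical content always matches, which is exactly the check a forensic accountant runs against the digest recorded at imaging time. The file names and ledger contents are constructed for the example.

```python
import hashlib
import hmac
import os
import tempfile

CHUNK_SIZE = 1 << 20  # hash large evidence files in 1 MiB pieces, never whole in memory

# Constructed sample "financial files" for this example (not from the page):
# the altered copy differs from the original by a single digit in one amount.
LEDGER_ORIGINAL = (b"date,voucher,payee,amount\n"
                   b"2020-03-31,AP-1042,Vendor A,1250.00\n"
                   b"2020-03-31,AP-1043,Vendor B,980.00\n")
LEDGER_ALTERED = LEDGER_ORIGINAL.replace(b"980.00", b"9800.00")


def hash_bytes(data: bytes, algorithm: str = "sha256") -> str:
    """Hex digest of in-memory data; the digest is a fixed 64 hex characters
    for SHA-256 no matter how large the input is."""
    return hashlib.new(algorithm, data).hexdigest()


def hash_file(path: str, algorithm: str = "sha256") -> str:
    """Hex digest of a file read in chunks, as you would do for a disk image."""
    digest = hashlib.new(algorithm)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK_SIZE), b""):
            digest.update(chunk)
    return digest.hexdigest()


def same_content(digest_a: str, digest_b: str) -> bool:
    """Equal digests mean equal content (a collision is astronomically unlikely);
    compare_digest avoids leaking, through timing, where two digests first differ."""
    return hmac.compare_digest(digest_a, digest_b)


def integrity_check(recorded_digest: str, path: str) -> bool:
    """Chain-of-custody style check: re-hash the file now and compare it with
    the digest recorded when the evidence was first imaged."""
    return same_content(recorded_digest, hash_file(path))


def demo_with_files() -> dict:
    """Write both ledgers to temporary files and run the comparisons;
    returns the outcomes so they can be inspected or asserted on."""
    with tempfile.TemporaryDirectory() as workdir:
        original = os.path.join(workdir, "ledger_original.csv")
        altered = os.path.join(workdir, "ledger_altered.csv")
        with open(original, "wb") as fh:
            fh.write(LEDGER_ORIGINAL)
        with open(altered, "wb") as fh:
            fh.write(LEDGER_ALTERED)
        recorded = hash_file(original)   # digest taken at imaging time
        return {
            "file_hash_matches_bytes_hash": recorded == hash_bytes(LEDGER_ORIGINAL),
            "original_still_intact": integrity_check(recorded, original),
            "altered_copy_detected": not integrity_check(recorded, altered),
        }


if __name__ == "__main__":
    print("original:", hash_bytes(LEDGER_ORIGINAL))
    print("altered: ", hash_bytes(LEDGER_ALTERED))
    print(demo_with_files())
```

A matching digest tells the investigator the two files are identical; a mismatch tells them only that something changed, not what, so the digest has to be recorded and kept under custody at the moment the evidence is imaged for the later comparison to mean anything.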

References:
Crumbley, D. L., Fenton, J. E. D., Smith, G. S., & Heitger, L. E. (2017). Forensic and investigative accounting (8th ed.). Chicago, IL: Wolters Kluwer.

Chapter 14

4. Explain these terms.

a. Message encapsulation: “In message encapsulation, each layer of information in the sent packet is interpreted by the same layer at the receiving end of the transmission. Additionally, each layer can only communicate with the one directly above or below it” (Crumbley, Smith, & Heitger, 2017).

b. Transportation layer: “This layer provides data to make the connection to the receiving host computer. The transportation layer is responsible for ensuring the integrity, control, and proper connections between the sending and receiving hosts” (Crumbley, Smith, & Heitger, 2017).

c. Checksum field: It “is used to ensure data integrity by checking for errors in the data, TCP header, and IP header. The sender’s server calculates a checksum for each TCP packet sent based on the data in the packet. The checksum is placed in this field. The recipient’s server recomputes the checksum and compares it with the one that was sent” (Crumbley, Smith, & Heitger, 2017).

d. Flag data: It “is used to signal the connection state of the data exchange” (Crumbley, Smith, & Heitger, 2017).

e. Network layer: It “controls the route the data takes to get to its destination. IP operates at this layer and sends the packets from the source to its destination network across various subnets and through numerous routers” (Crumbley, Smith, & Heitger, 2017).

f. Keylogger: It “is a software, program or hardware device that can be used to log all the keystrokes made on a keyboard (typically covertly). If the user has encryption software, all the keystrokes are made in plaintext (i.e., before encryption). Thus, keylogging is useful for collecting passwords, IP addresses, and all e-mails. When keylogger software is used, the software must be secretly installed on the PC without the user’s knowledge, which may be difficult to accomplish” (Crumbley, Smith, & Heitger, 2017).

g. Sniffer: It “is a program used to secretly capture datagrams moving across a network and disclose the information contained in the datagram’s network protocols” (Crumbley, Smith, & Heitger, 2017).
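Item c describes the TCP checksum as a compute-place-recompute-compare cycle. The following added example (not from the textbook or the assignment) carries that cycle through in code using the standard one's-complement sum that TCP actually uses (RFC 1071 arithmetic over an IPv4 pseudo-header plus the segment): the sender fills the field, the receiver recomputes, and the example then shows both a corrupted byte being caught and a reordering of two 16-bit words that the checksum cannot see. The IP addresses, ports and payload are constructed values.

```python
import struct

# Constructed endpoint addresses for the example (RFC 5737 documentation ranges).
SRC_IP, DST_IP = "192.0.2.10", "198.51.100.20"
PAYLOAD = b"GET /ledger HTTP/1.1"   # constructed 20-byte payload


def ones_complement_sum(data: bytes) -> int:
    """RFC 1071: add the data as 16-bit big-endian words, folding every carry
    back into the low 16 bits; an odd trailing byte is padded with zero."""
    if len(data) % 2:
        data += b"\x00"
    total = sum((data[i] << 8) | data[i + 1] for i in range(0, len(data), 2))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def pseudo_header(src_ip: str, dst_ip: str, tcp_length: int) -> bytes:
    """The IP-header fields TCP covers: source, destination, zero byte,
    protocol 6 and TCP length, so a segment delivered to the wrong host fails too."""
    def packed(ip):
        return bytes(int(octet) for octet in ip.split("."))
    return packed(src_ip) + packed(dst_ip) + struct.pack("!BBH", 0, 6, tcp_length)


def tcp_checksum(src_ip: str, dst_ip: str, segment: bytes) -> int:
    """Sender side: the checksum field (bytes 16-17) counts as zero while summing."""
    zeroed = segment[:16] + b"\x00\x00" + segment[18:]
    total = ones_complement_sum(pseudo_header(src_ip, dst_ip, len(zeroed)) + zeroed)
    return (~total) & 0xFFFF


def build_segment(src_ip, dst_ip, sport, dport, seq, ack, flags, payload) -> bytes:
    """20-byte TCP header (data offset 5, no options) with the checksum filled in."""
    offset_and_flags = (5 << 12) | flags
    header = struct.pack("!HHIIHHHH", sport, dport, seq, ack, offset_and_flags, 65535, 0, 0)
    csum = tcp_checksum(src_ip, dst_ip, header + payload)
    return header[:16] + struct.pack("!H", csum) + header[18:] + payload


def verify_segment(src_ip: str, dst_ip: str, segment: bytes) -> bool:
    """Receiver side: summing pseudo-header plus the whole segment, checksum
    field included, must give all ones (0xFFFF) if nothing changed in transit."""
    total = ones_complement_sum(pseudo_header(src_ip, dst_ip, len(segment)) + segment)
    return total == 0xFFFF


def demo() -> dict:
    seg = build_segment(SRC_IP, DST_IP, 40000, 80, 1000, 2000, 0x018, PAYLOAD)  # PSH|ACK
    corrupted = seg[:20] + b"P" + seg[21:]                    # payload byte 'G' -> 'P'
    swapped = seg[:20] + seg[22:24] + seg[20:22] + seg[24:]   # two 16-bit words exchanged
    return {
        "checksum": int.from_bytes(seg[16:18], "big"),
        "intact_verifies": verify_segment(SRC_IP, DST_IP, seg),
        "corrupted_verifies": verify_segment(SRC_IP, DST_IP, corrupted),
        "swapped_words_verify": verify_segment(SRC_IP, DST_IP, swapped),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Any single altered byte shifts one 16-bit word by less than 0xFFFF, so the receiver always notices it; exchanging two aligned words leaves the sum unchanged, so the checksum passes. That is the limit of an error-detecting checksum: it protects against transmission faults, not deliberate alteration, which is why evidence integrity is established with cryptographic hashes rather than the checksums carried in the packets.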

References:

Crumbley, D. L., Fenton, J. E. D., Smith, G. S., & Heitger, L. E. (2017). Forensic and investigative accounting (8th ed.). Chicago, IL: Wolters Kluwer.

15. Incident Response Report

Part II: Description of the Incident

1. Date of the incident: June 30th, 2004

2. GMT time of the incident: 05:25:10

3. Physical location of the attacked system (company headquarters, other site or state): Hyattsville, Maryland

4. Operating system on the attacked system: WinNT4

5. Hardware: 960 series Gateway box (2.4 GHz, 1024 MB and 1600 SDRAM with a Xeon processor)

6. Security systems in use on the attacked system (name and version): Black Ice security system

7. Mission of the attacked system (What is its function?): To record passwords and usernames.

8. Describe how the attack was detected: Hank Law, the webmaster, detected suspicious activity on the web server. After checking, he found that a sniffer had been placed on the Windows .NET server.

9. Describe the attacker’s activities (DOS, virus, sniffer, spoofing, social engineering, etc.): The hacker placed a sniffer on the Windows .NET server.

10. Estimate time duration of the incident from detection to completion: Less than 24 hours.

11. If possible, estimate how long the attacker was on the system before being detected: It could be up to 60 days, from the last maintenance on the system on May 1st, 2004 to the date of detection, June 30th, 2004.

12. Description of the damage done in the attack: No apparent damage is described; however, security is compromised because usernames and passwords are no longer safe. It could be a data breach.

13. Provide an estimated dollar valuation of the damage (show calculations): The price of the new sniffer program “EffeTech HTTP Sniffer” is $199.00. They might also need to change the security system, which can cost as little as $50 per year or as much as $6000.00. There is not enough information to calculate the dollar valuation.

14. Describe activities taken by the victim up to the time of filing the report: The web server has not been shut down, but the webmaster hardened access to other parts of the network from the web server and added a new sniffer program to the web box, the Effe Tech sniffer v.3.4.

15. Attach copies of appropriate logs (up to 20) and corroborate the times on the logs. If the times on the logs are not correct, reconcile them to the correct times: No attachments.

b. Identify the probable IP address the attacker used to enter MacVee’s system

250.14.130.1.5112

c. What are the advantages and disadvantages of not shutting down the server?

By not shutting down the server, the webmaster could gather more information about the hacker and even catch them. However, if the hacker gets away with the crime, they will have more time to gather more information and will damage the company further.

d. Would law enforcement authorities be interested in further pursuing this crime through the courts?

I would say “yes,” even though no apparent economic damages are exposed and there is not enough information about the incident. However, it could be a data breach since usernames and passwords are compromised and, therefore, could end in an invasion of privacy.

18. The First Step. Assume members of a fraud response team have identified electronic e-mails they believe are an incident of unethical behavior by the company’s CFO. If a fraud response team meeting is called, under a limited scope forensic audit, what are the first steps you believe should be taken by the group?

First, a quick preliminary investigation needs to be done to create a plan of action. A comprehensive plan should be based on adequate knowledge of the issues. Once everything is planned accordingly, the team can start collecting the relevant evidence. The dates, times, and circumstances of the initial report/discovery must be obtained. Like any other investigation, taking notes, locating documents, analyzing assets, and establishing proof of occurrence, as well as maintaining confidentiality, are crucial.

29. What is the relationship between "brainstorming" as defined in SAS No. 99 and digital forensics?

Research has shown the benefits of auditors engaging in “brainstorming” discussions. “The PCAOB reiterated that brainstorming team sessions should involve information technology specialists, and such experts should be used to evaluate computer records to detect the manipulation of electronic journal entries. These PCAOB recommendations imply that financial auditors need a clear understanding of the fraud implications found in warnings provided by computer forensic experts” (Crumbley, Smith, & Heitger, 2017). Information technology specialists bring a lot of information to the discussion and add valuable tools to the investigation. Furthermore, technology changes constantly; therefore, they might bring new techniques to evaluate computer files.

References:

Crumbley, D. L., Fenton, J. E. D., Smith, G. S., & Heitger, L. E. (2017). Forensic and investigative accounting (8th ed.). Chicago, IL: Wolters Kluwer.

30. Where does a digital investigator start and why?

I think digital investigators start by identifying, collecting, and preserving the evidence. Nowadays, it is more accessible to store and collect the evidence; however, there is a humongous level of probability that the evidence gets tainted. Furthermore, there are so many devices that can contain evidence that identifying them is crucial. I think a combination of these three elements is where digital investigators start.
