Fraud and Computer Forensics

Case Western Reserve University
Computer Fraud
February 24, 2011
Timothy M. Opsitnick, Esq.

Senior Partner and General Counsel
JurInnov Ltd.
John Liptak, ACE

Computer Forensics Analyst
© 2010 Property of JurInnov

© 2009Ltd. All Rights
Property of Reserved
JurInnov Ltd. All Rights Reserved
Who Are We?
JurInnov works with organizations that want to

more effectively manage matters involving
“Electronically Stored Information” (ESI).
– Electronic Discovery
– Computer Forensics
– Document and Case Management
– Computer & Information Security
2
© 2010 Property of JurInnov Ltd. All Rights Reserved
Presentation Overview
• Understanding Computing Environments

• Collecting Electronically Stored
Information
• Forensic Analysis Demonstration
• Types of Cases When Forensics Are Useful
3
What is Computer Forensics?
Computer Forensics is a scientific, systematic
inspection of the computer system and its contents
utilizing specialized techniques and tools for
recovery, authentication, and analysis of electronic
data. It is customarily used when a case involves issues
relating to reconstruction of computer usage, examination
of residual data, authentication of data by technical
analysis or explanation of technical features of data and
computer usage. Computer Forensics requires specialized
expertise that goes beyond normal data collection and
preservation techniques available to end-users or system
support personnel.
4
Types of “ESI”
• E-mail
• Office Files
• Database
• Ephemeral
• Legacy Systems
• Metadata
5
Sources of “ESI”
• Desktops • E-Mail
• Laptops • Archives
• CDs/DVDs • Cell Phones/PDAs
• Network Attached
• Thumb Drives
Storage Devices (NAS)
• Storage Area Networks • Memory Cards
(SAN) • External Storage Devices
• Servers • Cameras
• Databases • Printers
• Backup Tapes • GPS Devices

6
Why Computer Forensics?
• Reasons to use Computer Forensics

– Internal Company Investigations
• Alleged criminal activity
• Civil or Regulatory Preservation
– Receivership, Bankruptcy
– EEO issues
– Improper use of company assets
– Recovery of Accidentally or Intentionally Deleted Data
• Deleted is not necessarily deleted
• Recovery from Improper shutdowns
7
Types of Computer Fraud
• Fraud by computer manipulation

– Program or data manipulation
• Common internal computer fraud schemes

– Billing schemes
– Inventory fraud
– Payroll fraud
– Skimming
– Check tampering
– Register schemes
8
Types of Computer Fraud
• Fraud by damage to or modification of computer

data or programs
– Economic advantage over a competitor
– Theft of data or programs
– Holding data for ransom
– Sabotage
• Common external computer fraud schemes

– Telecommunications fraud
– Hacking
– Internet fraud
– Software piracy
9
How Does a Computer Operate?
• Hardware
– Processor
– Memory (RAM)
– Hard Drive
– CD/DVD Drive
– Motherboard
– Mouse/Keyboard
• Software
– Operating System
– Applications
10
How Does a Computer Operate?
• How is data stored on a hard drive?
• How is data “deleted” by the operating system?
11
12
13
14
Collecting “ESI”
• “Let’s let the IT staff do it.”
• Forensic Harvesting
– What is a forensic copy?
15
• Forensic Harvesting - Logical v Physical

– Logical / “Ghost” copy (Active Files)
• Data that is visible via the O.S.
– Physical
• Logical + File Slack + Unallocated Space +
system areas (MBR, Partition table, FAT/MFT)
16
17
• Network Harvest
• E-Mail Harvest
• Cell Phone / Device Seizure
18
Computer Forensics Process
• Interview Process/Needs Analysis
• Maintaining Chain of Custody
• Photograph Evidence
• Record Evidence Information (users, S/Ns, etc.)
• BIOS/CMOS Time
• Utilize Sanitized (“Wiped”) Drives
• Write Blocker
• On-Site Acquisition
• Forensic Lab Acquisition
19
Acquisition (Data Harvest)
• Software Tools
– EnCase (Guidance Software)
– Forensic Tool Kit (AccessData)
– Device Seizure (Paraben)
– Network Email Examiner (Paraben)
• Hardware Tools
– Write Blockers (Tableau)
– Talon (Logicube)
– Cell-Dek (Logicube)
20
Types of Data Acquisitions
• Image Types
– EnCase Image (.E01)
– DD Image (Linux)
– Custom Content Image (.AD1)
• ESI Locations
– Hard Drives
– Network Shares/Department Shares/Public Shares
– Server E-Mail
– Server Acquisition (On/Off)
– Cell Phone/PDA
– Thumb Drive/External Media
21
Forensic Considerations
• Transfer Speeds
– USB
– FireWire
– IDE
– SATA/eSATA
• Image Verification - MD5 Hash Values
• Work Copies
• Inventory Management
22
• Presentation Suspect Images
• Description: Physical Disk, 39102336 Sectors, 18.6GB
• Physical Size: 512
• Starting Extent: 1S0
• Name: Presentation Suspect Images
• Actual Date: 03/24/09 03:17:21PM
• Target Date: 03/24/09 03:17:21PM
• File Path: E:\Presentation image.E01
• Case Number: Presentation Drive
• Evidence Number: Presentation Suspect Images
• Examiner Name: Stephen W. St.Pierre
• Drive Type: Fixed
• File Integrity: Completely Verified, 0 Errors
• Acquisition Hash: 5cfa3830c3af83741da4f9adcfb896e1
• Verify Hash: 5cfa3830c3af83741da4f9adcfb896e1
• GUID: 04d345276275524c8a111824be6eb170
• EnCase Version: 5.05j
• System Version: Windows 2003 Server
• Total Size: 20,020,396,032 bytes (18.6GB)
• Total Sectors: 39,102,336
23
• Creating Work copy of original Backup Image
– Evidence Mover Log:
03/25/09 16:20:14 - Source file: F:\Evidence\Presentation image.E01
Destination file: G:\Evidence\Presentation image.E01.
Attempt# 1 Hash :9348B9FECFE8023FA3095FB710AFD678

Attempt# 1 Hash :363293E77BB1C974FD82DE7EC3CE1842

Attempt# 1 Hash :3AA6885A045E8F5D20899113A4848917
24
• Windows Encryption
– Encrypted File System (XP)
– BitLocker (Vista & Windows 7)
• Other Hardware or Software Encryption
– Laptop hard drives
– e.g., Truecrypt
25
Forensic Analysis
• Indexing
• Key Word Searching
• Filters
– AND/OR/NOT
– Date Range
– Specific File Types
26
Forensic Analysis
• Deletion
– Deleted Documents
– Recycle Bin (Deleted Dates/Info 2)
– Data Carving
– Unallocated Space
– Hard Drive Wiping
• Signature Analysis: File Extension vs. File
Signature
27
Forensic Analysis
• File Hash Analysis: Comparing Files

• Image Review/Analysis
• Internet History Analysis
• Analysis Examples …
28
Registry Overview
• Windows Registry – central database of the

configuration data for the OS and applications.
• Gold Mine of forensic evidence
• Registry Hive Keys
– Software
– System
– SAM (Security Account Manager)
– NTUSER.dat
29
Registry – Software
• What Operating System Installed?

• Date/Time OS Installed
• Product ID For Installed OS
• Programs That Run Automatically at Startup
(Place to Hide Virus)
• Profiles
30
Registry – System
• Mounted Devices
• Computer Name
• USB Plugged-In Devices (USBSTOR)
• Last System SHUT DOWN Time
• Time Zone
31
Registry – SAM & NTUSER.DAT
• SAM
– Local Accounts
• NTUSER.DAT
– Network Assigned Drive Letters
– Typed URLs (websites)
– Last Clean Shutdown Date/Time
– Username and Passwords
– Recent Documents
• Registry examples …
32
Unallocated Space Analysis
• Unallocated Space/Drive Free Space
• File Slack
33
Data Transfer Analysis
• FTP
• E-Mail
• External Drives
• Link Files (external/server)
• Internet History
• Webmail
• Created/Accessed/Modified Dates
34
Evidence/Analysis Reporting
• FTK Report (html based report)

• Evidence Presentation
• Final Expert Report
• Interpretation of Report
• Expert Testimony
35
Forensic Analyst
• Tips For Dealing With Your Forensics Analyst

• What to Expect From A Forensics Analyst
– Certifications
– Training
– Experience
– Testimony
36
Types of Cases When Forensics
Are Useful…
• Financial
– Receivership
– Bankruptcy
• General Litigation
– Commercial Litigation
– Product Liability
• Corporate
– Regulatory (SEC, Second Requests, FTC)
– Mergers/Acquisitions
37
Are Useful, cont.
• Intellectual Property
– Theft of Intellectual Property
– Temporary Restraining Order (TRO)
– Permanent Injunction
38
Are Useful, cont.
• Labor/Employment
– Violation of Non-Compete Agreements
– Sexual Harassment
– Age Discrimination
– Fraud/Embezzlement
– Other Violations of Company Policy
39
Are Useful, cont.
• Domestic Relations
– Divorce
– Custody
• Corporate Criminal
– Other Criminal
40
For assistance or additional information
• Phone: 216-664-1100
• Web: www.jurinnov.com
• Email: tim.opsitnick@jurinnov.com
john.liptak@jurinnov.com
JurInnov Ltd.
The Idea Center
1375 Euclid Avenue, Suite 400
Cleveland, Ohio 44115
41

Fraud and Computer Forensics

Transféré par

Informations du document

Copyright

Formats disponibles

Partager ce document

Partager ou intégrer le document

Options de partage

Avez-vous trouvé ce document utile ?

Ce contenu est-il inapproprié ?

Droits d'auteur :

Formats disponibles

Fraud and Computer Forensics

Transféré par

Droits d'auteur :

Formats disponibles

Case Western Reserve University

February 24, 2011

Timothy M. Opsitnick, Esq.

John Liptak, ACE

© 2010 Property of JurInnov

JurInnov works with organizations that want to

• Understanding Computing Environments

© 2009 Property of JurInnov Ltd. All Rights Reserved

• Reasons to use Computer Forensics

• Fraud by computer manipulation

• Common internal computer fraud schemes

• Fraud by damage to or modification of computer

• Common external computer fraud schemes

• How is data stored on a hard drive?

• How is data “deleted” by the operating system?

• “Let’s let the IT staff do it.”

• Forensic Harvesting - Logical v Physical

03/25/09 16:20:37 - Source file: F:\Evidence\Presentation image.E02

03/25/09 16:20:59 - Source file: F:\Evidence\Presentation image.E03

• File Hash Analysis: Comparing Files

• Windows Registry – central database of the

• What Operating System Installed?

• Unallocated Space/Drive Free Space

• FTK Report (html based report)

• Tips For Dealing With Your Forensics Analyst

Vous aimerez peut-être aussi