Fraud and Computer Forensics
TRANSCRIPT
-
8/6/2019 Fraud and Computer Forensics
1/41
2009 Property of JurInnov Ltd. All Rights Reserved
Case Western Reserve University
Computer Fraud
February 24, 2011
Timothy M. Opsitnick, Esq.
Senior Partner and General Counsel, JurInnov Ltd.
John Liptak, ACE
Computer Forensics Analyst, JurInnov Ltd.
-
Who Are We?
JurInnov works with organizations that want to more effectively manage matters involving Electronically Stored Information (ESI).
Electronic Discovery
Computer Forensics
Document and Case Management
Computer & Information Security
2
-
Presentation Overview
Understanding Computing Environments
Collecting Electronically Stored Information
Forensic Analysis Demonstration
Types of Cases When Forensics Are Useful
3
-
What is Computer Forensics?
Computer Forensics is a scientific, systematic inspection of the computer system and its contents utilizing specialized techniques and tools for recovery, authentication, and analysis of electronic data. It is customarily used when a case involves issues relating to reconstruction of computer usage, examination of residual data, authentication of data by technical analysis, or explanation of technical features of data and computer usage. Computer Forensics requires specialized expertise that goes beyond normal data collection and preservation techniques available to end-users or system support personnel.
4
-
Types of ESI
E-mail
Office Files
Database
Ephemeral
Legacy Systems
Metadata
5
-
Sources of ESI
Desktops
Laptops
CDs/DVDs
Network Attached Storage (NAS)
Storage Area Networks (SAN)
Servers
Databases
Backup Tapes
E-Mail Archives
Cell Phones/PDAs
Thumb Drives
Memory Cards
External Storage Devices
Cameras
Printers
GPS Devices
6
-
Why Computer Forensics?
Reasons to use Computer Forensics
Internal Company Investigations
Alleged criminal activity
Civil or Regulatory Preservation
Receivership, Bankruptcy
EEO issues
Improper use of company assets
Recovery of Accidentally or Intentionally Deleted Data
Deleted is not necessarily deleted: the O.S. marks the space as free and leaves the bytes in place until they are overwritten
Recovery from improper shutdowns
7
-
Types of Computer Fraud
Fraud by computer manipulation
Program or data manipulation
Common internal computer fraud schemes
Billing schemes
Inventory fraud
Payroll fraud
Skimming
Check tampering
Register schemes
8
-
Types of Computer Fraud
Fraud by damage to or modification of computer data or programs
Economic advantage over a competitor
Theft of data or programs
Holding data for ransom
Sabotage
Common external computer fraud schemes
Telecommunications fraud
Hacking
Internet fraud
Software piracy
9
-
How Does a Computer Operate?
Hardware
Processor
Memory (RAM)
Hard Drive
CD/DVD Drive
Motherboard
Mouse/Keyboard
Software
Operating System
Applications
10
-
How Does a Computer Operate?
How is data stored on a hard drive?
How is data deleted by the operating system?
11
-
Collecting ESI
"Let's let the IT staff do it."
Copying files through the operating system alters access times, misses file slack and unallocated data, and leaves no documented chain of custody.
Forensic Harvesting
What is a forensic copy?
15
-
Collecting ESI
Forensic Harvesting - Logical v. Physical
Logical / Ghost copy (active files only)
Data that is visible via the O.S.
Physical
Logical + file slack + unallocated space + system areas (MBR, partition table, FAT/MFT)
16
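The difference between a logical copy and a physical copy, and the "deleted is not necessarily deleted" point from the "Why Computer Forensics?" slide, shown as an added Python example that is not code from the deck or from any forensic tool. It builds a toy disk of fixed-size clusters with a toy allocation table, writes a file, deletes it the way an operating system does (the directory entry goes, the data stays), writes a smaller file over the start of the old one, and then reads the disk both ways. The 512-byte cluster size, the allocation-table format, the file names and the file contents are all constructed assumptions for the demonstration.

```python
"""Logical vs. physical copy on a toy disk (added example, constructed data)."""

CLUSTER = 512        # assumed cluster size in bytes (a real NTFS default is 4096)
NUM_CLUSTERS = 8     # toy disk: 8 clusters = 4 KiB


def new_disk():
    """A blank disk (all zero bytes) and an empty allocation table."""
    return bytearray(CLUSTER * NUM_CLUSTERS), {}


def write_file(disk, fat, name, data, first_cluster):
    """Store data starting at first_cluster; record (start, cluster count, size) in the table."""
    count = -(-len(data) // CLUSTER)          # ceil(len / CLUSTER)
    start = first_cluster * CLUSTER
    disk[start:start + len(data)] = data      # only the bytes of the new file are written
    fat[name] = (first_cluster, count, len(data))


def delete_file(fat, name):
    """An O.S. delete: the entry goes, the clusters are merely marked free."""
    del fat[name]


def logical_copy(disk, fat):
    """What a Ghost-style / file-level copy collects: active files at their exact sizes."""
    return {name: bytes(disk[c * CLUSTER:c * CLUSTER + size])
            for name, (c, _count, size) in fat.items()}


def physical_copy(disk):
    """What a sector-level (dd / E01) acquisition collects: every byte on the disk."""
    return bytes(disk)


def file_slack(disk, fat, name):
    """Bytes between the end of a file and the end of its last cluster."""
    c, count, size = fat[name]
    return bytes(disk[c * CLUSTER + size:(c + count) * CLUSTER])


def unallocated(disk, fat):
    """Contents of every cluster that no active file claims."""
    used = {i for c, count, _ in fat.values() for i in range(c, c + count)}
    return b"".join(bytes(disk[i * CLUSTER:(i + 1) * CLUSTER])
                    for i in range(NUM_CLUSTERS) if i not in used)


def demo():
    disk, fat = new_disk()
    ledger = b"LEDGER LINE " * 80            # constructed: 960 bytes, spans clusters 0-1
    memo = b"Nothing to see here. " * 4      # constructed: 84 bytes, fits in cluster 0
    write_file(disk, fat, "ledger.txt", ledger, first_cluster=0)
    delete_file(fat, "ledger.txt")           # the user "deletes" the ledger
    write_file(disk, fat, "memo.txt", memo, first_cluster=0)   # new file reuses cluster 0
    logical = logical_copy(disk, fat)
    return {
        "logical_files": sorted(logical),
        "ledger_in_logical": any(b"LEDGER" in d for d in logical.values()),
        "slack_len": len(file_slack(disk, fat, "memo.txt")),
        "ledger_in_slack": b"LEDGER" in file_slack(disk, fat, "memo.txt"),
        "ledger_in_unallocated": b"LEDGER" in unallocated(disk, fat),
        "ledger_in_physical": b"LEDGER" in physical_copy(disk),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The logical copy returns only memo.txt and never sees the word LEDGER; the physical copy finds it twice, once in the 428 bytes of slack behind memo.txt and once in the freed second cluster. That residue is exactly what the "Unallocated Space Analysis" slide later in the deck looks for.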
-
Collecting ESI
Network Harvest
E-Mail Harvest
Cell Phone / Device Seizure
18
-
Computer Forensics Process
Interview Process/Needs Analysis
Maintaining Chain of Custody
Photograph Evidence
Record Evidence Information (users, S/Ns, etc.)
BIOS/CMOS Time (record it against a trusted clock so timestamps can be corrected for drift)
Utilize Sanitized (Wiped) Drives
Write Blocker
On-Site Acquisition
Forensic Lab Acquisition
19
-
Acquisition (Data Harvest)
Software Tools
EnCase (Guidance Software)
Forensic Tool Kit (AccessData)
Device Seizure (Paraben)
Network Email Examiner (Paraben)
Hardware Tools
Write Blockers (Tableau)
Talon (Logicube)
Cell-Dek (Logicube)
20
-
Types of Data Acquisitions
Image Types
EnCase Image (.E01)
Raw dd Image (Linux)
Custom Content Image (.AD1, AccessData)
ESI Locations
Hard Drives
Network Shares/Department Shares/Public Shares
Server E-Mail
Server Acquisition (On/Off)
Cell Phone/PDA
Thumb Drive/External Media
21
-
Forensic Considerations
Transfer Speeds
USB
FireWire
IDE
SATA/eSATA
Image Verification - MD5 hash values (MD5 collisions are practical today; record a SHA-1 or SHA-256 hash alongside it)
Work Copies
Inventory Management
22
-
Forensic Considerations
Image verification report: Presentation Suspect Images
Description: Physical Disk, 39102336 Sectors, 18.6GB
Physical Size: 512 (bytes per sector)
Starting Extent: 1S0
Name: Presentation Suspect Images
Actual Date: 03/24/09 03:17:21PM
Target Date: 03/24/09 03:17:21PM
File Path: E:\Presentation image.E01
Case Number: Presentation Drive
Evidence Number: Presentation Suspect Images
Examiner Name: Stephen W. St.Pierre
Drive Type: Fixed
File Integrity: Completely Verified, 0 Errors
Acquisition Hash: 5cfa3830c3af83741da4f9adcfb896e1
Verify Hash: 5cfa3830c3af83741da4f9adcfb896e1
GUID: 04d345276275524c8a111824be6eb170
EnCase Version: 5.05j
System Version: Windows 2003 Server
Total Size: 20,020,396,032 bytes (18.6GB)
Total Sectors: 39,102,336
23
-
Forensic Considerations
Creating a work copy of the original backup image
Evidence Mover Log:
03/25/09 16:20:14 - Source file: F:\Evidence\Presentation image.E01
Destination file: G:\Evidence\Presentation image.E01
Attempt# 1 Hash: 9348B9FECFE8023FA3095FB710AFD678
03/25/09 16:20:37 - Source file: F:\Evidence\Presentation image.E02
Destination file: G:\Evidence\Presentation image.E02
Attempt# 1 Hash: 363293E77BB1C974FD82DE7EC3CE1842
03/25/09 16:20:59 - Source file: F:\Evidence\Presentation image.E03
Destination file: G:\Evidence\Presentation image.E03
Attempt# 1 Hash: 3AA6885A045E8F5D20899113A4848917
24
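The two hash checks the preceding slides record, the acquisition-versus-verify hash on the image report and the per-segment hash in the evidence-mover log, as an added Python example that is not JurInnov's code or any vendor tool's output. It hashes an image in fixed-size chunks so a multi-GB file never has to fit in memory, compares the result with the hash recorded at harvest time, and checks a work copy of each image segment (.E01, .E02, ...) against its source. The image bytes, the segment split and the "recorded" acquisition hash are constructed inline so the example runs offline; MD5 is what the report shows, and SHA-256 is computed in the same pass because MD5 collisions are practical and a second hash costs nothing extra.

```python
"""Forensic image and work-copy hash verification (added example, constructed data)."""
import hashlib
import io

CHUNK = 1 << 20   # read 1 MiB at a time


def hash_stream(fileobj, algorithms=("md5", "sha256")):
    """Return {algorithm: hexdigest} for all algorithms, in a single pass over the data."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    for block in iter(lambda: fileobj.read(CHUNK), b""):
        for h in hashers.values():
            h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


def hash_bytes(data, algorithms=("md5", "sha256")):
    """Convenience wrapper for in-memory data."""
    return hash_stream(io.BytesIO(data), algorithms)


def verify_image(fileobj, recorded_md5):
    """Recompute the image hash and compare it with the acquisition hash (hex, case-insensitive)."""
    digests = hash_stream(fileobj)
    return {"verified": digests["md5"].lower() == recorded_md5.strip().lower(), **digests}


def verify_work_copy(segment_pairs):
    """segment_pairs: [(source_fileobj, destination_fileobj), ...] for E01, E02, ...

    Returns one record per segment, mirroring an evidence-mover log line."""
    results = []
    for n, (src, dst) in enumerate(segment_pairs, start=1):
        src_md5 = hash_stream(src, ("md5",))["md5"]
        dst_md5 = hash_stream(dst, ("md5",))["md5"]
        results.append({"segment": f"E{n:02d}", "source_md5": src_md5,
                        "dest_md5": dst_md5, "match": src_md5 == dst_md5})
    return results


# Constructed sample "image": three 1 MiB segments of deterministic filler bytes.
SAMPLE_SEGMENTS = [bytes([b]) * (1 << 20) for b in (0x03, 0x05, 0x07)]


def demo():
    image = b"".join(SAMPLE_SEGMENTS)
    # Stands in for the Acquisition Hash written on the verification report.
    recorded = hashlib.md5(image).hexdigest()

    intact = verify_image(io.BytesIO(image), recorded)

    tampered = bytearray(image)
    tampered[1234] ^= 0x01                       # flip a single bit anywhere in the image
    altered = verify_image(io.BytesIO(bytes(tampered)), recorded)

    # Work copy: segments 1 and 2 copied correctly, segment 3 corrupted in transit.
    pairs = [(io.BytesIO(s), io.BytesIO(s)) for s in SAMPLE_SEGMENTS]
    bad_copy = SAMPLE_SEGMENTS[2][:-1] + b"\x00"
    pairs[2] = (io.BytesIO(SAMPLE_SEGMENTS[2]), io.BytesIO(bad_copy))
    copy_log = verify_work_copy(pairs)

    return {
        "image_verified": intact["verified"],
        "tampered_verified": altered["verified"],
        "copy_matches": [r["match"] for r in copy_log],
    }


if __name__ == "__main__":
    print(demo())
```

A single flipped bit anywhere in 3 MiB fails the image check, and the third segment of the work copy fails its per-file comparison; in practice the copy is redone (the log's "Attempt#" counter) rather than analysed.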
-
Forensic Considerations
Windows Encryption
Encrypting File System (EFS; Windows 2000/XP and later)
BitLocker (Vista & Windows 7)
Other hardware or software encryption
Laptop hard drives
e.g., TrueCrypt
A powered-off image of a locked BitLocker or TrueCrypt volume contains only ciphertext: acquire while the volume is mounted, or secure the recovery key or passphrase before the machine is shut down.
25
-
Forensic Analysis
Indexing
Key Word Searching
Filters
AND/OR/NOT
Date Range
Specific File Types
26
-
Forensic Analysis
Deletion
Deleted Documents
Recycle Bin (deletion dates and original paths from INFO2 on XP; $I files from Vista on)
Data Carving
Unallocated Space
Hard Drive Wiping
Signature Analysis: file extension vs. file signature (the header bytes identify the true file type)
27
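The two analysis steps named above, signature analysis and data carving, as one added Python example that is not code from the deck or from EnCase/FTK. Part one compares a file's extension with the magic bytes at its start, so a spreadsheet renamed ledger.jpg is still reported as a spreadsheet and an executable renamed update.txt as an executable. Part two scans a byte blob standing in for unallocated space for JPEG start and end markers and recovers the bytes between them, the simplest header-to-footer carve. The signature table is deliberately short, and the sample files and the "unallocated" blob are constructed inline.

```python
"""Signature analysis and header/footer carving (added example, constructed data)."""
import os

# (magic bytes, offset within file, extensions that legitimately carry it)
SIGNATURES = [
    (b"\xff\xd8\xff", 0, {".jpg", ".jpeg"}),
    (b"\x89PNG\r\n\x1a\n", 0, {".png"}),
    (b"%PDF-", 0, {".pdf"}),
    (b"PK\x03\x04", 0, {".zip", ".docx", ".xlsx", ".pptx"}),        # OOXML Office files are ZIP containers
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", 0, {".doc", ".xls", ".ppt", ".msg"}),  # OLE2 (legacy Office)
    (b"MZ", 0, {".exe", ".dll", ".sys", ".scr"}),                     # Windows PE executables
]


def identify(data):
    """Extensions consistent with the leading bytes, or None if no signature matches."""
    for magic, offset, exts in SIGNATURES:
        if data[offset:offset + len(magic)] == magic:
            return exts
    return None


def signature_check(name, data):
    """'match', 'mismatch' (extension disagrees with content) or 'unknown' (no signature)."""
    ext = os.path.splitext(name)[1].lower()
    exts = identify(data)
    if exts is None:
        return "unknown"
    return "match" if ext in exts else "mismatch"


JPEG_SOI = b"\xff\xd8\xff"   # start of image plus the first marker byte
JPEG_EOI = b"\xff\xd9"       # end of image


def carve_jpegs(blob, max_size=10 * 1024 * 1024):
    """Return every header-to-footer JPEG candidate found in blob.

    A header with no footer within max_size is skipped.  Fragmented files and a
    footer that belongs to a later file are the classic limits of this method.
    """
    found, pos = [], 0
    while True:
        start = blob.find(JPEG_SOI, pos)
        if start < 0:
            break
        end = blob.find(JPEG_EOI, start + len(JPEG_SOI), start + max_size)
        if end < 0:
            pos = start + 1
            continue
        found.append(blob[start:end + len(JPEG_EOI)])
        pos = end + len(JPEG_EOI)
    return found


# Constructed sample files: real magic bytes, placeholder bodies.
SAMPLE_FILES = {
    "report.pdf": b"%PDF-1.4\n%placeholder body",
    "photo.jpg": JPEG_SOI + b"\xe0\x00\x10JFIF\x00" + b"\x01" * 20 + JPEG_EOI,
    "ledger.jpg": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 16,   # legacy .xls renamed to .jpg
    "update.txt": b"MZ\x90\x00" + b"\x00" * 12,                           # executable renamed to .txt
    "notes.txt": b"plain text carries no signature",
}


def run_signature_analysis(files=SAMPLE_FILES):
    return {name: signature_check(name, data) for name, data in files.items()}


# Constructed stand-in for unallocated space: two intact JPEGs, filler, and a
# truncated JPEG (header, no footer) at the very end.
UNALLOCATED = (
    b"\x00" * 100
    + JPEG_SOI + b"\xe0\x00\x10JFIF\x00" + b"\x01" * 50 + JPEG_EOI
    + b"FILLER FILLER FILLER "
    + JPEG_SOI + b"\xe1" + b"\x02" * 30 + JPEG_EOI
    + b"\x00" * 40
    + JPEG_SOI + b"\xe0" + b"\x03" * 20        # truncated: no EOI follows
)


def carve_unallocated(blob=UNALLOCATED):
    return carve_jpegs(blob)


if __name__ == "__main__":
    for name, verdict in run_signature_analysis().items():
        print(f"{name:12} {verdict}")
    print([len(j) for j in carve_unallocated()])
```

The two mismatches are the finding an examiner acts on: the content, not the name, decides what a file is. The carver returns the two complete pictures and ignores the truncated one; a production carver additionally validates the recovered bytes (for JPEG, by decoding them) because a stray end marker inside another file produces a false hit.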
-
Registry Overview
Windows Registry: central database of the configuration data for the OS and applications.
Gold mine of forensic evidence
Registry hive files (SOFTWARE, SYSTEM and SAM live in %SystemRoot%\System32\config; NTUSER.DAT in each user's profile)
Software
System
SAM (Security Account Manager)
NTUSER.dat
29
-
Registry Software
What Operating System Installed?
Date/Time OS Installed
Product ID For Installed OS
Programs that run automatically at startup (Run/RunOnce keys; a common place for malware to persist)
Profiles
30
-
Registry System
Mounted Devices
Computer Name
USB Plugged-In Devices (USBSTOR)
Last System SHUT DOWN Time
Time Zone
31
-
Registry SAM & NTUSER.DAT
SAM
Local Accounts
NTUSER.DAT
Network Assigned Drive Letters
Typed URLs (websites)
Last Clean Shutdown Date/Time
Usernames and Passwords
Recent Documents
Registry examples
32
-
Unallocated Space Analysis
Unallocated Space/Drive Free Space
File Slack
33
-
Data Transfer Analysis
FTP
E-Mail
External Drives
Link (.lnk) Files (external/server)
Internet History
Webmail
Created/Accessed/Modified Dates
34
-
Evidence/Analysis Reporting
FTK Report (HTML-based report)
Evidence Presentation
Final Expert Report
Interpretation of Report
Expert Testimony
35
-
Forensic Analyst
Tips For Dealing With Your Forensics Analyst
What to Expect From A Forensics Analyst
Certifications
Training
Experience
Testimony
36
-
Types of Cases When Forensics Are Useful
Financial
Receivership
Bankruptcy
General Litigation
Commercial Litigation
Product Liability
Corporate
Regulatory (SEC, Second Requests, FTC)
Mergers/Acquisitions
37
-
Types of Cases When Forensics Are Useful, cont.
Intellectual Property
Theft of Intellectual Property
Temporary Restraining Order (TRO)
Permanent Injunction
38
-
Types of Cases When Forensics Are Useful, cont.
Labor/Employment
Violation of Non-Compete Agreements
Sexual Harassment
Age Discrimination
Fraud/Embezzlement
Other Violations of Company Policy
39
-
Types of Cases When Forensics Are Useful, cont.
Domestic Relations
Divorce
Custody
Corporate Criminal
Other Criminal
40
-
For assistance or additional information
Phone: 216-664-1100
Web: www.jurinnov.com
Email: [email protected]
JurInnov Ltd.
The Idea Center
1375 Euclid Avenue, Suite 400
Cleveland, Ohio 44115
41