
ACC 4613

Forensic Accounting

Digital Forensic
Substantial parts of the lecture notes on
Digital Forensic are provided by:
Mr. Felix Lum
Managing Director of Fulcrum Asia

IS4234 NUS Prof. Larry Lam 1


Digital Forensic
What is Digital Forensics?
Characteristics of Digital Evidence
Need For Computer Forensics
Computer Forensics Process
Static Forensics vs Live Forensics
Impact on Business Processes and IT Governance
Digital Investigation Future Trends
Career in Digital Investigation
Digital Forensic
The application of any scientific principles or techniques in identifying, preserving, seizing, recovering, reconstructing, and/or analyzing digital evidence related to a specific investigation.
It is both an art and a science
Characteristics of Digital Evidence
Digital evidence is extremely volatile
Content 1: The suspect's name is John
Content 2: The suspect's name is Joan
Content 1 MD5 = 7e6c8f0d5e3a218a5b9387f1c764a784
Content 2 MD5 = c48d0f4fe739b278428922597b7e07e3
Only one letter was changed, from h to a, yet the MD5 value is completely different

MD5 is an algorithm which generates a cryptographic hash value. MD5, like other cryptographic hash functions, takes as input a sequence of bits and produces a fixed size output regardless of the size of the input.
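To make the slide's point concrete, the following Python program is an added example (it is not part of the lecture notes or Mr. Lum's material). It hashes two constructed strings that differ in exactly one letter with both MD5 and SHA1, the two algorithms named later in this deck, and counts how many bits of each digest changed. The strings and the helper names digests, differing_bits and compare are assumptions of this example.

```python
import hashlib

# Constructed sample inputs modelled on the slide: the two strings differ
# in exactly one letter (John / Joan).
CONTENT_1 = b"The suspect's name is John"
CONTENT_2 = b"The suspect's name is Joan"


def digests(data: bytes) -> dict:
    """Hex digests of the two integrity algorithms named in the slides."""
    return {
        "md5": hashlib.md5(data).hexdigest(),    # 128-bit digest, 32 hex chars
        "sha1": hashlib.sha1(data).hexdigest(),  # 160-bit digest, 40 hex chars
    }


def differing_bits(hex_a: str, hex_b: str) -> int:
    """Number of bit positions in which two equal-length hex digests differ."""
    if len(hex_a) != len(hex_b):
        raise ValueError("digests must be the same length")
    return bin(int(hex_a, 16) ^ int(hex_b, 16)).count("1")


def compare(a: bytes, b: bytes) -> dict:
    """Digest both inputs and measure how much each digest changed."""
    da, db = digests(a), digests(b)
    return {
        algo: {
            "a": da[algo],
            "b": db[algo],
            "bits_changed": differing_bits(da[algo], db[algo]),
            "bits_total": len(da[algo]) * 4,  # four bits per hex character
        }
        for algo in da
    }


if __name__ == "__main__":
    for algo, r in compare(CONTENT_1, CONTENT_2).items():
        print(f"{algo}: {r['a']}")
        print(f"{' ' * len(algo)}  {r['b']}  "
              f"({r['bits_changed']} of {r['bits_total']} bits changed)")
```

Roughly half of the digest bits flip for a one-letter change; that is the property that makes a hash usable as a fingerprint of evidence, since any alteration, however small, is visible in the digest.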
Characteristics of Digital Evidence
Digital evidence needs to be handled carefully so as
to be usable in court
Digital evidence can be changed either deliberately
or accidentally
Chain of custody for digital evidence is important
Need For Digital Forensics
Evolution of information technology has made digital forensic work easier
By the same token, it has also made hacking and other digital crimes easier to commit
Criminals are also learning diligently
To date, we may not be able to find a business that doesn't rely on computers and information technologies.
Proliferation of Digital Evidence
How Digital Evidence is Created
User Created
Text (documents, emails, IM, etc)
Address Books
Images, Videos
Databases
Computer Created
Logs
Metadata
Registry Files
Backup
Swap Files
Cache, cookies, etc
Need For Computer Forensics
Computer as a target
Eg. hacking a computer, espionage
Computer as a tool
An instrument to commit a traditional crime
Computer used incidentally in the course of a crime
Computer used in a minor role in a crime
Eg. Mobile phone of a deceased person
Need For Computer Forensics
Old crime in new guise
Falsification of invoices
Illegal activities: betting, loansharking
Pornography
Industrial Espionage
New crime because of IT
Hacking to steal information
Credit Card Fraud
Need For Computer Forensics
Cybercrime is a business:
Getting more organized, professional and targeted
Hackers are going for profit and not glory
No longer the script kiddies era
For sale:
Managed exploit providers are purchasing malware from the underground and reselling it to spam distributors
Getting paid to infect 1.3 million computers worldwide
Resulting in SGD $320 million in losses

Case Study: TJX
TJX, the largest international apparel and home fashion department store chain in the US
Computer system compromised in July 2005, discovered only in December 2006
Customer data were stolen
At least 45.7 million customers affected
Case Study: TJX
Hackers stored data in encrypted servers in Eastern Europe and the US
Data was put up for sale in those countries
Credit cards were cloned to withdraw thousands from ATMs
Cost at least US$118M
US$107M provided as reserves for future losses
US$11M cost of investigation
2013 hack hit all 3 billion Yahoo accounts
It affected all 3 billion accounts at Yahoo, triple the original
estimate, the online giant's parent company, Verizon said on
Tuesday (Oct 3, 2017) following a new analysis of the incident.
The statement said that the estimate is based on "new
intelligence" following an investigation with the assistance of
outside forensic experts into the incident in August 2013.
"The investigation indicates that the user account information
that was stolen did not include passwords in clear text, payment
card data, or bank account information. The company is
continuing to work closely with law enforcement."
The Yahoo breach was already believed to be the largest ever in
terms of numbers of users affected. But a recently disclosed
breach by credit agency Equifax is seen as potentially more
damaging because of the sensitivity of the data leaked.
AFP/de, October 4, 2017
Equifax shares slump after massive data breach
Equifax Inc's shares tumbled 18 percent on Sept 8, 2017 after the
provider of consumer credit scores revealed that hackers may have
stolen personal details of nearly half of the American adult population in
one of the largest data breaches.
The breach was discovered on July 29, and criminals exploited a vulnerability in a website application to gain access to certain files that included names, Social Security numbers and drivers' license numbers.
Equifax said hackers breached the accounts between mid-May and July,
potentially accessing information of 143 million Americans. Accounts of
some UK and Canadian residents were also compromised.
The shares earlier touched US$117.25, their lowest in more than seven
months. Shares of rival TransUnion were down 4 percent, while Experian
shares were down 1.3 percent.
Equifax handles data on more than 820 million consumers and more
than 91 million businesses worldwide and manages a database with
employee information from more than 7,100 employers, according to its
website.
Reuters, Aishwarya Venugopal and Sweta Singh in Bengaluru, Sept 8, 2017
Areas in Computer Forensics
Data Forensics
PC, Server, Documents, Databases
Live Forensics
Network Forensics, Packet Capturing
Incident Response
Mobile Devices Forensics
Mobile Phone, PDA, GPS
Video/Picture Forensics
CCTV recordings, Digital Photo Manipulation
Key Legislations for Computer Crimes
Evidence Act (Cap 97)
Section 35
Computer Misuse Act (Cap 50A)
Addresses computer crimes and provides stiff penalties for violations of the law
Penal Code (Cap 224)
Amended to cover electronic medium and new offences
such as credit card skimming, distribution of pornography
etc.
The Digital Forensic Process
1. Identifying the computers
2. Seizing and preserving evidence
3. Recovering & analysing the files
4. Presenting the evidence
Identifying the Computers
Each case is unique
Need to be familiar with various set ups
Need to be able to identify components of a
computer
Must recognize the hardware devices or any storage
devices that may contain digital evidence
Seizing & Preserving Evidence
Following international best practice in securing digital evidence ensures it will not be destroyed or contaminated
Documenting the setup of a PC or network will strengthen the quality of evidence in court
Photographing the premises and setup will help in documentation
Seizing & Preserving Evidence
In computer forensics, make an exact copy of the WHOLE storage media, including free space (bit-stream copy)
Eg. 250GB hard disk with 100GB free space
Normal copying will copy about 150GB
Bit-stream copying will copy all 250GB
Ensure that we do not miss any evidence in the free space
Deleted documents
Temporary files
Seizing & Preserving Evidence
Ensure that the forensic copy is an exact copy of the suspect's hard disk through the use of digital fingerprinting
Digital fingerprinting is done using an industry standard integrity check, MD5 or SHA1
MD5: 128-bit
SHA1: 160-bit
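The two slides above, bit-stream copying and fingerprinting the copy, can be demonstrated together. The following Python program is an added example and not part of the lecture notes: it builds a constructed 4096-byte toy disk with a tiny directory standing in for the file system's allocation table, shows that a file-level copy misses a "deleted" document while a sector-by-sector image retains it, carves that document back out of free space, and accepts the image only when both its MD5 and SHA1 digests match the original media. The toy layout, the file contents and all function names are assumptions of this example.

```python
import hashlib

# Constructed toy "hard disk" for this example: 4096 bytes in 256-byte sectors.
SECTOR = 256
DISK_SIZE = 4096


def make_disk():
    """Build a disk image with two listed files and one deleted file.

    Returns (disk bytes, directory). The directory {name: (sector, length)}
    plays the role of the file system's allocation table. The deleted file's
    bytes are still on the media, but no directory entry points at them.
    """
    disk = bytearray(DISK_SIZE)
    directory = {}

    def write(name, sector, data, listed=True):
        disk[sector * SECTOR: sector * SECTOR + len(data)] = data
        if listed:
            directory[name] = (sector, len(data))

    write("report.txt", 1, b"Q3 sales report: all figures reconciled.")
    write("notes.txt", 3, b"Meeting notes, nothing unusual.")
    # "Deleted" invoice: content left behind in free space, entry removed.
    write("invoice_old.txt", 6,
          b"INVOICE #1042 amount altered from 1,200 to 12,000", listed=False)
    return disk, directory


def normal_copy(disk, directory) -> dict:
    """File-level copy: only the files the file system still lists."""
    return {name: bytes(disk[s * SECTOR: s * SECTOR + n])
            for name, (s, n) in directory.items()}


def bitstream_copy(disk) -> bytes:
    """Sector-by-sector copy of the whole media, free space included."""
    return bytes(disk)


def fingerprint(data: bytes) -> dict:
    """MD5 (128-bit) and SHA1 (160-bit) digests, as named in the slides."""
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha1": hashlib.sha1(data).hexdigest()}


def verify_image(original: bytes, image: bytes) -> bool:
    """An image is accepted only if both digests match the original media."""
    return fingerprint(original) == fingerprint(image)


def carve_free_space(image: bytes, directory, marker: bytes) -> list:
    """Look in sectors no listed file claims for a marker string."""
    used = set()
    for s, n in directory.values():
        used.update(range(s, s + (n + SECTOR - 1) // SECTOR))
    hits = []
    for sector in range(len(image) // SECTOR):
        chunk = image[sector * SECTOR:(sector + 1) * SECTOR]
        if sector not in used and marker in chunk:
            hits.append((sector, chunk.rstrip(b"\x00")))
    return hits


def demo() -> dict:
    """Run the comparison and the integrity check on the toy disk."""
    disk, directory = make_disk()
    files = normal_copy(disk, directory)
    image = bitstream_copy(disk)
    return {
        "normal_copy_bytes": sum(len(v) for v in files.values()),
        "bitstream_bytes": len(image),
        "deleted_in_normal_copy": any(b"INVOICE" in v for v in files.values()),
        "deleted_in_image": b"INVOICE" in image,
        "carved": carve_free_space(image, directory, b"INVOICE"),
        "image_verified": verify_image(bytes(disk), image),
        "tampered_verified": verify_image(bytes(disk), image[:-1] + b"\x01"),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The same idea scales to the slide's 250GB disk: the file-level copy carries only the 150GB the file system still lists, while the image carries every sector, and a single flipped byte anywhere in the image is enough for verification to fail.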
Recovering & Analyzing Files
Never work on the original evidence
If one has to, one must be competent and must document every action in the process
Analysis must be done using a working copy
Hard disk, tape and CD-R
A copy will also be archived for record purposes
Recovering & Analyzing Files
This is done in a controlled environment
Restricted access to room
Restricted access to evidence
Possible to limit the access even to folders
Document the procedures and actions taken to recover the data
Presenting the Evidence
Computer evidence can be filed in court
Documentation made earlier will be used to
support and prepare the report
Need to work with investigator and legal counsel
Presenting the Evidence
The report put up must be simple to understand, organized, and free of technical jargon
The report should facilitate and hasten the litigation process
Officers involved in seizing evidence may need to appear in court to give testimony or demonstrate with the evidence
Be prepared to be cross-examined
Traditional Dead Forensics
Common practice: pulling the plug
Safe state: further alteration is prevented
Risk of corrupting the system
RAM is not captured
Passwords, running processes, open ports, etc
Allows bit-for-bit imaging of the storage devices
Extremely useful in a hostile environment
Live Forensics: The Evolving Trend
More data could be lost forever if volatile data is not captured from a live or remote system
RAM can contain vital information such as unencrypted data, running processes, passwords, etc
Avoids the risk of corrupting a computer or of having no access to a remote computer
Used to be a tedious process, but new tools are available to make live forensics easier
Eg. EnCase Enterprise, AccessData FTK, F-Response, X-Ways
Live Forensics in an Enterprise
Why Corporations Pull the Plug
Organizations have no idea what to do
A lot has been compromised, minimize loss of data
Internal first responders have not been trained to do live forensics
Response time too slow
Impact on Business Processes
and IT Governance
There will always be motivating factors for internal and external people to steal information from you
Greed
Hatred
Jealousy
Impact on Business Processes
and IT Governance
Strategy to tackle cybercrime in an organization
Deterrence
Data Loss Prevention
Virtualization
Forensics
Crisis Handling Policy
Impact on Business Processes
and IT Governance
Deterrence through education and publicity
Publicity
Acceptable Use Policy (AUP)
Remove administrator rights on PCs
Put up clear notices that all activities are tracked
Educate staff that they will be caught no matter how they steal
Make presence felt by regular auditing
Internal forensics and monitoring must be in place
Impact on Business Processes
and IT Governance
Should the organization implement a Data Loss
Prevention (DLP) System?
Data Loss Prevention (DLP) System
To detect and prevent unauthorized transmission of
information to an unauthorized party
RSA, McAfee, Symantec, Pawaa
DLP allows companies to monitor network traffic,
detect incidents and block inappropriate incidents
Drivers: DLP converging with GRC
Key driver: the common thread between all these regulations is to protect corporate and customer information and control endpoints!
Source: Telesoft
Monitor::Alert::Block::Scan::Encrypt
A Good Source for Digital Forensic Investigation
Comprehensive monitoring of end point activities
USB/CD/DVD/BT/IR
Emails/web mails
File activities
Application activities
Network/web activities
Sensitive content
Clipboard/screenshots
Print activities
Configuration changes
Visibility to User behavior must be a fundamental control
The Latest Weapon for End Point Security
Control and track the files after they are in the hands of others
Files can only be opened with a valid user ID and password
Files can be auto-shredded after a number of failed access attempts
Files have an expiry date
The rightful owner of the files will be alerted once the files are opened, and the locations where the files are opened are tracked
Visibility to User behavior must be a fundamental control
IP Addresses
An Internet Protocol address (IP address) is a numerical label assigned to each device connected to a computer network that uses the Internet Protocol for communication. An IP address serves two principal functions: host or network interface identification and location addressing.
Version 4 of the Internet Protocol (IPv4) defines an IP address as a 32-bit number. However, because of the growth of the Internet and the depletion of available IPv4 addresses, a new version of IP (IPv6), using 128 bits for the IP address, was developed in 1995, and standardized as RFC 2460 in 1998. IPv6 deployment has been ongoing since the mid-2000s.

MAC Addresses
A media access control address (MAC address) of a
computer is a unique identifier assigned to network
interfaces for communications at the data link layer of a
network segment. MAC addresses are used as a network
address for most IEEE 802 network technologies, including
Ethernet and Wi-Fi. Logically, MAC addresses are used in
the media access control protocol sublayer of the OSI
reference model.

Analyzing the Combination of IP Addresses and MAC Addresses for Access Security
The combination of IP addresses and MAC addresses can help indicate where certain devices were used. Furthermore, the web browser and OS used give further details of each access. Changes in these combinations, together with the time lapse and frequency, can serve as indicators of abnormalities.
Examples of these combinations:
1. Same IP address is associated with many MAC addresses
2. Same MAC address is associated with different IP addresses on a weekly basis
3. Same MAC address is associated with many IP addresses of different countries within an hour
4. An Internet banking customer usually signs on to his account with the same IP address and MAC address, but is now signing on to his account with a different IP address and MAC address.
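The four patterns above can be written as detection rules over a sign-on log. The Python script below is an added example, not part of the lecture notes, run over a constructed log whose IP addresses come from the documentation ranges (RFC 5737 and RFC 3849) and whose users, MAC addresses and country lookup table are invented. It also records whether each address parsed as 32-bit IPv4 or 128-bit IPv6, as the IP Addresses slide describes. The thresholds, the rule names, the treatment of pattern 4 as "new IP and new MAC compared with a baseline period", and the 2017-09-15 baseline cut-off are all assumptions of this example.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sign-on log (not real data). IPs are from the RFC 5737 / RFC 3849
# documentation ranges; users and MAC addresses are invented.
LOG = """\
2017-09-04T09:00:00 user=alice ip=203.0.113.10 mac=00:11:22:33:44:55 ua=Chrome/Windows
2017-09-05T09:02:00 user=alice ip=203.0.113.10 mac=00:11:22:33:44:55 ua=Chrome/Windows
2017-09-11T09:01:00 user=bob ip=198.51.100.7 mac=aa:bb:cc:dd:ee:01 ua=Safari/macOS
2017-09-12T10:00:00 user=carol ip=203.0.113.77 mac=aa:bb:cc:dd:ee:02 ua=Firefox/Linux
2017-09-12T10:20:00 user=carol ip=198.51.100.77 mac=aa:bb:cc:dd:ee:02 ua=Firefox/Linux
2017-09-12T10:40:00 user=carol ip=192.0.2.77 mac=aa:bb:cc:dd:ee:02 ua=Firefox/Linux
2017-09-13T08:00:00 user=dave ip=203.0.113.200 mac=aa:bb:cc:dd:ee:10 ua=Chrome/Windows
2017-09-13T08:05:00 user=erin ip=203.0.113.200 mac=aa:bb:cc:dd:ee:11 ua=Chrome/Windows
2017-09-13T08:09:00 user=frank ip=203.0.113.200 mac=aa:bb:cc:dd:ee:12 ua=Chrome/Windows
2017-09-14T12:00:00 user=grace ip=2001:db8::1 mac=aa:bb:cc:dd:ee:20 ua=Chrome/Windows
2017-09-18T09:03:00 user=bob ip=198.51.100.9 mac=aa:bb:cc:dd:ee:01 ua=Safari/macOS
2017-09-20T21:30:00 user=alice ip=192.0.2.50 mac=de:ad:be:ef:00:01 ua=Chrome/Android
2017-09-25T09:00:00 user=bob ip=198.51.100.21 mac=aa:bb:cc:dd:ee:01 ua=Safari/macOS
"""

# Constructed geolocation table standing in for a real GeoIP database.
GEO = {ipaddress.ip_network("203.0.113.0/24"): "SG",
       ipaddress.ip_network("198.51.100.0/24"): "US",
       ipaddress.ip_network("192.0.2.0/24"): "DE"}

LINE_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) ip=(?P<ip>\S+) "
                     r"mac=(?P<mac>\S+) ua=(?P<ua>\S+)$")
MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$")


def parse(log: str) -> list:
    """Turn log lines into time-ordered events; malformed lines are skipped."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m or not MAC_RE.match(m["mac"].lower()):
            continue
        ip = ipaddress.ip_address(m["ip"])  # raises ValueError on a bad address
        events.append({"ts": datetime.fromisoformat(m["ts"]), "user": m["user"],
                       "ip": ip, "mac": m["mac"].lower(), "ua": m["ua"],
                       "ip_bits": ip.max_prefixlen})  # 32 for IPv4, 128 for IPv6
    return sorted(events, key=lambda e: e["ts"])


def country(ip) -> str:
    """Country code from the constructed table, '??' when unknown."""
    return next((cc for net, cc in GEO.items() if ip in net), "??")


def detect(events: list, baseline_until: datetime, ip_mac_threshold: int = 3) -> list:
    """Return (rule, subject, detail) findings for the four slide patterns."""
    findings = []
    by_ip, by_mac, by_user = defaultdict(set), defaultdict(list), defaultdict(list)
    for e in events:  # events are time-ordered, so the per-key lists are too
        by_ip[e["ip"]].add(e["mac"])
        by_mac[e["mac"]].append(e)
        by_user[e["user"]].append(e)
    # 1. One IP address seen with many MAC addresses.
    for ip, macs in by_ip.items():
        if len(macs) >= ip_mac_threshold:
            findings.append(("ip_many_macs", str(ip), sorted(macs)))
    for mac, evs in by_mac.items():
        # 2. One MAC address whose IP differs from one ISO week to the next.
        weekly = defaultdict(set)
        for e in evs:
            weekly[e["ts"].isocalendar()[:2]].add(e["ip"])
        weeks = sorted(weekly)
        if len(weeks) >= 3 and all(weekly[a].isdisjoint(weekly[b])
                                   for a, b in zip(weeks, weeks[1:])):
            findings.append(("mac_weekly_ip_change", mac,
                             [str(ip) for w in weeks for ip in weekly[w]]))
        # 3. One MAC address seen in different countries within one hour.
        for i, a in enumerate(evs):
            later = [b for b in evs[i + 1:] if b["ts"] - a["ts"] <= timedelta(hours=1)]
            hit = next((b for b in later if country(b["ip"]) != country(a["ip"])), None)
            if hit:
                findings.append(("mac_multi_country_1h", mac,
                                 f"{country(a['ip'])} then {country(hit['ip'])} "
                                 f"after {hit['ts'] - a['ts']}"))
                break
    # 4. A user signing on from an IP *and* a MAC never seen in the baseline.
    for user, evs in by_user.items():
        base = [e for e in evs if e["ts"] < baseline_until]
        known_ips = {e["ip"] for e in base}
        known_macs = {e["mac"] for e in base}
        for e in evs:
            if (base and e["ts"] >= baseline_until
                    and e["ip"] not in known_ips and e["mac"] not in known_macs):
                findings.append(("user_new_ip_and_mac", user,
                                 f"{e['ip']} / {e['mac']} / {e['ua']}"))
    return findings


def analyse(log: str = LOG, baseline_until: str = "2017-09-15") -> list:
    """Parse the log and run all four rules; the baseline cut-off is an assumption."""
    return detect(parse(log), datetime.fromisoformat(baseline_until))
```

Calling analyse() on the constructed log yields one finding per rule: the shared IP 203.0.113.200 with three MAC addresses, bob's MAC changing IP each week, carol's MAC appearing in three countries within forty minutes, and alice signing on from an IP and MAC never seen before. In a real deployment the browser and OS string recorded in each event would be a further field to compare, as the slide notes.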
Singapore to have new academy
to train cybersecurity professionals
More needs to be done, because Singapore is more exposed
than many other countries to cyberattacks, said Acting Prime
Minister Teo Chee Hean.
To address this, and as part of efforts to invest in its people, the
Cyber Security Agency (CSA) will develop a new academy to
train cybersecurity professionals, and it will partner leading
industry partners to train those in government and critical
information infrastructure (CII) sectors.
This will be opened in the later part of this fiscal year, and will
be expanded later to include cybersecurity professionals for the
wider community.
US-based cybersecurity vendor FireEye will be its first partner to
help provide training in incident response and malware analysis.
By Kevin Kwang @KevinKwang, CNA, 19 Sept 2017
What It Takes to Be A Digital Investigator
Understanding a computer from soup to nuts is essential
You are a digital coroner
Sense of fearlessness to face complex technology
Career in Digital Investigation
Computer Forensics skills will be a basic
requirement
ACE, EnCE, GCFA
Skills requirement for e-discovery
Possible areas of work
Law enforcement
Consultancy firms
Security firms
MNCs
Be your own Boss
