Forensic Accounting
Digital Forensic
Substantial parts of the lecture notes on
Digital Forensic are provided by:
Mr. Felix Lum
Managing Director of Fulcrum Asia
Case Study TJ Maxx
TJX: largest international apparel and home fashion
department store chain in the US
Computer system compromised in July 2005,
discovered only in December 2006
Customer data were stolen
At least 45.7 million customers affected
Case Study TJ Maxx
Hackers stored data in encrypted servers in Eastern
Europe and the US
Data was put up for sale in those countries
Credit cards were cloned to withdraw thousands
from ATMs
Cost at least US$118M
US$107M provided as reserves for future loss
US$11M cost of investigation
2013 hack hit all 3 billion Yahoo accounts
It affected all 3 billion accounts at Yahoo, triple the original
estimate, the online giant's parent company, Verizon said on
Tuesday (Oct 3, 2017) following a new analysis of the incident.
The statement said that the estimate is based on "new
intelligence" following an investigation with the assistance of
outside forensic experts into the incident in August 2013.
"The investigation indicates that the user account information
that was stolen did not include passwords in clear text, payment
card data, or bank account information. The company is
continuing to work closely with law enforcement."
The Yahoo breach was already believed to be the largest ever in
terms of numbers of users affected. But a recently disclosed
breach by credit agency Equifax is seen as potentially more
damaging because of the sensitivity of the data leaked.
AFP/de, October 4, 2017
Equifax shares slump after massive data breach
Equifax Inc's shares tumbled 18 percent on Sept 8, 2017 after the
provider of consumer credit scores revealed that hackers may have
stolen personal details of nearly half of the American adult population in
one of the largest data breaches.
The breach was discovered on July 29, and criminals exploited a
vulnerability in a website application to gain access to certain files that
included names, Social Security numbers and drivers' license numbers.
Equifax said hackers breached the accounts between mid-May and July,
potentially accessing information of 143 million Americans. Accounts of
some UK and Canadian residents were also compromised.
The shares earlier touched US$117.25, their lowest in more than seven
months. Shares of rival TransUnion were down 4 percent, while Experian
shares were down 1.3 percent.
Equifax handles data on more than 820 million consumers and more
than 91 million businesses worldwide and manages a database with
employee information from more than 7,100 employers, according to its
website.
Reuters, Aishwarya Venugopal and Sweta Singh in Bengaluru, Sept 8, 2017
Areas in Computer Forensics
Data Forensics
PC, Server, Documents, Databases
Live Forensics
Network Forensics, Packet Capturing
Incident Response
Mobile Devices Forensics
Mobile Phone, PDA, GPS
Video/Picture Forensics
CCTV recordings, Digital Photo Manipulation
Key Legislations for Computer Crimes
Evidence Act (Cap 97)
Section 35
Computer Misuse Act (Cap 50A)
Addresses computer crimes and provides stiff penalties for
violation of the law
Penal Code (Cap 224)
Amended to cover electronic medium and new offences
such as credit card skimming, distribution of pornography
etc.
The Digital Forensic Process
Identifying the computers
Seizing and Preserving Evidence
SHA1 160-bit
Recovering & Analyzing Files
Never work on the original evidence
If one has to, make sure one is competent and documents
every action in the process
Analysis must be done using working copy
Hard disk, Tape and CDR
A copy will also be archived for record purposes
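The working-copy rule above, as an added example that is not part of the original lecture notes: the original image is hashed once at acquisition, a working copy and an archive copy are made, and each copy is re-verified against the recorded hashes. The file names, the constructed sample image and the extra SHA-256 digest alongside the SHA-1 named on the slide are assumptions of this sketch.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path


def digest(path, algo="sha1", chunk=1 << 20):
    """Hash a file in chunks so large disk images never sit in memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def make_copies(original, out_dir):
    """Record the original's hashes, then create working and archive copies."""
    # SHA-1 is the 160-bit hash the slide names; SHA-256 is an added assumption.
    record = {"sha1": digest(original, "sha1"), "sha256": digest(original, "sha256")}
    copies = {}
    for role in ("working", "archive"):
        dest = Path(out_dir) / f"{role}.img"
        shutil.copyfile(original, dest)
        copies[role] = dest
    return record, copies


def verify(path, record):
    """True only if the file still matches every hash taken at acquisition."""
    return all(digest(path, algo) == value for algo, value in record.items())


def demo():
    with tempfile.TemporaryDirectory() as tmp:
        original = Path(tmp) / "seized_disk.img"  # hypothetical file name
        original.write_bytes(b"CONSTRUCTED SAMPLE IMAGE " * 4096)
        record, copies = make_copies(original, tmp)
        before = {role: verify(p, record) for role, p in copies.items()}
        # Simulate an analysis tool writing one byte to the working copy.
        with open(copies["working"], "r+b") as f:
            f.seek(100)
            f.write(b"X")
        after = {role: verify(p, record) for role, p in copies.items()}
        return len(record["sha1"]) * 4, before, after


if __name__ == "__main__":
    print(demo())
```

A failed check on the working copy is recoverable because the archive copy still matches the acquisition hashes and a fresh working copy can be made from it.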
Recovering & Analyzing Files
This is done in a controlled environment
Restricted access to room
Restricted access to evidence
Possible to limit the access even to folders
Hatred
Jealousy
Impact on Business Processes
and IT Governance
Strategy to tackle cybercrime in an organization
Deterrence
Virtualization
Forensics
Key Driver: Common thread between all these regulations is to protect
corporate and customer information and control endpoints!
Source: Telesoft
Monitor::Alert::Block::Scan::Encrypt
A Good Source for Digital Forensic Investigation
Comprehensive monitoring of End Point activities
USB/CD/DVD/BT/IR
Emails/web mails
File activities
Application activities
Network/web activities
Sensitive content
Clipboard/screenshots
Print activities
Configuration changes
Visibility to User behavior must be a fundamental control
The Latest Weapon for End Point Security
Control and track the files after they are in the hands of others
Files can only be opened with valid
USERID and passwords
Files can be auto-shredded after a
number of failed access attempts
Files have an expiry date
The rightful owner of the files will be
alerted once the files are opened and the
locations of where the files are opened are
tracked
IP Addresses
An Internet Protocol address (IP address) is a numerical
label assigned to each device connected to a computer
network that uses the Internet Protocol for communication.
An IP address serves two principal functions: host or
network interface identification and location addressing.
MAC Addresses
A media access control address (MAC address) of a
computer is a unique identifier assigned to network
interfaces for communications at the data link layer of a
network segment. MAC addresses are used as a network
address for most IEEE 802 network technologies, including
Ethernet and Wi-Fi. Logically, MAC addresses are used in
the media access control protocol sublayer of the OSI
reference model.
Analyzing the Combination of IP
Addresses and MAC Addresses for Access Security
The combination of IP addresses and MAC addresses can help
indicate where certain devices were used. Furthermore, the web
browser and OS used give further details of each access. The
changes of these combinations, together with the time lapse and
frequency can serve as indicators of abnormalities.
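One way to turn the indicators above into a check, as an added example that is not part of the original lecture notes. The log format, the sample records, the 10-minute lapse and the change limit are all assumptions; the records are assumed to come from a source that sees both addresses, such as an endpoint agent or a DHCP log, since a MAC address is only visible on the local network segment.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample access records: time, user, IP, MAC, browser, OS.
SAMPLE_LOG = """\
2024-03-01T09:00:00 alice 10.0.0.15 00:1A:2B:3C:4D:5E Firefox Windows
2024-03-01T13:10:00 alice 10.0.0.15 00:1A:2B:3C:4D:5E Firefox Windows
2024-03-01T13:14:00 alice 10.0.8.41 66:77:88:99:AA:BB Chrome Linux
2024-03-01T13:20:00 alice 10.0.0.15 66:77:88:99:AA:BB Chrome Linux
2024-03-01T13:25:00 alice 10.0.0.15 00:1A:2B:3C:4D:5E Firefox Windows
2024-03-02T09:05:00 bob 10.0.0.22 00:1A:2B:3C:4D:5F Edge Windows
2024-03-02T17:30:00 bob 10.0.0.22 00:1A:2B:3C:4D:5F Edge Windows
"""


def find_anomalies(log_text, lapse=timedelta(minutes=10), max_changes=2):
    """Flag accesses whose IP/MAC or browser/OS differ from the user's previous one."""
    last = {}                   # user -> (time, ip, mac, browser, os)
    changes = defaultdict(int)  # user -> IP/MAC combination changes seen so far
    alerts = []
    for line in log_text.strip().splitlines():
        ts, user, ip, mac, browser, os_name = line.split()
        when = datetime.fromisoformat(ts)
        if user in last:
            p_when, p_ip, p_mac, p_browser, p_os = last[user]
            reasons = []
            if (ip, mac) != (p_ip, p_mac):
                changes[user] += 1
                if mac == p_mac:
                    reasons.append("same MAC on new IP")
                elif ip == p_ip:
                    reasons.append("new MAC on same IP")
                else:
                    reasons.append("new IP and MAC")
                if when - p_when <= lapse:       # time lapse since last access
                    reasons.append("short time lapse")
                if changes[user] > max_changes:  # frequency over the whole log
                    reasons.append("frequent changes")
            if (browser, os_name) != (p_browser, p_os):
                reasons.append("browser/OS changed")
            if reasons:
                alerts.append((ts, user, reasons))
        last[user] = (when, ip, mac, browser, os_name)
    return alerts


if __name__ == "__main__":
    for alert in find_anomalies(SAMPLE_LOG):
        print(alert)
```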