Module 5 Assignment (docx, 7 pages). Course 508, Information Systems, Florida Memorial University. Uploaded by diondreanixon04, Dec 6, 2023.
Diondrea Nixon
St. Thomas University
Professor Beyene
November 19, 2023
Module 5 Assignment
Chapter 13 Exercises
1. Define computer forensics.
Computer forensics is the specialized field of forensic science that involves analyzing electronic
data to recover, preserve, and present information for solving technology-based crimes. It plays a
crucial role in investigating financial fraud and other illicit activities involving computers. In the
context provided, it emphasizes the shift from traditional paper-based evidence to electronic
evidence and highlights the importance of understanding how computer evidence is collected and
analyzed in forensic investigations. The example involving Harry Towns illustrates the practical
application of computer forensics in uncovering the true perpetrator of financial fraud through
the analysis of digital evidence.
3. List where some electronic evidence may be found of a crime.
Electronic evidence of a crime may be found in the following locations:
1. Employer-owned Personal Computers (PCs) and Mainframes: These are likely to contain evidence if they are the target of a criminal attack or used as tools to commit a crime.
2. Employees' Personal Laptops: Personal laptops belonging to employees may contain evidence if they are used in connection with criminal activities.
3. Company's Network: The overall network infrastructure of the company, including servers and connected devices, may store electronic evidence.
4. Personal Data Assistants (PDAs): Portable electronic devices like PDAs may contain relevant evidence.
5. Blackberries, Digital Cameras, Pagers, iPads: Various electronic devices owned or used by employees within the organization could potentially store evidence.
6. External Drives, Dongles, Memory Sticks: External storage devices and security devices connected to computers may contain evidence.
7. Scanners, Floppy Disks, Smart Cards: Various electronic peripherals and storage media may hold relevant data.
8. Cell Phones: Personal and company-issued cell phones may store evidence related to criminal activities.
9. Web Servers in External Networks: Servers located in external networks that are part of the company's infrastructure may contain electronic evidence.
4. Summarize the guidelines SAS No. 31 provides for auditors.
SAS No. 31 focuses on providing guidance for audits involving significant electronic
information, addressing the need for testing controls, the definition of evidential matter
encompassing electronic information, and the consideration of time sensitivity in handling
electronic evidence. The additional guidance in ITA further enhances the auditor's approach to
electronic evidence in the context of entries processing, maintenance, or access.
6. Discuss any three of the technical skills needed for working with digital evidence collection.
Understanding of Various Operating Systems: The auditor or accountant involved in digital evidence collection must have a basic familiarity with different operating systems (OSs) such as Windows 8 or 10, Android, or iOS. This knowledge is essential for conducting a preliminary review of electronic financial data across different platforms. The ability to navigate various OSs and understand their network file architecture is crucial for locating pertinent files during an investigation.
Quickly Identifying Pertinent Digital Data: In the event of an expanded investigation or fraud suspicions, the investigator must know how to perform a read-only search that does not alter the data. Time constraints may require the prioritization of the most volatile data, such as cached data, which needs to be collected first. The investigator should be aware of the rapid changes in technology, such as increasing RAM sizes, and adapt their strategies for efficiently identifying and collecting relevant electronic evidence.
Properly Preserving Data: Preservation of date and timestamps within files is essential for analyzing potential financial fraud. The investigator needs to have a basic familiarity with OS timestamp and data protocols. Understanding how to preserve this information is crucial, as it shows when changes to files were made, aiding in the identification of those responsible for the changes. The skill set includes the ability to ensure the integrity of the data and prevent unintentional alterations during the investigation.
7. From the Internet, determine the use of these software tools:
a. Nmap.
b. John the Ripper.
c. TCPDump.
d. Tripwire.
e. THC-Scan.
a. Nmap (Network Mapper): Nmap is a versatile open-source tool primarily used for network discovery and security auditing. Security professionals deploy Nmap to map a network, identify open ports, discover services running on those ports, and determine the operating system of target systems. Its capabilities make it an essential tool for vulnerability assessment and penetration testing.
b. John the Ripper: John the Ripper is a password cracking tool widely employed to test the strength of passwords by attempting to crack password hashes. Security experts use it for both offline and online password cracking, helping assess the vulnerability of systems to password-related attacks and encouraging the implementation of robust password policies.
c. TCPDump: TCPDump is a packet analyzer utilized for capturing and displaying TCP/IP packets in a network. It serves as a valuable tool for network troubleshooting, analysis, and debugging. Security professionals leverage TCPDump to capture network traffic, enabling them to identify potential security threats, detect malicious activities, and assess overall network health.
d. Tripwire: Tripwire is an integrity checking and intrusion detection system that monitors changes to specified files and directories on a system. It plays a crucial role in maintaining system integrity by alerting administrators to unauthorized modifications, helping detect security breaches or potential threats to the system's stability.
e. THC-Scan (The Hacker's Choice Scan): THC-Scan is a network security assessment tool designed for scanning networks and uncovering vulnerabilities. Security professionals use it to detect service versions, perform banner grabbing, and conduct vulnerability scanning. THC-Scan aids in identifying potential weaknesses in a network, assisting organizations in strengthening their security posture against potential cyber threats.
11. Describe COBIT’s goals.
COBIT, or Control Objectives for Information and Related Technologies, has several key goals.
It aims to establish effective IT control practices, align IT controls with regulatory requirements
like Sarbanes-Oxley, reduce high-tech fraud risks in networked environments, provide a
framework for IT audits, and emphasize the continuous monitoring of internal control
effectiveness, particularly in the context of financial reporting. COBIT's overarching objective is
to ensure that information technology supports organizational goals and contributes to robust
governance and risk management.
13. Can deleted files always be recovered? Explain your answer.
Deleted files can often be recovered using forensic tools like EnCase. When a file is deleted, it is
not immediately removed from the storage device; instead, the space it occupies is marked as
available for new data. Until that space is overwritten by new information, the deleted file's
content remains recoverable. Forensic software, such as EnCase, captures a read-only image of
the entire hard drive, including deleted files. This process allows investigators to reconstruct the
sequence of actions, recover deleted files, and analyze the digital history of a device. However, if
the space occupied by the deleted file is overwritten by new data, it becomes more challenging or
even impossible to recover the original content. Therefore, the successful recovery of deleted
files depends on whether the space they occupied has been reused or not.
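The mechanism described in this answer, shown with an added example that is not part of the assignment or of any forensic product: a toy disk image with a small allocation table, where "deleting" only clears the table entry and the bytes stay on the medium until a later write reuses the space. A signature-based carver (header plus footer, the way recovery tools locate known file types) recovers the content before the overwrite and finds nothing afterwards. The file format, its magic signatures and the memo text are constructed for the demonstration.

```python
"""Why deleted files are often, but not always, recoverable (constructed toy disk)."""
import re

BLOCK_SIZE = 64
NUM_BLOCKS = 16
HEADER = b"<<DOC>>"      # constructed magic number for the toy document format
FOOTER = b"<</DOC>>"


class ToyDisk:
    """A byte array plus an allocation table: block index -> owning file name or None."""

    def __init__(self):
        self.media = bytearray(BLOCK_SIZE * NUM_BLOCKS)
        self.table = [None] * NUM_BLOCKS

    def write_file(self, name, payload):
        """Store payload in the first run of free blocks; return the block indexes used."""
        needed = -(-len(payload) // BLOCK_SIZE)   # ceiling division
        for start in range(NUM_BLOCKS - needed + 1):
            run = range(start, start + needed)
            if all(self.table[b] is None for b in run):
                for i, b in enumerate(run):
                    chunk = payload[i * BLOCK_SIZE:(i + 1) * BLOCK_SIZE]
                    self.media[b * BLOCK_SIZE:b * BLOCK_SIZE + len(chunk)] = chunk
                    self.table[b] = name
                return list(run)
        raise OSError("disk full")

    def delete_file(self, name):
        """Ordinary deletion: free the blocks in the table, leave the bytes untouched."""
        self.table = [None if owner == name else owner for owner in self.table]

    def read_file(self, name):
        """What the file system can still see through its own allocation table."""
        blocks = [b for b, owner in enumerate(self.table) if owner == name]
        if not blocks:
            return None
        return bytes(self.media[blocks[0] * BLOCK_SIZE:(blocks[-1] + 1) * BLOCK_SIZE])


def carve(image):
    """Scan the raw image for header..footer pairs, ignoring the allocation table entirely."""
    pattern = re.escape(HEADER) + b"(.*?)" + re.escape(FOOTER)
    return [m.group(1) for m in re.finditer(pattern, bytes(image), re.DOTALL)]


def demo():
    """Constructed scenario: a memo is written, deleted, carved back, then overwritten."""
    disk = ToyDisk()
    secret = HEADER + b"Q4 wire transfers: 12 payments to vendor 7731" + FOOTER
    disk.write_file("memo.doc", secret)
    disk.delete_file("memo.doc")
    visible_after_delete = disk.read_file("memo.doc")   # None: the OS no longer sees it
    carved_before = carve(disk.media)                  # content is still on the medium
    # New data lands in the freed blocks and overwrites the old content.
    disk.write_file("report.doc", b"Z" * len(secret))
    carved_after = carve(disk.media)                   # nothing left to recover
    return visible_after_delete, carved_before, carved_after


if __name__ == "__main__":
    print(demo())
```

The carver deliberately never consults the allocation table; that is the same reason a read-only image of the whole drive, rather than a copy of the visible files, is what recovery work starts from.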
17. In what ways can electronic evidence be destroyed so that it is no longer admissible in court?
Explain your answer.
Electronic evidence can be ruled inadmissible in court in several ways. Overwriting data, a
common practice with regular backups or cloud storage with limited retention periods, can lead
to the irreversible loss of the original content. Failure to preserve metadata during the collection
process can result in the loss of valuable contextual information. Common business practices
such as system checks and disk optimization performed after receiving a storage request can
violate court orders and destroy evidence. Incomplete or forensically inaccurate images or hard
disk storage can compromise the integrity of evidence. Attempts by any party to hide or alter
Electronically Stored Information (ESI) can lead to extortion and data loss if precautions are not
taken. The unique challenges of solid-state drives (SSDs) that do not require immediate data
transfer and advanced security measures such as encryption can also contribute to the destruction
of electronic evidence. Finally, ignoring preservation requests and failing to comply with legal
obligations can jeopardize the admissibility of evidence at trial. To maintain the integrity of
electronic evidence, organizations must implement sound preservation practices when faced with
legal inquiries or forensic investigations.
19. Under the COSO framework, what general IT guidelines have been established?
The COSO framework, in alignment with the SEC's departure from existing AICPA accounting
guidelines for digital fraud prevention, outlines general IT guidelines in eight key areas. These
areas encompass the evaluation of the internal control environment, ensuring objective setting
processes align with the organization's mission, classifying internal and external occurrences into
risk and opportunity categories, managing IT risks effectively through risk assessment and
response, evaluating control activities for their efficacy, establishing effective information and
communication channels, and implementing monitoring procedures to verify control
effectiveness. A strong internal control environment is essential, fostering a culture that values
risk awareness, ethical values, and adequate controls. Monitoring ensures timely corrective
actions in response to identified weaknesses, contributing to robust IT controls and fraud
prevention within the organization.
24. What does comparing the hash values of two files show?
Comparing the hash values of two files serves as a method to determine if the files are identical
or if any alterations have been made. When a forensic accountant calculates and compares the
hash values of two separate files using algorithms such as MD5 and SHA1, matching hash values
indicate that the files are the same, while differing hash values suggest that the files have been
modified in some way. This process is valuable for forensic accountants analyzing large financial
files, as it helps verify the integrity and consistency of electronic data, ensuring that files have
not been tampered with or manipulated.
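The comparison described here, together with the "Properly Preserving Data" skill from exercise 6 and the Tripwire-style integrity monitoring from exercise 7, in one added example that is not from the textbook or the assignment: it records MD5 and SHA-1 digests (the algorithms named in the answer; SHA-256 would be preferred for new work) plus the filesystem modification time of each collected file into a manifest, re-verifies the files later, and compares two files by digest. The ledger files and the edit made to one of them are constructed in a temporary directory so the script runs offline.

```python
"""Hash-based integrity checks for collected files (added example, constructed data)."""
import hashlib
import os
import tempfile
from datetime import datetime, timezone

ALGORITHMS = ("md5", "sha1")


def hash_file(path, algorithm):
    """Return the hex digest of a file, reading it read-only in chunks."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def record_evidence(path):
    """Capture digests, size and modification time for one file (a manifest entry)."""
    st = os.stat(path)
    return {
        "path": path,
        "size": st.st_size,
        "mtime_utc": datetime.fromtimestamp(st.st_mtime, timezone.utc).isoformat(),
        "digests": {alg: hash_file(path, alg) for alg in ALGORITHMS},
    }


def build_manifest(paths):
    """Manifest for a set of collected files, keyed by path."""
    return {p: record_evidence(p) for p in paths}


def verify_manifest(manifest):
    """Re-hash every file; return {path: True if unchanged, False if modified or missing}."""
    results = {}
    for path, entry in manifest.items():
        if not os.path.exists(path):
            results[path] = False
            continue
        current = {alg: hash_file(path, alg) for alg in ALGORITHMS}
        results[path] = current == entry["digests"]
    return results


def files_identical(path_a, path_b, algorithm="sha1"):
    """Answer 'are these two files the same?' by comparing their digests."""
    return hash_file(path_a, algorithm) == hash_file(path_b, algorithm)


def demo():
    """Constructed scenario: two copies of a ledger, one of which is later altered."""
    workdir = tempfile.mkdtemp()
    original = os.path.join(workdir, "ledger_2023.csv")
    copy = os.path.join(workdir, "ledger_2023_copy.csv")
    rows = b"date,account,amount\n2023-11-01,4010,1500.00\n2023-11-02,4010,275.50\n"
    for p in (original, copy):
        with open(p, "wb") as fh:
            fh.write(rows)

    manifest = build_manifest([original, copy])
    before = files_identical(original, copy)        # True: identical bytes
    # A single digit is edited in the copy (constructed tampering).
    with open(copy, "wb") as fh:
        fh.write(rows.replace(b"275.50", b"975.50"))
    after = files_identical(original, copy)         # False: digests now differ
    verification = verify_manifest(manifest)        # original unchanged, copy modified
    return before, after, verification[original], verification[copy]


if __name__ == "__main__":
    print(demo())
```

A one-character change flips every bit pattern the digest produces, which is why a differing hash says "modified" without saying what changed; the manifest's stored timestamps are what let the investigator say when.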
Chapter 14 Exercises
4. Explain these terms.
a. Message encapsulation.
b. Transportation layer.
c. Checksum field.
d. Flag data.
e. Network layer.
f. Keylogger.
g. Sniffer.
15. Incident Response Report. White Florist is a large distributor of flowers on the U.S. East Coast. The company has a web server farm where customers can bulk order flowers online. Two days before Christmas, one of the company's busiest periods, its web server was subjected to a denial of service (DOS) attack. As a result, on December 23 and 24, their customers could not place orders on the web server. Frank Folk, the CEO, estimates the loss at $1 million. The system administrator, Carol George, did not notify anyone in the company about the DOS attack until after the first day of the attack: December 24. At the present time, the attacker or attackers have not been identified. Carol George does not believe they will ever be able to identify the attackers. Frank Folk believes that the loss could have been reduced and the hacker identified if the proper people in the company were immediately notified about the attack. You, as a noted forensics expert, have been contacted to help White Florist determine who in the company should be immediately involved in an investigatory role if such an attack is made on the company again. Identify departments in the company to notify and the role they should play.
16. Attack! Attack! On June 30, 2004, Hank Law, webmaster at the MacVee Software Company located in Hyattsville, Maryland, detected suspicious activity on its web server. After checking, he detected a sniffer had been placed on Windows .NET Server. He assumed it was being used to record passwords and user names. The server is run on a 960 series Gateway box (2.4 GHz, 1024 MB and 1600 SDRam with a Xeon Processor) and a WinNT4 operating system. A Black Ice security system is used. Hank had updated all software with the most recent patches and last performed maintenance on the system May 1, 2004. TCPDUMP, a sniffer, was run on the network connected to the server.
a. In checking the sniffer's logs, he found that some log entries had been altered. He switched to early logs, and found the following log entry: 05:25:10.695000 0A:E5:4D:F3:00:E10 0E:6B:00:F8:00:00 250.14.130.1.5112 > 135.135.75.6.80: 1386754311:1386754311(0) win855. The unusual aspect of the log entry was the source port 5112. This port is not a commonly used one, and the attacker may have been trying to hide his presence on the compromised computer that he was using to attack MacVee's website. Currently, Hank has not shut the web server down, but he has hardened the access to other parts of the network from the web server, and he added a new sniffer program to the web box called the EffeTech sniffer v.3.4. Hank is hoping the hacker will come back and Hank will get more identity information about the hacker. Based on the information provided, complete Part II of the Preliminary Incident Response Report in Figure 14.9 in the chapter.
b. Identify the probable IP address the attacker used to enter MacVee's system.
c. What are the advantages and disadvantages of not shutting down the server?
d. Would law enforcement authorities be interested in further pursuing this crime through the courts?
In response to the incident at White Florist, where a web server was subjected to a denial-of-
service (DOS) attack resulting in a significant financial loss, several actions and considerations
should be taken. The probable IP address of the attacker needs to be identified by analyzing logs
and network traffic, focusing on entries related to the suspicious activity. The decision to not shut
down the server comes with advantages such as the potential collection of additional evidence if
the attacker returns and ensuring business continuity during the investigation. However, it poses
risks like the potential for further compromise and concerns about data integrity. Law
enforcement authorities would likely be interested in pursuing the case through the courts given
the severity of the attack and the financial implications. For future incident response, key
departments to involve include the IT Security Team for analysis and mitigation, the Legal
Department for handling legal aspects and liaising with law enforcement, the Public
Relations/Communications team for managing external communications, and Executive
Management for strategic guidance and resource allocation decisions.
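The log analysis the answer calls for, as an added example that is not part of the textbook exercise or the assignment: a parser for entries laid out like the TCPDUMP line quoted in exercise 16 (timestamp, source and destination link-layer addresses, src-ip.port > dst-ip.port, sequence numbers, window), plus a grouping of connections to the web server by source address. Only the first sample line is the one quoted in the exercise; the rest are constructed. The exercise treats source port 5112 as unusual; in practice client source ports above 1024 are the norm, so the example keys on the source address and on which server ports each host touched rather than on the source port alone.

```python
"""Parse tcpdump-style log entries and group connections by source host (added example)."""
import re

ENTRY_RE = re.compile(
    r"^(?P<time>\d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"(?P<src_mac>[0-9A-Fa-f:]+)\s+(?P<dst_mac>[0-9A-Fa-f:]+)\s+"
    r"(?P<src_ip>\d+\.\d+\.\d+\.\d+)\.(?P<src_port>\d+)\s*>\s*"
    r"(?P<dst_ip>\d+\.\d+\.\d+\.\d+)\.(?P<dst_port>\d+):\s*"
    r"(?P<seq_start>\d+):(?P<seq_end>\d+)\((?P<length>\d+)\)\s+win\s*(?P<win>\d+)"
)

WEB_SERVER = "135.135.75.6"   # destination address in the quoted entry

SAMPLE_LOG = [
    # Entry quoted in exercise 16 (spacing normalised)
    "05:25:10.695000 0A:E5:4D:F3:00:E10 0E:6B:00:F8:00:00 250.14.130.1.5112 > 135.135.75.6.80: 1386754311:1386754311(0) win855",
    # Constructed lines: ordinary customer traffic to the web port
    "05:25:11.102000 00:11:22:33:44:55 0E:6B:00:F8:00:00 198.51.100.23.49213 > 135.135.75.6.80: 2201:2201(0) win8192",
    "05:25:11.340000 00:11:22:33:44:55 0E:6B:00:F8:00:00 198.51.100.23.49213 > 135.135.75.6.80: 2202:2718(516) win8192",
    # Constructed line: the same suspicious host touching a non-web port
    "05:25:12.007000 0A:E5:4D:F3:00:E10 0E:6B:00:F8:00:00 250.14.130.1.5113 > 135.135.75.6.139: 99001:99001(0) win855",
    "garbage line that should be skipped",
]


def parse_entry(line):
    """Return the fields of one entry as a dict, or None if the line does not match."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    for key in ("src_port", "dst_port", "seq_start", "seq_end", "length", "win"):
        entry[key] = int(entry[key])
    return entry


def connections_to(lines, server_ip):
    """Per source address: how many entries targeted server_ip and which ports were touched."""
    by_source = {}
    for line in lines:
        e = parse_entry(line)
        if e is None or e["dst_ip"] != server_ip:
            continue
        info = by_source.setdefault(e["src_ip"], {"entries": 0, "dst_ports": set(), "src_ports": set()})
        info["entries"] += 1
        info["dst_ports"].add(e["dst_port"])
        info["src_ports"].add(e["src_port"])
    return by_source


def sources_touching_non_web_ports(lines, server_ip, web_ports=(80, 443)):
    """Hosts that contacted the web server on something other than its web ports."""
    return sorted(
        ip for ip, info in connections_to(lines, server_ip).items()
        if not info["dst_ports"] <= set(web_ports)
    )


if __name__ == "__main__":
    first = parse_entry(SAMPLE_LOG[0])
    print("source of the quoted entry:", first["src_ip"], "port", first["src_port"])
    print("hosts on non-web ports:", sources_touching_non_web_ports(SAMPLE_LOG, WEB_SERVER))
```

Because the exercise says some log entries had already been altered, a real review would run this over a copy of the earliest logs and record their hashes first, so the parsed output can be tied back to an unmodified source.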
18. The First Step. Assume members of a fraud response team have identified electronic e-mails
they believe are an incident of unethical behavior by the company’s CFO. If a fraud response
team meeting is called, under a limited scope forensic audit, what are the first steps you believe
should be taken by the group?
If an email is discovered that indicates unethical behavior by a company's CFO, the anti-fraud
team should immediately begin a limited forensic investigation. An important first step includes
maintaining the integrity of electronic evidence by protecting relevant emails and associated
digital information while maintaining confidentiality. Legal advice is essential to comply with
laws and regulations. It is essential to define the scope and purpose of the audit, to establish a
competent multidisciplinary team and to document the Chain of Custody. You should develop a
communications plan to strategically manage internal and external communications. In addition,
risk assessments are needed to identify areas of concern and prioritize research efforts based on
perceived risks. By carefully planning and executing these first steps, anti-fraud teams can lay
the foundation for a comprehensive, legally sound forensic audit and resolve allegations of CFO
misconduct.
29. What is the relationship between "brainstorming" as defined in SAS No. 99 and digital
forensics?
SAS No. 99 emphasizes a heightened attitude of skepticism and expanded rules for fraud
investigation in financial audits. The auditor is required to identify risks of material misstatement
and engage in brainstorming sessions to uncover potential fraud scenarios. In this process, digital
forensics plays a crucial role, as recommended by the PCAOB. Information technology
specialists, including digital forensic experts, are involved in these brainstorming sessions,
contributing their expertise to evaluate computer records and detect manipulation of electronic
journal entries. This collaborative approach ensures a comprehensive understanding of fraud
risks, incorporating insights from digital forensics in the evolving landscape of electronic data.
30. Where does a digital investigator start and why?
A digital investigator starts by monitoring electronic data from the company's LAN and WiFi
networks. This monitoring involves analyzing executive-level emails and website activities. The
process is determined based on the results of a cultural assessment, specifying whether
monitoring is continuous or periodic and identifying the executives to be monitored. The
collected data undergoes automated preliminary reviews, utilizing predefined criteria for
potentially fraudulent activity, such as specific terms or email subjects related to financial results.
This automated review streamlines the process, identifying flagged emails for further
examination by a forensic investigator. The investigator then analyzes cross-linked messages
among executives connected to the initially logged emails. Depending on the findings, the
analysis may be expanded to include web activities of identified executives, offering a
comprehensive approach to fraud detection and investigation.
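The automated preliminary review and the follow-up on cross-linked messages described in this answer, as an added example that is not from the textbook or the assignment: predefined criteria (terms and subject lines tied to financial results) are applied to a batch of messages, the hits are flagged for the forensic investigator, and reply/forward references among executives are then followed outward from the flagged messages. The mailbox, the executive addresses, the domain `example.test` and the criteria are all constructed.

```python
"""Criteria-based e-mail triage and cross-link expansion (added example, constructed data)."""

# Constructed criteria, matched case-insensitively.
SUBJECT_TERMS = ("quarter", "earnings", "restatement", "revenue")
BODY_TERMS = ("hold the invoice", "book it next quarter", "off the books",
              "don't tell audit", "reserve release", "make the number")

EXECUTIVES = {"cfo@example.test", "ceo@example.test", "controller@example.test"}

# Constructed mailbox; 'refs' lists the ids a message replies to or forwards.
MAILBOX = [
    {"id": "m1", "from": "cfo@example.test", "to": ["controller@example.test"],
     "subject": "Q3 revenue", "body": "Can we book it next quarter? We need to make the number.",
     "refs": []},
    {"id": "m2", "from": "controller@example.test", "to": ["cfo@example.test"],
     "subject": "Re: Q3 revenue", "body": "I can hold the invoice until October 2.",
     "refs": ["m1"]},
    {"id": "m3", "from": "hr@example.test", "to": ["ceo@example.test"],
     "subject": "Holiday schedule", "body": "Office closes at noon on the 24th.",
     "refs": []},
    {"id": "m4", "from": "ceo@example.test", "to": ["cfo@example.test"],
     "subject": "Fwd: see below", "body": "Seen this? Keep it quiet.",
     "refs": ["m2"]},
    {"id": "m5", "from": "ceo@example.test", "to": ["cfo@example.test"],
     "subject": "Lunch", "body": "Thursday at noon?",
     "refs": []},
]


def score_message(msg):
    """Return the list of criteria hit by one message (an empty list means not flagged)."""
    subject = msg["subject"].lower()
    body = msg["body"].lower()
    hits = [f"subject:{t}" for t in SUBJECT_TERMS if t in subject]
    hits += [f"body:{t}" for t in BODY_TERMS if t in body]
    return hits


def preliminary_review(mailbox):
    """Automated first pass: {message id: hits} for every message that hit a criterion."""
    flagged = {}
    for msg in mailbox:
        hits = score_message(msg)
        if hits:
            flagged[msg["id"]] = hits
    return flagged


def cross_linked(mailbox, seed_ids):
    """Expand a set of flagged ids along reply/forward references between executives.

    A message joins the set when it is executive-to-executive and either references a
    message already in the set or is referenced by one. Returns the sorted ids.
    """
    by_id = {m["id"]: m for m in mailbox}
    linked = set(seed_ids)
    changed = True
    while changed:
        changed = False
        for m in mailbox:
            if m["id"] in linked:
                continue
            exec_to_exec = m["from"] in EXECUTIVES and bool(EXECUTIVES & set(m["to"]))
            replies_to_linked = bool(set(m["refs"]) & linked)
            referenced_by_linked = any(m["id"] in by_id[s]["refs"] for s in linked)
            if exec_to_exec and (replies_to_linked or referenced_by_linked):
                linked.add(m["id"])
                changed = True
    return sorted(linked)


if __name__ == "__main__":
    flagged = preliminary_review(MAILBOX)
    print("flagged by criteria:", flagged)
    print("review set after cross-linking:", cross_linked(MAILBOX, flagged))
```

Message m4 hits none of the criteria on its own and would be missed by the keyword pass; it enters the review set only because it forwards a flagged exchange between executives, which is the point of the second stage.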
Reference:
Crumbley, D. L., Fenton, E. D., Smith, G. S., & Heitger, L. E. (2017). Forensic and investigative accounting. CCH Incorporated.