FORENSICS - Printable Version
Accountancy Forum (https://www.accountancy.com.pk/forum), Thread: FORENSICS (/showthread.php?tid=1885)
FORENSICS - Pracs - 04-14-2005

COMPUTER FORENSICS.

With acknowledgement to the FCA YAHOO group

This article will examine some of the main issues relating to computer forensics. It is aimed at the investigator or investigations manager who has a need to understand the basics quickly and who does not necessarily have much direct experience of, or exposure to, computer forensics. We have attempted to write in a non-technical way, but technical terms have been explained where relevant.

What is Computer Forensics?

The first thing to discuss is what exactly we mean by computer forensics. It is the science of recovering and analysing data stored electronically in a way that can be relied upon for the purposes of litigation or other proceedings. At the heart of computer forensics is the process of taking a "mirror image" of the storage media (usually known as disk imaging). The disk in question can be anything from that of a laptop to a server. The differences are of scale, which adds to the complexity of the procedure and the time that imaging, processing and analysis take. Forensic analysis can also take place on whole systems, but this is the subject for another article.

Uses and benefits

Next we should consider in what circumstances computer forensic techniques might be employed. In all areas of criminal and civil litigation, employee disputes and fraud and insolvency investigations is the answer. Wherever a computer might contain evidence or information relevant to the enquiry it should be examined forensically. The benefits are that the whole of the storage media is copied, there is no interference with the original, information hidden to the ordinary user can be retrieved and the whole disk can be effectively and efficiently analysed. Furthermore, the results can be presented in litigation.

How does it work?
There are three distinct steps:

* Taking the image
* Processing the image
* Analysing the processed image

Imaging

In simple terms, a device is attached to one of the communications ports of the target computer (usually the parallel or SCSI port) and this device records a complete copy of the electronic storage media inside the computer. In some cases the hard disk is removed from the computer housing. Every part of the media is copied so that what is obtained is a complete byte-by-byte copy with nothing added and nothing taken away. This last point is very important because it is essential that there is no interference with the disk by the investigator. The copy can be to digital tape or to another hard disk of equal or greater capacity than the disk being imaged. The expanding size of hard disks and the amounts of data stored, even on a modest personal computer, raises continual challenges for the investigator. The imaging process leaves no trace on the target computer, whereas just the act of starting up a computer and loading an operating system (such as Windows™) changes a whole series of dates and times.

Processing

Once imaging is complete, the image should be processed to recover deleted and partially overwritten files and to process the current files and folders so that they appear as they would have done on the target computer.

Whilst on this subject, it is worth explaining why computers do not (in general) delete files when the delete command is given. At the beginning of a hard disk is an index of the locations of all the files on the disk. This index, known as the file allocation table, tells the operating system on which parts of the disk a file may be found. When the user asks to see the file, the identifier of the top of the file is accessed on the disk by reference to the file allocation table.
When a file is "deleted" from an application or explorer command, all that happens is the file's entry in the table is removed so that the computer can no longer access that file. The computer also understands that the disk space occupied by that file is now available to be overwritten. Of course, there are programmes that will delete and recursively overwrite files but, in our experience, these are not widely or properly used. From a security standpoint, if you need to destroy highly sensitive data, physical destruction of the hard disk is the only guaranteed way.

The recovery of deleted files is a straightforward process and can be very important. The analysis described below automatically includes deleted files.

Analysis

After processing comes analysis and this is where the investigator's skill and technique are demonstrated. Analysis all depends on the care with which the image is investigated. Some of the steps in examining a typical hard disk image would be:

* never examine an original
* key word searches based on the information already available to the investigator e.g. names of people, companies, bank account numbers and addresses can all be searched for (the more unique the better)
* examination of the personal folders and "my documents" folders for any files that may be kept there - it is surprising that fraudsters are not more creative in their hiding places for incriminating evidence; many still allow documents to be saved to default folders
* a look at the recent documents folder to see if there are any interesting file names to which the links have been broken, possibly indicating recent deletion
* examination of the Internet history file and temporary Internet files - these can often be very revealing; they are a kind of audit trail of the user's journey around the Internet
* examination of the user's cookies files for more information about sites visited
* if the case involves allegations of internet pornography, then a search for graphics files (e.g. .gif, .bmp or .jpg extensions) can be revealing
* analysis of the email file
* breaking passwords on protected files
* circumnavigating encryption that has not been used properly
* analysis of the calendar and contacts file

It is essential that proper contemporaneous written records be made of the complete process from image to analysis so that any third party can clearly see what has been done.

What sort of things can be discovered?

Here follow a few examples of evidence and information found during analysis of disk images:

* duplicate accounts indicating large scale fraud
* deleted pornographic images and cookies proving a senior IT engineer had been using his employer's computer contrary to the company's policies; this resulted in his resignation prior to formal disciplinary proceedings
* contact and calendar entries showing previously undisclosed links to third parties
* files demonstrating the unauthorised possession of confidential information
* email correspondence indicating a conspiracy
* stolen data/intellectual property
* dates and times of key events
* deleted words and paragraphs from MS Word™ documents

Some dos and don'ts

If you are confronted with an investigation where computers may need to be forensically examined here are some important points to bear in mind. Computer evidence or data is fundamentally different from, say, paper evidence. Just the act of turning on a computer can change a whole series of dates and times and invalidate its use in a court or tribunal. Therefore, a few basic principles need to be followed when dealing with potentially valuable computer evidence.

Do

* Fully assess the situation before taking any action
* Isolate the computer so that it cannot be tampered with
* Consider securing all relevant logs (e.g. Internet logs, Server logs, Building access logs, etc.) and any CCTV footage, at the earliest opportunity
* Record where the computer is based and all who had access to it
* Call in IT Security staff or external consultants as appropriate

Then ask the relevant expert to:

* Disconnect the relevant computers from your network
* Restrict remote access
* Take an "image" copy of the computer (or server as appropriate)

Don't

* Alert any of the potential suspects
* Call in your own IT Support staff (they often change evidence inadvertently)
* Move the computer if it is switched on
* Turn off the computer if it is turned on
* Turn on the computer if it is switched off
* Make file copies of the computer
* Examine electronic logs without first ensuring that they are preserved elsewhere.

- khurram_jamal - 05-12-2005

Hello Man
Have you any idea or information about FORENSIC AUDITING please
Thanks
----------------------------------------------------------------
*REMEMBER****GOD HELPS THOSE WHO HELPS THEMSELVES****
WISH YOU ALL THE BEST
KHURRAM JAMAL SHAHID (MBA)(CA-Module-C)

- Pracs - 05-17-2005

Check out this article, details on the basics of forensic accounting
http://www.acca.org.uk/publications/studentaccountant/503181?session=fffffffeffffffff0a0121204288ecc9f2b111c5402d8aef4b4bfbcf1b01e3cb

Focus on forensic accounting
by Victoria Ashton
25 Aug 2004
Feature Article

Imagine a job where you interview someone about a suspected cheque fraud case on Monday, study the supposedly hidden contents of a computer's hard drive on Wednesday and finish the week as an expert witness in a civil court case. Sound exciting? For forensic accountants, this is all in a week's work. Victoria Ashton investigates.

Because of the changing nature of the business world, with increased globalisation and international transactions, forensic accounting is a rapidly-growing area. Most major accountancy firms have forensic accounting teams and many companies now specialise in forensic accounting issues.
Governments and policy makers are also concerned about the increased risks from criminals funding terrorist groups, and so accountants are, for example, required to help to trace assets or investigate money.

Allen Blewitt, ACCA's chief executive, believes that forensic accounting requires a multidisciplinary mix of skills, and is positioned at the exciting end of the accountancy profession. Interested in this field, he has created the concept, plot and characterisation for a recently screened television drama called Loot which is about the work of a forensic accountant, Jon Peregrine, who investigates a fraudulent initial public offering which resulted in losses for 'mum and dad' investors.

'A good forensic accountant combines the scepticism of an auditor, good IT skills, excellent financial analysis and also needs to be credible in a court room. I encourage anyone wanting to enter the field to do so,' says Allen Blewitt.

Forensic accounting covers a wide range of specialisms, including investigative work, IT forensics, litigation support, and dispute resolution and mediation.

Investigations

Forensic accounting investigations can vary from fraud, asset tracing and money laundering, to cases involving complex accounting. These types of investigations could be considered as financial detective work. In most circumstances, the investigations are for potential civil cases, although forensic accountants can be called on for criminal investigations too.

IT forensics

This is a fairly specialised area of forensic accounting and requires an in-depth knowledge of computing. Sophisticated criminals might think that their fraudulent activities can be deleted and removed from a computer's hard drive. What they don't know is that an IT forensic specialist can find deleted and supposedly hidden files quite easily.

Litigation

Forensic accountants are often in demand as expert witnesses in court and tribunal cases.
Although engaged and paid for by one side in a case, expert witnesses have to be independent, impartial, and act in the interests of the court. Expert witnesses need to be thoroughly familiar with the legal process and give their professional opinion on the matter in question. Often accountancy firms, or specialised forensic accountancy firms, have a number of experts who are familiar with court proceedings.

Resolution and mediation

Resolving or mediating disputes is also an aspect of forensic accounting. Typically, commercial disputes can involve an alleged breach of contract, business valuations in mergers and acquisitions, professional negligence, and partnership disputes. Forensic accountants have to look at the particulars of the dispute and mediate between the two sides.

In addition to commercial disputes, personal matters may also require the services of a forensic accountant. An example of this is where marriages fail, and there are disagreements about the value of assets to be divided between the two parties. In addition to being able to understand the legal and financial issues behind the dispute, tact and diplomacy are essential to successful resolution and mediation.

Key skills

Forensic accounting relies on excellent accounting skills and highly-developed investigative skills. A good forensic accountant needs to be able to pick up concepts and ideas immediately. The nature of the job means that as well as having financial knowledge, it is also essential to have a good understanding of the legal process.

In such a rapidly-growing sector, how can you make your first step into forensic accounting? Jonathan Newey, director at Witan Jardine recruitment specialists advises: 'The majority of people that we place into forensic roles are qualified accountants. They tend to have a strong academic record, excellent attention to detail and importantly, an investigative mind.'
He adds: 'Many forensic roles will be deadline driven, therefore you will need to be highly-organised, have excellent report writing skills and be persistent. Bear in mind that you may need to justify your findings in a court of law, so strong communication skills and a confident manner will be useful.'

'The basic requirements of the job pretty much dictate the person,' says Louise Bridge, business director at Hays Accountancy and Finance. 'Arguably this is the most "intellectual" value-added service in the profession and is entirely opinion-driven. Candidates need to have the intellectual rigour to back this.'

In addition, explains Louise: 'You need a sense of curiosity, the ability to spot the unusual and the tenacity to discover the cause. A willingness to go into detail is also essential, although you must not be overly distracted by it and lose the big picture.'

If you are looking to move into forensic accounting, Jonathan Newey advises: 'It is important to get experience at a reputable practice firm and gain strong audit and accounting experience. You might also want to look out for potential secondments into forensics which will enable you to gain further expertise in this field.'

Louise Bridge adds: 'An audit-based background is ideal - auditors are used to asking questions and delving into detail. Together with this, any investigative or whole-business review and report writing work will be a definite plus point.'

Phil Beckett, Forensic Accounting Manager at BDO Stoy Hayward in London

My route into forensic accounting, and specifically forensic computing, started after I completed my degree in computing and management. My degree also included a year out in industry - I worked on a computer helpdesk at BP, and gained a great deal of practical IT experience, including learning how to build computers from scratch and take them apart.

I joined the graduate programme at Andersen Accounting in London where I worked in the IT risk/computer consultancy department.
I was mainly involved with Y2K problems, security and controls. As part of the graduate programme, I began studying for the ACCA Professional Scheme qualification to gain a broad understanding of accountancy.

While at Andersens, partly because of my practical computing skills, I was asked by the fraud department to help on a forensic computing job. I loved it! From that, I got the opportunity to help out more with fraud cases. However, the problem for me was that working in the IT department meant that I only saw the bit of the case that I worked on - I didn't get to see the whole picture. After a while, I moved from IT to the fraud department where I got to work on entire fraud cases.

I moved to BDO Stoy Hayward in May 2001 to set up the forensic IT section to enhance the already established forensic accounting function. I completed my ACCA exams in the December of that year.

As well as being an accountant, you need to be able to get a detailed knowledge of the case very quickly. You have to get the picture straightaway, grasp concepts fast, and prepare for the unexpected. In audit and tax, you can plan your workload - you know what projects or audits you are going to be working on for the year. With forensic accounting, you don't know what is going to appear round the corner - and all cases involve people, which adds an extra factor of the unknown.

Computer forensics involves finding information, which may be hidden or encrypted, on a suspect's hard drive. We always take an 'image' of the hard drive on site, and then I find ways of extracting the data that may help with the case. In the main, when you delete something from a computer, it is not actually deleted from the system - the delete command makes the file disappear, but it does not remove it completely. The file or data - which could be, for example, duplicate invoices or incriminating e-mails - can then be restored and studied.

As well as computer forensics, I also deal with fraud investigations.
For example, I work on pension concealment cases where people continue to claim company pensions when the pensioner has died. This type of work can involve some routine list-checking and cross-referencing. For example, I have had to compare a company's pension database with the record of deaths for England and Wales. But when you come up with some names to check further - that's when your investigative skills come into play. Another type of fraud investigation I have dealt with is possible cheque fraud where I had to interview the suspect.

I find my work extremely exciting and interesting, and I look forward to furthering my career in this challenging and rapidly-developing field.

Simon Padgett, Senior Manager, Forensic Services at Ernst & Young in South Africa

I have worked for Ernst & Young Forensic Services in South Africa for over five years. My career in forensic accounting began about 15 years ago while auditing in the Caribbean. An important aspect of this job involved looking at offshore money transfers through offshore bank accounts. From there the world of forensic accounting opened up a whole new career direction for me.

My working week typically consists of fraud investigations and preventative strategies for clients. Examples of such areas include fraud prevention and corruption in the tender process. It continually surprises me that most people are shocked when they realise that their company scores atrociously. It just reveals that we need to take fraud much more seriously.

Another area for my team involves looking at the financial risks associated with tender processes. A number of South African corporations derive a substantial amount of business and profits from participating in government and private sector contracts.
In order to promote fairness and accountability in the awarding of such contracts, it has long been accepted that such contracts should only be awarded after all competing parties have had the opportunity of tendering on an equal basis and without the suspicion of corruption.

My forensic team looks at the tendering process and checks that corruption has not taken place. In general, we are looking for:

* conflicts of interest where an employee has an undisclosed direct or indirect financial interest in an entity that enters into business transactions with the employee's company
* illegal gratuities which are not perceived as a bribe but as a 'gift'
* economic extortion when an employee of the awarding company asks the supplier for bribes
* bribery when the supplier offers an employee of the awarding company bribes.

When we look at the tendering process, we check that these types of practices do not take place and that everything is above board. If we detect any possible irregularities, we can then start to employ our accountancy and investigative skills in order to quantify any possible damages for either the competing vendor or the awarding company.

This is challenging work but the ultimate satisfaction is testifying against someone who thinks stealing is easy. When the judge announces 15 years for fraud... that is satisfying.

Sally Tanner, Forensic Investigator at the Financial Services Authority in London

My current role as a forensic investigator within the Enforcement Division is varied and interesting. The days fly by and no two days are the same. The work is often high-profile, with many cases making the news which can be exciting.

The FSA's Enforcement Division investigates when firms breach FSA rules or the provisions of The Financial Services and Markets Act 2000 (FSMA).
The FSMA allows us to take action such as:

* withdraw a firm's authorisation
* discipline authorised firms and people approved by the FSA to work in those firms
* impose penalties for market abuse
* apply to the Courts for injunction and restitution orders
* prosecute various offences.

The FSMA also gives us powers to take action under the insider dealing provisions of the Criminal Justice Act 1993 and the Money Laundering Regulations 1993. We have the power to interview people and require production of documents. We also investigate people who are carrying on regulated activities - such as accepting deposits, or giving investment advice - without authorisation. Those breaking the law risk imprisonment and other sanctions.

Each case has a number of different individuals assigned to the investigation - usually a mix of lawyers and forensic investigators. The work for each case team will usually include planning and conducting the investigation, gathering and analysing evidence, investigative interviewing, and working with other regulatory bodies and law enforcement agencies such as the police - both here and abroad.

Recent cases I have worked on include investigation of financial promotions which are potentially not 'clear, fair and not misleading'. This has involved analysis of large volumes of documentation such as the actual financial promotions material and documentation relating to its approval, and can include analysing both the numerical and written content. Other cases include investigations into potential failings in senior management systems and controls within authorised firms and also breaches of the Threshold Conditions (the minimum standards for becoming and remaining an authorised firm), such as not having sufficient financial resources or suitability issues.

As each case is run as a separate project, team working and good communication skills are vital to the success of an investigation.
The role can be quite analytical, and requires the ability to consider not only the data and information you have, but also what further information you require. Coupled with this, industry and regulatory knowledge are very important. My ACCA study has been invaluable here, as have the FSA Graduate Development Programme work rotations. Over the past three years, these have enabled me to gain a sound knowledge of several key areas of regulation such as authorisation, supervision and enforcement.

I really enjoy my current role and intend to develop my career within the field of forensic investigation.

- imateeq - 05-21-2005

could u plz tell me the url of accountancy in pakistan yahoo group?
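
The opening post's explanation of why "deleted" files remain recoverable, shown as an added example that is not part of the thread or of the article it reproduces. It assumes a FAT-style volume, where deletion overwrites the first byte of the file's directory entry with 0xE5 and leaves the content bytes in place; the volume layout, file names and contents are constructed, and the allocation table itself is not modelled.

```python
import struct

CLUSTER = 512      # bytes per cluster in this constructed volume
DELETED = 0xE5     # first byte of a FAT directory entry once the file is deleted

def dir_entry(name, ext, first_cluster, size, deleted=False):
    """Build one 32-byte FAT short-name directory entry."""
    raw = bytearray(32)
    raw[0:11] = (name.ljust(8) + ext.ljust(3)).encode("ascii")
    raw[11] = 0x20                                    # archive attribute
    struct.pack_into("<HI", raw, 26, first_cluster, size)
    if deleted:
        raw[0] = DELETED                              # deletion rewrites this byte only
    return bytes(raw)

def build_volume():
    """Constructed sample image: one directory cluster, then data clusters 2 and 3."""
    live = b"Quarterly report draft\n"
    gone = b"Invoice 1042 duplicate copy\n"
    directory = (dir_entry("REPORT", "TXT", 2, len(live)) +
                 dir_entry("INVOICE", "TXT", 3, len(gone), deleted=True))
    return (directory.ljust(CLUSTER, b"\x00") +
            live.ljust(CLUSTER, b"\x00") +
            gone.ljust(CLUSTER, b"\x00"))

def scan(image):
    """Return (name, deleted, content) for each directory entry, deleted ones included."""
    found = []
    data_start = CLUSTER                              # data region follows the directory
    for off in range(0, CLUSTER, 32):
        entry = image[off:off + 32]
        if entry[0] == 0x00:                          # 0x00 marks the end of the directory
            break
        deleted = entry[0] == DELETED
        first_cluster, size = struct.unpack_from("<HI", entry, 26)
        start = data_start + (first_cluster - 2) * CLUSTER   # cluster numbering starts at 2
        if first_cluster < 2 or start + size > len(image):
            continue                                  # corrupt or out-of-range entry
        # The original first character is overwritten by 0xE5, so show it as '?'.
        stem = "?" + entry[1:8].decode("ascii") if deleted else entry[0:8].decode("ascii")
        name = stem.strip() + "." + entry[8:11].decode("ascii").strip()
        # A deleted file's cluster chain is cleared, so read it as one contiguous run.
        found.append((name, deleted, image[start:start + size]))
    return found

if __name__ == "__main__":
    for name, deleted, content in scan(build_volume()):
        print(("DELETED " if deleted else "LIVE    ") + name, content)
```

The contiguous read is the assumption to watch: on a fragmented volume, or once the freed clusters have been reused, the recovered bytes are partial or belong to another file.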