ACC4712
Forensic Accounting
AY 2021/22, Semester 2
Week 6

Adjunct A/P Tay Puay Hui
Adjunct A/P Iain Potter

The Role of Advanced Technology in Forensic Investigations
Course Outline

Objectives
The objective of this course is to equip our students with knowledge of:
1. Digital forensics process
2. Challenges and solutions along the forensics chain
3. Establishment of a robust digital forensics program


Understanding Digital Forensics

Digital Forensics – involves the effectual capture, preservation, identification, extraction, analysis, and documentation of digital data and events.

Examples of digital data: emails, notepads, contacts, calendar events, tasks, text messages, social media, cache.

"I expect my privacy to be respected…"
Expectation of Privacy
1. Anti-fraud policies and procedures include an explicit statement, acknowledged and signed by the employees, that they should not have an expectation of privacy over specified things in their office space or on their person
2. Effective monitoring function – systematic checks over time across employees in the organization
3. Logon warning box:

   "You should have no expectation of privacy in your use of this network. Use of this network constitutes consent to monitoring, retrieval, and disclosure of any information stored within the network for any purpose including criminal prosecution."
Sources of Digital Data
Computers, laptops, network servers, ISP servers*, removable ext. drives, USB, CD/DVD, memory chips, digital watches, printers/copiers, PDA, mobile devices
Types of Data

Extractable data
➢ Observable with the right technology (e.g. Excel)
➢ Data mining to uncover anomalies
➢ Data analytics

Metadata
➢ Data about data
➢ Formulae, creation date, deletion date
➢ File name, file location
➢ User activities

Latent digital data
➢ Undiscovered, concealed, misplaced, missing or hidden data
➢ Typically transparent to operating systems and file managers
➢ Deleted files, temp files, RAM data, unused space (past traces), stored printer images, bad clusters
➢ Steganography – data hidden in storage media or TCP/IP packets where it does not belong
Digital Forensic Investigation Process

1. Identify data
2. Resolve privacy
3. Acquire and authenticate evidence (CoC)
4. Secure original evidence
5. Transport to forensics lab
6. Create and authenticate copies (no alteration)
7. Develop forensic tests, tools and procedures
8. Execute plan with the tests, tools and procedures developed
9. Convert into presentable forms (graphs)
10. Report on evidence, analysis & conclusions

Sample Chain of Custody Form
Source: Fraud Auditing and Forensic Accounting, Fourth Edition, Tommie W. Singleton, Aaron J. Singleton
Challenges and Solutions in Digital Forensics

Challenges along the Forensic Process
Data collection -> Data analysis -> Data reporting

Control Systems Forensic Domain
(figure)
Source: Creating Cyber Forensic Plan for Control Systems, Homeland Security
Challenges Impacting Effective Forensics in Control Systems
1. Lack of (active) capabilities for the collection of effective data (e.g. activity logging) for post-incident security analysis in traditional systems and technologies
2. Cyber-forensic methodologies are not extensible to traditional systems
3. Even in systems with modern cyber-centric security procedures and technologies (e.g. firewalls, IPS/IDS), the unified forensic data cannot always be effectively correlated to device and control system logging data
4. Inadequate end-user understanding of device logging -> vendor dependency for post-incident analysis
Challenges in Effective Forensics Collection
1. Volatile memory
2. Poor admin functions (data access, data management)
3. Absent/inadequate logging
4. Automation – deployment of information resources hinders the establishment of a data retention scheme
5. Volatility of data – high rate of deletion, removal or overwriting of data that makes collection unviable
6. Data mingling – data related to the incident is mixed with unrelated data due to limited memory storage
7. Corrupted backup data (CLA case)
8. Taking impacted resources offline is infeasible or cost prohibitive

(figure)
Source: Creating Cyber Forensic Plan for Control Systems, Homeland Security
Solutions for Effective Forensics Collection
1. Forensic security-by-design approach to SDLC
2. Establish timely vendor support via service level agreements
3. Inclusion of real-time forensic tools for active analysis
4. Embedding of forensic analysis tools within the critical operational environment
5. Assimilation of security information management and collection systems (e.g. IPS/IDS, event logs) into existing infrastructure
Challenges in Data Analysis
1. Lack of adequate data sources for evidence collection
2. Contemporary forensic tools (e.g. examining running processes, generating checksums for complete and total image verification) may not map perfectly to control systems (esp. legacy ones)
3. Vendors of forensic tools do not adapt without sufficient market demand
4. After-market modifications of operating platforms (e.g. Windows, UNIX) extend the uniqueness of systems -> affects the analysis of correlation between operational information and volatile, non-persistent and frequently overwritten data
Solutions in Data Analysis
1. Defense-in-depth strategies to create an effective forensics capability involving centralized logging and data collection while supporting business operations needs
2. Deploy security-centric technologies in control systems, combining multiple log files (e.g. syslog, event recreation, physical access logs)
Forensics Reporting
✗ Resumption of operations in an incident often trumps the need for evidence preservation and documentation (e.g. replacement of devices, overwriting of operational data)

-> Documentation is of paramount importance

✓ Pre-emptive documentation of operating systems and configuration changes vs OEM defaults
✓ Identify changes made by vendors
✓ Adopt and rehearse forensic approach in incident response plan
Digital Forensics Program

Control Systems Forensic Domain

Modern/common
Challenge: lack inherent data collection capabilities or lose critical state info upon power recycling
Approach: incorporate live systems forensics

Modern/proprietary
Challenge: non-open source; unique and proprietary – risk of data misinterpretation
Approach: contemporary dead (offline) analysis; vendor interaction essential

Legacy/proprietary
Challenge: not supported; concentrated knowledge with veterans; difficult to harvest info
Approach: draw on network-based comms to extrapolate; use process system reports or event logs; peer networks

Source: Creating Cyber Forensic Plan for Control Systems, Homeland Security
Essential Forensic Elements
1. Reference clock system (GPS clocks, Network Time Protocol -> time stamping and activities mapping -> centralized clock; not more than one)
2. Activity and transaction logs -> sufficient granularity beyond production support -> connectivity of resources between control systems and other domains helps identify plausible attack vectors -> focus examination of logs
3. Other sources of data (floppy disk drives, removable media, handheld devices, modems, USB, keystroke loggers)
4. General system failures: recording of system failures and event-based incidents is critical for event recreation. Built-in safeguards for fail and recover -> effective history of system faults -> cross-reference to info such as time, operator actions and device activity
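Elements 1 and 2 above (one reference clock, activity logs mapped onto it), as an added illustration that is not code from the slides or the cited sources: two constructed log sources, one stamped in local time and one in UTC, are normalised to a single UTC clock so the events can be ordered and a window of interest examined. Hosts, users and addresses are made up.

```python
# Added example, not from the lecture slides: normalising activity logs from two
# sources onto one reference clock (UTC) so events can be ordered and mapped.
# Assumes a syslog-style source stamped in local time (UTC+8) and a firewall
# export already stamped in UTC; all hosts, users and addresses are constructed.
from datetime import datetime, timedelta, timezone

LOCAL = timezone(timedelta(hours=8))   # local clock of the control-system host
UTC = timezone.utc                     # the single reference clock

# Constructed sample logs (not real data).
SYSLOG_LINES = [
    "2022-02-07 10:02:11 plc01 user=eng02 action=login src=10.1.5.20",
    "2022-02-07 10:03:40 plc01 user=eng02 action=setpoint_change tag=FT101",
]
FIREWALL_LINES = [
    "2022-02-07T02:01:55Z fw01 ALLOW 10.1.5.20 -> 10.1.9.7:502",
    "2022-02-07T03:15:02Z fw01 DENY 10.1.5.20 -> 10.1.9.7:22",
]

def parse_syslog(line):
    """'YYYY-MM-DD HH:MM:SS host msg' in local time -> (utc time, host, msg)."""
    date, clock, host, msg = line.split(" ", 3)
    local = datetime.strptime(f"{date} {clock}", "%Y-%m-%d %H:%M:%S")
    return local.replace(tzinfo=LOCAL).astimezone(UTC), host, msg

def parse_firewall(line):
    """'YYYY-MM-DDTHH:MM:SSZ host msg' already in UTC -> (utc time, host, msg)."""
    stamp, host, msg = line.split(" ", 2)
    utc = datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=UTC)
    return utc, host, msg

def build_timeline(syslog_lines, firewall_lines):
    """Merge both sources and order them on the reference clock."""
    events = [parse_syslog(l) for l in syslog_lines]
    events += [parse_firewall(l) for l in firewall_lines]
    return sorted(events)   # tuples sort on the UTC timestamp first

def events_in_window(timeline, start_iso, end_iso):
    """Events between two ISO-8601 instants (with offset), inclusive."""
    start, end = datetime.fromisoformat(start_iso), datetime.fromisoformat(end_iso)
    return [e for e in timeline if start <= e[0] <= end]

if __name__ == "__main__":
    for when, host, msg in build_timeline(SYSLOG_LINES, FIREWALL_LINES):
        print(when.isoformat(), host, msg)
```

Without the conversion the 10:02 login would sort eight hours after the 03:15 firewall deny, which is the kind of misordering a single reference clock is meant to prevent.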
MAS orders DBS to set aside S$930m more in regulatory capital over serious service failure
- The Business Times, 7 Feb 2022

Chief executive Piyush Gupta said on Monday (Feb 14) that two sets of reviews have been carried out by experts, who have not been able to "replicate the problem" of why the server malfunctioned…. "Nevertheless, we've learnt a lot from the reviews and it's principally around our incidents management and recovery process… It took us some time to figure out what the problem was and some time to fix it, and frankly, we could have done a lot better in terms of the speed of recovery."
Essential Forensic Elements
5. Real-time forensics (modern/common technologies -> business critical -> pre-installed live forensic toolkit)
6. Device integrity monitoring (static nature -> efficient baseline measurements -> deploy hashes, checksums to identify tampering -> zoom in on transaction logs)
7. Enhanced all-source logging and auditing
✓ Ensure logging features are not disabled
✓ For field devices with inadequate logging capabilities, track network traffic in/out
✓ Secure storage of logs offline or read-only
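Element 6 above (baseline measurements, then hashes to identify tampering), as an added example that is not code from the slides or the cited sources; the same hash comparison is what the "create and authenticate copies" step of the investigation process relies on. The device, file names and contents are constructed.

```python
# Added example, not from the lecture slides: hash baseline of a static device's
# configuration, re-measured later to flag tampering, plus the same comparison
# used to authenticate a forensic working copy against the original.
# Device name, file names and contents are constructed for the example.
import hashlib

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def baseline(files: dict) -> dict:
    """Record the hash of every config blob at a known-good point in time."""
    return {name: sha256_hex(content) for name, content in files.items()}

def compare(base_hashes: dict, current_files: dict) -> dict:
    """Re-measure and report what changed since the baseline."""
    cur = baseline(current_files)
    return {
        "modified": sorted(n for n in base_hashes if n in cur and cur[n] != base_hashes[n]),
        "added": sorted(n for n in cur if n not in base_hashes),
        "removed": sorted(n for n in base_hashes if n not in cur),
    }

def verify_copy(original: bytes, copy: bytes) -> bool:
    """Authenticate a forensic copy: accept only if it hashes like the original."""
    return sha256_hex(original) == sha256_hex(copy)

# Constructed known-good snapshot taken when the device was commissioned.
KNOWN_GOOD = {
    "plc01/firmware.bin": b"\x7fELF constructed firmware v1",
    "plc01/ladder.cfg": b"RUNG1: FT101 > 80 -> PUMP1 OFF\n",
    "plc01/users.cfg": b"eng01:operator\neng02:engineer\n",
}
# Constructed later snapshot: one rung threshold changed, one file added.
LATER = {
    "plc01/firmware.bin": b"\x7fELF constructed firmware v1",
    "plc01/ladder.cfg": b"RUNG1: FT101 > 95 -> PUMP1 OFF\n",
    "plc01/users.cfg": b"eng01:operator\neng02:engineer\n",
    "plc01/remote.cfg": b"telnet=enabled\n",
}

if __name__ == "__main__":
    # A modified ladder.cfg is the cue to zoom in on that device's transaction logs.
    print(compare(baseline(KNOWN_GOOD), LATER))
```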
Reconstruction of Extracted Data

Temporal analysis
➢ What happened?
➢ Who are involved?
➢ What are the responsible factors?

Relational analysis
➢ Correlate the actions of the suspected victim

Functional analysis
➢ How did the activities happen?
Reconstruction of Extracted Data
1. Time-frame analysis – determine when events occurred on the computer systems
✓ Review time and date stamps in file system metadata (e.g. time created, modified, authorised, deleted) to link files of interest to relevant investigation timeframes
✓ Review system and application logs (e.g. error logs, installation logs, connection logs, security logs, activity logs)

2. Data hiding analysis – recover information on ownership or knowledge
✓ Correlate file headers to file extensions to identify mismatches and analyse file signatures to detect hidden data
✓ Analyse password protected, encrypted and compressed files
✓ Gain access to Host Protected Area (HPA)
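The header-to-extension check in item 2 above, as an added example that is not code from the slides or the cited sources: a small table of file signatures (magic bytes) is compared with each file's extension and mismatches are flagged for the examiner. The signature table covers a few common formats only, and the sample files are constructed.

```python
# Added example, not from the lecture slides: flagging files whose header
# ("magic bytes") does not match the format their extension claims.
# The signature table covers a few common formats only; sample files are
# constructed, not real evidence.
SIGNATURES = {
    b"\x89PNG\r\n\x1a\n": {"png"},
    b"\xff\xd8\xff": {"jpg", "jpeg"},
    b"%PDF-": {"pdf"},
    b"PK\x03\x04": {"zip", "docx", "xlsx", "pptx"},   # OOXML files are ZIP containers
    b"GIF87a": {"gif"},
    b"GIF89a": {"gif"},
}

def header_extensions(data: bytes):
    """Extensions consistent with the leading bytes, or None if no signature matches."""
    for magic, exts in SIGNATURES.items():
        if data.startswith(magic):
            return exts
    return None

def extension_of(name: str) -> str:
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""

def check_file(name: str, data: bytes) -> dict:
    """Classify one file as ok, mismatch, or unknown-header (needs manual review)."""
    ext, allowed = extension_of(name), header_extensions(data)
    if allowed is None:
        status = "unknown-header"
    elif ext in allowed:
        status = "ok"
    else:
        status = "mismatch"
    return {"name": name, "extension": ext, "header": allowed, "status": status}

def find_mismatches(files: dict) -> list:
    """Names of files whose content type contradicts their extension."""
    return [n for n, d in files.items() if check_file(n, d)["status"] == "mismatch"]

# Constructed sample set: one image renamed to look like a PDF.
SAMPLE_FILES = {
    "holiday.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 16,
    "invoice.pdf": b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,
    "q1_report.xlsx": b"PK\x03\x04" + b"\x00" * 16,
    "notes.txt": b"plain text has no magic bytes",
}

if __name__ == "__main__":
    print(find_mismatches(SAMPLE_FILES))   # ['invoice.pdf']
```

Files reported as unknown-header are not cleared by this check; plain text and unlisted formats need a fuller signature database or manual inspection.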
Reconstruction of Extracted Data
3. Application and file analysis – insight into user knowledge and system capabilities
✓ File names -> file content
✓ File content -> evidence or possession by user
✓ Correlating files: internet history -> cache; emails -> attachments
✓ Examine user configuration settings, file metadata
✓ Examine the user's default storage location: whether files are stored in the default or an alternative location

4. Log files analysis
✓ Network traffic and packets
✓ IDS logs and security events
✓ Syslog, terminal/console logging, Simple Network Management Protocol (SNMP) logging, Access Control List logging
✓ Firewall, application server logs (e.g. emails, errors, database, logins, authentication, OS log)
Reconstruction of Extracted Data
5. Email message analysis
✓ Email header
✓ IP address
✓ Email server logs
✓ Email provider

6. Network analysis
✓ Analyse abnormal processes
✓ Analyse start-up files to identify any unauthorised modifications or unusual ports listening for connections from other hosts
✓ Inspect network configurations for unauthorised entries
✓ Identify initiating IP address, source port, geolocation, date and time
✓ Identify unauthorised network trusts
Incident Response Plan
1. Incident detection
2. Response initiation
3. Incident response action <-> forensic collection
4. Incident recovery <-> forensic analysis
5. Incident closure <-> forensic reporting

Forensic embedded IR
Our role is to prevent it, failing which we detect, and we examine with forensic technologies
Appendix 1: Reading materials

Prescribed Reading Materials [F = Full reading]
1. Fraud Auditing and Forensic Accounting, Fourth Edition, Tommie W. Singleton, Aaron J. Singleton (Chapter 12)*
2. Creating Cyber Forensics Plan for Control Systems, US Homeland Security
   https://us-cert.cisa.gov/sites/default/files/recommended_practices/Forensics_RP.pdf

*please refer to LumiNUS folder

Supplementary Reading Materials [O = Overall Understanding]
1. NIST Guide on Mobile Device Forensics*
2. NIST Guide to integrating digital forensics into incident response*

*please refer to LumiNUS folder