What Every IT Auditor Should Know About Cyberforensics

By Tommie W. Singleton, Ph.D., CISA, CMA, CPA, CITP
Volume 3, 2006

 

Cyberforensics is a highly technical field. It is tempting to think that the need for cyberforensics is rare, that it always involves a crime and that the process is simple—that is, if a cybercrime occurs, one must only notify the proper authorities.

However, most, if not all, medium and large entities have a need for, or soon will need, a cyberforensics specialist. According to a leading authority in the field, "If your company has been lucky enough to avoid the need for computer forensics (or so you think), congratulations; it will come soon enough."1 In addition, because cyberforensics is highly technical, it normally takes a highly trained, somewhat rare, expert. Thus, most IT auditors will not be trained and equipped to deal with a major cyberforensics issue if it arises, without some preparation in advance. This article provides knowledge for IT auditors so they can be prepared when a cyberforensics need arises.

What is Cyberforensics?

Cyberforensics involves the capture, preservation, identification, extraction, analysis, documentation and case preparation related to digital data and events. Capturing is the first step, but there are key issues in this step that every IT auditor should know. If one makes a mistake during this step, it is possible to hinder a successful legal outcome. Preservation is part of the capture process: capturing the evidence and then maintaining custody of it.

A successful cyberforensics investigation requires someone who is well versed in computer technology and systems and knowledgeable about the legal system and investigations. Like all investigations, including fraud examinations, cyberforensics is often considered more of an art than a science. However, there are established methodologies and procedures that cyberforensics experts follow.

Basically, the steps are:

  • Acquire the digital evidence without altering or damaging the original.
  • Authenticate the digital evidence for analysis (duplicate it where feasible).
  • Analyze the digital evidence without modifying it.

There are special tools to perform these steps, such as EnCase and hashing software.

Why Use Cyberforensics?

It might not be obvious why an entity needs cyberforensics and why IT auditors might be involved, until one examines the events that lead to a need for cyberforensics.

First, there are unauthorized intrusions into networks, either internally or via the Internet. These intrusions can be costly and destructive, and they are inherently highly technical—to the extent that the average IT auditor, while technically competent in many ways, is probably not trained and equipped to handle a serious intrusion case. A good example is the case of CD Universe, where an intruder compromised the data of 300,000 credit cards in 2000. Three security groups and the US Federal Bureau of Investigation (FBI) were brought in to help with the case.

Second, there are computer crimes. Computers are either the target of the crime or are used by the criminal to perpetrate the crime. Computer crimes include child pornography, threatening letters, fraud and theft of intellectual property, to name a few that leave fingerprints and tracks in digital technologies.2 

Computer frauds deserve special attention because they will involve IT auditors. The CD Universe case could be classified as both an unauthorized intrusion and a computer fraud because the purpose was to steal assets from the entity. Fraudsters also use computers to commit frauds. Almost all frauds use a computer, and even in frauds that do not (e.g., off-the-books frauds), there may be indirect evidence of the fraud in the computer. In these cases, most IT auditors would be trained and equipped to conduct an investigation.3 

Some other instances that generally require cyberforensics include Internet usage that exceeds that specified in policy ("the norm"), using e-mail inappropriately, using technology in a nonwork-related manner, theft of information, violation of security policies or procedures, intellectual property infractions, and electronic tampering.4 If a cyberforensics case arises, it will likely be referred to the internal audit function, if one exists. Internal audit will naturally turn to the IT auditor at this point.

However, there are many things that the average IT auditor might not know about cyberforensics. Some examples will illustrate the scope of cyberforensics and how difficult it would be to have an adequate level of knowledge, e.g., "fingerprints" on paper that trace back to the printer that printed it, e-mail "fingerprints" in the header and so forth, cookie data, and the volume of hidden data on storage devices and how to retrieve it. The latter includes the use of undelete to retrieve deleted files, residual data in the unused tail of the last block that holds a file (slack space), unallocated space that still holds data, temporary files, RAM, logs, the possibility of retrieving data that were overwritten, and a host of technical means to extract data from a storage device, RAM or computerized log. Also, acquiring the digital data is not so simple. A bit-stream (bit-by-bit) image, not a conventional file-level backup, is necessary. Thus, for a substantial event, it is necessary to involve a specialist who is familiar with this knowledge and has the training and tools to investigate properly.
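The three steps listed under "What is Cyberforensics?" (acquire, authenticate, analyze) and the point made above about slack space, unallocated space and bit-stream imaging can be seen together on a small constructed disk. The following Python script is an added example written for this column; it is not the author's code and not part of any forensic tool. The four-block "disk", its 512-byte block size, the file names, the ledger and memo text, and the allocation table are all constructed sample data. It shows that a conventional file-level copy loses the residue the article describes, that a bit-stream image keeps it and can be authenticated by hash, and that the analysis step searches the image rather than the original.

```python
import hashlib

BLOCK_SIZE = 512  # assumed block size for the constructed sample disk


def build_sample_disk():
    """Construct a tiny four-block 'disk' (constructed sample, not real media).

    Block 0: allocated to report.txt, whose contents are shorter than a block,
             so the tail of the block still holds slack from an earlier file.
    Block 1: allocated to b.dat, which fills its block exactly.
    Block 2: unallocated, but still holding the bytes of a deleted memo.
    Block 3: unallocated and zeroed.
    Returns the raw bytes and a simple allocation table
    (filename -> (block index, logical length in bytes)).
    """
    disk = bytearray(BLOCK_SIZE * 4)
    earlier = (b"OLD LEDGER ENTRY: vendor 4471 paid 2006-03-14 " * 20)[:BLOCK_SIZE]
    disk[0:BLOCK_SIZE] = earlier  # what block 0 held before report.txt reused it
    report = b"quarterly report draft\n"
    disk[0:len(report)] = report  # report.txt overwrites only the first 23 bytes
    disk[BLOCK_SIZE:2 * BLOCK_SIZE] = b"B" * BLOCK_SIZE
    memo = b"DELETED MEMO: approve invoice 1187 without PO\n"
    disk[2 * BLOCK_SIZE:2 * BLOCK_SIZE + len(memo)] = memo  # unlinked, not erased
    table = {"report.txt": (0, len(report)), "b.dat": (1, BLOCK_SIZE)}
    return bytes(disk), table


def file_level_copy(disk, table):
    """Conventional backup: copies only the logical contents of allocated files."""
    return {name: disk[blk * BLOCK_SIZE: blk * BLOCK_SIZE + length]
            for name, (blk, length) in table.items()}


def bit_stream_image(disk):
    """Step 1, acquire: a bit-by-bit copy of every block, allocated or not."""
    return bytes(disk)


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def authenticate_image(original, image):
    """Step 2, authenticate: the duplicate is usable only if its hash equals the original's."""
    return sha256_hex(original) == sha256_hex(image)


def classify_offset(offset, table):
    """Label a byte offset as 'file', 'slack' or 'unallocated' using the allocation table."""
    blk = offset // BLOCK_SIZE
    for _name, (b, length) in table.items():
        if b == blk:
            return "file" if offset < b * BLOCK_SIZE + length else "slack"
    return "unallocated"


def find_residue(image, table, needle):
    """Step 3, analyze: search the image (never the original) for a keyword and
    report each hit as (byte offset, region)."""
    hits, start = [], 0
    while (pos := image.find(needle, start)) >= 0:
        hits.append((pos, classify_offset(pos, table)))
        start = pos + 1
    return hits


if __name__ == "__main__":
    disk, table = build_sample_disk()
    image = bit_stream_image(disk)
    print("image authentic:", authenticate_image(disk, image))
    copy = file_level_copy(disk, table)
    print("conventional copy sees old ledger:",
          any(b"OLD LEDGER" in data for data in copy.values()))
    print("bit-stream image hits:", find_residue(image, table, b"OLD LEDGER")[:2])
    print("deleted memo:", find_residue(image, table, b"DELETED MEMO"))
```

The conventional copy returns only report.txt and b.dat and never sees the old ledger entries in the slack of block 0 or the memo in unallocated block 2; the bit-stream image contains both, and its SHA-256 matching the original's is what lets an analyst work on the duplicate and leave the original untouched.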

Therefore, it is a good idea to prepare for a cyberforensics investigation before a significant cybercrime occurs. If that preparation is not done, the resulting investigation will be subject to time and cost pressures and will be a watered-down version of cyberforensics. For instance, it will take days to examine the digital evidence, and the organization cannot allow its systems to be set aside for that long.

Incident Response

It should be obvious from education, training and experience that the appropriate place to begin to be prepared for cyberforensics needs is policy. A policy defines the violations, procedures, response and other critical issues, without which there would not be adequate direction in an investigation. Therefore, an organizational policy should include an adequate coverage of cyberforensics issues.

For example, in many cases, depending on the level of risk, cost and technical complexity, cyberforensics experts will be needed to properly respond to the event (crime, fraud, etc.). That expert must have strong technical knowledge, have the tools to conduct the investigation and understand the legal ramifications of evidence. It would be wise to prearrange for the services of an expert, should one not be immediately available internally, so that the expert can be engaged quickly if an entity suffers a cybercrime.

The policy should cover all aspects of response, including law enforcement issues, public relations issues and legal issues. A victim entity should know under what circumstances a law enforcement agency should be contacted, and which agency to turn to for which events. The entity should prepare a public response for severe events, such as the one CD Universe experienced. The legal issues include legal counsel (when and who), custody of evidence and under what circumstances the entity should seek legal prosecution.

Evidence

There are some critical issues related to digital evidence that every IT auditor should know. For instance, an IT auditor should be familiar with all of the different storage devices. If there is a suspicion about a crime, or if a crime has been committed, there are many ways for a criminal to hide data by moving them from organizational systems, including their own computer, and placing them on a removable, portable device. The list includes flash drives (thumb drives) that are small enough to hide in a pocket or the palm of one's hand and can be disguised as a normal fountain pen, digital watches, digital cameras, memory chips for digital cameras that are small enough to hide under a postage stamp, personal digital assistants (PDAs), and cell phones. Some cyberforensics investigators do nothing but collect and analyze information from cell phones. Think about everything that a cell phone contains: voice mail, text messages, notes entered in the address file, phone numbers and addresses, and a log of calls missed, received and made. That is a lot of information!

The reason for the above list is to remind IT auditors that, when investigating, they must think of all the possible storage devices, look for them and collect them—remembering that a fraudster can easily hide one on his/her person or even under a postage stamp.

Secondly, there is the issue of legal prosecution. In the beginning of the investigation, it may not be clear whether the case is going to end up in litigation or legal prosecution. However, it is quite easy for evidence to get tainted. The IT auditor should assume that every investigation for every cyberforensics case is going to end up in court. That assumption will ensure that the process is successful either way. The case of CD Universe illustrates why proper evidence handling is so important; allegedly, the agencies investigating the incident made some mistakes that compromised the evidence and thus hampered any subsequent prosecution.5

It is also important to be aware of the proper custody of evidence. Forensic evidence, by definition, means it will stand up in a court of law. Evidence can be tainted because of improper custody and, in the case of cyberforensics, that compromise can happen at the very beginning. Criminals sometimes put Trojan horses on their computers that will automatically destroy digital evidence. If a computer is off and an investigator turns it on to see if there is any evidence on it, that process will automatically taint the evidence. Windows changes date/time stamps, and booting a system does a number of things that will cause the digital evidence to be different from what it was before the boot. Thus, the evidence is no longer admissible in court, because it is no longer in its original state at the point of capture. It is critically important that the investigation in its initial phase takes the correct steps in capturing the digital evidence. Do not turn a computer on or off or pull the plug until and unless an expert has directed the action.

Regarding the custody from that point forward, a log should be kept that shows the unique identification of the evidence (drive serial number), the physical location, what was done, who did it, when, what tool was used and so on. Such documentation is critical to any cyberforensics investigation.
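The custody log described above can be kept in a form that makes tampering evident. The Python class below is an added example for this column, not the author's procedure and not any product's format; the evidence serial number, names, locations, timestamps and the "evidence image" bytes are constructed placeholders. Each entry records the items the article lists (evidence identifier, location, action, who, when, tool) together with the SHA-256 of the evidence image at that moment, and each entry also carries the hash of the previous entry, so that a changed image, an altered entry or a dropped entry is reported when the log is verified.

```python
import hashlib
import json
from datetime import datetime, timezone


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class CustodyLog:
    """Append-only chain-of-custody log for one evidence item (added example).

    Entry fields follow the article: evidence id (drive serial number),
    physical location, action taken, who did it, when, tool used.  Each entry
    also stores the image hash at that point and the hash of the previous
    entry, so the log itself is tamper-evident.
    """

    GENESIS = "0" * 64  # prev_entry_hash of the first entry

    def __init__(self, evidence_id: str):
        self.evidence_id = evidence_id
        self.entries = []

    @staticmethod
    def _entry_hash(entry: dict) -> str:
        body = {k: v for k, v in entry.items() if k != "entry_hash"}
        return sha256_hex(json.dumps(body, sort_keys=True).encode())

    def record(self, action, who, location, tool, image: bytes, when=None):
        """Append one custody entry; `when` defaults to the current UTC time."""
        when = when or datetime.now(timezone.utc).isoformat()
        prev = self.entries[-1]["entry_hash"] if self.entries else self.GENESIS
        entry = {
            "evidence_id": self.evidence_id,
            "action": action,
            "who": who,
            "location": location,
            "tool": tool,
            "when": when,
            "image_sha256": sha256_hex(image),
            "prev_entry_hash": prev,
        }
        entry["entry_hash"] = self._entry_hash(entry)
        self.entries.append(entry)
        return entry

    def verify(self, current_image: bytes):
        """Return (ok, problems).

        Checks that every entry still hashes to its recorded entry_hash, that
        the entries chain in order, that the image hash never changed between
        handling steps, and that the image in hand still matches the hash
        taken at acquisition.
        """
        problems = []
        prev = self.GENESIS
        for i, e in enumerate(self.entries):
            if e["prev_entry_hash"] != prev:
                problems.append(f"entry {i}: broken chain (missing or reordered entry)")
            if self._entry_hash(e) != e["entry_hash"]:
                problems.append(f"entry {i}: entry modified after it was written")
            if i > 0 and e["image_sha256"] != self.entries[0]["image_sha256"]:
                problems.append(f"entry {i}: image hash changed during '{e['action']}'")
            prev = e["entry_hash"]
        if self.entries and sha256_hex(current_image) != self.entries[0]["image_sha256"]:
            problems.append("image in hand does not match acquisition hash")
        return (not problems, problems)


if __name__ == "__main__":
    image = b"constructed evidence image bytes"  # stands in for a bit-stream image
    log = CustodyLog("SERIAL-PLACEHOLDER-0001")
    log.record("acquired bit-stream image", "J. Doe, IT audit",
               "evidence locker A", "imaging tool", image)
    log.record("hash verified, working copy made", "J. Doe, IT audit",
               "evidence locker A", "hashing software", image)
    print(json.dumps(log.entries, indent=2))
    print("verify:", log.verify(image))
```

Analysis is done on the working copy; the original image is re-hashed at every handling step and only ever expected to match the acquisition hash, which is the condition an opposing counsel will ask the custodian to demonstrate.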

Keys to Success

The following steps are important to achieving a successful conclusion to a cyberforensics investigation:6 

  • IT auditors likely need some specialized training and education in cyberforensics.
  • Be sure to have a specialist lined up prior to the need, if one does not exist internally.
  • Treat every case as if it will end up in court (critical at the very first step).
  • Secure all information and media that may be an issue in litigation, and maintain proper physical custody of the evidence.
  • Document all steps taken with the media (copying, tools used, when, by whom, etc.).
  • Do not commingle subjects in communications.
  • Promote cooperation among all stakeholders: IT staff, auditors, legal counsel, corporate staff, law enforcement, etc.

Conclusion

Every large firm either has experienced or will experience the need for cyberforensics. Most IT auditors are probably not trained and equipped to meet the investigative needs of a major cyberforensics case. However, there are basics about cyberforensics that every IT auditor should know. These basics include, at a minimum, policy, the need for an expert investigator and custody of evidence. If necessary, IT auditors should obtain some specialized training and education on cyberforensics to be able to perform competently when the situation arises.

Endnotes

1 Kruse, Warren G., II; Jay G. Heiser; Computer Forensics: Incident Response Essentials, Addison-Wesley: Boston, MA, USA, 2002, p. 4

2 Ibid.

3 See this column in vol. 2, 2006, for a more detailed discussion of the use of generalized audit software that equips IT auditors to conduct these kinds of investigations.

4 Marcella, Albert J.; Robert S. Greenfield; Cyber Forensics: A Field Manual for Collecting, Examining, and Preserving Evidence of Computer Crimes, CRC Press, Boca Raton, FL, USA, 2002, p. 4

5 Op. cit., Kruse and Heiser, pp. 8-9

6 Op. cit., Marcella and Greenfield, p. 145. Except for the first three items in the bulleted list, the remainder was taken from this book.

Tommie W. Singleton, Ph.D., CISA, CMA, CPA, CITP
is an assistant professor of information systems at the University of Alabama at Birmingham (USA), Marshall IS Scholar, and director of the Forensic Accounting Program. Prior to obtaining his doctorate in accountancy from the University of Mississippi (USA) in 1995, Singleton was president of a small, value-added dealer of accounting information systems using microcomputers. In 1999, the Alabama Society of CPAs awarded Singleton the 1998-1999 Innovative User of Technology Award. Singleton is the ISACA academic advocate at the University of Alabama at Birmingham. His publications on fraud, IT/IS, IT auditing and IT governance have appeared in numerous journals, including the Information Systems Control Journal.


Information Systems Control Journal, formerly the IS Audit & Control Journal, is published by the ISACA. Membership in the association, a voluntary organization of persons interested in information systems (IS) auditing, control and security, entitles one to receive an annual subscription to the Information Systems Control Journal.

