
Forensics, Fraud and Analytical Techniques

Forensics, Fraud and Analytical Techniques. Computer Forensics (Chapter 12) Practicum: Burlington Bees (Analytical Procedures as Substantive Tests). Crime Doesn’t Pay?. As Willie Sutton the bank robber said when asked why he robbed banks 'because that's where the money is'


Presentation Transcript


  1. Forensics, Fraud and Analytical Techniques Computer Forensics (Chapter 12) Practicum: Burlington Bees (Analytical Procedures as Substantive Tests)

  2. Crime Doesn’t Pay? • As Willie Sutton the bank robber said when asked why he robbed banks • 'because that's where the money is' • Sutton robbed banks and he was good at it. He made no bones about that. He usually packed a gun, either a pistol or a Thompson submachine gun • "You can't rob a bank on charm and personality" • "Why did I rob banks? Because I enjoyed it. I loved it. I was more alive when I was inside a bank, robbing it, than at any other time in my life. I enjoyed everything about it so much that one or two weeks later I'd be out looking for the next job. But to me the money was the chips, that's all." • From Where the Money Was: The Memoirs of a Bank Robber (Viking Press, New York, 1976)

  3. Why ‘Computer’ Crime? • ‘Because that's where the money is’ (c. 2005) • Money is no longer held in physical form • How much money is being handled daily by computer exchange systems in 2005? • Foreign exchange $2 trillion daily • Derivatives markets $5 trillion daily • Outstanding derivatives positions $200 trillion • NYSE daily activity $1.6 trillion daily

  4. Types of Computer Crime: Business as a Victim • Employee Thefts • Payroll Fraud • Fraudulent Billing Schemes • Fraud Committed by outsiders • Management Thefts • Corporate Thefts

  5. Types of Computer Crime: Business as a Vehicle • Organized Crime • Money laundering • Theft from Minority Shareholders • Other Stock Market Fraud • Bankruptcy Fraud

  6. Crime’s new venue • The Internet (with an estimated 1 billion people) is now in a golden age of criminal invention. • It's a "dot-con" boom, in which electronic crime runs rampant in a frantic search for business models. • Even encryption, supposedly a defensive measure, has become a tool for extortion • witness the weird new crime of breaking into a computer, encrypting its contents, and then demanding a payoff to supply a password to the victim's own data. • The crime's so new, it doesn't even have a name yet.

  7. Crime’s new venue • All the classic scams and rackets that city sharpies push on rubes can be digitized • once there were a few relatively uncomplicated viruses, now there are torrents of fast-evolving, multifaceted viruses. • Where once there was just small-time credit-card fraud, now there is international credit-card racketeering. • Computer-network password theft has turned into sophisticated ID fraud that robs patrons of banks and online auction sites. • Spam, once an occasional rude violation of "netiquette," now arrives by the ton (12.9 billion pieces a day worldwide last May, according to the e-mail security firm IronPort) • Then there are the newer electronic crimes, proliferating so fast that even experts have trouble keeping up with the jargon. Phishing. Spear phishing. Pharming. DDOS. DDOS protection rackets. Spyware. Scumware. Web site defacement. Botnets. Keylogging

  8. FBI Computer Crime and Security Survey • Companies with sales of less than $10 million per year • spent $643 per employee on computer security each year. • For companies with more than $1 billion in annual revenue • the amount spent on security dropped to $247 per employee. • The survey found that companies in the utilities business spent the most on computer security • on average, $190 per employee per year. • Next highest on the list were transportation and telecommunication companies, with average annual costs per employee of $187 and $132, respectively.

  9. Computer Criminals Today • The largest class of crime is Internet based • Generally, there is a form of compartmentalization, from the top down • At the top of the food chain is someone who has the financial means to organize a group • This individual, acting as the criminal kingpin, puts together a plan and then assembles the necessary technologically savvy individuals. • These groups work together without central organization

  10. Computer Criminals Today • Many Criminals are recruited through acquaintances; others are found online • Individuals use Web sites, online forums, and IRC channels to advertise their services and meet their colleagues. Many others visit these sites to learn how to get started in the business. • The scene is always looking for rooters, scanners, curriers [various hacking specialties] • Once they've learned those skills, hackers commonly operate as freelancers, working on projects in an area of expertise--whether it be writing exploits, building botnet networks, or designing fake Web sites • And like legitimate businesspeople and freelancers, they must build a reputation before they can get hired for lucrative work.

  11. Hotspots for Internet crime • Brazil, Bulgaria, China, Estonia, Hungary, Indonesia, Japan, Latvia, Malaysia, North Korea, Romania, Russia, and the United States are major centers for organized hacking • Why are certain areas hotspots? • Places where there's a significant amount of activity usually have a technically advanced population and a large population of computer users. • You also have a poor economy, so you have people with the technical skills to do good work, but they can't find a job that will provide for them, • so they may have to resort to doing things that are against the law • These hotspots (other than the United States and Japan) also tend to be countries where laws and law enforcement lag • hackers will find the weakest link, the country with no laws

  12. Denial-of-service (DoS attack) • A "denial-of-service" attack is characterized by an explicit attempt by attackers to prevent legitimate users of a service from using that service. Examples include • attempts to "flood" a network, thereby preventing legitimate network traffic • attempts to disrupt connections between two machines, thereby preventing access to a service • attempts to prevent a particular individual from accessing a service • attempts to disrupt service to a specific system or person • Details are at http://www.cert.org/tech_tips/denial_of_service.html

  13. Zombies • Zombies do a lot of the heavy lifting • malware-infected computers that an online puppet master controls • Set to work in thousands or even tens of thousands, the machines in a zombie network or "botnet" attempt to carry out the high-tech money grab. • Botnets are popular because of their increasing sophistication and multiple uses. • versatile zombie armies pull in cash for their controllers in a variety of ways. • Sending spam (a big money-maker) is one common use. • Zombie networks can also steal personal information for purposes of identity theft. • When botnets are used to launch a DDoS attack, • the ringleader instructs each zombie computer to send a flood of data to a particular Web site. • By itself, the data from a single PC can't hurt a site. • But multiply that traffic by 10,000 or more computers, and a Web site can easily be overwhelmed and cut off from the Internet. • E.g., MyDoom had a rather unsophisticated means of controlling host machines. • Once it insinuated itself into an unprotected PC, • anyone who knew a not-so-secret five-digit code could commandeer the computer for any desired purpose • As a result, MyDoom-compromised computers were very popular with online criminals for a while

  14. Botnets & Zombies • Malware turned an average of 172,009 previously healthy computers into zombies every day during May 2005 • CipherTrust, an e-mail security company that tracks botnets • As processing power improves and broadband Internet connections become more widespread, zombie computers will be able to send more spam or hit Web sites harder • and botnets will become more powerful. • Also, the ability to shuffle funds • including ransom payments • anonymously through convoluted Internet paths using human mules (in much the same way as in the drug trade) and online payment services • means that criminals can revisit old approaches.

  15. Cops and Robbers • Some botnets consist of phalanxes of from 15,000 to 50,000 zombie PCs that are controlled by groups of people dispersed around the world • Christopher Painter, deputy chief of the Computer Crime section of the U.S. Department of Justice. • Most perpetrators are adults who execute extremely sophisticated assaults. "They don't brag, and they cover their tracks very well," (Painter) • One notorious cybergang, called Shadowcrew, reportedly had 4000 members scattered across the United States, Brazil, Spain, and Russia.

  16. Objectives • Money is these cybergangs' primary motivation • The asking price for temporary use of an army of 20,000 zombie PCs today is $2000 to $3000, according to a June posting on SpecialHam.com, an electronic forum for hackers • Marshaling their armies of zombie PCs, online extortionists may threaten to crash a company's Web site unless they are paid off. • Hackers are not shy about asking for $20,000 to $30,000 from companies.

  17. Payoffs • Companies know it's far cheaper to pay the hackers than to get knocked offline and lose hundreds of thousands of dollars in lost business • Many extortionists go unreported because businesses are unwilling to volunteer evidence of their coercion to law enforcement officials, • corporations don't want to admit to their customers, stockholders, and business partners their networks were ever vulnerable to an attack. • only about 20 percent of computer intrusions are ever reported to law enforcement agencies. • The US Secret Service receives between 10 and 15 inquiries per week from business owners who believe they may be the target of a cyberattack. • Survey by the Computer Security Institute

  18. Payoffs • A PriceWaterhouseCoopers survey of more than 1000 businesses in the UK found that, • on average, companies spent more than $17,000 on their worst security incident that year. • For large companies, that amount was closer to $210,000, the study found. • For companies of either size, most of the loss was due to the disruption in their ability to do business, with expenses for troubleshooting the incident and actual cash spent responding to it accounting for considerably less.

  19. Case Study: Protx • When the first extortion e-mail popped into Michael Alculumbre's inbox, he had no idea it was about to cost his business nearly $500,000. • The note arrived in early November of last year, as Alculumbre's London-based transaction processing company, Protx, was being hit by a nasty distributed denial of service (DDoS) attack. • Zombie PCs from around the world were flooding Protx.com (the company's Web site) and the transaction processing server that was the commercial heart of the business. • In the extortion e-mail's broken English, someone identifying himself as Tony Martino proposed a classic organized-crime protection scheme. • "You should pay $10,000," Martino wrote. "When we receive money, we stop attack immediately." • The e-mail even promised one year's protection from other attackers for the $10,000 fee. • "Many companies paid us, and use our protection right now," Martino said. "Think about how much money you lose, while your servers are down."

  20. Case Study: Protx • By scrambling its IT staff and prohibiting traffic from zombie servers • at one point, Protx.com simply blocked all traffic originating from the Western United States • the company managed to survive the first wave of the attack against it. • But the 13-person company's biggest cost involved preparing for the next assaults, consisting of thousands of server requests, which came in January and April of 2005. • The April attack, which lasted for more than five days, was the most severe, • as Protx and the attackers engaged in a kind of online cat and mouse: • Just as Alculumbre's technicians found one way to block the flood of unwanted server messages, the attackers would switch to another tack. • At one point, the cybercrooks used a new exploit of Microsoft's Internet Information Services server that caused the Protx Web site to crash whenever certain types of secure messages got through. • Protx responded by installing an SSL accelerator and analyzing the messages before letting them through. • On the final day of the April assault, the attackers hit Protx with everything they had. • At the peak of the assault, the company's servers were processing 800 megabits of traffic per second, the equivalent of more than 530 T1 lines firing at full capacity.

  21. Case Study: Protx • Just a few years ago, financially motivated attackers tended to focus on fringe businesses like online gaming sites. • Transaction processors like Protx are now choice prey for extortionists, • If you bring down your payment processor, you can bring down hundreds of online processors • Transaction processors like Protx will do everything in their power not to be offline • therefore, they are investing heavily in security and bandwidth. • Protx ended up spending a whopping $38,000 per employee on security in 2004

  22. Client-side Targets • About 60 percent of new vulnerabilities now affect client-side applications • like Web browsers and media players • And those vulnerabilities are drawing all the wrong sorts of attention • In 2005, unwanted network traffic targeting Symantec Veritas BackupExec • rocketed to 500,000 instances within days of an announced security hole in the product, • up from a previous maximum of about 50,000 instances. • Microsoft Office, Internet Explorer, Firefox, and AOL Instant Messenger also suffered from serious reported vulnerabilities, as did RealPlayer and iTunes

  23. Focus of Client-side Attacks • Attackers now target • backup and recovery programs, • as well as "the antivirus and other security tools that most organizations think are keeping them safe" • SANS Top 20 report for 2005 on the most critical Internet vulnerabilities • The shift toward finding and exploiting vulnerabilities in programs represents a major change from past years, • when Windows and other operating systems and Internet services like Web and e-mail servers were the preferred targets.

  24. Client-side Crime: Recent Problem Software • Some of the latest application holes: • * Sony BMG's XCP copy protection Used ham-fisted rootkit code to hide every file name that began with the characters "$sys$"; virus writers soon released worms and Trojan horse programs to leverage the XCP cloaking features • * Symantec/Veritas NetBackup A buffer overflow vulnerability in a file used by NetBackup clients and servers • * Macromedia Inc.'s Flash Player A buffer overflow in some versions of the Macromedia Flash Player • * Skype Technologies S.A.'s Skype A critical buffer overflow vulnerability in versions of the free Internet phone app

  25. SANS (SysAdmin, Audit, Network, Security) Institute: The 20 Most Critical Internet Security Vulnerabilities • Top Vulnerabilities in Windows Systems • W1. Windows Services • W2. Internet Explorer • W3. Windows Libraries • W4. Microsoft Office and Outlook Express • W5. Windows Configuration Weaknesses • Top Vulnerabilities in Cross-Platform Applications • C1. Backup Software • C2. Anti-virus Software • C3. PHP-based Applications • C4. Database Software • C5. File Sharing Applications • C6. DNS Software • C7. Media Players • C8. Instant Messaging Applications • C9. Mozilla and Firefox Browsers • C10. Other Cross-platform Applications • Top Vulnerabilities in UNIX Systems • U1. UNIX Configuration Weaknesses • U2. Mac OS X • Top Vulnerabilities in Networking Products • N1. Cisco IOS and non-IOS Products • N2. Juniper, CheckPoint and Symantec Products • N3. Cisco Devices Configuration Weaknesses

  26. Phishing • California has passed an antiphishing law, • the Anti-Phishing Act of 2005 • With the passage of the Anti-Phishing Act of 2005, California joins such states as Texas, New Mexico, and Arizona, all of which adopted antiphishing legislation earlier this year. • Phishing victims are typically sent fraudulent e-mail designed to trick them into revealing personal information, like bank account numbers, user names, and passwords. • Under the Anti-Phishing Act, these victims may seek to recover either the cost of the damages they have suffered or $500,000, whichever is greater; government prosecutors can also seek penalties of up to $2500 per phishing violation. • Phishing attacks have been on the rise. Research firm Gartner estimates that 73 million U.S. Internet users received phishing e-mails during the 12 months ended May 2005, up 28 percent from the previous year.

  27. Malware • The mischief-making hacker of the 1990s gives way to the determined high-tech thief of the 21st century • The E-Crime Watch survey of security and law enforcement • estimated an average loss of $506,670 per organization due to malware • It's gotten so bad that the U.S. Secret Service and Carnegie Mellon University's Computer Emergency Response Team (CERT) • last year stopped publishing the number of computer crime incidents, saying: • "Given the widespread use of automated attack tools, attacks against Internet-connected systems have become so commonplace that counts of the number of incidents reported provide little information with regard to assessing the scope and impact of attacks."

  28. How to Build a Legal Case

  29. Inference Network Analysis • Legal cases are proved through inferences. • These inferences, built in chains, must lead logically from point A to point B • The strength (or weakness) of these inferences determines the strength of the legal case

  30. Chain of Inferences • Suppose we want to link the defendant (an ex-football player and aspiring movie star) to the murder of his ex-wife • Initially the evidence is weak (dotted line) • The defendant and victim were divorced, and that may have been motive for the murder, but that is a weak case

  31. The Bloody Glove • Our investigation has uncovered a bloody glove at the crime scene • Immediately there is an inference that the glove is somehow involved in the murder. If we later learn that DNA from the bloody glove matches the victim • The inferential relationship between murder and glove becomes strong • Although the connection between the defendant and the victim is still tenuous, • The connection between the victim and the glove is strong. • We're not yet satisfied, and the investigation continues

  32. Establishing Ownership • The forensic examiners at the crime lab have determined that the gloves are in fact a very expensive brand sold only in movie-star / football players. They are so unique that only 25 pairs have been sold in the past year. • This information alone does not necessarily strengthen the inferential relationship to the defendant. • However, taken in combination with the fact that a pair of these gloves was purchased on the ex-football player's credit card two months earlier, • we are strengthening our chain of inference.

  33. Uniquely Connecting the Gloves to their Owner • Finally our forensic experts compare the DNA from the skin cells found on the glove's lining with those of the defendant – they match • Up until now, we have only been able to link the defendant inferentially as the owner of similar gloves. • Now we can link him as the owner of these particular gloves (the dotted arrow becomes solid)

  34. Analytical and Automated Fraud Auditing Approaches

  35. Objectives of Analytical Techniques • Looks at the general (qualitative) factors of a company. • Based on tangible and measurable factors (quantitative). • Used in conjunction with tests of transactions and substantive tests • Analytical techniques provide an important, macro-level, detective control over fraud and misstatement in financial statements

  36. Analytical Technique (ratio analysis, fundamental analysis) • Goals • The objective of such an analysis is to assess the firm's: • performance, so that management can improve it, • solvency, so that a bank or a supplier can decide whether to grant credit, • potential value, to decide on an investment or divestment. It is then called fundamental analysis and is linked to business valuation and stock valuation

  37. How to: Analytical Techniques • Compare financial ratios (of solvency, profitability, growth...) • between several periods (the last 5 years for example) • and between similar firms. • Those ratios are calculated by dividing a (group of) account balance(s), • taken from the balance sheet and / or • the income statement, • by another, • for example : • Net profit / equity = return on equity • Gross profit / balance sheet total = return on assets • Stock price / earnings per share = P/E-ratio

  38. Where to find the data • Company websites • almost every public company has a website or investor relations department. For the most current quarterly or annual report you might want to check in these places first. • http://www.gm.com/company/investor_information/stockholder_info/ • Securities and Exchange Commission (SEC) - The information posted in the "EDGAR" database includes the annual report (known as the 10-K), quarterly report (10-Q), and a myriad of other forms that contain every type of financial data. • http://www.edgar-online.com/products/edgarpro.aspx • Hoovers.com - another source for company analysis (some of the data requires a subscription) • http://www.hoovers.com/free/

  39. Analyzing the Financial Statements • 19 Key Ratios for Analytical Techniques

  40. Average Interest Rate=(Interest Expense - Accounts Payable) / Liabilities • Objectives: • There are several versions of this ratio, some people prefer to just use interest bearing liabilities such as the bonds and other short term loans. • This formula won't give you the exact interest rate they are paying, but it is useful in an interest rate sensitive environment. • And if you compare it to previous years then you are able to tell what rate the company had to take on more debt at. If you will notice from the balance sheet above,

  41. Book Value Per Share - BV=Stockholders Equity - Preferred Stock • Things to remember • Comparing the market value to the book value can indicate whether or not the stock is overvalued or undervalued. • During bull markets the stock price is more likely to trade significantly higher than book value, and in a bear market the two values may be close to equal. • Objectives • For the most part the book value really doesn't tell us a whole lot. • BV is considered to be the accounting value of each share, drastically different than what the market is valuing the stock at. And the truth is that market and book value have nothing in common. Market value is what the investment community's expectations are and book value is based on costs and retained earnings. One situation where BV can be useful is if the market value is trading below the book value. This rarely happens, but if it does it could mean that the company is undervalued and might be an attractive buy.

  42. Cash Flow to Assets=(Cash from Operations)/(Total Assets) • Things to remember • Comparing to previous years is important, if the company's ratio is decreasing then they may eventually run into cash problems. • Objectives: • Cash flow is often overlooked when people analyze a company. You can be a profitable company but if you don't have cash moving around to pay bills then you are really in trouble. It relates a company's ability to generate cash compared to its asset size. When the ratio declines below 10% then there may be some cause for concern.

  43. Common Size Analysis=Entity / Total Entity • Basically the reason for stating COGS, OM, etc. as a percentage of Sales • E.g., comparing one class of current assets like cash to the whole CA total • Things to remember • Shows what proportion of sales each expense consumes, which is especially useful when comparing previous years. It is also useful when comparing similar companies of different sizes to see if they have the same financial structure.

  44. Dividend Payout Ratio=(Yearly Dividend per Share)/ (Earnings per Share) • Things to remember • A reduction in dividends paid is looked poorly upon by investors, and the stock price usually depreciates as investors seek other dividend paying stocks. • Indicates the proportion of earnings that are used to pay dividends to shareholders • A stable dividend payout ratio indicates a solid dividend policy by the company's board of directors.

  45. Earnings Per Share =(Net Income - Dividends on Preferred Stock) / (Average OS Shares) • Things to remember • Diluted EPS means that the outstanding shares include any convertibles or warrants outstanding. • If the company issues more shares then EPS are much harder to compare to previous years.

  46. Asset Turnover =Revenue / (Total Assets) • Indicates the relationship between assets and revenue. • Things to remember • Companies with low profit margins tend to have high asset turnover, those with high profit margins have low asset turnover - it indicates pricing strategy. • This ratio is more useful for growth companies to check if in fact they are growing revenue in proportion to sales. • Objective • This ratio is useful to determine the amount of sales that are generated from each dollar of assets. As noted above, companies with low profit margins tend to have high asset turnover, those with high profit margins have low asset turnover.

  47. Collection Ratio =(Accounts Receivable)/ (Revenue/365) • This indicates the average number of days it takes a company to collect unpaid invoices. • Things to remember • A high ratio indicates that the company is having problems getting paid for services or products. • The ratio is sometimes seasonally affected, rising during busy seasons and falling during the off-season. To account for this seasonality, the average accounts receivable ((beginning + ending accounts receivable)/2) could be used instead.

  48. Inventory Turnover =(Cost of Goods Sold) / (Average or Current Period Inventory) • An important and often overlooked ratio that indicates inventory levels. • Things to remember • A low turnover is usually a bad sign because products tend to deteriorate as they sit in a warehouse. • Companies selling perishable items have very high turnover. • For more accurate inventory turnover figures, the average inventory figure, ((beginning inventory + ending inventory)/2), is used when computing inventory turnover. Average inventory accounts for any seasonality effects on the ratio.

  49. Debt-Asset Ratio=Total Liabilities / Total Assets • Indicates what proportion of the company's assets are being financed through debt. • Things to remember • This ratio is very similar to the debt-equity ratio. • A ratio under 1 means a majority of assets are financed through equity, above 1 means they are financed more by debt. Furthermore you can interpret a high ratio as a "highly debt leveraged firm".
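The period-to-period comparison described in slides 37 and 42-49, as an added example that is not part of the original presentation. The statement figures are constructed, and the 25% year-over-year swing threshold is an assumption; only the 10% cash-flow-to-assets floor comes from slide 42.

```python
from dataclasses import dataclass

@dataclass
class Statement:
    year: int
    revenue: float
    cogs: float
    cash_from_ops: float
    total_assets: float
    total_liabilities: float
    receivables: float   # year-end accounts receivable
    inventory: float     # year-end inventory

# Constructed figures for a hypothetical firm (in $ thousands).
STATEMENTS = [
    Statement(2003, 1000, 600, 150, 1000, 400, 100, 120),
    Statement(2004, 1100, 660, 160, 1100, 450, 110, 130),
    Statement(2005, 1400, 700,  80, 1300, 700, 330, 150),
]

def ratios(cur, prev=None):
    """Compute the slide formulas for one year.

    Receivables and inventory use the (beginning + ending) / 2 average
    when a prior year is available, as slides 47 and 48 recommend.
    """
    ar = (prev.receivables + cur.receivables) / 2 if prev else cur.receivables
    inv = (prev.inventory + cur.inventory) / 2 if prev else cur.inventory
    return {
        "cash_flow_to_assets": cur.cash_from_ops / cur.total_assets,
        "asset_turnover": cur.revenue / cur.total_assets,
        "collection_days": ar / (cur.revenue / 365),
        "inventory_turnover": cur.cogs / inv,
        "debt_asset": cur.total_liabilities / cur.total_assets,
    }

def analyze(statements, swing=0.25):
    """Return (ratio table by year, list of (year, ratio, reason) flags).

    A flag is raised when cash flow to assets drops below 10% or when
    any ratio moves more than `swing` (assumed threshold) against the
    prior year. Flags mark where substantive testing should focus;
    they are not findings by themselves.
    """
    table, flags = {}, []
    prev_stmt, prev_ratios = None, None
    for stmt in sorted(statements, key=lambda s: s.year):
        r = ratios(stmt, prev_stmt)
        table[stmt.year] = r
        if r["cash_flow_to_assets"] < 0.10:
            flags.append((stmt.year, "cash_flow_to_assets", "below 10%"))
        if prev_ratios:
            for name, value in r.items():
                base = prev_ratios[name]
                if base == 0:
                    continue  # no meaningful percentage change
                change = (value - base) / abs(base)
                if abs(change) > swing:
                    flags.append((stmt.year, name, f"{change:+.0%} vs prior year"))
        prev_stmt, prev_ratios = stmt, r
    return table, flags

if __name__ == "__main__":
    table, flags = analyze(STATEMENTS)
    for year, r in table.items():
        print(year, {k: round(v, 2) for k, v in r.items()})
    for flag in flags:
        print("FLAG", flag)
```

In the constructed data, 2005 revenue grows while cash from operations halves and collection days jump, the combination that would send an auditor to test receivables and revenue recognition.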

  50. Computer Assisted Techniques for Fraud Detection • Audit software has commands that support the auditor's requirement to review transactions for fraud such as the existence of duplicate transactions, missing transactions, and anomalies. Some examples of these commands include: • * comparing employee addresses with vendor addresses to identify employees that are also vendors; • * searching for duplicate check numbers to find photocopies of company checks; • * searching for vendors with post office boxes for addresses; • * analyzing the sequence of all transactions to identify missing checks or invoices; • * identifying vendors with more than one vendor code or more than one mailing address; • * finding several vendors with the same mailing address; and • * sorting payments by amount to identify transactions that fall just under financial control or contract limits. • Audit software can be used to interrogate a company's data files and identify data patterns associated with fraud. • Patterns such as negative entries in inventory received fields, voided transactions followed by "No Sale," • or a high percentage of returned items may indicate fraudulent activity. • Auditors can use these data patterns to develop a "fraud profile" early in their review of operations. • The patterns can function as auditor-specified criteria; and transactions fitting the fraud profile can trigger auditor reviews. • Systems can even be built to monitor transactions on an ongoing basis. • Continuous monitoring is a proactive approach to the early detection of fraud.
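Several of the audit tests listed in slide 50, written out as an added example that is not part of the original presentation and not the command set of any particular audit package. The employee, vendor and payment records are constructed, and the $10,000 approval limit and 5% band are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample records (hypothetical names and addresses).
EMPLOYEES = [
    {"id": "E01", "name": "A. Rivera", "address": "12 Elm Street, Apt. 4"},
    {"id": "E02", "name": "B. Chen", "address": "90 Oak Avenue"},
]
VENDORS = [
    {"code": "V100", "name": "Acme Supply", "address": "500 Industrial Rd"},
    {"code": "V101", "name": "Rivera Consulting", "address": "12 ELM ST APT 4"},
    {"code": "V102", "name": "Quick Parts", "address": "P.O. Box 771"},
    {"code": "V103", "name": "Acme Supply Co", "address": "500 Industrial Road"},
]
PAYMENTS = [
    {"check": 1001, "vendor": "V100", "amount": 4200.00},
    {"check": 1002, "vendor": "V101", "amount": 9950.00},
    {"check": 1002, "vendor": "V102", "amount": 9950.00},
    {"check": 1004, "vendor": "V101", "amount": 9875.50},
    {"check": 1005, "vendor": "V103", "amount": 10000.00},
]

ABBREV = {"STREET": "ST", "AVENUE": "AVE", "ROAD": "RD", "APARTMENT": "APT"}

def normalize_address(addr):
    """Upper-case, drop punctuation and fold common abbreviations so that
    cosmetic differences do not hide a shared address."""
    words = re.sub(r"[^A-Z0-9 ]", " ", addr.upper()).split()
    return " ".join(ABBREV.get(w, w) for w in words)

def employees_who_are_vendors(employees, vendors):
    """Pairs (employee id, vendor code) whose addresses match."""
    by_addr = defaultdict(list)
    for v in vendors:
        by_addr[normalize_address(v["address"])].append(v["code"])
    return sorted((e["id"], code) for e in employees
                  for code in by_addr.get(normalize_address(e["address"]), []))

def vendors_sharing_address(vendors):
    """Normalized address -> vendor codes, where more than one code uses it."""
    by_addr = defaultdict(list)
    for v in vendors:
        by_addr[normalize_address(v["address"])].append(v["code"])
    return {a: sorted(c) for a, c in by_addr.items() if len(c) > 1}

def po_box_vendors(vendors):
    """Vendor codes whose address is a post office box."""
    pattern = re.compile(r"\b(P ?O|POST OFFICE) ?BOX\b")
    return [v["code"] for v in vendors
            if pattern.search(normalize_address(v["address"]))]

def duplicate_check_numbers(payments):
    """Check number -> vendors paid, for numbers used more than once."""
    by_check = defaultdict(list)
    for p in payments:
        by_check[p["check"]].append(p["vendor"])
    return {c: v for c, v in by_check.items() if len(v) > 1}

def missing_check_numbers(payments):
    """Gaps in the check sequence between the lowest and highest number."""
    seen = {p["check"] for p in payments}
    return [n for n in range(min(seen), max(seen) + 1) if n not in seen]

def just_under_limit(payments, limit, band=0.05):
    """Payments within `band` below an approval limit, largest first."""
    floor = limit * (1 - band)
    hits = [p for p in payments if floor <= p["amount"] < limit]
    return sorted(hits, key=lambda p: p["amount"], reverse=True)

if __name__ == "__main__":
    print("employee/vendor:", employees_who_are_vendors(EMPLOYEES, VENDORS))
    print("shared address: ", vendors_sharing_address(VENDORS))
    print("PO boxes:       ", po_box_vendors(VENDORS))
    print("duplicate checks:", duplicate_check_numbers(PAYMENTS))
    print("missing checks: ", missing_check_numbers(PAYMENTS))
    print("near limit:     ", just_under_limit(PAYMENTS, 10000))
```

Run on a schedule against the live payment file, the same functions form the continuous-monitoring "fraud profile" the slide describes; each hit is a lead for auditor review, since shared addresses and post office boxes also have legitimate explanations.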
