Chapter 14 Power Point - Forensic and Investigative...


Forensic and Investigative Accounting
Chapter 14: Digital Forensics Analysis
© 2009 CCH. All Rights Reserved. 4025 W. Peterson Ave., Chicago, IL 60646-6085, 1 800 248 3248, www.CCHGroup.com

Slide 2: Hacker Defined

A hacker, as the term is used in this chapter, is an individual or group whose intent is to gain access to a computer network for malicious purposes.

Slide 3: Collecting Clues and Evidence

- A forensic investigator needs to be familiar with the protocols used on the Internet in order to collect clues about either internal or external attackers.
- In addition, when law enforcement officials send requests or subpoenas for information about a company's logs, the forensic analyst must understand the type of information being sought.

Slide 4: Protocols

Internet protocols are the rules that allow different operating systems and machines to communicate with one another over the Internet.

Slide 5: Transmission Control Protocol (TCP) and Internet Protocol (IP)

- The TCP/IP protocols are the communication guidelines used and widely supported over the Internet.
- Almost every packet of information sent over the Internet is carried as a datagram inside a TCP/IP envelope. The datagram consists of layers of headers needed to verify the packet and to get the information from the sender's location to the receiver's, following the traffic-control rules of each layer.

Slide 6: Transmission Control Protocol (TCP) and Internet Protocol (IP) (continued)

- Message encapsulation is used in sending the packets: each layer wraps the data handed down from the layer above in its own header, and each layer of information in the sent packet is interpreted by the same layer at the receiving end of the transmission.
- Additionally, each layer communicates only with the layer directly above or below it.

Slide 7: Layered Open Systems Interconnection (OSI) Model

- Application Layer
- Transport Layer
- Network Layer
- Data Link Layer
- Hardware (Physical) Layer
- Electronic impulse (the signal on the wire)

(The five-layer stack shown here is the TCP/IP model; the full OSI reference model also has a session layer and a presentation layer between the application and transport layers.)

Slide 8: TCP and IP (continued)

- The application layer issues the commands that define the operations.
- The transport layer provides reliable message delivery.
- The network layer controls the route the data takes to get to its destination.

(continued on next slide)

Slide 9: TCP and IP (continued)

- The data link layer transfers the datagram from one network node to the next.
- The hardware layer (or physical layer) provides the means of sending and receiving data on a network by converting bits into voltages (or light or radio signals) for transmission over the physical medium, such as a coaxial cable.

Slide 10: IP Address Defined

An IP address is a number that identifies the sender and the recipient of a packet of information sent over the Internet. An IPv4 address, the kind this slide describes, is a 32-bit number (four bytes), normally written as four decimal numbers separated by dots, such as 192.0.2.10. IPv6 addresses, which the deck does not cover, are 128 bits.

Slide 11: Web Log Entries

- One important method for finding the trail of an attacker is examining web logs.
- Recorded web server logs provide the information needed to trace all website usage.
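The encapsulation described on slides 5 through 10 is easiest to see in code. The following is an added example, not part of the CCH deck: it builds a constructed Ethernet/IPv4/TCP frame carrying an HTTP request, then decodes it layer by layer the way a packet sniffer does, verifying the IPv4 header checksum before trusting the addresses. All MAC addresses, IP addresses, ports and the request are invented for the example.

```python
import struct

# Constructed sample: an HTTP request wrapped, layer by layer, in a TCP segment,
# an IPv4 datagram and an Ethernet frame. Addresses, ports and MACs are made up.
APP_DATA = b"GET /admin HTTP/1.1\r\nHost: example.test\r\n\r\n"
TCP_FLAGS = {0x01: "FIN", 0x02: "SYN", 0x04: "RST", 0x08: "PSH", 0x10: "ACK", 0x20: "URG"}


def ip_to_bytes(addr):
    return bytes(int(o) for o in addr.split("."))


def bytes_to_ip(b):
    return ".".join(str(x) for x in b)


def ipv4_checksum(header):
    """RFC 1071 Internet checksum: one's-complement sum of 16-bit words, complemented.
    Over a header that already contains a correct checksum the result is 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


# --- Sending side: each layer adds its own header in front of what it was handed ---

def build_tcp(sport, dport, seq, flags, payload):
    # 20-byte header, no options. The TCP checksum is left 0 because it needs an
    # IP pseudo-header to compute; the decoder below does not rely on it.
    return struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, flags, 65535, 0, 0) + payload


def build_ipv4(src, dst, proto, payload):
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0x4000,
                      64, proto, 0, ip_to_bytes(src), ip_to_bytes(dst))
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]  # fill checksum
    return hdr + payload


def build_ethernet(src_mac, dst_mac, ethertype, payload):
    return dst_mac + src_mac + struct.pack("!H", ethertype) + payload


def sample_frame():
    segment = build_tcp(40512, 80, 1000, 0x18, APP_DATA)             # PSH|ACK
    datagram = build_ipv4("192.0.2.10", "198.51.100.5", 6, segment)  # proto 6 = TCP
    return build_ethernet(bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb"),
                          0x0800, datagram)                          # 0x0800 = IPv4


# --- Receiving/sniffing side: peel the headers off in the reverse order ---

def decode_frame(frame):
    out = {}
    # Data link layer: 14-byte Ethernet II header (destination MAC, source MAC, type).
    dst_mac, src_mac = frame[:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    out["eth"] = {"src": src_mac.hex(":"), "dst": dst_mac.hex(":"), "type": ethertype}
    if ethertype != 0x0800:
        raise ValueError("not an IPv4 frame")
    # Network layer: IPv4 header; the low nibble of byte 0 is the header length in 32-bit words.
    ip = frame[14:]
    ver_ihl, _tos, total_len, _id, _frag, ttl, proto, _csum, s, d = struct.unpack("!BBHHHBBH4s4s", ip[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (ver_ihl & 0x0F) * 4
    if ipv4_checksum(ip[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    out["ip"] = {"src": bytes_to_ip(s), "dst": bytes_to_ip(d), "ttl": ttl, "proto": proto, "len": total_len}
    if proto != 6:
        raise ValueError("not TCP")
    # Transport layer: TCP header; the high nibble of the data-offset byte is the header length in words.
    tcp = ip[ihl:total_len]
    sport, dport, seq, ack, off, flags, _win, _tcsum, _urg = struct.unpack("!HHIIBBHHH", tcp[:20])
    thl = (off >> 4) * 4
    out["tcp"] = {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
                  "flags": [n for bit, n in sorted(TCP_FLAGS.items()) if flags & bit]}
    # Application layer: whatever remains is the payload (here an HTTP request line).
    out["payload"] = tcp[thl:]
    return out


def decode_or_error(frame):
    """Wrapper that reports why a frame was rejected instead of raising."""
    try:
        return decode_frame(frame)
    except ValueError as e:
        return str(e)


def corrupted_sample():
    """The sample frame with one bit of the IPv4 TTL byte flipped, as if damaged in transit."""
    bad = bytearray(sample_frame())
    bad[14 + 8] ^= 0x01  # byte 8 of the IP header is the TTL
    return bytes(bad)


if __name__ == "__main__":
    decoded = decode_frame(sample_frame())
    for layer in ("eth", "ip", "tcp", "payload"):
        print(layer, decoded[layer])
    print("corrupted frame:", decode_or_error(corrupted_sample()))
```

The decoder only trusts the IP addresses after the header checksum verifies, which is the same order of work tcpdump does before printing a line; the checksum only catches accidental damage, not a deliberately spoofed source address, since a spoofer computes a valid checksum too.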
Slide 12: Web Log Entries (continued)

- Information provided in a log includes the visitor's IP address, the actions the visitor performs on the site (the request line), the browser type (the User-Agent header), and the site the visitor used before arriving (the Referer header). Geographic location and time on page are not recorded in the log itself: location is looked up from the IP address afterwards, and time on a page is estimated from the interval between a visitor's successive requests.
- Logs should be stored on a separate computer from the web server hosting the site (for example, shipped to a central log host as they are written), so that an attacker who compromises the web server cannot easily alter them.

Slide 13: TCPDUMP

- tcpdump is a network sniffer that can disclose most of the information contained in a TCP/IP packet.
- A sniffer is a program that captures datagrams moving across a network, usually without the communicating parties' knowledge, and decodes the information contained in each of the datagram's protocol layers.

Slide 14: Decoding Simple Mail Transfer Protocol (SMTP)

- SMTP is the protocol used to send e-mail over the Internet.
- SMTP server logs can be used to check the path of the e-mail from the sending host to the receiving host.

Slide 15: Decoding Simple Mail Transfer Protocol (SMTP) (continued)

- Most of the important information about the origin of an e-mail message is in the long form of the header (the full headers, not the From/To/Subject summary a mail client shows).
- The most important data for tracing purposes are the IP addresses in the Received: lines and the Message-ID. Each relay adds its Received: line at the top, so the path reads from the bottom up, and only the lines added by servers you control can be relied on: the sender controls everything below them and can forge it.

Slide 16: Tracing and Decoding IP Addresses

- Traceroute
- Whois
- Ping
- Finger searches

Slide 17: Narrowing the Search

- Preliminary Incident Response Form
- John Doe subpoena

Slide 18: Forensic Audit

- The forensic audit is an audit performed to determine whether fraud is being committed in the executive boardroom.
- The monitoring methods used in a forensic audit are investigative, are directed at top-level executives, and do not rely on traditional accounting audit practices.

Slide 19: Due Diligence Searches

- Internet databases
  - General searches
  - Name, telephone number, and e-mail address search engines
  - Internet relay chat (IRC), FTP, and Listserv searches
  - Usenet postings search
  - Legal records
  - Instant messaging (IM)
- Web page searches
- Government data searches
- Miscellaneous searches
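Slides 11 and 12 describe what a web log holds and what can be derived from it. As an added example that is not from the deck, the following parses a few constructed lines in the Apache/nginx "combined" log format, groups them by client IP, and derives the per-visitor facts the slide mentions that a log does not store directly (time on site, the referring site), together with a simple flag for the kind of probing an investigator looks for first. The sample lines, addresses and request paths are invented.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in the Apache/nginx "combined" log format. The IPs are from
# documentation ranges and the visits are invented; this is not a real server's log.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2009:14:02:11 +0000] "GET / HTTP/1.1" 200 5120 "http://search.example/?q=acme" "Mozilla/5.0 (Windows; U; Windows NT 5.1)"
203.0.113.7 - - [10/Mar/2009:14:02:40 +0000] "GET /about.html HTTP/1.1" 200 2048 "http://www.example.com/" "Mozilla/5.0 (Windows; U; Windows NT 5.1)"
198.51.100.23 - - [10/Mar/2009:14:03:05 +0000] "GET /../../etc/passwd HTTP/1.0" 404 210 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"
198.51.100.23 - - [10/Mar/2009:14:03:06 +0000] "GET /admin/ HTTP/1.0" 403 199 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"
198.51.100.23 - - [10/Mar/2009:14:03:07 +0000] "GET /login.php HTTP/1.0" 404 210 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"
198.51.100.23 - - [10/Mar/2009:14:03:08 +0000] "POST /login.php HTTP/1.0" 404 210 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"
"""

# One line of the combined format: client IP, ident, auth user, [timestamp],
# "request line", status, bytes sent, "referer", "user agent".
LOG_RE = re.compile(
    r'^(?P<ip>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<size>\d+|-) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)
# Request paths an ordinary visitor's browser never sends (directory traversal).
TRAVERSAL_RE = re.compile(r"(\.\./|%2e%2e|/etc/passwd)", re.I)


def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None  # malformed or different format; a real tool would count these
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    rec["size"] = 0 if rec["size"] == "-" else int(rec["size"])
    return rec


def parse_log(text):
    return [r for r in (parse_line(line) for line in text.splitlines()) if r]


def summarize_by_ip(records, error_threshold=3):
    """Group requests by client IP and derive what the log does not store directly:
    session duration, the sites the visitor came from, and a flag for traversal
    attempts or a burst of 4xx/5xx responses (typical of someone probing the site)."""
    by_ip = defaultdict(list)
    for r in records:
        by_ip[r["ip"]].append(r)
    summary = {}
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["time"])
        errors = sum(1 for r in recs if r["status"] >= 400)
        suspicious = [r["path"] for r in recs if TRAVERSAL_RE.search(r["path"])]
        summary[ip] = {
            "requests": len(recs),
            "first_seen": recs[0]["time"].isoformat(),
            "duration_s": int((recs[-1]["time"] - recs[0]["time"]).total_seconds()),
            "errors": errors,
            "referers": sorted({r["referer"] for r in recs if r["referer"] != "-"}),
            "agents": sorted({r["agent"] for r in recs}),
            "suspicious_paths": suspicious,
            "flag": bool(suspicious) or errors >= error_threshold,
        }
    return summary


if __name__ == "__main__":
    for ip, facts in summarize_by_ip(parse_log(SAMPLE_LOG)).items():
        print(ip, facts)
```

The Referer and User-Agent values come from the client and can be set to anything, so they corroborate a story rather than prove it; the IP address and timestamps are what the server itself observed, which is also why the slide has the logs kept off the web server.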
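Slides 14 and 15 say the e-mail path is traced from the Received: headers and the Message-ID, reading the headers from the bottom up. As an added example, not from the deck, the following parses a constructed message with three Received: lines, lists the hops in transit order with the peer IP each relay recorded, and marks which hops are verifiable given a set of mail servers the investigator controls (the hypothetical mx.example.com here). All hosts, addresses, IDs and timestamps are invented.

```python
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed message (not a real e-mail). Each relay prepends its own Received: line,
# so the topmost line is the last hop and the path must be read from the bottom up.
RAW_MESSAGE = """\
Received: from mail.example.net (mail.example.net [203.0.113.25])
\tby mx.example.com (Postfix) with ESMTP id 4B2C1A0F
\tfor <cfo@example.com>; Tue, 10 Mar 2009 14:05:31 +0000
Received: from relay.isp.example (relay.isp.example [198.51.100.9])
\tby mail.example.net (Postfix) with ESMTP id 7F3D2E10
\tfor <cfo@example.com>; Tue, 10 Mar 2009 14:05:29 +0000
Received: from [192.0.2.77] (unknown [192.0.2.77])
\tby relay.isp.example with SMTP; Tue, 10 Mar 2009 14:05:20 +0000
Message-ID: <20090310140520.12345@relay.isp.example>
From: "Vendor Billing" <billing@example.net>
To: cfo@example.com
Subject: Updated wire instructions
Date: Tue, 10 Mar 2009 14:05:18 +0000

Please use the new account details attached.
"""

# "from <host> (<comment>) by <host>" as written by most MTAs; the bracketed IP in the
# comment is the address the receiving server actually saw on the TCP connection.
RECEIVED_RE = re.compile(r"from\s+(?P<from>\S+)(?:\s+\((?P<comment>[^)]*)\))?\s+by\s+(?P<by>\S+)", re.I)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_received(value):
    """Pull the 'from' host, the 'by' host, the bracketed peer IP and the timestamp
    out of one Received: header (folded continuation lines are joined first)."""
    v = " ".join(value.split())
    m = RECEIVED_RE.search(v)
    ips = IP_RE.findall(v)
    date_part = v.rsplit(";", 1)[1].strip() if ";" in v else ""
    return {
        "from": m.group("from") if m else None,
        "by": m.group("by") if m else None,
        "ip": ips[0] if ips else None,
        "time": parsedate_to_datetime(date_part) if date_part else None,
    }


def trace_path(raw, trusted_hosts):
    """Return the hops in transit order (origin first).

    A Received: line is only as trustworthy as the server that wrote it. Lines added
    by hosts in trusted_hosts (your own mail servers) are verifiable; everything below
    them was supplied by the sender's side and can be forged, so the furthest IP you
    can stand behind is the peer your own server recorded.
    """
    msg = message_from_string(raw)
    hops = [parse_received(v) for v in reversed(msg.get_all("Received") or [])]
    for hop in hops:
        hop["verifiable"] = hop["by"] in trusted_hosts
    verified = [h for h in hops if h["verifiable"]]
    # A hop stamped earlier than the hop before it points to forgery or bad clocks.
    anomalies = [i for i in range(1, len(hops))
                 if hops[i]["time"] and hops[i - 1]["time"] and hops[i]["time"] < hops[i - 1]["time"]]
    return {
        "message_id": msg["Message-ID"],
        "hops": hops,
        "claimed_origin_ip": hops[0]["ip"] if hops else None,
        "furthest_verifiable_ip": verified[0]["ip"] if verified else None,
        "unverifiable_hops": len(hops) - len(verified),
        "clock_anomalies": anomalies,
    }


if __name__ == "__main__":
    result = trace_path(RAW_MESSAGE, {"mx.example.com"})
    print("Message-ID:", result["message_id"])
    for hop in result["hops"]:
        print(hop)
    print("origin claimed:", result["claimed_origin_ip"],
          "| verifiable back to:", result["furthest_verifiable_ip"])
```

The claimed origin (192.0.2.77 in the sample) is what you would look up with whois and put in a subpoena, but the only address this message proves is the one mx.example.com recorded; a subpoena to the operator of that server's peer is how the next hop back is confirmed.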