Class 4
Computer Forensics for Accountants
Additional Materials
Grover Kearns, Ph.D., CPA, CFE, CITP

File Signatures in Hex

File Type   Signature (first bytes, hex)
PDF         25 50 44 46
JPG         FF D8 FF E0
EXE         4D 5A 90 00
DLL         4D 5A 90 00
DOC         D0 CF 11 E0
XLS         D0 CF 11 E0

Corrupt the File: Shift Left or Right
- Hex editors allow you to shift bits right or left.
- Result? The file looks like garbage.
- To view the file, reverse the process.

Beat File Signature Analysis
- Anti-forensic approach to stop EnCase and similar tools from identifying file types.
- Change the file extension.
- Use a hex editor to alter the file signature
  - MZ for executable files

Hide Files in Open Sight
- First, change the file signature.
- Second, change the file extension.
- Example: plan.doc becomes plan.jpg

In the hex editor, the hex values 42 4D are the signature for a bitmap file. These can easily be changed to another value, such as D0 CF 11 E0 for a .doc file.

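As an added example (not code from the slides), a small Python checker that applies the signature table above to the plan.doc-becomes-plan.jpg case: it flags a file whose extension disagrees with its leading bytes, and also shows why a signature-only check is satisfied once the leading bytes have been edited as well. The sample headers are constructed, not taken from real files.

```python
# Added example for these slides (not code from the deck): compare a file's
# extension with its leading bytes using the signature table from the slides.
from pathlib import Path

# Signature table from the slides, plus BMP ("42 4D") from the hex-editor slide.
# The slide lists four bytes for EXE/DLL; strictly only the first two, 4D 5A
# ("MZ"), are fixed by the format, so a production check would use just those.
SIGNATURES = {
    "PDF": bytes.fromhex("25504446"),
    "JPG": bytes.fromhex("FFD8FFE0"),
    "EXE": bytes.fromhex("4D5A9000"),
    "DLL": bytes.fromhex("4D5A9000"),
    "DOC": bytes.fromhex("D0CF11E0"),
    "XLS": bytes.fromhex("D0CF11E0"),
    "BMP": bytes.fromhex("424D"),
}

def identify(header: bytes) -> list:
    """Return every file type whose signature matches the start of the header."""
    return [ftype for ftype, sig in SIGNATURES.items() if header.startswith(sig)]

def check_file(name: str, header: bytes) -> str:
    """Classify a file as 'consistent', 'mismatch:<types>' or 'unknown signature'.

    A mismatch is the plan.doc-renamed-to-plan.jpg case: the extension says one
    thing, the leading bytes say another.
    """
    ext = Path(name).suffix.lstrip(".").upper()
    matches = identify(header)
    if not matches:
        return "unknown signature"
    if ext in matches:
        return "consistent"
    return "mismatch:" + "/".join(matches)

if __name__ == "__main__":
    # Constructed sample headers (first 8 bytes only), not real files.
    samples = {
        "report.pdf": bytes.fromhex("255044462D312E34"),  # genuine %PDF-1.4 header
        "plan.jpg":   bytes.fromhex("D0CF11E0A1B11AE1"),  # .doc renamed to .jpg
        "plan2.jpg":  bytes.fromhex("FFD8FFE000104A46"),  # .doc with signature also edited
    }
    for fname, hdr in samples.items():
        print(f"{fname:12} -> {check_file(fname, hdr)}")
```

The third sample passes even though nothing after the first four bytes is JPEG data, which is why examiners corroborate a signature match by parsing the file body rather than trusting the leading bytes alone.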
Hibernate Mode

Hibernate or Sleep?

Timestomp.exe
Freeware that allows time stamps to be altered. The following commands change the file creation time to 10/8/2005:

    timestomp.exe c:\test.txt -z "Saturday 10/08/2005 2:02:02 PM"
    timestomp.exe c:\test.txt -a "Saturday 10/08/2005 2:02:02 PM"

Changing Time Stamp

Computers are Obedient – They Do What They are Told
- Everything is represented in 1's and 0's.
- The bytes are interpreted according to user instructions.
- The bytes may represent numbers, dates, text, colors, sounds, etc.
- Representation may also depend on hardware such as audio cards, video cards, etc.

Dates in Excel

Date                        Number
Sunday, January 01, 1900    1
Monday, June 10, 2013       41,435
Tuesday, June 11, 2013      41,436
Wednesday, June 12, 2013    41,437

Obfuscation: Simple Hiding Technique

Date         Amount
11/25/2001   $ 37,220
3/15/2023    $ 45,000
5/24/2002    $ 37,400
8/29/1953    $ 19,600
2/10/2140    $ 87,700
8/20/2088    $ 68,900
2/18/1982    $ 30,000
1/23/2792    $ 325,820

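An added example (not part of the slides) that converts between Excel serial numbers and dates in the 1900 date system, calibrated against the Dates in Excel table, and then checks the obfuscation table above: each dollar amount and the date beside it are the same Excel number shown in two cell formats, so re-applying a date format to the "amount" column (or a number format to the date column) reveals the hidden value. The input rows are the slide's own values.

```python
# Added example for the Excel date slides (not code from the deck).
from datetime import date, timedelta

# Excel's 1900 date system counts 1 = January 1, 1900 and includes a
# non-existent February 29, 1900 (serial 60). For serials above 60 the epoch
# that makes the arithmetic come out right is therefore December 30, 1899.
_EPOCH = date(1899, 12, 30)

def serial_to_date(serial: int) -> date:
    """Convert an Excel (1900 system) serial number to a calendar date."""
    if serial < 1:
        raise ValueError("Excel serials start at 1")
    if serial == 60:
        raise ValueError("serial 60 is Excel's phantom 29 Feb 1900")
    if serial < 60:
        return date(1899, 12, 31) + timedelta(days=serial)
    return _EPOCH + timedelta(days=serial)

def date_to_serial(d: date) -> int:
    """Convert a calendar date to its Excel (1900 system) serial number."""
    if d < date(1900, 1, 1):
        raise ValueError("the 1900 system has no serials before 1 Jan 1900")
    if d < date(1900, 3, 1):
        return (d - date(1899, 12, 31)).days
    return (d - _EPOCH).days

def reveal_amounts(rows):
    """For (mm/dd/yyyy, amount) pairs, report whether amount == the date's serial."""
    out = []
    for text, amount in rows:
        m, d, y = (int(p) for p in text.split("/"))
        out.append((text, amount, date_to_serial(date(y, m, d)) == amount))
    return out

# The eight rows of the slide's table, entered here as constructed input.
SLIDE_ROWS = [("11/25/2001", 37220), ("3/15/2023", 45000), ("5/24/2002", 37400),
              ("8/29/1953", 19600), ("2/10/2140", 87700), ("8/20/2088", 68900),
              ("2/18/1982", 30000), ("1/23/2792", 325820)]

if __name__ == "__main__":
    print(serial_to_date(41435).strftime("%A, %B %d, %Y"))  # Monday, June 10, 2013
    for text, amount, hidden in reveal_amounts(SLIDE_ROWS):
        print(f"{text:>10}  ${amount:>8,}  same number: {hidden}")
```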
Assumed Trust

Top 10 Social Networking Websites
1. Facebook
2. YouTube
3. Twitter
4. Squidoo
5. Hubpages
6. MySpace
7. LinkedIn
8. Classmates
9. Xanga
10. Weebly

Facebook – Can You Do This?
My middle name __________, my age ___, my favorite soda _______, my birthday ___/___/___, who's the love of my life ______, my best friend _____, my favorite color ______, my eye color _______, my hair color ______, my favorite food ________ and my mom's name __________.
Put this as your status and see who knows you best.

Your friend [Name here] just answered a question about you!
Was it possible that an old friend answered a question about me that I needed to "unlock?" Absolutely.
When you click on the link, the next screen should give you pause: 21 Questions is requesting permission to ... (a) access your name, profile picture, gender, networks, user ID, friends and any other information shared with everyone ... (b) send you email ... (c) post to your wall ... and ... (d) access your data any time ... regardless of whether or not you're using their application.

Big Problems in One Click
Look at the video I found of you! LOL.

We're Stuck! (and 5 Things Never to Post)
- You or Your Family's Full Birth Dates
- Your Relationship Status
- Your Current Location
- The Fact That You Are Home Alone
- Pictures of Your Kids Tagged With Their Names

Secret Crush

Meet Sophie Draufster
- Born on Facebook and LinkedIn in 2010
- Purpose: Social engineering of executives at large consulting firms
- Facebook Friends: 105
- LinkedIn Requests: 133
- Divulging of PII: 73
- Date Requests: 33

Spear Phishing
- Like phishing, but targeted to a specific person or group using personalized information that lends credibility.
- Typically diverts to a spoofed web page requesting PII, card numbers, etc.
- May request clicking a link that downloads malware.

LinkedIn and Spear Phishing
- Cybercriminals data-mine LinkedIn for information about companies and employees.
- That information is used to launch spear phishing attacks.
- Corporate directories also exist online, providing a wealth of information for spear phishers.
- Malicious LinkedIn invitation reminders redirect you to a web page that installs malware onto your computer. If you click, hackers can potentially steal your confidential data.

Top 5 Social Media Security Threats
- Lack of a social media policy
- Your employees
- Social networking sites
- Social engineering
- Mobile apps

Should We Block SN Sites?

"Allowing access to social network sites influences user behavior in a way that increases corporate risk."
(Chris Poulin, Chief Security Officer at Q1 Labs)

There is no need to block access to social network sites. The risks can be easily addressed and the downsides of blocking are greater than potential problems.
(Shel Holtz, Principal of Holtz Communication + Technology)

One study shows 54% of U.S. companies restrict employees from visiting sites like Facebook, Twitter and LinkedIn.

Social Networking Headlines
- Hackers hijack Obama's, Britney's Twitter accounts
- Twitter wrestles with multiple worm attacks
- Phishers, viruses target Facebook users
- Twitter/Google Apps hack raises questions about cloud security
- High-profile organizations ban Facebook, Twitter
- Twitter victimized by distributed denial-of-service attack
- Facebook shuts down Beacon program, donates $9.5 million to settle lawsuit
- Facebook unveils controversial new privacy settings

Seven Most Lethal Social Network Hacks
1. Impersonation and targeted personal attacks
2. Spam and bot infections
3. Weaponized OpenSocial and other social networking applications
4. Crossover of personal to professional online presence
5. XSS, CSRF attacks
6. Identity theft
7. Corporate espionage

Common Social Media Policies
- Be transparent
- Be connected
- Be thoughtful
- Strive for accuracy
- Do not mix personal with business
- Think twice before posting

Social Networking Policy
"Employees are forbidden from using social networks to post or display comments about co-workers, supervisors that are vulgar, obscene, threatening, harassing, or a violation of Company XYZ's policies on discrimination or harassment."
"Employees may not use social networks to disclose any confidential or proprietary information about Company XYZ or its employees, customers or business partners."
"Employees should refrain from speaking on behalf of Company XYZ when not authorized."

Social Networking Policy (cont.)
- Display a warning banner on all systems.
- The policy should state that the company has the right to inspect all computers on-site at will, without notice.
- The policy should include the employee's own computer, cell phone, briefcase, purses, etc.

Are Passwords Effective?
- Not always. Strong passwords are difficult to impossible to crack.
- Social engineering attacks are effective against strong passwords.
- Companies should have and enforce a strong password policy.
- Companies should train employees to recognize social engineering attacks.

Online Information About You
- Name(s)
- Address
- Phone
- Birthdate
- Spouse
- Children
- High School
- Workplace
- Education
- Relatives' Names
- Pets' Names
- Criminal History
- Email Address
- SSN (?)

Card Readers: Is Your PII Safe?
- SIM
- Mag Stripe
- SD
- Smart Card
(Source: Guide to Computer Forensics and Investigations)

Not on Windows 8!

Bring your system back from the dead!

Next …
- More hacks and theft of PII and IP
- Social engineering combined with hacks
- Office 2013 safer
- BYOD
- Cloud Computing
- XBRL
- Need for extensive employee training

Even reasonably intelligent people make mistakes!
How much will those mistakes cost your organization?

Grover Kearns, Ph.D., CPA, CFE, CITP
Gregory, Sharer & Stuart Term Professor in Forensic Accounting
gkearns@usfsp.edu