Computer Forensics for Accountants Additional Materials Grover Kearns, Ph.D., CPA, CFE, CITP 1 File Signatures in Hex File Type Signature PDF 25 50 44 46 JPG FF D8 FF E0 EXE 4D 5A 90 00 DLL 4D 5A 90 00 DOC D0 CF 11 E0 XLS D0 CF 11 E0 2 Corrupt the File Shift Left or Right Hex editors allow you to shift bits right or left Result? The file looks like garbage. To view file, reverse the process. 3 Beat File Signature Analysis Anti-forensic approach to stop EnCase and similar tools from identifying file types. Change the file extension. Use hex editor to alter the file signature MZ for executable files 4 Hide Files in Open Sight First change the file signature Second change the file extension Example: plan.doc becomes plan.jpg 5 In the hex editor the hex values 42 4D is the signature for a bitmap file. These can easily be changed to another value such as D0 CF 11 E0 for a .doc file. 6 Hibernate Mode Hibernate or Sleep? 8 Hibernate or Sleep? 9 Timestomp.exe Freeware that allows time stamps to be altered. This code will change the file creation to 10/8/2005. timestomp.exe c:\test.txt -z "Saturday 10/08/2005 2:02:02 PM" timestomp.exe c:\test.txt -a "Saturday 10/08/2005 2:02:02 PM" 10 11 Changing Time Stamp 12 Computers are Obedient – They Do What They are Told Everything is represented in 1’s and 0’s The bytes are interpreted according to user instructions The bytes may represent numbers, dates, text, colors, sounds, etc. Representation may also depend on hardware such as audio cards, video cards, etc. 13 Dates in Excel DATE Number Sunday, January 01, 1900 1 Monday, June 10, 2013 41,435 Tuesday, June 11, 2013 41,436 Wednesday, June 12, 2013 41,437 14 Obfuscation: Simple Hiding Technique 11/25/2001 $ 37,220 3/15/2023 $ 45,000 5/24/2002 $ 37,400 8/29/1953 $ 19,600 2/10/2140 $ 87,700 8/20/2088 $ 68,900 2/18/1982 $ 30,000 1/23/2792 $ 325,820 15 Assumed Trust 16 Top 10 Social Networking Websites 1. 2. 3. 4. 5. Facebook YouTube Twitter Squidoo Hubpages 6. MySpace 7. LinkedIn 8. Classmates 9. Xanga 10. Weebly 17 Facebook – Can You Do This? My middle name __________, my age ___, my favorite soda _______, my birthday ___/___/___, whose the love of my life ______, my best friend _____, my favorite color ______, my eye color _______, my hair color ______ my favorite food ________ and my mom's name __________. Put this as your status and see who knows you best. 18 19 Your friend [Name here] just answered a question about you! Was it possible that an old friend answered a question about me that I needed to "unlock?" Absolutely. When you click on the link, the next screen should give you pause: 21 Questions is requesting permission to ... (a) access your name, profile picture, gender, networks, user ID, friends and any other information shared with everyone ... (b) send you email ... (c) post to your wall ... and ... (d) access your data any time ... regardless of whether or not you're using their application. 20 Big Problems in One Click Look at the video I found of you! LOL. ! 21 We’re Stuck! (and 5 Things Never to Post) You or Your Family's Full Birth Dates Your Relationship Status Your Current Location The Fact That You Are Home Alone Pictures of Your Kids Tagged With Their Names 22 Secret Crush 23 Meet Sophie Draufster Born on Facebook and LinkedIn in 2010 Purpose: Social engineering of executives at large consulting firms Facebook Friends: 105 LinkedIn Requests: 133 Divulging of PII: 73 Date Requests: 33 24 Spear Phishing Like phishing but targeted to a specific person or group using personalized information that lends credibility. Typically diverts to a spoofed web page requesting PII, card numbers, etc. May request clicking link that downloads malware. 25 Linked-In and Spearphishing Cybercriminals datamine LinkedIn for information about companies and employees. That information is used to launch spearphishing attacks. Corporate directories also exist online, providing a wealth of information for spearphishers. Malicious LinkedIn invitation reminders redirect you to a webpage that installs malware onto your computer. If you click, hackers can potentially steal your confidential data. 26 Top 5 Social Media Security Threats Lack of a social media policy Your employees Social networking sites Social engineering Mobile apps 27 Should We Block SN Sites? “Allowing access to social network sites influences user behavior in a way that increases corporate risk.” Chris Poulin, Chief Security Officer at Q1 Labs There is no need to block access to social network sites. The risks can be easily addressed and the downsides of blocking are greater than potential problems. Shel Holtz, Principal of Holtz Communication + Technology One study shows 54% of U.S. companies restrict employees from visiting sites like Facebook, Twitter and LinkedIn. 28 Social Networking Headlines Hackers hijack Obama's, Britney's Twitter accounts Twitter wrestles with multiple worm attacks Phishers, viruses target Facebook users Twitter/Google Apps hack raises questions about cloud security High-profile organizations ban Facebook, Twitter Twitter victimized by distributed denial-of-service attack Facebook shuts down Beacon program, donates $9.5 million to settle lawsuit Facebook unveils controversial new privacy settings 29 Seven Most Lethal Social Networks Hacks 1. Impersonation and targeted personal attacks 2. Spam and bot infections 3. Weaponized OpenSocial and other social networking applications 4. Crossover of personal to professional online presence 5. XSS, CSRF attacks 6. Identity theft 7. Corporate espionage 30 Common Social Media Policies Be transparent Be connected Be thoughtful Strive for accuracy Do not mix personal with business Think twice before posting 31 Social Networking Policy “Employees are forbidden from using social networks to post or display comments about co-workers, supervisors that are vulgar, obscene, threatening, harassing, or a violation of Company XYZ’s policies on discrimination or harassment.” “Employees may not use social networks to disclose any confidential or proprietary information about Company XYZ or its employees, customers or business partners.” “Employees should refrain from speaking on behalf of Company XYZ when not authorized.” 32 Social Networking Policy (cont.) Display a warning banner on all systems Policy should state that company has right to inspect all computers on-site at will without notice Policy should include employee’s own computer, cell phone, briefcase, purses, etc. 33 34 Are Passwords Effective Not always. Strong passwords are difficult to impossible to crack Social engineering attacks are effective against strong passwords Companies should have and enforce a strong password policy. Companies should train employees to social engineering attacks. 35 Online Information About You Name(s) Address Phone Birthdate Spouse Children High School Workplace Education Relatives Names Pets Names Criminal History Email Address SSN (?) 36 Card Readers: Is Your PII Safe? SIM Mag Stripe Guide to Computer Forensics and Investigations SD Smart Card 37 37 38 39 40 Not on Windows 8! 41 Bring your system back from the dead! 42 Next … More hacks and theft of PII and IP Social engineering combined with hacks Office 2013 safer BYOD Cloud Computing XBRL Need for extensive employee training 43 Even reasonable intelligent people make mistakes! 44 Even reasonable intelligent people make mistakes! How much will those mistakes cost your organization? 45 Grover Kearns, Ph.D., CPA, CFE, CITP Gregory, Sharer & Stuart Term Professor in Forensic Accounting gkearns@usfsp.edu 46