Grover Kearns, Ph.D., CPA, CFE, CITP
Computer Forensics for Accountants
Additional Materials
1
File Signatures in Hex
2
File Type SignaturePDF 25 50 44 46
JPG FF D8 FF E0
EXE 4D 5A 90 00
DLL 4D 5A 90 00
DOC D0 CF 11 E0
XLS D0 CF 11 E0
Corrupt the FileShift Left or Right
Hex editors allow you to shift bits right or left
Result? The file looks like garbage. To view file, reverse the process.
3
Beat File Signature Analysis Anti-forensic approach to stop
EnCase and similar tools from identifying file types.
Change the file extension. Use hex editor to alter the file
signature MZ for executable files
4
Hide Files in Open Sight
First change the file signature
Second change the file extension
Example: plan.doc becomes plan.jpg
5
6
In the hex editor the hex values 42 4D is the signature for a bitmap file. These can easily be changed to another value such as D0 CF 11 E0 for a .doc file.
Hibernate Mode
Hibernate or Sleep?
8
Hibernate or Sleep?
9
Timestomp.exeFreeware that allows time stamps to be altered. This code will change the file creation to 10/8/2005.timestomp.exe c:\test.txt -z "Saturday 10/08/2005 2:02:02 PM" timestomp.exe c:\test.txt -a "Saturday 10/08/2005 2:02:02 PM"
10
11
Changing Time Stamp
12
Computers are Obedient – They Do What They are Told
Everything is represented in 1’s and 0’s The bytes are interpreted according to
user instructions The bytes may represent numbers,
dates, text, colors, sounds, etc. Representation may also depend on
hardware such as audio cards, video cards, etc.
13
Dates in Excel
14
DATE Number
Sunday, January 01, 1900 1
Monday, June 10, 2013 41,435
Tuesday, June 11, 2013 41,436
Wednesday, June 12, 2013 41,437
Obfuscation: Simple Hiding Technique
15
11/25/2001 $ 37,220
3/15/2023 $ 45,000
5/24/2002 $ 37,400
8/29/1953 $ 19,600
2/10/2140 $ 87,700
8/20/2088 $ 68,900
2/18/1982 $ 30,000
1/23/2792 $ 325,820
Assumed Trust
16
Top 10 Social Networking Websites
1. Facebook2. YouTube3. Twitter 4. Squidoo5. Hubpages
17
6. MySpace7. LinkedIn8. Classmates9. Xanga10. Weebly
Facebook – Can You Do This?
My middle name __________, my age ___, my favorite soda _______, my birthday ___/___/___, whose the love of my life ______, my best friend _____, my favorite color ______, my eye color _______, my hair color ______ my favorite food ________ and my mom's name __________. Put this as your status and see who knows you best.
18
19
Your friend [Name here] just answered a question about you!
Was it possible that an old friend answered a question about me that I needed to "unlock?" Absolutely.
When you click on the link, the next screen should give you pause: 21 Questions is requesting permission to ... (a) access your name, profile picture, gender, networks, user ID, friends and any other information shared with everyone ... (b) send you email ... (c) post to your wall ... and ... (d) access your data any time ... regardless of whether or not you're using their application.
20
Look at the video I found of you! LOL.
21
Big Problems in One Click
We’re Stuck! (and 5 Things Never to Post)
You or Your Family's Full Birth Dates Your Relationship Status Your Current Location The Fact That You Are Home Alone Pictures of Your Kids Tagged With
Their Names
22
Secret Crush
23
Meet Sophie Draufster Born on Facebook and LinkedIn in 2010 Purpose: Social engineering of
executives at large consulting firms Facebook Friends: 105 LinkedIn Requests: 133 Divulging of PII: 73 Date Requests: 33
24
Spear Phishing Like phishing but targeted to a specific
person or group using personalized information that lends credibility.
Typically diverts to a spoofed web page requesting PII, card numbers, etc.
May request clicking link that downloads malware.
25
Linked-In and Spearphishing
26
Cybercriminals datamine LinkedIn for information about companies and employees.That information is used to launch spearphishing attacks. Corporate directories also exist online, providing a wealth of information for spearphishers.Malicious LinkedIn invitation reminders redirect you to a webpage that installs malware onto your computer. If you click, hackers can potentially steal your confidential data.
Top 5 Social Media Security Threats
Lack of a social media policy Your employees Social networking sites Social engineering Mobile apps
27
Should We Block SN Sites? “Allowing access to social network sites influences user
behavior in a way that increases corporate risk.” Chris Poulin, Chief Security Officer at Q1 Labs There is no need to block access to social network sites.
The risks can be easily addressed and the downsides of blocking are greater than potential problems.
Shel Holtz, Principal of Holtz Communication + Technology One study shows 54% of U.S. companies restrict
employees from visiting sites like Facebook, Twitter and LinkedIn.
28
Social Networking Headlines
Hackers hijack Obama's, Britney's Twitter accounts Twitter wrestles with multiple worm attacks Phishers, viruses target Facebook users Twitter/Google Apps hack raises questions about
cloud security High-profile organizations ban Facebook, Twitter Twitter victimized by distributed denial-of-service
attack Facebook shuts down Beacon program, donates
$9.5 million to settle lawsuit Facebook unveils controversial new privacy settings
29
Seven Most Lethal Social Networks Hacks
1. Impersonation and targeted personal attacks 2. Spam and bot infections 3. Weaponized OpenSocial and other social networking applications 4. Crossover of personal to professional online presence 5. XSS, CSRF attacks 6. Identity theft 7. Corporate espionage
30
Common Social Media Policies Be transparent Be connected Be thoughtful Strive for accuracy Do not mix personal with business Think twice before posting
31
Social Networking Policy “Employees are forbidden from using social networks to post or display comments about co-workers, supervisors that are vulgar, obscene, threatening, harassing, or a violation of Company XYZ’s policies on discrimination or harassment.” “Employees may not use social networks to disclose any confidential or proprietary information about Company XYZ or its employees, customers or business partners.” “Employees should refrain from speaking on behalf of Company XYZ when not authorized.”
32
Social Networking Policy (cont.)
Display a warning banner on all systems
Policy should state that company has right to inspect all computers on-site at will without notice
Policy should include employee’s own computer, cell phone, briefcase, purses, etc.
33
34
Are Passwords Effective Not always. Strong passwords are
difficult to impossible to crack Social engineering attacks are
effective against strong passwords Companies should have and enforce a
strong password policy. Companies should train employees to
social engineering attacks.35
Online Information About You
Name(s) Address Phone Birthdate Spouse Children High School
36
Workplace Education Relatives
Names Pets Names Criminal
History Email Address SSN (?)
37
Card Readers: Is Your PII Safe?
Guide to Computer Forensics and Investigations 37
SIM SD
Smart Card
Mag Stripe
38
39
40
41
Not on Windows 8!
42
Bring your system back from the dead!
Next … More hacks and theft of PII and IP Social engineering combined with hacks Office 2013 safer BYOD Cloud Computing XBRL Need for extensive employee training
43
Even reasonable intelligent people make
mistakes!
44
Even reasonable intelligent people make mistakes!
How much will those mistakes cost your
organization?
45
Grover Kearns, Ph.D., CPA, CFE, CITPGregory, Sharer & Stuart Term Professor
in Forensic Accounting