Digital Fraud Examination
The Institute of Digital Forensics
Digital Forensics Community
2006
Tokyo, Japan
Computer Technology
Changing the way fraud schemes are constructed
Changing the way investigators view crime scenes
Creates new tools for fraud examiners to use
Creates new opportunities for those who commit fraud
Creates new challenges for the courts
USA Trends in Computer Use
Computers – smaller and faster
2003 – women slightly more likely than men to use a computer in the home (trend reversal)
2003 – 56% of adults use computers at work
2003 – 95% of homes where income exceeds $100K have at least one computer
Source: 2005 US Census Report on Computer and Internet Use
2004 US Computer Crime and Security Survey
Only 54% of respondents could quantify losses
59% reported employee Internet abuse
20% reported serious incidents to law enforcement
2004 – losses due to computer security breaches totaled $141 million
Digital Fraud and Fraud Examination
Investigation requires different skill sets
Lacks a traditional paper audit trail
Requires understanding of the technology used to commit the fraud and the technology used by the target of the fraud
Usually requires specialized assistance even when the examiner has a high level of computer knowledge
The Role of the Computer
Computer as the Target: physical sabotage, theft, data destruction, intrusion, software piracy
Computer as an Instrument: embezzlement, IP theft, forgery, Internet fraud, solicitation, counterfeiting
Computer as a Repository of Evidence: intentional storage of pornography or other data used to facilitate the wrongful acts
Common Computer Crimes
Data alteration
Unauthorized access
E-mail interception
Data destruction
Internet consumer fraud
Theft and sale of proprietary data
Desktop counterfeiting
Cyber extortion
Identity theft
E-mail bombing
Software piracy
PBX fraud
Voice mail fraud
Cell phone and PDA fraud
Fraud definitions
Fraud – the intentional misrepresentation or concealment of information in order to deceive or mislead
Computer fraud – defalcation or embezzlement accomplished by tampering with programs, files, operations, equipment, or media, resulting in loss
Computer as a Tool for Fraud
Fraud by Computer Manipulation
Usually affects numeric data such as money on deposit or hours worked
Can involve theft of data such as credit card and Social Security numbers
Money transferred from one account to another to hide fraudulent transactions
Assets and liabilities moved from one account to another
Can also be accomplished remotely
Computer as a Tool for Fraud
Input Manipulation
Most common form of computer crime
Easily accomplished and hard to detect
Does not require sophisticated computer knowledge
Can be accomplished by lower-level data entry personnel
Involves deliberate entry of false information
Computer as a Tool for Fraud
Program Manipulation
Difficult to discover; often not recognized
Requires computer-specific knowledge
Involves alteration within a computer program or the addition of new programming code
The program can be designed to automate the alteration process and be delivered covertly, e.g. as a “Trojan Horse”
Computer as a Tool for Fraud
Output Manipulation
Targets the output of the computer system
Achieved by falsifying the instructions given to the computer at the input stage
Typically manifested as “Round-Down Fraud” or “Data Shaving”
Computer as a Tool for Fraud
Computer Aided Forgery and Desktop Counterfeiting
High-quality laser printers are perfect for this type of fraud
Photo modification programs make altering scanned images easy
Can also be accomplished with color copiers and transparent overlays
Can be difficult to detect
Computer-Assisted Crime
Much computer fraud falls into this category
Generally a typical illegal scheme that has evolved with the use of computers
Often existing statutes can be applied because the criminal activity fulfills the stated elements of those offenses
Computer Crime/ Fraud Schemes
Phishing
Scheme contains elements of social engineering
Goal is to fool the victim into believing that they are accessing a legitimate, recognizable site and to get them to enter account numbers, usernames, and passwords
Spear Phishing
Targeted attack focused on a corporate entity or government agency
Goal is to fool the employee into believing the e-mail message is from an internal department or authority such as IT or HR
Computer Crime/ Fraud Schemes
Pharming
Exploitation of a vulnerability in DNS (Domain Name System) resolution that lets an attacker control what a site’s domain name resolves to
The site’s web traffic is then redirected to a website the attacker controls, with no mistake required on the victim’s part
Can involve “DNS cache poisoning”
DNS poisoning – tricks a DNS server into accepting a forged answer as legitimate; the poisoned answer is cached and served to every other client of that server, who are then diverted to the attacker
Computer Crime/ Fraud Schemes
Counterfeit Check Scams
Several variations
Can be an advance fee scam
Often involves an Internet business transaction
One variation can cause the victim to participate unknowingly in a forgery by passing
Usually involves a digitally altered business check or counterfeit Travelers Checks
Computer Crime/ Fraud Schemes
Remote Access Trojans
Easily delivered through a number of different means
Easy to transfer from the victim to others
Fraudster can turn the victim machine into one node of a “botnet” linking hundreds or thousands of other “zombie” computers into a spam distribution network
The zombie network can be used for DoS attacks or brute-force password cracking
Remote Access Trojans
RATs can be set up to key on banking transactions on the infected machine or to feed identity theft
Can be transmitted via infected websites through ActiveX and JavaScript downloads
Botnets created through RATs are starting to use encryption to make them harder to find
Computer Crime/ Fraud Schemes
Key Logging
Software or hardware device
Designed to record the keystrokes from the keyboard in a continuous stream
Software key loggers are delivered like Trojans or viruses and are designed to report the information they have recorded back to the fraudster
Hardware key loggers are physically attached to the victim machine, then later retrieved and harvested
Computer Crime/ Fraud Schemes
Rootkits – a set of software tools designed to give an intruder access to a computer system
Designed to be cloaked
Persistent rootkits
Memory-based rootkits
User-mode rootkits
Kernel-mode rootkits
Hardware Key Loggers
Computer Crime/ Fraud Schemes
War Driving
Term comes from the act of driving around with a laptop in search of wireless access points
Range can be increased with a homemade directional antenna called a “Yagi antenna” (named after its Japanese inventor)
War driving with directional antennas can pinpoint wireless access points in buildings from the street
Homemade Yagi Antenna
War Driving Equipment
How far can it go?
DefCon WiFi Shootout 2005
College students using 12-foot satellite dishes and an unamplified signal won the competition at 125 miles!
What about BlueTooth?
It is wide open and vulnerable
Homemade equipment can access devices up to a mile away
Wireless Countermeasures
Use WEP at a minimum (caveat: WEP keys can be recovered from enough captured traffic, so treat it only as a deterrent to casual eavesdropping)
Use WPA if it is available for your devices
Change default SSIDs
Don’t describe your AP with your SSID
Don’t name the agency/company
Don’t name the division (e.g. accounting, security)
Don’t broadcast the SSID
Change default administrative passwords on the AP
Place the AP outside of your network’s firewall
Computer Crime/ Fraud Schemes
Packet Sniffing and Capture
Can be accomplished with wired or wireless access
Places the NIC into promiscuous mode
Eavesdropping on network traffic
Most experienced hackers can crack and penetrate systems if given time to capture enough network packets to derive a username and password
Computer Crime/ Fraud Schemes
Back Door Installation
Allows attackers to remotely access a system again in the future as an authenticated client
Uses an exploit to gain root-level access to set up the rogue account
Allows access even if the security exploit is discovered and patched
Installation and setup can be automated via a “worm”
Computer Crime/ Fraud Schemes
Social Engineering
Any method designed to obtain privileged information through point-to-point (person-to-person) trickery
Form of reasoning that takes into account human predictability
Fraudster can study known facts about an individual and guess what their password might be (e.g. driver’s license, SSN, kids’ names, pets, birth dates, etc.)
Computer Crime/ Fraud Schemes
Web Browser Exploits
Uses the common web browser to inject commands (e.g. SQL) into input that vulnerable web page code passes on to its backend
Can allow access to the data tables and information that support the web page
“Google hacking” can be used to find web sites that contain these vulnerabilities
Computer Crime/ Fraud Schemes
Cyber Extortion
Holding data for ransom
Usually involves a notice that the system has been hacked and access gained or data stolen
Involves a demand for payment to get the data back or to prevent release of the data to the general public
May involve a “protection” guarantee against other attackers
Computer Crime/Fraud Schemes
Theft of Intellectual Property
2004 Ibas Corporation Survey
Nearly 70% of business professionals say they have stolen some form of corporate IP when leaving a job
Most common forms are e-mail address books, sales proposals, customer lists and client contacts
Most common method of theft is e-mailing the data to a personal e-mail account
Insider Computer Aided Schemes
Billing Schemes
Invoicing schemes via “shell” companies
Invoicing schemes via non-accomplice vendors
Personal purchases with company funds
Billing Schemes
Involve falsified documents
Can involve the use of computer technology to fabricate or alter invoices
May involve a third-party accomplice
May involve a vendor who does not know that a fraud is in progress
May involve forged authorization
Insider Computer Aided Schemes
Payroll Schemes
Similar to billing schemes except that they cause disbursements to individuals instead of to other entities
Goal is to generate pay for work not performed
May involve “ghost” employees, falsified hours of work, or falsified commission reports
Payroll Schemes
For payroll schemes to work:
The beneficiary must somehow be added to the payroll by a person who has that level of authority
Timekeeping records must be falsified
A paycheck must be generated
Commission Schemes
Affect the volume of sales or the percentage of commission
Other Insider Schemes
Several other fraud schemes can involve manipulation of data that results in digital evidence
Skimming
Lapping
Check tampering
Batch Payment Scheme
An employee in charge of organizing the batch payment of several accounts in one payment inputs their own personal account information as part of the batch
Results in their personal bill being paid by the company
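The billing-scheme and batch-payment slides above describe the two signatures an examiner looks for in an accounts-payable batch: money routed to a shell company whose bank account belongs to an employee, and a genuine payee (such as a utility) whose service address is an employee’s home. As an added example that is not part of the original presentation, the following Python script runs that employee-vendor match over a payment batch. The employee records, payment records, account numbers and addresses are all constructed sample data.

```python
import re

# Constructed sample employee master file (hypothetical people and numbers)
EMPLOYEES = [
    {"id": "E-104", "name": "Jordan Example", "bank_account": "12345678",
     "address": "12 Elm St., Apt 4B, Springfield"},
    {"id": "E-221", "name": "Morgan Sample", "bank_account": "55566677",
     "address": "900 Oak Avenue, Springfield"},
]

# Constructed batch of outgoing payments, as the accounts-payable system would export it
PAYMENTS = [
    {"payment": "P-1", "vendor": "Acme Office Supply", "bank_account": "99900011",
     "address": "400 Industrial Pkwy, Springfield", "amount": 1250.00},
    # shell company: the invoices look real, but the money lands in an employee's account
    {"payment": "P-2", "vendor": "JE Consulting LLC", "bank_account": "1234-5678",
     "address": "PO Box 77, Springfield", "amount": 4800.00},
    # batch payment scheme: a real utility as payee, but the service address is an employee's home
    {"payment": "P-3", "vendor": "City Power & Light", "bank_account": "70000123",
     "address": "12 ELM ST APT 4B SPRINGFIELD", "amount": 212.40},
]


def normalize_account(value: str) -> str:
    """Keep digits only so '1234-5678' and '12345678' compare equal."""
    return re.sub(r"\D", "", value)


def normalize_address(value: str) -> str:
    """Crude canonical form: lowercase alphanumerics only. Enough to defeat case and
    punctuation differences; production matching would add abbreviation expansion."""
    return re.sub(r"[^a-z0-9]", "", value.lower())


def flag_payments(payments, employees):
    """Return the payments whose bank account or address matches an employee record,
    with the reason for each hit, so the examiner can pull the supporting invoices."""
    by_account = {normalize_account(e["bank_account"]): e["id"] for e in employees}
    by_address = {normalize_address(e["address"]): e["id"] for e in employees}
    flagged = []
    for p in payments:
        reasons = []
        emp = by_account.get(normalize_account(p["bank_account"]))
        if emp:
            reasons.append(f"bank account matches employee {emp}")
        emp = by_address.get(normalize_address(p["address"]))
        if emp:
            reasons.append(f"address matches employee {emp}")
        if reasons:
            flagged.append({"payment": p["payment"], "vendor": p["vendor"],
                            "amount": p["amount"], "reasons": reasons})
    return flagged


if __name__ == "__main__":
    for hit in flag_payments(PAYMENTS, EMPLOYEES):
        print(hit)
```

The account match catches the shell-company variant (P-2) and the address match catches the personal-bill variant (P-3); the legitimate supplier (P-1) is not reported. Both lookups are exact after normalization, so a fraudster who slightly varies an address will slip past this version; that is the reason to follow it with a fuzzy-match pass.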
Insider Computer Aided Schemes
Data Shaving
Involves the execution of unauthorized programs used to steal small amounts of assets from a large number of sources without noticeably reducing the whole
Also known as round-off (round-down) fraud
Data Diddling
Changing data before or during entry into the computer system
Form of computer input manipulation
Easy for data input operators to accomplish
Computer Aided Schemes -Evidence
Digital evidence may exist on the suspect’s machine in the form of stored or deleted graphics files
Printer spool files or remnants
Stored or deleted counterfeit documents
Evidence of connection to scanning equipment
Evidence of intent to gain knowledge about perpetrating the scheme, found in stored and deleted Internet cache files
Techniques to Aid in Detection
Use of intrusion detection systems
Monitor the network for events that could result in network compromise
Collect information resulting from web browser events such as JavaScript and ActiveX attacks
Send alerts triggered by known exploit activity and identify the compromised system
The system can then be examined for compromise investigation
Techniques to Aid in Detection
Web site log analysis
Correlates incoming Internet activity to the company web site
Reveals patterns by visitors intent on creating phishing sites
Information can be used to show the intent of the suspect to commit fraud
Can reveal patterns indicative of “click fraud”
Can be used to identify the location of the suspect
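One concrete form of the log analysis described above, as an added example that is not part of the original presentation: a phishing kit copies the victim company’s login page but usually hotlinks the real site’s logo and stylesheet, so when a victim views the phishing page their browser fetches those assets from the real web server with the Referer header pointing at the phishing site. The Python script below parses Apache combined-format log lines and groups asset requests by foreign referer host, giving the examiner the candidate phishing site, the assets it borrows and the IP addresses of the victims who viewed it. The hostnames and log lines are constructed.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Hypothetical victim site: requests referred from its own hostnames are legitimate
OWN_HOSTS = {"www.examplebank.example", "examplebank.example"}

# Static assets a phishing kit typically hotlinks from the real site
ASSET_RE = re.compile(r"\.(gif|png|jpe?g|css|js|ico)$", re.IGNORECASE)

# Apache/NCSA "combined" log format
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample log lines (documentation IP ranges and .example hostnames)
SAMPLE_LOG = """
203.0.113.5 - - [10/Oct/2006:13:55:36 -0700] "GET /img/logo.gif HTTP/1.1" 200 2326 "http://www.examplebank.example/login" "Mozilla/4.0"
198.51.100.7 - - [10/Oct/2006:14:02:11 -0700] "GET /img/logo.gif HTTP/1.1" 200 2326 "http://examplebank-secure-login.example/index.php" "Mozilla/4.0"
198.51.100.7 - - [10/Oct/2006:14:02:12 -0700] "GET /css/site.css HTTP/1.1" 200 8811 "http://examplebank-secure-login.example/index.php" "Mozilla/4.0"
198.51.100.31 - - [10/Oct/2006:14:05:40 -0700] "GET /img/logo.gif HTTP/1.1" 200 2326 "http://examplebank-secure-login.example/index.php" "Mozilla/4.0"
192.0.2.9 - - [10/Oct/2006:14:07:02 -0700] "GET /login HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
192.0.2.9 - - [10/Oct/2006:14:07:03 -0700] "GET /img/logo.gif?v=2 HTTP/1.1" 200 2326 "http://examplebank.example/login" "Mozilla/4.0"
""".strip().splitlines()


def parse_line(line: str):
    """Return the fields of one combined-format log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def hotlink_report(lines, own_hosts=OWN_HOSTS) -> dict:
    """Group asset requests by foreign referer host. Each host in the result is a
    candidate phishing site; each client IP under it is a candidate victim."""
    report = defaultdict(lambda: {"assets": set(), "client_ips": set(), "hits": 0})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        path = rec["path"].split("?", 1)[0]          # ignore cache-busting query strings
        if not ASSET_RE.search(path) or rec["referer"] == "-":
            continue
        host = urlsplit(rec["referer"]).hostname
        if not host or host in own_hosts:
            continue
        entry = report[host]
        entry["assets"].add(path)
        entry["client_ips"].add(rec["ip"])
        entry["hits"] += 1
    return dict(report)


if __name__ == "__main__":
    for host, entry in hotlink_report(SAMPLE_LOG).items():
        print(host, sorted(entry["assets"]), sorted(entry["client_ips"]), entry["hits"])
```

Legitimate third parties (search engines, partner sites) also show up as foreign referers, so the report is a triage list rather than a verdict; a host that pulls the login page’s complete set of assets from a lookalike domain is the pattern worth pursuing, and the client IPs become the list of customers to warn.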
Techniques to Aid in Detection
Internal Network Monitoring
Agent based
Proxy based
Sniffer based
Data Classification
Public
Sensitive
Confidential
Restricted
Products
Vontu
Vericept
CWAT
Net Vizor
Tablus
Packet Sure
Data Safe
IoLogics
Vidius
Neglected Digital Evidence
Systems involved in payroll and accounting should have logging features that record manual alterations to the data
Computers used to facilitate the access may contain digital evidence showing access to the data and the date and time
Digital Fraud Artifacts
Deleted documents
Document metadata
Link files
Print spool files
E-mail
Web cache files and logs
System Registry
Cell phones and PDAs
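Document metadata is one of the artifacts listed above. As an added example that is not part of the original presentation, the Python script below reads the core properties of an Office Open XML (.docx) package and applies three checks an examiner would run on a suspected fabricated or backdated invoice: a modification time earlier than the creation time, a creation time later than the date printed on the document, and a last-modified-by user who is not the recorded author. The sample package, user names and dates are constructed in memory so the script runs offline; the XML namespaces are the standard ones.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# Standard OOXML core-properties namespaces
NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
}
XSI = "http://www.w3.org/2001/XMLSchema-instance"


def build_sample_docx(creator, last_modified_by, created, modified) -> bytes:
    """Constructed stand-in for a seized .docx: a zip holding only the
    docProps/core.xml part, which is the only part the checks below read."""
    core = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        f'<cp:coreProperties xmlns:cp="{NS["cp"]}" xmlns:dc="{NS["dc"]}" '
        f'xmlns:dcterms="{NS["dcterms"]}" xmlns:xsi="{XSI}">'
        f"<dc:creator>{creator}</dc:creator>"
        f"<cp:lastModifiedBy>{last_modified_by}</cp:lastModifiedBy>"
        f'<dcterms:created xsi:type="dcterms:W3CDTF">{created}</dcterms:created>'
        f'<dcterms:modified xsi:type="dcterms:W3CDTF">{modified}</dcterms:modified>'
        "</cp:coreProperties>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("docProps/core.xml", core)
    return buf.getvalue()


def read_core_properties(docx_bytes: bytes) -> dict:
    """Pull author, last editor and timestamps out of docProps/core.xml."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        root = ET.fromstring(z.read("docProps/core.xml"))

    def text(tag):
        el = root.find(tag, NS)
        return el.text if el is not None else None

    return {
        "creator": text("dc:creator"),
        "last_modified_by": text("cp:lastModifiedBy"),
        "created": text("dcterms:created"),
        "modified": text("dcterms:modified"),
    }


def _w3cdtf(value: str) -> datetime:
    """Parse the UTC 'YYYY-MM-DDTHH:MM:SSZ' form Office writes."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def metadata_red_flags(props: dict, claimed_date: str) -> list:
    """Compare the file's metadata with the date printed on the document
    (claimed_date as 'YYYY-MM-DD') and return the inconsistencies found."""
    created, modified = _w3cdtf(props["created"]), _w3cdtf(props["modified"])
    claimed = datetime.strptime(claimed_date, "%Y-%m-%d").date()
    flags = []
    if modified < created:
        flags.append("modified timestamp precedes created timestamp")
    if created.date() > claimed:
        flags.append("file created after the date printed on the document")
    if props["creator"] != props["last_modified_by"]:
        flags.append(f"last edited by {props['last_modified_by']}, not the author {props['creator']}")
    return flags


if __name__ == "__main__":
    # Constructed scenario: an invoice dated 1 March that was actually built in September
    doc = build_sample_docx("vendor.billing", "jexample",
                            "2006-09-14T10:03:00Z", "2006-09-14T10:41:00Z")
    props = read_core_properties(doc)
    print(props)
    print(metadata_red_flags(props, "2006-03-01"))
```

These properties are written by the application and are trivial for a knowledgeable suspect to edit, so a clean result proves nothing; an inconsistent one, corroborated by file-system timestamps and the print spool artifacts listed above, is what supports a finding.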
Trends In Digital Fraud Investigation
Live digital forensics
Sensitive information extrusion detection and prevention
Use of forensic experts for consultation in the preparation for audits
Combining automated live forensic techniques with intrusion detection alerts
US Cyber Fraud Statistics
8th Annual CyberSource Survey
eCommerce fraud will grow to $3 billion
Percent of corporate revenue lost to fraud has been on a slow decline
1% of orders tend to be fraudulent, but about 4% of business is turned away due to the possibility of fraud
International orders tend to be 2.5% higher for risk of fraud
Online merchants are using more fraud detection tools – up 30% from 2005
Fraud Investigator of the Future
Needs to understand the technology used by the fraudster and the entity investigated
Needs to understand vulnerabilities of software and hardware
Needs to add computer forensic methodology to the investigative process
Needs to understand both the risk to physical security and the risk to network security
Needs to understand the risk to confidential and proprietary data
Questions?
Contact information
Richard D. Cannon, CFE, CFCE
Chief Investigator, Corporate Information
[email protected]
+1 830 714 7006