Digital Fraud Examination

The Institute of Digital Forensics

Digital Forensics Community

2006

Tokyo, Japan

Computer Technology

- Changing the way fraud schemes are constructed
- Changing the way investigators view crime scenes
- Creates new tools for fraud examiners to use
- Creates new opportunities for those who commit fraud
- Creates new challenges for the courts

USA Trends in Computer Use

- Computers – smaller and faster
- 2003 – Women slightly more likely than men to use a computer in the home (trend reversal)
- 2003 – 56% of adults use computers at work
- 2003 – 95% of homes where income exceeds $100K have at least one computer

Source: 2005 US Census Report on Computer and Internet Use

2004 US Computer Crime and Security Survey

- Only 54% of responders could quantify losses
- 59% reported employee Internet abuse
- 20% reported serious incidents to law enforcement
- 2004 – Losses due to computer security breaches totaled $141 million

Digital Fraud and Fraud Examination

- Investigation requires different skill sets
- Lacks traditional paper audit trail
- Requires understanding of technology used to commit the fraud and used by the target of fraud
- Usually requires specialized assistance even when the examiner has high level of computer knowledge

The Role of the Computer

Computer as the Target
- Physical sabotage, theft, data destruction, intrusion, software piracy

Computer as an Instrument
- Embezzlement, IP theft, forgery, internet fraud, solicitation, counterfeiting

Computer as a Repository of Evidence
- Intentional storage of pornography, other data used to facilitate the wrongful acts

Common Computer Crimes
- Data alteration
- Unauthorized Access
- E-mail interception
- Data destruction
- Internet consumer fraud
- Theft and sale of proprietary data
- Desktop counterfeiting
- Cyber Extortion
- Identity Theft
- E-mail Bombing
- Software Piracy
- PBX Fraud
- Voice Mail Fraud
- Cell Phone and PDA fraud

Fraud definitions

- Fraud – the intentional misrepresentation or concealment of information in order to deceive or mislead
- Computer Fraud – defalcation or embezzlement accomplished by tampering with programs, files, operations, equipment, or media resulting in loss

Computer as a Tool for Fraud

Fraud by Computer Manipulation
- Usually affects numeric data such as money-on-deposit or hours worked
- Can involve theft of data such as credit card and social security numbers
- Money transferred from one account to another to hide fraudulent transactions
- Assets and liabilities moved from one account to another
- Can also be accomplished remotely

Computer as a Tool for Fraud

Input Manipulation
- Most common form of computer crime
- Easily accomplished and hard to detect
- Does not require sophisticated computer knowledge
- Can be accomplished by lower level data entry personnel
- Involves deliberate entry of false information

Computer as a Tool for Fraud

Program Manipulation
- Difficult to discover; often not recognized
- Requires computer-specific knowledge
- Involves alteration within computer program or the addition of new programming code
- Program can be designed to automate the alteration process and delivered covertly, e.g. “Trojan Horse”

Computer as a Tool for Fraud

Output Manipulation
- Targets the output of the computer system
- Achieved by falsifying instructions to the computer in the input stage
- Typically manifested as “Round-Down Fraud” or “Data Shaving”

Computer as a Tool for Fraud

Computer Aided Forgery and Desktop Counterfeiting

- High quality laser printers perfect for this type of fraud
- Photo modification programs make altering scanned images easy
- Can also be accomplished with color copiers and transparent overlays
- Can be difficult to detect

Computer-Assisted Crime

- Much computer fraud falls into this category
- Generally a typical illegal scheme that has evolved with the use of computers
- Often existing statutes can be applied because the criminal activity fulfills the stated elements of those offenses

Computer Crime/ Fraud Schemes

Phishing
- Scheme contains elements of social engineering
- Goal is to fool the victim into believing that they are accessing a legitimate recognizable site and to enter account numbers, usernames, and passwords

Spear Phishing
- Targeted attack focused on a corporate entity or government agency
- Goal is to fool the employee into believing the e-mail message is from an internal department or authority such as IT or HR

Computer Crime/ Fraud Schemes

Pharming
- Exploitation of a vulnerability in the DNS (Domain Name Service) Server that allows a hacker to acquire the Domain Name for a site
- The site’s website traffic is then redirected to another website
- Can involve “DNS cache poisoning”

DNS Poisoning – tricks the DNS server into believing it is receiving legitimate information when it is not – the cached information is then spread to other users who are then diverted to the attacker

Computer Crime/ Fraud Schemes

Counterfeit Check Scams
- Several variations
- Can be an advance fee scam
- Often involves an internet business transaction
- One variation can cause the victim to participate unknowingly in a forgery by passing
- Usually involves a digitally altered business check or counterfeit Travelers Checks

Computer Crime/ Fraud Schemes

Remote Access Trojans
- Easily delivered through a number of different means
- Easy to transfer from victim to others
- Fraudster can turn victim machine into “Botnet” linking to 100’s or 1000’s of other machines in spam distribution network of “zombie” computers
- Zombie network can be used for DoS attacks or password cracking brute force attacks

Remote Access Trojans

- RATs can be set up to key on banking transactions on the infected machine or for ID theft
- Can be transmitted via infected websites through ActiveX and JavaScript downloads
- Botnets created through RATs are starting to use encryption technology to make it more difficult to find them

Computer Crime/ Fraud Schemes

Key Logging
- Software or hardware device
- Designed to record the keystrokes from the keyboard in a continuous stream
- Software key loggers are delivered like Trojans or Viruses and are designed to report back to the fraudster information they have recorded
- Hardware key loggers are physically attached to the victim machine then later retrieved and harvested

Computer Crime/ Fraud Schemes

Root Kits – set of software tools designed to give an intruder access to a computer system

- Designed to be cloaked
- Persistent root kits
- Memory-based root kits
- User-mode root kits
- Kernel-mode root kits

Hardware Key Loggers

Computer Crime/ Fraud Schemes

War Driving
- Term comes from the act of driving around with a laptop in search of wireless access points
- Range can be increased with a homemade directional antenna called a “Yagi Antenna” (named after the Japanese inventor)
- War driving with directional antennas can pinpoint wireless access points in buildings from the street

Homemade Yagi Antenna

War Driving Equipment

How far can it go?

DefCon WiFi Shootout 2005
- College students using 12 foot Satellite Dishes and unamplified signal won the competition at 125 miles!

What about BlueTooth?

- It’s wide open and vulnerable
- Homemade equipment can access devices up to a mile away

Wireless Countermeasures
- Use WEP at a minimum
  - Use WPA if it is available for your devices
- Change default SSIDs
- Don’t describe your AP with your SSID
  - Don’t name the agency/company
  - Don’t name the division (e.g. accounting, security)
- Don’t broadcast the SSID
- Change default administrative passwords on the AP
- Place AP outside of your network’s firewall

Computer Crime/ Fraud Schemes

Packet Sniffing and Capture
- Can be accomplished with wired or wireless access
- Places the NIC into promiscuous mode
- Eavesdropping on network traffic
- Most experienced hackers can crack and penetrate systems if given time to capture enough network packets to derive user name and password

Computer Crime/ Fraud Schemes

Back Door Installation
- Allows attackers to remotely access a system again in the future as an authenticated client
- Uses exploit to gain root level access to set up the rogue account
- Allows access even if security exploit is discovered and patched
- Can be automated installation and setup via “Worm”

Computer Crime/ Fraud Schemes

Social Engineering
- Any method designed to obtain privileged information through point to point trickery
- Form of reasoning that takes into account human predictability
- Fraudster can study known factors about an individual and guess what their password might be (e.g. driver’s license, SSN, kids’ names, pets, birth dates, etc.)

Computer Crime/ Fraud Schemes

Web Browser Exploits
- Uses the common web browser to inject commands into vulnerable web page code
- Can allow access to data tables and information that supports the web page
- “Google hacking” can be used to find web sites that contain these vulnerabilities

Computer Crime/ Fraud Schemes

Cyber Extortion
- Holding data for ransom
- Usually involves a notice that system has been hacked and access gained or data stolen
- Involves a demand for payment to get data back or to prevent release of the data to the general public
- May involve protection guarantee from other attackers

Computer Crime/Fraud Schemes

Theft of Intellectual Property

2004 Ibas Corporation Survey
- Nearly 70% of business professionals say they have stolen some form of corporate IP when leaving a job
- Most common forms are: e-mail address books, sales proposals, customer lists and client contacts
- Most common method of theft is through e-mailing to a personal e-mail account

Insider Computer Aided Schemes

Billing Schemes
- Invoicing Schemes
  - via “Shell” Companies
  - via non-accomplice vendors
- Personal purchases with company funds

Billing Schemes

- Involve falsified documents
- Can involve the use of computer technology to fabricate or alter invoices
- May involve a third party accomplice
- May involve a vendor who does not know that a fraud is in progress
- May involve forged authorization

Insider Computer Aided Schemes

Payroll Schemes
- Similar to billing schemes except that they cause disbursements to individuals instead of to other entities
- Goal is to generate pay for work not performed
  - May involve “ghost” employees,
  - Falsified hours of work, or
  - Falsified commission reports

Payroll Schemes

For Payroll schemes to work
- Must somehow be added to the payroll by a person who has that level of authority
- Must have time keeping records falsified
- A pay check must be generated

Commission Schemes
- Affect the volume of sales or the percentage of commission
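The three conditions listed above for a payroll scheme (someone with authority adds the payee, time records are falsified, a pay check is generated) each leave data that can be cross-matched. The following is an added example, not part of the original presentation; the record layouts, user names and sample values are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample data, not from the presentation.
HR_ROSTER = {  # employee id -> user who created the HR record
    "E100": "hr_alice",
    "E101": "hr_alice",
    "E102": "pay_bob",
}
TIMESHEETS = {"E100": 160, "E101": 152, "E102": 160, "E103": 160}  # hours claimed
BADGE_DAYS = {"E100": 20, "E101": 19}  # days with door-badge or login activity
PAYCHECKS = [  # (employee id, bank account, user who processed the payroll run)
    ("E100", "ACCT-1", "pay_bob"),
    ("E101", "ACCT-2", "pay_bob"),
    ("E102", "ACCT-3", "pay_bob"),
    ("E103", "ACCT-1", "pay_bob"),
]


def ghost_indicators(roster, timesheets, badge_days, paychecks):
    """Return {employee id: [indicator, ...]} for every paid employee whose
    records show one or more ghost-employee indicators."""
    by_account = defaultdict(set)
    for emp, acct, _ in paychecks:
        by_account[acct].add(emp)

    flags = defaultdict(list)
    for emp, acct, processor in paychecks:
        # Condition 1: who put the payee on the payroll?
        if emp not in roster:
            flags[emp].append("paid but not on HR roster")
        elif roster[emp] == processor:
            flags[emp].append("added and paid by same user")
        # Condition 2: claimed hours with no independent sign of presence.
        if timesheets.get(emp, 0) > 0 and badge_days.get(emp, 0) == 0:
            flags[emp].append("hours claimed with no badge or login activity")
        # Condition 3: where the generated pay check actually went.
        others = sorted(by_account[acct] - {emp})
        if others:
            flags[emp].append("bank account shared with " + ", ".join(others))
    return dict(flags)


if __name__ == "__main__":
    result = ghost_indicators(HR_ROSTER, TIMESHEETS, BADGE_DAYS, PAYCHECKS)
    for emp, reasons in sorted(result.items()):
        print(emp, "->", "; ".join(reasons))
```

An indicator is a lead for examination, not proof: a shared bank account, for example, can belong to two family members who both work for the company.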

Other Insider Schemes

Several other fraud schemes can involve manipulation of data that results in digital evidence
- Skimming
- Lapping
- Check Tampering

Batch Payment Scheme

- Employee in charge of organizing the batch payment of several accounts on one payment
- Inputs their own personal account information as part of the batch payment
- Results in their personal bill being paid by the company

Insider Computer Aided Schemes

Data Shaving
- Involve the execution of unauthorized programs used to steal small amounts of assets from a large number of sources without noticeably reducing the whole.
- Also known as Round-Off fraud

Data Diddling
- Changing of data before or during entry into the computer system
- Form of computer input manipulation
- Easy for data input operators to accomplish
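Data shaving, described above and under Output Manipulation as “Round-Down Fraud”, is found by recomputing each posting independently and looking at the direction of the differences. The following is an added example, not part of the original presentation; the interest rate, the half-up rounding policy, the account numbers and all amounts are constructed assumptions.

```python
from collections import defaultdict
from decimal import Decimal, ROUND_HALF_UP

CENT = Decimal("0.01")
RATE = Decimal("0.005")  # assumed monthly interest rate

# Constructed sample data: (account, balance, interest actually posted).
POSTINGS = [
    ("A-1001", Decimal("1234.56"), Decimal("6.17")),
    ("A-1002", Decimal("980.10"), Decimal("4.90")),
    ("A-1003", Decimal("15000.00"), Decimal("75.00")),
    ("A-1004", Decimal("333.90"), Decimal("1.66")),
    ("A-1005", Decimal("2719.80"), Decimal("13.59")),
    ("A-1006", Decimal("1555.00"), Decimal("7.77")),
]
# Constructed credits that have no supporting source document.
UNSUPPORTED_CREDITS = [
    ("A-9999", Decimal("0.02")),
    ("A-9999", Decimal("0.01")),
    ("A-2000", Decimal("5.00")),
]


def reconcile(postings, rate):
    """Recompute each posting under the documented rounding policy
    (assumed here: half-up to the cent) and return every mismatch."""
    findings = []
    for account, balance, posted in postings:
        expected = (balance * rate).quantize(CENT, rounding=ROUND_HALF_UP)
        if posted != expected:
            findings.append((account, expected, posted, posted - expected))
    return findings


def assess(findings, unsupported_credits):
    """Summarise the mismatches and look for an account absorbing them."""
    diffs = [diff for _, _, _, diff in findings]
    shortfall = -sum(diffs, Decimal("0"))
    credited = defaultdict(Decimal)
    for account, amount in unsupported_credits:
        credited[account] += amount
    return {
        "shortfall": shortfall,
        # Mismatches that are always negative point at deliberate
        # round-down rather than noise.
        "one_sided": bool(diffs) and all(d < 0 for d in diffs),
        # Accounts whose unsupported credits equal the total shortfall.
        "sinks": sorted(a for a, t in credited.items() if t == shortfall),
    }


if __name__ == "__main__":
    found = reconcile(POSTINGS, RATE)
    for row in found:
        print(row)
    print(assess(found, UNSUPPORTED_CREDITS))
```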

Computer Aided Schemes -Evidence

Digital Evidence
- May exist on the suspect’s machine in the form of stored or deleted graphics files
- Printer spool files or remnants
- Stored or deleted counterfeit documents
- Evidence of connection to scanning equipment
- Evidence of intent to gain knowledge about perpetrating the scheme found in stored and deleted internet cache files

Techniques to Aid in Detection

Use of Intrusion Detection systems
- Monitor network for events that could result in network compromise
- Collect information resulting from Internet Web browser events such as JavaScript and ActiveX attacks
- Sends alerts triggered by known exploit activity and defines compromised system
- System can then be examined for compromise investigation

Techniques to Aid in Detection

Web site log analysis
- Correlates incoming internet activity to company web site
- Reveals patterns by visitors intent on creating phishing sites
- Information can be used to show the intent of the suspect to commit fraud
- Can reveal patterns indicative of “Click Fraud”
- Can be used to identify location of suspect

Techniques to Aid in Detection

Internal Network Monitoring

- Agent based
- Proxy based
- Sniffer based

Data Classification
- Public
- Sensitive
- Confidential
- Restricted

Products
- Vontu
- Vericept
- CWAT
- Net Vizor
- Tablus
- Packet Sure
- Data Safe
- IoLogics
- Vidius

Neglected Digital Evidence
- Systems involved in payroll and accounting should have logging features that will record manual alterations to the data
- Computers used to facilitate the access may contain digital evidence showing access to the data and the date and time

Digital Fraud Artifacts

- Deleted Documents
- Document Meta Data
- Link Files
- Print Spool Files
- E-mail
- Web Cache Files and logs
- System Registry
- Cell Phones and PDA’s

Trends In Digital Fraud Investigation

- Live Digital Forensics
- Sensitive Information extrusion detection and prevention
- Use of forensic experts for consultation in the preparation for Audits
- Combining automated live forensic techniques with intrusion detection alerts

US Cyber Fraud Statistics

8th Annual Cyber Source Survey
- eCommerce Fraud will grow to $3 billion
- Percent of corporate revenue loss due to fraud has been on a slow decline
- 1% of orders tend to be fraudulent but about 4% of business is turned away due to the possibility of fraud
- International orders tend to be 2.5% higher for risk of fraud
- Online merchants using more fraud detection tools – up 30% from 2005

Fraud Investigator of the Future

- Needs to understand technology used by the fraudster and the entity investigated
- Needs to understand vulnerabilities of software and hardware
- Needs to add computer forensic methodology to investigative process
- Needs to understand both the risk to physical security and network security
- Needs to understand the risk to confidential and proprietary data

Questions?

Contact information

Richard D. Cannon CFE, CFCE
Chief Investigator Corporate Information
[email protected]
+1 830 714 7006