TECHNOLOGY TOOLS IN FORENSIC ACCOUNTING INVESTIGATION
May 29, 2010. Posted by maskokilima in Sekolah, Tax.
Tags: ACL, EDP Audit, Forensic Accounting, Hardware Write Blocker, Hash Calculator, Helix, Indonesian Taxation Office, Investigation, MD5Sum, Passware Forensic, SHA-1, SHA-2, UltraBlock
In today's life people are constantly in contact with digital equipment. While many areas of our lives benefit from this technology, some areas are vulnerable to its negative effects. In the case of fraud, many perpetrators use digital equipment as a tool to help them commit the fraud. Smith (2005, p 119) argues that “almost every financial fraud incorporates the use of computer and digital equipments…” Digital equipment such as a computer can also be the target of fraud. Volonino, Anzaldua and Godwin (2007, p 6) divide computer crimes into two categories: those in which the computer is the target and those in which it is the tool. Crimes against a computer include attacks on networks that cause them to crash, and unauthorized access to, or tampering with, information systems, programs or data. In addition, digital evidence differs from ordinary documentary evidence: it can easily and unintentionally be destroyed, and made inadmissible as courtroom evidence, either by the perpetrators or by the people who first find it (Smith, 2005). From the auditor's perspective, then, technology is essentially an enemy where fraud is concerned.
Fortunately, like a double-edged sword, technology is also the auditor's friend in uncovering fraud. Because a computer can be both the target and the tool of a fraud, the data stored on it can be ideal evidence of that fraud. If auditors know the correct way to preserve, acquire and analyse the data stored on a computer suspected of being the target of a fraud, or of having been used as a tool in one, that data becomes high-quality evidence in court. Pearson and Singleton (2008) argue that the ability to obtain, manage and analyse digital evidence is critical to the success of the future accounting professional. On balance, then, the benefits of technology such as computers and other digital equipment outweigh its negative side. This article explains the evolution of the technology used in investigations, reviews the tools commonly used in digital forensics by forensic accountants, and evaluates the use of those tools.
2. The history of computer forensics in investigation
Sheetz (2007) states that in order to understand the evolution of the technology used in forensic accounting investigation, we have to understand the machines themselves. Sheetz (2007) divides the evolution of the computer into three categories: size, languages and networks. The first computers, built in the early 1950s, were housed in buildings dedicated solely to their operation (Sheetz 2007). Today we see people walking down the street carrying their computers.
The second of Sheetz's categories is programming languages. The first computers performed only the single task they were built for; they were not programmable in the way we understand today. The first programs were written directly in the computer's binary code, a series of 0s and 1s. The second layer, assembly language, replaced those binary codes with human-readable mnemonics. Building on that layer, an IBM team led by John Backus created FORTRAN, and the computer revolution began. Following FORTRAN, many languages far simpler than machine language were developed.
The last category in the evolution of the computer is networks, culminating in the internet. The idea of connecting computers together began when the research facilities at the University of California at Los Angeles, the University of California at Santa Barbara, the Stanford Research Institute and the University of Utah developed ARPANET (Advanced Research Projects Agency Network). From this humble four-node network the internet grew to the scale we see today. Connecting a computer to the internet, whether for exchanging information, e-commerce or even defence, is a necessity in today's world.
Returning to the technology used in fraud investigation, we can refer to the history of audit technology. Elliott and Jacobson (1987) describe the evolution of EDP (electronic data processing) audit in the USA. According to them, EDP audit began in the 1960s when the American Institute of Certified Public Accountants (AICPA) published Auditing and EDP; the ideas in that book later appeared in many auditing standards issued by the AICPA. Elliott and Jacobson explain that in the early stage of EDP auditing, auditors audited 'around the computer', relying on user controls and verifying output by its relationship to the input. The next level was the use of test data: the auditor ran test data through the client's computer and compared independently calculated results with those produced by the client's system. Generalized audit software soon became available and provided a simpler approach.
Pearson and Singleton (2008) state that the idea of digital or computer forensics emerged in the mid-1980s, when the FBI implemented its Magnetic Media Program and performed only three computer examinations. According to them, digital evidence was institutionalized in 1995 with the formation of the International Organization on Computer Evidence (IOCE). Computer forensics as a discipline has therefore existed for only a little over two decades.
3. Investigation tools
Forensic accountants conducting investigations in the internet era use many investigation tools, ranging from data mining and data analysis software to, sometimes, the same tools used by hackers. Some of the tools used by forensic accountants are described below.
3.1 Helix3
Helix3 (www.e-fense.com) is described as “an internal tool to provide the ability to acquire forensically sound images of many types of hard drives and partitions on systems running unique setups such as RAID arrays” (Gleason & Fahey, 2006, p 9). Many products offer the capabilities Helix has. Helix differs from most other imaging software, however, because it was developed on Knoppix (a variant of Linux), which is open source and free. At the time of writing e-fense, Inc. sells Helix3 Pro to digital forensic examiners with a compulsory one-year forum membership for US$239, while Helix3 2009R1, the beta version of Helix3 Pro, can be downloaded free of charge.
Helix runs in three environments, Mac OS X, Windows and Linux, with one simple interface. It can be used either for live forensic imaging or as a forensically sound environment from which to boot any x86 system. Because turning off a suspect computer may destroy evidence, digital forensic examiners do so with extra care. Before booting a suspect computer from Helix, the preferred way to turn it off is to pull the power plug: pressing the shutdown button lets the operating system run its shutdown sequence, which writes to the disk. Pulling the plug, however, discards everything in RAM, so if volatile data matter (running processes, network connections, encryption keys) they should be captured first with the live method, which can image memory with dd, and the plug pulled afterwards. The bootable Helix runs on the Linux side; once the boot process finishes, X Windows starts automatically and presents the Helix desktop. By default Helix treats all devices on the target computer as read-only, so they cannot easily be modified even from within Helix itself, although the examiner should still confirm that no partition, including Linux swap, has been mounted read-write.
The other way of using Helix is live. This is the best method for acquiring a disk image from a system that cannot be turned off or taken offline for an extended period. Before using Helix live you should first read the warning. As the manual points out several times, using Helix in a live environment will make changes to the system; that is one of the inherent risks of a live-response situation. Even inserting the CD has already modified the system, and simply leaving the system turned on modifies it. You therefore have to make your decision and, when ready, press the “I Agree” button to continue. Once the user accepts the agreement, the main screen appears.
There is no difference in the applications Helix offers between the bootable and the live method. Helix offers six main options for examining the system under investigation (Gleason & Fahey, 2006), described below:
Preview System Information
This option provides basic information about the system: operating system version, network information, owner information and a summary of the drives on the system.
Acquire a “live” image of a System using dd
This option allows the investigator to make exact copies of hard drives, floppy disks or memory and store them on local removable media or over a network.
Incident Response tools for Operating Systems
This option provides access to 20 tools, all of which can be run directly from the CD-ROM. Once you click the icon, a small triangle appears next to it; clicking the triangle gives access to the other pages of tools.
Documents pertaining to Incident Response, Computer Forensics, Computer Security & Computer Crime
This option gives the user access to common reference documents in PDF format, including a chain-of-custody form, information on the preservation of digital evidence, a Linux forensics guide for beginners and a guide to the forensic examination of digital evidence. These documents are highly recommended, and the investigator should review them before attempting any forensic examination.
Browse contents of the CD-ROM and Host OS
This is a simple file browser that provides the investigator with information about the selected file: the file name, created, accessed and modified dates, attributes, CRC, MD5 and file size.
Scan for Pictures from a system
This tool allows the investigator to scan the suspect system quickly for suspect graphic images. Many graphic formats are recognized and displayed as thumbnails.
The acceptability of evidence prepared and managed with Helix is recognized by many digital forensic examiners and law enforcement agencies. Gleason and Fahey (2006) claim that many government agencies and law enforcement bodies across the globe, including the Indonesian Taxation Office, have adopted Helix as their forensic acquisition standard because of its functionality and cost effectiveness. Although Helix will make changes to the system in a live environment, the forensic accountant can compensate for this weakness with other tools and controls (a hardware write blocker for dead acquisitions, hashing of every image, and a written log of each action taken on the live system) so that the digital evidence remains admissible in court.
3.2 ACL Desktop
Audit Command Language (ACL) is developed by ACL Services Ltd (www.acl.com). Foundation of ACL concepts and practices (2006, p 2) defines ACL as a tool for reading and analysing many types of files scattered across numerous databases on different platforms. ACL Services Ltd claims that ACL provides immediate visibility into the transactional data critical to an organization, enabling it to: analyse entire data populations for complete assurance; identify trends, pinpoint exceptions and highlight potential areas of concern; locate errors and potential fraud; identify control issues and ensure compliance with organizational and regulatory standards; age and analyse financial or other time-sensitive transactions; and cleanse and normalize data to ensure consistent and accurate results (www.acl.com). In generic terms ACL is Generalized Audit Software (GAS).
ACL maintains data integrity through read-only access to every data source it opens, so the source data is never changed, altered or deleted. Mason (2007) explains that rule 901 of the US Federal Rules of Evidence requires evidence submitted in court to be authenticated, and states that data integrity is one of six factors that go to proving the authenticity of evidence. Read-only access by the analysis tool does not by itself prove integrity, however: the auditor should still record a hash of the extracted data set when it is received, so that the copy analysed can later be shown to be the copy obtained.
ACL features built-in analysis commands, so no programming language is needed. For automating analytical procedures, ACL also provides a scripting facility for auditors who want more customized, programmable commands.
One of the analysis commands in ACL is Benford's Law analysis. In auditing, and especially in fraud detection, Benford's Law is commonly used as an analysis tool by internal, external and governmental auditors (Cleary & Thibodeau 2005). ACL applies Benford's Law digit by digit rather than as a single overall test, as statisticians would (Cleary & Thibodeau 2005). Consequently, according to Cleary and Thibodeau (2005), auditors who want to rely on this analysis should understand that the digit-by-digit approach used by ACL raises the chance of a false positive (a Type I error), because nine separate tests are run, so a flagged digit is a lead to be investigated rather than proof of fraudulent entries.
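As an added example (not ACL's own code), the digit-by-digit first-digit test described above, in Python: each of the nine digits gets its own z-test against the Benford proportion log10(1 + 1/d), using the 1/(2n) continuity correction and a 1.96 threshold (the 5% level, an assumption of this example). The transaction list is constructed for the example: 100 amounts roughly following Benford plus 20 invoices kept just below a hypothetical 9,000 approval limit, the kind of pattern a digit test is meant to surface.

```python
"""Digit-by-digit first-digit Benford's Law test over transaction amounts.

Added example, not ACL's code: it reproduces the kind of per-digit test the
text describes, using the z-statistic commonly used for Benford analysis.
"""
import math
from collections import Counter

# Expected first-digit proportions under Benford's Law: P(d) = log10(1 + 1/d)
BENFORD_EXPECTED = {d: math.log10(1 + 1 / d) for d in range(1, 10)}


def first_digit(amount):
    """Return the first significant digit of a non-zero amount, else None."""
    if amount == 0:
        return None
    # Scientific notation puts the first significant digit first: 8900 -> '8.9e+03'
    return int(f"{abs(amount):e}"[0])


def benford_first_digit(amounts, z_threshold=1.96):
    """Run nine separate tests (one per digit), as the text says ACL does.

    For each digit the z-statistic compares the observed proportion with the
    Benford expectation, with the usual continuity correction of 1/(2n).
    Returns (per-digit table, list of digits whose z exceeds the threshold).
    """
    digits = [d for d in (first_digit(a) for a in amounts) if d is not None]
    n = len(digits)
    counts = Counter(digits)
    table = {}
    flagged = []
    for d in range(1, 10):
        observed = counts.get(d, 0) / n
        expected = BENFORD_EXPECTED[d]
        diff = abs(observed - expected)
        correction = 1 / (2 * n)
        # The correction is applied only when it is smaller than the difference
        numerator = diff - correction if diff > correction else diff
        z = numerator / math.sqrt(expected * (1 - expected) / n)
        table[d] = {"count": counts.get(d, 0), "observed": observed,
                    "expected": expected, "z": z}
        if z > z_threshold:
            flagged.append(d)
    return table, flagged


def sample_transactions():
    """Constructed sample: 100 amounts roughly following Benford, plus 20
    fabricated invoices kept just under a hypothetical 9,000 approval limit."""
    base_counts = {1: 30, 2: 18, 3: 12, 4: 10, 5: 8, 6: 7, 7: 6, 8: 5, 9: 4}
    amounts = []
    for d, count in base_counts.items():
        # d * 10000 plus a small offset keeps the first digit equal to d
        amounts.extend(d * 10000 + 137 * i + 0.25 for i in range(count))
    amounts.extend(8900 + 5 * i for i in range(20))  # the suspicious cluster
    return amounts


if __name__ == "__main__":
    table, flagged = benford_first_digit(sample_transactions())
    for d, row in table.items():
        print(f"{d}: n={row['count']:3d} obs={row['observed']:.3f} "
              f"exp={row['expected']:.3f} z={row['z']:.2f}")
    print("digits to investigate:", flagged)
```

Only digit 8 exceeds the threshold, and that is the lead the auditor should chase (who raised those invoices, and why they cluster just under the limit). With nine tests at the 5% level, though, roughly one data set in twenty will have some digit flagged by chance alone, which is the Type I danger Cleary and Thibodeau describe: the z-scores are a triage signal, not evidence.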
At the time of writing the latest version is ACL Desktop 9.1, whose main improvement is that it can read and analyse PDF files. Despite its powerful functions, however, ACL is quite expensive: in Indonesia the retail price of ACL Desktop is US$3,000 for two users, including a one-year subscription to ACL support.
3.3 UltraBlock
UltraBlock (www.digitalintelligence.com) is a brand of forensic hardware write blocker. The purpose of this hardware is to prevent the forensic accountant from modifying the data being accessed. It is very important that the data submitted to a court as evidence remains authentic, so when the evidence is accessed and analysed great care must be taken not to modify, change or alter it. A hardware blocker enforces this at the drive interface regardless of what the examiner's operating system tries to do, which is why it is preferred over relying on software read-only settings alone. Any write blocker should itself be validated before use (the US NIST Computer Forensic Tool Testing program publishes test results for write blockers) and the validation recorded. UltraBlock is compatible with all leading imaging software, including Helix and EnCase.
Digital Intelligence offers UltraBlock as a complete kit (UltraKit III) or as separate devices. The UltraKit retail price ranges from about US$1,369 to US$1,599 (plus FireWire). UltraKit III consists of four main products and their accessories, and the main products can be bought separately: the UltraBlock eSATA IDE-SATA Write Blocker, UltraBlock SCSI, UltraBlock USB and UltraBlock Forensic Card Reader.
The UltraBlock eSATA IDE-SATA is an eSATA/FireWire/USB to parallel IDE/SATA bridge board with forensic write protection. By connecting a suspect drive through the UltraBlock IDE-SATA, the forensic accountant can be assured that no writes, modifications or alterations can occur to the attached drive. The UltraBlock SCSI is used to acquire data from a SCSI hard drive in a forensically sound, write-protected environment; together these two devices let the forensic accountant access and analyse forensically every type of hard drive on the market today. The UltraBlock Forensic USB Write Blocker brings secure, hardware-based write blocking to USB mass storage devices, and the UltraBlock Forensic Card Reader can be used for writing and for the forensic acquisition of information on multimedia and memory cards. All of these devices are set to 'Read Only' by default, but when necessary the forensic accountant can configure them to 'Read Write' for testing or validation purposes; the examiner must confirm the device is back in the read-only setting before an evidence drive is attached.
3.4 Advance Hash Calculator
Maintaining the integrity of evidence is one of the forensic accountant's chief concerns. Once the integrity of evidence is questionable, the evidence loses its weight in court; in the worst case it will be ruled inadmissible. One method of maintaining data integrity in digital forensics is the hash value: a fixed-length digest computed over the whole image or file, which changes if even a single bit of the data changes. The common hash methods are MD5 and SHA-1, and these are included in imaging software such as Helix and EnCase. Advance Hash Calculator, however, offers more than MD5 and SHA-1.
Advance Hash Calculator, developed by Filesland (http://www.filesland.com/hashcalc/), supports the CRC32, GOSThash, MD2, MD4, MD5, SHA-1, SHA2-256, SHA2-384 and SHA2-512 algorithms. Although MD5 and SHA-1 are the common hashing methods, both are vulnerable to collision attacks: Wang and Yu (2005) showed practical collisions for MD5, and the same research group published a collision attack on SHA-1 in the same year. NIST, part of the US Department of Commerce, has announced that US federal agencies must move to the SHA-2 family after 2010 (http://csrc.nist.gov/groups/ST/hash/policy.html). By recording a SHA-2 digest (SHA2-256 or stronger) alongside the MD5 value that older tools produce, the forensic accountant avoids relying on an algorithm with known collision attacks. The older MD2 and MD4 algorithms are weaker still, and CRC32 is an error-detecting checksum rather than a cryptographic hash, so none of those three should be used for evidence integrity.
3.5 Passware Kit Forensic
Passware Kit Forensic (www.lostpassword.com) is an evidence discovery tool that reports all password-protected items on a computer and gains access to them using fast decryption and password recovery algorithms. Passware can recover many types of password, including difficult and strong ones. Passware Kit Forensic includes a portable version that runs from a USB drive and finds encrypted files and recovers file and website passwords without modifying files or settings on the host computer. Passware Kit Forensic is also able to decrypt BitLocker- and TrueCrypt-protected hard disks, a capability that relies on recovering the volume keys from the running system's memory rather than on breaking the ciphers, which is a further reason to capture memory before powering a suspect machine down. Passware Kit Forensic is suitable for forensic purposes and maintains the authenticity of evidence.
The main weakness of Passware is that its basic methods (Dictionary, Xieve, Brute-force and Known/Previous Passwords) are built for English passwords. If the password is set in a language other than English, Passware needs a long time to recover it, unless the forensic accountant knows enough about password attacks to customize the method through the new attack editor function. Another weakness is its price: Passware Kit Forensic is offered at US$795 for a single user.
4. Evaluation of Digital Forensic Tools
McKemmish (1999) defines digital forensics as the “process of identifying, preserving, analyzing, and presenting digital evidence in a manner that is legally acceptable” (cited in Lim 2008, p 7). A forensic accountant who wants to uncover fraud in a digital environment must therefore comply with the rules of evidence if the digital evidence is to be admissible in court. IOCE (2002, p 11) states the following general principles regarding digital evidence:
- The general rules of evidence should be applied to all digital evidence.
- Upon seizing digital evidence, actions taken should not change that evidence.
- When it is necessary for a person to access original digital evidence, that person should be suitably trained for the purpose.
- All activity relating to the seizure, access, storage or transfer of digital evidence must be fully documented, preserved and available for review.
- An individual is responsible for all actions taken with respect to digital evidence whilst the digital evidence is in their possession.
This guidance helps the forensic accounting profession to identify, analyse and present digital evidence that is admissible in court.
The investigation tools described above help the forensic accountant to detect, deter and resolve fraud faster. Golden, Skalak and Clayton (2006) state that handling digital evidence requires establishing a chain of custody, as with documentary evidence, and propose the following ways of doing so: keeping documentation of all procedures and applications performed on the digital evidence; storing the electronic media in a secure location; making a bit-by-bit image copy of the hard drive rather than a file-system copy; analysing the copy rather than the original; and using forensic software to prove the integrity of the original contents. Most of the forensic tools used by forensic accountants can maintain data integrity, so the authenticity of the evidence can be protected. Authentic evidence is admissible in court, and that is the goal of a forensic accounting engagement.
However, there are some considerations the forensic accountant should keep in mind before using technology in an investigation. Golden, Skalak and Clayton (2006, pp. 387-388) describe eight considerations for gathering digital evidence:
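The following is an added example, not code from Helix, Advance Hash Calculator or Digital Intelligence. It carries out in Python the procedure described in the Helix acquisition option, the hash-verification practice from the Advance Hash Calculator section and the chain-of-custody practices just listed: read the source device block by block, hash the bytes as they are read (what piping dd into md5sum and sha256sum does on the Helix CD), write a bit-for-bit image, re-hash the image, and keep a record a later examiner can use to prove the working copy is still identical. The "device" is an ordinary file with constructed contents, the file names (sdb1.raw, sdb1.dd) are arbitrary, and SHA-256 is recorded alongside MD5 for the reasons given in the hash calculator section.

```python
"""Bit-for-bit acquisition with on-the-fly hashing and later re-verification.

Added example, not Helix's or Advance Hash Calculator's code. It does in Python
what "dd piped into md5sum/sha256sum" does on a Helix CD: copy every block of
the source, hash the bytes as they are read, hash the finished image again, and
keep a record an examiner can re-check at any point in the chain of custody.
The "device" is an ordinary file with constructed contents so it runs offline.
"""
import hashlib
import os
import tempfile
from datetime import datetime, timezone

# Constructed sample "device" contents: a fake partition header, one ledger
# line and some zero-filled unallocated space (not real evidence).
SAMPLE_DEVICE_BYTES = (
    b"FAKEFS\x00\x01" + b"\x00" * 504
    + b"ledger: 2010-05-20 vendor=ACME amount=8950.00 approver=jdoe\n"
    + b"\x00" * 2048
)

ALGORITHMS = ("md5", "sha256")  # MD5 for legacy comparison, SHA-2 as primary


def hash_file(path, algorithms=ALGORITHMS, block_size=4096):
    """Hash a file block by block (never read a whole device into memory)."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(block_size), b""):
            for h in hashers.values():
                h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


def acquire_image(source, image, algorithms=ALGORITHMS, block_size=4096):
    """Copy source to image bit for bit, hashing the source as it is read.

    The source is opened read-only; on a real drive it sits behind a hardware
    write blocker. The image is re-hashed after writing and both digest sets
    are compared, so the record proves the copy matches what was read.
    """
    hashers = {name: hashlib.new(name) for name in algorithms}
    copied = 0
    with open(source, "rb") as src, open(image, "wb") as dst:
        for block in iter(lambda: src.read(block_size), b""):
            for h in hashers.values():
                h.update(block)
            dst.write(block)
            copied += len(block)
    source_digests = {name: h.hexdigest() for name, h in hashers.items()}
    image_digests = hash_file(image, algorithms, block_size)
    return {
        "source": source,
        "image": image,
        "acquired_utc": datetime.now(timezone.utc).isoformat(),
        "bytes_copied": copied,
        "source_digests": source_digests,
        "image_digests": image_digests,
        "verified": source_digests == image_digests,
    }


def verify_image(image, record):
    """Re-hash the image and compare with the digests recorded at acquisition."""
    return hash_file(image, tuple(record["image_digests"])) == record["image_digests"]


def run_demo():
    """Acquire the constructed device, verify it, then show a one-byte change is caught."""
    workdir = tempfile.mkdtemp(prefix="acq-")
    device = os.path.join(workdir, "sdb1.raw")   # stands in for /dev/sdb1
    image = os.path.join(workdir, "sdb1.dd")
    with open(device, "wb") as f:
        f.write(SAMPLE_DEVICE_BYTES)
    record = acquire_image(device, image)
    # A working copy that was altered: flip one bit inside the ledger line.
    altered = os.path.join(workdir, "sdb1-working.dd")
    data = bytearray(SAMPLE_DEVICE_BYTES)
    data[512 + 40] ^= 0x01
    with open(altered, "wb") as f:
        f.write(data)
    return {
        "record": record,
        "image_ok": verify_image(image, record),
        "altered_ok": verify_image(altered, record),
    }


if __name__ == "__main__":
    result = run_demo()
    rec = result["record"]
    print(f"copied {rec['bytes_copied']} bytes, verified={rec['verified']}")
    for name, digest in rec["image_digests"].items():
        print(f"  {name}: {digest}")
    print("image verifies:", result["image_ok"], "| altered copy verifies:", result["altered_ok"])
```

On a real drive the source path would be the write-blocked device node and the record would be printed and signed into the case file. The one-bit change in the working copy is what the re-verification step catches, and why analysis is done on a verified copy rather than on the original.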
- The computer is not a substitute for forensic accounting judgement and experience; it cannot replace document reviews, interviews and follow-up steps.
- If possible, data should be gathered at the outset of the engagement and before the initial field visit.
- Data obtained should be checked for accuracy and completeness, because an incorrect or incomplete data set may lead to premature and incorrect conclusions.
- The complexity of the tools used should be commensurate with the size and complexity of the engagement.
- Some forensic accounting investigators may place too much reliance on the tool itself.
- Ensure that the planned procedures are permissible from a legal perspective and that any evidence gathered may be used for legal purposes if required.
- Data collection across national boundaries must be done with proper legal advice about exporting the data and about the type of data being collected.
- Proper computer forensic techniques must be used to avoid inadvertently altering evidence.
Keeping these pitfalls in mind helps the forensic accountant avoid the more common mistakes and ensures that the evidence found is admissible in court.
5. Conclusion
Technology has two sides: it can be harmful in the hands of criminals and useful in the hands of the right people. Forensic accounting investigators gain many benefits from the technology used in an investigation: efficiency, the ability to handle large data sets for complete assurance, and the ability to maintain the integrity of data. The technology, however, demands highly skilled people to realise its power, and the considerations above on gathering digital evidence should be noted. Like a hammer, technology is a tool: we can build a house with a hammer, but we cannot build a house with a hammer alone. The same is true in digital forensics. Before examining any system, the forensic accountant must make sure that he or she has permission to examine it, and must know the legal aspects of collecting, documenting and preserving digital evidence.
ACL Services Ltd 2010, ACL Desktop edition, accessed 22-05-2010, http://www.acl.com/products/desktop.aspx
Cleary, R & Thibodeau, JC 2005, “Applying digital analysis using Benford’s Law to detect fraud: the dangers of type I error”, Auditing: A Journal of Practice and Theory, Vol. 24, No. 1, pp. 77-81, accessed 21-05-2010, ProQuest database
Digital Intelligence 2010, Forensic Write Blocker, accessed 22-05-2010, http://www.digitalintelligence.com/forensicwriteblockers.php
Elliott, RK & Jacobson, PD 1987, “Audit technology: a heritage and promise”, Journal of Accountancy, Vol. 163, No. 5, pp. 198-217, accessed 18-05-2010, ProQuest database
e-fense 2010, Don’t let your company data walk out the door!, accessed 20-04-2010, https://www.e-fense.com/products.php
Filesland 2010, Advance Hash Calculator, accessed 20-04-2010, http://www.filesland.com/hashcalc/
Foundation of ACL concepts and practices 2006, ACL certified training material, ACL Services Ltd, Vancouver, Canada
Gleason, BJ & Fahey, D 2006, Helix 1.7 for beginners: manual version 2006.03.07, manual guide
Golden, TW, Skalak, SL & Clayton, MM 2006, A guide to forensic accounting investigation, John Wiley & Sons, Hoboken, New Jersey
IOCE 2002, Guidelines for best practice in the forensic examination of digital technology, Guidelines, IOCE, accessed 23-05-2010, http://www.ioce.org/fileadmin/user_upload/2002/Guidelines%20for%20Best%20Practices%20in%20Examination%20of%20Digital%20Evid.pdf
Lim, N 2008, Digital forensic certification versus Forensic science certification: Proceedings of the Conference on Digital Forensics, Security and Law, January 1, pp. 1-13, accessed 21-05-2010, ProQuest database
Mason, S 2007, “Authentic digital records: laying the foundation for evidence”, Information management journal, Vol. 41, No. 5, pp. 32-40, accessed 21-05-2010, ProQuest database
Passware Inc. 2010, Passware Kit Forensic 9.7, accessed 25-04-2010, http://www.lostpassword.com/kit-forensic.htm
Pearson, TA & Singleton, TW 2008, “Fraud and forensic accounting in the digital environment”, Issues in Accounting Education, Vol. 23, No. 4, pp. 545-559, accessed 9-04-2010, http://www.ncjrs.gov/pdffiles1/nij/grants/217589.pdf
Smith, GS 2005, “Computer forensics: helping to achieve the auditor’s fraud mission?”, Journal of forensic accounting, Vol. VI, No. 1, pp. 119-134, accessed 29-04-2010, eLearning@UOW
Sheetz, M 2007, Computer forensics: an essential guide for accountants, lawyers, and managers, John Wiley & Sons, Hoboken, New Jersey
Volonino, L, Anzaldua, R & Godwin, J 2007, Computer forensics: principles and practices, Pearson Prentice Hall, Upper Saddle River, New Jersey
Wang, X & Yu, H 2005, “How to break MD5 and other hash functions”, Advances in Cryptology, EUROCRYPT 2005, Lecture Notes in Computer Science, Vol. 3494, Springer, pp. 19-35, accessed 22-05-2010, http://merlot.usc.edu/csac-f06/papers/Wang05a.pdf