Modalities for Forensic Review of Computer Related Frauds
Neneh Addico (CFE, CA), MTN Ghana

Outline
- Recent Computer Crime Cases
- What is Computer Crime Forensics
- Types of Computer Related Crimes
- Relevance of Forensic in Organizations
- Modalities for Computer Forensic Examination
- Challenges in Computer Crime Forensics
- End Results of Forensic Reviews
- Forensic Reviews & Litigation Support
- Combating Computer Crimes

Recent Computer Crime Cases
What is Computer Crime Forensics
- Computer Crime is any illegal act for which knowledge of computer technology is essential for its Perpetration, Investigation, or Prosecution.
- Prevalent due to increased use of and dependency on computers and other technological gadgets to support business/government/individual processes:
  - Laptops/Computers/Smartphones/Servers/PDAs/Tablets
  - Software/Applications EBS (Oracle/SAP/OS)
  - Networks and internet (GSM)
  - Data/Information (Client Data, Financial Data, Cloud)

What is Computer Crime Forensics (cont)
- Fraudsters exploit/apply these technologically advanced tools to commit fraud.
- Individuals, Governments and Organizations with something of value are targets.
- Computer criminals are becoming more organized and determined.
- Containment, analysis and eradication should be accomplished immediately after a computer crime is reported.

Types of Computer Related Crimes
- Unauthorized access.
- Exceeding authorized access.
- Intellectual property theft or misuse of information.
- Pornography.
- Theft of services.
- Forgery.
- Property theft (e.g., computer hardware and chips).
- Invasion of privacy.
- Denial of services.
- Manipulation of software applications.
- Viruses.
- Sabotage (i.e., data alteration or malicious destruction).
- Extortion.
- Embezzlement.
- Espionage.
- Terrorism.

Relevance of Forensic in Organizations
1. Increased dependency on IT to support business/government processes
2. Ineffective IT Governance (PPPs/SODs/DOAs)
3. Regulatory Requirements (Banks etc.)
4. Security/Control/Compliance not keeping pace with technological advancement and development
5. Determination of computer criminals
6. Potential losses or Reputational Damage

Modalities for Computer Forensics (1)
Planning the Forensic Examination
- Scoping & Scope Limitation
  - Identify IT resources or systems being reviewed
  - Determine period of relevance
  - Decide specialist help required
  - Identify all persons possibly involved
  - Identify standards/policies/framework applicable
- Objective
  - Recommendation to improve process/strengthen controls
  - Determine loss or damage suffered
- Evidence Handling and retention
  - Chain of evidence: accountability and protection
  - Evidence life cycle (identify, collect, store, preserve, transport, present in court and return to owner)

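
The chain-of-evidence and evidence life-cycle points above, sketched as an added example that is not part of the original slides: a hash-chained custody log. The use of SHA-256, the class and field names, and the sample item are assumptions made for illustration.

```python
import hashlib
import json

STAGES = ["identify", "collect", "store", "preserve", "transport",  # order as on the slide
          "present in court", "return to owner"]

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

class CustodyLog:
    """Append-only, hash-chained custody record for one evidence item (hypothetical)."""
    def __init__(self, item_id: str, evidence: bytes):
        self.item_id = item_id
        self.digest = sha256_hex(evidence)   # reference digest taken at intake
        self.entries = []

    def record(self, stage: str, custodian: str, evidence: bytes, when: str) -> None:
        # Protection: the item handed over must still match the intake digest.
        if sha256_hex(evidence) != self.digest:
            raise ValueError(f"evidence altered before stage '{stage}'")
        # Life cycle: a stage may repeat (several transports) but never go back.
        last = STAGES.index(self.entries[-1]["stage"]) if self.entries else 0
        if STAGES.index(stage) < last:
            raise ValueError(f"stage '{stage}' is out of order")
        # Accountability: each entry names a custodian and commits to the previous entry.
        entry = {"item": self.item_id, "stage": stage, "custodian": custodian,
                 "when": when, "digest": self.digest,
                 "prev": self.entries[-1]["hash"] if self.entries else "0" * 64}
        entry["hash"] = sha256_hex(json.dumps(entry, sort_keys=True).encode())
        self.entries.append(entry)

    def verify(self) -> bool:
        """Recompute the chain; an edited, reordered or mid-chain-removed entry breaks it."""
        prev = "0" * 64
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "hash"}
            if e["prev"] != prev or e["hash"] != sha256_hex(json.dumps(body, sort_keys=True).encode()):
                return False
            prev = e["hash"]
        return True

def demo() -> CustodyLog:
    image = b"constructed sample: bytes of a disk image"   # constructed input
    log = CustodyLog("ITEM-001", image)
    for stage, who, when in [("identify", "examiner A", "2024-01-01T09:00Z"),
                             ("collect", "examiner A", "2024-01-01T10:00Z"),
                             ("store", "evidence clerk B", "2024-01-01T12:00Z")]:
        log.record(stage, who, image, when)
    return log
```

The chain does not detect removal of the most recent entries on its own; recording the latest entry hash somewhere outside the log closes that gap.
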
Modalities for Computer Forensics (2)
Execution
- Literature review of the incident
- Interviewing (obtain written statements & also record)
- Confessions
- Evidence gathering
  - Involves Data Analysis, Data Mining, Tracing, Simulation, texts, confirmations, extracts, imaging, copying, reconstruction.
  - Could be direct, real, documentary, and demonstrative
- Documentation of modus operandi
- Perform root cause analysis to identify control/process weaknesses/absence

Modalities for Computer Forensics (3)
Reporting
- 2 Types of Forensic Reports
  - Preliminary report
  - Long form or detail report
- Content of Forensic Long Form Report
  - Distribution List
  - Executive summary
  - Introduction and Background
  - Objective and Scope
  - Scope Limitation and Subsequent Events
  - Procedures Performed
  - Detailed findings
  - Presentation of interview statement
  - Presentation of evidence obtained
  - Professional opinion from contrasting

Modalities for Computer Forensics (4)
Content of Forensic Long Form Report (cont.)
- Modus operandi
- Root Causes
- Recommendations
- Conclusion
- Acknowledgement
- Recommendation Implementation Plan

Challenges in Computer Crime Forensics
- Lack of traditional paper audit trail
- Requires understanding of the technology used in committing the crime
- May require use of more than one specialist to assist the forensic examiner
- Legal development lags behind technological advancement
- Lack of experts and specialists

End Results of Forensic Reviews
- Produce forensic report to management
- Determination of loss suffered or recoveries made
- HR disciplinary action
- Recommendations for Control/Process Improvement
- Articulate evidence to support criminal prosecution
- Modus operandi
- Evidence of compromised IT resources (unauthorized access)
- Articulate losses/damages suffered
- Expert witness testimony

Forensic Reviews & Litigation Support
- Criminal law identifies a crime as being a wrong against society
- Prosecution aims at punishing the offender to serve as a deterrent against future crime
- Judge must believe, beyond reasonable doubt, that the offender is guilty of the offense under a law
- Forensic examination must articulate demonstrative evidence to prove guilt of the offender
- Litigation Support
  - Coaching/prepping by prosecuting legal team
  - Expert witness
  - Simple testimony in layman's terms
  - Good knowledge of sections of criminal code/relevant laws applicable under the circumstances

Combating Computer Crimes
- Preventive Approaches
  - Fraud Awareness Training
  - Tone at the top (shared Ethics & Values)
  - Whistleblower/Hotlines
  - Staff background checks
  - SODs
  - Tools & techniques (Encryption, Customer Validation, internal network security, firewalls)
- Detective Approaches
  - Fraud Risk Assessment to improve controls (show framework)
  - Surprise & Periodic audits

Combating Computer Crimes
Recent Developments in Ghana to Combat Computer Crimes
- Legal framework (e.g. AML Act, Data Protection Act)
- Specialized Units in the Security Agencies
- Emergence of Anti-Fraud Units in Organizations
- Regulatory Requirements (Basel 3, SOX, King III)