Forensic Computing: What is E-Discovery?
May 10, 2013
Yigal Rechtman, CPA, CFE, CITP, CISM
Brian Schrader, President, BIA

About the speakers
Yigal Rechtman, CPA, CFE, CITP, CISM is a director for information technology, technology assurance and forensic services at Buchbinder Tunick & Co. LLP. Rechtman specializes in internal controls, fraud investigation and forensic accounting, information technology and computer aided auditing and statistical analysis. He manages engagements of forensic accounting and financial audits. These engagements include evaluation of internal controls, risk analysis, computerized information systems evaluation, fraud investigation, litigation support, SSAE 16 and SOX 404 testing.
Buchbinder Tunick & Company LLP

About the speakers
Brian Schrader, president of BIA, has over 20 years of experience in information management, computer technology, and the law and has been a pioneer in Computer Forensics and e-Discovery. Brian's experience started as a programmer and computer systems consultant. In 1990, Brian founded and operated a consulting company, helping clients design and implement information management systems in a variety of industries including health care, insurance and securities.

Objectives and outline
Objectives:
- To understand the current issues and technical issues that face forensic accountants with work that involves utilization of computers and information technologies
- To understand the best practices followed in e-Discovery.

Outline
- Types of engagements, types of perpetrators
- Technical issues
- Types of data
- Best practices in forensic computing
- Roles
Caveat: Presenter is not an attorney. No hacking techniques are being taught.

Types of engagements
Use of device or computer drives the engagement:
- The technology was the method of perpetrating or undertaking an activity
- The technology was the target of the activity.

Example: technology as part of a court proceeding
In June 2004 Kobe Bryant was on trial for sexually assaulting a woman. Part of the trial involved the admissibility of a text message that was retained on a file server. Ultimately the file was admitted, lending support to the defense.

Example: technology is target of a perpetrator's action
- File server breached. Impact: personal records stolen, detection is late.
- Password guessed, supervisor's login ID breached. Impact: internal controls breached without detection.
- Home wireless network breached and used to download illegal music sharing services. Impact: owner has to address possible legal liability.

Perpetrators
- Hackers with a high technical level. These cases often involve track-covering techniques and time bombs. Often seen in professional, high-stakes computer crimes such as identity theft or business spying.
- Perpetrators with low-level technical skill. These cases often involve low-level systems, (hopefully) with low criticality.

Perpetrators (cont)
- The third type is the authorized user. This involves authorized use of or access to technological resources for personal gain. For example: a salesperson who taps into the Customer Relationship Management (CRM) system and downloads sales leads before going on to form their own company, competing with the current employer.

Forensic process
- Identification of evidence
- Preservation of evidence
- Analysis, including detailed documentation of steps taken
- Deliverable to legal action, if applicable
Note: Need to adhere to rules of evidence and sound "best practices" for preserving IT evidence. Technical skill is a must.

Best practices
- Photograph room, work area and environment, noting location of items such as disks, external devices, connectors and cables.
- Bag and tag diligently.
- Duplication of data and memory devices should be done using appropriate tools.
- Avoid using "system provided" toolkits or commands. Using the system is evidence tampering.

Quiz time…

Tools to be used
- Disk and Flash memory duplicators
- Data recovery software
- HEX readers
- Case management software (with or without tools, which can be operating-system specific)

Rule of Evidence
"…a counterpart serves equally as well as the original, if the counterpart is the product of a method which insures accuracy and genuineness." Rule 1003 (Admissibility of Duplicates), Federal Rules of Evidence.
State law and arbitration proceedings often accept this definition and standard of care.

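One way to show that a duplicate is "the product of a method which insures accuracy and genuineness", as an added example that is not part of the original presentation: hash the source and the copy in fixed-size blocks, compare the whole-image digests, and report which blocks differ. The function names, the block size and the sample byte strings are assumptions constructed for illustration.

```python
import hashlib
import io

BLOCK_SIZE = 4096  # assumed block size for the per-block comparison


def hash_stream(stream, block_size=BLOCK_SIZE):
    """Return (whole-image SHA-256 hex digest, list of per-block digests)."""
    whole = hashlib.sha256()
    blocks = []
    while True:
        chunk = stream.read(block_size)
        if not chunk:
            break
        whole.update(chunk)
        blocks.append(hashlib.sha256(chunk).hexdigest())
    return whole.hexdigest(), blocks


def verify_duplicate(source, copy, block_size=BLOCK_SIZE):
    """Compare a source stream with its duplicate.

    Returns a record for the case notes: both digests, a match flag, and the
    byte offset of every block that differs or is missing from either side.
    """
    src_digest, src_blocks = hash_stream(source, block_size)
    dup_digest, dup_blocks = hash_stream(copy, block_size)
    mismatched = [
        i * block_size
        for i in range(max(len(src_blocks), len(dup_blocks)))
        if i >= len(src_blocks) or i >= len(dup_blocks)
        or src_blocks[i] != dup_blocks[i]
    ]
    return {
        "source_sha256": src_digest,
        "copy_sha256": dup_digest,
        "match": src_digest == dup_digest,
        "mismatched_offsets": mismatched,
    }


# Constructed sample data standing in for a source device and three copies.
SAMPLE_SOURCE = bytes(range(256)) * 48      # 12288 bytes = 3 blocks
GOOD_COPY = bytes(SAMPLE_SOURCE)
BAD_COPY = bytearray(SAMPLE_SOURCE)
BAD_COPY[5000] ^= 0xFF                      # one altered byte inside block 1
TRUNCATED_COPY = SAMPLE_SOURCE[:8192]       # duplication that stopped early

if __name__ == "__main__":
    for name, data in [("good", GOOD_COPY), ("bad", BAD_COPY), ("truncated", TRUNCATED_COPY)]:
        report = verify_duplicate(io.BytesIO(SAMPLE_SOURCE), io.BytesIO(bytes(data)))
        print(name, report["match"], report["mismatched_offsets"])
```

On real evidence the two streams would be the source device and the image file, each opened read-only in binary mode, with the resulting record kept alongside the documentation of steps taken.
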
Types of Evidence
- Active data: This is the information that would have been available to an authorized user.
- Archival data: This is information that is maintained but not directly available to the user, such as operating system files, software configuration files and hidden files. Some operating systems maintain shadow copies of files or backup versions.

Type of Data (cont)
Latent data is purposefully hidden from the user and may be:
- Incomplete
- Unreadable
- Fragmented
Specialized software can help a forensic technician identify this class of data. All classes of data appear in hard disk, RAM and circuitry of all kinds.

Roles
- IT professionals should be familiar with the resources that were breached and the method of breach.
- CPAs should know to advise clients about the sensitivity of electronic evidence.
- Lawyers should be familiar with legal rights and direction of the engagement.

IT Professionals
Role of professional may change based on direction and assignment:
- "Black hats": working for defense
- "White hats": working for plaintiff or prosecution teams

Questions and Answers
Yigal Rechtman, CPA, CFE, CITP, CISM
yrechtman@buchbinder.com
(212) 896-1958