Analyzing Evidence Flashcards

1
Q

List examples of data analysis queries that can be performed by data analysis software

A
  • Summarize payroll activity by specific criteria for review.
  • Identify changes to payroll or employee files.
  • Compare timecard and payroll rates for possible discrepancies.
  • Prepare check amount reports for amounts over a certain limit.
  • Check proper supervisory authorization on payroll disbursements.
2
Q

Steps to be considered in each data analysis engagement

A

(1) Planning phase
- Understand the data.
- Define examination objectives.
- Build a profile of potential frauds.
- Determine whether predication exists.

(2) Preparation phase

  • Identify the relevant data.
  • Obtain the data.
  • Verify the data.
  • Cleanse and normalize the data.

(3) Testing and interpretation phase
- Analyze the data.

(4) Post-analysis phase
- Respond to the analysis findings.
- Monitor the data.

3
Q

What is structured and unstructured data?

A

Structured data are the type of data found in a database, consisting of recognizable and predictable structures. Examples: sales records, payment or expense details, and financial reports.

Unstructured data, by contrast, are data that would not be found in a traditional spreadsheet or database; they are text based.

4
Q

What is STEGANOGRAPHY?

A

the process of hiding one piece of information within an apparently innocent file

5
Q

What are the FOUR common methods to detect the use of steganography?

A

(1) Visual Detection - looking for visual anomalies in jpeg, bmp, gif, and other image files
(2) Audible Detection - looking for audible anomalies in wav, mp3, mpeg, and other media files
(3) Statistical Detection - determining whether the statistical properties of files deviate from the expected norm
(4) Structural Detection - looking for structural oddities that suggest manipulation (e.g., size differences, date differences, time differences, or content modification)

6
Q

What are the steps in evidence collection?

A

(1) examine and document the machine’s surroundings

2

7
Q

What are the unique challenges of cloud forensics not faced in traditional forensic practices?

A
  • Lack of frameworks and specialist tools
  • Lack of information accessibility
  • Lack of data control
  • Jurisdiction of storage
  • Electronic discovery
  • Preserving chain of custody
  • Resource sharing
  • Lack of knowledge
8
Q

What is Link Analysis?

A
  • very effective for identifying indirect relationships and relationships with several degrees of separation
  • useful when conducting a money laundering investigation, since it can track the placement, layering, and integration of money as it moves among unexpected sources

Link analysis software is used by fraud examiners to create visual representations of these relationships.

9
Q

What is chain of custody?

A

both a process and a document that memorializes who has had possession of an object and what they have done with it

The memorandum should state:

  • What items were received
  • When they were received
  • From whom they were received
  • Where they are maintained
10
Q

What is indented writing?

A

the impression a writing instrument leaves on the sheets of paper below the sheet that contains the original writing

can be seen by employing an oblique-lighting method

11
Q

What is data mining?

A

the science of searching large volumes of data for patterns

combines several different techniques essential to detecting fraud, including the streamlining of raw data into understandable patterns

effective way for fraud examiners to develop fraud targets for further investigation

12
Q

What is textual analytics?

A

method of using software to extract usable information from unstructured text data

can be used to categorize data to reveal patterns, sentiments, and relationships indicative of fraud.

13
Q

What are the 5 ADVANTAGES of using data analysis software?

A

(1) centralize an investigation, relying less on others to gather data
(2) ensure that an investigation is accurate and complete
(3) base predictions about the probability of a fraudulent situation on reliable statistical information
(4) search entire data files for red flags of possible fraud
(5) develop reference files for ongoing fraud detection and investigation work

14
Q

What is IMAGING?

A

the process whereby a forensic image of a hard drive or other digital media is made and copied to another hard disk drive or other media for forensic analysis

Imaging the data from suspect devices allows a fraud examiner to view and analyze a computer’s contents without altering the original data in any way.

15
Q

What is multi-file processing?

A

allows the user to relate several files by defining relationships between multiple files, without the use of the Join command

16
Q

What are the general rules regarding the collection of documents?

A
  • Obtain original documents where feasible. Make working copies for review, and keep the originals segregated.
  • Do not touch originals any more than necessary; they might later have to undergo forensic analysis.
  • Maintain a dependable filing system for the documents. Documents can be stamped sequentially for easy reference.

17
Q

What is the goal of Benford’s Law?

A

identify fictitious numbers

Benford’s Law maintains that certain digits show up more than others do when dealing with natural numbers.

18
Q

What is correlation analysis?

A

determine the relationships among different variables in the raw data.

19
Q

When is live evidence collection appropriate?

A

appropriate when a formally trained computer investigator is seizing the system, and the evidence that the investigator needs to collect exists only in the form of volatile data.

20
Q

What practices does the fraud examiner need to adhere to ensure that a machine can be fully analyzed?

A

1 - Examine and document the machine’s surroundings.

2 - Inspect for traps.

3 - If the computer is off, leave it off.

4 - Consider collecting volatile data “live.”

5 - Secure the evidence.

6 - Image the system hard drives.

7 - Document the collection process.

8 - Implement a system to manage the evidence.

21
Q

What are the different types of logs?

A

(1) System logs record events executed on an operating system, including miscellaneous events and those generated during system startup, like hardware and controller failures. For example:
- starting up and shutting down
- configuration updates
- system crashes

(2) Application logs record the events regarding access to application data. For example:
- data files being opened or closed
- specific actions such as reading, editing, etc.

(3) Security logs track security-related events like logon and logoff times and changes to access rights.

22
Q

What is gap testing?

A

identify missing items in a sequence or series, such as missing checks or invoice numbers.

can also be used to find sequences where none are expected to exist

23
Q

What is compliance verification?

A

determines whether company policies are met by employee transactions