IT Audit - The Institute Of Internal Auditors  


Reference Library

Discussion Board

Contact the Editor

About ITAudit

Authors Wanted


Previous Issues

print Print Article

Forensic Auditing

January 15, 1999
Andrew Sheldon,

This article first appeared in the November 1998 issue of "Internal Auditing", a magazine published by IIA-UK. Reprinted with permission. If you wish to subscribe to this IIA-UK publication, e-mail to for more information.
The role of computer forensics in the Corporate Toolbox.
There are two idioms that every corporate security officer lives by: "A backup is only as good as the last restore" and "Prevention is better than cure." In a perfect world there would be no computer failures, no lost data and certainly no abuse of computer systems. Unfortunately, we don't live in a perfect world (if we did, I'd be relaxing on a tropical beach while my computer wrote this article!) and we have to face the very real prospect that corporate computer systems are woefully vulnerable to misuse, if not wilful abuse.

"Computer abuse" is a phrase covering a multitude of sins, quite literally, from games playing to fraud, hacking and virus writing through inappropriate downloads and Internet activity. The detection of such abuse falls squarely on the shoulders of the audit and security departments of any organisation, supported by adequate policy and procedures.

So, what exactly is "forensic auditing"? There are really two main components of the function, audit and computer forensics, which have the following primary aims: 

  • Detection of potential abuse 
  • Protection of the proof 
  • Adducing qualified evidence 
  • Presentation of the evidence

It may sound trite but in order to detect abuse within computer systems you must be looking for the right things. This where the audit role comes to the fore. By using appropriate audit tools combined with a strategy to suite the organisation which is backed by well designed policy and procedures, it is remarkably easy to spot abuse of all kinds simply by viewing the audit data in the right way.

Most organisations fail to reap the true benefits of PC audit simply because they are focussed on the two gods of "asset management" and "corporate compliance". Using the right tools, the process of audit can reveal much more about an organisation than that. For example, while performing a PC audit it is possible to collect the contents of the Internet browser cache found on all Internet ready machines. Using one of the many cache browsers available, it is then a simple task to review the copied data to establish potential transgressions of corporate Internet policy.

I recently carried out such a task on 2000 computers with a view to establishing the presence of any "undesirable" image files. The results were shocking. Over 210,000 images were found, of which approximately 25% were questionable. I used existing audit data, collected during a licence compliance audit and the whole analysis added just 4 man days on top of the audit project.

From the clients perspective, this was a cost exercise but one which was extremely valuable. In fact, not only did I find the image files, I also located a range of undesirable software including copies of PGP (Pretty Good Privacy) where it was not appropriate for encryption to be used, mobile phone cloning software, Sky card cracking software and much, much more!

What was even more surprising for me was the fact that not only did the above organisation have a reasonable security policy and working set of procedures in place but they also believed that had things under control.

While the above case serves to illustrate the "hidden" power and value of audit data, it also begs the question of what action to take if (or when) you are faced with the knowledge that there is serious abuse within your systems. This is where the forensics part of forensic auditing comes in.

Evidentially sound advice
The key role of computer forensics is the protection, adducing and presentation of evidence, in that order. In all abuse cases, protection of the evidence is both critical and central to the organisation’s ability to investigate and take action against the abuser.

Once abuse is suspected it is important to assess the likely route of action. One of the first decisions to make is to determine the nature of the abuse and whether the investigation will result in criminal, civil or internal disciplinary action.

If the nature of the abuse warrants either of the first two options, protection of all evidence is of utmost importance as, frequently, the defence’s best case is based on the admissibility of computer based evidence. Even when internal disciplinary action is being taken, it may pay to protect the evidence to the same degree as in a criminal or civil cases as an industrial tribunal may consider the employers case more favourably if proper evidential practices have been observed.

What exactly does "protecting the evidence" mean?

Let us assume that an employee is suspected of downloading illegal pornography (the definition of what is "legal" pornography would take more space to discuss than this article has!) from the Internet. Perhaps not surprisingly, this is far from uncommon and can leave an organisation legally culpable courtesy of the fact that a company and its officers hold a vicarious responsibility for the deeds and actions of employees.

Most organisations would take one of two possible actions. Either a member of the security team would be tasked with making a backup of the users hard disk which would then be restored onto a blank drive. Or the users computer would be taken away by the support department where one of the technicians would be asked to search the disk for image files and print them off.

Unfortunately, both these actions will harm the organisations ability to 

  1. defend itself against potential legal action and 
  2. invalidate the submission of any evidence against the user which may have been present on the users computer.

Whilst the above actions would appear on the surface to be adequate methods of determining the presence of incriminating evidence, they are both fatally flawed in their execution.

Protecting the Evidence
The cardinal rule with all computer evidence is to protect it, as soon as possible, from deletion, contamination and modification and, where possible, to keep it in the same state and in the same location as it was at the time of the offence. Simply by turning the computer on and allowing it to boot into (say) Windows95 will make many changes to the contents of certain files on the disk. Now, these files may not be the ones of interest to the investigation but the modification of one file can cause previously deleted files containing valuable evidence to be lost for ever.

Likewise, making a backup of the disk will only copy the "live" files. None of the deleted files will be recovered and, just as importantly, the "slack space" between the end of one file and the beginning of the next will be totally ignored. This area is sometimes the source of evidential rich pickings.

The answer is a "forensic image". The use of evidentially sound imaging applications and practices is essential to maintain evidential continuity. Such imaging tools are not normally in the toolkit of the security or support department but are used by expert forensic analysts to produce exact images of every Bit of data on a hard disk. Imaging is carried out without launching the computers operating system, thereby preventing any changes to the contents of the disk under investigation. It also generates a log file which records all the parameters of the process from disk geometry, interface health and packet checksums to case details such as date, time, analysts name etc.

The forensic image can be used to generate an exact working copy of the original disk. The copy can then be placed back in the computer in place of the original which should be sealed in a bag and stored as the "original" evidence.

Adducing the Proof
A second copy is then taken from the forensic image which can be examined in lots of different ways. The forensic analyst will usually request a brief from the client as to what type of evidence is being sought. It is unwise and may be illegal, to go on what's called a "fishing trip" for evidence although it is not uncommon, while searching for one thing, to stumble across another. The art in locating evidence is being able to think like the abuser while keeping accurate, contemporaneous notes about what was done, why it was done, what was find and why it is being used as evidence. In court cases, computer evidence can be dismissed if even the slightest doubt over it's veracity can be shown, making the process of adducing the evidence correctly vital to the success of otherwise of the case.
Showing Your Hand
Having imaged and analysed the suspect’s computer disks and found the evidence all that remains is the process of presenting that evidence for use in any criminal, civil or disciplinary hearings.

It might sound easy but the significance of taking compelling physical evidence and presenting it badly should not be underestimated. To the average man in the street computers are still largely a technical mystery and presenting computer evidence in too much detail may serve only to confuse a jury. This leaves them with only two options: to make judgements based upon misunderstanding or to tempt them to ignore detail which is too complex for them to fully understand but which may be the pivotal point of the case.

Evidence is usually presented in the form of a witness statement accompanied by "productions" or "exhibits" which may be printouts, reproductions of images or sometimes hardware items. Such statements must be written in accordance with legal requirements for them to be truly admissible. And this begs another question;

Who should be asked to examine the evidence? A technical support person may be well versed in the technology and a security consultant will be able to provide valuable insight into the nature of the offence. However, when questioned about the principles of data storage at the Bit or Byte level or the finer points of forensic imaging, they may not have sufficient background, or credentials, to withstand vigorous cross examination by a tenacious barrister.

The End Game
There are several other important factors which must also be considered when analysing evidence. Is the problem restricted to just internal staff or is there external involvement. This may be discovered, for example, through the examination of emails. The extent of corporate liability must be established as early as possible, enabling decisions regarding possible actions to be made with due diligence.

Finally, if you think you may have a problem it is better to act quickly, computer evidence is volatile and can be destroyed in a blink. It is also better to know for sure than to ignore possible consequences. If you are unfortunate to uncover a potential problem, it may be prudent to seek confidential advice from an experienced forensic examiner before rushing in. The "do it yourself" route is a risky strategy which may have far reaching effects. If you are committed to using in house staff, remember the basics of evidential integrity and don't be tempted to use short cuts.

When carried out correctly, forensic analysis of computer systems involved in abuse can provide valuable evidence which might otherwise have been lost or overlooked. Performed wrongly but with good intent and your evidence could give the guilty the opportunity they need to get a case dismissed.