
TECHNOLOGY TOOLS IN FORENSIC ACCOUNTING INVESTIGATION

By: Mohamad Marulli, University of Wollongong, NSW Australia

1. Introduction
In today's life, people are constantly in contact with digital equipment. While many areas of our lives benefit from this kind of technology, some areas are vulnerable to its negative effects. In terms of fraud, many perpetrators use digital equipment as a tool to help them commit fraud. Smith (2005, p 119) argues that "almost every financial fraud incorporates the use of computer and digital equipments…" Digital equipment such as a computer can also become the target of fraud. Volonino, Anzaldua and Godwin (2006, p 6) divide computer crimes into two categories: the computer as a target and the computer as a tool. Crimes against a computer include attacks on networks that cause them to crash, and unauthorized access to, or tampering with, information systems, programs, or data. In addition, digital evidence differs from ordinary documentary evidence. Digital evidence can easily and unintentionally be destroyed and made inadmissible as courtroom evidence, either by the perpetrators or by those who first find the evidence (Smith, 2005). So, from the auditor's perspective, technology is essentially an enemy in terms of fraud.
Fortunately, like a double-edged sword, technology is also the auditor's friend in uncovering fraud. Because a computer can be used as both a target and a tool in any fraud, the data stored in a computer is perfect evidence for uncovering fraud. If auditors know the correct way to preserve, acquire and analyse data stored in a computer that is suspected of being a target of fraud or of being used as a tool in fraud, that data will become high-quality evidence in court. Pearson and Singleton (2008) argue that the ability to obtain, manage and analyse digital evidence is critical to the success of future accounting professionals. Thus, the benefits of technology such as computers and other digital equipment outweigh its negative side. This article explains the evolution of technology used in investigations, then reviews the tools usually used in digital forensics by forensic accountants, and finally evaluates the use of those tools.

2. The history of computer forensic in investigation


Sheetz (2007) states that in order to understand the evolution of technology used in forensic accounting investigation, we have to know the machines themselves. Sheetz (2007) divides the evolution of the computer into three categories: size, language and networks.

Page 1 of 12

The first computers, built in the early 1950s, were housed in buildings dedicated solely to their operation (Sheetz 2007). Today we can see people walking down the street carrying their computers.
The second evolution category described by Sheetz is the programming language. The first computers could only perform the single task they were dedicated to; they were not programmable as we understand it today. The first way to communicate with a computer was binary code: a series of 0s and 1s. The second layer of programming language was known as assembler language, which turned the binary code into something closer to human language. Building on assembler language, an IBM employee created FORTRAN and the computer revolution began. Following FORTRAN, many languages that are much simpler than the machine language were developed.
The last evolution of the computer is the internet. The idea of connecting computers began when the research facilities at the University of California at Los Angeles, the University of California at Santa Barbara, Stanford and the University of Utah developed ARPANET (Advanced Research Projects Agency Network). From this humble network, the internet has grown to the scale we see today. Connecting a computer to the internet, whether for the exchange of information, e-commerce, or even defence, is a necessity in today's world.
Returning to the technology used in fraud investigation, we can refer to audit technology. Elliot and Jacobson (1987) explain the evolution of EDP audit in the USA. According to them, EDP audit began in the 1960s when the American Institute of Certified Public Accountants (AICPA) released the publication Auditing and EDP. Later, the ideas of that book appeared in many auditing standards published by the AICPA. Elliot and Jacobson explain that at the earlier stage of EDP auditing, auditors used the 'around the computer' method. This method relied on user controls and verified output by its relationship to input. The next level was to use test data. In applying this technique, the auditor ran test data through the client's computer and compared independently calculated results to the results produced by the client's computer. Generalized audit software soon became available and provided a simpler approach.
Pearson and Singleton (2008) state that the idea of digital forensics or computer forensics emerged in the middle of 1980 when the FBI implemented its Magnetic Media Program and performed only three examinations of computers. According to them, digital evidence was institutionalized in 1995 with the formation of the International Organization on Computer Evidence (IOCE). So the development of computer forensics has actually taken place in the last 20 years.

3. Investigation tools

Forensic accountants conducting investigations in this internet era use many investigation tools, ranging from data mining software to data analysis software and sometimes the same tools used by hackers. Here are some of the tools used by forensic accountants.
A. Helix
Helix3TM (www.e-fense.com) is "an internal tool to provide the ability to acquire forensically sound images of many types of hard drives and partitions on systems running unique setups such as RAID arrays" (Gleason & Fahey, 2006, p 9). Many products in the world offer the capabilities that Helix has. However, Helix differs from many other imaging tools because it was developed on Knoppix (a variant of Linux), which is open source and free. At this time e-fense, Inc. promotes Helix3TM Pro to digital forensic examiners with a compulsory one-year forum membership for US$ 239. However, Helix3 2009R1, which is the beta version of Helix3 Pro, can be downloaded for free.
Helix can run in three different environments, Mac OS X, Windows and Linux, with one simple-to-use interface. Helix can be used either for live forensic imaging or as a forensically sound environment from which to boot any x86 system. Because turning off a suspect computer may destroy evidence, many digital forensic examiners do so with extra care. Before booting a suspect computer, the best way to turn it off is by unplugging the power, because when the shutdown button is pressed the computer is shut down systematically by software. The bootable Helix actually runs on the Linux side. Once Helix has finished the boot process, X Windows starts automatically and presents the Helix desktop. By default Helix sets all devices in the target computer as read only, so they cannot easily be modified, even with Helix itself.

Figure 1 Helix desktop in Linux
Another way of using Helix is as live Helix. This method is the best method for acquiring a disk image from a system that cannot be turned off or taken offline for an extended period of time. To use Helix, you should first read the warning. As has been pointed out several times in the manual, using Helix in a live environment will make changes to the system; that is one of the inherent risks in a live-response situation. But remember, just inserting this CD has modified the system, and even just leaving the system turned on is modifying the system. So you need to make your decision and, when ready, press the "I Agree" button to continue. Once the user accepts the agreement, the main screen will appear.

Figure 2 Helix desktop live in Windows
There is no difference in the applications that Helix offers between the Helix bootable method and the Helix live method. Helix offers six main options for examining the system under investigation (Gleason & Fahey, 2006). These options are described below:
1. Preview System Information
This option provides basic information about the system such as the operating system version, network information, owner information, and a summary of the drives on the system.
2. Acquire a "live" image of a System using dd
This option allows the investigator to make exact copies of hard drives, floppy disks, or memory, and store them on local removable media or over a network.
3. Incident Response tools for Operating Systems
This option provides access to 20 tools, all of which can be run directly from the CD-ROM. Once you click the icon, a small triangle appears next to the icon. Clicking on this small triangle provides access to the other pages of tools.
4. Documents pertaining to Incident Response, Computer Forensics, Computer Security & Computer Crime
This option provides the user with access to some common reference documents in PDF format. The documents include a chain of custody form, information on the preservation of digital evidence, a Linux forensics guide for beginners, and a guide to the forensic examination of digital evidence. These documents are highly recommended, and the investigator should review them before attempting any forensic examination.
5. Browse contents of the CD-ROM and Host OS
This is a simple file browser that provides the investigator with information about the selected file. It displays the filename, the created, accessed and modified dates, attributes, CRC, MD5 and the file size.
6. Scan for Pictures from a system
This tool allows the investigator to quickly scan the system to see whether there are any suspect graphic images on it. Many different graphic formats are recognized and displayed as thumbnails.
Helix's legitimacy in preparing and managing digital evidence for court is recognized by many digital forensic examiners and law enforcement agencies. Gleason and Fahey (2006) claim that many government agencies and the law enforcement community across the globe, including the Indonesian Taxation Office, have turned to Helix as their forensic acquisition standard due to its functionality and cost effectiveness. Although in a live environment Helix will make changes to the system, forensic accountants may use other tools to patch this weakness of Helix and make the digital evidence admissible in court.
B. ACL Desktop
Audit Command Language (ACL) is developed by ACL Service Ltd (www.acl.com). Foundation of ACL concepts and practices (2006, p 2) defines ACL as a tool to read and analyse many types of files scattered across numerous databases on different platforms. ACL Service Ltd claims that ACL provides immediate visibility into transactional data critical to your organization, enabling you to: analyse entire data populations for complete assurance; identify trends, pinpoint exceptions and highlight potential areas of concern; locate errors and potential fraud; identify control issues and ensure compliance with organizational and regulatory standards; age and analyse financial or any other time-sensitive transactions; and cleanse and normalize data to ensure consistency and accurate results (www.acl.com). In generic terms ACL is a Generalized Audit Software (GAS).

Figure 3 ACL Desktop
ACL maintains data integrity through read-only access to all data that it accesses, which is why the source data is never changed, altered or deleted. Mason (2007) explains that rule 901 of the US Federal Rules of Evidence requires that evidence submitted in court be authentic. Further, Mason (2007) states that data integrity is one of six factors that prove the authenticity of evidence.
ACL features built-in analysis commands, so no programming language is needed. In addition, to automate analytical procedures, ACL provides scripting for auditors who want more customized programmable commands.
One of the analysis commands in ACL is Benford's Law analysis. In auditing, especially in fraud detection, Benford's Law is commonly used as an analysis tool by many auditors, including internal, external and governmental auditors (Cleary & Thibodeau 2005). ACL applies Benford's Law analysis on a digit-by-digit basis rather than on the test-by-test basis used by statisticians (Cleary & Thibodeau 2005). As a result, according to Cleary and Thibodeau (2005), auditors who want to rely on this analysis should understand that using a digit-by-digit basis in Benford's Law, as ACL does, might increase the chance of finding actual fraudulent entries.

Figure 4 Benford's Law graph in ACL
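To make the digit-by-digit versus test-by-test distinction concrete, the following Python example (added here; it is not ACL's code and is not from the original paper) compares the leading digits of a set of amounts with Benford's expectation in both ways: a z-score for each digit separately, and a single chi-square statistic over all nine digits. The amounts are constructed for the example: 900 values spread evenly on a logarithmic scale, which follow Benford's Law closely, plus 60 fabricated invoices clustered around 7,500. The 1.96 and 15.507 thresholds are the usual 5% critical values for a z-score and for chi-square with 8 degrees of freedom.

```python
import math
from collections import Counter

# Expected leading-digit frequencies under Benford's Law: P(d) = log10(1 + 1/d)
BENFORD_EXPECTED = {d: math.log10(1 + 1 / d) for d in range(1, 10)}

# Chi-square critical value, 8 degrees of freedom, 5% level: the whole-population test
CHI2_CRITICAL_DF8_05 = 15.507


def first_digit(value):
    """Return the leading non-zero digit of an amount, or None for zero."""
    for ch in f"{abs(float(value)):.6f}":
        if ch in "123456789":
            return int(ch)
    return None


def digit_by_digit_test(amounts, z_threshold=1.96):
    """Compare each leading digit separately with its Benford expectation (the basis the
    text describes ACL as using). Returns, per digit, the observed count, expected count,
    z-score and whether that digit is flagged at the given threshold."""
    digits = [d for d in map(first_digit, amounts) if d is not None]
    n = len(digits)
    counts = Counter(digits)
    results = {}
    for d in range(1, 10):
        p = BENFORD_EXPECTED[d]
        observed = counts.get(d, 0)
        expected = n * p
        # Binomial standard deviation of the count; z measures the deviation in those units
        sd = math.sqrt(n * p * (1 - p))
        z = (observed - expected) / sd if sd > 0 else 0.0
        results[d] = {"observed": observed, "expected": expected,
                      "z": z, "flag": abs(z) > z_threshold}
    return results


def flagged_digits(results):
    """Digits whose deviation exceeds the threshold, in ascending order."""
    return [d for d in sorted(results) if results[d]["flag"]]


def population_chi_square(results):
    """One chi-square statistic over all nine digits: the single-test view of the same data."""
    return sum((r["observed"] - r["expected"]) ** 2 / r["expected"]
               for r in results.values() if r["expected"] > 0)


# Constructed sample data, not real transactions: 900 amounts spread evenly on a log scale
# across three decades (these conform to Benford's Law) ...
CLEAN_AMOUNTS = [round(100 * 10 ** (k / 300), 2) for k in range(900)]
# ... plus 60 fabricated invoices between 7,450 and 7,627, all starting with the digit 7
FABRICATED_INVOICES = [7450.0 + 3 * i for i in range(60)]
SUSPECT_AMOUNTS = CLEAN_AMOUNTS + FABRICATED_INVOICES


if __name__ == "__main__":
    for label, data in (("clean", CLEAN_AMOUNTS), ("suspect", SUSPECT_AMOUNTS)):
        res = digit_by_digit_test(data)
        print(f"{label}: flagged digits {flagged_digits(res)}, "
              f"chi-square {population_chi_square(res):.1f}")
        for d, r in res.items():
            print(f"  digit {d}: observed {r['observed']:4d} "
                  f"expected {r['expected']:7.2f} z {r['z']:+.2f}")
```

On the clean set neither view raises anything; on the suspect set the digit-by-digit view points straight at digit 7, and the chi-square statistic also exceeds its critical value. The caveat behind the Cleary and Thibodeau reference is visible in the code: the digit-by-digit view runs nine separate tests at the 5% level, so a perfectly honest population has a higher chance of producing at least one flagged digit than the single chi-square test does; a flagged digit is a lead to follow, not a finding.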
At this time the newest version of ACL is ACL Desktop ver. 9.1, and the new improvement is that it can read and analyse PDF files. However, despite the powerful functions of ACL, its price is quite high. In Indonesia, the ACL Desktop retail price is US$3,000 for two users, including a one-year subscription to ACL support.
C. UltraBlock
UltraBlock (www.digitalintelligence.com) is a brand name for forensic write-blocker hardware. The purpose of this hardware is to prevent the digital forensic accountant from modifying the data that they access. It is very important for the digital forensic accountant to ensure that data submitted to a court as evidence remains authentic. Therefore, when they access and analyse the evidence they have to be very careful not to modify, change or alter the data. UltraBlock is compatible with all leading imaging software, including Helix, EnCase and others.
Digital Intelligence offers UltraBlock as one full kit (UltraKitIII) and as separate devices. The UltraKit retail price ranges from about US$1,369 to US$1,599 (plus FireWire). UltraKitIII consists of four main products and their accessories. Those main products can be bought separately. The four main products are the UltraBlock eSATA IDE-SATA Write Blocker, UltraBlock SCSI, UltraBlock USB and UltraBlock Forensic Card Reader.

Figure 5 UltraBlock Family

The UltraBlock eSATA IDE-SATA is an eSATA/FireWire/USB to Parallel IDE / SATA Bridge Board with Forensic Write Protection. By connecting a suspect drive to the UltraBlock IDE-SATA, a digital forensic accountant can be assured that no writes, modifications, or alterations can occur to the attached drive. The UltraBlock SCSI is used to acquire data from a SCSI hard drive in a forensically sound, write-protected environment. The combination of those two devices allows the forensic accountant to forensically access and analyse every hard drive available in the market today. The UltraBlock Forensic USB Write Blocker brings secure, hardware-based write blocking to the world of USB mass storage devices, and the UltraBlock Forensic Card Reader can be used for writing and for the forensic acquisition of information found on multimedia and memory cards. All those devices are set to 'Read Only' by default, but when necessary the forensic accountant can configure them to 'Read Write' for testing or validation purposes.
D. Advance Hash Calculator
Maintaining the integrity of evidence is one of the main concerns of the forensic accountant. Once the integrity of evidence is questionable, the evidence loses its power in court; in the worst case, the evidence will be rejected. One method that can be used to maintain data integrity in digital forensics is the use of hash values. The common hash methods are MD5 and SHA-1. These hash programs are included in forensic imaging software such as Helix and EnCase. However, Advance Hash Calculator offers more than the MD5 and SHA-1 methods for calculating hash values.

Figure 6 Advance Hash Calculator

Advance Hash Calculator, developed by Filesland (http://www.filesland.com/hashcalc/), supports the CRC32, GOSThash, MD2, MD4, MD5, SHA-1, SHA2-256, SHA2-384 and SHA2-512 hash algorithms. Although MD5 and SHA-1 are the common hashing methods, both of them are very vulnerable to collision. Wang and Yu (2005) proved that it is not difficult to break the MD5 and SHA-1 hash functions. The US Department of Commerce announced that all US federal government agencies must use the SHA-2 family after 2010 (http://csrc.nist.gov/groups/ST/hash/policy.html). Therefore, by using Advance Hash Calculator, the forensic accountant can maintain data integrity more securely without worrying about collisions.

Figure 7 Advance Hash Calculator's Hash Type
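The hashing step that Advance Hash Calculator, Helix and EnCase perform can be reproduced with Python's standard library. The example below is added here (it is my own code, not Filesland's or any of the tools' reviewed above) and shows the practice the text recommends: record several digests, including SHA-2 ones, at acquisition time, then recompute all of them at verification time and treat integrity as intact only if every one still matches. The "disk image" is a constructed byte string; the stream-based hashing is written so that a real multi-gigabyte image can be processed in fixed memory.

```python
import hashlib
import io

# Digests recorded for each image. SHA-256/384/512 are the SHA-2 family the text refers to;
# MD5 and SHA-1 are kept only so a digest recorded by an older tool can still be compared.
ALGORITHMS = ("md5", "sha1", "sha256", "sha384", "sha512")
CHUNK_SIZE = 1024 * 1024  # hash in 1 MiB pieces so the whole image never has to fit in memory


def digest_stream(stream, algorithms=ALGORITHMS):
    """Read a file-like object once and return {algorithm: hex digest} for every algorithm."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    while True:
        chunk = stream.read(CHUNK_SIZE)
        if not chunk:
            break
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def digest_bytes(data, algorithms=ALGORITHMS):
    """Convenience wrapper for in-memory data (an open file object works with digest_stream)."""
    return digest_stream(io.BytesIO(data), algorithms)


def verify_digests(data, recorded):
    """Recompute every digest recorded at acquisition and report each comparison separately."""
    current = digest_bytes(data, tuple(recorded))
    return {name: current[name] == recorded[name] for name in recorded}


def integrity_intact(data, recorded):
    """Integrity holds only if *every* recorded algorithm still matches."""
    return all(verify_digests(data, recorded).values())


# Constructed sample "disk image" (not real data): a fake ledger export padded to 4 KiB
SAMPLE_IMAGE = (b"INVOICE,2010-04-12,ACME Pty Ltd,1250.00\n" * 50).ljust(4096, b"\x00")
# The same image with a single byte changed (one amount's 0 becomes a 9)
TAMPERED_IMAGE = SAMPLE_IMAGE.replace(b"1250.00", b"1259.00", 1)


if __name__ == "__main__":
    recorded = digest_bytes(SAMPLE_IMAGE)   # what the examiner writes on the evidence form
    for name, hexdigest in recorded.items():
        print(f"{name:7s} {hexdigest}")
    print("original intact:", integrity_intact(SAMPLE_IMAGE, recorded))
    print("tampered intact:", integrity_intact(TAMPERED_IMAGE, recorded))
    print("per algorithm:", verify_digests(TAMPERED_IMAGE, recorded))
```

A one-byte change flips every digest, which is the property the evidence form relies on. Recording the SHA-2 digests next to the MD5 one also answers the collision concern raised above: a challenge to MD5 alone does not undermine the record, because the SHA-256 and SHA-512 values were fixed at the same moment.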

E. Passware Kit Forensic
Passware Kit Forensic (www.lostpassword.com) is an evidence discovery tool that reports all password-protected items on a computer and gains access to these items using the fastest decryption and password recovery algorithms. Passware can recover many passwords in all kinds of files, including difficult and strong passwords. Passware Kit Forensic includes a Portable version that runs from a USB drive, finds encrypted files and recovers file and website passwords without modifying files or settings on the host computer. Passware Kit Forensic is also able to decrypt BitLocker- and TrueCrypt-encrypted hard disks. Passware Kit Forensic is suitable for forensic purposes and maintains the authenticity of evidence.

Figure 8 Passware Kit Forensic 9.7

The main weakness of Passware is that its basic methods, such as Dictionary, Xieve, Brute-force and Known Password/Previous Passwords, apply only to English passwords. If the password is set in a language other than English, Passware needs a long time to recover it, unless the forensic accountant has enough knowledge of encryption to modify the method through the new attacks editor function. Another weakness is that the price of this tool is quite high. Passware Kit Forensic is offered at US$795 for a single user.

4. Evaluation of Digital Forensic Tools


McKemmish (1999) defines digital forensics as the "process of identifying, preserving, analyzing, and presenting digital evidence in a manner that is legally acceptable" (cited in Lim 2008, p 7). So the forensic accountant who wants to discover fraud in a digital environment must comply with the rules of evidence in order to make digital evidence admissible in court. IOCE (2002, p 11) states the general principles regarding digital evidence as follows: a) the general rules of evidence should be applied to all digital evidence; b) upon seizing digital evidence, actions taken should not change that evidence; c) when it is necessary for a person to access original digital evidence, that person should be suitably trained for the purpose; d) all activity relating to the seizure, access, storage or transfer of digital evidence must be fully documented, preserved and available for review; and e) an individual is responsible for all actions taken with respect to digital evidence whilst the digital evidence is in their possession. This guidance will help the forensic accounting profession to identify, analyse and present digital evidence that is admissible in court.
The investigation tools described above may help the forensic accountant to detect, deter and resolve fraud faster. Golden, Skalak and Clayton (2006) state that handling digital evidence requires the establishment of a chain of custody, as with documentary evidence. Further, Golden, Skalak and Clayton (2006) propose ways to establish the chain of custody, such as: keeping documentation on all procedures and/or applications performed on the digital evidence; storing the electronic media in a secure location; making a bit-by-bit image copy of the hard drive rather than a file system copy; analysing the copy rather than the original; and using forensic software to prove the integrity of the original contents. Most of the forensic tools used by forensic accountants can maintain data integrity, so the authenticity of the evidence can be protected. Authentic evidence is admissible in court, and that is the goal of a forensic accounting engagement.
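Three of the chain-of-custody practices just listed (a bit-by-bit image rather than a file system copy, work on the copy, and documentation of every action with an integrity check) can be shown together in a short Python example. It is added here and is not from Golden, Skalak and Clayton or from any of the tools reviewed; the eight-sector "hard drive", its two files and the deleted record in unallocated space are all constructed for the example.

```python
import hashlib
from datetime import datetime, timezone

SECTOR = 512
# Constructed: a record that was deleted from the file system but never overwritten on disk
DELETED_RECORD = b"2010-02-28,consulting,7500.00,payee=unknown\n"


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def build_sample_device():
    """Constructed eight-sector 'drive' (not a real disk): sectors 0-3 hold two allocated
    files, sector 5 still holds DELETED_RECORD in unallocated space. Returns the raw
    bytes and the file system's view of which sectors belong to which file."""
    dev = bytearray(8 * SECTOR)
    files = {
        "ledger.csv": (0, b"2010-03-01,rent,4500.00\n2010-03-02,supplies,310.50\n"),
        "memo.txt": (2, b"Approved, see attached invoices.\n"),
    }
    allocated = {}
    for name, (sector, content) in files.items():
        dev[sector * SECTOR:sector * SECTOR + len(content)] = content
        allocated[name] = (sector, sector + 2)  # each file owns two sectors
    dev[5 * SECTOR:5 * SECTOR + len(DELETED_RECORD)] = DELETED_RECORD
    return bytes(dev), allocated


def bit_for_bit_image(device):
    """Copy every sector, allocated or not, the way a dd image does."""
    return b"".join(device[i:i + SECTOR] for i in range(0, len(device), SECTOR))


def file_system_copy(device, allocated):
    """Copy only the sectors the file system attributes to files; unallocated space is lost."""
    return b"".join(device[start * SECTOR:end * SECTOR] for start, end in allocated.values())


class CustodyLog:
    """Append-only record of who did what to which artefact, with its hash at that moment."""

    def __init__(self):
        self.entries = []

    def record(self, examiner, action, artefact, data):
        entry = {
            "time": datetime.now(timezone.utc).isoformat(timespec="seconds"),
            "examiner": examiner,
            "action": action,
            "artefact": artefact,
            "sha256": sha256_hex(data),
        }
        self.entries.append(entry)
        return entry

    def last_hash(self, artefact):
        for entry in reversed(self.entries):
            if entry["artefact"] == artefact:
                return entry["sha256"]
        return None

    def verify(self, artefact, data):
        """True only if the artefact's hash now equals the hash recorded when it was last handled."""
        return self.last_hash(artefact) == sha256_hex(data)


if __name__ == "__main__":
    device, allocated = build_sample_device()
    log = CustodyLog()
    log.record("examiner A", "seized drive, write blocker attached", "original", device)
    image = bit_for_bit_image(device)
    log.record("examiner A", "acquired bit-for-bit image", "image", image)
    print("image hash equals original:", sha256_hex(image) == sha256_hex(device))
    print("deleted record present in image:", DELETED_RECORD in image)
    print("deleted record present in file system copy:",
          DELETED_RECORD in file_system_copy(device, allocated))
    working = bytearray(image)
    working[0] ^= 0xFF  # an accidental change to the working copy during analysis
    print("working copy still verifies:", log.verify("image", bytes(working)))
    for e in log.entries:
        print(e)
```

The file system copy is four sectors long and never contains the deleted record, while the bit-for-bit image reproduces the original exactly and hashes identically to it; that identity is what the custody log records, and any later change to the working copy, however small, makes `verify` return False and shows where in the documented sequence the evidence stopped being authentic.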
However, there are some considerations that the forensic accountant should keep in mind before using technology in an investigation. Golden, Skalak and Clayton (2006, pp. 387-388) describe eight considerations for gathering digital evidence:
1. The computer is not a substitute for forensic accounting judgement and experience. It cannot replace document reviews, interviews and follow-up steps.
2. If possible, data should be gathered at the outset of the engagement and prior to the initial field visit.
3. Data obtained should be checked for accuracy and completeness, because incorrect and incomplete data sets may lead to premature and incorrect conclusions.
4. The complexity of the tools used should be commensurate with the size and complexity of the engagement.
5. Some forensic accounting investigators may place too much reliance on the tool itself.
6. Ensure that planned procedures are allowed from a legal perspective and that any evidence gathered may be used for legal purposes if required.
7. Data collection across national boundaries must be done with proper legal advice about exporting the data or about the type of data being collected.
8. Proper computer forensic techniques must be used to avoid inadvertently altering evidence.
Awareness of those pitfalls will help the forensic accountant avoid the more common mistakes and ensure that the evidence found is admissible in court.

5. Conclusion
Technology has two sides: it can be harmful in the hands of criminals and useful in the hands of the right people. Forensic accounting investigators receive many benefits from the technology used in an investigation. Benefits such as efficiency, the ability to handle large data sets to ensure complete assurance, and the ability to maintain the integrity of data can easily be provided by technology. However, the technology demands highly skilled people to make the most of its power. In addition, some considerations for using technology in gathering digital evidence should be noted. We can build a house with a hammer, but we cannot build a house using just a hammer. The same is true in the field of digital forensics. Before forensic accountants examine any system, they need to make sure that they have permission to examine that system. Forensic accountants need to know the legal aspects of the collection, documentation, and preservation of digital evidence.

REFERENCES

ACL Service Ltd. 2010, ACL Desktop edition, accessed 22-05-2010, http://www.acl.com/products/desktop.aspx
Cleary, R & Thibodeau, JC 2005, "Applying digital analysis using Benford's Law to detect fraud: the dangers of type I error", Auditing: a journal of practice and theory, Vol. 24, No. 1, pp. 77-81, accessed 21-05-2010, ProQuest database
Digital Intelligence 2010, Forensic Write Blocker, accessed 22-05-2010, http://www.digitalintelligence.com/forensicwriteblockers.php
Elliot, RK & Jacobson, PD 1987, "Audit technology: a heritage and promise", Journal of accountancy, Vol. 163, No. 5, pp. 198-217, accessed 18-05-2010, ProQuest database
e-fense 2010, Don't let your company data walk out the door!, accessed 20-04-2010, https://www.e-fense.com/products.php
Filesland 2010, Advance Hash Calculator, accessed 20-04-2010, http://www.filesland.com/hashcalc/
Foundation of ACL concepts and practices 2006, ACL certified training material, ACL Service Ltd., Vancouver, Canada
Gleason, BJ & Fahey, D 2006, Helix 1.7 for beginners: manual version 2006.03.07, manual guide
Golden, TW, Skalak, SL & Clayton, MM 2006, A Guide to forensic accounting investigation, John Wiley & Sons, Hoboken, New Jersey
IOCE 2002, Guidelines for best practice in the forensic examination of digital technology, Guidelines, IOCE, accessed 23-05-2010, http://www.ioce.org/fileadmin/user_upload/2002/Guidelines%20for%20Best%20Practices%20in%20Examination%20of%20Digital%20Evid.pdf
Lim, N 2008, Digital forensic certification versus Forensic science certification, Proceedings of the Conference on Digital Forensics, Security and Law, January 1, pp. 1-13, accessed 21-05-2010, ProQuest database
Mason, S 2007, "Authentic digital records: laying the foundation for evidence", Information management journal, Vol. 41, No. 5, pp. 32-40, accessed 21-05-2010, ProQuest database
Passware Inc. 2010, Passware Kit Forensic 9.7, accessed 25-04-2010, http://www.lostpassword.com/kit-forensic.htm
Pearson, TA & Singleton, TW 2008, "Fraud and forensic accounting in the digital environment", Issues in accounting education, Vol. 23, No. 4, pp. 545-559, accessed 9-04-2010, http://www.ncjrs.gov/pdffiles1/nij/grants/217589.pdf
Smith, GS 2005, "Computer forensics: helping to achieve the auditor's fraud mission?", Journal of forensic accounting, Vol. VI, No. 1, pp. 119-134, accessed 29-04-2010, eLearning@UOW
Sheetz, M 2007, Computer forensics: an essential guide for accountants, lawyers, and managers, John Wiley & Sons, Hoboken, New Jersey
Volonino, L, Anzaldua, R & Godwin, J 2007, Computer forensics principles and practices, Prentice Education, Upper Saddle River, New Jersey
Wang, X & Yu, H 2005, "How to break MD5 and other hash functions", unpublished paper, USC, Los Angeles, accessed 22-05-2010, http://merlot.usc.edu/csac-f06/papers/Wang05a.pdf
