INVESTIGATION
1. Introduction
Today, people are constantly in contact with digital equipment. While many areas of our lives benefit from this kind of technology, some areas are vulnerable to its negative effects. In terms of fraud, many perpetrators use digital equipment as a tool to help them commit fraud. Smith (2005, p 119) argues that “almost every financial fraud incorporates the use of computer and digital equipments…” Digital equipment such as a computer can also become the target of fraud. Volonino, Anzaldua and Godwin (2006, p 6) divide computer crimes into two categories: the computer as a target and the computer as a tool. Crimes against a computer include attacks on networks that cause them to crash, and unauthorized access to, or tampering with, information systems, programs, or data. In addition, digital evidence is different from ordinary documentary evidence. Digital evidence can easily and unintentionally be destroyed or made inadmissible as courtroom evidence by either the perpetrators or those who first find the evidence (Smith, 2005). So, from the auditor’s perspective, technology is essentially an enemy in terms of fraud.

Fortunately, like a double-edged sword, technology is also the auditor’s friend in uncovering fraud. Because a computer can be both a target and a tool in any fraud, data stored in a computer is perfect evidence for uncovering fraud. If auditors know the correct way to preserve, acquire and analyse data stored in a computer that is suspected of being a target of fraud or of being used as a tool in fraud, the data will become high-quality evidence in court. Pearson and Singleton (2008) argue that the need to obtain, manage and analyse digital evidence is critical for the success of future accounting professionals. Thus, the benefit of technology such as computers and other digital equipment outweighs its negative side. This article explains the evolution of technology used in investigations, then reviews the tools commonly used in digital forensics by forensic accountants, and evaluates the use of those tools.
first computers built in the early 1950’s were housed in buildings dedicated solely to their operation (Sheetz 2007). Today we can see people walking down the street carrying their computers.

The second category of evolution identified by Sheetz is the programming language. The first computers could perform only the task they were dedicated to. Those computers were not programmable in the way we see today. The first high level programming language used to communicate with the computer was binary code: a series of 0s and 1s. The second layer of programming language was known as assembler language, which turned the binary code into human language. Based on this assembler language, an IBM employee created FORTRAN and the computer revolution began. Following FORTRAN, many languages that are much simpler than machine language were developed.

The last evolution of the computer is the internet. The idea of connecting computers began when the research facilities at the University of California at Los Angeles, the University of California at Santa Barbara, Stanford and the University of Utah developed ARPANET (Advanced Research Projects Agency Network). From this humble network, the internet has grown to the scale that we see today. Connecting a computer to the internet for any reason, including exchange of information, e-commerce, or even defence, is a necessity in the world today.

Returning to the technology used in fraud investigation, we can refer to audit technology. Elliot and Jacobson (1987) explain the evolution of EDP audit in the USA. According to them, EDP audit began in the 1960’s when the American Institute of Certified Public Accountants (AICPA) released a publication, Auditing and EDP. Later, the ideas of that book appeared in many auditing standards published by the AICPA. Elliot and Jacobson explain that at the earlier stage of EDP auditing, auditors used the ‘around the computer’ method. This method relied on user controls and verified output by its relationship to input. The next level was to use test data. In applying this technique, the auditor tested data through the client’s computer and compared the independently calculated results to the results produced by the client’s computer. Generalized audit software was soon available and provided a simpler approach.

Pearson and Singleton (2008) state that the idea of digital forensics or computer forensics emerged in the middle of 1980 when the FBI implemented its Magnetic Media Program and performed only three examinations of computers. According to them, digital evidence was institutionalized in 1995 with the formation of the International Organization on Computer Evidence (IOCE). So the development of computer forensics has actually taken place in the last 20 years.
3. Investigation tools
In this internet era, forensic accountants conducting investigations use many investigation tools, ranging from data mining software to data analysis software and sometimes the same tools that are used by hackers. Here are some of the tools used by forensic accountants.
A. Helix
Helix3™ (www.e-fense.com) is “an internal tool to provide the ability to acquire forensically sound images of many types of hard drives and partitions on systems running unique setups such as RAID arrays” (Gleason & Fahey, 2006, p 9). Many products offer the capabilities that Helix has. However, Helix differs from many other imaging software products because it was developed on Knoppix (a variant of Linux), which is open source and free. At this time e-fense, Inc. promotes Helix3™ Pro to digital forensic examiners with a compulsory one-year forum membership for US$ 239. However, Helix3 2009R1, which is a beta version of Helix3 Pro, can be downloaded for free.

Helix can run in three different environments: Mac OS X, Windows and Linux, with one simple-to-use interface. Helix can be used either for live forensic imaging or as a forensically sound environment to boot any x86 system. Because turning off a suspected computer may destroy evidence, many digital forensic examiners do that with extra care. Before booting a suspected computer, the best way to turn off the computer is to unplug the power, because when we press the shutdown button, the computer will be systematically shut down by software. The bootable Helix actually runs on the Linux side. Once Helix has finished the boot process, X Windows will automatically start and present the Helix desktop. By default Helix sets all devices in the target computer as read only, so they cannot be easily modified, even by Helix itself.

Figure 1 Helix desktop in Linux

Another way of using Helix is live Helix. This method is the best for acquiring a disk image from a system that cannot be turned off or taken offline for an extended period of time. To use Helix, you should first read the warning. As has been pointed out several times in the manual, using Helix in a live environment will make changes to the system – that is one of the
Thibodeau 2005). As a result, according to Cleary and Thibodeau (2005), auditors who want to rely on this analysis should understand that using a digit-by-digit basis in Benford’s Law, as ACL does, might increase the chances of finding actual fraudulent entries.

At this time the newer version of ACL is ACL Desktop ver. 9.1, and its new improvement is that it can read and analyse PDF files. However, despite ACL’s powerful functions, it is quite expensive. In Indonesia, the ACL Desktop retail price is US$3,000 for two users, including a one-year subscription to ACL support.
C. UltraBlock
UltraBlock (www.digitalintelligence.com) is a brand name for forensic write-blocker hardware. The purpose of this hardware is to prevent forensic accountants from modifying the data that they access. It is very important for forensic accountants to ensure that data submitted to a court as evidence remains authentic. Therefore, when they access and analyse the evidence, they have to be very careful not to modify, change or alter the data. UltraBlock is compatible with all leading imaging software applications, including Helix, EnCase and other imaging software.

Digital Intelligence offers UltraBlock as one full kit (UltraKitIII) and as separate devices. The UltraKit retail price ranges from about US$1,369 to US$1,599 (plus FireWire). UltraKitIII consists of four main products and their accessories. Those main products can be bought separately. The four main products are the UltraBlock eSATA IDE-SATA Write Blocker, UltraBlock SCSI, UltraBlock USB and UltraBlock Forensic Card Reader.
acquire data from a SCSI hard drive in a forensically sound write-protected environment. The combination of those two devices lets forensic accountants forensically access and analyse all hard drives available in the market today. The UltraBlock Forensic USB Write Blocker brings secure, hardware-based write blocking to the world of USB mass storage devices, and the UltraBlock Forensic Card Reader can be used for writing and the forensic acquisition of information found on multimedia and memory cards. All those devices are set to ‘Read Only’ by default, but when necessary forensic accountants can configure them to ‘Read Write’ for testing or validation purposes.
D. Advance Hash Calculator
Maintaining the integrity of evidence is one of the most important things forensic accountants should be concerned with. Once the integrity of evidence is questionable, the evidence will lose its power in court. In the worst case, the admission of the evidence in court will be rejected. One method that can be used to maintain data integrity in digital forensics is the hash value. The common hash value methods are MD5 and SHA-1. These hash value programs are included in forensic imaging software such as Helix and EnCase. However, Advance Hash Calculator offers more than the MD5 and SHA-1 methods to calculate hash values.

Figure 6 Advance Hash Calculator

Advance Hash Calculator, developed by Filesland (http://www.filesland.com/hashcalc/), supports the CRC32, GOSThash, MD2, MD4, MD5, SHA-1, SHA2-256, SHA2-384 and SHA2-512 hash algorithms. Although MD5 and SHA-1 are the common hashing methods, both of them are very vulnerable to collisions. Wang and Yu (2005) proved that it is not difficult to break the MD5 and SHA-1 hash functions. The US Department of Commerce announced that all federal government agencies in the US use the SHA-2 family after 2010 (http://csrc.nist.gov/groups/ST/hash/policy.html). Therefore, by using Advance Hash Calculator, forensic accountants can maintain data integrity more securely without worrying about any collision.

Figure 7 Advance Hash Calculator's Hash Type
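
The hash-based integrity check described above can be sketched in a few lines of Python. This is an added example, not code from the original article or from any of the tools it reviews; the function names `hash_evidence` and `verify_evidence` are hypothetical, and the sample file is constructed. It records MD5, SHA-1 and SHA-2 digests in a single read pass at acquisition and later reports which recorded digests no longer match.

```python
import hashlib
import hmac

# Legacy digests are kept only to cross-check older tools; SHA-2 is authoritative.
ALGORITHMS = ("md5", "sha1", "sha256", "sha512")

def hash_evidence(path, algorithms=ALGORITHMS, chunk_size=1024 * 1024):
    """Stream the file once and return {algorithm: hex digest}."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:  # read-only open; never write to evidence
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}

def verify_evidence(path, recorded):
    """Re-hash the file and compare with the digests recorded at acquisition.

    Returns (ok, mismatched_algorithms); the evidence passes only if every
    recorded digest still matches.
    """
    current = hash_evidence(path, algorithms=tuple(recorded))
    mismatched = sorted(
        name for name, digest in recorded.items()
        if not hmac.compare_digest(current[name], digest.lower())
    )
    return (not mismatched, mismatched)

if __name__ == "__main__":
    import os
    import tempfile
    # Constructed sample standing in for an acquired disk image.
    with tempfile.NamedTemporaryFile(delete=False, suffix=".dd") as tmp:
        tmp.write(b"constructed sample evidence image\n" * 1000)
    record = hash_evidence(tmp.name)          # digests taken at acquisition
    print(verify_evidence(tmp.name, record))  # untouched copy
    with open(tmp.name, "r+b") as fh:         # simulate a one-byte alteration
        fh.seek(10)
        fh.write(b"X")
    print(verify_evidence(tmp.name, record))  # altered copy
    os.remove(tmp.name)
```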
E. Passware Kit Forensic
Passware Kit Forensic (www.lostpassword.com) is an evidence discovery tool that reports all password-protected items on a computer and gains access to these items using the fastest decryption and password recovery algorithms. Passware can recover many passwords in all files, including difficult and strong passwords. Passware Kit Forensic includes a Portable version that runs from a USB drive, finds encrypted files, and recovers file and website passwords without modifying files or settings on the host computer. Passware Kit Forensic is also able to decrypt BitLocker and TrueCrypt hard disks. Passware Kit Forensic is suitable for forensic purposes and maintains the authenticity of evidence.

Figure 8 Passware Kit Forensic 9.7

The main weakness of Passware is that its basic methods, such as Dictionary, Xieve, Brute-force and Known Password/Previous Passwords, apply only to English passwords. If the password is set in a language other than English, Passware needs a long time to recover it, unless the forensic accountant has enough knowledge about encryption to modify the method through the new attacks editor function. Another weakness is that this tool is quite expensive. Passware Kit Forensic is offered at US$795 for a single user.
5. Conclusion
Technology has two sides: it can be harmful in the hands of criminals and useful in the hands of the right people. Forensic accounting investigators receive many benefits from technology used in an investigation. Benefits such as efficiency, the ability to handle large amounts of data to ensure complete assurance, and the ability to maintain the integrity of data can be provided easily by technology. However, the technology demands highly skilled people to optimize its power. In addition, some considerations in using technology to gather digital evidence should be noted. Technology is like a hammer: we can build a house with a hammer, but we cannot build a house using just a hammer. The same is true in the field of digital forensics. Before forensic accountants examine any system, they need to make sure that they have permission to examine that system. Forensic accountants need to know the legal aspects of collection, documentation, and preservation of digital evidence.
REFERENCES
Pearson, TA & Singleton, TW 2008, “Fraud and forensic accounting in the digital environment”, Issues in accounting education, Vol. 23, No. 4, pp. 545-559, accessed 9-04-2010, http://www.ncjrs.gov/pdffiles1/nij/grants/217589.pdf
Smith, GS 2005, “Computer forensics: helping to achieve the auditor’s fraud mission?”, Journal of forensic accounting, Vol. VI, No. 1, pp. 119-134, accessed 29-04-2010, eLearning@UOW
Sheetz, M 2007, Computer forensics: an essential guide for accountants, lawyers, and managers, John Wiley & Sons, Hoboken, New Jersey
Volonino, L, Anzaldua, R & Godwin, J 2007, Computer forensics principles and practices, Prentice Education, Upper Saddle River, New Jersey
Wang, X & Yu, H 2005, “How to break MD5 and other hash functions”, unpublished paper, USC, Los Angeles, accessed 22-05-2010, http://merlot.usc.edu/csac-f06/papers/Wang05a.pdf