Linkin' Logs to Fraud: The Secret to a Successful Computer Fraud Investigation Is Proper Logging and Audit-Trail Reports. (Focus On: Economic Crime)

By Melia, John J., Jr. | Security Management, November 2002

The televised report of a bank computer fraud case had a familiar theme: law enforcement agents were shown removing computing equipment, specifically a suspect's PC, as part of what television reporters said would be a computer forensics investigation. A law enforcement spokesperson interviewed by the reporter stated that the suspect's hard drive would be inspected to determine how the fraud was committed.

But there was one key drawback with this investigative process: The "forensics" investigation focused on the suspect's PC hard drive alone. Critical evidence--consisting of host-computer audit-trail logs, computer utilization and user access reports, and other documentation that could have helped investigators reconstruct the fraudulent transaction by revealing the suspect's overall system activity--was never obtained.

For this reason, though the suspect was convicted of the theft of bank funds, the case was not prosecuted under computer-crime statutes. The fraudulent transaction had not been traced back to the suspect, and the prosecutor determined that without any meaningful reconstruction of the transaction events, any prosecution effort would be unsuccessful.

While the scenario just described is not typical of computer-crime investigations, a growing number of investigators have developed the mistaken notion that computer forensics is concerned only with seizing computer media, specifically the PC hard drive, and recovering digital evidence from it. There is no question that useful investigative information can be gathered from PC hard drives, servers, laptop drives, and other media, but investigators must understand the distinction between examining such local media and conducting a full-scale computer-incident forensics investigation.

A full-scale computer-incident forensics investigation is a complete, thorough probe to determine the nature, scope, and duration of the fraudulent transaction in question. This requires the investigator to retrieve user-access log-on reports, time- and date-stamp reports, and other system logging reports that establish what events occurred, whose user identification was associated with each event, and which application systems were involved, creating a complete reconstruction of the incident in question.

Though no two cases are exactly the same, the emphasis of a computer-fraud investigation must be on generating the evidence that proves who conducted the transaction event. This requires understanding the system structure and gathering the evidence, but, if the goal is a conviction, it is equally important how that evidence is presented to a jury.

System structure. Before looking at the logs, the investigator must gain a basic understanding of the subject organization's IT architecture, its enterprise network infrastructure, and the general components of the computing environment, including the information security controls in place. Questions to ask include: How are users authenticated to the host computing system where the fraud or other crime occurred? What safeguards are in place to offer a high degree of assurance that each user is the individual connecting to the system? How are access events tracked and records stored for later reference? What is the transaction verification process? How are system changes controlled and logged?

Gathering evidence. Once the investigator knows the basics of the computing environment in question, he or she can begin the investigation. The investigator's goal, of course, is to uncover evidence that can be used to convince a jury that only the suspect could have used the combination of passwords, user IDs, and other log-on features in committing the fraudulent transaction. The first step toward that end is for the investigation to be forensically sound, which means that the investigative steps must be documented and repeatable. …
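The reconstruction the article calls for (tying each transaction to the log-on session in which it occurred, by user ID, time stamp and application) and the requirement that the work be documented and repeatable can be shown on constructed data. The following is an added example, not code from the article or its author; the log formats, user IDs, workstation names and transaction records are all invented for illustration. It correlates a host authentication log with an application transaction log, attributes each transaction to the authenticated session(s) active at that moment, flags the case where the same user ID has concurrent sessions from two workstations (which an investigator cannot resolve from the logs alone), counts failed log-ons shortly before the transaction, and records a SHA-256 digest of each evidence file so the run can be repeated and verified later.

```python
"""Reconstruct transactions from host audit logs (added example, constructed data)."""
import hashlib
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Constructed sample evidence. Formats are assumptions for illustration only.
AUTH_LOG = """\
2002-09-12T08:02:11 LOGON  user=jdoe   src=WS-117 result=SUCCESS
2002-09-12T08:05:40 LOGON  user=tsmith src=WS-204 result=SUCCESS
2002-09-12T11:47:03 LOGON  user=jdoe   src=WS-333 result=FAILURE
2002-09-12T11:47:25 LOGON  user=jdoe   src=WS-333 result=SUCCESS
2002-09-12T12:10:59 LOGOFF user=jdoe   src=WS-333
2002-09-12T17:01:12 LOGOFF user=jdoe   src=WS-117
2002-09-12T17:30:00 LOGOFF user=tsmith src=WS-204
"""
TXN_LOG = """\
2002-09-12T09:15:22 txn=100341 app=WIRE user=tsmith amount=1200.00 dest=ACCT-5551
2002-09-12T11:52:48 txn=100358 app=WIRE user=jdoe amount=48500.00 dest=ACCT-9012
2002-09-12T14:03:05 txn=100377 app=WIRE user=jdoe amount=300.00 dest=ACCT-1188
"""


def parse_log(text):
    """Parse '<ISO timestamp> [EVENT] key=value ...' lines into dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, _, rest = line.split(None, 1)[0], None, line.split(None, 1)[1]
        ev = {"ts": datetime.fromisoformat(ts)}
        for tok in rest.split():
            if "=" in tok:
                k, v = tok.split("=", 1)
                ev[k] = v
            else:
                ev["event"] = tok          # bare token = LOGON / LOGOFF
        events.append(ev)
    return events


@dataclass
class Session:
    user: str
    src: str
    start: datetime
    end: Optional[datetime] = None       # None: still open at end of log

    def active_at(self, t):
        return self.start <= t and (self.end is None or t <= self.end)


def build_sessions(auth_events):
    """Pair each successful LOGON with the next LOGOFF for the same user/workstation."""
    open_sessions, sessions = {}, []
    for ev in sorted(auth_events, key=lambda e: e["ts"]):
        key = (ev["user"], ev["src"])
        if ev["event"] == "LOGON" and ev.get("result") == "SUCCESS":
            s = Session(ev["user"], ev["src"], ev["ts"])
            sessions.append(s)
            open_sessions[key] = s
        elif ev["event"] == "LOGOFF" and key in open_sessions:
            open_sessions.pop(key).end = ev["ts"]
    return sessions


def failed_logons_before(auth_events, user, t, window=timedelta(minutes=10)):
    """Count failed LOGON attempts for `user` in the `window` before time `t`."""
    return sum(1 for ev in auth_events
               if ev["event"] == "LOGON" and ev.get("result") == "FAILURE"
               and ev["user"] == user and t - window <= ev["ts"] <= t)


def evidence_digest(text):
    """SHA-256 of the raw evidence text, recorded so the analysis is repeatable."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def reconstruct(auth_text, txn_text):
    """Attribute every transaction to the session(s) of its user active at that time."""
    auth, txns = parse_log(auth_text), parse_log(txn_text)
    sessions = build_sessions(auth)
    findings = {}
    for t in txns:
        live = [s for s in sessions if s.user == t["user"] and s.active_at(t["ts"])]
        findings[t["txn"]] = {
            "user": t["user"], "app": t["app"], "amount": t["amount"],
            "sources": sorted(s.src for s in live),
            # one live session: attributable to a workstation; zero or several: not
            "ambiguous": len(live) != 1,
            "failed_logons_prior": failed_logons_before(auth, t["user"], t["ts"]),
        }
    return {"evidence": {"auth.log": evidence_digest(auth_text),
                         "txn.log": evidence_digest(txn_text)},
            "transactions": findings}


if __name__ == "__main__":
    report = reconstruct(AUTH_LOG, TXN_LOG)
    for name, digest in report["evidence"].items():
        print(f"{name}: sha256={digest}")
    for txn, f in report["transactions"].items():
        flag = "AMBIGUOUS" if f["ambiguous"] else "attributed"
        print(f"txn {txn}: user={f['user']} amount={f['amount']} sources={f['sources']} "
              f"failed_logons_prior={f['failed_logons_prior']} [{flag}]")
```

On the constructed data, transaction 100358 (the large wire) falls while user jdoe is logged on from both WS-117 and WS-333, with a failed log-on from WS-333 seconds before the successful one; the script reports it as ambiguous rather than picking a workstation. That is the kind of finding a PC-only examination never surfaces, and the kind a prosecutor needs explained: either the credential was shared or misused, and only further host, network or physical-access records can settle which. The digests of the input files belong in the case notes with the script version so that the same report can be regenerated from the same evidence.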
