_____ is the analysis of electronic data for the purposes of its recovery, legal preservation, authentication, reconstruction, and presentation to solve or aid in solving technology-based crimes.
Computer forensics
Computer forensics is restricted to the investigation of computer data; when forensic investigations go beyond computers to other devices and media, they are called _____.
digital forensics
A computer may contain electronic evidence of criminal activity for two reasons.
First, when a computer is the target of a criminal, it contains evidence of the attack. Stealing financial data, such as credit card numbers or PINs, from a server is an example of such an attack.
Second, a computer may be a tool or instrument used to commit a crime. Such an example is an employee’s workplace computer being used to carry out a financial fraud.
Currently, auditors have several auditing standards to provide them with guidance in dealing with fraud and illegal acts by their clients:
SAS No. 80, Amendment to SAS No. 31, Evidential Matter (now AU Section 326)
SAS No. 54, Illegal Acts by Clients (AU 317)
SAS No. 99, Consideration of Fraud in a Financial Statement Audit (AU 316)
Evidential Matter (AU 326) provides guidelines for audit engagements that encounter electronic documents. It states that:
When an audit relies heavily on electronic evidence, substantive testing alone may not be sufficient to reduce detection risk, because digital data can be complex, incomplete, or unreliable without evaluating the system that produced it. If auditors cannot reduce detection risk through substantive testing, they must test internal controls to ensure the system generating electronic data is reliable enough to support financial statement assertions.
Because large volumes of data are processed electronically, auditors may need to use generalized audit software or continuous auditing tools to test controls and analyze transactions efficiently.
SAS No. 80 defines evidential matter as both ____ and ____ information, e.g., written checks and electronic fund transfers, respectively.
written and electronic
Time Sensitivity of Electronic Evidence
Unlike paper evidence, electronic data may be deleted, overwritten, or become inaccessible over time, so auditors must consider timing when collecting and testing evidence.
The Information Technology Age: Evidential Matter in the Electronic Environment (ITA) recommends that auditors have a working understanding of how electronic data is stored in and extracted from systems, as well as of the risk that data may be intentionally manipulated or altered.
SAS No. 99 (AU 316), Consideration of Fraud in a Financial Statement Audit, provides guidelines for testing digital data. It states that:
In IT environments, auditors are expected to use computer-assisted audit techniques (CAATs) such as data extraction tools to identify and test unusual journal entries and adjustments.
Auditors must maintain heightened __________, meaning they actively question data, consider fraud risks, and do not assume management is always truthful.
professional skepticism
Audit teams are required to ______ how fraud could occur within the organization, helping identify potential schemes and areas of risk before testing begins.
brainstorm
Because electronic data can be complex, auditors should involve IT specialists in fraud brainstorming and testing to analyze systems and detect manipulation (e.g., altered journal entries).
In an audit, the auditor’s primary responsibility is to assess whether financial statements are fairly presented, so cybersecurity is only considered if it impacts financial reporting (e.g., causes material misstatements).
If a cyberattack leads to unauthorized access or data issues, it may require financial statement disclosures or recognition of losses/contingent liabilities, making it relevant to the audit.
Management is responsible for broad cyber risk analysis and prevention, while auditors only assess cyber risks to the extent they affect financial reporting.
Cyber risk analysis must be proactive and continuous, and this responsibility lies with management—not auditors—since auditors do not monitor systems on an ongoing basis.
Cyber risk analysis is dependent on:
(1) accepting management's sole responsibility in assessing risk;
(2) being aware of the digital data related to identifying potential risk;
(3) having knowledge of the types of cyberattacks that are currently occurring and the company's vulnerability to those attacks; and
(4) having an organized structure to measure cyber risks.
The primary purpose of the Sarbanes-Oxley Act is to help avoid the financial frauds of the past. The approach taken in the legislation is
(1) to make management directly responsible for the integrity of the company’s financial statements, and
(2) to require a strengthening of internal control procedures.
Under Section 404, management must ensure internal controls are effective, and external auditors must validate and test those controls, including how financial data flows through IT systems.
The Securities and Exchange Commission requires companies to use the _______ Framework as the standard for evaluating internal control effectiveness under SOX. This framework emphasizes strong internal controls as the primary method for preventing and detecting financial fraud, especially in digital environments.
Committee of Sponsoring Organizations of the Treadway Commission (COSO)
The general information technology (IT) guidelines under the COSO framework have been established for the following eight areas:
Internal control environment,
Objective setting,
Event identification,
Risk assessment,
Risk response,
Control activities,
Information and communication, and
Monitoring.
COSO – Control Environment
means the underlying corporate culture is evaluated for its views on risk including risk-taking, ethical values, and adequate controls.
COSO – Objective-setting
evaluates whether there is a process in place for setting objectives that correspond with the organization’s mission.
COSO – Event identification
determines how the organization sorts internal and external events into risk and opportunity classifications, and how those events correlate with its objectives.
COSO – Risk assessment
determines whether there is an effective response for managing IT risks faced by the organization.
COSO – Risk response
deals with avoiding, accepting, or reducing the identified risks.
COSO – Control activities
evaluates whether effective controls are in place to manage IT risk.
COSO – Information and communication
Communication must be established so that it allows information to be broadly shared up and down the organization. It is also important to have assurances that the proper information is identified and captured.
COSO – Monitoring
Correct monitoring is in place if it can be verified that the controls in place are effective enough so that when weaknesses are detected there are corrective actions taken.
Auditors may use network vulnerability analysis tools to assess risks of unauthorized access and system weaknesses during audits.
Auditing Standard No. 2 requires auditors to assess both the design and operating effectiveness of internal controls as part of the financial statement audit.
The PCAOB emphasizes that a company’s use of information technology directly affects internal controls, meaning auditors must understand IT systems to properly evaluate financial reporting reliability.
PCAOB standards outline what auditors must evaluate (e.g., controls, fraud risk) but provide limited detail on how to implement effective IT controls, making frameworks like COBIT more useful in practice.
Auditing Standard No. 12 requires auditors to evaluate risks of unauthorized system access, which could lead to data destruction, manipulation, or incorrect financial reporting.
Key Controls in Electronic Transaction Systems - Effective systems should ensure:
Data transfers are complete and accurate (no loss or mismatch)
Transactions are reconciled and not duplicated
Missing or altered transactions are detectable
Timing of transactions is tracked and verifiable
What is COBIT?
COBIT is a framework developed by ISACA that provides detailed IT control guidelines to support audits, especially for evaluating internal controls in technology environments. IT audits should be closely integrated with financial audits, since financial reporting depends on IT systems, and COBIT helps align IT controls with financial reporting requirements.
COBIT supports Sarbanes-Oxley Act compliance by defining IT controls specifically for financial reporting, ensuring systems produce accurate and reliable data. COBIT allows organizations to compare their IT controls against established standards, helping evaluate performance, identify weaknesses, and improve control effectiveness.
ISACA provides additional standards for IT audits, including control evaluation, audit procedures, performance measurement, IT profiling, and benchmarking practices.
Good network security includes:
Restricted access to systems and data
Monitoring access and activity logs
Strong password controls
Detection of security violations
Oversight of system processes and job activity
What is ISO/IEC 17799 (27002)?
ISO/IEC 27002 (formerly ISO 17799) provides global best practices for information security, helping organizations protect digital assets and meet IT control requirements (including SOX).
ISO guidelines aim to protect information assets, reduce cyber risk, and ensure business continuity, since weak security can lead to financial loss and operational disruption.
The sections of the ISO are:
(1) security policy;
(2) organization of information security;
(3) asset management;
(4) human resources security;
(5) physical and environmental security;
(6) communications and operations management;
(7) access control;
(8) information systems acquisition, development, and maintenance;
(9) information security incident management;
(10) business continuity management; and
(11) compliance.
Strong ISO-based security reduces risk across connected businesses, preventing attackers from exploiting weaker partners or systems in a network (weakest link risk).
A key first step in ISO-based security is identifying all digital and intangible assets (e.g., financial data, customer lists, contracts, algorithms), since assets must be known before they can be protected.
Important Digital Assets include not just accounting data, but also emails, intellectual property, databases, models, and cloud-stored information, all of which have business value and must be secured.
Failure to secure digital assets can lead to financial loss, reduced ROI, business disruption, and loss of competitive advantage.
When evaluating IT systems (e.g., outsourced payroll), key concerns include:
Strength of encryption methods
Vulnerability to hacking
Where encryption/decryption occurs
Monitoring systems for breaches or malware
Importance of Audit Logs in Security - Effective systems must track who accessed data, when, and what actions were taken, and detect errors or anomalies that could indicate compromised data.
Can Digital Evidence Really Be Destroyed?
Digital evidence is hard to completely destroy but very easy to contaminate, so proper forensic handling is critical in investigations.
When fraud is suspected, auditors must either understand forensic tools or involve specialists, since improper handling can destroy the usefulness of evidence.
Forensic investigations require imaging tools (e.g., EnCase, FTK) that create bit-for-bit images of entire drives, acquired through a write blocker so the original is never written to, preserving original data integrity for legal use.
What is a Bitstream Image?
A bitstream image is a complete copy of a hard drive, including active files, deleted data, and unused space, allowing investigators to recover hidden or erased information.
Deleting a file does not erase it—it only marks the space as available, so deleted data can often be recovered unless it is fully overwritten.
Opening, copying, or modifying files improperly can change metadata or overwrite data, making digital evidence unreliable or inadmissible in court.
The longer the delay in collecting evidence, the greater the risk that data will be overwritten, lost, or altered, reducing its usefulness in an investigation.
Investigators must always work on ______ (not original data) and act quickly to preserve evidence integrity.
imaged copies
The technical skills needed for working with digital evidence collection are based on the following six requirements.
Understanding Operating Systems - Auditors must understand different OSs and file structures (e.g., Windows, iOS) to locate relevant data quickly.
Identifying Relevant Data Quickly - Investigators must perform read-only searches and prioritize volatile data (e.g., cache, RAM) that can disappear.
Preserving Data (Timestamps) - Evidence must be preserved by maintaining file dates and timestamps, which help determine when and by whom changes were made.
Securing Data (Hashes) - Hash values are used to verify data integrity and detect whether files have been altered.
Collecting Data Properly - Use bitstream/mirror imaging (read-only copies) to collect evidence without modifying the original data.
Maintaining Chain of Custody - Keep detailed records of who handled the data and how, ensuring evidence is not contaminated and is admissible in court.
CAATs vs Forensic Analysis
Traditional audit tools (CAATs) analyze data at the surface/application level, while forensic analysis examines deeper system-level data (e.g., metadata, kernel, databases) that auditors normally don’t see.
Risk of Using Normal Applications - Using regular programs (e.g., Excel) can alter hidden data (slack space, swap files) and destroy evidence, so forensic work must avoid modifying original data.
Hidden & Volatile Data (Key Evidence Sources)
Important evidence exists in:
Slack space (remnants of deleted files)
Swap files (recoverable temporary data)
RAM (volatile, lost if power is off)
_______ (e.g., MD5) are used to verify data integrity and detect changes, even if file names or extensions are altered.
Hash values
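The imaging, hashing and deleted-data recovery cards above (bitstream images, "deleting a file does not erase it", working only on verified copies) can be exercised end to end on a toy medium. The following is an added example written for this page, not code from any forensic tool: it builds a tiny hypothetical 8-sector "disk" with a made-up directory format, deletes a file the way most file systems do (clearing the directory entry, leaving the data sectors), acquires a bit-for-bit image while hashing the stream, verifies the image, and then carves the deleted content out of unallocated sectors. Sector layout, file names and contents are constructed for the example. Both MD5 and SHA-256 are recorded because MD5 alone is no longer collision-resistant; a practitioner records at least one modern hash alongside it.

```python
import hashlib
import io
import struct

SECTOR = 512
SECTORS = 8                                   # toy "disk": 4 KiB in total (hypothetical)
DIR_ENTRY = struct.Struct("<8sII")            # name, start sector, byte length (made-up format)
DIR_SLOTS = range(0, SECTOR - DIR_ENTRY.size + 1, DIR_ENTRY.size)


def build_toy_disk() -> bytes:
    """Constructed sample medium: sector 0 is a directory table, sectors 1..7 hold data."""
    disk = bytearray(SECTOR * SECTORS)
    files = [
        (b"ledger", 1, b"2024-03 journal: JE-101 debit 5000 credit 5000"),
        (b"memo", 3, b"shred the duplicate invoice copies before the audit"),
    ]
    for slot, (name, start, data) in zip(DIR_SLOTS, files):
        disk[start * SECTOR:start * SECTOR + len(data)] = data
        disk[slot:slot + DIR_ENTRY.size] = DIR_ENTRY.pack(name, start, len(data))
    return bytes(disk)


def list_directory(image: bytes) -> dict:
    """What a normal file browser would show: only live directory entries."""
    live = {}
    for slot in DIR_SLOTS:
        name, start, length = DIR_ENTRY.unpack_from(image, slot)
        if start:                                # start == 0 marks an unused or deleted slot
            live[name.rstrip(b"\0").decode()] = (start, length)
    return live


def delete_file(disk: bytes, name: str) -> bytes:
    """Ordinary deletion: the directory entry is cleared, the data sectors are untouched."""
    out = bytearray(disk)
    for slot in DIR_SLOTS:
        entry_name, start, _ = DIR_ENTRY.unpack_from(out, slot)
        if start and entry_name.rstrip(b"\0").decode() == name:
            out[slot:slot + DIR_ENTRY.size] = bytes(DIR_ENTRY.size)
    return bytes(out)


def acquire_image(device, chunk_size: int = SECTOR):
    """Bitstream acquisition: read the device sequentially, copy every byte,
    and hash the stream as it is read so the image can be verified later."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    image = bytearray()
    while chunk := device.read(chunk_size):
        image += chunk
        md5.update(chunk)
        sha256.update(chunk)
    return bytes(image), {"md5": md5.hexdigest(), "sha256": sha256.hexdigest()}


def verify_image(image: bytes, recorded: dict) -> bool:
    """Re-hash the working copy; any mismatch means the evidence was altered."""
    return (hashlib.md5(image).hexdigest() == recorded["md5"]
            and hashlib.sha256(image).hexdigest() == recorded["sha256"])


def carve_unallocated(image: bytes, needle: bytes) -> list:
    """Search sectors that no live file claims, the way a carver recovers deleted data."""
    allocated = set()
    for start, length in list_directory(image).values():
        allocated.update(range(start, start + (length + SECTOR - 1) // SECTOR))
    hits = []
    for sector in range(1, SECTORS):
        data = image[sector * SECTOR:(sector + 1) * SECTOR]
        if sector not in allocated and needle in data:
            hits.append((sector, data.rstrip(b"\0").decode(errors="replace")))
    return hits


def run_investigation() -> dict:
    """Whole procedure: the suspect deletes the memo, the examiner images the disk,
    verifies the image, and works only on the copy."""
    suspect_disk = delete_file(build_toy_disk(), "memo")
    image, hashes = acquire_image(io.BytesIO(suspect_disk))
    return {
        "image_verified": verify_image(image, hashes),
        "live_files": sorted(list_directory(image)),
        "carved": carve_unallocated(image, b"shred"),
        "hashes": hashes,
    }


if __name__ == "__main__":
    print(run_investigation())
```

On a real system the `io.BytesIO` stand-in would be an open block device behind a hardware write blocker, and the two hashes would be written into the chain-of-custody record at acquisition time, so that a later `verify_image` on the working copy can prove nothing changed between seizure and analysis.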
In many legal jurisdictions, collection of evidence is automatically assumed to mean electronic documents without requiring that “electronic documents” per se be specifically described in the request for information.
Electronic evidence must be collected in a way that is _______, meaning proper procedures must be followed from the start since all data may end up in court.
legally admissible
Electronic devices can be seized if they are:
Contraband (illegal items)
Fruits of a crime
Instrumentalities of a crime (used to commit it)
Evidence may be inadmissible if:
It falls outside the scope of a warrant
It involves unrelated crimes (requires a new warrant)
It violates legal protections (e.g., privacy, First Amendment)
Law enforcement must follow _______, meaning searches must be specific and reasonable—not overly broad.
Fourth Amendment protections
Evidence may exist on third-party or “zombie” computers (e.g., botnets), meaning investigators may need to collect data from systems not owned by the criminal.
Courtroom Evidence & Testimony
Evidence can be physical (logs, files) or direct (testimony)
Forensic accountants often testify to explain digital evidence
Evidence must be clear and understandable to a jury
Maintaining a proper ______ is critical to prove evidence was not altered or contaminated and is admissible in court.
chain of custody
Key Evidence Collection Practices - To preserve evidence:
Document the scene
Avoid altering systems (no booting or changes)
Use read-only imaging + hashing
Secure and track all data handling
When a _____ is issued, organizations must stop normal data deletion/overwriting practices and preserve all relevant electronic data.
legal request
Destroying or altering evidence (intentionally or not) is called spoliation and can lead to fines, sanctions, or losing a case.
Electronic evidence includes:
Metadata (file history, timestamps)
Active, inactive, archival, and residual data
→ All must be preserved for investigations
SSD vs Traditional Drives
Traditional drives → data may be recoverable
SSDs → deleted data can be gone much sooner, because the drive's own garbage collection (TRIM) clears unused blocks in the background
Data Mining vs Computer Forensics
Data mining analyzes large transaction datasets to find patterns and anomalies
Computer forensics examines system-level data and metadata
→ Both require imaged data + hashing to preserve integrity
Purpose of Data Mining in Fraud Detection
Data mining uses statistical methods (e.g., clustering, classification, link analysis) to identify unusual patterns that may indicate fraud in large datasets.
Data Mining Preparation Steps (Critical)
Before analysis:
Use imaged data (not originals)
Verify with hash codes
Clean the data (remove errors)
→ Required for reliable and admissible results
Key Data Mining Techniques (Combined)
Link analysis → finds relationships between data (e.g., items purchased together)
Case-based reasoning → compares current data to past fraud cases
Sequence analysis → detects suspicious timing patterns
Cluster analysis → groups similar data and flags outliers
→ All aim to identify anomalies for further investigation
Link Analysis
The underlying assumption in link analysis is that there are some fundamental correlations or associations between the items in a database. With link analysis, an algorithm of that relationship is developed and used to identify cases that do not fit what would be expected.
Case Based Reasoning
Case-based reasoning uses the closest approximations from the past to adapt a correct past solution to a current situation. It can be considered memory-based problem solving: future events are predicted by studying previous events. In fraud detection, uncovering characteristics in current accounts that match those of past fraudulent accounts may be useful.
Sequence Analysis
Sequence analysis is concerned with evaluating patterns in time series data to uncover fraudulent activity. It is assumed that an ordered set of events (s = a1, a2, …, an) will be encountered together, with a time delay separating the transactions in the sequence.
Cluster Analysis
Cluster analysis is used to divide data into nonoverlapping groups containing similar characteristics. Each group should have a strong level of "sameness" that separates it from the other data groups. The data in a cluster should be closer to the mean of that cluster than to the mean of any other cluster formed from the data under analysis. The underlying data forming a cluster can be based on a single characteristic or on multiple characteristics measured in different ways, as long as they are similar within clusters.
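The cluster definition above ("closer to the mean of that cluster than to any other") is exactly what k-means computes, and the fraud use is to flag members that sit far from their own centroid. The block below is an added example for this page, not code from any audit product: it standardizes two differently scaled characteristics (payment amount and hour of posting), runs k-means with a deterministic seeding so the result is reproducible in a workpaper, and flags points whose distance to their centroid is more than three standard deviations above the cluster's mean distance. The payment data is constructed: two routine populations and one large payment posted at 03:00.

```python
import math
import statistics

# Constructed sample: (amount, hour of day posted) for 43 vendor payments.
SAMPLE_PAYMENTS = (
    [(950 + 5 * i, 10) for i in range(21)]    # routine supplier payments, mid-morning
    + [(200 + 5 * i, 14) for i in range(21)]  # small recurring expenses, afternoon
    + [(9800, 3)]                             # the one we expect to stand out
)


def standardize(rows):
    """Z-score each column so amount and hour contribute on comparable scales."""
    cols = list(zip(*rows))
    means = [statistics.fmean(c) for c in cols]
    stds = [statistics.pstdev(c) or 1.0 for c in cols]
    return [[(v - m) / s for v, m, s in zip(row, means, stds)] for row in rows]


def distance(a, b):
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def kmeans(points, k, max_iter=100):
    """Lloyd's k-means with deterministic seeding: centroids start at evenly spaced
    quantiles of the first feature, so a second examiner gets the same clusters."""
    order = sorted(range(len(points)), key=lambda i: points[i][0])
    centroids = [list(points[order[int(len(points) * (2 * j + 1) / (2 * k))]])
                 for j in range(k)]
    labels = None
    for _ in range(max_iter):
        new_labels = [min(range(k), key=lambda j: distance(p, centroids[j])) for p in points]
        if new_labels == labels:              # assignments stable: converged
            break
        labels = new_labels
        for j in range(k):
            members = [p for p, lab in zip(points, labels) if lab == j]
            if members:
                centroids[j] = [statistics.fmean(col) for col in zip(*members)]
    return labels, centroids


def cluster_outliers(rows, k=2, z_threshold=3.0):
    """Cluster, then flag members unusually far from their own centroid.
    Returns (flagged row indexes, cluster label per row)."""
    points = standardize(rows)
    labels, centroids = kmeans(points, k)
    dists = [distance(p, centroids[lab]) for p, lab in zip(points, labels)]
    flagged = []
    for j in range(k):
        members = [i for i, lab in enumerate(labels) if lab == j]
        member_dists = [dists[i] for i in members]
        mean, std = statistics.fmean(member_dists), statistics.pstdev(member_dists)
        if std:
            flagged += [i for i in members if (dists[i] - mean) / std > z_threshold]
    return sorted(flagged), labels


if __name__ == "__main__":
    flagged, labels = cluster_outliers(SAMPLE_PAYMENTS)
    for i in flagged:
        print("review:", SAMPLE_PAYMENTS[i], "in cluster", labels[i])
```

Standardizing first matters: without it, a dollar amount swamps an hour-of-day value and the "unusual timing" characteristic never influences the grouping. The flagged index is a lead for investigation, not a finding; the next step is to pull that payment's approval trail.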
Zipf’s Law & Pattern Detection
Under Zipf's law, frequency is inversely related to rank (most common = X, second = X/2, third = X/3, etc.). In fraud detection, expected frequency patterns are compared to actual data (e.g., invoice attributes), and deviations are identified using regression and z-scores to flag anomalies for further investigation.
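The Zipf comparison described above, as an added example written for this page (not from any cited tool): vendors are ranked by how many invoices they submitted, the expected count at rank r is X/r with X the top count, residuals between actual and expected are z-scored, and a least-squares fit of log(count) on log(rank) gives the regression slope that Zipf's law predicts to be close to -1. The vendor counts are constructed; "Vendor C" has been inflated to stand in for a vendor pushing through far more invoices than its rank would justify.

```python
import math
import statistics

# Constructed sample: invoices submitted per vendor in one quarter (made-up names and counts).
SAMPLE_VENDOR_INVOICES = {
    "Vendor A": 120, "Vendor B": 60, "Vendor C": 58, "Vendor D": 40,
    "Vendor E": 30, "Vendor F": 24, "Vendor G": 20, "Vendor H": 17,
    "Vendor I": 15, "Vendor J": 13, "Vendor K": 12,
}


def rank_by_frequency(counts: dict) -> list:
    """Most frequent first; ties broken by name so the ranking is reproducible."""
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


def zipf_expected(ranked: list) -> list:
    """Expected count at rank r is X / r, where X is the top-ranked count."""
    top = ranked[0][1]
    return [top / r for r in range(1, len(ranked) + 1)]


def loglog_slope(ranked: list) -> float:
    """Least-squares slope of log10(count) on log10(rank); Zipf's law predicts -1."""
    xs = [math.log10(r) for r in range(1, len(ranked) + 1)]
    ys = [math.log10(c) for _, c in ranked]
    mx, my = statistics.fmean(xs), statistics.fmean(ys)
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    sxx = sum((x - mx) ** 2 for x in xs)
    return sxy / sxx


def zipf_anomalies(counts: dict, z_threshold: float = 2.0) -> list:
    """Compare each vendor's actual count with its Zipf expectation and z-score the residual."""
    ranked = rank_by_frequency(counts)
    expected = zipf_expected(ranked)
    residuals = [actual - exp for (_, actual), exp in zip(ranked, expected)]
    mean, std = statistics.fmean(residuals), statistics.pstdev(residuals)
    report = []
    for rank, ((name, actual), exp, res) in enumerate(zip(ranked, expected, residuals), 1):
        z = (res - mean) / std if std else 0.0
        report.append({"rank": rank, "name": name, "actual": actual,
                       "expected": round(exp, 1), "z": round(z, 2),
                       "flag": abs(z) > z_threshold})
    return report


if __name__ == "__main__":
    ranked = rank_by_frequency(SAMPLE_VENDOR_INVOICES)
    print("log-log slope:", round(loglog_slope(ranked), 3))
    for row in zipf_anomalies(SAMPLE_VENDOR_INVOICES):
        print(row)
```

The slope is a population-level sanity check (a slope far from -1 says the attribute does not follow Zipf at all and the X/r expectation should not be used), while the per-row z-score points at the individual vendor to examine. Note that one inflated vendor pushes every vendor below it down a rank, so the residuals of its neighbours drift positive too; that is why the residuals are centred on their mean before scoring.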
Tools like IDEA, ACL, TeamMate Analytics help automate fraud detection by identifying:
Duplicate or missing data
Unusual transactions (e.g., just below approval limits)
Suspicious patterns in payments, vendors, or employees
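The three tests listed above are the kind of routines generalized audit software runs over a payment file. The block below is an added example for this page, written in plain Python rather than taken from IDEA, ACL or TeamMate Analytics: it finds exact duplicate payments, amounts sitting just under a single-signature approval limit, and invoices from one vendor split within a few days so that each stays under the limit while the total exceeds it. The payment run, vendor names and the 5,000 limit are constructed for the example.

```python
from collections import defaultdict
from datetime import date

APPROVAL_LIMIT = 5000.00   # hypothetical single-signature limit

# Constructed sample payment run (ids, vendors, invoice numbers and amounts are made up).
SAMPLE_PAYMENTS = [
    {"id": "P001", "vendor": "Acme Supply", "invoice": "INV-1001", "amount": 4200.00, "date": "2024-03-04"},
    {"id": "P002", "vendor": "Acme Supply", "invoice": "INV-1001", "amount": 4200.00, "date": "2024-03-11"},
    {"id": "P003", "vendor": "Northwind Consulting", "invoice": "NW-77", "amount": 4990.00, "date": "2024-03-05"},
    {"id": "P004", "vendor": "Northwind Consulting", "invoice": "NW-78", "amount": 4975.00, "date": "2024-03-05"},
    {"id": "P005", "vendor": "Globex", "invoice": "G-55", "amount": 1250.00, "date": "2024-03-06"},
    {"id": "P006", "vendor": "Globex", "invoice": "G-56", "amount": 12500.00, "date": "2024-03-07"},
    {"id": "P007", "vendor": "Initech", "invoice": "IT-9", "amount": 4999.99, "date": "2024-03-08"},
]


def exact_duplicates(payments) -> list:
    """Same vendor, invoice number and amount paid more than once."""
    groups = defaultdict(list)
    for p in payments:
        groups[(p["vendor"], p["invoice"], round(p["amount"], 2))].append(p["id"])
    return [ids for ids in groups.values() if len(ids) > 1]


def just_below_limit(payments, limit, band=0.02) -> list:
    """Amounts within `band` (default 2 %) under the approval limit: the classic
    sign of a payment steered away from a second approver."""
    floor = limit * (1 - band)
    return [p["id"] for p in payments if floor <= p["amount"] < limit]


def split_invoices(payments, limit, window_days=3) -> list:
    """Several sub-limit invoices from one vendor within `window_days` of each other
    whose total exceeds the limit, i.e. one purchase split to dodge approval."""
    by_vendor = defaultdict(list)
    for p in payments:
        by_vendor[p["vendor"]].append(p)
    findings = []
    for vendor, rows in by_vendor.items():
        rows.sort(key=lambda p: p["date"])
        run = []                                 # consecutive payments, each within the window of the last
        for p in rows + [None]:                  # None is a sentinel that flushes the final run
            gap_too_big = (p is None or (date.fromisoformat(p["date"])
                                         - date.fromisoformat(run[-1]["date"])).days > window_days
                           ) if run else False
            if run and gap_too_big:
                small = [r for r in run if r["amount"] < limit]
                if len(small) > 1 and sum(r["amount"] for r in small) >= limit:
                    findings.append((vendor, [r["id"] for r in small]))
                run = []
            if p is not None:
                run.append(p)
    return sorted(findings)


if __name__ == "__main__":
    print("duplicates:", exact_duplicates(SAMPLE_PAYMENTS))
    print("just below limit:", just_below_limit(SAMPLE_PAYMENTS, APPROVAL_LIMIT))
    print("possible splits:", split_invoices(SAMPLE_PAYMENTS, APPROVAL_LIMIT))
```

The Globex pair is deliberately not reported as a split: the 12,500 invoice was above the limit on its own and so went through the higher approval path, which is the behaviour the test is looking for the absence of. The band and window are judgement calls the auditor documents in the workpaper.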
______ record who did what and when in a system, allowing investigators to trace transactions and identify suspicious activity.
Audit trails
Logs can reveal:
Unauthorized access or changes
Suspicious transaction timing
Repeated edits or anomalies by specific users
Logs can be compromised if:
Users have admin/root access
Logs are deleted or altered
System design allows changes without proper tracking
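The three ways a log can be compromised above all come down to someone with write access editing, deleting or regenerating records. The block below is an added example for this page, not code from any logging product: it keeps an audit trail as a hash chain (each record carries the hash of the previous one), so a single edited or deleted record breaks verification at that point, and it shows why that alone is not enough against an administrator who can rewrite the whole chain: verification must also compare the head hash against an anchor recorded somewhere the log's own administrators cannot write. It also runs the simplest analytic from the cards above, repeated edits of one record by one user. The events are constructed.

```python
import copy
import hashlib
import json
from collections import Counter

GENESIS = "0" * 64

# Constructed sample audit events (users, journal entries, times and amounts are made up).
SAMPLE_EVENTS = [
    {"ts": "2024-03-04T09:12:00", "user": "jlee", "action": "create", "record": "JE-101", "amount": 5000},
    {"ts": "2024-03-04T09:40:00", "user": "mfox", "action": "approve", "record": "JE-101", "amount": 5000},
    {"ts": "2024-03-09T23:05:00", "user": "jlee", "action": "update", "record": "JE-101", "amount": 5500},
    {"ts": "2024-03-09T23:07:00", "user": "jlee", "action": "update", "record": "JE-101", "amount": 5900},
    {"ts": "2024-03-09T23:09:00", "user": "jlee", "action": "update", "record": "JE-101", "amount": 6400},
    {"ts": "2024-03-10T08:00:00", "user": "rkim", "action": "create", "record": "JE-102", "amount": 800},
]


def entry_hash(prev_hash: str, entry: dict) -> str:
    """SHA-256 over the previous hash and the canonical JSON form of the entry."""
    payload = json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(prev_hash.encode() + payload).hexdigest()


def append_entry(log: list, entry: dict) -> str:
    prev = log[-1]["hash"] if log else GENESIS
    record = {"entry": entry, "prev": prev, "hash": entry_hash(prev, entry)}
    log.append(record)
    return record["hash"]


def build_log(events) -> list:
    log = []
    for event in events:
        append_entry(log, event)
    return log


def verify_chain(log: list, anchor: str = None):
    """Walk the chain. Returns (ok, index): the index of the first bad record, or the
    log length if every link held. `anchor` is the head hash as recorded out of band
    (a write-once store, a ticket, a mailed digest) at the time the log was closed."""
    prev = GENESIS
    for i, rec in enumerate(log):
        if rec["prev"] != prev or rec["hash"] != entry_hash(prev, rec["entry"]):
            return False, i
        prev = rec["hash"]
    if anchor is not None and prev != anchor:
        return False, len(log)
    return True, len(log)


def tamper(log: list, index: int, **changes) -> list:
    """An in-place edit by someone with write access to the log table; the stored
    hash is left as it was, which is what a careless edit looks like."""
    altered = copy.deepcopy(log)
    altered[index]["entry"].update(changes)
    return altered


def repeated_edits(log: list, threshold: int = 3) -> list:
    """Surface-level analytic over the same trail: a user repeatedly updating one record."""
    counts = Counter((r["entry"]["user"], r["entry"]["record"])
                     for r in log if r["entry"]["action"] == "update")
    return [(user, record, n) for (user, record), n in counts.items() if n >= threshold]


if __name__ == "__main__":
    log = build_log(SAMPLE_EVENTS)
    anchor = log[-1]["hash"]
    print("intact:", verify_chain(log, anchor))
    print("edited amount:", verify_chain(tamper(log, 2, amount=5000), anchor))
    print("record removed:", verify_chain(log[:3] + log[4:], anchor))
    print("repeated edits:", repeated_edits(log))
```

The rewrite case is the important one: an administrator who regenerates the entire log with the amounts reset produces a chain that verifies perfectly on its own, and only the externally held anchor exposes it. That is the concrete form of the last card's point that system design must not allow changes without tracking outside the reach of the people being tracked.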