
ITT 593 : INTRODUCTION TO DIGITAL FORENSICS

CHAPTER 12 : PERFORMING A DIGITAL FORENSIC INVESTIGATION

• Charting Through an Investigation
• What is an Internal Control?
• Digital Forensic Investigation and Internal Auditing
• Internal Control Questionnaire
• Incident Response and Digital Forensic
• General Incident Response Questionnaires

UITM MELAKA, KAMPUS JASIN

Charting Through an Investigation


• The challenge of continued and rapid growth of information technology: a growing variety of devices capable of storing and transmitting electronic data and, ultimately, electronic evidence.
• Potential evidence may be found on many varied devices, even devices that one might not have traditionally considered examining, e.g. a personal digital assistant (PDA).
• For an overview of the steps a cyber forensic investigator may take in the seizure of such a device, the reader is directed to Appendix G, which presents a Flowchart for the Seizure of a Personal Digital Assistant.

WHAT IS AN INTERNAL CONTROL?

• Definition of internal control by the Committee of the Sponsoring Organizations (COSO): “a process, effected by an entity’s board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:
  • Effectiveness and efficiency of operations
  • Reliability of financial reporting
  • Compliance with applicable laws and regulations”


The key concepts supporting this definition are:

• Internal control is a process. It is a means to an end, not an end in itself.
• Internal control is effected by people. It is not merely policy manuals and forms, but people at every level of an organization.
• It can be expected to provide only reasonable assurance, not absolute assurance, to an entity's management and board.
• It is geared to the achievement of objectives in one or more separate but overlapping categories.


DIGITAL FORENSIC INVESTIGATION AND INTERNAL AUDITING

• DIGITAL FORENSIC???
VS
• INTERNAL AUDITING???


Cyber forensics

• Cyber forensics involves the identification, extraction, documentation, interpretation and preservation of electronic data, whose eventual disposition may be used as evidentiary material in a court of law.
• A cyber forensic investigator will use specific tools in an effort to gather specific data from an information system, which may be a single computer, a network of computers or any device capable of storing and transmitting electronic data, in such a manner as to not alter those data identified on a system under investigation.

Internal auditing

• An independent appraisal function established within an organization to examine and evaluate the organization’s in the effective discharge of their responsibilities.
• Internal auditing furnishes them with analyses, appraisals, recommendations, counsel and information concerning the activities reviewed. The audit objective includes promoting effective control at reasonable cost.

More about internal auditing…

• An internal auditor is a professional within an organization’s internal auditing department who is assigned the responsibility of performing internal auditing functions, and who provides information to the organization’s management, stakeholders and board of directors.
• With respect to the audit of technology, the information technology (IT) auditor is a member of an integrated audit team of professionals who deliver services in the most efficient and effective means possible.


• The IT auditor is specifically charged with assessing business risk as it relates to an organization’s use and misuse of information technology assets.
• Although seemingly different on initial examination, the roles and responsibilities of the cyber forensic investigator and the IT auditor are closely related.
• Both are tasked with investigating, examining, assessing and reporting on how technology has been used, legally or illegally, in the performance of daily operations, whether by individuals acting on their own or as employees of multi-national corporations.
• Each utilizes vast experience to establish procedure, methodology and approach, in order to acquire the proof necessary to substantiate the existence of inappropriate activities perpetrated through the application of information technologies.


• The cyber forensic investigator, as does the IT auditor, gathers substantiating and corroborating evidence of inappropriate activity through many varied means.
• Asking questions assists in defining the breadth, depth and scope of the investigation or audit.
• One means of gathering information and assessing the potential for IT risk, exposure and abuse is through the use of an internal control questionnaire (ICQ).


INTERNAL CONTROL QUESTIONNAIRE (ICQ)

• The ICQ is a tool used by the auditor to conduct an internal control review. The ICQ should contain a list of key control questions that the auditor can use to assess how effectively a particular activity under review is controlled.
• The ICQ should be constructed so that:
  • ‘Yes’ responses indicate good control practices.
  • ‘No’ responses represent potential vulnerabilities.
  • A not applicable (N/A) column is provided on the ICQ for areas that are not appropriate for the specific activity under review.
  • A comments column is used by the auditor to explain the response.


INCIDENT RESPONSE AND DIGITAL FORENSIC

• The cyber forensic investigator should customize the ICQs to define each specific organization’s constraints, policies and practices, as well as the specific goals of the audit or investigation.

• PURPOSE
The general incident response questionnaires were created to help those responding to an incident protect mission-critical systems and assets from internal and cyber threats. The specific questionnaires provide guidelines for five specific types of incidents, including:
  • Intrusions
  • Denial-of-service attacks
  • Malicious code
  • Malicious communication
  • Misuse of resources


• The audiences for the questionnaires are practitioners, including IT security officers, members of the IRT (Incident Response Team) and IT auditors.
• Prior to completing these questionnaires, users should familiarize themselves with the overall cyber response methodology.
• During the use of these questionnaires, users should communicate effectively with the IRT and management to minimize damage and recover within the acceptable time frame.
• After recovering from the incident, users should debrief the IRT and management and implement steps to minimize the risk of future incidents.

GENERAL INCIDENT RESPONSE QUESTIONNAIRE


• The purpose of the incident response questionnaire is to provide an approach for reacting efficiently and quickly to information security-related incidents, so the current situation can be resolved and future problems can be prevented.
  • They facilitate a common understanding of the problem
  • They provide a framework to define and assess the problem
  • They provide an efficient approach to respond to incidents

• Each type of incident is broken down into six steps that need to be executed. These steps include:
  • Pre-incident
  • Immediate action
  • Secondary action
  • Evidence collection
  • Corrective measures
  • Evaluation