UNIT 2

Cyberspace and the Law & Cyber Forensics:


Introduction, Cyber Security Regulations, Roles of
International Law. The INDIAN Cyberspace, National
Cyber Security Policy.
Introduction, Historical background of Cyber forensics,
Digital Forensics Science, The Need for Computer
Forensics, Cyber Forensics and Digital evidence, Forensics
Analysis of Email, Digital Forensics Lifecycle, Forensics
Investigation, Challenges in Computer Forensics, Special
Techniques for Forensics Auditing
Introduction
• Here we address the other side of crime, that is, the use of forensic
techniques in the investigation of cybercrimes.
• “Cyberforensics” is a very large domain; complex technical aspects
are involved in digital forensics/computer forensics.
• This chapter provides only a broad understanding of cyberforensics.
• Cyberforensics plays a key role in the investigation of cybercrime.
• “Evidence” in the case of “cyberoffenses” is extremely important
from the legal perspective.
• There are legal aspects involved in the investigation as well as in the
handling of digital forensics evidence.
• Only technically trained and experienced experts should be involved
in the forensics work.
Historical background of Cyberforensics
• The different types of cybercrime are explained in Unit 1.
• A computer is either the subject or the object of a cybercrime, or is used as a
tool to commit a cybercrime.
• The earliest recorded computer crimes:
– cases in 1969-1970 when students burned computers at various
universities.
– Around the same time, people were discovering methods for gaining
unauthorized access to large time-shared computers.
– Computer intrusions and fraud committed with the help of computers were
the first crimes recognized as a new type of crime.
– The Florida Computer Crimes Act was the first computer crime law to
address computer fraud and intrusion. It was enacted in Florida in 1978.
– The application of computers to investigating computer-based crime has led to
the development of a new field called Computer Forensics.
– “Forensic evidence” is important in the investigation of cybercrimes.
• Computer forensics is a relatively new discipline in the domain of computer
security; it is a rapidly growing discipline and a fast-growing profession as well
as business.
• The focus of computer forensics is to find the digital evidence: such
digital evidence is required to establish whether or not a fraud or crime has
been committed.
• Computer forensics is primarily concerned with the systematic
“identification”, “acquisition”, “preservation” and “analysis” of digital
evidence, typically after an unauthorised access to a computer or
unauthorised use of a computer has taken place.
• In contrast, the main focus of “computer security” is the prevention of unauthorised
access to computer systems as well as maintaining the “confidentiality”,
“integrity” and “availability” of computer systems.
• There are two categories of computer crime:
1. criminal activity that involves using a computer to commit a crime.
2. criminal activity that has a computer as a target.
• “Forensic science” is the application of the physical sciences to
law in the search for truth in civil, criminal and social behavioural
matters, to the end that injustice shall not be done to any
member of society.
• An alternative definition of digital forensics science is:
• “the use of scientifically proven methods towards the
preservation, collection, validation, identification,
analysis, interpretation, documentation and presentation of
digital evidence derived from digital sources for the purpose of
facilitating or furthering the reconstruction of events found to
be criminal, or helping to anticipate unauthorized actions
shown to be disruptive to planned operations.”
• Typical types of data requested for a digital forensics
examination by law enforcement agencies are:
• Investigation into electronic mail usage, website history,
cell phone usage, file activity history, file creation or
deletion, chat history, account login/logout records and
more.
• Therefore, it becomes necessary to address the legal
issues involved in cyber forensics.
• The goal of digital forensics is to determine the “evidential
value” of the crime scene and related evidence.
Digital Forensics Science
• The objective of cyberforensics is to provide digital evidence of a
specific or general activity.
• The following are two more definitions worth considering:
• It is difficult to provide a precise definition of “digital evidence” because
the evidence is recovered from devices that are not traditionally
considered to be computers.
• Some researchers prefer to expand the definition by including the
“collection” and “examination” of all forms of digital data, including the
data found in cell phones, PDAs, iPods and other electronic devices.
• The role of digital forensics is to:
• 1. Uncover and document evidence and leads.
• 2. Corroborate evidence discovered in other ways.
• 3. Assist in showing a pattern of events.
• 4. Reveal an end-to-end path of events leading to a compromise attempt.
• 5. Extract data that may be hidden, deleted or otherwise not directly
available.
The following figure shows what kind of data you
“see” using forensics tools.
The Need for Computer Forensics
• The convergence of Information and Communication Technology (ICT) advances and
the pervasive use of computers worldwide have brought many advantages to mankind;
at the same time these high-capacity modern computers/computing devices
provide avenues for misuse as well as opportunities for committing crime.
• The widespread use of computer forensics is the result of two factors:
1. Increasing dependence of law enforcement on digital evidence
2. The ubiquity of computers that followed from the microcomputer revolution.
• The media on which clues related to cybercrime reside vary from case to case.
There are many challenges for the forensic investigator because storage devices are
getting miniaturized due to advances in electronic technology.
• Looking for digital forensic evidence (DFE) is like looking for a needle in a haystack.
• Here software comes to the rescue: it helps sieve the relevant data from the irrelevant
mass.
• “Evidence” includes everything that is used to determine or demonstrate the truth of
an assertion. Evidence can be used in court to convict people who are believed to
have committed crimes.
• The term chain of custody is important.
• A police officer or detective will take charge of a piece of evidence, document its
collection and hand it over to an evidence clerk for storage in a secure place.
• All such transactions, as well as succeeding transactions between evidence
collection and its appearance in court, need to be completely documented
chronologically to withstand legal challenges to the authenticity of the
evidence.
• Documentation must include the conditions under which evidence is collected, the
identity of all those who handled the evidence, the duration of evidence custody,
security conditions while handling or storing evidence and the manner in which
evidence is transferred to subsequent custodians each time a transfer occurs.
• Chain of custody means the chronological documentation that indicates the
seizure, custody, control, transfer, analysis and disposition of physical or
electronic evidence.
• Chain of custody helps in maintaining the integrity of evidence by providing
documentation of the control, transfer and analysis of evidence.
Cyberforensics and Digital Evidence
• Cyberforensics can be divided into two domains:
• 1. Computer forensics 2. Network forensics
• Many security threats are possible through computer networks.
• Network forensics is very important in the context of cybercrime.
• Network forensics is the study of network traffic to search for truth
in civil, criminal, and administrative matters to protect users and
resources from exploitation and invasion of privacy.
• Digital evidence is different in nature compared to physical evidence.
• First, digital evidence is much easier to change/manipulate.
• Second, perfect digital copies can be made without harming the
original.
• At the same time, the integrity of digital evidence can be proven.
• There are many forms of cybercrime:
• Sexual harassment cases: by way of memos, letters, emails;
obscene chats.
• Online banking information; corporate espionage by way of
emails, chats, memos.
• In the case of computer crimes/cybercrimes, computer forensics
helps.
• Computer forensics experts know the techniques to retrieve data
from files, hidden files, deleted files, deleted emails and
passwords, login ids, encrypted files, hidden partitions etc.
• Typically evidence resides on computer systems, in user-created
files, user-protected files, computer-created files and on computer
networks.
Computer systems have the following:
Rules of Evidence
The Indian IT Act amended the Indian Evidence Act. According to the Indian
Evidence Act 1872, “Evidence” means and includes:
1. All statements which the court permits or requires to be made before it by the
witnesses, in relation to matters of fact under inquiry, are called oral evidence.
2. All the documents that are produced for the inspection of the court are called
documentary evidence.
The legal community believes that “electronic evidence” is a new breed of evidence.
With paper evidence, the process is clear and obvious. Digital evidence by its very nature
is invisible to the eye. Therefore the evidence must be developed using special tools
and methods.
At times they have an apprehension that the Indian Evidence Act 1872 may not hold
good for electronic evidence.
The Indian Evidence Act 1972, through the IT Act 2000, added provisions which constitute
the body of law applicable to electronic evidence.
Acquisition of digital evidence is both a legal and a technical
problem. Difficulties associated with gathering digital
evidence:
 Determining what piece of digital evidence is required
 Where the evidence is physically located
Different contexts are involved in actually identifying a piece of
digital evidence:
• Physical context
o It is definable by its physical form, that is, it should reside
on a specific piece of media
• Logical context
o It must be identifiable as to its logical position, that is,
where it resides relative to the file system
• Legal context
o The evidence must be placed in the correct context to
Guidelines for the digital evidence collection phase:
• Follow the site’s security policy and engage the appropriate
incident handling and law enforcement personnel
• Capture a picture of the system as accurately as possible
• Keep detailed notes with dates and times
• Be prepared to testify, outlining all actions you took and at
what times
• Minimize changes to the data as you are collecting it
• Remove external avenues for change
• Always choose collection before analysis
• Your procedures should be implementable
• For each device a systematic approach should be adopted;
follow the guidelines of the collection procedure. Manage the work
among the team members
• Proceed from the most volatile to the less volatile areas while collecting evidence:
– Registers, cache
– Routing table, ARP cache, process table, kernel statistics, RAM
– Temporary file systems
– Disk
– Remote logging and monitoring data
– Physical configuration and network topology
– Archival media
• Do a bit-level copy of the media (try to avoid conducting forensics on the evidence
copy)
Forensic Analysis of E-Mail
• Introduction to E-Mail System
• An E-Mail system is a combination of hardware and software that
controls the flow of E-Mail. The two most important components of an
email system are:
• E-Mail server
• E-Mail gateway
• E-Mail servers are computers that forward, collect, store, and
deliver email to their clients.
• E-Mail gateways are the connections between email servers.
• Mail server software is the software which controls the flow of email.
• A mail client is the software which is used to send and receive (read)
emails.
The general overview of how an email system works is shown in the following
figure:
Email Header Forensics Analysis
• An email contains two parts:
• Header
• Body
• The email header is very important from the forensics point of view. A full
header view of an email shows the entire path of the email’s journey
from its source to its destination. The header also includes IP addresses and other
useful information. The header is a sequence of fields (key-value pairs).
• Header information varies with the E-Mail service provider, email
application and system configuration.
• Header: carries information that is needed for email routing, the subject
line and time stamps.
• Body: contains the actual message/data of an email.
Email header examples
• Header protocol analysis is important for investigating
evidence. After getting the source IP address we find the ISP’s
details. By contacting the ISP, we can get further information like:
• Name
• Address
• Contact number
• Internet facility
• Type of IP address
• Any other relevant information
• It is important during investigations that the logs of all servers in
the chain are examined as soon as possible
• If the server mentioned in the bottom
Received section does not match the server of
the email sender, it is a fake email.
RFC2822 defines the Internet message format
• According to RFC2822:
• Each email must have a globally unique identifier
• It defines the syntax of the Message-ID
• A Message-ID can appear in three header fields:
– Message-ID header
– In-reply-to header
– References header
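The header analysis described above (walking the Received chain from the bottom hop upwards, comparing the origin server with the sender's domain, and pulling out the Message-ID, In-Reply-To and References fields), as an added example that is not part of the original slides. The message it parses is constructed for the example; the hostnames and addresses are documentation ranges, not real systems.

```python
import email
import re
from email.utils import parseaddr, parsedate_to_datetime

# Constructed sample message. Each server prepends its own Received line, so
# the top one is the last hop and the bottom one is the first server that saw
# the mail (the origin hop that the slides call the "bottom received section").
RAW_MESSAGE = b"""\
Received: from mx1.example-receiver.test (mx1.example-receiver.test [203.0.113.10])
\tby inbound.example-receiver.test with ESMTP id abc123;
\tMon, 1 Jan 2024 10:00:05 +0000
Received: from relay.example-isp.test (relay.example-isp.test [198.51.100.7])
\tby mx1.example-receiver.test with ESMTP id def456;
\tMon, 1 Jan 2024 10:00:03 +0000
Received: from host44.attacker.test (unknown [192.0.2.44])
\tby relay.example-isp.test with SMTP id ghi789;
\tMon, 1 Jan 2024 10:00:01 +0000
From: "Accounts" <accounts@example-bank.test>
To: victim@example-receiver.test
Subject: Invoice
Date: Mon, 1 Jan 2024 09:59:58 +0000
Message-ID: <20240101095958.1234@host44.attacker.test>
In-Reply-To: <orig-1@example-receiver.test>
References: <orig-0@example-receiver.test> <orig-1@example-receiver.test>

Please see the attached invoice.
"""

RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)"              # name the sending host announced (HELO/EHLO)
    r"(?:\s+\((?P<rdns>[^)]*)\))?"        # receiver's own view: reverse DNS and [IP]
    r"\s+by\s+(?P<by>\S+)"                # the server that wrote this Received line
)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
MSGID_RE = re.compile(r"<[^>]+>")


def load_message(raw=RAW_MESSAGE):
    """Parse raw RFC 2822 text; headers keep the order in which they appear."""
    return email.message_from_bytes(raw)


def parse_received(msg):
    """Received hops in header order: index 0 is the last server that handled
    the message, the last entry is the origin hop (the bottom Received line)."""
    hops = []
    for raw in msg.get_all("Received", []):
        text = " ".join(raw.split())      # unfold the header into one line
        m = RECEIVED_RE.search(text)
        if not m:
            continue                      # non-standard hop line: skip it, keep the rest
        rdns = m.group("rdns") or ""
        ip = IP_RE.search(rdns)
        stamp = None
        if ";" in text:                   # the receiving server's date follows the last ';'
            try:
                stamp = parsedate_to_datetime(text.rsplit(";", 1)[1].strip())
            except (TypeError, ValueError):
                stamp = None
        hops.append({"helo": m.group("helo"), "rdns": rdns.split(" ", 1)[0],
                     "ip": ip.group(1) if ip else None, "by": m.group("by"),
                     "time": stamp})
    return hops


def origin_hop(msg):
    hops = parse_received(msg)
    return hops[-1] if hops else None


def sender_domain(msg):
    """Domain of the From address (the claimed sender)."""
    return parseaddr(msg.get("From", ""))[1].rsplit("@", 1)[-1].lower()


def origin_matches_sender(msg):
    """The check from the slides: does the host in the bottom Received line
    belong to the From domain? A mismatch is a red flag for the analyst, not
    proof on its own (legitimate bulk mailers and forwarders also fail it)."""
    origin = origin_hop(msg)
    if origin is None:
        return False
    domain = sender_domain(msg)
    names = (origin["helo"].lower().rstrip("."), origin["rdns"].lower().rstrip("."))
    return any(n == domain or n.endswith("." + domain) for n in names)


def message_ids(msg):
    """Message-ID plus the two threading fields that cite other Message-IDs."""
    return {
        "message_id": MSGID_RE.findall(msg.get("Message-ID", "")),
        "in_reply_to": MSGID_RE.findall(msg.get("In-Reply-To", "")),
        "references": MSGID_RE.findall(msg.get("References", "")),
    }


def hop_timeline(msg):
    """(receiving server, seconds since the origin hop) for each dated hop,
    oldest first; large gaps or negative values point at clock skew or forged lines."""
    hops = [h for h in reversed(parse_received(msg)) if h["time"] is not None]
    if not hops:
        return []
    t0 = hops[0]["time"]
    return [(h["by"], int((h["time"] - t0).total_seconds())) for h in hops]


if __name__ == "__main__":
    m = load_message()
    for hop in reversed(parse_received(m)):
        print(f"{hop['helo']} [{hop['ip']}] -> {hop['by']} at {hop['time']}")
    print("From domain:", sender_domain(m))
    print("origin hop matches From domain:", origin_matches_sender(m))
    print(message_ids(m))
```

The origin IP found this way is what an investigator would take to the ISP; the server logs for every hop in the chain should be requested promptly, as the slides note.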
Digital Forensics Life Cycle
• We will explore the different phases or steps in the digital forensics life cycle.
• The digital forensics process is shown in the following
figure. The forensic life cycle phases are:
1. Preparation and identification
2. Collection and recording
3. Storing and transporting
4. Examination/investigation
5. Analysis, interpretation, and attribution
6. Reporting
7. Testifying
1. Preparing for the Evidence and Identifying the Evidence
• In order to be processed and analysed, evidence must first be
identified. It is possible that the evidence may be
overlooked and not identified at all. A sequence of events in a
computer might include interactions between:
• Different files
• Files and file systems
• Processes and files
• Log files
• In the case of a network, the interactions can be between devices
in the organization or across the globe (Internet). If the
evidence is never identified as relevant, it may never be
collected and processed.
2. Collecting and Recording Digital Evidence
• Digital evidence can be collected from many sources. The obvious sources can be:
• Mobile phones
• Digital cameras
• Hard drives
• CDs
• USB memory devices
• Non-obvious sources can be:
• Digital thermometer settings
• Black boxes inside automobiles
• RFID tags
• Proper care should be taken while handling digital evidence as it can be changed
easily. Once changed, the evidence cannot be analysed further.
• A cryptographic hash can be calculated for the evidence file and later checked to
establish whether any changes were made to the file. Sometimes important evidence
might reside in volatile memory. Gathering volatile data requires special
technical skills.
3. Storing and Transporting Digital Evidence
• Some guidelines for the handling of digital evidence:
• Image computer media using a write-blocking
tool to ensure that no data is added to the
suspect device
• Establish and maintain the chain of custody
• Document everything that has been done
• Only use tools and methods that have been
tested and evaluated to validate their accuracy
and reliability
• Care should be taken that evidence does not go anywhere without
being properly traced. Things that can go wrong in storage include:
• Decay over time (natural or unnatural)
• Environmental changes (direct or indirect)
• Fires
• Floods
• Loss of power to batteries and other media-preserving mechanisms
• Sometimes evidence must be transported from place to place, either
physically or through a network.
• Care should be taken that the evidence is not changed while in
transit. Analysis is generally done on a copy of the real evidence. If
there is any dispute over the copy, the original can be produced in court.
4. Examining/Investigating Digital Evidence
• The forensics specialist should ensure that he/she has the proper
legal authority to seize, copy and examine the data. As a
general rule, one should not examine digital information
unless one has the legal authority to do so. Forensic
investigation performed on data at rest (hard disk) is called
dead analysis.
• Many current attacks leave no trace on the computer’s hard
drive. The attacker only exploits the information in the
computer’s main memory. Performing forensic investigation
on main memory is called live analysis. Sometimes the
decryption key might be available only in RAM. Turning off
the system will erase the decryption key.
• For the purpose of digital evidence examination, “imaging of electronic
media” is necessary. The process of creating an exact duplicate of the
original evidence is called imaging. Using a stand-alone hard drive
duplicator or software imaging tools, the entire hard drive is completely
duplicated.
• Some tools which can create entire hard drive images are:
• dcfldd
• IXimager
• Guymager
• The original drive is moved to secure storage to prevent tampering. During
imaging, a write protection device or application is used to ensure that no
information is introduced onto the evidentiary media during the forensics process.
• The imaging process is verified by using SHA-1 or another hashing
algorithm. At critical points throughout the analysis, the media is verified
again, known as “hashing”, to ensure that the evidence is still in its original
state.
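The imaging-and-verification step described here, together with the hash check from phase 2 and the chain-of-custody record from the earlier slides, as an added example that is not part of the original slides. It images a constructed "device" file rather than a real disk, hashes source and image with SHA-1 and SHA-256 in a single streaming pass, writes each custody transaction with its digests, and later detects that a working copy no longer matches the acquisition record.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1024 * 1024  # read 1 MiB at a time so a large image never has to fit in RAM


def hash_file(path, algorithms=("sha1", "sha256")):
    """Compute several digests of a file in one pass over the data."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def image_media(source_path, image_path):
    """Bit-for-bit copy of the source into an image file, followed by an
    independent re-read of both so the image is verified against the original.
    On a real case the source sits behind a write blocker; here it is a file."""
    with open(source_path, "rb") as src, open(image_path, "wb") as dst:
        for chunk in iter(lambda: src.read(CHUNK), b""):
            dst.write(chunk)
    source_hashes, image_hashes = hash_file(source_path), hash_file(image_path)
    return source_hashes == image_hashes, image_hashes


def custody_entry(log, action, custodian, hashes, note=""):
    """Append one chronological chain-of-custody record: who, when, what, digests."""
    log.append({
        "time": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "action": action, "custodian": custodian, "note": note, **hashes,
    })
    return log


def verify_against_log(path, log):
    """Re-hash the evidence at a later point and compare with the digests
    recorded at acquisition; any difference means it is no longer in its
    original state and the analysis so far is open to challenge."""
    acquired = next(e for e in log if e["action"] == "acquired")
    current = hash_file(path)
    return all(current[a] == acquired[a] for a in ("sha1", "sha256"))


def run_demo():
    """Constructed scenario: a tiny 'device', its image, and a working copy
    that is accidentally modified during examination."""
    workdir = tempfile.mkdtemp()
    device = os.path.join(workdir, "suspect_device.bin")
    image = os.path.join(workdir, "suspect_device.dd")
    working = os.path.join(workdir, "working_copy.dd")
    with open(device, "wb") as fh:            # constructed sample content, not real data
        fh.write(b"MBR" + bytes(range(256)) * 64 + b"trailing sectors")

    log = []
    ok, hashes = image_media(device, image)
    custody_entry(log, "acquired", "examiner A", hashes, "imaged via write blocker")
    custody_entry(log, "transferred", "evidence clerk", hashes, "sealed bag #1")

    with open(image, "rb") as src, open(working, "wb") as dst:
        dst.write(src.read())
    with open(working, "r+b") as fh:          # simulate one byte changed by mistake
        fh.seek(10)
        fh.write(b"X")

    result = {
        "image_verified": ok,
        "image_still_original": verify_against_log(image, log),
        "working_copy_still_original": verify_against_log(working, log),
        "custody_log": log,
    }
    custody_entry(log, "verified", "examiner A", hash_file(image), "pre-analysis re-hash")
    return result


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```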
5. Analysis, Interpretation and Attribution
• Analysis, interpretation and attribution of evidence are the most difficult aspects
encountered by most forensic analysts.
• In digital forensics, only a few sequences of events might produce evidence. But
the possible number of sequences is very large.
• The digital evidence must be analyzed to determine the type of information
stored on it. For this purpose specialty tools are used that can display information
in a format useful to investigators.
Examples of forensics tools:
• Forensic Toolkit (FTK)
• EnCase
• Scalpel (file carving tool): file carving is the process of recovering files from an investigative target,
potentially without knowledge of the file system structure.
• The Sleuth Kit (TSK): a library and collection of Unix and Windows based tools and
utilities to allow for forensic analysis of computer systems.
• Autopsy
Forensic analysis includes the following activities:
• Manual review of data on the media
• Windows registry inspection
• Discovering and cracking passwords
• Performing keyword searches related to the crime
• Extracting emails and images
Types of digital analysis:
• Media analysis: analysis of the data from a storage device.
• Media management analysis: analysis of the management system used to organize
media.
• File system analysis: analysis of file system data inside a partition or disk.
• Application analysis: analysis of the data inside a file. Files are created by users
and applications.
• Network analysis: analysis of data on a communications network.
• Image analysis: analysis of digital images, where an “image” is a single searchable file.
• Video analysis: analysis of digital video used in security cameras and in personal
video cameras and webcams.
6. Reporting
• After the analysis is done, a report is generated. The report may
be in oral form or in written form or both. The report contains all
the details about the evidence in the analysis, interpretation, and
attribution steps.
• As a result of the findings in this phase, it should be possible to
confirm or discard the allegations.
• There is a substantial amount of scientific literature on
methods of presentation and their impact on those who observe
those presentations, covering aspects ranging from the order of presentation
of information to the use of graphics and demonstrations.
• In general, reporting is a complex and tricky process.
Some of the general elements in the report are:
• Identity of the reporting agency;
• Case identifier or submission number;
• Case investigator;
• Identity of the submitter;
• Date of receipt;
• Date of report;
• Descriptive list of items submitted for examination;
• Identity and signature of the examiner;
• Brief description of steps taken during examination;
• Results / conclusions.
7. Testifying
• This phase involves the presentation and cross-examination of expert
witnesses.
• A computer forensic expert witness possesses the expertise to
uncover hidden or deleted data, recover information from damaged
devices, and identify digital footprints left behind by users. Their
technical proficiency enables them to uncover relevant evidence that
will lead the direction of the particular case.
• Their role is to provide an unbiased analysis of the electronic
evidence and present their findings based on ethical principles.
An expert witness can testify provided that:
• The testimony is based on sufficient facts or data
• The testimony is the product of reliable principles and methods
• The witness has applied the principles and methods reliably to the facts of
the case
• Experts with inadequate knowledge are sometimes chastised
by the court.
Precautions to be taken when collecting digital evidence are:
• No action taken by law enforcement agencies or their agents
should change the evidence
• When a person needs to access the original data held on a computer,
that person must be competent to do so
• An audit trail or other record of all processes applied to digital
evidence should be created and preserved
• The person in charge of the investigation has overall
responsibility for ensuring that the law and these principles are adhered
to.
Approaching a Computer Forensics Investigation
The process of approaching a computer forensics investigation.
The phases in a computer forensics investigation are:
• Secure the subject system
• Take a copy of the hard drive/disk
• Identify and recover all files
• Access/view/copy hidden, protected, and temp files
• Study special areas on the drive
• Investigate the settings and any data from programs on the system
• Consider the system from various perspectives
• Create a detailed report containing an assessment of the data and
information collected
Things to be avoided during a forensics investigation:
• Changing date/timestamps of the files
• Overwriting unallocated space
Things that should not be forgotten during a forensics
investigation:
• Engagement contract
• Non-Disclosure Agreement (NDA)
• The engagement contract and NDA are among those
crucial not-to-forget things.
• Customers of a computer forensics laboratory must agree
to be bound by the terms and conditions for any services
offered by the computer forensics laboratory.
Typical Elements Addressed in a Forensics Investigation Engagement
Contract:
• Authorization: the customer will be asked to authorize the computer forensics
laboratory or its agents to conduct an evaluation of the data/media/equipment onsite
or offsite to determine the nature and scope of the engagement and to enable the
company to provide an estimate of the cost of the forensics investigation.
• Confidentiality: the concerned computer forensics laboratory is supposed to use any information
contained in the data/media provided to the company by the customer only for the
purpose of fulfilling the engagement.
• Payment: the customer agrees to pay the computer forensics laboratory all sums
authorized from time to time by the customer.
• Consent and acknowledgement: any consent required of either party becomes
effective only if provided in a commercially reasonable manner. The customer needs to
acknowledge that the efforts of the computer forensics laboratory to complete the forensic
investigation engagement may result in the destruction of or damage to the
equipment/data/media.
• Limitation of liability: the concerned computer forensics laboratory will not consider
itself to be liable for any claims regarding the physical functioning of the
equipment/data/media.
• Although the computer forensics laboratory is
to make every effort to preserve the integrity
of any data or equipment related to the
engagement, the customer has to agree not to
hold the forensics laboratory responsible for
any accidental damage to the data or
equipment in its possession.
Solving a Computer Forensics case
• These are some broad illustrative steps and may vary depending on the specific
case in hand.
• General steps in solving a computer forensics case are:
1. Prepare for the forensic examination.
2. Talk to key people about the case and what you are looking for.
3. If you are convinced that the case has a strong foundation, start assembling tools to
collect the data and identify the target media.
4. Collect the data from the target media. You will be creating an exact duplicate
image of the device in question. To do this you need to use an imaging software
application like the commercial EnCase or the open source Sleuth Kit/Autopsy.
5. Use a write-blocking tool while performing imaging of the disk. This makes sure
nothing is added to the device when you are creating your image.
6. Check email records too while collecting evidence.
7. Examine the collected evidence on the image that is created; document
anything that you find and where you found it.
8. Analyze the evidence you have collected.
9. Report your findings to your client.
Challenges in Computer Forensics
• We will look at various challenges in network forensics, technical forensics and legal
forensics.
• Although there are well-developed forensic techniques,
cybercrime investigation is not easy. A huge amount of data is
available and searching for evidence in that enormous data is not
easy. Most of the existing tools allow anyone to change the
attributes associated with digital data.
• Cybercrime investigators often face the problem of collecting
evidence from very large groups of files. They need to use
techniques like link analysis and visualization.
• To find leads they need to use machine learning techniques
(pattern finding), using text mining or data mining techniques.
Challenges in network forensics
• Networks span multiple time zones and multiple jurisdictions; ensure that all
jurisdictions collaborate.
• Network data will be available offline and online (real-time)
• Real-time data requires the ability to capture and analyze data on the fly
• The data may involve different protocols and the data may be huge due to
increasing bandwidth
• A protocol might also involve multiple layers of signal (VoIP, HTTP tunneling)
• Current forensic tools will not be able to handle real-time data and huge amounts
of data; techniques are required for rapidly tracing a computer criminal’s
network activities
There needs to be a paradigm shift in network forensics techniques to analyze
real-time data and huge amounts of data. The duration of a forensics investigation
may vary: some simple cases might take a few hours and complex cases may take
some years to solve.
Technical Challenges
• The two challenges faced in a digital forensic investigation are complexity and quantity.
• The complexity problem refers to the data collected being at the lowest level or in raw
format. Non-technical people will find it difficult to understand such data.
• For example: to view the contents of a directory from a file system image, tools process
the file system structure so that appropriate values are displayed.
• The data formats that represent files in a directory are too low level to identify without
the assistance of tools.
• Tools can be used to transform the data from the low-level format to a readable format.
• The quantity problem refers to the amount of data that needs to be analyzed.
• Data reduction techniques can be used to group data or remove known data.
Data reduction techniques include:
• Identifying known network packets using IDS signatures
• Identifying unknown entries during log processing
• Identifying known files using hash databases
• Sorting files by their types
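Two of the data reduction techniques listed above (removing known files via a hash database and sorting the rest by type) as an added example that is not part of the original slides. The "files" and the known-good hash set are constructed for the example; in a real case the hash set would come from a reference database such as NSRL, and typing by signature rather than by name is what exposes a file whose extension has been changed.

```python
import hashlib

# Constructed stand-ins for files recovered from a file system image (paths and
# contents are invented for the example).
SAMPLE_FILES = {
    "Windows/System32/kernel32.dll": b"MZ" + b"\x00" * 62 + b"known OS binary 1",
    "Windows/System32/notepad.exe": b"MZ" + b"\x00" * 62 + b"known OS binary 2",
    "Users/alice/report.pdf": b"%PDF-1.7\n%constructed sample\n",
    "Users/alice/photo.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF constructed sample",
    "Users/alice/notes.txt": b"meeting at 5 pm\n",
    "Users/alice/holiday.jpg": b"MZ" + b"\x00" * 62 + b"unknown binary named like an image",
    "Users/alice/archive.zip": b"PK\x03\x04 constructed sample",
}

# Constructed known-good reference set; a real one is loaded from a hash
# database (e.g. NSRL), never derived from the image under examination.
KNOWN_GOOD_SHA256 = {
    hashlib.sha256(SAMPLE_FILES["Windows/System32/kernel32.dll"]).hexdigest(),
    hashlib.sha256(SAMPLE_FILES["Windows/System32/notepad.exe"]).hexdigest(),
}

# File signatures (magic bytes) used to type a file by content, not by name.
SIGNATURES = [
    (b"MZ", "pe-executable"),
    (b"%PDF", "pdf"),
    (b"\xff\xd8\xff", "jpeg"),
    (b"PK\x03\x04", "zip"),
]
EXPECTED_EXTENSIONS = {
    "pe-executable": {"exe", "dll", "sys"},
    "pdf": {"pdf"},
    "jpeg": {"jpg", "jpeg"},
    "zip": {"zip"},
}


def file_type(data):
    for magic, name in SIGNATURES:
        if data.startswith(magic):
            return name
    return "unknown"


def reduce_known_files(files, known_hashes):
    """Drop files whose SHA-256 is in the known-good set: standard OS and
    application files that need no review. Returns the remaining files."""
    return {path: data for path, data in files.items()
            if hashlib.sha256(data).hexdigest() not in known_hashes}


def sort_by_type(files):
    """Group files by content type so that, for example, every executable can
    be reviewed together regardless of what it was named."""
    groups = {}
    for path, data in files.items():
        groups.setdefault(file_type(data), []).append(path)
    return {kind: sorted(paths) for kind, paths in groups.items()}


def extension_mismatches(files):
    """Paths whose extension disagrees with the signature: an item the
    examiner reviews first, since renaming is a cheap way to hide a file."""
    flagged = []
    for path, data in files.items():
        kind = file_type(data)
        ext = path.rsplit(".", 1)[-1].lower() if "." in path else ""
        if kind in EXPECTED_EXTENSIONS and ext not in EXPECTED_EXTENSIONS[kind]:
            flagged.append(path)
    return sorted(flagged)


if __name__ == "__main__":
    remaining = reduce_known_files(SAMPLE_FILES, KNOWN_GOOD_SHA256)
    print(f"{len(SAMPLE_FILES)} files on image, {len(remaining)} left after hash filtering")
    for kind, paths in sort_by_type(remaining).items():
        print(kind, paths)
    print("extension/signature mismatches:", extension_mismatches(remaining))
```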
Legal challenges
• Digital evidence can be tampered with easily,
sometimes even without any traces. It is common
for modern computers to have multiple-gigabyte-
sized disks.
• There is also the problem of finding relevant
evidence within massive amounts of data, which is
a daunting task.
• The real legal challenges involve the artificial
limitations imposed by constitutional, statutory
and procedural issues.
• There are many types of personnel involved in digital/computer
forensics, like a) technicians, b) policy makers, and c) professionals.
• Technicians have sound knowledge and skills to gather information
from digital devices, and understand software and hardware as well as
networks, the various types of OS, and the forensic products (software
and hardware) available in the market. In addition, professional
training is a must to enter this domain.
• Policy makers establish forensics policies that reflect broad
considerations. Policy makers focus on the big picture, but they must
be familiar with computing and forensics also.
• Professionals are the link between policy and execution: they have
extensive technical skills as well as a good understanding of the legal
procedures.
Skills for digital forensics professionals are the following:
– Identify relevant electronic devices associated with violations of specific
laws;
– Identify the cause necessary to obtain a search warrant and recognize the
limits of the warrant;
– Locate and recover electronic devices from computer systems using
tools;
– Recognize and maintain the chain of custody;
– Follow a documented forensics investigation process.
• Detection and recovery is the heart of computer forensics. This is the aspect which matters in the legal
presentation of a cybercrime case in the court.
• The goal of detection and recovery is to recognize the digital objects that may contain
information about the incident and document them.
• By “forensic acquisition of media” we mean the process of making a bit-for-bit copy or image
file of a piece of media, where these image files are frequently used in civil or criminal
court proceedings.
• Therefore completeness and accuracy of the acquisition process are required.
• The source of the evidence must remain intact and not get altered by attackers or by normal
processes.
• Technical persons involved in digital forensics/computer forensics need simple technical
skills such as understanding the various kinds of filesystems, system software, data
organization and specific OSs.
• The legal professionals need to understand the working of the court system, the legislation,
laws (for cybercrime) and the investigative process and the evidential value of the
electronic artifacts recovered/seized as potential evidence to be presented in court while
putting up the case.
Forensics Auditing
• Forensics auditing is also known as forensic
accounting.
• Forensics auditing includes the steps needed to
detect and deter fraud.
• A forensics auditor makes use of the latest
technology to examine financial documents and
investigate white-collar crimes like fraud, identity
theft, securities fraud, insider trading, etc.
• Forensic accounting is a specialized form of
accounting; it uses 1. accounting, 2. auditing and
3. investigative techniques.
• Forensics auditors are responsible for
detecting fraud, identifying the individuals
involved, collecting evidence, presenting the
evidence in criminal proceedings, etc.
• Forensic auditors can work in both small and
large organizations like insurance companies,
banks, courts, government departments or
agencies and law firms.
Common forensic auditing techniques include:
• Data Analysis: forensic auditors use data analysis tools and techniques to examine large
volumes of financial data for patterns that may indicate fraudulent activity.
• Interviews and Interrogations: forensic auditors may conduct interviews with employees,
management, or other individuals to gather information.
• Document Examination: forensic auditors review financial documents such as invoices,
receipts, bank statements, and contracts to identify any discrepancies or irregularities that
may indicate fraud.
• Surveillance: in some cases, forensic auditors may conduct surveillance to observe
individuals or activities that are suspected of being involved in fraudulent activities.
• Financial Statement Analysis: forensic auditors analyze financial statements to assess the accuracy and
completeness of the information presented and to identify any potential red flags or
inconsistencies.
• Forensic Technology: forensic auditors use specialized technology tools and software to aid
in the investigation and analysis of financial data.
• Tracing Assets: forensic auditors may trace the flow of funds or assets through various
accounts and transactions to identify any fraudulent activities.
• Expert Witness Testimony: forensic auditors may provide expert witness testimony in legal
proceedings to explain their findings and opinions related to financial fraud or misconduct.
These are just a few of the techniques that forensic auditors use to investigate financial fraud
and misconduct. The specific techniques used in a forensic audit will vary depending on the
nature of the investigation and the specific circumstances of the case.
