IS AUDITING GUIDELINE
COMPUTER FORENSICS
DOCUMENT G28
Introduction—The specialised nature of information systems (IS) auditing and the skills necessary to perform such audits require standards that apply specifically to IS auditing. One of the goals of the Information Systems Audit and Control Association (ISACA) is to advance globally applicable standards to meet its vision. The development and dissemination of the IS Auditing Standards are a cornerstone of the ISACA professional contribution to the audit community.

Objectives—The objectives of the ISACA IS Auditing Standards are to inform:
- IS auditors of the minimum level of acceptable performance required to meet the professional responsibilities set out in the ISACA Code of Professional Ethics for IS auditors
- Management and other interested parties of the profession’s expectations concerning the work of practitioners

The objective of the IS Auditing Guidelines is to provide further information on how to comply with the IS Auditing Standards.

Scope and Authority of IS Auditing Standards—The framework for the IS Auditing Standards provides multiple levels of guidance:
- Standards define mandatory requirements for IS auditing and reporting.
- Guidelines provide guidance in applying the IS Auditing Standards. The IS auditor should consider them in determining how to achieve implementation of the standards, use professional judgment in their application and be prepared to justify any departure.
- Procedures provide examples of procedures an IS auditor might follow in an audit engagement. Procedures should not be considered inclusive of any proper procedures and tests or exclusive of other procedures and tests that are reasonably directed to obtain the same results. In determining the appropriateness of any specific procedure, group of procedures or test, the IS auditor should apply their own professional judgment to the specific circumstances presented by the particular information systems or technology environment. The procedure documents provide information on how to meet the standards when performing IS auditing work, but do not set requirements.

The words audit and review are used interchangeably. A full glossary of terms can be found on the ISACA web site at www.isaca.org/glossary.

Holders of the Certified Information Systems Auditor (CISA®) designation are to comply with the IS Auditing Standards adopted by ISACA. Failure to comply with these standards may result in an investigation into the CISA holder’s conduct by the ISACA Board of Directors or appropriate ISACA committee and, ultimately, in disciplinary action.

Development of Standards, Guidelines and Procedures—The ISACA Standards Board is committed to wide consultation in the preparation of the IS Auditing Standards, Guidelines and Procedures. Prior to issuing any documents, the Standards Board issues exposure drafts internationally for general public comment. The Standards Board also seeks out those with a special expertise or interest in the topic under consideration for consultation where necessary. The following COBIT resources should be used as a source of best practice guidance:
- Control Objectives—High-level and detailed generic statements of minimum good control
- Control Practices—Practical rationales and “how to implement” guidance for the control objectives
- Audit Guidelines—Guidance for each control area on how to obtain an understanding, evaluate each control, assess compliance and substantiate the risk of controls not being met
- Management Guidelines—Guidance on how to assess and improve IT process performance, using maturity models, metrics and critical success factors

Each of these is organised by IT management process, as defined in the COBIT Framework. COBIT is intended for use by business and IT management as well as IS auditors. Its use supports the understanding of business objectives and the communication of best practices and recommendations around a commonly understood and well-respected standard reference.

The Standards Board has an ongoing development programme and welcomes the input of ISACA members and other interested parties to help identify emerging issues requiring new standards. Any suggestions should be e-mailed ([email protected]), faxed (+1.847.253.1443) or mailed (address provided at the end of this document) to ISACA International Headquarters, for the attention of the director of research standards and academic relations.

This material was issued on 1 July 2004.

INFORMATION SYSTEMS AUDIT AND CONTROL ASSOCIATION
2003-2004 STANDARDS BOARD
- Chair: Claudio Cilli, CISA, CISM, Ph.D., CIA, CISSP, Value Partners, Italy
- Svein Aldal, Scandinavian Business Security AS, Norway
- Sergio Fleginsky, CISA, PricewaterhouseCoopers, Uruguay
- Christina Ledesma, CISA, CISM, Citibank NA Sucursal, Uruguay
- Andrew MacLeod, CISA, FCPA, MACS, PCP, CIA, Brisbane City Council, Australia
- Ravi Muthukrishnan, CISA, FCA, ISCA, NextLinx India Private Ltd., India
- Peter Niblett, CISA, CA, CIA, FCPA, WHK Day Neilson, Australia
- John G. Ott, CISA, CPA, Aetna Inc., USA
1.
BACKGROUND
1.1 Linkage to ISACA Standards
1.1.1 Standard S3 Professional Ethics and Standards states, “The IS auditor should adhere to the ISACA Code of Professional Ethics in conducting audit assignments.”
1.1.2 Standard S3 Professional Ethics and Standards states, “The IS auditor should exercise due professional care, including observance of applicable professional auditing standards, in conducting the audit assignments.”
1.1.3 Standard S4 Professional Competence states, “The IS auditor should be professionally competent, having the skills and knowledge necessary to conduct the audit assignment.”
1.1.4 Standard S5 Planning states, “The IS auditor should plan the information systems audit coverage to address the audit objectives and to comply with applicable laws and professional auditing standards.”
1.1.5 Standard S6 Performance of Audit Work states, “During the course of audit, the IS auditor should obtain sufficient, reliable and relevant evidence to achieve the audit objectives. The audit findings and conclusions are to be supported by appropriate analysis and interpretation of this evidence.”
1.2 Linkage to COBIT
1.2.1 The COBIT Framework states, “It is management's responsibility to safeguard all the assets of the enterprise. To discharge this responsibility, as well as to achieve its expectations, management should establish an adequate system of internal control.”
1.2.2 COBIT Management Guidelines provides a management-oriented framework for continuous and proactive control self-assessment specifically focused on:
- Performance measurement—How well is the IT function supporting business requirements?
- IT control profiling—What IT processes are important? What are the critical success factors for control?
- Awareness—What are the risks of not achieving the objectives?
- Benchmarking—What do others do? How can results be measured and compared?
1.2.3 Management Guidelines provides example metrics enabling assessment of IT performance in business terms. The key goal indicators identify and measure outcomes of IT processes, and the key performance indicators assess how well the processes are performing by measuring the enablers of the process. Maturity models and maturity attributes provide for capability assessments and benchmarking, helping management to measure control capability and to identify control gaps and strategies for improvement.
1.2.4 Management Guidelines can be used to support self-assessment workshops, and it can also be used to support the implementation by management of continuous monitoring and improvement procedures as part of an IT governance scheme.
1.2.5 COBIT provides a detailed set of controls and control techniques for the information systems management environment. Selection of the most relevant material in COBIT applicable to the scope of the particular audit is based on the choice of specific COBIT IT processes, control objectives, associated management control practices and consideration of relevant COBIT information criteria.
1.2.6 Refer to the COBIT reference located in the appendix of this document for the specific objectives or processes of COBIT that should be considered when reviewing the area addressed by this guidance.
1.3 Need for Guideline
1.3.1 The IS auditor is often requested to advise on frauds or irregularities committed using computer or telecommunication systems (computer crime) and to check the organisation's compliance with computer-related laws or regulations. A basic understanding of computer forensics is necessary to help the organisation detect or prevent such irregularities. This document is intended to assist the IS auditor in achieving this purpose.
1.3.2 The foremost aim of computer forensics is to establish the truth behind a particular situation by immediately capturing data to identify an attacker and establish proof for criminal proceedings to aid law enforcement. It also aids the organisation in protecting the information assets from future attacks and in gaining an understanding about an attacker and attacks. The main characteristics are:
- Emphasise the need to respond immediately, or evidence will be lost or tampered with.
- Capture and preserve data as close to the breach as possible.
- Forensically preserve evidence for potential admission in court.
- Use a minimally invasive data capture process without disruption to business operations.
- Identify an attacker and establish proof.
1.3.3 During the conduct of a computer investigation, it is critical that confidentiality is maintained and integrity is established for data and information gathered, and that they are made available to appropriate authorities only. The IS auditor will play a crucial role in such instances and may help the organisation by indicating whether legal advice is advisable and which technical aspects of the IS environment need appropriate investigation. There may be instances where the IS auditor is given information about a suspected irregularity or illegal act and is requested to use data analysis capabilities to gather further information.
1.3.4 Computer forensics has been applied in a number of areas including, but not limited to, fraud, espionage, murder, blackmail, computer misuse, technology abuse, libel, malicious mails, information leakage, theft of intellectual property, pornography, spamming, hacking and illegal transfer of funds. Computer forensics involves the detailed analysis of events in cyberspace and the collection of evidence. This guideline briefly describes the elements of computer forensics with the aim of aiding the IS auditor in considering such aspects warranted by a situation during the conduct of the assignment. The IS auditor should also communicate the need for computer forensics for internal investigations, which make up a large percentage of forensic investigations (vs. external attacks):
- Whistle-blower complaints
- HR investigations
- Fraud investigations
- Compliance investigations—enforce compliance with various legal mandates and industry guidelines (e.g., Sarbanes-Oxley, NIST, FISMA)
Computer Forensics Guideline Page 2
1.3.5 This guideline provides guidance in applying IS auditing standards S3 Professional Ethics and Standards, S4 Professional Competence, S5 Planning and S6 Performance of Audit Work while conducting a computer forensic review. The IS auditor should consider it in determining how to achieve implementation of the above standards, use professional judgment in its application and be prepared to justify any departure.
1.4 Guideline Application
1.4.1 When applying this guideline, the IS auditor should consider its guidance in relation to other relevant ISACA guidelines.
1.4.2 The IS auditor should consult and apply jurisdictional legal investigation guidelines, if applicable, during a computer forensic engagement.
2.
DEFINITIONS
2.1 Computer Forensics
2.1.1 Computer forensics can be defined as the process of extracting information and data from computer storage media using court-validated tools and technology and proven forensic best practices to establish its accuracy and reliability for the purpose of reporting on the same as evidence. The challenge to computer forensics is actually finding this data, collecting it, preserving it and presenting it in a readable manner that is acceptable in a court of law.
2.1.2 Computer forensics primarily involves exploration and application of scientifically proven methods to gather, process, interpret and utilise digital evidence to support an assertion, such as:
- Provide a conclusive investigation of all activities for the purpose of complete attack verification and enterprise and critical infrastructure information restoration
- Correlate, interpret and predict adversarial actions and their effect on planned operations
- Make digital data suitable and persuasive for introduction into a criminal investigative process
2.1.3 Computer forensics is a science as well as an art for extracting and gathering data from a computer to determine if and how an abuse or intrusion has occurred, when it occurred and who the intruder was.
2.1.4 Organisations that employ good security practices and maintain appropriate logs are able to achieve the objectives easily. However, with the right knowledge and tools, forensic evidence can be extracted even from burned, water-logged or physically damaged computer systems.
3.
AUDIT CHARTER
3.1 Assignment Mandate
3.1.1 Prior to commencement of the assignment pertaining to computer forensics, the IS auditor should require a clear, written mandate from the appropriate authority to conduct the assignment. The mandate should specify the responsibilities, authority and limitations of the assignment and ensure independence of the IS auditor in carrying out the assignment.
3.1.2 It should also make it clear that the auditor is acting with lawful authority to access the systems and data concerned.
3.1.3 The mandate should also specify the scope and responsibilities where an external expert is utilised by the IS auditor to carry out the assignment.
4.
INDEPENDENCE
4.1 Considerations of Independence
4.1.1 Prior to commencing the assignment pertaining to computer forensics, the IS auditor should provide reasonable assurance that there are no possible conflicts of interest.
4.1.2 Where a computer forensic assignment has been initiated by government, a statutory body or any authority under a law, the IS auditor must clearly communicate the independence and authority to perform the task, maintain confidentiality on information acquired, be unbiased and submit a report to the appropriate authorities.
5.
AUDIT CONSIDERATIONS
5.1 Judicial Validity of an Electronic Transaction
5.1.1 To be considered valid, a contract involving selling goods or services should be signed. For electronic contracts, this can be achieved with a digital signature. The digital signature can achieve the objective of juridical relevance as follows:
- Authentication—There is evidence of data provenance.
- Integrity—The verification process will succeed only if none of the message has been changed.
- Nonrepudiation or paternity—Each key user has the legal responsibility to protect his/her key. Therefore, he/she cannot repudiate or unilaterally modify the content of the signed document. A valid system used to protect the private key might store it in a secure personal device, such as a smart card.
- Confidentiality—To add confidentiality to a signed document, it is only necessary to encrypt it using the addressee’s public key.
5.1.2 Is it possible to deny someone’s own digital signature? Even if it would be considered admissible, the negation has no value. The other party should only have to demonstrate that the signature was valid when the contract was signed. This means that the owner must prove that his/her private key was stolen or subjected to unauthorised use before the time the contract was signed. A digital signature authenticated by a notary cannot be denied.
5.2 Identification of Parties and Transaction Content
5.2.1 Only people of legal age (ordinarily 18 years old or more in most jurisdictions) have the capacity to conclude a contract. Merchants can utilise any means to prove to themselves that the other party is legally authorised to make a transaction. They can request any kind of proof and proceed to store the buyer’s data in their archives.
5.2.2 In case of error or misuse, the vendor is ultimately responsible for the proper execution of the contract. When using a digital signature system, the responsibility resides with the authority that issued the digital signature. This authority is called a certification authority (CA). If contested, the digital certificate owner should demonstrate whether the private key was stolen or misused.
5.2.3 The same considerations apply to the content of the transaction (integrity), which is preserved when using the digital signature system. Otherwise the merchant is responsible for false, incomplete, ambiguous and erroneous data.
5.2.4 The merchant is always responsible for credit card fraud and privacy violations.
5.3 Location Where the Contract Is Concluded
5.3.1 The greatest problem regarding electronic commerce is determining the exact location where the contract is concluded, which determines the legal jurisdiction and the applicable laws and regulations.
5.3.2 In the absence of a specific law applicable to a contract, the only alternative is to refer it to the international jurisdiction.
5.3.3 Modern technology allows anyone to connect to his/her service provider from virtually anywhere in the world. This makes it impossible to define the exact location where the contract concludes.¹
5.3.4 The solution is the proper application of international law and the consequent application of international agreements. The most accepted approach states that:
- If the parties have chosen a specific legislation, this is the only legislation that is applicable.
- If the parties have not chosen any legislation scheme, the one with the closest relationship to the contract (i.e., residence of the service provider) or, in the case of product selling, the law of the consumer’s country is applicable.
5.3.5 In any case, it is imperative that every kind of prudence is exercised, as it is extremely difficult to determine (and prove) the location of the merchant.
5.4 Category Distinction
5.4.1 The intrinsic characteristic of informatics, regardless of the modalities of conclusion of the contract, is to qualify the acquirer as a consumer, because legislation protects the consumer in every country. For this reason, there is a distinction between business-to-business and business-to-consumer electronic commerce.
5.5 Fraud Prevention
5.5.1 The economic system is founded, on one side, on identification and nonrepudiation of proposals/acceptances and, on the other side, on making fund transfers reasonably secure both when a subject buys (which implies he/she wants to receive services or goods) and when the subject sells (which implies he/she wants to receive payment). The digital signature system appears today as the only statutory form of payment online.
5.6 Use of Credit Cards Over the Internet
5.6.1 Today, the credit card constitutes the most utilised payment instrument for transactions over the Internet. Unfortunately there are many possibilities for abuse of credit card data (such as allowing the reproduction of these data online). For example, there is a possibility that the transaction receipt could be read by someone unauthorised to do so.
5.6.2 For online transactions, it is not necessary to have a credit card, but only its data. Credit card crimes are committed simply by using card data in an unauthorised manner. There are three types of credit card crime:
- Abuse of card data
- Falsification and possession of a false credit card
- Selling or buying an illegal card
5.6.3 The illegal use of a credit card over the Internet includes any action aimed to fraudulently obtain money, goods or services using card data. A crime is committed even when the owner uses the card after its expiration.
6.
KEY ELEMENTS OF COMPUTER FORENSICS FOR AUDIT PLANNING
6.1 Data Protection
6.1.1 It is critical that measures are in place to prevent the sought information from being destroyed, corrupted or becoming unavailable.
6.1.2 It is also important to inform appropriate parties that electronic evidence will be sought through discovery from the computer systems, setting out specific protocols requiring all parties to preserve electronic evidence and not to resort to any means of destroying information.
6.1.3 Response and forensic investigation capability should be in place prior to an incident or event. This includes the infrastructure and processes for incident response and handling.
¹ The Rome Convention, 1980 European law, www.rome-convention.org/instruments/i_conv_cons_it.htm, and the Vienna Convention, an international agreement regarding import/export of goods signed in 1980, www.cisg.law.pace.edu/cisg/biblio/volken.html.
6.2 Data Acquisition
6.2.1 This involves the process of transferring information and data into a controlled location. This includes the collection of all types of electronic media, such as disk drives, tape drives, floppy disks, backup tapes, zip drives and any other types of removable media.
6.2.2 All media should be protected, with content (image) being transferred to another medium by an approved method. In addition, it is important to check that the media are virus-free and write-protected.
6.2.3 Data and information are also acquired through recorded statements of witnesses and other related parties.
6.2.4 The capture of volatile data, including open ports, open files, active processes, user logons and other data in RAM, is critical in many cases. Volatile data are transient and are lost when a computer is shut down. The capture of volatile data assists the investigators in determining what is currently happening on a system.
6.3 Imaging
6.3.1 This involves the bit-for-bit copy of seized data for the purpose of providing an indelible facsimile upon which multiple analyses may be performed without fear of damaging the original data or information.
6.3.2 Imaging is done to capture the residual data of the target drive. An image copy duplicates the disk surface sector by sector, as opposed to a file-by-file copy, which does not capture residual data. Residual data include deleted files, fragments of deleted files and other data that still exist on the disk surface. With appropriate tools, destroyed data (erased, even by reformatting the media) can also be recovered from the disk surface.
6.4 Extraction
6.4.1 This involves the identification and separation of potentially useful data from the imaged dataset. This includes the recovery of damaged, corrupted or destroyed data, or data that have been tampered with to prevent detection.
6.4.2 The entire process of imaging and extraction must meet standards of quality, integrity and reliability. This includes the software used to create the image and the media on which the image was made. A good benchmark would be whether the software is used, relied upon or authorised by law enforcement agencies. The copies and evidence must be capable of independent verification, i.e., the opponent and the court must be convinced of the accuracy and reliability of the data, and that the data are tamper-proof.
6.4.3 Extraction includes examination of many sources of data, such as system logs, firewall logs, intrusion detection system logs, audit trails and network management information.
6.5 Interrogation
6.5.1 This involves the querying of extracted data to determine if any prior indicators or relationships, such as telephone numbers, IP addresses and names of individuals, exist in the data.
6.5.2 Accurate analyses of the extracted data are essential to make recommendations and prepare appropriate grounds of evidence before the enforcement authorities.
6.6 Ingestion/Normalisation
6.6.1 This involves the transfer and storage of extracted data using appropriate techniques and in a format easily understood by investigators. This may include the conversion of hexadecimal or binary information into readable characters, conversion of data to another character set, or conversion to a format suitable for data analysis tools.
6.6.2 Possible relationships within data are extrapolated through techniques such as fusion, correlation, graphing, mapping or timelining, to develop investigative hypotheses.
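Sections 6.3 and 6.4 above explain why a sector-by-sector image is preferred over a file-by-file copy and why the copy must be independently verifiable. The following Python script is an added example, not part of the ISACA guideline; its four-sector "disk", the file names and the recorded SHA-256 acquisition hash are all constructed for illustration.

```python
"""Added example (not part of the ISACA guideline): why a sector-by-sector
image preserves residual data that a file-by-file copy loses, and how a
hash taken at acquisition lets the image be independently verified later.
The 'disk' is a constructed in-memory byte string, not a real device."""
import hashlib

SECTOR = 512

# Constructed toy volume: sectors 0-1 hold an allocated file, sector 2
# holds a file that was deleted (its directory entry is gone but the
# bytes are still on the "disk surface"), sector 3 is unused.
ALLOCATED = {"report.txt": (0, 2)}   # name -> (first sector, length in sectors)
DISK = (
    b"Quarterly report: all figures reconciled.".ljust(SECTOR, b"\x00")
    + b"Approved by finance, 2 Nov 2003.".ljust(SECTOR, b"\x00")
    + b"CONFIDENTIAL: transfer 40000 to account 8867 before audit".ljust(SECTOR, b"\x00")
    + b"\x00" * SECTOR
)


def sha256(data: bytes) -> str:
    """Hash used to fix the evidence state at acquisition time."""
    return hashlib.sha256(data).hexdigest()


def image_sector_copy(disk: bytes) -> bytes:
    """Bit-for-bit image: every sector, allocated or not."""
    return bytes(disk)  # a real tool reads the device sector by sector


def file_by_file_copy(disk: bytes, allocated: dict) -> bytes:
    """Logical copy: only the bytes the file system says belong to files."""
    out = b""
    for start, length in allocated.values():
        out += disk[start * SECTOR:(start + length) * SECTOR]
    return out


def find_residual(image: bytes, allocated: dict, needle: bytes) -> list:
    """Search only the unallocated sectors of an image for a keyword;
    returns the sector numbers where it appears."""
    used = set()
    for start, length in allocated.values():
        used.update(range(start, start + length))
    hits = []
    for n in range(len(image) // SECTOR):
        if n not in used and needle in image[n * SECTOR:(n + 1) * SECTOR]:
            hits.append(n)
    return hits


def verify_image(image: bytes, acquisition_hash: str) -> bool:
    """Independent verification: recompute and compare to the recorded hash."""
    return sha256(image) == acquisition_hash


def demo() -> dict:
    image = image_sector_copy(DISK)
    logical = file_by_file_copy(DISK, ALLOCATED)
    acq_hash = sha256(image)           # recorded on the chain-of-custody form
    tampered = bytearray(image)
    tampered[2 * SECTOR] ^= 0x01       # a single flipped bit in sector 2
    return {
        "image_has_residual": find_residual(image, ALLOCATED, b"CONFIDENTIAL"),
        "logical_has_residual": b"CONFIDENTIAL" in logical,
        "image_verifies": verify_image(image, acq_hash),
        "tampered_verifies": verify_image(bytes(tampered), acq_hash),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The deleted record is found only in the sector image, and a one-bit change to the image is enough to break the acquisition hash, which is what makes the recorded hash the basis for independent verification.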
7.
REPORTING
7.1 Acceptable to Law
7.1.1 As stated earlier, the challenge to computer forensics is finding the data, collecting it, preserving it and presenting it in a manner acceptable to a court of law.
7.1.2 The IS auditor should have complete information and clarity on the intended recipients and the purpose of the report.
7.1.3 The report should be in an appropriate form and should state the scope, objectives, nature, timing and extent of the investigation performed. The report should identify the organisation, intended recipients and restrictions on circulation (if any). The report should clearly communicate the findings, conclusions and recommendations, together with any reservations or qualifications that the IS auditor has with respect to the assignment.
7.2 Evidence
7.2.1 Electronic evidence ranges from mainframe computers and pocket-sized personal digital assistants to floppy diskettes, CDs, tapes or even the smallest electronic chip device.
7.2.2 Industry-specified best practices should be adhered to, proven tools should be utilised and due diligence should be exhibited to provide reasonable assurance that evidence is not tampered with or destroyed. Integrity, reliability and confidentiality of the evidence are absolutely necessary for arriving at a fair judgment by the law enforcement authorities. It is also critical that the evidence is produced and made available to the authorities at an appropriate time.
7.2.3 Example of tracing Internet e-mail: When an Internet e-mail message is sent, the user typically controls only the recipient line(s) (To and Bcc) and the subject line. Mail software adds the rest of the header information as it is processed. An example of an e-mail header follows:
----- Message header follows -----
(1) Return-path: <[email protected]>
(2) Received: from o199632.cc.navy.gov by nps.gov.org (5.1/SMI-5.1) id AAO979O; Fri, 7 Nov 2003 18:51:49 PST
(3) Received: from localhost by o199632.gov.org (5.1/SMI-5.1) id AA41651; Fri, 7 Nov 2003 18:50:53 PST
(4) Message-ID: <[email protected]>
(5) Date: Fri, 7 Nov 2003 18:50:53 -0800 (PST)
(6) From: "Susan Rock" <[email protected]>
(7) To: Mott Thick <[email protected]>
(8) Cc: Jokey Ram <[email protected]>
Line 1 tells recipient computers who sent the message and where to send error messages (bounces and warnings).
Lines 2 and 3 show the route the message took from sending to delivery. Each computer that receives this message adds a Received field with its complete address and time stamp; this helps in tracking delivery problems.
Line 4 is the message ID, a unique identifier for this specific message. This ID is logged and can be traced through computers on the message route if there is a need to track the mail.
Line 5 shows the date, time and time zone when the message was sent.
Line 6 tells the name and e-mail address of the message originator (the sender).
Line 7 shows the name and e-mail address of the primary recipient; the address may be for a:
- Mailing list
- System-wide alias
- Personal username
Line 8 lists the names and e-mail addresses of the courtesy copy (Cc) recipients of the message. There may be blind carbon copy (Bcc) recipients as well; these Bcc recipients get copies of the message, but their names and addresses are not visible in the headers.
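The Received fields described above can be read programmatically to reconstruct the route in chronological order and to check that the hops and time stamps agree with each other. The following Python script is an added example, not part of the ISACA guideline; the header it parses is constructed to mirror the numbered sample above, and its host names, addresses and message ID are placeholders.

```python
"""Added example (not part of the ISACA guideline): reconstructing the
route of an e-mail from its Received: fields, as the text above describes.
The header below is constructed to mirror the guideline's sample; the
host names, addresses and Message-ID are placeholders, not real systems."""
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed header modelled on the guideline's numbered example.
RAW_HEADER = """Return-path: <sender@example-sender.invalid>
Received: from mta.example-sender.invalid by mx.example-recipient.invalid (5.1/SMI-5.1)
\tid AAO979O; Fri, 7 Nov 2003 18:51:49 PST
Received: from localhost by mta.example-sender.invalid (5.1/SMI-5.1)
\tid AA41651; Fri, 7 Nov 2003 18:50:53 PST
Message-ID: <200311080250.AA41651@mta.example-sender.invalid>
Date: Fri, 7 Nov 2003 18:50:53 -0800 (PST)
From: "Susan Rock" <sender@example-sender.invalid>
To: Mott Thick <recipient@example-recipient.invalid>
Cc: Jokey Ram <cc@example-recipient.invalid>

body
"""

# "from <sending host> by <receiving host> ... ; <timestamp>"
RECEIVED_RE = re.compile(r"from\s+(\S+)\s+by\s+(\S+).*?;\s*(.+)$")


def parse_hops(raw: str) -> list:
    """Return the Received: fields in chronological order (oldest first).
    Each MTA prepends its own field, so the top of the header is the last hop."""
    msg = message_from_string(raw)
    hops = []
    for field in reversed(msg.get_all("Received", [])):
        m = RECEIVED_RE.search(" ".join(field.split()))  # unfold and normalise
        if not m:
            continue  # a field this pattern cannot read is skipped, not guessed
        sent_from, received_by, stamp = m.groups()
        hops.append({
            "from": sent_from,
            "by": received_by,
            "time": parsedate_to_datetime(stamp.strip()),
        })
    return hops


def hop_delays(hops: list) -> list:
    """Seconds between consecutive Received: stamps. A negative or very
    large gap is a flag: clocks disagree or a field was inserted later."""
    return [
        int((b["time"] - a["time"]).total_seconds())
        for a, b in zip(hops, hops[1:])
    ]


def route_consistent(hops: list) -> bool:
    """Each hop's receiving host should be the next hop's sending host."""
    return all(a["by"] == b["from"] for a, b in zip(hops, hops[1:]))


def summarise(raw: str) -> dict:
    """Pull together what lines 1 to 6 of the sample header give an investigator."""
    msg = message_from_string(raw)
    hops = parse_hops(raw)
    return {
        "message_id": msg["Message-ID"],
        "originator": msg["From"],
        "return_path": msg["Return-path"],
        "route": [h["from"] for h in hops] + [hops[-1]["by"]] if hops else [],
        "delays_s": hop_delays(hops),
        "route_consistent": route_consistent(hops),
    }


if __name__ == "__main__":
    for key, value in summarise(RAW_HEADER).items():
        print(f"{key}: {value}")
```

Because every relay prepends its own Received field, the script reads them bottom-up; the 56-second gap between the two hops and the matching host names are the kind of consistency an investigator checks before relying on the header.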
8.
EFFECTIVE DATE
8.1 This guideline is effective for all information system audits beginning on or after 1 September 2004. A full glossary of terms can be found on the ISACA web site at www.isaca.org/glossary.
APPENDIX
COBIT Reference
Selection of the most relevant material in COBIT applicable to the scope of the particular audit is based on the choice of specific COBIT IT processes and consideration of COBIT’s control objectives and associated management practices. In the review of computer forensics, the COBIT processes likely to be the most relevant are classified below as primary and secondary. The process and control objectives to be selected and adapted may vary depending on the specific scope and terms of reference of the assignment.
Primary:
- PO8—Ensure compliance with external requirements
- AI1—Identify automated solutions
- DS1—Define and manage service levels
- DS2—Manage third-party services
- DS5—Ensure systems security
- DS10—Manage problems and incidents
- DS11—Manage data
- M1—Monitor the process
- M3—Obtain independent assurance
Secondary:
- PO1—Define a strategic IT plan
- PO4—Define the IT organisation and relationships
- DS6—Identify and allocate costs
- DS12—Manage facilities
- DS13—Manage operations
- M2—Assess internal control adequacy
The information criteria most relevant to a computer forensic review are:
- Primary—Reliability, integrity and compliance
- Secondary—Confidentiality and availability

Copyright © 2004 Information Systems Audit and Control Association
3701 Algonquin Road, Suite 1010
Rolling Meadows, IL 60008 USA
Telephone: +1.847.253.1545
Fax: +1.847.253.1443
E-mail: [email protected]
Web site: www.isaca.org