With the growing use of computers in every aspect of business, the role of auditors in banking and other corporate environments has undergone a sea change.

In the manual era, the auditor was required to look at the accuracy of the accounting; the auditor's main role was therefore to certify the "accuracy" of financial information. With the use of computers, the arithmetical accuracy of figures is no longer the auditor's prime concern. However, because computers work on the GIGO (garbage in, garbage out) principle, the accuracy of data input still has to be checked, and the "Accuracy Audit" therefore remains the first priority of auditors.

The second most important audit objective has been to check the "compliance" of the work with a given benchmark, which may be the manual of the controlling office, the requirements of taxation law or the corporate governance requirements. The "Compliance Audit" remains important today, though its scope is gradually expanding as more and more legal requirements are foisted on the "Accounting Auditors".

Recognizing the risks that affect both accuracy and compliance, it is now accepted that an Information Security Audit, undertaken to identify the risks in an organization and the measures taken to control them, has also become an important function of audit. However, since effective audit of information security is often beyond the scope of the financial auditors, it is usually handled by "EDP Auditors" or auditors specially qualified for the purpose, say with CISA certification. For auditors whose primary concern is financial accuracy, IS audit is still an alien subject, and the expertise available for the purpose is still scarce.

Under these circumstances, a need has been felt for specialized "Fraud Auditors" whose primary focus is to identify and analyse "fraud risks" in a computerized accounting environment. Such a fraud audit, undertaken by "Certified Fraud Examiners", needs a different approach to audit, which can be referred to as "Forensic Audit".

The principle of "Forensic Audit" is that the data presented by the unit being audited may well have been manipulated, and that any audit of such data, to be credible, has to be based on a forensic examination of the data to identify manipulation.

Forensic audit requires "data analysis tools" that work on the data submitted for audit and extract deleted or altered data. If manipulation is detected in the process, it is also the auditor's responsibility to capture the evidence of fraud and present it in a manner that would stand in a court of law. Otherwise, an auditor who accuses a person of a fraud that cannot be proved, and the company that takes action against the accused on that basis, may be liable to a defamation suit by the accused.

There are some "network based concurrent audit tools" which connect to the network and observe transactions without interrupting the ongoing work on the computer. However, these depend on connectivity, and they cannot always extract and preserve as evidence data that has been deleted or overwritten.

Forensic Quality Data Capture

In most incidents of suspected fraud investigated by internal auditors, it becomes necessary to analyze the suspect's hard disk in detail.

The practical problem in most such cases is that if the auditor takes over the computer immediately, it may seriously disrupt the operations of the enterprise.

It therefore becomes necessary for the auditor to make a "copy" of the original "evidence" and carry on the investigation on the copy. The question then arises: if the auditor stumbles upon some evidence while examining the copy and then comes back to seize the original hard disk, the original may by then no longer contain the evidence unearthed during the investigation.

Even assuming that the original hard disk itself had been taken over and the investigation had unearthed some evidence, the accused could charge that the evidence was in the custody of the auditor and could have been tampered with.

It is therefore absolutely essential for the investigator to preserve the original evidence and, at the same time, to subject it to any type of analysis required without disrupting the regular user of the system and the hard disk.

The device required for this purpose is one which makes one or more "bit image" copies of the suspect hard disk in the presence of the asset owner; the copies can later be used for invasive analysis without jeopardizing the evidentiary value of the data. A bit image copies every sector of the disk, used or unused, so deleted data in unallocated space travels with the copy; a file-level copy does not carry it.

For this purpose it is also necessary to compute a "hash code" of the original being copied, so that the duplicates can be proved to contain exactly the data found in the original and any analytical result obtained from a duplicate is acceptable against the original as well. The hash of each copy should be computed independently and compared with the hash of the original; a mismatch means the copy must be discarded and the imaging repeated.
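The capture and verification step described above, as an added example that is not part of the original article and not ICS's own software: a Python script that copies a drive byte for byte, hashes the source as it is read (MD5 and SHA1, the two algorithms the page names), re-hashes the finished clone independently, and writes the certificate that the system owner and the investigator would sign. The same verify_clone() check is what a receiving audit unit would run before any analysis. The sample "drive" is a constructed file; on a real acquisition the source would be a block device such as /dev/sdb opened read-only behind a write blocker, and the device path, size and party names are assumptions.

```python
"""Added example: forensic capture of a drive as a bit-for-bit image with
MD5 and SHA-1 hashes recorded in a certificate, then verification of a clone
against that certificate. Standard library only."""
import hashlib
import json
import os
import tempfile
import time

CHUNK = 1 << 20  # 1 MiB reads: hashing is streamed, so a large drive never sits in memory


def hash_file(path):
    """MD5 and SHA-1 of a file or block device, computed in a single pass."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            md5.update(block)
            sha1.update(block)
    return {"md5": md5.hexdigest(), "sha1": sha1.hexdigest()}


def image_drive(source, clone, owner, investigator):
    """Copy `source` (a raw block device behind a write blocker, or here a file
    standing in for one) byte for byte to `clone`.

    The source is hashed while it is read, so the certificate records what the
    original contained at the moment of capture; the clone is then re-read and
    hashed separately, so a bad write is caught before anyone relies on it."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    size = 0
    with open(source, "rb") as src, open(clone, "wb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            md5.update(block)
            sha1.update(block)
            dst.write(block)
            size += len(block)
    acquired = {"md5": md5.hexdigest(), "sha1": sha1.hexdigest()}
    if hash_file(clone) != acquired:
        raise IOError("clone does not match source; re-image before proceeding")
    return {
        "source": source,
        "size_bytes": size,
        "md5": acquired["md5"],
        "sha1": acquired["sha1"],
        "captured_utc": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
        "attested_by": [owner, investigator],  # both parties sign the printed copy
    }


def verify_clone(clone, certificate):
    """Recompute the clone's hashes and compare them with the certificate.
    Returns (ok, mismatches); run this on receipt and before any analysis."""
    actual = hash_file(clone)
    mismatches = {k: (certificate[k], actual[k])
                  for k in ("md5", "sha1") if certificate[k] != actual[k]}
    return (not mismatches, mismatches)


def demo():
    """Constructed sample: a ~3 MB 'drive' with recognisable content is imaged
    and verified, then altered by one byte to show the check failing."""
    work = tempfile.mkdtemp()
    source = os.path.join(work, "suspect.img")   # assumed path, stands in for /dev/sdb
    clone = os.path.join(work, "evidence.img")
    with open(source, "wb") as f:
        f.write(b"LEDGER 2004-03-31 DR 45000.00 " * 100000)  # constructed sample data
        f.write(b"\x00" * 4096)                                # unallocated space
    cert = image_drive(source, clone, "Branch Manager", "Investigator")
    ok_before, _ = verify_clone(clone, cert)
    with open(clone, "r+b") as f:                              # simulate later tampering
        f.seek(1234)
        f.write(b"X")
    ok_after, mismatches = verify_clone(clone, cert)
    return ok_before, ok_after, sorted(mismatches), cert


if __name__ == "__main__":
    before, after, bad, cert = demo()
    print(json.dumps(cert, indent=2))
    print("clone verifies:", before, "| after one-byte change:", after, bad)
```

Computing both digests in the same pass costs nothing beyond a single hash, and a certificate that carries both does not rest on one algorithm alone. The one-byte change in demo() stands for any later alteration of the clone: both digests stop matching the certificate and the copy is rejected rather than analysed.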

Intelligent Computer Solutions (ICS), a company based in the USA, manufactures tools that fit the requirements of law enforcement authorities.

ICS has developed hard drive duplication technology (patented under US patent no. C,131,141) that is in use by law enforcement agencies in several countries and by commercial enterprises including companies such as Intel. These devices are now available in India for the first time.

The two key products offered by ICS are the Image MASSter Solo 2 Forensic unit (Solo2) and the LinkMASSter.

Solo2 is a handheld hard drive duplication device made for seizing data from computer disk drives. Image capture can be performed from a suspect's drive to another hard drive at duplication speeds in excess of 1.8 GB/min.

It is powered by the company's patented Image MASSter technology and provides MD5 and SHA1 hashing (approved under ITA-2000) for data integrity checking. On completion of copying the suspect disk to an evidence disk, a report can be generated along with the hash code; the report can be jointly authenticated by the system owner and the investigator to avoid any dispute about the integrity of the data transfer.

Since the copying is a "bit image" copy process, the evidence disk can be analysed with data recovery tools to recover deleted information. Multiple clones can be generated so that different investigators can work simultaneously on the copies, all of which are legally acceptable clones of the original provided each one's hash matches the hash recorded for the original.

Solo2 is connected directly to the suspect drive. To prevent accidental writing to the suspect drive, an accessory called "Drive Lock" (a write blocker) is placed between the suspect disk and Solo2.

The LinkMASSter is a data acquisition kit made for seizing data from computers that cannot be opened in the field; it is ideally suited to acquiring data from a laptop. It can perform high-speed data transfer (up to 3.5 GB per minute) from a suspect hard disk drive through the computer's USB/FireWire port, and it supports MD5 and SHA1 hashing during and after the acquisition. A bootable CD is supplied to boot the suspect's computer and run the LinkMASSter acquisition program, so that the computer's own operating system is never started during acquisition.

Both devices capture data from the suspect's hard drive in Single Capture mode and in Multi Capture mode (which captures more than one source drive to a single evidence drive).

Additionally, there are desktop models of disk duplicators which enable the creation of multiple evidence disks that can be sent for forensic analysis to different labs.

These devices are the primary hardware requirements for data capture and disk duplication, and they have been forensically tested and industrially accepted as reliable for judicial evidence.

Once data has been captured using these devices, with a certificate recording the hash code at the time of seizure, the data can be subjected to analysis using standard software such as ACL or IDEA.

There are also data analysis tools such as "EnCase" or "Cyber Check" which are capable of "un-deleting" deleted files, reading hidden files, recovering passwords, searching through a mass of data for key words and so on; these can be used on the copied disk.
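Why a bit image, rather than a file-level copy, is the right artefact for the un-deleting and keyword searching just described, as an added example that is not taken from EnCase, Cyber Check or the original article. It builds a constructed toy disk layout (a small directory table followed by a data area; not any real file system) in which the branch has altered one transaction amount in the live ledger and deleted the earlier version of the file. A logical view, which is all a printout or a file copy would give the auditor, shows only the live file; scanning every byte of the image recovers the deleted entry and the earlier amount. The ledger record format and the file names are assumptions.

```python
"""Added example: deleted and altered records survive in a bit image of the
disk even though a logical (file-level) view no longer shows them."""
import re
import struct

# Constructed toy disk layout (not a real file system): a directory of 32-byte
# entries in the first 512 bytes, then a data area. Each entry holds the file
# name, the offset and length of its data and a flag (1 = live, 0 = deleted).
ENTRY = struct.Struct(">16sIIB7x")
DIR_SIZE = 512
IMAGE_SIZE = 8192

# Assumed ledger record format: "TXN <id> <date> <CR|DR> <amount>"
RECORD = re.compile(rb"TXN (\d{6}) \d{4}-\d{2}-\d{2} (CR|DR) (\d+\.\d{2})")


def make_image(files):
    """Build the toy disk from (name, data, live) triples. Deleting a file in this
    layout, as in most real file systems, only clears the flag: the bytes stay."""
    img = bytearray(IMAGE_SIZE)
    pos = DIR_SIZE
    for i, (name, data, live) in enumerate(files):
        img[pos:pos + len(data)] = data
        ENTRY.pack_into(img, i * ENTRY.size, name.encode(), pos, len(data), int(live))
        pos += len(data)
    return bytes(img)


def _entries(img):
    """Walk the directory table, yielding (name, data, live) for each used slot."""
    for i in range(DIR_SIZE // ENTRY.size):
        name, off, length, live = ENTRY.unpack_from(img, i * ENTRY.size)
        name = name.rstrip(b"\0").decode()
        if name:
            yield name, img[off:off + length], bool(live)


def logical_files(img):
    """What a file copy, a printout or a screen shows: live files only."""
    return {name: data for name, data, live in _entries(img) if live}


def deleted_files(img):
    """'Un-delete': entries flagged deleted whose data is still in place."""
    return {name: data for name, data, live in _entries(img) if not live}


def carve_records(img):
    """Pattern search over every byte of the image, allocated or not."""
    return [(m.group(1).decode(), m.group(3).decode()) for m in RECORD.finditer(img)]


def find_altered(img):
    """Transaction ids that appear with more than one amount: an edited record
    whose previous version still survives somewhere on the disk."""
    amounts = {}
    for txn, amount in carve_records(img):
        amounts.setdefault(txn, set()).add(amount)
    return {txn: sorted(a) for txn, a in amounts.items() if len(a) > 1}


def demo():
    """Constructed scenario: the amount of TXN 000101 was changed from 45000.00
    to 4500.00 in the live ledger; the earlier file was deleted, not overwritten."""
    old = (b"TXN 000101 2004-03-02 DR 45000.00\n"
           b"TXN 000102 2004-03-02 CR 12000.00\n")
    new = (b"TXN 000101 2004-03-02 DR 4500.00\n"
           b"TXN 000102 2004-03-02 CR 12000.00\n")
    img = make_image([("ledger.old", old, False), ("ledger.txt", new, True)])
    return sorted(logical_files(img)), sorted(deleted_files(img)), find_altered(img)


if __name__ == "__main__":
    live, deleted, altered = demo()
    print("live files:", live)                     # ['ledger.txt']
    print("recoverable deleted files:", deleted)   # ['ledger.old']
    print("altered transactions:", altered)        # {'000101': ['4500.00', '45000.00']}
```

The same two-step idea applies to real images: a file-system parser gives the logical view, and a byte-level scan of the whole evidence disk (the carving and keyword search the tools above perform) finds what the logical view has lost. Only the bit image produced at capture time contains the unallocated bytes that make the second step possible.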

Auditors who conduct forensic or fraud audits need to use these tools so that evidence located during such audits is preserved for further legal action. Not using such tools may result in the fraud charges being dismissed in court, leading to the accused filing a counter suit for defamation against the company.

Forensic Audit System in Banking, Financial and e-Government Institutions

Sensitive records in banks, financial institutions and government are today mostly in the form of electronic documents. Audit of such institutions is therefore entirely dependent on the computerized records.

Auditing the printouts and computer screens as presented by the branch management, which is the standard practice today, is logically ineffective against frauds committed by the branch staff themselves, since the data being audited may have been manipulated. In these records, deletions and interlineations do not show up as they would in a manual record and are therefore not available as audit alerts.

These records can also raise the objection of "invalid self-incriminating evidence" when a criminal prosecution is to be launched on the basis of evidence produced by the accused, who may himself be the branch manager or the system administrator.

The system therefore needs a modified approach, suggested below, based on the use of some tools. This is ideal for banks which maintain branch-level servers, and for any other institution with a similar IT setup. A modified system can also be structured for institutions which run on central server based systems over a dedicated network or the Internet.

The following audit system is suggested for Indian banks and similar institutions using a client-server model of software at the branch level.

1. Each branch will be provided with an "Audit Assistance Tool" with which it can send a "forensic quality hard disk clone" of the database server every month to the central audit unit of the institution, in the form of a "Monthly Return".

2. The hard disk will be accompanied by a certificate indicating the "hash value" of the disk (MD5, legally accepted in India under ITA-2000), signed by the branch manager and the system administrator as per an approved procedure.

3. Alternatively, the inspection department will organize a "roving data collector" who is equipped with the "Mobile Audit Assistance Tool" and will collect the necessary disk copy in his presence, under the authentication of the branch authorities.

4. The disk will be sent securely to the central audit unit, which will be equipped with a set of data analysis tools capable of undertaking normal audit as well as fraud audit. On receipt, the unit should recompute the hash of the disk and compare it with the certificate before any analysis begins, so that damage or alteration in transit is detected rather than audited.

5. After analysis, the disk will be wiped clean and recycled.

The above system not only enables the auditor to look for fraudulent file erasures and modifications but also drastically cuts down the time senior auditors spend at the branch location.


April 7, 2004


