Fast, Free, and Traceless Computer Forensics


(Accounting professor Conan C. Albrecht, Ph.D., teaches an ACFE course, “Advanced Computer-Aided Fraud Prevention & Detection” with W. Michael Kramer, J.D., CFE. Albrecht says one of the participants' favorite sections of the course is the discussion on the free computer forensic program, Knoppix. – ed.)

Sophisticated computer forensics programs could be a bit pricey for your examinations. Knoppix, a free offspring of the open-source Linux operating system, may be just what you need.  

Sam the fraud examiner receives a tip during a routine audit that John, a purchasing manager, has been taking bribes from a preferred customer. Sam needs to look on John's office computer but John has installed software that logs all system activities, and he regularly changes his password to prevent others from accessing his computer.

But Sam has a secret weapon. With permission from the company's legal counsel, he enters John's office one night after work, slips a CD into John's computer, and pushes the “on” button. Soon Sam is able to view and extract spreadsheets, database information, and email correspondence, and John will never know because Windows never boots. What's on that CD Sam put into John's computer? It's “Knoppix” – a free forensic analysis tool that you can download from a Web site.

Recent large corporate frauds and ensuing legislation have pushed fraud examiners, accountants, and law enforcement to acquire computer forensic skills. The high price of sophisticated computer forensics programs can leave many professionals without sufficient tools to complete their work. Fortunately, the “open-source” community has provided many tools – such as Knoppix – that make complex forensic analysis possible at almost no cost.

The Knoppix software, when loaded into a CD drive, allows investigators to access suspect computers without leaving digital footprints. All files are accessed in read-only mode, bypassing most Windows passwords, and allowing unhindered access to suspects' systems. Also, Knoppix requires no installation and includes scores of forensic tools and applications that can be used to analyze a computer.

In the opening case, fraudster John's thoughtfully selected passwords are useless when Sam uses Knoppix because Windows never has a chance to prompt Sam for them. Even though Sam can read John's files, John's disk timestamps are not updated because the disk is accessed in read-only mode. Sam transfers the relevant files to his 512 MB USB keychain drive, shuts down John's computer and leaves. The entire process takes about two hours. Except for Sam's possible fingerprints, John's computer is exactly as it was when Sam entered the office.

For full access to story, members may sign in here.

Not a member? Click here to Join Now and access the full article.