Anti Virus Scan

Wednesday, 16 May 2012

Finding Fraudulent Documents Preview

Posted on 19:09 by Unknown
Anyone who looks at the topics I discuss on my blog may not easily see the kind of cases I frequently work at my day job. For the most part my blog is a reflection of my interests, the topics I’m trying to learn more about, and what I do outside of my employer. As a result, I don’t blog much about the fraud cases I support but I’m ready to share a technique I’ve been working on for some time.

Next month I’m presenting at the SANS Forensics and Incident Response Summit being held in Austin, Texas. The summit dates are June 26 and 27. I’m one of the speakers in the SANS 360 slot and the title of my talk is “Finding Fraudulent Word Documents in 360 Seconds” (here is the agenda). My talk is going to be quick and dirty, covering a technique I honed last year to find fraudulent documents. I’m writing a more detailed paper on the technique as well as a query script to automate finding these documents, but my presentation will cover the fundamentals: what I mean by fraudulent documents, types of frauds, Microsoft Word metadata, Corey’s guidelines, and the technique in action. Here’s a preview of what I hope to cover in my six minutes (subject to change once I put together the slides and figure out my timing).

What exactly are fraudulent documents? You need to look at the two words separately to see what I’m referring to. One definition of fraudulent is “engaging in fraud; deceitful”, while a definition of document is “a piece of written, printed, or electronic matter that provides information or evidence or that serves as an official record”. What I’m talking about is electronic matter that provides information or serves as an official record while engaging in fraud. In easier terms, and the way I describe it: electronic documents providing fake financial information. There are different types of fraud, which means there are different types of fraudulent documents. However, my technique is geared towards finding the electronic documents used to commit purchasing fraud and bid rigging.

There are a few different ways these frauds can be committed, but there are times when Microsoft Word documents are used to provide fake information. One example is an invoice for a product that was never purchased, used to conceal misappropriated money. As most of us know, electronic files contain metadata, and Word documents are no different. There are values within Word documents’ metadata that provide strong indicators of whether a document is questionable. I did extensive testing to determine how these values change based on different actions taken against a document (Word versions 2000, 2003, and 2007). My testing showed the changes in the metadata are consistent for a given action. For example, if a Word document is modified then specific values in the metadata change while other values remain the same.
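As an added example (not code from this post, and not the author’s guidelines, which the post deliberately withholds), the script below shows how the metadata fields referred to above can be pulled out of a .docx file and run through a few generic consistency checks. It assumes the OOXML layout: docProps/core.xml carries creator, lastModifiedBy, revision, created and modified, and docProps/app.xml carries Application and TotalTime. That covers Word 2007 and later; the binary .doc format used by Word 2000/2003 keeps equivalent fields in OLE SummaryInformation streams and needs a different reader. The heuristics in flag_inconsistencies are my own assumptions chosen for illustration, and the two sample documents are constructed in memory so the script runs offline.

```python
"""Read Word (.docx) metadata and run generic consistency checks.

Added example, not the post's code. The heuristics are assumptions
chosen for illustration, not the author's guidelines.
"""
import io
import zipfile
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# OOXML namespaces used by docProps/core.xml and docProps/app.xml
NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
    "ep": "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties",
}


def _text(root, path):
    """Return the stripped text of the first element matching path, or None."""
    el = root.find(path, NS)
    return el.text.strip() if el is not None and el.text else None


def _ts(value):
    """Parse a W3CDTF timestamp such as 2012-05-01T10:00:00Z into aware UTC."""
    if value is None:
        return None
    return datetime.fromisoformat(value.rstrip("Z")).replace(tzinfo=timezone.utc)


def read_docx_metadata(data: bytes) -> dict:
    """Extract the metadata fields from an in-memory .docx (a ZIP container)."""
    meta = {"application": None, "total_time_min": 0}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        core = ET.fromstring(z.read("docProps/core.xml"))
        meta["creator"] = _text(core, "dc:creator")
        meta["last_modified_by"] = _text(core, "cp:lastModifiedBy")
        meta["revision"] = int(_text(core, "cp:revision") or 0)
        meta["created"] = _ts(_text(core, "dcterms:created"))
        meta["modified"] = _ts(_text(core, "dcterms:modified"))
        if "docProps/app.xml" in z.namelist():
            app = ET.fromstring(z.read("docProps/app.xml"))
            meta["application"] = _text(app, "ep:Application")
            meta["total_time_min"] = int(_text(app, "ep:TotalTime") or 0)
    return meta


def flag_inconsistencies(meta: dict) -> list:
    """Assumed heuristics: relationships a normally edited file should satisfy."""
    flags = []
    created, modified = meta.get("created"), meta.get("modified")
    if created and modified:
        if modified < created:
            flags.append("modified timestamp precedes created timestamp")
        # TotalTime is editing minutes; it cannot exceed the wall-clock span
        # between creation and last save (one minute of slack for rounding).
        span_min = (modified - created).total_seconds() / 60
        if meta["total_time_min"] > span_min + 1:
            flags.append("editing time exceeds created-to-modified span")
    if meta.get("revision", 0) < 1:
        flags.append("revision counter missing or zero")
    return flags


def build_sample_docx(created, modified, revision, total_time,
                      creator="constructed-user", modifier="constructed-user") -> bytes:
    """Construct a minimal .docx-like ZIP carrying only the metadata parts."""
    core = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        f'<cp:coreProperties xmlns:cp="{NS["cp"]}" xmlns:dc="{NS["dc"]}" '
        f'xmlns:dcterms="{NS["dcterms"]}" '
        'xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">'
        f'<dc:creator>{creator}</dc:creator>'
        f'<cp:lastModifiedBy>{modifier}</cp:lastModifiedBy>'
        f'<cp:revision>{revision}</cp:revision>'
        f'<dcterms:created xsi:type="dcterms:W3CDTF">{created}</dcterms:created>'
        f'<dcterms:modified xsi:type="dcterms:W3CDTF">{modified}</dcterms:modified>'
        '</cp:coreProperties>'
    )
    app = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        f'<Properties xmlns="{NS["ep"]}">'
        '<Application>Microsoft Office Word</Application>'
        f'<TotalTime>{total_time}</TotalTime>'
        '</Properties>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("docProps/core.xml", core)
        z.writestr("docProps/app.xml", app)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed samples: one plausible edit history, one that contradicts itself.
    samples = {
        "plausible.docx": build_sample_docx("2012-05-01T10:00:00Z", "2012-05-01T11:30:00Z", 3, 45),
        "suspect.docx": build_sample_docx("2012-05-10T09:00:00Z", "2012-05-01T09:00:00Z", 2, 600),
    }
    for name, blob in samples.items():
        meta = read_docx_metadata(blob)
        print(name, meta["created"], meta["modified"], meta["revision"], meta["total_time_min"])
        for flag in flag_inconsistencies(meta):
            print("  FLAG:", flag)
```

Pointing read_docx_metadata at real files is just a matter of passing the file’s bytes; the point of the checks is to show that fields such as created, modified, revision and TotalTime move together under normal editing, so a document whose fields contradict each other is worth a closer look rather than automatically fraudulent.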

I combined what I learned from my testing with all the different fraudulent documents I’ve examined, and I noticed distinct patterns. These patterns can be leveraged to identify potentially fraudulent documents among electronic information. I’ve developed some guidelines to find these patterns in Word documents’ metadata. I’m not discussing the guidelines in this post since I’m saving them for my #DFIRSummit presentation and my paper. The last piece is tying everything together with a quick run-through of how the technique can quickly find fraudulent documents for a purchasing fraud. Something I’m hoping to include is my current work on automating the technique using a query script I’m writing and someone else’s work (I’m not mentioning who since it’s not my place).

I’m pretty excited to finally have the chance to go to my first summit, and there’s a great lineup of speakers. I was half joking on Twitter when I said it seems like the summit is the DFIR Mecca. I said half because it’s pretty amazing to see who else will be attending.


Posted in fraud, metadata
