
IS AUDITING GUIDELINE
COMPUTER FORENSICS
DOCUMENT G28

Introduction—The specialised nature of information systems (IS) auditing and the skills necessary to perform such audits require
standards that apply specifically to IS auditing. One of the goals of the Information Systems Audit and Control Association (ISACA) is to
advance globally applicable standards to meet its vision. The development and dissemination of the IS Auditing Standards are a
cornerstone of the ISACA professional contribution to the audit community.

Objectives—The objectives of the ISACA IS Auditing Standards are to inform:


IS auditors of the minimum level of acceptable performance required to meet the professional responsibilities set out in the ISACA Code
of Professional Ethics for IS auditors
Management and other interested parties of the profession’s expectations concerning the work of practitioners

The objective of the IS Auditing Guidelines is to provide further information on how to comply with the IS Auditing Standards.

Scope and Authority of IS Auditing Standards—The framework for the IS Auditing Standards provides multiple levels of guidance:
Standards define mandatory requirements for IS auditing and reporting.
Guidelines provide guidance in applying the IS Auditing Standards. The IS auditor should consider them in determining how to
achieve implementation of the standards, use professional judgment in their application and be prepared to justify any departure.
Procedures provide examples of procedures an IS auditor might follow in an audit engagement. Procedures should not be considered
inclusive of any proper procedures and tests or exclusive of other procedures and tests that are reasonably directed to obtain the same
results. In determining the appropriateness of any specific procedure, group of procedures or test, the IS auditor should apply their own
professional judgment to the specific circumstances presented by the particular information systems or technology environment. The
procedure documents provide information on how to meet the standards when performing IS auditing work, but do not set requirements.

The words audit and review are used interchangeably. A full glossary of terms can be found on the ISACA web site at
www.isaca.org/glossary.
Holders of the Certified Information Systems Auditor (CISA®) designation are to comply with the IS Auditing Standards adopted by ISACA.
Failure to comply with these standards may result in an investigation into the CISA holder’s conduct by the ISACA Board of Directors or
appropriate ISACA committee and, ultimately, in disciplinary action.

Development of Standards, Guidelines and Procedures—The ISACA Standards Board is committed to wide consultation in the
preparation of the IS Auditing Standards, Guidelines and Procedures. Prior to issuing any documents, the Standards Board issues exposure
drafts internationally for general public comment. The Standards Board also seeks out those with a special expertise or interest in the topic
under consideration for consultation where necessary.

The following COBIT resources should be used as a source of best practice guidance:
Control Objectives—High-level and detailed generic statements of minimum good control
Control Practices—Practical rationales and “how to implement” guidance for the control objectives
Audit Guidelines—Guidance for each control area on how to obtain an understanding, evaluate each control, assess compliance and
substantiate the risk of controls not being met
Management Guidelines—Guidance on how to assess and improve IT process performance, using maturity models, metrics and
critical success factors

Each of these is organised by IT management process, as defined in COBIT Framework. COBIT is intended for use by business and IT
management as well as IS auditors. Its usage enables the understanding of business objectives and for the communication of best practices
and recommendations around a commonly understood and well-respected standard reference.

The Standards Board has an ongoing development programme and welcomes the input of ISACA members and other interested parties to
help identify emerging issues requiring new standards. Any suggestions should be e-mailed (standards@isaca.org), faxed
(+1.847.253.1443) or mailed (address provided at the end of this document) to ISACA International Headquarters, for the attention of the
director of research standards and academic relations.

This material was issued on 1 July 2004.

INFORMATION SYSTEMS AUDIT AND CONTROL ASSOCIATION 2003-2004 STANDARDS BOARD


Chair, Claudio Cilli, CISA, CISM, Ph.D., CIA, CISSP Value Partners, Italy
Svein Aldal Scandinavian Business Security AS, Norway
Sergio Fleginsky, CISA PricewaterhouseCoopers, Uruguay
Christina Ledesma, CISA, CISM Citibank NA Sucursal, Uruguay
Andrew MacLeod, CISA, FCPA, MACS, PCP, CIA Brisbane City Council, Australia
Ravi Muthukrishnan, CISA, FCA, ISCA NextLinx India Private Ltd., India
Peter Niblett, CISA, CA, CIA, FCPA WHK Day Neilson, Australia
John G. Ott, CISA, CPA Aetna Inc., USA

1. BACKGROUND

1.1 Linkage to ISACA Standards


1.1.1 Standard S3 Professional Ethics and Standards states, “The IS auditor should adhere to the ISACA Code of Professional Ethics in
conducting audit assignments.”
1.1.2 Standard S3 Professional Ethics and Standards states, “The IS auditor should exercise due professional care, including
observance of applicable professional auditing standards, in conducting the audit assignments.”
1.1.3 Standard S4 Professional Competence states, "The IS auditor should be professionally competent, having the skills and
knowledge necessary to conduct the audit assignment."
1.1.4 Standard S5 Planning states, “The IS auditor should plan the information systems audit coverage to address the audit objectives
and to comply with applicable laws and professional auditing standards.”
1.1.5 Standard S6 Performance of Audit Work states, “During the course of audit, the IS auditor should obtain sufficient, reliable and
relevant evidence to achieve the audit objectives. The audit findings and conclusions are to be supported by appropriate analysis
and interpretation of this evidence.”

1.2 Linkage to COBIT


1.2.1 COBIT Framework states, "It is management's responsibility to safeguard all the assets of the enterprise. To discharge this
responsibility, as well as to achieve its expectations, management should establish an adequate system of internal control."
1.2.2 COBIT Management Guidelines provides a management-oriented framework for continuous and proactive control self-assessment
specifically focused on:
Performance measurement—How well is the IT function supporting business requirements?
IT control profiling—What IT processes are important? What are the critical success factors for control?
Awareness—What are the risks of not achieving the objectives?
Benchmarking—What do others do? How can results be measured and compared?
1.2.3 Management Guidelines provides example metrics enabling assessment of IT performance in business terms. The key goal
indicators identify and measure outcomes of IT processes and the key performance indicators assess how well the processes are
performing by measuring the enablers of the process. Maturity models and maturity attributes provide for capability assessments
and benchmarking, helping management to measure control capability and to identify control gaps and strategies for
improvement.
1.2.4 Management Guidelines can be used to support self-assessment workshops, and it can also be used to support the
implementation by management of continuous monitoring and improvement procedures as part of an IT governance scheme.
1.2.5 COBIT provides a detailed set of controls and control techniques for the information systems management environment. Selection
of the most relevant material in COBIT applicable to the scope of the particular audit is based on the choice of specific COBIT IT
processes, control objectives, associated management control practices and consideration of relevant COBIT information criteria.
1.2.6 Refer to the COBIT reference located in the appendix of this document for the specific objectives or processes of COBIT that should
be considered when reviewing the area addressed by this guidance.

1.3 Need for Guideline


1.3.1 The IS auditor is often requested to advise on frauds or irregularities made using computer or telecommunication systems
(computer crime) and to check organisation compliance with computer-related laws or regulations. A basic understanding of
computer forensics is necessary to help the organisation detect or prevent such irregularities. This document is intended to assist
the IS auditor in achieving this purpose.
1.3.2 The foremost aim of computer forensics is to establish the truth behind a particular situation by immediately capturing data to
identify an attacker and establish proof for criminal proceedings to aid law enforcement. It also aids the organisation in protecting
the information assets from future attacks and in gaining an understanding about an attacker and attacks. The main
characteristics are:
Emphasise the need to respond immediately, or evidence will be lost or tampered with.
Capture and preserve data as close to the breach as possible.
Forensically preserve evidence for potential admission in court.
Capture data in a minimally invasive manner, without disruption to business operations.
Identify an attacker and establish proof.

1.3.3 During the conduct of computer investigation, it is critical that confidentiality is maintained and integrity is established for data and
information gathered and made available to appropriate authorities only. The IS auditor will play a crucial role in such instances
and may help the organisation by indicating whether legal advice is advisable and which technical aspects of the IS environment
need appropriate investigation. There may be instances where the IS auditor is given information about a suspected
irregularity or illegal act and is requested to use data analysis capabilities to gather further information.
1.3.4 Computer forensics has been applied in a number of areas including, but not limited to, fraud, espionage, murder, blackmail,
computer misuse, technology abuse, libel, malicious mails, information leakage, theft of intellectual property, pornography,
spamming, hacking and illegal transfer of funds. Computer forensics involves the detailed analysis of events in cyberspace and
collection of evidence. This guideline briefly describes the elements of computer forensics with the aim of aiding the IS auditor in
considering such aspects as are warranted by a situation during the conduct of the assignment. The IS auditor should also
communicate the need for computer forensics in internal investigations, which make up a large percentage of forensic investigations
(vs. external attacks):
Whistle-blower complaints
HR investigations
Fraud investigations
Compliance investigations—enforce compliance with various legal mandates and industry guidelines (e.g., Sarbanes-Oxley,
NIST, FISMA)

1.3.5 This guideline provides guidance in applying IS auditing standards S3 Professional Ethics and Standards, S4 Professional
Competence, S5 Planning, S6 Performance of Audit Work, while conducting a computer forensic review. The IS auditor should
consider it in determining how to achieve implementation of the above standards, use professional judgment in its application and
be prepared to justify any departure.

1.4 Guideline Application


1.4.1 When applying this guideline, the IS auditor should consider its guidance in relation to other relevant ISACA guidelines.
1.4.2 The IS auditor should consult and apply jurisdictional legal investigation guidelines, if applicable, during a computer forensic
engagement.

2. DEFINITIONS

2.1 Computer Forensics


2.1.1 Computer forensics can be defined as the process of extracting information and data from computer storage media using court-
validated tools and technology and proven forensic best practices to establish its accuracy and reliability for the purpose of
reporting on the same as evidence.
2.1.2 The challenge to computer forensics is actually finding this data, collecting it, preserving it and presenting it in a readable manner
that is acceptable in a court of law.
2.1.3 Computer forensics primarily involves exploration and application of scientifically proven methods to gather, process, interpret and
utilise digital evidence to support an assertion, such as:
Provide a conclusive investigation of all activities for the purpose of complete attack verification and enterprise and critical
infrastructure information restoration
Correlate, interpret and predict adversarial actions and their effect on planned operations
Make digital data suitable and persuasive for introduction into a criminal investigative process
2.1.4 Computer forensics is a science as well as an art for extracting and gathering data from a computer to determine if and how an
abuse or intrusion has occurred, when it occurred and who was the intruder. Organisations that employ good security practices
and maintain appropriate logs are able to achieve the objectives easily. However, with the right knowledge and tools, forensic
evidence can be extracted even from burned, water-logged or physically damaged computer systems.

3. AUDIT CHARTER

3.1 Assignment Mandate


3.1.1 Prior to commencement of the assignment pertaining to computer forensics, the IS auditor should require a clear, written mandate
from the appropriate authority to conduct the assignment.
3.1.2 The mandate should specify the responsibilities, authority and limitations of the assignment and ensure independence of the IS
auditor in carrying out the assignment. It should also make it clear that the auditor is acting with lawful authority to access the
systems and data concerned.
3.1.3 The mandate should also specify the scope and responsibilities where an external expert is utilised by the IS auditor to carry out
the assignment.

4. INDEPENDENCE

4.1 Considerations of Independence


4.1.1 Prior to commencing the assignment pertaining to computer forensics, the IS auditor should provide reasonable assurance that
there are no possible conflicts of interest.
4.1.2 Where a computer forensic assignment has been initiated by government, statutory body or any authority under a law, the IS
auditor must clearly communicate the independence and authority to perform the task, maintain confidentiality on information
acquired, be unbiased and submit a report to appropriate authorities.

5. AUDIT CONSIDERATIONS

5.1 Judicial Validity of an Electronic Transaction


5.1.1 To be considered valid, a contract involving selling goods or services should be signed. For electronic contracts, this can be
achieved with a digital signature.
5.1.2 The digital signature can achieve the objective of juridical relevance as follows:
Authentication—There is evidence of the data’s provenance.
Integrity—The verification process will succeed only if no part of the message has been changed.
Nonrepudiation or paternity—Each key user has the legal responsibility to protect his/her key. Therefore, he/she cannot
repudiate or unilaterally modify the content of the signed document. A valid system used to protect the private key might
store it in a secure personal device, such as a smart card. Can someone deny his/her own digital signature? Even if such a
denial were considered admissible, it has no value: the other party need only demonstrate that the signature was valid when
the contract was signed. This means that the owner must prove that his/her private key was stolen or subjected to
unauthorised use before the time the contract was signed. A digital signature authenticated by a notary cannot be denied.
Confidentiality—To add confidentiality to a signed document, it is only necessary to encrypt it using the addressee’s public
key.

5.2 Identification of Parties and Transaction Content


5.2.1 Only people of legal age (ordinarily 18 years old or more in most jurisdictions) have the capacity to conclude a contract.
5.2.2 Merchants can utilise any means to prove to themselves that the other party is legally authorised to make a transaction. They can
request any kind of proof and proceed to store the buyer’s data in their archives. In case of error or misuse, the vendor is
ultimately responsible for the proper execution of the contract. When using a digital signature system, the responsibility resides
with the authority that issued the digital signature. This authority is called a certification authority (CA). If contested, the digital
certificate owner should demonstrate that the private key was stolen or misused.
5.2.3 The same considerations apply to the content of the transaction (integrity), which is preserved when using the digital signature
system. Otherwise the merchant is responsible for false, incomplete, ambiguous and erroneous data.
5.2.4 The merchant is always responsible for credit card fraud and privacy violations.

5.3 Location Where the Contract Is Concluded


5.3.1 The greatest problem regarding electronic commerce is determining the exact location where the contract is concluded, which
determines the legal jurisdiction and the applicable laws and regulations.
5.3.2 In the absence of a specific law applicable to a contract, the only alternative is to refer it to the international jurisdiction. Modern
technology allows anyone to connect to his/her service provider from virtually everywhere in the world. This results in the
impossibility of defining the exact location where the contract concludes.
5.3.3 The solution is the proper application of international law and consequent application of international agreements.¹
5.3.4 The most accepted approach states that:
If the parties have chosen a specific legislation, this is the only legislation that is applicable
If the parties have not chosen any legislation scheme, the one with the closest relationship to the contract (i.e., residence of
the service provider) or, in case of product selling, the law of the consumer’s country is applicable

5.3.5 In any case, it is imperative that every kind of prudence is exercised, as it is extremely difficult to determine (and prove) the
location of the merchant.

5.4 Category Distinction


5.4.1 The intrinsic characteristic of informatics, regardless of how the contract is concluded, is to qualify the acquirer as a
consumer, because legislation protects the consumer in every country. For this reason, there is a distinction between business-to-
business and business-to-consumer electronic commerce.

5.5 Fraud Prevention


5.5.1 The economic system is founded, on the one hand, on identification and nonrepudiation of proposals/acceptances and, on the
other hand, on establishing fund transfers that are reasonably secure both when a subject buys (which implies he/she wants to
receive services or goods) and when the subject sells (which implies he/she wants to receive payment). The digital signature
system appears today as the only statutory form of payment online.

5.6 Use of Credit Cards Over the Internet


5.6.1 Today, the credit card constitutes the most utilised payment instrument for transactions over the Internet. Unfortunately there are
many possibilities for abuse of credit card data (such as allowing the reproduction of these data online). For example, there is a
possibility that the transaction receipt could be read by someone unauthorised to do so.
5.6.2 For online transactions, it is not necessary to have a credit card, but only its data. Credit card crimes are committed simply using
card data in an unauthorised manner. There are three types of credit card crime:
Abuse of card data
Falsification and possession of false credit card
Selling or buying an illegal card

5.6.3 The illegal use of a credit card over the Internet includes any action aimed to fraudulently obtain money, goods or services using
card data. A crime is committed even when the owner uses the card after its expiration.

6. KEY ELEMENTS OF COMPUTER FORENSICS FOR AUDIT PLANNING

6.1 Data Protection


6.1.1 It is critical that measures are in place to prevent the sought information from being destroyed, corrupted or becoming unavailable.
6.1.2 It is also important to inform appropriate parties that electronic evidence will be sought through discovery from the computer
systems, setting out specific protocols requiring all parties to preserve electronic evidence and to not resort to any means of
destroying information.
6.1.3 Response and forensic investigation capability should be in place prior to an incident or event. This includes the infrastructure and
processes for incident response and handling.

¹ The Rome Convention, 1980 European law, www.rome-convention.org/instruments/i_conv_cons_it.htm and the Vienna Convention, an
international agreement regarding import/export of goods signed in 1980, www.cisg.law.pace.edu/cisg/biblio/volken.html.

6.2 Data Acquisition
6.2.1 This involves the process of transferring information and data into a controlled location.
6.2.2 This includes the collection of all types of electronic media, such as disk drives, tape drives, floppy disks, backup tapes, zip drives
and any other types of removable media. All media should be protected, with content (image) being transferred to another medium
by an approved method. In addition, it is important to check that the media are virus-free and write-protected.
6.2.3 Data and information are also acquired through recorded statements of witnesses and other related parties.
6.2.4 The capture of volatile data, including open ports, open files, active processes, user logons and other data in RAM, is critical in
many cases. Volatile data are transient and lost when a computer is shut down. Capturing volatile data assists the
investigators in determining what is currently happening on a system.

6.3 Imaging
6.3.1 This involves the bit-for-bit copy of seized data for the purposes of providing an indelible facsimile upon which multiple analyses
may be performed without fear of damaging the original data or information.
6.3.2 Imaging is made to capture the residual data of the target drive. An image copy duplicates the disk surface sector by sector as
opposed to a file-by-file copy that does not capture residual data. Residual data include deleted files, fragments of deleted files
and other data that are still existent on the disk surface. With appropriate tools, destroyed data (erased, even by re-formatting the
media) can also be recovered from the disk surface.

6.4 Extraction
6.4.1 This involves the identification and separation of potentially useful data from the imaged dataset. This includes the recovery of
damaged, corrupted or destroyed data, or data that have been tampered with to prevent detection.
6.4.2 The entire process of imaging and extraction must meet standards of quality, integrity and reliability. This includes the software
used to create the image and the media on which the image was made. A good benchmark would be whether the software is
used, relied upon or authorised by law enforcement agencies. The copies and evidence must be capable of independent
verification, i.e., the opponent and court must be convinced about the accuracy and reliability of the data, and that the data are
tamper-proof.
6.4.3 Extraction includes examination of many sources of data, such as system logs, firewall logs, intrusion detection system logs, audit
trails and network management information.
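The points made in 6.3 (a sector-by-sector image retains residual data that a file-by-file copy drops) and in 6.4.2 (the image must be independently verifiable) in working form, as an added Python example that is not part of this guideline. The "disk", its allocation table and the deleted memo are constructed in the code; SHA-256 hashing stands in for whatever the validated imaging tool records.

```python
import hashlib

SECTOR = 512  # bytes per sector on the constructed disk


def build_sample_disk():
    """Construct an 8-sector 'disk' and its allocation table (constructed data).

    Sectors 5-6 hold a memo that was deleted: the allocation table no longer
    references them, but the bytes remain on the media until overwritten.
    """
    sectors = [b"\x00" * SECTOR for _ in range(8)]

    def put(idx, data):
        sectors[idx] = data.ljust(SECTOR, b"\x00")

    put(1, b"Quarterly ledger: approved transfers only")
    put(2, b"Policy document v3 - retention 7 years")
    put(5, b"DELETED MEMO: wire 250000 to offshore account")
    put(6, b"...destroy after reading")
    allocation = {"ledger.txt": [1], "policy.txt": [2]}  # memo.txt no longer listed
    return b"".join(sectors), allocation


def file_copy(disk, allocation):
    """File-by-file copy: only sectors the allocation table still references."""
    return {
        name: b"".join(disk[i * SECTOR:(i + 1) * SECTOR] for i in idxs).rstrip(b"\x00")
        for name, idxs in allocation.items()
    }


def image_disk(disk):
    """Bit-for-bit image of every sector, with a SHA-256 of the source taken first."""
    source_hash = hashlib.sha256(disk).hexdigest()
    return bytes(disk), source_hash


def verify_image(image, source_hash):
    """Independent verification: the image must hash to the same value as the source."""
    return hashlib.sha256(image).hexdigest() == source_hash


def carve_unallocated(image, allocation, keyword):
    """Scan sectors no file references for a keyword; returns (sector, content) hits."""
    allocated = {i for idxs in allocation.values() for i in idxs}
    hits = []
    for i in range(len(image) // SECTOR):
        if i in allocated:
            continue
        sector = image[i * SECTOR:(i + 1) * SECTOR]
        if keyword in sector:
            hits.append((i, sector.rstrip(b"\x00")))
    return hits


def demo():
    """Run the comparison and return the findings as a dict."""
    disk, allocation = build_sample_disk()
    image, source_hash = image_disk(disk)
    # One flipped byte (e.g. an accidental write to the image) must break verification.
    tampered = bytearray(image)
    tampered[5 * SECTOR] ^= 0x01
    logical = file_copy(disk, allocation)
    carved = carve_unallocated(image, allocation, b"DELETED MEMO")
    return {
        "image_verified": verify_image(image, source_hash),
        "tampered_image_verified": verify_image(bytes(tampered), source_hash),
        "deleted_memo_in_file_copy": any(b"DELETED MEMO" in v for v in logical.values()),
        "deleted_memo_sectors_in_image": [i for i, _ in carved],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The hash of the source is recorded before the image is taken, so that anyone holding the image can recompute and compare it independently.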

6.5 Interrogation
6.5.1 This involves the querying of extracted data to determine if any prior indicators or relationships, such as telephone numbers, IP
addresses and names of individuals, exist in the data.
6.5.2 Accurate analyses of the extracted data are essential to make recommendations and prepare appropriate grounds of evidence
before the enforcement authorities.

6.6 Ingestion/Normalisation
6.6.1 This involves the transfer and storage of extracted data using appropriate techniques and in a format easily understood by
investigators. This may include the conversion of hexadecimal or binary information into readable characters, conversion of data
to another ASCII language set, or conversion to a format suitable for data analysis tools.
6.6.2 Possible relationships within data are extrapolated through techniques, such as fusion, correlation, graphing, mapping or time
lining, to develop investigative hypotheses.

7. REPORTING

7.1 Acceptable to Law


7.1.1 As stated earlier, the challenge to computer forensics is finding the data, collecting it, preserving it and presenting it in a manner
acceptable to a court of law. The IS auditor should have complete information and clarity on the intended recipients and the
purpose of the report.
7.1.2 The report should be in an appropriate form and should state the scope, objectives, nature, timing and extent of investigation
performed.
7.1.3 The report should identify the organisation, intended recipients and restrictions on circulation (if any). The report should clearly
communicate the findings, conclusions and recommendations, together with any reservations or qualifications that the IS auditor
has with respect to the assignment.

7.2 Evidence
7.2.1 Electronic evidence ranges from mainframe computers and pocket-sized personal digital assistants to floppy diskettes, CDs, tapes or
even the smallest electronic chip device.
7.2.2 Industry-specified best practices should be adhered to, proven tools should be utilised and due diligence should be exhibited to
provide reasonable assurance that evidence is not tampered with or destroyed. Integrity, reliability and confidentiality of the
evidence are absolutely necessary for arriving at a fair judgment by the law enforcement authorities. It is also critical that the
evidence is produced and made available at an appropriate time to the authorities.
7.2.3 Example of tracing Internet e-mail:
When an Internet e-mail message is sent, the user typically controls only the recipient line(s) (To and Bcc) and the subject
line.
Mail software adds the rest of the header information as it is processed. An example of an e-mail header follows:

----- Message header follows -----
(1) Return-path: <sasrock@o199632.cc.nps.gov.org>
(2) Received: from o199632.cc.navy.gov by nps.gov.org (5.1/SMI-5.1) id AAO979O; Fri, 7 Nov 2003 18:51:49 PST
(3) Received: from localhost by o199632.gov.org (5.1/SMI-5.1) id AA41651; Fri, 7 Nov 2003 18:50:53 PST
(4) Message-ID: <9611080150.AA16514@o199632.cc.navy.gov>
(5) Date: Fri, 7 Nov 2003 18:50:53 -0800 (PST)
(6) From: "Susan Rock" <sasrock@o199632.cc.nps.gov.org>
(7) To: Mott Thick <mott.thick@ocean.com>
(8) Cc: Jokey Ram <J.ram@seabeas.com>

Line 1 tells recipient computers who sent the message and where to send error messages (bounces and warnings).
Lines 2 and 3 show the route the message took from sending to delivery. Each computer that receives this message adds a
received field with its complete address and time stamp; this helps in tracking delivery problems.
Line 4 is the message ID, a unique identifier for this specific message. This ID is logged and can be traced through
computers on the message route if there is a need to track the mail.
Line 5 shows the date, time and time zone when the message was sent.
Line 6 tells the name and e-mail address of the message originator (the sender).
Line 7 shows the name and e-mail address of the primary recipient; the address may be for a:
- Mailing list
- System-wide alias
- Personal username
Line 8 lists the names and e-mail addresses of the courtesy copy (Cc) recipients of the message. There may be blind carbon
copy (Bcc) recipients as well; these Bcc recipients get copies of the message, but their names and addresses are not visible
in the headers.
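Reading the header route described in 7.2.3 programmatically, as an added Python example that is not part of this guideline. The header below is constructed to mirror the guideline's eight-line sample, with fictitious hosts and addresses; the checks it applies (bottom-up hop order, per-hop delay, Message-ID domain against the first relay, Return-Path against From) are the cross-checks an investigator otherwise makes by hand.

```python
import re
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime

# Constructed sample header (fictitious hosts, modelled on the guideline's example).
# Each relay prepends its own Received: line, so the top line is the last hop.
SAMPLE_HEADER = """\
Return-Path: <sender@relay-a.example>
Received: from relay-a.example by mx.dest.example (8.14/8.14) id AB12345; Fri, 7 Nov 2003 18:51:49 -0800 (PST)
Received: from localhost by relay-a.example (8.14/8.14) id AA41651; Fri, 7 Nov 2003 18:50:53 -0800 (PST)
Message-ID: <20031107185053.AA41651@relay-a.example>
Date: Fri, 7 Nov 2003 18:50:53 -0800 (PST)
From: "Sample Sender" <sender@relay-a.example>
To: recipient@dest.example
Cc: cc-person@other.example

"""

# "from <host> by <host> ... ; <date>" is the common shape of a Received: value.
RECEIVED_RE = re.compile(r"from\s+(?P<from>\S+)\s+by\s+(?P<by>\S+).*?;\s*(?P<date>.+)$", re.S)


def parse_received(value):
    """Split one Received: value into (from_host, by_host, timestamp), or None."""
    m = RECEIVED_RE.search(value.strip())
    if not m:
        return None
    return m.group("from"), m.group("by"), parsedate_to_datetime(m.group("date").strip())


def trace_route(raw_header):
    """Return hops in chronological order (first relay first) with per-hop delay in seconds.

    Only Received: lines written by relays the investigator trusts are reliable;
    lines beneath them are whatever the submitting host chose to write.
    """
    msg = message_from_string(raw_header)
    hops = [h for h in (parse_received(v) for v in msg.get_all("Received", [])) if h]
    hops.reverse()  # header order is newest-first; read bottom-up for chronology
    route = []
    for i, (frm, by, ts) in enumerate(hops):
        delay = (ts - hops[i - 1][2]).total_seconds() if i else 0.0
        route.append({"from": frm, "by": by, "time": ts.isoformat(), "delay_s": delay})
    return route


def consistency_checks(raw_header):
    """Cross-check Message-ID domain vs. first relay and Return-Path vs. From."""
    msg = message_from_string(raw_header)
    route = trace_route(raw_header)
    msgid_domain = (msg["Message-ID"] or "").strip("<> ").split("@")[-1]
    first_relay = route[0]["by"] if route else None
    return_path = (msg["Return-Path"] or "").strip("<> ")
    from_addr = parseaddr(msg["From"] or "")[1]
    return {
        "msgid_matches_first_relay": msgid_domain == first_relay,
        "return_path_matches_from": return_path == from_addr,
        "hops": len(route),
    }


if __name__ == "__main__":
    for hop in trace_route(SAMPLE_HEADER):
        print(hop)
    print(consistency_checks(SAMPLE_HEADER))
```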

8. EFFECTIVE DATE
8.1 This guideline is effective for all information system audits beginning on or after 1 September 2004. A full glossary of terms can be
found on the ISACA web site at www.isaca.org/glossary.

APPENDIX
COBIT Reference
Selection of the most relevant material in COBIT applicable to the scope of the particular audit is based on the choice of specific COBIT IT
processes and consideration of COBIT’s control objectives and associated management practices. In the review of computer forensics, the
COBIT processes likely to be the most relevant are classified below as primary and secondary. The process and control objectives to be
selected and adapted may vary depending on the specific scope and terms of reference of the assignment.

Primary:
PO8—Ensure compliance with external requirements
AI1—Identify automated solutions
DS1—Define and manage service levels
DS2—Manage third-party service
DS5—Ensure security systems
DS10—Manage problems and incidents
DS11—Manage data
M1—Monitor the process
M3—Obtain independent assurance

Secondary:
PO1—Define a strategic IT plan
PO4—Define the IT organisation and relationships
DS6—Identify and allocate costs
DS12—Manage facilities
DS13—Manage operations
M2—Assess internal control adequacy

The information criteria most relevant to a computer forensic review are:


Primary—Reliability, integrity and compliance
Secondary—Confidentiality and availability

Copyright © 2004
Information Systems Audit and Control Association
3701 Algonquin Road, Suite 1010
Rolling Meadows, IL 60008 USA
Telephone: +1.847.253.1545
Fax: +1.847.253.1443
E-mail: standards@isaca.org
Web site: www.isaca.org
