Computer Forensics on Financial Crimes Tsetini Maria SID: 3301120006 SCHOOL OF SCIENCE & TECHNOLOGY A thesis submitted for the degree of Master of Science (MSc) in Information and Communication Systems OCTOBER 2013 THESSALONIKI – GREECE Computer Forensics on Financial Crimes Tsetini Maria SID: 3301120006 Supervisor: Prof. Vasilios Katos Supervising Committee Assoc. Prof. Name Surname Members: Assist. Prof. Name Surname SCHOOL OF SCIENCE & TECHNOLOGY A thesis submitted for the degree of Master of Science (MSc) in Information and Communication Systems OCTOBER 2013 THESSALONIKI – GREECE -ii- Abstract This dissertation was written as a part of the MSc in Information and Communication Technology (ICT) Systems at the International Hellenic University. The topic of this dissertation is "Computer Forensics on Financial Crimes". The financial crime examined here is the Enron scandal, which is considered to be one of the most complex financial crimes in the history of corporate fraud. In order to examine this white-collar crime, the publicly available Enron corpus was used. Enron corpus includes emails exchanged by Enron's employees and it was used as a vehicle so that a computer forensics methodology would be created. Specifically, Enron email dataset was processed in order to provide useful statistical analysis results. Furthermore, Enron email dataset was analyzed so that social network visualization of it would be generated. Hence, by analyzing Enron corpus, this dissertation aims to act as a computer forensics toolkit for further analysis that can be conducted on this subject in the future and for financial crimes in general. I would like to thank my supervisor, Prof. Vasilios Katos, for his valuable guidance and support throughout my thesis process. It was a privilege to have the opportunity to work with such a devoted scientist and inspiring teacher, who always provided me with significantly helpful advice. Additionally, I would like to express my gratitude to my wonderful family for their emotional and financial support throughout my studies and in my life in general. Finally, I would like to thank my amazing friends for their constant encouragement and belief in me. Tsetini Maria, 06/11/2013 -iii- Contents ABSTRACT .................................................................................................................. III CONTENTS ................................................................................................................. IV LIST OF FIGURES ..................................................................................................... VI LIST OF TABLES .................................................................................................... VIII 1 INTRODUCTION .................................................................................................... 1 2 LITERATURE REVIEW ........................................................................................ 5 2.1 COMPUTER FORENSICS ........................................................................................ 5 2.1.1 What is computer and digital forensics? ............................................... 5 2.1.2 Goals of forensic analysis ...................................................................... 7 2.1.3 Computer forensics process ................................................................... 8 2.1.4 Elements of a good process ................................................................. 12 2.1.5 Rules of computer forensics ................................................................. 14 2.1.6 Computer forensics methods ................................................................ 15 2.1.7 The importance of Computer Forensics .............................................. 17 2.2 DIGITAL CRIMES ............................................................................................... 18 2.2.1 Digital crime definition ........................................................................ 19 2.2.2 Classification of crimes ....................................................................... 20 2.2.3 Types and sources of digital data in digital crimes ............................. 23 2.2.4 Types and rules of digital evidence ...................................................... 26 2.3 FINANCIAL CRIMES ........................................................................................... 28 2.3.1 Financial crime definition ................................................................... 28 2.3.2 Financial crime categories .................................................................. 29 2.4 THE CASE OF ENRON ......................................................................................... 35 2.4.1 The outline of the scandal .................................................................... 35 2.4.2 The rise of Enron ................................................................................. 36 2.4.3 Keys to Enron's success ....................................................................... 38 2.4.4 Enron's Innovations ............................................................................. 40 2.4.5 The fall of Enron .................................................................................. 43 -iv- 2.4.6 Reasons of Enron's collapse ................................................................ 46 2.4.7 Federal Investigation ........................................................................... 55 2.4.8 Convictions .......................................................................................... 56 2.4.9 Compensations ..................................................................................... 58 3 PROBLEM DEFINITION ..................................................................................... 60 3.1 THE ENRON EMAIL DATASET ............................................................................. 60 3.2 RELATED WORK ON EMAIL ANALYSIS ............................................................... 61 3.3 DISSERTATION'S PROBLEM DEFINITION ............................................................. 62 4 CONTRIBUTION ................................................................................................... 65 4.1 METHODOLOGY AND TECHNOLOGIES ................................................................ 65 4.2 STATISTICAL ANALYSIS .................................................................................... 72 4.3 SOCIAL NETWORK VISUALIZATION .................................................................... 83 5 CONCLUSIONS ................................................................................................... 100 5.1 OVERVIEW OF THE DISSERTATION ................................................................... 100 5.2 RESULTS EVALUATION .................................................................................... 101 5.3 PERSONAL REFLECTION .................................................................................. 102 5.4 FUTURE WORK ................................................................................................ 104 -v- List of Figures Figure 1: Distribution of information security attacks per country ................................. 5 Figure 2: Types of digital forensics ................................................................................. 6 Figure 3: Digital evidence ................................................................................................ 8 Figure 4: Computer forensics process ............................................................................ 11 Figure 5: Information security triad (CIA) .................................................................... 20 Figure 6: Examples of digital data sources .................................................................... 25 Figure 7: Digital evidence .............................................................................................. 28 Figure 8: Financial crime categories and subcategories (Peter Gottschalk, 2010) ........ 30 Figure 9: Enron logo - "Endless possibilities" ............................................................... 42 Figure 10: Enron's stock price chart (January 2001 - January 2002). ............................ 45 Figure 11: Enron's demise .............................................................................................. 46 Figure 12: Enron, "A true story of false profits" ........................................................... 50 Figure 13: Enron's slogan "ask why" ............................................................................. 54 Figure 14: Federal investigation about Enron ................................................................ 55 Figure 15: A tweet from CNBC regarding Skilling's new sentence deal ...................... 57 Figure 16: Ironic depiction of Enron's slogan "ask why" .............................................. 59 Figure 17: Screen shot of the code that split the dataset into the tables ........................ 65 Figure 18: What it is included in each table .................................................................. 67 Figure 19: The number of records included in each table ............................................. 68 Figure 20: Creation of table "output" ............................................................................. 69 Figure 21: Insert values into table "output" ................................................................... 70 Figure 22: Insert values to table "result" .......................................................................