3.forensic Audit Report - 1
Mr. ABC
CEO
XYZ PVT Ltd.
Hazratganj, Lucknow
U.P. 226001
LIMITATIONS:
Our engagement was performed under the Statements and Standards issued by the
Institute of Chartered Accountants of India (ICAI). We conducted some investigation
but did not conduct an examination, the objective of which would be the expression
of our opinion on compliance. We have worked on standard procedures; other
matters that might have come to our attention and had any relation to the case
would be intimated to you.
As to the sufficiency of the procedures conducted by our firm in connection with the
given matter: if any irregularity, issue or other further matter arises, it
would be solely the responsibility of XYZ PVT Ltd. Consequently, we have
maintained all the representations regarding the sufficiency of the procedures
taken by us in terms of our engagement. We will not be responsible for any of the
work carried out by us for the matter for which we were engaged or for any other
purpose.
The findings set forth herein were prepared by us on the basis of what we
observed and were informed of by the Bank concerning the above-referenced
engagement letter received by us.
BACKGROUND:
Ms. FFF, an Account Manager of the company, complained to Mr. ABC of sexual
harassment by Mr. MMM, CFO of the company, because he gave her an HP
pen drive on 11/01/2017 at approx. 08:00 PM, when she was leaving the office
for home, which contained some pornography movies, and asked her repeatedly to
watch them.
Mr. MMM, CFO of the company, replied that he had provided an HP pen drive but with
some official data; the pornography movies might have been copied by her to cash in
on the reputation of the CFO.
The Company has not found any pornography movies on any of the computer
systems.
OBJECTIVE AND SCOPE OF THE FORENSIC AUDIT/INVESTIGATION:
INTERVIEWS:
Interviews were used to obtain information about and to understand the allegation
and to verify facts. During the forensic audit investigation, we conducted formal
interviews with individuals. Two (02) of these interviews were conducted with the
assistance of a court stenographer (see sworn statement below).
For formal interviews, notes were taken and/or recordings were made. In some
instances, the person was asked to sign the interview notes. If the interview was of
importance to a particular allegation, the interviewee was informed that he or she
would possibly have to confirm his or her statement at a later date.
The investigation team also conducted numerous informal interviews to collect
information relating to documents and activities. Informal interviews were not
recorded, although handwritten notes were frequently taken.
SWORN STATEMENTS:
Certain interviews were more important than others due to the position of the
employee or their significance in confirming facts. These interviews were recorded
by an official court stenographer, who took an oath from the interviewee before
commencing the session. Transcripts of the completed sworn statements were
provided to the person who was interviewed, shortly after the sessions.
[Table: list of devices connected to the PC of Mr. MMM, CFO. Columns: Description, Device Type, Connected, Safe To Unplug, Serial Number, Last Plug/Unplug Date.]
User Actions and Events List (created by using LastActivityView)
[Table: user actions and events recorded on the PC. Columns: Action Time, Description, Filename, Full Path.]
DATA RECOVERY
During the data recovery phase we found that the file at
F:\MULTIMIDIA\FILMS\PORN\1\LL\XXX.VOB had existed on the PC of Mr. MMM, CFO, but
had been deleted from the PC.
OBSERVATION:
1. As per the list of devices that were connected to the PC of Mr. MMM, CFO, it
has been found that the pen drive hp v220w USB Device, bearing serial
no. AA00000000003722, was connected at 11-01-2017 19:58.
2. On comparing the hash values of the hp v220w USB Device, we found that
they exactly match the pen drive and that no changes occurred in the pen drive
after that.
3. As per the User Actions and Events List, it has been found that the file XXX.VOB
(a porn film), which existed at F:\MULTIMIDIA\FILMS\PORN\1\LL\XXX.VOB on
the PC of Mr. MMM, CFO, was copied at the same time.
4. During the data recovery we observed that the same file had existed in
the same location on the PC of Mr. MMM but had been deleted permanently.