Forensic Services

Forensic Accounting Services (SEC 2)

2.1 Introduction
2.2 Types Of Risk
2.3 Services
2.4 Cyber Forensic
2.5 Products
2.6 Client Base


Managing risk today is more complex than before. If security is compromised, the initiative is lost and one's competitive advantage is eroded. How does an institution or entity maintain the peace of mind that its key information, assets, business knowledge and operations remain secure?

We have depth of experience in designing, implementing and reviewing strategic security programmes and policies to align them with international best practice.

We have been retained to design security systems appropriate to National Key Points (JIA a National Key Point), Blue chip organisations and international companies.

Our company follows a holistic approach to security and risk management practice that encompasses the A to E of security, with a focus on driving down the cost of generic security measures by the use of appropriate solutions to unlock embedded value.

Prior to the newfound democracy in South Africa, security was primarily focused on retaining the then political system. Over the last eight years, the traditional understanding and application of the term security has slowly evolved into the concept of risk management, becoming, in the process, one of the elements of risk management. Given the context in which the South African economy is rapidly evolving under the impetus of government policies, programmes etc., Risk Management as a management tool is becoming an integral part of Business Administration. Within the South African public and corporate contexts, this phenomenon is becoming the rule rather than the exception.

Philosophy of Risk Management

Every area or field of operations of a business, organization or institution faces risk which could result in considerable losses to the organization (e.g. financial, human capital, intellectual, market opportunity etc.). Companies, institutions and organizations are integrating risk management as a component of business management and aligning it with their strategic objectives. Within the South African context, Risk Management can be divided into four broad components viz.

  • Anticipating Risks
  • Preventing Risks
  • Managing Risks
  • Evaluating Risk

2.2 Types of Risk Management

  1. Corporate Security Risk Management can be divided into four sub elements of risk viz.
  2. 1.1 Integrity deals predominantly with the vetting, evaluation and assessment of the items listed below to ascertain compliance with requirements (e.g. BEE etc.) and to establish a rating and value of the risk.

    • Human Resources (personnel)
    • Industrial Relations
    • Procurement (services and or goods)
    • Profiling (companies and individuals)

  3. Protection deals predominantly with the protection of VIPs. Within Corporate South Africa over the past 24 months there has been a steep increase in demand for services of this nature.
  4. Security Risk has been the traditional “risk” operating in South Africa and deals with the physical protection of facilities e.g. banks, buildings, cash in transit, crowd control at sports venues, access etc. This type of risk is currently undergoing a transformation and is developing into the concept of “Smart Security” e.g. designing facilities incorporating and combining architectural, engineering and security elements as one.
  5. Information Risk
    • Information Technology, hardware and software including systems (e.g. Portholes, networks etc.).
    • Document Management, the storage of hard and soft copies of documents, flow of documents in organisations, classification etc.
    • Disaster recovery planning (IT)
    • Public Relations
  6. Intellectual Risk
  7. Market Risk
  8. Political Risk. With specific reference to the NEPAD and SADC initiatives, South African companies and African companies would be investing and setting up shop in other parts of Africa, including South Africa. The role of a Risk Management Company in this regard would be that of a facilitator, evaluating and assessing the right partner. It would also analyse the political situation, its governance policies and the level of security.
  9. Forensic services deal predominantly with fraud, corruption and dishonesty, and are split into two portions viz.
    • Prevention by means of policy development, guidelines, orientations and training.
    • Investigations

    Currently in South Africa this type of Risk Service is more predominant and on the increase. Although government institutions/organisations are in the process of developing and building capacity in their own domain, there is scope for private companies such as Xavier Forensic and Accounting Services to heighten and strengthen institutions' capacity to deal with these challenges.

  10. Counter Industrial Espionage Measures
  11. Litigation Risk


2.3  Services

2.3.1 Forensic Accounting
2.3.2 Information Technology Forensics
2.3.3 Forensic Investigation

2.3.4 Polygraph

  • Voice stress analysis
  • Handwriting analysis


2.4  Cyber Forensics

Computer forensics is the application of scientifically proven methods to gather, process, interpret, and to use digital evidence to provide a conclusive description of cyber crime activities.  Cyber forensics also includes the act of making digital data suitable for inclusion into a criminal investigation. Today cyber forensics is a term used in conjunction with law enforcement, and is offered as courses at many colleges and universities worldwide.

The business of securing and investigating potential evidence is an extremely demanding one.  It must be undertaken properly and to the highest scientific and professional standards in the service of Justice.  To this end we maintain strict confidentiality and ensure the utmost security when dealing with original evidence.  That way there can never be any question about the continuity or integrity of the evidence we may present.  Once secured, the information is checked and collated before being searched and analysed in accordance with the client's requirements.  We may advise on how to make the best use of resources in collecting and organising any evidence that is recovered.  Our extensive experience may be invaluable if there are questions concerning current legislation and how the courts may interpret it with regard to computer based material.

The procedures that we have developed to handle evidential material are designed so that maximum security may be maintained whilst it is in our possession.

First of all, we arrange to make forensic copies of the data to be examined.  In civil cases this is usually done on-site - reducing downtime and leaving the original material in the possession of the owner.  We then retain the copies for examination and these are stored in our own secure facility for as long as is necessary to complete the case.

In criminal cases, arrangements are made with the Police to forensically copy the data and once again we retain these securely for as long as is necessary.

The actual data content remains strictly controlled during the life of the case and is only divulged in the confidential report produced at the client's request.

Once a case is concluded, the client's instructions are sought concerning what should be done with both the copied data and the notes, tables, charts and reports which were produced during the investigation.

Of course, there are occasions when these procedures may be modified according to circumstances.  For instance - arrangements can be made to copy data covertly in order that a preliminary investigation may be conducted without alerting possible suspects.  In another instance - where there is a possibility that legally privileged information might be involved - a copy can be taken under strictly controlled conditions, and immediately transferred into the safe keeping of a trusted third party pending a decision on its legal status.  Since the copying process does not reveal the data content, there is no question of breach of privilege at this stage.

Defensive information technology will ultimately benefit from the availability of cyber forensic evidence of malicious activity.

Criminal investigators rely on recognized scientific forensic disciplines, such as medical pathology, to provide vital information used in apprehending criminals and determining their motives. Today, an increased opportunity for cyber crime exists, making it imperative for advances in the law enforcement, legal, and forensic computing technical arenas. Cyber forensics is the discovery, analysis, and reconstruction of evidence extracted from any element of computer systems, computer networks, computer media, and computer peripherals that allow investigators to solve the crime.1 Cyber forensics focuses on real-time, on-line evidence gathering rather than the traditional off-line computer disk forensic technology.

Two distinct components exist in the emerging field of cyber forensics. The first, computer forensics, deals with gathering evidence from computer media seized at the crime scene. Principal concerns with computer forensics involve imaging storage media, recovering deleted files, searching slack and free space, and preserving the collected information for litigation purposes. Several computer forensic tools are available to investigators. The second component, network forensics, is a more technically challenging aspect of cyber forensics. It gathers digital evidence that is distributed across large-scale, complex networks. Often this evidence is transient in nature and is not preserved within permanent storage media. Network forensics deals primarily with in-depth analysis of computer network intrusion evidence, while current commercial intrusion analysis tools are inadequate to deal with today's networked, distributed environments.

Similar to traditional medical forensics, such as pathology, today's computer forensics is generally performed postmortem (i.e., after the crime or event occurred). In a networked, distributed environment, it is imperative to perform forensic-like examinations of victim information systems on an almost continuous basis in addition to traditional postmortem forensic analysis. This is essential to continued functioning of critical information systems and infrastructures. Few, if any, forensic tools are available to assist in preempting the attacks or locating the perpetrators. In the battle against malicious hackers, investigators must perform cyber forensic functions in support of various objectives, including timely cyber attack containment, perpetrator location and identification, damage mitigation, and recovery initiation in the case of a crippled, yet still functioning, network. Standard intrusion analysis includes examination of many sources of data evidence (e.g., intrusion detection system logs, firewall logs, audit trails, and network management information). Cyber forensics adds inspection of transient and other frequently overlooked elements such as contents or state of the following: memory, registers, basic input/output system, input/output buffers, serial receive buffers, L2 cache, front side and back side system caches, and various system buffers (e.g., drive and video buffers).

The cyber forensic tools involved in CFX-2000 consisted of commercial off-the-shelf software and directorate-sponsored R&D prototypes. The SI-FI integration environment, developed under contract by WetStone Technologies, Inc.3, was the cornerstone of the technology demonstrated. SI-FI supports the collection, examination, and analysis processes employed during a cyber forensic investigation. The SI-FI prototype uses digital evidence bags (DEBs), which are secure and tamperproof "containers" used to store digital evidence. Investigators can seal evidence in the DEBs and use the SI-FI implementation to collaborate on complex investigations. Authorized users can securely reopen the DEBs for examination, while automatic audit of all actions ensures the continued integrity of its contents. The teams used other forensic tools and prototypes to collect and analyze specific features of the digital evidence, perform case management and timelining of digital events, automate event link analysis, and perform steganography detection. The results of CFX-2000 verified that the hypothesis was largely correct and that it is possible to ascertain the intent and identity of cyber criminals. As electronic technology continues its explosive growth, researchers need to continue vigorous R&D of cyber forensic technology in preparation for the onslaught of cyber reconnaissance probes and attacks.
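The sealed-container idea described above, sketched as an added example (it is not code from SI-FI, WetStone or the original page): evidence is sealed by its SHA-256 digest, and every action is recorded in an HMAC-chained audit log that is checked before the contents are released. The class name, key handling and log fields are assumptions made for illustration.

```python
import hashlib
import hmac
import json

GENESIS = "0" * 64  # stands in for the "previous MAC" of the first audit entry


class EvidenceBag:
    """Toy evidence container: sealed digest plus an HMAC-chained audit log."""

    def __init__(self, key: bytes, evidence: bytes, examiner: str):
        self._key = key  # assumption: held by the custodian, never stored with the bag
        self.evidence = evidence
        self.log = []
        self._record(examiner, "seal", hashlib.sha256(evidence).hexdigest())

    def _mac(self, body: dict) -> str:
        data = json.dumps(body, sort_keys=True).encode()
        return hmac.new(self._key, data, hashlib.sha256).hexdigest()

    def _record(self, actor: str, action: str, digest: str) -> None:
        # Each entry commits to the MAC of the one before it.
        prev = self.log[-1]["mac"] if self.log else GENESIS
        body = {"seq": len(self.log), "actor": actor, "action": action,
                "digest": digest, "prev": prev}
        self.log.append({**body, "mac": self._mac(body)})

    def verify(self) -> list:
        """Return a list of integrity problems; an empty list means intact."""
        problems, prev = [], GENESIS
        for i, entry in enumerate(self.log):
            body = {k: v for k, v in entry.items() if k != "mac"}
            ok = (entry["seq"] == i and entry["prev"] == prev
                  and hmac.compare_digest(entry["mac"], self._mac(body)))
            if not ok:
                problems.append(f"audit entry {i} invalid")
            prev = entry["mac"]
        if hashlib.sha256(self.evidence).hexdigest() != self.log[0]["digest"]:
            problems.append("evidence digest mismatch")
        return problems

    def open(self, examiner: str) -> bytes:
        """Release the evidence only if everything verifies, and log the access."""
        problems = self.verify()
        if problems:
            raise ValueError("; ".join(problems))
        self._record(examiner, "open", self.log[0]["digest"])
        return self.evidence
```

A chain like this detects edited, reordered or removed interior entries, but not removal of the most recent entries unless the latest MAC is also recorded somewhere outside the bag.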

  • Digital forensic science
  • Computer forensics
  • Cyber crime scene analysis
  • Computer Crime
  • Intrusion Detection
  • Cyber Forensics

  Course Objectives:

Upon successful completion of this course, you will be able to:

  • Describe the various issues facing the field of cyber forensics
  • Explain how some of these issues can be addressed
  • Submit your paper/project for consideration in a peer reviewed journal

Course Format:

Although this is not an exclusive graduate course, the format will be graduate oriented. This means that independent work will be encouraged. We will meet at the beginning of the term, once during the middle time frame and again at the end of the term. The pursuit of formal scientific discovery will be stressed. As cyber forensics is a multidisciplinary field, the only restriction on research topics is that they in some way, shape or form deal with a current or near-term issue in the field.

The exact dates of the meetings will be announced later. While there are no scheduled labs, students in this course get priority for time in the Cyber Forensics Lab (228 Knoy), as well as access to forensics software, hardware, and other resources needed to complete the project.

There are 4 deliverables required for this course:

  • Statement of the problem to be addressed accompanied by a literature or industry review
  • Draft or in the case of tool development a proof of concept statement or SDLC outline
  • Class presentation of your project
  • Paper suitable for publication in a peer reviewed publication. This paper is required even if the project is tools development based. In the case of tool development, the paper will be less extensive and account for 30% of the project mark with the tool being weighted at 70%.

2.5  Products

Website Access Data (PDF)


2.6  Client Base

  • Department of Land Affairs (National)
  • Auditor General
  • City of Johannesburg
  • Institute for Municipal Officers
  • Damelin College
  • Ekurhuleni Metropolitan Municipality
  • Gauteng Shared Service Centre (GSSC)