Month: May 2013

PKF IT Opportunities

One of the main reasons we moved the IT advisory function out of internal audit was the fact that IT encompassed so much more than just doing an audit.

I believed in the exponential growth of IT based on the simple belief: IT is integral to efficient and effective businesses. Businesses that do not leverage on IT will go nowhere. So it only makes sense that IT will get more complex and more critical as each year goes by.

Back in 2010, PKF Malaysia realised this pattern. By staying stagnant and doing what the other firms were doing: Internal Auditors doing IT audits, we were going to simply die off. The first thing we realised was that, while Internal Auditors were OK doing IT audits, these were two different animals. We didn’t want to do checklist audits. We didn’t want someone ┬ádoing IT audit who didn’t even know what the heck was an AAA server or how to do a simple VLAN config on a Cisco router. We didn’t want someone who would go up to the Audit Committee, put someone else’s career at stake by giving ridiculous recommendations and reports, based on ‘previous experience’ and ‘industry best practices’, when they don’t even know head or tail on what Active Directory is used for, or what’s the basics of DNS poisoning or IP spoofing. We needed serious technical people who have been on both customer and consulting end, and we needed to separate from the Internal Audit group….simply because we want an audit to be done differently.

We moved quickly into ISO27001 (ISMS) and PCI-DSS, we went through ISO27005 for risk assessment, we did COBIT 4.1 training and enablement and got everyone at least CISA certified. Most of us, like me, have multiple certs, for instance in IT forensics, IT ethical hacking, IT management, Project management and so forth.

We moved quickly to become MSC status to be a serious player in 2011, and we started strategic collaborations for different purposes. We joined workgroups with government and private agencies, opening channels to MOSTI, MIMOS, Bank Negara and so on, to conduct knowledge sharing sessions. For free. I am a great believer that contribution back to the industry should be done as part of our professional duty, and not as an engagement service.

So here we are, at the precipice of change. PKF itself has undergone some tremendous changes over 2012 and 2013. This week, we had our PKF Asia Pac Conference, where different countries got together, to explore different areas and opportunities. We’re excited, as we see the work we’ve done in the past 3 years to build our knowledge and reputation, possibly coming to fruition. I am also a big believer that PKF requires an IT function regionally. There should be a Center of Excellence, not just to do IT audit but to do Technical Services like penetration testing and forensics, or troubleshooting and service management; and also project management.

This is where we are. We still have a long way to go, but with the extension of our services into the other firms in PKF, we’re set to stay for a long while.

Here is the link to the presentation we did to the other PKF Firms last week.

PKF Avant Edge – Partner Presentation

Forensics Steps: Imaging

Over the past 18 months, our profile in IT forensics has been raised a bit. What started out sometime back as a call to me on a Saturday from another partner, asking “Can you guys recover deleted files from a computer?”, turned into another journey that eventually created our relatively new technical services group catering to IT forensics and penetration testing services. So aside from CISA for auditors and assurance, we ended up with CHFI guys, and CEH guys. More acronyms usually make us more technical sounding.

On a serious note, IT forensics is relatively new; and we didn’t go into it totally without guidance. We’ve worked with Cybersecurity, and still do, especially during the acquisitions and analysis. Recently, we’ve got in a few devices ourselves, namely the Tableu TD2 and writeblocker to do some serious work with imaging. Before this, we primarily used FTK and USB based imaging, and using software writeblocking through the registry. It was fine, but it wasn’t something that we could do long term, especially looking at a job where we had to image 30 hard drives in 2 days. While we roped in our partners to help out, we also used our TD2 to good effect, and happy to add, that we’re ready for bigger projects.

Imaging itself is simply half the job done. In fact it’s just a part of it. We’ve also had to physically tag, inventorise, chain of custody, secure the physical evidence through tamper proof tapes and bags. Once imaged, we have to verify the image for integrity through a hash check and then secure the original evidence under lock and key. The original evidence, in this case, we sent back to the owners, along with the chain of custodies.

While you might think imaging is relatively simple, it’s tedious. In this case, we had a server where we had to image live, in order not to break the RAID. Live imaging is a pain, because it takes enormous amount of time to get it done. Sometimes, we face hours of imaging and at the end of it, it says that the disk is corrupted.

But overall, get the documentation right, and make sure the images are secured. These will be the images where we will run analysis with, so take it as seriously as a primary evidence.

Once this portion is done, we are looking at analysis, which constitutes a whole other chapter. CSI, this is not, I guarantee you. Most of the time, we’re looking for a needle in a barnyard of haystacks. The proverbial smoking gun. Usually we don’t find it, so I don’t quite believe how CSI New York can solve a case in 45 minutes, built on a hair found conveniently trapped within the car door. Which has been burnt and sunk. And scrapped into a million pieces and left in the trash for 20 years. Seriously, Hollywood.

From the hours of bleary eyed reviews of thousands of lines of files and emails and patched up text files, we can use bits and pieces, but it’s usually not as rewarding as our CSI bedfellows.

If you need any more information or services regarding IT forensics or data recovery, do let us know at


© 2020 PKF AvantEdge

Theme by Anders NorenUp ↑