Computer and Mobile Forensic Approach to Acquire Audit Evidence at the Audit Board of the Republic of Indonesia
Veronika1, Hendratna Mutaqin2
1Faculty of Economics and Business, Universitas Trisakti, Jakarta, Indonesia
2The Audit Board of the Republic of Indonesia, Jakarta, Indonesia [email protected], [email protected]
I. Introduction
Computer and mobile forensic is not a new technique, but it has been growing and is widely considered by the Police and other law enforcement agencies to be a prominent technique for gathering the necessary evidence. Other organisations are now also reviewing and implementing this method to support and improve their roles. The Audit Board of the Republic of Indonesia (BPK) is one of them.
One audit that BPK carried out concerned the driving simulator case, one of the scandalous criminal corruption cases in Indonesia in 2013. The procurement of driving simulators at Korlantas Polri started in 2005, when it was called the clinic of the driver.
Then, around 2009, the name of the procurement changed to the procurement of driving simulators. The procurement of two-wheeled (motorcycle) and four-wheeled (car) driving simulators continued in 2010 and 2011. The executing company for both the two-wheeled and four-wheeled driving simulator procurement in 2011 was PT Citra Mandiri Metalindo Abadi (CMMA).
The procurement of 700 two-wheeled driving simulator units is regulated in Letter of Sale and Purchase Agreement No. SPJB/02/II/2011 of February 25, 2011, at a price per unit of Rp77.790.000,00 and a total contract value of Rp54,453,000,000.00. The procurement of 556 four-wheeled driving simulator units is set out in Letter of Sale and Purchase Agreement No. SPJB/22/IV/2011 of April 18, 2011, at a price per unit of Rp256.142.000,00 and a total contract value of Rp142,414,952,000.00. To manufacture the two-wheeled and four-wheeled driving simulators, PT CMMA entered into agreements with various companies, including PT Inovasi Technology Indonesia (ITI) and PT Adora.
Abstract
Computer and mobile forensic is a new technique for most auditors in the Audit Board of the Republic of Indonesia (BPK). They can use this technique not only for investigative audits but also for state finance and performance audits. The Investigative Audit Unit in BPK has already implemented computer and mobile forensic techniques to support its assignments, although several areas need improvement. On the other hand, only a few auditors outside the Investigative Audit Unit know and implement this technique. The current issue in implementing this technique is that BPK has not yet produced specific guidance for computer and mobile forensic. The recommendations for BPK resulting from the study project are to organize computer and mobile forensic training for all auditors and to produce guidance on computer and mobile forensic techniques for auditors.
Keywords: computer forensic; investigative audit; mobile forensic
Budapest International Research and Critics Institute-Journal (BIRCI-Journal) Volume 5, No 3, August 2022, Page: 20255-20262 e-ISSN: 2615-3076 (Online), p-ISSN: 2615-1715 (Print)
www.bircu-journal.com/index.php/birci email: [email protected]
The research aims to investigate the current computer and mobile forensic approach used by the auditor to gather the evidence.
II. Review of Literature
Computer forensic is defined by Nelson (2008) as the process of analyzing and obtaining information in digital form as evidence in criminal, civil or administrative cases.
Another definition, by Newman (2007), is the activities related to the process of identification and preservation of digital evidence to support legal or official action. The ultimate goal of computer forensic under both definitions is solving cases by using evidence produced from a computer. Many computer forensic tools are available today, either paid or free. Most of the free computer forensic tools are based on the Linux operating system, for example SANS SIFT, Sleuth Kit, DEFT, Volatility, LastActivityView, HxD, CAINE, Mandiant Redline, and PlainSight. EnCase and FTK are examples of paid computer forensic tools.
Mobile forensic is the recovery of digital evidence using accepted, forensically sound and proven methods (Barmpatsalou et al., 2013, cited by Holzknecht, n.d.). ACPO (2012) describes mobile devices as consisting of mobile phones, smartphones, and devices such as tablets, PDAs and others which may have wireless connectivity/communications capability. The number of mobile forensic tools is not as large as that of computer forensic tools, and most of them are paid. XRY and Cellebrite are examples of mobile forensic tools.
Electronic evidence is data or information stored or transmitted by an electronic device that is not readily viewable and requires hardware and software to make it visible (Nelwan, 2008). ACPO (2012) explains four principles for handling digital evidence. First, no action by law enforcement agencies, persons employed by those agencies or their agents should change the data. Second, the person handling the original data must be competent, able to explain the relevant evidence, and aware of the implications of their actions. Third, all activities in processing digital evidence should be documented in an audit trail or other record, and an independent third party re-examining those processes should obtain the same result. Fourth, the person in charge of the investigation has full responsibility for ensuring that the law and these principles are followed.
Law enforcement agencies use digital evidence to answer major questions about a crime, including what happened, who interacted with whom, who was responsible, and evaluation of source (Casey, 2010).
There are four steps an investigator usually takes to process digital evidence. The first step is identifying digital information or artifacts that can be used as evidence. To address the challenges and harness the opportunities offered by digital technologies during this crisis, participants shared a concern to recognize and protect digital rights, in particular around the areas of privacy and inclusion (Hariati, 2021). This can be interpreted as internet users in Indonesia belonging to the category of the digital natives group (Gunawan, 2020). The use of digital technology worldwide is increasing, especially since the COVID-19 pandemic in early 2020 (Yugo, 2021). The second step is to collect, preserve, and document the evidence. The third step is to analyze, identify, and organize the evidence, and the last step is verifying the reliability of the proof (Nelson, 2008).
Preparing and planning for a seizure or search is one of the important parts of a computing investigation. Nelson (2008) explains the important things to consider when preparing for a search. An investigator should identify the nature of the case and the type of computing system. It is important to determine the technique and method used to acquire data. An investigator should have in-depth information about the computer, its location and the person in charge of it to make the acquisition process easier. The last step is preparing the team and the tools, and hiring additional technical expertise when needed.
Digital evidence has many forms, for example internet history records, e-mails, messages, media files, documents, instant messaging logs, spreadsheets, and CCTV (ACPO, 2012). Newman (2008) also explains four steps of computer forensic: acquisition, identification, evaluation, and presentation.
An investigator has to ensure the integrity of their digital evidence, which affects the investigative result. They have to deal with the countermeasures to computer forensic, well known as anti-forensic techniques. Kesler (2007), Distefano (2010) and Garfinkel (2007), cited by Azadegan et al. (2012), define anti-forensics as methods and strategies to prevent the digital investigation process or make it fail. There are various anti-forensic tools and techniques, for example data hiding, encryption, artifact wiping, and attacks against computer forensic tools and processes.
Conducting computer or mobile forensic has to address the legal aspects prevailing in the country. Legal regulation sometimes differs from country to country. Sammons (2012) explains that a discussion of digital forensic fundamentals cannot be complete without including the legal issues of the discipline. A digital forensic expert might provide forensic testimony in court. According to Newman (2007), what the digital forensic expert should do in court is present the evidence and describe how it was obtained, stating only facts, not conclusions.
III. Research Method
This section covers the research questions, project aim, objective, and method. The research questions are: (i) what is the best practice for government auditors to conduct computer and mobile forensic, given their authority, so as to minimize an indictment?; (ii) do they have an audit assignment solved by computer and mobile forensic evidence?
The data collection methods are interviews and a case study of an audit assignment that used evidence from computer and mobile forensic. The output of this approach is knowledge of the impact and effectiveness of the computer and mobile forensic approach in conducting audit assignments in BPK.
A Law Enforcement Agency requested BPK RI to calculate the state loss that had occurred in the driving simulator case. The leadership of BPK formed an audit team to fulfill the request.
For this request, BPK RI performed an investigative audit. All of the audit evidence used by the auditors came from the Law Enforcement Agency because the case had entered the prosecution stage under the rules of the criminal system in Indonesia. The focus of the investigative assignment was to calculate the state losses that had already occurred.
In 2011 the Traffic Corps (Korlantas) of the Police conducted the procurement of two-wheeled and four-wheeled driving simulators. The procurement method was a general tender with post-qualification and a knockout system. The contract used was a lump sum. The examination of the procurement of two-wheeled and four-wheeled driving simulators at Korlantas Polri in Fiscal Year 2011 found various irregularities committed by related parties in the processes of budgeting, auctioning, payment, and delivery of goods.
The budgeting process involved prospective bidders, PT CMMA and its subcontractor PT ITI. Data from PT ITI was used as a reference in preparing the two-wheeled and four-wheeled driving simulator procurement budget. PT CMMA and PT ITI were also involved in making the Owner Estimate as well as in the arrangement of shell participants in the auction process. The full payment was then made even though the delivery of the goods had not been fully executed and the partially delivered goods did not meet the technical specifications in the contract. From these irregularities, it is known that the procurement of two-wheeled and four-wheeled driving simulators had been planned from the beginning to be won by certain parties, in this case PT CMMA, with a marked-up contract value.
The state losses resulting from these irregularities amount to Rp121,830,768,863,59, consisting of the markup of contract value amounting to Rp100.342.684.527,28 and state losses due to nonconformity with the technical specifications stipulated in the contract of Rp10.156.636.657,28 for the two-wheeled driving simulator and Rp11.331.447.679,03 for the four-wheeled driving simulator.
IV. Results and Discussion
4.1 Evidence from Digital Forensic
Before the process of choosing the provider of both the R2 and R4 driving simulators, the procurement committee first prepares the procurement plan. The procurement planning documents compiled include the owner-estimated price and the technical specification. They were made by Br. Sukotjo S Bambang as requested by Mr. Budi Susanto, based on the request of Djoko Susilo. The HPS and Spectek related data made by Br. Sukotjo S Bambang were stored on the external hard drive of Br. Sukotjo S Bambang. This is known from the results of the forensic examination of that external hard drive.
This is reinforced by the results of the forensic examination of the external hard drive of Sukotjo S Bambang. The inspection of the external hard disk owned by Mr. Sukotjo S Bambang showed that the price quotes of PT Pond Intan Prima, PT Digo Mitra Slogan, PT Bentina Agung, PT Pharma Kasih Sentosa, and PT Citra Mandiri Metalindo Abadi were prepared by PT ITI.
4.2 The Process of Acquiring the Digital Evidence
All of the digital evidence used for this investigation came from the Law Enforcement Agency. BPK's investigation was to examine the state loss in this case, so all of the evidence came from the Law Enforcement Agency. This differs from other investigations. BPK has two types of investigation: an investigation to reveal an indication of a crime related to state finances, and an investigation to examine state financial losses. Although the evidence came from the Law Enforcement Agency, BPK must verify the reliability and validity of all evidence, including the digital data. The investigative auditor did this by matching the hash values of the hard drive and the imaging file. The next step was then to correlate the digital evidence with the letter of the interview from the Law Enforcement Agency.
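The hash-matching check described above can be sketched as follows. This is an added example, not code from the paper or from BPK's procedures: it streams a received image file, recomputes the digests recorded at acquisition, and returns an audit-trail entry of the kind ACPO's third principle calls for. The file name, examiner label, choice of SHA-1 plus SHA-256 and the record layout are assumptions, and the "image" is constructed sample data.

```python
import hashlib
import hmac
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1024 * 1024  # 1 MiB reads, so a multi-gigabyte image never sits in memory


def hash_image(path, algorithms):
    """Stream the file once; return ({algorithm: hexdigest}, size_in_bytes)."""
    unknown = [a for a in algorithms if a not in hashlib.algorithms_available]
    if not algorithms or unknown:
        raise ValueError(f"no usable hash algorithm given (unknown: {unknown})")
    digests = {a: hashlib.new(a) for a in algorithms}
    size = 0
    with open(path, "rb") as fh:  # read-only: verifying must not change the copy
        while chunk := fh.read(CHUNK):
            size += len(chunk)
            for d in digests.values():
                d.update(chunk)
    return {a: d.hexdigest() for a, d in digests.items()}, size


def verify_image(path, recorded, examiner):
    """Recompute every digest recorded at acquisition and compare.

    `recorded` maps algorithm name -> hex digest copied from the handover
    paperwork. The returned dict is one audit-trail entry (layout assumed).
    """
    computed, size = hash_image(path, list(recorded))
    checks = {}
    for algo, expected in recorded.items():
        expected = expected.strip().lower()
        checks[algo] = {
            "recorded": expected,
            "computed": computed[algo],
            "match": hmac.compare_digest(expected, computed[algo]),
        }
    return {
        "image": os.path.basename(path),
        "size_bytes": size,
        "examiner": examiner,
        "verified_at_utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "checks": checks,
        # Every recorded digest must match; a single mismatch fails the image.
        "verified": all(c["match"] for c in checks.values()),
    }


def demo():
    """Constructed data: a 3 MiB stand-in image, then the same file with one byte changed."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "exhibit-01.dd")  # hypothetical exhibit name
        with open(path, "wb") as fh:
            fh.write(b"CONSTRUCTED SAMPLE SECTOR".ljust(512, b"\x00") * 6144)
        # Stand-in for the digests the acquiring agency wrote down at imaging time.
        recorded, _ = hash_image(path, ["sha1", "sha256"])
        intact = verify_image(path, recorded, examiner="auditor-A")
        with open(path, "r+b") as fh:  # simulate a copy altered after acquisition
            fh.seek(1_000_000)
            fh.write(b"\x01")
        altered = verify_image(path, recorded, examiner="auditor-A")
    return intact, altered


if __name__ == "__main__":
    for record in demo():
        print(json.dumps(record, indent=2))
```

A single changed byte leaves the file size identical but fails both digests, which is why the comparison is made on hash values rather than on size or timestamps.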
4.3 Ethical, Legal, and Professional Issue
There are two questions auditors face when using a computer and mobile forensic approach during their assignment: (i) can an auditor seize the hard drive or other digital evidence storage in the computer and mobile device storage?; (ii) can an auditor borrow the hard drive or other digital evidence storage in the computer and mobile device storage?
The questions arise from the public perception that only law enforcement agencies can seize and analyse computers and mobile devices. Every auditor must gather sufficient audit evidence during their assignment. Audit evidence is the information used by the auditor in determining the conformity of the subject matter with the audit criteria. The auditor has to consider the adequacy and accuracy of the evidence obtained. Audit evidence takes forms such as electronic or physical records of transactions, written or electronic communication with parties outside the audited entity, the auditor's observations, and oral or written information from the parties. The methods used in obtaining evidence can include inspection, observation, inquiry, confirmation, recalculation, analytical procedures, and other techniques.
Three regulations govern BPK's authority in gathering audit evidence: Section 3, Article 10 of Law number 15 2004 about examination on the management and state financial responsibility; Section 2 Article 9 of Law number 15 2006 about The Audit Board of the Republic of Indonesia (BPK); and BPK regulation number 1 2017 about state financial audit standard. Under these regulations, BPK's authorities are to: request documents that must be submitted by officials or other parties related to the implementation of the audit of the management and financial responsibility of the state; access all the data stored in various media, assets, locations and all types of goods or documents in the possession or control of the entity that is the object of examination or of another entity deemed necessary in the implementation of the audit task; seal the storage of money, goods and financial management documents; request information from a person; capture, record or take samples of inspection tools; carry out checks at the places where money and state property are stored, in the implementation of activities, bookkeeping and administration of state finances, as well as examine the calculations, letters, proof, bank statements, accountability, and other lists related to the management of state finances; and define the types of documents, data, and information on the management and financial responsibility of the state which must be submitted to BPK.
BPK has high authority to gather evidence. The issue emerges regarding Section 10 Article 43 of Law number 11 2008, as amended by Law number 19 2016, about information and transaction electronic. This law provides that the Police or other law enforcement agencies, and certain civil servants in the Government whose scope of duties and responsibilities is in the field of Information Technology and Electronic Transactions, have the authority to investigate. A search or seizure of Electronic Systems related to an alleged offense in the field of Information Technology and Electronic Transactions is conducted under the provisions of the criminal procedure law.
Moreover, Section 4 Article 42 of Law number 36 1999 about telecommunication provides that telecom service providers can record information sent or received for the purposes of the criminal justice process and provide the necessary information on a written request of the Attorney General and the Indonesian National Police Chief for certain crimes, and on an investigator's request for certain criminal acts under the applicable law.
BPK is not a law enforcement agency, so it has no authority to seize evidence. BPK also has no power to request Call Detailed Records (CDR) from telecommunication service providers under Law Number 39 1999.
This project interviewed two investigative unit leaders at BPK and two experts from outside BPK who have had several experiences as digital forensic experts in court.
An Investigative Unit Leader at BPK argues that no regulation prohibits auditors at BPK from using the computer and mobile forensic approach to collect audit evidence during their assignment. Moreover, any evidence obtained by the computer and mobile forensic approach functions as a clue for the auditor, who has to check its validity and confirm it with any related person when holding an interview. In addition, the Head of Sub-Directorate Local State Investigation, Investigative Audit Unit at BPK argues that BPK has the right to conduct computer and mobile forensic under the authority of BPK based on article 9 of Law number 15 2006.
The research also interviewed two digital forensic experts in Indonesia. Both have much experience as digital forensic experts in court in criminal cases. The main focus of the interviews with both experts was the authority of BPK to conduct computer and mobile forensic. The strength of digital evidence found by BPK investigative auditors was the other purpose. The results of the interviews with both experts are:
The Head of Sub-Directorate Investigation and Prosecution, Directorate Information Security, Ministry of Communication and Information argues that audit evidence collected by BPK auditors is not collected in the process of law enforcement. BPK has no authority to seize a computer or mobile phone, so it cannot do a forensic examination. However, a BPK auditor can perform either computer or mobile forensic if the person or organisation that is the audit object permits the auditor to analyze their computer and mobile phone. The information found by the auditor cannot be used as electronic evidence in court. They can report it to the Police or another law enforcement agency for re-examination; otherwise it is used as a reference, not as electronic evidence.
The Head of Sub-Directorate Computer Forensic, Forensic Laboratory Centre, Indonesian Police argues that authority means legality. Authority is regulated in Indonesian law and other regulations, which are inherent and must be obeyed by all citizens. If BPK has a law or other regulation which gives it authority to carry out computer and mobile forensic examination of the person who is audited, that could be enough for conducting this technique. If not, BPK should propose that lawmakers create a regulation giving BPK the power to conduct computer and mobile forensic. If the person or organisation that is the audit object permits the auditor to analyze their computer and mobile phone, this will be legally valid as long as both parties, the person who owns the computer and mobile phone and the BPK auditor, sign minutes of approval with a stamp.
Indonesia uses a civil law system. It has five accepted kinds of evidence. The decision that somebody is wrong or right is based on at least two accepted kinds of evidence and the belief of the judges. Digital evidence found by a BPK auditor can be either documentary evidence or clue evidence, depending on how it is treated. If they inform the Police to re-examine the evidence, it will be documentary evidence. Otherwise, it will only be clue evidence. A document is better than a clue for convincing the judge to give a criminal decision. This is the reason why the Police or another Law Enforcement Agency should re-examine the digital evidence found by the auditor.
An investigative audit leader in BPK explained that BPK still has professional issues to solve in the computer and mobile forensic approach: computer and mobile forensic tools are limited, and only a few auditors have skills in this field. Furthermore, the training for computer and mobile forensic is also insufficient. Given current technological developments, BPK is expected to have adequate facilities and infrastructure, as well as sufficient resources, to develop computer and mobile forensic approaches in conducting audit assignments. The need for computer and mobile forensic approaches is urgent because at the moment almost all of the audit objects are using computer technology.
BPK has the authority to request documents that must be submitted by officials or other parties and to access all the data stored in various media, assets, locations and all types of goods or documents in the possession or control of the entity that was the object of.
However, BPK does not have the authority to seize a computer or mobile phone. Taking the evidence and storing it in a safe place without any contamination from other people is one of the most important things in computer and mobile forensic. A BPK auditor can perform either computer or mobile forensic if the person or organisation that is the audit object permits the auditor to analyze their computer and mobile phone. The information found by the auditor cannot be used as electronic evidence in court. They can report it to the Police or another law enforcement agency for re-examination. If not, the evidence only functions as a reference, not as electronic evidence.
V. Conclusion
The computer and mobile forensic approach is a clear requirement for investigative auditors in BPK. BPK has the authority to conduct investigative audits either to reveal an indication of a crime or to examine state financial losses. The project explores the current computer and mobile forensic approach used by auditors in BPK to gather audit evidence. The strengths and weaknesses of the current computer and mobile forensic implementation, followed by recommendations for future enhancement, are the other area explored in this research. A real investigation case that used digital evidence is also explored in this research. The legal aspect of digital forensic and what a digital forensic expert should do in court are reviewed in the rest of the literature review.
Interviews and a case study are the two techniques used for collecting the data. Two Investigative Unit Leaders in BPK and two experts from the Indonesian Police and the Ministry of Telecommunication who have had several experiences as digital forensic experts in court are the subjects of this research. The investigation on calculating state financial losses in the driving simulator case is the object of the third procedure of this investigation.
The Investigative Audit Unit in BPK has already used digital electronic as evidence in its assignments. Investigative auditors in BPK have already used many types of digital data as audit evidence. They recorded detailed and clear information about the digital electronic they used as audit evidence. However, BPK is not a law enforcement agency, so it has limited authority to handle digital evidence. Most of the audit evidence was stored in FAT and NTFS file systems and came from removable media such as flash drives and hard drives used with the Windows Operating System; little evidence came from Linux and Nuix. BPK has sufficient computer and mobile forensic tools to help its auditors analyze the digital evidence.
Recommendations
It is clear that BPK needs to develop the computer and mobile forensic approach, especially for its investigative audits. This technique is useful for collecting audit evidence. The challenge arises because BPK's employees come from multi-discipline backgrounds, predominantly accounting graduates, so their knowledge of computer science is limited. Several recommendations are therefore made to improve the implementation of computer and mobile forensic techniques in BPK:
1. Organize computer and mobile forensic training. Knowledge of computer and mobile forensic techniques needs to improve not only for investigative auditors but also for all auditors outside the Investigative Audit Unit. Some criminal case assignments come from the findings of financial audits and performance audits, which is why they need computer and mobile forensic knowledge.
Continuity of training is necessary because perpetrators are likely improving their anti-forensic techniques and information technology is growing rapidly, with a new technology born even every second.
2. Produce guidance on computer and mobile forensic techniques for auditors. It is essential for BPK to create this guideline soon to maintain and possibly improve the quality of the audit result.
References
ACPO. (2012). Good practice guide for computer-based electronic evidence version 4.0. United Kingdom: Police Central e-crime Unit.
Azadegan, S., Yu, W., Liu, H., Sistani, M., Acharya, S. (2012). Novel anti-forensics approaches for smart phones. Towson: Towson University.
BPK regulation number 1 2017 about state financial audit standard.
Carrier, B. 2005. File system forensic analysis. New Jersey: Pearson Education, Inc.
Casey, E. 2010. Handbook of digital forensics and investigation. California: Elsevier.
Gunawan, G.G., and Sulaeman, M. (2020). Determining Factors in the Use of Digital Marketing and Its Effect on Marketing Performance in the Creative Industries in Tasikmalaya. Budapest International Research and Critics Institute-Journal (BIRCI-Journal) Vol 3 (3): 2543-2550.
Hariati, P. (2021). Implementation of Digital Literacy toward Pandemic Situation. Budapest International Research and Critics Institute-Journal (BIRCI-Journal) Vol 4 (2): 2920-2926.
Indonesian Law number 36, 1999 about telecommunication: Section 4, Article 42.
Indonesian Law number 15 2004 about examination on the management and state financial responsibility: Section 3, Article 10.
Indonesian Law number 15 2006 about The Audit Board of the Republic of Indonesia (BPK): Section 2 Article 9.
Indonesian Law number 11 2008 which being amended by Law number 19 2016 about information and transaction electronic: Section 10, Article 43.
Nelson, B., Phillips, A., Enfinger, F., Steuart, C. 2008. Guide to computer forensics and investigation. Massachusetts: Course Technology Thomson Learning, Inc.
Newman, Robert C. 2007. Computer forensic evidence collection and management. Florida: Taylor & Francis Group, LLC.
Sammons, J. 2012. The basics of digital forensics: The primer for getting started in digital forensics. Massachusetts: Elsevier
Yugo, V.R.S., Juanda, B., and Anggraeni, L. (2021). Does Digital Readiness Affect Economic Growth?. Budapest International Research and Critics Institute-Journal (BIRCI-Journal) Vol 4 (4): 7735-7746.