Author Archive for Maragell

Vote for Maragell as Best Computer Forensics Expert and Best Investigator in the NJ Law Journal’s “Best of” Survey 2018

Dear Friends,

The 2018 New Jersey Law Journal “Best of” Voting has begun!

If we delivered exceptional service and results to you and your clients this year, we would greatly appreciate your vote in the following four categories:

  • Best Private Investigator
  • Best Expert–Technology/Computer Forensics
  • Best Corporate Investigations Provider
  • Best End-to-End eDiscovery Provider

You will find our listings at Questions 8, 16, 51 and 79.

Please circulate this email to your fellow attorneys and legal support staff (tech support, paralegals, admin assistants)—they are all eligible to vote!!

If you did not already receive a link directly from the New Jersey Law Journal, you can use this one:

https://www.surveymonkey.com/r/BestofNJLJ2018

On behalf of our entire staff, I thank you for your past business and look forward to supporting you in the future.

Jeff

Jeffrey Brenner, Esq., NJLPI

SJ Magazine Top Attorney Night

Maragell, LLC was once again proud to sponsor the 2017 winners of the SJ Magazine Top Attorneys Awards. Congratulations to all the honorees, especially those who have been loyal clients of our firm (and there are a lot of you). We are thrilled to see the public recognizes you as the best in your respective fields—but we’ve known that for a while!

See the photojournal here: https://sjmagazine.net/party-pics/sj-magazine-top-attorney-night

The New Jersey Private Investigators Association Supports NJAJ

Maragell’s Managing Principal Jeffrey Brenner and fellow southern New Jersey private investigator Jeffrey Friedman of Axe Investigations get ready to greet the lawyers at this year’s New Jersey Association for Justice Boardwalk Seminar. Hundreds of attorneys attended the multi-day continuing legal education programs and spent time learning about the many vendors who support the legal profession in all that they do. The NJ Licensed Private Investigators Association was on hand to answer questions about skip tracing, tracking devices, covert audio and video capture, as well as computer forensics and anti-fraud techniques.

Litigation Goldmine: Employee Internet History – More than just Facebook

When it comes to data breach activity, companies should be examining the Internet activity of their own employees—it is more than just Facebook and ESPN News. In two of our most recent cases, based on the Internet history alone, we discovered one employee was logging into the webmail accounts of the CEO and CFO (and using the financial information contained therein to negotiate a bigger raise for himself), and another, an IT administrator, had copied thousands of files to a thumb drive before he resigned and then ran Google searches on how to destroy key operating system files on his company laptop to hide the activity.

In both cases, the employees thought they had hidden their tracks by deleting their recent browsing history. But a computer’s operating system records the URL addresses of the websites visited in separate files, and other operating system files record images of those sites; using forensic tools, these disparate files were extracted, combined, and displayed visually, and the story of their activity was revealed. One case ended with the employee being terminated, the other with the IT administrator haled into federal court after he surfaced at a competing firm.

While most forensic experts identify the information as the computer’s “Internet history,” it is much more than just a compendium of web addresses. Because a number of Windows Explorer system files act in the same fashion as the Internet browser system files, when the “history” is extracted, information such as which files were viewed on a thumb drive or where the user went on the company server can often be determined. This user activity is betrayed by the creation of link files, which are formed when a user inserts a USB device into the computer and opens a document from it or uses Windows Explorer to navigate to a location on the server. If an employee is suspected of stealing a customer list or other confidential or proprietary information, but the USB device is not available for inspection, the Internet history might seal his/her fate.

The history will also provide evidence of online document storage sites like Dropbox and Google Drive, and data backup sites such as Carbonite and Mozy. Whenever company file access activity on the employee’s computer matches that of visits to these categories of websites, it is best practice for counsel to issue preservation letters and/or subpoenas to prevent the information from becoming lost.

More sophisticated forensic software can also rebuild cached images of webpages and webmail messages just as the user saw them. Because webmail does not reside on the local hard drive, the only evidence that an employee was communicating with others about potentially unlawful activity or sending company documents to a personal email account might come from an examination of email fragments recovered from the Internet history.

Practice Point: The immediate preservation of a suspect computer should be the top priority for any in-house counsel, litigation counsel, Human Resources Professional or IT administrator. Electronic evidence is ephemeral and can be destroyed through the normal use of the computer. Permitting even the weekly updates by Microsoft to be installed can destroy essential evidence needed to prove a case. In short, to maximize the amount of available evidence in cases like those described above, the computer should be turned off and secured in a location where it cannot be accessed until a forensic bit-by-bit mirror image of its hard drive is created. If the subject of the investigation is suspected of downloading or actively running malware in an effort to harm the company (such as Cryptowall or other ransomware), the computer should be left running, but its power cord or battery removed (to keep its RAM intact for analysis).

Three Reasons Why You Need a Digital Forensics & Incident Response Team on Retainer
Every company, regardless of its size or industry, handles and stores personal, confidential, and proprietary data, and cyber thieves want it all. That is why every business that has a computer network must take steps to harden it against the scourge of malicious activity plaguing the business community today and be ready to react when the attacker strikes. But despite the headlines, too many businesses still feel they are not a target, and many more are unprepared for when they become one.

Digital Forensics & Incident Response (“DFIR”) is a multi-disciplinary approach to addressing and managing both the preparations for, and aftermath of, an information technology security incident. It often includes in-house IT staff, representatives from management (C-suite, HR), outside cybersecurity consultants, public relations, and legal counsel.

From a technical perspective, the primary goals of a DFIR plan are to (A) rapidly mitigate any ongoing (i) data loss, theft, corruption, and/or unauthorized access, and (ii) damage to software and/or hardware, (B) preserve evidence for future analysis/investigation, and (C) reduce recovery time and costs.

Three reasons why you need to have a DFIR team on retainer NOW

1. In the Fog of War, your situational awareness is impaired, and when faced with an unfamiliar situation you will often make mistakes that are fatal to the preservation of the evidence you will need later and fatal to your safely recovering from the attack.

2. Your IT systems are too complex to learn “on the fly.” By the time you learn you are under attack, your attacker has likely had a 260-day head start. To determine what the attacker has already done and what has already been accessed, Incident Responders need to analyze the access logs, system configurations, file metadata records, and virtual memory for evidence. Time spent learning how your systems are connected, who has access and who should not, where your data is stored, and determining what log information is even available is time that could be better spent containing the threat and collecting and preserving known forensic artifacts.

3. Time is of the essence, and your reputation is on the line. Breach notification laws in 48 states require rapid responses. Encrypted servers require time to triage and/or be replaced. Viruses and malware are now self-replicating, further infecting your systems and those connected to yours. The moment your servers are encrypted, or clients are calling to ask why their information is on the Web, is not the time to start assembling a DFIR team.

Three Solutions to Address the Problem:

Traditional IR – A reactive, cost-effective approach in which the Incident Responders (who have already been retained and have familiarized themselves with the client’s systems) are notified about an incident, briefed on its details, and work backwards to reconstruct the events leading to it. Using digital forensics tools and investigative techniques, the team seeks to determine the root cause of the incident and its aftermath. Response can begin within 24 hours.

Threat Hunting – A proactive approach that involves the installation of sensors on the client’s workstations and servers before an attack occurs. Routinely searching the data generated by the sensors to detect, isolate, and remove advanced threats that manage to bypass existing traditional anti-virus software and other security measures keeps the dwell time to a minimum. And even if an attacker manages to burrow deep into the system, the threat hunting software records all file modifications, network connections, registry modifications, file executions, processes, and system services on a 24/7/365 basis. In short, the technology provides visibility into the activity taking place on the client’s workstations and servers. This often results in the Incident Response team notifying a client of an incident before it is detected by the client, and provides an audit trail for the investigators.

Hybrid IR – A cost-saving approach which blends the forensic investigation techniques of Traditional IR with the “hindsight” use of the Threat Hunting technology. If there is an incident, once notified, the DFIR team can use the historical data from the system surveillance software to help resolve the incident and identify the root cause. The difference is that the data collected by the monitoring software is not being actively reviewed and analyzed for threats.

For more information about building your DFIR plan, contact Jeff Brenner at jbrenner@maragell.com or 856 429 0325 x223.

ESI Spoliation is as easy as 1-2-3

If you think spoliation of electronic evidence is only caused by careless lawyers, think again. It only takes a click of a mouse, or the insertion of a USB device for you to destroy what could be the most important fact in your client’s case. Case law considers even negligent destruction a basis for a spoliation claim. See Sampson v. City of Cambridge, Md., 251 F.R.D. 172, 179 (D. Md. 2008). Couple that with recently amended FRCP 37(e) which provides a federal court with a means to sanction a party for its failure to take reasonable steps to preserve relevant electronic evidence, and you have cause for many a sleepless night.

In a case involving stolen computer files, the dates and times when those files were copied off a device, and the date and time they were copied onto another (or when they were last accessed or viewed) can mean the difference between inculpation and exculpation.

Consider these fact patterns:

1. “My client may have emailed those confidential documents to herself, but she saved them on her computer only because she was told she might need to work at home to get the project done. She never looked at them again.” Upon a forensic examination of the laptop, the “last accessed” dates for all the company documents she saved to her computer match the date she met with the attorney. Why? Because the attorney wanted to review them before responding to the prior employer’s demand notice/lawsuit. Counsel’s ability to credibly argue her client never looked at the files after she saved them years ago just got harder.

2. Same case, but instead of files on a laptop, the files are on a thumb drive. “My client may have copied them onto a thumb drive, but she swears she never copied them elsewhere.” Upon a forensic examination of the thumb drive, all the “last accessed” dates were changed to the date the client met with the attorney. Why? Because the attorney inserted the thumb drive into her computer and copied them to the server to review them before producing them to the other side. Counsel’s ability to credibly argue her client never copied them elsewhere just got harder.

3. Same case, but instead of saving files to a personal laptop, the client deleted her personal files from the company laptop. “My client only deleted her pictures and personal documents prior to returning the company-issued laptop to HR.” Upon a forensic examination of the laptop, it is determined that on three separate days leading up to the employee’s departure, a file wiping program was used to permanently destroy a host of files—all that was left was a pattern of 1’s and 0’s over wide sections of the hard drive. Counsel’s ability to credibly argue her client didn’t take any company records before destroying “only her personal files” just got harder because it cannot be determined what files were deleted.

Practice Points: Preservation of metadata can be achieved through the use of free write-blocking software that can be installed on a computer, as well as by changing the USB settings on the computer. Doing so will enable the user to freely examine data on the devices without the risk of changing “last accessed” dates and other metadata fields that could prove useful. Metadata can also be preserved through the use of forensic imaging hardware and software tools (which require specialized training), and imaging can be targeted to the specific files at issue or to the entire hard drive. In light of Rule of Professional Conduct 1.1, Competence, and the ease with which data can be lost, altered, and destroyed, it is incumbent upon counsel to rely upon forensic specialists for guidance whenever electronic evidence is involved.

Obtaining Data From Cell Phones

With the arrival of the smartphone, the tools people use to communicate with each other have become as diversified as the number of cell phone makes and models. And that can pose a problem for your case. Previously, you could hire a detective to follow a suspect to determine where and with whom (s)he was going/communicating. Now, many of those interactions occur via cell phones, including emails, texts, photos, social media posts, instant messaging threads within phone apps, and, of course, phone calls. The evidence from Facebook, Twitter, Instagram, call logs, and text messages, can, in some cases, objectively prove or disprove your client’s credibility and truthfulness. However, with this shift in communications from the physical to the virtual comes new challenges in evidence collection.

Depending on the type of phone (iPhone, Android, Blackberry), the data you seek might be stored on the phone itself, with the carrier, or with the phone app developer. Furthermore, preserving the data (wherever it may be) will depend on its status, viz. active or deleted. These three factors (make/model, data sought, status) will determine what your digital forensics expert can do for you when it comes time to gather the evidence.

There are two principal methods to obtain data from a cell phone in a forensically sound manner: a logical image and a physical image.

A logical image obtains data from the phone that is accessible through the phone’s file system. You can think of this as the active data, such as call logs, text messages, pictures, GPS location history, instant message threads, etc. A physical image differs from a logical image in that the forensic software targets the physical storage medium directly (the SD card and built-in memory). A physical image will capture active data and may also recover data that was previously deleted from the phone. Ideally, the examiner should create a logical image first and then attempt to create a physical image (if deleted content is at issue). This order matters because obtaining a physical image entails more invasive work and could render the device unusable.

It is important to identify the make and model of the cell phone to your expert up front so it can be determined whether any one or more of the forensic software suites commonly used by experts can create a logical and/or physical image of the device. New phones, and some much older models, are not capable of being imaged at all, while others can only be imaged logically. The level of security in each model will often determine its forensic-friendliness. In some cases, regardless of which method is used, email data may not be capable of being extracted from the phone even though it appears on it—logging in to the user’s email account may be the only way to preserve such data.

For smartphones, it is important to know where deleted data sets reside. For example, cell phones running the Android Operating System (OS) store text messages in a database file named “mmssms.db.” Apple iPhones store text messages in a database file named “sms.db.” Depending on the type of acquisition (logical or physical) and the forensic software used, deleted text messages may still reside in the database file itself or within the cell phone’s unallocated/deleted spaces. If a deleted text message is not found in either location, it is possible the client created a backup on his/her computer and/or online that could contain the missing text. For other phone apps, the deleted data may be retained within the application’s database until purged, or it may never have resided on the phone other than in temporary memory until the message was posted/deleted via the application’s cloud site.
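The paragraph above says a deleted text may still sit inside the database file until it is purged. As an added example (not Maragell's code, and not a real phone database), the script below builds a constructed, simplified stand-in for Android's mmssms.db, deletes one message, and checks whether the text can still be carved out of the raw file at each stage; it assumes the phone's SQLite was not built to zero-fill freed space, which is what the secure_delete flag controls.

```python
# Added example (not Maragell's code): a constructed, simplified stand-in for an
# Android mmssms.db (table "sms", column "body") showing why a deleted text can
# often still be carved out of the database file itself, and what removes it.
import os
import sqlite3
import tempfile

# Constructed sample messages. The marker string appears only in row data, never
# in the schema, so a hit in the raw file bytes means the deleted row survives.
MESSAGES = [
    ("+15550100", 1700000000000, "Lunch at noon?"),
    ("+15550199", 1700000060000, "CONSTRUCTED-secret-msg-7781 send me the client list"),
    ("+15550100", 1700000120000, "Sure, see you then"),
]
NEEDLE = b"CONSTRUCTED-secret-msg-7781"


def raw_file_contains(db_path: str, needle: bytes) -> bool:
    """Naive carving: scan the file bytes, ignoring SQLite's page structure."""
    with open(db_path, "rb") as fh:
        return needle in fh.read()


def live_rows(db_path: str) -> int:
    """Rows the messaging app (or a logical extraction) would still report."""
    conn = sqlite3.connect(db_path)
    try:
        return conn.execute("SELECT COUNT(*) FROM sms").fetchone()[0]
    finally:
        conn.close()


def simulate(secure_delete: bool) -> dict:
    """Build the db, delete the sensitive text, VACUUM; report carvability per stage."""
    mode = "ON" if secure_delete else "OFF"
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "mmssms.db")  # constructed copy of the Android name
        # isolation_level=None puts the connection in autocommit, so every statement
        # reaches the file before we scan it.
        conn = sqlite3.connect(path, isolation_level=None)
        conn.execute("CREATE TABLE sms (_id INTEGER PRIMARY KEY, address TEXT, "
                     "date INTEGER, body TEXT)")
        conn.executemany("INSERT INTO sms (address, date, body) VALUES (?, ?, ?)",
                         MESSAGES)
        conn.close()
        stages = {"after_insert": raw_file_contains(path, NEEDLE)}

        conn = sqlite3.connect(path, isolation_level=None)
        # secure_delete=ON zero-fills freed cells; OFF leaves the old bytes in the
        # page's free space, which is exactly what carving recovers.
        conn.execute(f"PRAGMA secure_delete = {mode}")
        conn.execute("DELETE FROM sms WHERE body LIKE '%secret-msg%'")
        conn.close()
        stages["live_rows_after_delete"] = live_rows(path)
        stages["after_delete"] = raw_file_contains(path, NEEDLE)

        conn = sqlite3.connect(path, isolation_level=None)
        conn.execute("VACUUM")  # rebuilds the file from live rows only: the purge
        conn.close()
        stages["after_vacuum"] = raw_file_contains(path, NEEDLE)
    return stages


if __name__ == "__main__":
    for flag in (False, True):
        print(f"secure_delete={'ON' if flag else 'OFF'}:", simulate(flag))
```

The app reports two rows either way; only the raw-file scan shows the difference between a database that still holds the deleted text and one that has been purged, which is why the physical (not logical) route and speed both matter.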

Practice Pointers: Before calling a digital forensics expert: (1) get the make/model of the phone involved (including the password and storage capacity), (2) determine what you are looking for—active or deleted data, and the type of data, i.e., call logs, emails, instant messages, GPS locations, (3) confirm whether there is a local backup, and (4) move quickly, especially if deleted data is at issue—the more the phone is used, the greater the likelihood the text/photo/voice message will be overwritten and lost forever. For more information, please contact Maragell, LLC at info@maragell.com or by phone: 856.429.0325.

93.3 WMMR Rocks with Maragell

Listen to our own Deb Ferguson on 93.3 WMMR as she tells the Delaware Valley why she’s “Not Your Average Listener!”

Fighting CEO Fraud with Cybersecurity Training

Corporate Spear Phishing on the Rise

Now that people are no longer fooled by emails seeking help from friends stranded overseas or mugged in New York, scammers are looking for new ways to separate you from your money. And this time, they are thinking big—C-Suite big. The FBI estimated that from October 2013 through December 2014, companies lost a total of $1.2 billion to CEO Fraud. The FBI blames inadequate internal security measures as the number one reason for these losses.

In one instance, the director of accounting for a company in Texas wired $480,000 to an account in China because he received an email from the “CEO” directing him to do it. However, it was an individual posing as the CEO. The scammer had hacked into the company’s server and spent months learning how the company worked and the relationship between the CEO and the director of accounting. He then emailed the director of accounting and made what appeared to be a normal request in the ordinary course of its business. But for the scammer’s audacious request for $18 million to be wired to the same account a few weeks later, it might have continued unnoticed.

In another case, a magazine publisher lost $1.5 million. The accounting executive of the company sent the wire based on an email from the “CEO,” but prior to sending the second requested transfer, he asked the CEO if he had truly made the request, only to find that he did not.

Because these scams are targeted (known as spear phishing), they appear to come from trusted individuals, contain requests that appear normal, and are often not caught by spam filters because they are not mass-mailed.

In addition to the standard internal control features for wire transfers that can and should be implemented, below are three practice pointers to help prevent this from happening to you and mitigate the loss if it does.

Training

Employees need to be trained in the ways in which scammers operate. Typically these scammers will purchase a list of email addresses from the Dark Web and begin sending phishing emails containing malicious attachments (or links to infected websites) to hundreds of addresses. Once an unsuspecting employee opens the attachment (or clicks on the link) and the malware is installed, the scammer has access to the company’s network (at least as far as that employee’s computer can see into it). Depending on the level of access, the scammer may move on if nothing can be exploited, or dig in if the computer has access to company data, emails, etc. Once the scammer decides to act, he may wait until the CEO/executive is away from the office, or simply alter the email address slightly to trick the non-observant receiver. For instance, jsmith@american.com may become jsmith@amer1can.com.

Proper training to prevent these issues includes instructing employees not to open email attachments from a sender the employee does not know or recognize. In addition, employees need to be instructed to look for variations in email addresses when being asked to complete tasks that are critical to the company’s business, such as releasing sensitive data, giving access to portions of the company server reserved for departments other than the requesting party, and, most importantly, giving out the company’s money!
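Looking for “variations in email addresses” is something the mail gateway can do for the employee too. As an added example (not Maragell's code), the script below flags a From: address whose domain is a near-miss of a trusted one, covering the jsmith@amer1can.com trick above and, going a little beyond it, one-character typos, a trusted domain buried as a subdomain, and a trusted address shown only in the display name; the trusted-domain list and sample headers are constructed for illustration.

```python
# Added example (not Maragell's code): flag From: addresses whose domain is a
# near-miss of a trusted one, such as jsmith@american.com -> jsmith@amer1can.com.
# The trusted list and the sample headers below are constructed for illustration.
import re

TRUSTED_DOMAINS = ("american.com", "maragell.com")  # constructed allow-list

# Substitutions that look alike on screen, folded to one canonical form on both
# sides before comparing (multi-character pairs first so "rn" becomes "m").
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("cl", "d"), ("0", "o"), ("1", "l"),
               ("i", "l"), ("|", "l"), ("3", "e"), ("5", "s"), ("7", "t"), ("8", "b")]


def skeleton(domain: str) -> str:
    """Fold look-alike characters so amer1can.com and american.com compare equal."""
    s = domain.lower()
    for src, dst in CONFUSABLES:
        s = s.replace(src, dst)
    return s


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; catches one-character typosquats like americam.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def parse_from(header: str):
    """Split a From: header value into (display name, actual address)."""
    m = re.match(r'\s*(.*?)\s*<([^<>]+)>\s*$', header)
    if m:
        return m.group(1).strip('" '), m.group(2).strip()
    return "", header.strip()


def classify(from_header: str) -> str:
    """Return 'trusted', 'unrelated', or a 'suspicious: ...' reason worth a phone call."""
    name, addr = parse_from(from_header)
    domain = addr.rpartition("@")[2].lower()
    if domain in TRUSTED_DOMAINS:
        return "trusted"
    for trusted in TRUSTED_DOMAINS:
        # A trusted address shown only in the display name, with a different real sender
        if ("@" + trusted) in name.lower():
            return f"suspicious: display name shows {trusted} but mail comes from {domain}"
        # The trusted name used as a leading label of a longer, unrelated domain
        if domain.startswith(trusted + "."):
            return f"suspicious: {trusted} used as a subdomain of {domain}"
        if skeleton(domain) == skeleton(trusted):
            return f"suspicious: character substitution look-alike of {trusted}"
        if edit_distance(domain, trusted) <= 1:
            return f"suspicious: one edit away from {trusted}"
    return "unrelated"


if __name__ == "__main__":
    for hdr in ("Jane Smith <jsmith@american.com>", "jsmith@amer1can.com",
                "John <ceo@americam.com>", '"ceo@american.com" <ceo@mailbox.net>',
                "CEO <ceo@american.com.secure-login.net>", "newsletter@example.org"):
        print(f"{hdr!r:50} -> {classify(hdr)}")
```

A “suspicious” result is a prompt to verify the request by phone, not proof of fraud; legitimate partners with genuinely similar domains will trip it too, which is the point of a human check on money movements.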

Many firms provide on-site and online training.

Cyber Security

Cyber security in the corporate world has become a yeoman’s task. As it pertains to CEO fraud, there are two primary fixes. The first is to mandate that company email accounts use two-factor verification. If the CEO’s account is accessed from anywhere that is not a recognized, secure location, as designated by the user, a second verification method would need to be entered (either a code sent via text to the CEO’s phone or a pre-printed verification code). This prevents a scammer from logging in from Starbucks. The second is to institute an internal control requiring more than one person’s authorization for money transfers or expenditures. Whether it be a wire transfer, check, debit, or other material financial transaction, the approval process should involve two individuals who are privy to the request, purpose, and related specifications.

Insurance Protection

Even the most vigilant company will still find itself a victim. Traditional insurance policies contain some coverage for fraud protection, but as recent cases have shown (AF Global Corp. v. Federal Insurance Company), they do not include this new type of fraud. Some policies will only pay a claim if the fraud was the result of a traditional negotiable financial instrument having been fraudulently forged or stolen, such as check fraud. Therefore, it is important to review your policies and work with your insurance company to obtain a policy that includes coverage for monetary losses incurred through an electronic breach.

If you do have such coverage, your insurance company will need to follow the evidence to learn how the fraud took place. Therefore, it is important to direct employees not to delete the emails related to the fraud. These emails can be examined forensically to help support your claim.

For more information relating to training, prevention, and investigation, contact the experts at Maragell at info@maragell.com.

Maragell Voted Best Computer Forensic Expert for Third Year in a Row and Best Investigators for 2016

For three years in a row, Maragell Corporate Investigations was voted one of the Best Computer Forensic Experts in the region by the readers of the New Jersey Law Journal. AND, for the second time, we were voted one of the Best Investigators!

On behalf of our entire staff, thank you to all our law firm clients who voted for us and who, year after year, allow us to help them become the smartest attorneys in the room when it comes to electronic-based evidence.