Data Spoliation – Uncovering the Cover-Up

Concerned your adversary’s client altered a document and deleted the original? Worried your own client deleted key evidence from his computer before turning it over for inspection? Years ago, when a user hit “delete” it didn’t always mean “delete,” and forensic examiners were quick to amaze litigants with their ability to reclaim the information. With improved hard drive technology and increased operating system security (combined with full disk encryption), today delete can really mean delete. Or does it? Enter the forensic artifact.
Just as the human brain tells the muscles in the arm to curl, a computer’s operating system tells the device what to do when a thumb drive is inserted, how to display a webpage, or when a file is deleted. These types of commands/instructions, among thousands of others, are routinely recorded and stored by the computer’s operating system. By studying these items, a forensic examiner can often recreate the user’s activities on the computer, including the spoliation of information.

By way of example, a user can remove a file from a computer by simply deleting it. Doing so “sends” the file to the Recycle Bin. This action creates a host of forensic artifacts depending on the (Windows) operating system of the computer (Mac computers have different artifacts). These artifacts can reveal when the file was sent to the Recycle Bin, the original location of the file on the computer, its original size, and the user profile involved.

The file remains in the Recycle Bin until either the user restores the file (either by undoing the deletion or simply dragging it out) or removes it (by deleting the contents of the entire Recycle Bin or selectively deleting the one file). Deleting the deleted file from the Recycle Bin “sends” it to the unallocated/deleted space of the computer. If the drive is an older one, this space may contain the “permanently” deleted data until the data is overwritten by new files created on the computer or until a cleanup process is performed. Until the data is overwritten, keyword searches and forensic file recovery software can be used to locate and/or reclaim the information. If the drive is new (solid state drive or a virtual machine), the file itself is likely unrecoverable.
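The Recycle Bin artifacts described above can be read directly from disk. The following is an added example, not code from the original article or from Maragell: a parser for the $I record that Windows writes beside each recycled file under C:\$Recycle.Bin\<user SID>\ (the matching $R file holds the content). The record, SID and paths below are constructed for the demonstration, not taken from a real system.

```python
import struct
from datetime import datetime, timedelta, timezone
from pathlib import PureWindowsPath

# Windows FILETIME: 100 ns ticks since 1601-01-01 UTC
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_dt(ft: int) -> datetime:
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def dt_to_filetime(dt: datetime) -> int:
    return ((dt - EPOCH_1601) // timedelta(microseconds=1)) * 10


def parse_dollar_i(data: bytes) -> dict:
    """Decode a $I record (the metadata half of a Recycle Bin entry).

    Version 1 (Vista through 8.1): 8-byte version, 8-byte original size,
    8-byte FILETIME of deletion, then a fixed 520-byte UTF-16LE path.
    Version 2 (Windows 10): a 4-byte character count precedes a
    variable-length UTF-16LE path instead of the fixed buffer.
    """
    version, size, deleted_ft = struct.unpack_from("<QQQ", data, 0)
    if version == 1:
        path = data[24:24 + 520].decode("utf-16-le").split("\x00", 1)[0]
    elif version == 2:
        (nchars,) = struct.unpack_from("<I", data, 24)
        path = data[28:28 + nchars * 2].decode("utf-16-le").rstrip("\x00")
    else:
        raise ValueError(f"unsupported $I version {version}")
    return {
        "version": version,
        "original_path": path,        # where the file lived before deletion
        "original_size": size,        # bytes
        "deleted_at": filetime_to_dt(deleted_ft),
    }


def describe_recycle_entry(i_file: str, data: bytes) -> dict:
    """Add what the $I file's own location reveals: the owning user's SID
    (the folder name) and the $R file that holds the deleted content."""
    p = PureWindowsPath(i_file)   # C:\$Recycle.Bin\<SID>\$I<6 chars>.<ext>
    rec = parse_dollar_i(data)
    rec["user_sid"] = p.parent.name
    rec["content_file"] = str(p.with_name("$R" + p.name[2:]))
    return rec


def build_sample_dollar_i(version: int, path: str, size: int,
                          deleted_at: datetime) -> bytes:
    """Constructed test data, not a record copied from a real system."""
    head = struct.pack("<QQQ", version, size, dt_to_filetime(deleted_at))
    encoded = path.encode("utf-16-le") + b"\x00\x00"
    if version == 1:
        return head + encoded.ljust(520, b"\x00")
    return head + struct.pack("<I", len(path) + 1) + encoded


# Constructed sample: a Windows 10 $I record for a document sent to the bin.
SAMPLE_I_FILE = (r"C:\$Recycle.Bin"
                 r"\S-1-5-21-1111111111-2222222222-3333333333-1001\$IQ7K2M9.docx")
SAMPLE_I_DATA = build_sample_dollar_i(
    2, r"C:\Users\jdoe\Documents\Merger_Term_Sheet.docx", 48213,
    datetime(2018, 6, 5, 14, 22, 31, tzinfo=timezone.utc))

if __name__ == "__main__":
    for key, value in describe_recycle_entry(SAMPLE_I_FILE, SAMPLE_I_DATA).items():
        print(f"{key:14} {value}")
```

Emptying the Recycle Bin removes the $I/$R pair, so the record itself may then only survive in unallocated space or a Shadow Copy.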

But what if the custodian were to wipe the relevant files from the computer instead of just deleting them? When a person wipes a file using a software program such as Eraser, Window Washer, or PC Cleaner, generally four actions will occur: the software will rename the original file, it will overwrite the original file’s data, it may change the timestamps of the original file, and it will delete the original file (not necessarily in this exact sequence).

Many of these transactions can be found in the operating system files even though the file itself has since been destroyed. By extracting and analyzing these operating system files, an examiner can potentially determine the original file’s name and location on the hard drive.

If the file cannot be identified, the examiner may still be able to determine, from other forensic artifacts found in the operating system, what program was used (even if the user has since deleted the wiping program), when it was installed, and when it was used. The mere use of a wiping program after a litigation hold is in place (or a subpoena received) may be enough to impose sanctions even if the original files cannot be identified. And, if that evidence can be coupled with an examination of the user’s Internet history showing what searches were conducted (e.g., “how to permanently delete a file”), an intentional act can be established.

Another “hiding” place for lost files is the computer’s Shadow Copy (sometimes referred to as a “Restore Point”). Depending on the configuration of the operating system, the computer itself may create several Shadow Copies, each one containing a snapshot of the content of the computer at the time. If a file is missing from the computer, by examining this artifact, the examiner may succeed in locating it. The bigger question of why it went missing is a topic for deposition.

Practice Tips: By knowing the original file names and locations of the wiped files, an examiner can potentially restore them from Shadow Copies. In the event no Shadow Copies exist, knowing the wiped file names/folders even existed may provide sufficient evidence to claim spoliation. Finally, analyzing other artifacts on the computer may show when a wiping program was initially used, when it was last run and how many times, and whether the user searched the Internet for tips on how to destroy sensitive files, thereby providing circumstantial evidence of an intentional act.

A Cybersecurity Risk Assessment is the First Step to Managing your Compliance Burden

Traditional risk management is already a mission critical practice for businesses. Add to it the scourge of computer hackers tapping into IT systems via emails laden with malware or through insecure remote connections and it becomes a seemingly impossible task. Append those daily efforts to the increasing demands of state and federal regulators to be notified of potential breaches in almost real time and you get a business that may not survive the resulting costs and reputational damage.

The solution that proactive businesses (and their counsel) are using to identify how data flows through their companies, the risks it faces as it moves, and how to use that knowledge to respond rapidly to the ever-changing data privacy/breach notification regulatory environment is a Cybersecurity Risk Assessment.

A Cybersecurity Risk Assessment focuses on the value of the information contained within a business’s computers and the losses it may incur if that information is exposed, destroyed, stolen, or becomes otherwise inaccessible. The Assessment identifies and categorizes the critical electronic data in the business’s possession or control, where that data is located, who has access to it, and the strength of the business’s current IT systems and controls to protect it from harm. This catalog of information allows business leaders, risk officers and legal counsel to build, upgrade, and maintain systems, processes and protocols which will ultimately reduce the risk of a cyber incident, limit the legal, financial and reputational exposure should an incident occur, and enable the business to respond to regulatory notification requirements in an efficient and cost effective manner. This strategy ultimately aligns with the goals of state and federal data and privacy regulations and responsibilities.

A Cybersecurity Risk Assessment is often confused with protective tools like cybersecurity audits, vulnerability assessments, and penetration tests. Each tool is important, but they are not interchangeable, nor do they address the business’s IT architecture as a whole. These tools are designed to evaluate the strength or weakness of a particular piece of software (computer operating systems, programs, applications), hardware (routers, firewalls), business process (data flow and usage), or channel over which the business’s information flows (third-party vendors, cloud storage, email). The results these tools yield become part of the Cybersecurity Risk Assessment and shape how the business re-organizes itself, its processes, and its equipment to better protect its data and the value it represents.

New Regulations to Come:

The Office of the New Jersey Attorney General recently announced that it will be creating a new civil enforcement unit, known as the Data Privacy & Cybersecurity Section, to investigate data breaches impacting New Jersey residents and to enforce federal and state data privacy and cybersecurity laws. New Jersey’s AG joins an expanding list of state AGs, including those of California, Connecticut, Indiana, Maryland, Massachusetts, New York, and North Carolina, who are dedicating more resources to data breach investigation and enforcement actions.

In 2017 the New York Department of Financial Services released Cybersecurity Regulation 23 NYCRR 500 (DFS 500), a set of regulations that places new cybersecurity requirements on all covered financial institutions. In addition, the New York State Attorney General has proposed the SHIELD Act, which would place a legal obligation on companies to adopt “reasonable” administrative, technical, and physical safeguards for sensitive data; the standards would apply to any business that holds sensitive data of New Yorkers, whether or not it does business in New York. The performance of a Cybersecurity Risk Assessment is a primary requirement for compliance with these regulations.

Pennsylvania is one of 24 states that require customer notification, “without unreasonable delay,” when a data breach affects more than 1,000 residents. Pennsylvania’s attorney general is taking on a national role on data breaches in the midst of a wave of incidents impacting millions of Americans and Pennsylvanians. Attorney General Shapiro filed his office’s first-ever lawsuit under Pennsylvania’s Breach of Personal Information Notification Act against the ride-sharing company Uber based on a data breach impacting 600,000 Uber drivers in the United States — including 13,500 in Pennsylvania.

Performing a Cybersecurity Risk Assessment will not only improve the business’s security posture, it will help align the organization with these and other state and federal regulations and activities (e.g. Sarbanes-Oxley, HIPAA Privacy, PCI) and the most recent addition, the international data transfer requirements of the GDPR (General Data Protection Regulation). Knowing where the data is, what personally identifiable information it contains, who has access to it, and for how long, will not only put the organization in the most efficient compliance posture, it will greatly improve its incident response time.

To learn more about how Black Cipher Security can help improve your outcomes, visit our website at or email

Thank you for Voting! Maragell Named One of the Best Computer Forensics Experts and Best Investigators for 2018

Dear Friends,

Thank you for your continued support! Maragell has been named in the New Jersey Law Journal’s 2018 Survey of vendors to the legal community as a Top 3 “Best of” winner in the following categories:

Best Expert Witness (Technology/Computer Forensics)
Best Corporate Investigations Provider

On behalf of our entire staff, we thank you for your past business and look forward to supporting you in the future.


Jeffrey Brenner, Esq., NJLPI

Don’t Get Digitally Burned by a Departing Employee

As a business owner, often your most valuable asset is your employees. But what happens when your best employee leaves without reason or mentions she or he is going to work for another company? This should raise a red flag if that employee has access to your company’s sensitive data and/or intellectual property.

Even if you don’t suspect any nefarious motives, in addition to conducting an in-depth exit interview, another pro-active measure a company can take to protect itself is to engage a computer forensic expert to forensically image the departing employee’s computer hard drive (i.e. create an exact bit-by-bit mirror copy).

By having the hard drive imaged immediately, the digital evidence is preserved just as it was the day the employee last laid his or her fingers on the keyboard. Preserving the hard drive has two primary benefits:

  • An analysis of the forensic image can be conducted quickly if needed (if, for example, the employee left and “failed to mention” he was going to work for a competitor or open his/her own shop); and
  • The evidence would not be trampled upon. Often the company’s IT department will re-issue the computer to another employee, thus making forensic analysis more difficult. Even worse, the computer hard drive could be wiped or destroyed and a new one inserted into the shell.

In the event the forensic image does need to be analyzed, the electronic fingerprints the employee left behind can reveal (i) what files were copied to external devices (thumb drives / USB hard drives), (ii) the file folders to which the ex-employee browsed prior to departure, (iii) which websites/cloud storage sites the ex-employee navigated to on the Internet, (iv) the personal or company email the ex-employee sent to her/himself or the new company, and (v) the files s/he may have deleted.

The next time a key employee leaves your company, contact us to discuss which data preservation options best fit your needs.

Post by Steve Hilary, Digital Forensic Examiner
Certified Computer Examiner (CCE)
Encase Certified Examiner (EnCE)
AccessData Certified Examiner (ACE)
New Jersey License Private Detective

How to Use Social Media as an Employee Screening Tool

Social media is a staple in life. It is the way in which many people obtain news, communicate with one another, and even conduct political conversations. Therefore, it makes sense that employers want to utilize social media when conducting employee screening investigations on potential employees. While using social media can be helpful, it is important to be mindful of the ways in which social media can, and should, be used in this delicate process.

Farm; Don’t Hunt with Social Media

Social media is a wonderful screening tool that can be used to farm information to create a full picture. The idea is to browse everything available to the public and get to know your candidate through this public persona. As opposed to running criminal background checks and credit reports, which allow you to hunt for specific information, social media is an open-ended search process. Anything can be found through social media profiles and activities, whether the information is of a personal or a professional nature.

Therefore, do not be closed-minded when perusing a candidate’s public profiles and activities online. Reviewing information such as profiles, as well as postings, Reddit activity, Twitter follows, and even Instagram and Snapchat activity can create an in-depth picture of whom you are potentially hiring.

Stay Within Legal Guidelines

Since social media is an open book for those who offer public glimpses into their lives and activities, it is easy to get swept away in the idea that anything goes. However, this is still an employment situation with federal and state guidelines in place to protect the rights of employment candidates.

For instance, in New Jersey it is illegal to require that an employment candidate provide you with credentials to access their social media accounts. Employees have the right to privacy. Unless they have purposefully and willfully added you as a friend or follower, you can only have the same access any member of the general public has to the candidate’s social media.

In addition, hiring decisions cannot be based on discriminatory facts, such as age, race, creed, sexual orientation, or other similar factors. Social media gives you an insight to all of these types of issues surrounding a potential candidate. Therefore, tread lightly and do your best to only focus on the activities at hand, as opposed to facts that you know to be discriminatory.

Finally, it is best to have a clear policy in place for your hiring staff and management regarding the use of social media for employee screening purposes. This is something to design with your HR team and legal team to ensure you are following the guidelines set forth by any and all laws affecting the hiring process.

Social Media’s Standard Practices

Beyond the legal issues, there are several standard practices that are worth following when researching potential or even current employees on social media. While the following concepts may not be illegal, they may put you in a difficult position at best, or be unethical at worst.

1. Do not “friend” employees or candidates on social media. This creates a level of personal connection that may be detrimental, especially if any adverse action is to be taken with that employee in the future.

2. Speak to the potential employee or candidate about the findings before making any decision. Sometimes social media is not truly an accurate portrayal of an individual. Maybe a photo was posted without the person’s permission. Maybe that photo was photoshopped and is not a truthful photo. Maybe the person was hacked and information on their social media account is inaccurate as a result.

3. Be cautious when making decisions based on findings on social media to make sure there is no breach of any legal duties.

It is not a bad idea to utilize all available resources to get to know the potential employee; however, when utilizing social media, make sure you are appropriately cautious in your approach. If you are in need of a company that specializes in employee screening and using all available resources while abiding by state and local laws, contact us at 856.429.0325. Our investigative experts will be happy to help you make sound hiring decisions without compromising ethics or legal requirements.

SJ Magazine Top Attorney Night

Maragell, LLC was once again proud to sponsor the 2017 winners of the SJ Magazine Top Attorneys Awards. Congratulations to all the honorees, especially those who have been loyal clients of our firm (and there are a lot of you). We are thrilled to see the public recognizes you as the best in your respective fields—but we’ve known that for a while!

The New Jersey Private Investigators Association Supports NJAJ

Maragell’s Managing Principal Jeffrey Brenner, and fellow southern New Jersey Private Investigator Jeffrey Friedman of Axe Investigations, get ready to greet the lawyers at this year’s New Jersey Association for Justice Boardwalk Seminar. Hundreds of attorneys attended the multi-day continuing legal education programs and spent time learning about the many vendors who support the legal profession in all that they do. The NJ Licensed Private Investigators Association was on hand to answer questions about skip tracing, tracking devices, covert audio and video capture, as well as computer forensics and anti-fraud techniques.

Litigation Goldmine: Employee Internet History – More than just Facebook

When it comes to data breach activity, companies should be examining the Internet activity of their own employees—it is more than just Facebook and ESPN News. In two of our most recent cases, based on the Internet history alone, we discovered one employee was logging into the webmail accounts of the CEO and CFO (and using the financial information contained therein to negotiate a bigger raise for himself), and another, an IT administrator, had copied thousands of files to a thumb drive before he resigned and then ran Google searches on how to destroy key operating system files on his company laptop to hide the activity.

In both cases, the employees thought they had hidden their tracks by deleting their recent browsing history. But because a computer’s operating system maintains the URL addresses of the websites visited in separate files, and other operating system files record images of those sites, through the use of forensic tools, these disparate files were extracted, combined, displayed visually, and the story of their activity revealed. One ended with the employee being terminated, the other with the IT administrator haled into federal court after he surfaced at a competing firm.

While most forensic experts identify the information as the computer’s “Internet history,” it is much more than just a compendium of web addresses. Because a number of Windows Explorer system files act in the same fashion as the Internet browser system files, when the “history” is extracted, information such as what files were viewed on a thumb drive or where the user went on the company server can often be determined. This user activity is betrayed by the formation of link files, which are created when a user inserts a USB device into the computer and opens a document from it, or uses Windows Explorer to navigate to a location on the server. If an employee is suspected of stealing a customer list or other confidential or proprietary information, but the USB device is not available for inspection, the Internet history might seal his/her fate.
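The link files mentioned above can be decoded to show exactly what the post describes. As an added example, not part of the original post or Maragell's tooling, the parser below reads the header and LinkInfo block of a Windows shell link (.lnk) file, which record the target's path, the drive type (removable versus fixed), the volume serial number and label, and the target's timestamps as the shell saw them. The sample link, its path, label and serial number are constructed for the demonstration.

```python
import struct
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
# ShellLinkHeader CLSID {00021401-0000-0000-C000-000000000046}
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_ID_LIST, HAS_LINK_INFO = 0x01, 0x02
DRIVE_TYPES = {0: "UNKNOWN", 1: "NO_ROOT_DIR", 2: "REMOVABLE", 3: "FIXED",
               4: "REMOTE", 5: "CDROM", 6: "RAMDISK"}


def filetime_to_dt(ft: int) -> datetime:
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def dt_to_filetime(dt: datetime) -> int:
    return ((dt - EPOCH_1601) // timedelta(microseconds=1)) * 10


def _cstr(data: bytes, off: int) -> str:
    """Null-terminated single-byte string at off."""
    return data[off:data.index(b"\x00", off)].decode("latin-1")


def parse_lnk(data: bytes) -> dict:
    """Decode the fields of a .lnk file that matter for an access trail.
    Timestamps here are the *target's* MAC times copied in by the shell; the
    .lnk file's own filesystem timestamps show when it was first/last opened."""
    hdr_size, clsid, flags, _attrs, ctime, atime, wtime, fsize = \
        struct.unpack_from("<I16sIIQQQI", data, 0)
    if hdr_size != 0x4C or clsid != LNK_CLSID:
        raise ValueError("not a Windows shell link")
    rec = {"target_created": filetime_to_dt(ctime),
           "target_accessed": filetime_to_dt(atime),
           "target_written": filetime_to_dt(wtime),
           "target_size": fsize}
    pos = hdr_size
    if flags & HAS_ID_LIST:                  # skip the LinkTargetIDList block
        (id_size,) = struct.unpack_from("<H", data, pos)
        pos += 2 + id_size
    if flags & HAS_LINK_INFO:
        li = pos                             # LinkInfo offsets are relative to here
        _size, _hdr, li_flags, vol_off, base_off, _net_off, suffix_off = \
            struct.unpack_from("<IIIIIII", data, li)
        if li_flags & 0x01:                  # VolumeIDAndLocalBasePath present
            drive_type, serial, label_off = \
                struct.unpack_from("<III", data, li + vol_off + 4)
            rec["drive_type"] = DRIVE_TYPES.get(drive_type, str(drive_type))
            rec["volume_serial"] = f"{serial:08X}"
            rec["volume_label"] = _cstr(data, li + vol_off + label_off)
            rec["target_path"] = _cstr(data, li + base_off) + _cstr(data, li + suffix_off)
    return rec


def build_sample_lnk(path, label, serial, drive_type,
                     created, accessed, written, size) -> bytes:
    """Constructed test data (no IDList, ANSI paths), not a real link file."""
    label_b = label.encode("ascii") + b"\x00"
    volume_id = struct.pack("<IIII", 16 + len(label_b), drive_type, serial, 16) + label_b
    base_b, suffix_b = path.encode("ascii") + b"\x00", b"\x00"
    vol_off = 28                             # LinkInfoHeaderSize without unicode offsets
    base_off = vol_off + len(volume_id)
    suffix_off = base_off + len(base_b)
    link_info = struct.pack("<IIIIIII", suffix_off + 1, 28, 1, vol_off, base_off, 0, suffix_off)
    link_info += volume_id + base_b + suffix_b
    header = struct.pack("<I16sIIQQQIIIH2sII", 0x4C, LNK_CLSID, HAS_LINK_INFO, 0x20,
                         dt_to_filetime(created), dt_to_filetime(accessed),
                         dt_to_filetime(written), size, 0, 1, 0, b"\x00\x00", 0, 0)
    return header + link_info


# Constructed sample: a spreadsheet opened from a removable drive.
SAMPLE_LNK = build_sample_lnk(
    r"E:\Clients\customer_list.xlsx", "KINGSTON", 0x1A2B3C4D, 2,
    datetime(2017, 11, 2, 16, 5, 9, tzinfo=timezone.utc),
    datetime(2018, 1, 19, 8, 41, 0, tzinfo=timezone.utc),
    datetime(2017, 11, 2, 16, 5, 9, tzinfo=timezone.utc), 207360)

if __name__ == "__main__":
    for key, value in parse_lnk(SAMPLE_LNK).items():
        print(f"{key:16} {value}")
```

Matching the volume serial against the USB device history kept elsewhere in the registry is what ties the opened document to a specific thumb drive.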

The history will also provide evidence of online document storage sites like Dropbox and Google Drive, and data backup sites such as Carbonite and Mozy. Whenever company file access activity on the employee’s computer matches that of visits to these categories of websites, it is best practice for counsel to issue preservation letters and/or subpoenas to prevent the information from becoming lost.

More sophisticated forensic software can also rebuild cached images of webpages and webmail messages just as the user saw them. Because webmail does not reside on the local hard drive, the only evidence that an employee was communicating with others about potentially unlawful activity or sending company documents to a personal email account might come from an examination of email fragments recovered from the Internet history.

Practice Point: The immediate preservation of a suspect computer should be the top priority for any in-house counsel, litigation counsel, Human Resources Professional or IT administrator. Electronic evidence is ephemeral and can be destroyed through the normal use of the computer. Permitting even the weekly updates by Microsoft to be installed can destroy essential evidence needed to prove a case. In short, to maximize the amount of available evidence in cases like those described above, the computer should be turned off and secured in a location where it cannot be accessed until a forensic bit-by-bit mirror image of its hard drive is created. If the subject of the investigation is suspected of downloading or actively running malware in an effort to harm the company (such as Cryptowall or other ransomware), the computer should be left running, but its power cord or battery removed (to keep its RAM intact for analysis).

Three Reasons Why You Need a Digital Forensics & Incident Response Team on Retainer

Every company, regardless of its size or industry, handles and stores personal, confidential, and proprietary data, and cyber thieves want it all. That is why every business that has a computer network must take steps to harden it against the scourge of malicious activity plaguing the business community today and be ready to react when the attacker strikes. But despite the headlines, too many businesses still feel they are not a target, and many more are unprepared for when they become one.

Digital Forensics & Incident Response (“DFIR”) is a multi-disciplinary approach to addressing and managing both the preparations for, and aftermath of, an information technology security incident. It often includes in-house IT staff, representatives from management (C-suite, HR), outside cybersecurity consultants, public relations, and legal counsel.

From a technical perspective, the primary goals of a DFIR plan are to (A) rapidly mitigate any ongoing (i) data loss, theft, corruption, and/or unauthorized access, and (ii) damage to software and/or hardware, (B) preserve evidence for future analysis/investigation, and (C) reduce recovery time and costs.

Three reasons why you need to have a DFIR team on retainer NOW

1. In the Fog of War, your situational awareness is impaired, and when faced with an unfamiliar situation you will often make mistakes that are fatal to the preservation of the evidence you will need later and fatal to your safely recovering from the attack.

2. Your IT systems are too complex to learn “on the fly.” By the time you learn you are under attack, your attacker has likely had a 260-day head start. To determine what the attacker has already done and what has already been accessed, Incident Responders need to analyze the access logs, system configurations, file metadata records, and virtual memory for evidence. Time spent learning how your systems are connected, who has access and who should not, where your data is stored, and determining what log information is even available is time that could be better spent containing the threat and collecting and preserving known forensic artifacts.

3. Time is of the essence, and your reputation is on the line. Breach notification laws in 48 states require rapid responses. Encrypted servers require time to triage and/or be replaced. Viruses and malware are now self-replicating, further infecting your systems and those connected to yours. The moment your servers are encrypted, or clients are calling to ask why their information is on the Web, is not the time to assemble a DFIR team.

Three Solutions to Address the Problem:

Traditional IR – A reactive, cost-effective approach where the Incident Responders (who have already been retained and have familiarized themselves with the client’s systems) are notified about an incident, briefed on its details, and work backwards to reconstruct the events leading to the incident. Using digital forensics tools and investigative techniques, the team seeks to determine the root cause of an incident and its aftermath. Response can begin within 24 hours.

Threat Hunting – A proactive approach that involves the installation of sensors on the client’s workstations and servers before an attack occurs. Routinely searching the data generated by the sensors to detect, isolate, and remove advanced threats that manage to bypass existing traditional anti-virus software and other security measures keeps the dwell time to a minimum. And even if an attacker manages to burrow deep into the system, the threat hunting software records all file modifications, network connections, registry modifications, file executions, processes, and system services on a 24/7/365 basis. In short, the technology provides visibility into the activity taking place on the client’s workstations and servers. This often results in the Incident Response team notifying a client of an incident before it is detected by the client, and provides an audit trail for the investigators.

Hybrid IR – This is a cost savings approach which blends the forensic investigation techniques of Traditional IR with the “hindsight” use of the Threat Hunting technology. If there is an incident, once notified, the DFIR team can use the historical data from the system surveillance software to help resolve the incident and identify the root cause. The difference is that the data collected from the monitoring software is not being actively reviewed and analyzed for threats.

For more information about building your DFIR plan, contact Jeff Brenner at or 856 429 0325 x223

ESI Spoliation is as easy as 1-2-3

If you think spoliation of electronic evidence is only caused by careless lawyers, think again. It only takes a click of a mouse, or the insertion of a USB device for you to destroy what could be the most important fact in your client’s case. Case law considers even negligent destruction a basis for a spoliation claim. See Sampson v. City of Cambridge, Md., 251 F.R.D. 172, 179 (D. Md. 2008). Couple that with recently amended FRCP 37(e) which provides a federal court with a means to sanction a party for its failure to take reasonable steps to preserve relevant electronic evidence, and you have cause for many a sleepless night.

In a case involving stolen computer files, the dates and times when those files were copied off a device, and the date and time they were copied onto another (or when they were last accessed or viewed) can mean the difference between inculpation and exculpation.

Consider these fact patterns:

1. “My client may have emailed those confidential documents to herself, but she saved them on her computer only because she was told she might need to work at home to get the project done. She never looked at them again.” Upon a forensic examination of the laptop, the “last accessed” dates for all the company documents she saved to her computer match the date she met with the attorney. Why? Because the attorney wanted to review them before responding to the prior employer’s demand notice/lawsuit. Counsel’s ability to credibly argue her client never looked at the files after she saved them years ago just got harder.

2. Same case, but instead of files on a laptop, the files are on a thumb drive. “My client may have copied them onto a thumb drive, but she swears she never copied them elsewhere.” Upon a forensic examination of the thumb drive, all the “last accessed” dates were changed to the date the client met with the attorney. Why? Because the attorney inserted the thumb drive into her computer and copied them to the server to review them before producing them to the other side. Counsel’s ability to credibly argue her client never copied them elsewhere just got harder.

3. Same case, but instead of saving files to a personal laptop, the client deleted her personal files from the company laptop. “My client only deleted her pictures and personal documents prior to returning the company-issued laptop to HR.” Upon a forensic examination of the laptop, it is determined that on three separate days leading up to the employee’s departure, a file wiping program was used to permanently destroy a host of files—all that was left was a pattern of 1’s and 0’s over wide sections of the hard drive. Counsel’s ability to credibly argue her client didn’t take any company records before destroying “only her personal files” just got harder because it cannot be determined what files were deleted.

Practice Points: Preservation of metadata can be achieved through the use of free write-blocking software that can be installed on a computer, as well as by changing the USB settings on the computer. Doing so will enable the user to freely examine data on the devices without the risk of changing “last accessed” dates and other metadata fields that could prove useful. Metadata can also be preserved through the use of forensic imaging hardware and software tools (which require specialized training), and can be targeted to specific files at issue, or the entire hard drive. In light of Rule of Professional Conduct 1.1, Competence, and the ease with which data can be lost, altered, and destroyed, it is incumbent upon counsel to rely upon forensic specialists for guidance whenever electronic evidence is involved.
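As an added illustration, not the firm's tooling, the script below shows the kind of check the practice points above (and the earlier Practice Point on immediate preservation) imply: a manifest of sizes, content hashes and timestamps taken before evidence is handled, compared with a second manifest afterwards, so that an altered “last accessed” date or a missing file is reported at the time rather than discovered at deposition. The staged files and the simulated careless handling are constructed inside a temporary directory.

```python
import hashlib
import os
import tempfile
from pathlib import Path

FIELDS = ("size", "sha256", "mtime_ns", "atime_ns", "ctime_ns")


def snapshot(root: str) -> dict:
    """Record size, content hash and timestamps of every file under root.
    stat() is taken *before* the file is read, because reading it can itself
    bump the last-accessed time on a mount that is not write-blocked."""
    manifest = {}
    root_path = Path(root)
    for p in sorted(root_path.rglob("*")):
        if not p.is_file():
            continue
        st = p.stat()
        manifest[p.relative_to(root_path).as_posix()] = {
            "size": st.st_size,
            "mtime_ns": st.st_mtime_ns,   # last modified
            "atime_ns": st.st_atime_ns,   # last accessed
            "ctime_ns": st.st_ctime_ns,   # inode/metadata change (Windows: creation)
            "sha256": hashlib.sha256(p.read_bytes()).hexdigest(),
        }
    return manifest


def compare(before: dict, after: dict) -> list:
    """Return (path, field, old, new) tuples for every difference found."""
    findings = []
    for rel in sorted(set(before) | set(after)):
        if rel not in after:
            findings.append((rel, "missing", before[rel]["sha256"], None))
        elif rel not in before:
            findings.append((rel, "added", None, after[rel]["sha256"]))
        else:
            for field in FIELDS:
                if before[rel][field] != after[rel][field]:
                    findings.append((rel, field, before[rel][field], after[rel][field]))
    return findings


def demo() -> list:
    """Stage a small evidence set, then simulate two kinds of careless handling:
    opening one document (which touches its access time) and deleting another.
    Everything here is constructed; nothing is read from a real evidence drive."""
    with tempfile.TemporaryDirectory() as root:
        docs = Path(root) / "Documents"
        docs.mkdir()
        (docs / "term_sheet.docx").write_bytes(b"constructed sample content")
        (docs / "photo.jpg").write_bytes(b"\xff\xd8constructed")
        baseline = snapshot(root)
        # "Opening" the document a day later: access time moves, content does not.
        target = docs / "term_sheet.docx"
        st = target.stat()
        os.utime(target, ns=(st.st_atime_ns + 86_400 * 10**9, st.st_mtime_ns))
        # Deleting "only personal files" still has to show up in the record.
        (docs / "photo.jpg").unlink()
        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    for rel, field, old, new in demo():
        print(f"{rel}: {field} {old!r} -> {new!r}")
```

Running the same comparison against a forensic image and the original device is how an examiner demonstrates that the copy is faithful and that handling changed nothing.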