An employee clicked on a link in a phishing email. What do you do?
Clicking on a phishing link or opening a phishing attachment can lead to many different, very problematic scenarios.
These include malware being downloaded to the computer, device or network; the use of ransomware to lock up computers
and network systems; and the surreptitious installation of programs that harvest passwords and user credentials, which
could enable the bad actor to log on to the computer or device. Ideally, your response and next steps are covered by
a written Incident Response (IR) plan. In short, immediate actions, including the following, must be taken in response
to all of these situations:
- Report the incident immediately to the appropriate individuals within the organization. If you don’t know who that is, start with your manager
and IT security. Failure to report the incident can make things much, much worse, because the attacker can expand the attack to include other systems,
potentially affecting the company’s entire computer network.
- Change the passwords of all accounts that could be affected, including the password used to sign in to the computer or device. If the attacker
presented you with a login screen and you supplied the username and password for your email, change that password, too.
- Disconnect the computer or device from the network, which may mean pulling the network cable (not the power cable) out of your computer or turning off
Wi-Fi on your computer or device. If your computer or device was hit by ransomware, this will at least prevent other systems from becoming infected
and encrypted as well.
What happened, the scope of the incident and the required response should be determined by trained professionals and cybersecurity experts. For some organizations, the IT security team can determine the scope, begin the investigation and address remediation. Others prefer to engage an independent cybersecurity expert like bit-x-bit.
You just learned that a key employee accepted a position with your competitor. What should you do first?
Collect and preserve the evidence: The immediate concern is whether the key employee took confidential information and trade
secrets when exiting. The first step in the investigation is to collect and preserve in a forensically sound manner all the
electronic evidence that may be at issue in the investigation. This evidence will likely include the employee’s company computer, mobile device and backups, email account, cloud repositories such as Dropbox and Google Docs, file share access information on company servers, remote access records, and more. For computers and mobile devices, a forensic image is the best means of preservation and will enable the forensic examiner to determine if the computer or mobile device itself was used to take company information or trade secrets.
Conduct a forensic examination: bit-x-bit can determine from a forensic examination of the departed employee’s computer whether the employee used flash or
backup drives to take company information, sent confidential information to personal email accounts, used unauthorized cloud
repositories such as Dropbox or Google Docs to take confidential information, remotely accessed company servers on the eve of
departure, texted the competitor regarding company trade secrets, or used evidence destruction software to cover up these
activities. bit-x-bit prepares a complete timeline (down to the very second) of the employee’s activities, which typically
forms the basis for proceeding against the employee.
Opposing counsel just produced (“dumped”) 100 GB of ESI in response to your document request. Depositions begin in two weeks. What’s next?
The last thing you need when preparing for deposition is to slog through a one-by-one, linear review of thousands of new
documents, hoping to run into the ones you really need before time runs out to use them effectively. bit-x-bit offers
field-proven analytics technology you can leverage to learn what’s in the production and access the most relevant content
sooner.
A “Clustering” analytics tool visually organizes the data into related groups and provides a bird’s-eye view of the
concepts running through the documents. Clustering may reveal sets of documents that are highly relevant (or, alternatively,
that can be quickly dismissed as irrelevant).
“Concept search” analytics amplify the effectiveness of the search terms you already know by identifying new and
related terms within this new set of data. The same technology enables you to take important passages or even entire
documents and use that information to pull conceptually similar documents into your searches.
“Predictive coding” similarly enables you to leverage the review you already performed on your client’s data to
analyze new documents and make predictions as to what content is relevant and what is not. Or you can start fresh and
train the system to identify relevant material, including categorizing for specific issues in your case.
Fundamentally, the idea behind these technologies is not to replace human review, but to focus review on the most
meaningful information so that you can spend time preparing for those depositions, instead of sifting through junk
email. We have years of experience helping our clients effectively use this analytical toolbox to explore data and
meet tight deadlines.
How do you authenticate electronic evidence under Rule 902?
Rules 902(13) and 902(14) of the Federal Rules of Evidence, as amended and effective December 1, 2017, expressly allow
“self-authentication” of electronic evidence. These amendments permit litigants to provide a foundation for
self-authentication through a certification by a “qualified person” (such as a certified digital forensic examiner)
instead of live testimony at a hearing or trial, that the proffered electronic evidence was generated by a process
that produces an accurate result. Under Rule 902(13), metadata, log files, registry files, social media posts and
more, collected by a certified forensic examiner from a computer or other electronic device, may pass the authenticity
threshold and be authenticated by certification. Similarly, under Rule 902(14), electronic evidence “copied” from a
digital device, hard drive or file can be self-authenticating if a “qualified person” such as a certified digital
forensic examiner certifies that it is authentic “by a process of digital identification.”
Plan ahead – don’t wait until the eve of trial, when it will be too late – by engaging a certified digital forensic
examiner to collect the important electronic evidence before and during discovery, so that the ESI will qualify as
“self-authenticating.”
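In practice, the “process of digital identification” behind a Rule 902(14) certification is a cryptographic hash: the examiner hashes the original, hashes the copy, and certifies that the two digests match. The script below is an added illustration of that workflow, not bit-x-bit’s procedure or tooling; the file names, the examiner name and the sample content are constructed for the demo. It records the acquisition digest, verifies an untouched copy, and shows that a one-byte alteration of the copy is caught.

```python
import hashlib
import os
import shutil
import tempfile
from datetime import datetime, timezone

CHUNK = 1024 * 1024  # hash in 1 MiB pieces so a multi-gigabyte image never sits in memory

# Constructed sample evidence for the demo; not real data.
SAMPLE_CONTENT = b"From: alice@example.test\nSubject: Q3 numbers\n\nAttached as discussed.\n"


def sha256_hex(data):
    """SHA-256 of an in-memory byte string (used to cross-check the file digest)."""
    return hashlib.sha256(data).hexdigest()


def sha256_of_file(path):
    """Incremental SHA-256 of a file; the digest identifies this exact byte sequence."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def acquire(source, destination, examiner):
    """Copy the evidence and record its digest; fail loudly if the copy does not match."""
    source_digest = sha256_of_file(source)
    shutil.copyfile(source, destination)
    if sha256_of_file(destination) != source_digest:
        raise RuntimeError("copy does not match source; acquisition failed")
    return {
        "source": os.path.basename(source),
        "copy": os.path.basename(destination),
        "algorithm": "sha256",
        "digest": source_digest,
        "size": os.path.getsize(destination),
        "examiner": examiner,  # hypothetical name passed in by the caller
        "acquired_at": datetime.now(timezone.utc).isoformat(),
    }


def verify(record, path):
    """Re-hash the copy later (for example before certifying) and compare with the record."""
    if os.path.getsize(path) != record["size"]:
        return False
    return sha256_of_file(path) == record["digest"]


def demo():
    """Acquire a sample file, verify it, then flip one byte in the copy and verify again."""
    with tempfile.TemporaryDirectory() as tmp:
        original = os.path.join(tmp, "mailbox_export.eml")  # constructed path
        with open(original, "wb") as f:
            f.write(SAMPLE_CONTENT)
        copy = os.path.join(tmp, "mailbox_export.copy")  # constructed path
        record = acquire(original, copy, examiner="J. Examiner (hypothetical)")
        intact = verify(record, copy)
        with open(copy, "r+b") as f:  # simulate a single-byte alteration of the copy
            f.seek(6)
            f.write(b"e")
        tampered = verify(record, copy)
        return intact, tampered, record


if __name__ == "__main__":
    ok, bad, rec = demo()
    print("untouched copy verifies:", ok)
    print("altered copy verifies:", bad)
    print("acquisition record:", rec)
```

The record returned by `acquire` is the kind of content a certification rests on: which file, which algorithm, which digest, who took it and when. Keeping the digest from the time of collection is what lets the copy be re-verified months later, which is why collecting early, as the paragraph above advises, matters.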
You learn that an employee deleted a critical text that would prove a key issue in a sexual harassment case. How do you get it?
The first step in the process of recovering a deleted text or other critical deleted information is to preserve the
mobile device as soon as possible after the deletion. The more time that passes, the less likely it is that recovery
is possible. A second and parallel step is to determine if a backup of the mobile device exists, for example on a
computer or in a cloud service such as iCloud. If a backup is available, then we may be able to retrieve a deleted
text or any other digital record directly from the backup, without the need to examine the mobile device. However,
if there is no backup available, then recovery of the deleted message from the mobile device is the necessary way
to proceed.
The good news is that text messages on newer mobile devices are often stored in SQLite databases, which can be accessed and searched using forensic
tools built specifically for such recovery. The preservation of most mobile phones such as iPhones and popular
Android-based phones, and the recovery of the text messages, including deleted messages, generally only takes a
few hours of time using the appropriate digital forensic tools and methods.
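To make concrete why deleted messages in an SQLite store are often recoverable, and why time and device settings matter, here is an added example. It is not bit-x-bit’s tooling; the `messages` schema, the sample conversation and the file name `sms.db` are constructed for the demo. When SQLite deletes a row it marks the cell as a freeblock on the page and overwrites only the first four bytes with the freeblock header, so the record text stays on disk until the space is reused or the file is vacuumed. The script builds a throwaway database, deletes one message, then reads the table’s root page straight from the file and carves printable strings that the SQL layer no longer reports as live. It also runs the same steps with `PRAGMA secure_delete = ON`, the setting that makes SQLite zero freed space, to show the case where nothing survives.

```python
import os
import re
import sqlite3
import tempfile

# Constructed sample conversation for the demo; not real evidence.
MESSAGES = [
    (1, "Alice", "Lunch at noon tomorrow? Bring the quarterly numbers.", "2024-03-01T09:15:00"),
    (2, "Bob", "Please delete this thread before HR asks about it.", "2024-03-01T09:16:30"),
    (3, "Alice", "Meeting moved to conference room B, see you there.", "2024-03-01T09:20:05"),
]
DELETED_ID = 2
DELETED_BODY = MESSAGES[1][2]
LIVE_BODIES = [m[2] for m in MESSAGES if m[0] != DELETED_ID]

# Runs of at least 12 printable ASCII bytes; long enough to skip header bytes and offsets.
PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{12,}")


def build_database(path, secure_delete):
    """Create a message store, then delete one row.

    secure_delete=True makes SQLite zero the freed cell, which defeats recovery.
    The default depends on how the SQLite library was compiled, so it is set explicitly.
    """
    conn = sqlite3.connect(path)
    conn.execute("PRAGMA secure_delete = " + ("ON" if secure_delete else "OFF"))
    with conn:
        conn.execute(
            "CREATE TABLE messages (id INTEGER PRIMARY KEY, sender TEXT, body TEXT, sent_at TEXT)"
        )
        conn.executemany("INSERT INTO messages VALUES (?, ?, ?, ?)", MESSAGES)
    with conn:
        conn.execute("DELETE FROM messages WHERE id = ?", (DELETED_ID,))
    conn.close()


def live_bodies_and_root_page(path):
    """Ask SQLite what it still reports as live, and where the table's b-tree root page is."""
    conn = sqlite3.connect(path)
    try:
        live = [r[0] for r in conn.execute("SELECT body FROM messages")]
        root = conn.execute(
            "SELECT rootpage FROM sqlite_master WHERE type = 'table' AND name = 'messages'"
        ).fetchone()[0]
    finally:
        conn.close()
    return live, root


def carve_page_strings(path, page_number):
    """Read one b-tree page straight from the file, bypassing the SQL layer.

    A deleted cell becomes a freeblock; only its first four bytes are overwritten
    with the freeblock header, so the text of the record usually survives.
    """
    with open(path, "rb") as f:
        data = f.read()
    page_size = int.from_bytes(data[16:18], "big")  # file header, offset 16
    if page_size == 1:
        page_size = 65536
    page = data[(page_number - 1) * page_size:page_number * page_size]
    return [m.group().decode("ascii") for m in PRINTABLE_RUN.finditer(page)]


def deleted_candidates(path):
    """Strings on the table's root page that do not belong to any live row."""
    live, root = live_bodies_and_root_page(path)
    runs = carve_page_strings(path, root)
    return [run for run in runs if not any(body in run for body in live)]


def demo(secure_delete=False):
    """Build a throwaway store in a temp dir, delete one message, carve what remains."""
    with tempfile.TemporaryDirectory() as tmp:
        db = os.path.join(tmp, "sms.db")  # constructed file name for the demo
        build_database(db, secure_delete)
        return deleted_candidates(db)


if __name__ == "__main__":
    for c in demo(secure_delete=False):
        print("residue:", c)
    print("with secure_delete=ON:", demo(secure_delete=True))
```

A carved run contains the deleted body glued to the neighbouring fields of the same record (sender, timestamp), because those bytes are printable too; a forensic tool would parse the record header to split them. The example stays on the root page because the toy table fits on it; a real message table spans many leaf pages, so a tool walks the b-tree and the database freelist rather than reading one page. The `secure_delete` run is the failure mode to keep in mind: on a device that zeroes freed space, or once the space has been reused by later activity, the backup is the only copy, which is why preserving the device quickly and checking for backups are the first two steps above.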
Learn more about bit-x-bit, and discover how our integrated risk and response services can protect your
company from electronic data theft and security issues—now and into the future.