An employee clicked on a link in a phishing email. What do you do?
Clicking on a phishing link or opening a phishing attachment can lead to many different, very problematic scenarios.
These include malware being downloaded to the computer, device or network; the use of ransomware to lock up computers
and network systems; and the surreptitious installation of programs that harvest passwords and user credentials, which
could enable the bad actor to log on to the computer or device. Ideally, your response and next steps are covered by
a written Incident Response (IR) plan. In short, immediate actions, including the following, must be taken in response
to all of these situations:
- Report the incident immediately to the appropriate individuals within the organization. If you don’t know who that is, start with your manager
and IT security. Failure to report the incident can make things much, much worse, because the attacker can expand the attack to include other systems,
potentially affecting the company’s entire computer network.
- Change passwords to all accounts that could be affected, including changing the password used to sign in to the computer or device. If you were
presented with a login screen by the attacker and you supplied the username and password to your email, then change that password, too.
- Disconnect the computer or device from the network, which may mean pulling the network cable (not the power cable) out of your computer or turning off
Wi-Fi on your computer or device. If your computer or device was hit by ransomware, this will at least prevent other systems from becoming infected
and encrypted as well.
Understanding what happened, the scope of the incident and the required response should be determined by trained professionals and cybersecurity experts. For some organizations, the IT security team can determine the scope, begin the investigation and address remediation. Others prefer to engage an independent cybersecurity expert like bit-x-bit.
You just learned that a key employee accepted a position with your competitor. What should you do first?
Collect and preserve the evidence: The immediate concern is whether the key employee took confidential information and trade
secrets when exiting. The first step in the investigation is to collect and preserve in a forensically sound manner all the
electronic evidence that may be at issue in the investigation. This evidence will likely include the employee’s company computer, mobile device and backups, email account, cloud repositories such as Dropbox and Google Docs, file share access information on company servers, remote accessing records, and more. For computers and mobile devices, a forensic image is the best means of preservation and will enable the forensic examiner to determine if the computer or mobile device itself was used to take company information or trade secrets.
Conduct a forensic examination: bit-x-bit can determine from a forensic examination of the departed employee’s computer whether the employee used flash or
backup drives to take company information, sent confidential information to personal email accounts, used unauthorized cloud
repositories such as Dropbox or Google Docs to take confidential information, remotely accessed company servers on the eve of
departure, texted the competitor regarding company trade secrets, or used evidence destruction software to cover up these
activities. bit-x-bit prepares a complete timeline (down to the very second) of the employee’s activities, which typically
forms the basis for proceeding against the employee.
Opposing counsel just produced (“dumped”) 100 GB of ESI in response to your document request. Depositions begin in two weeks. What’s next?
The last thing you need when preparing for deposition is to slog through a one-by-one, linear review of thousands of new
documents, hoping to run into the ones you really need before time runs out to use them effectively. bit-x-bit offers
field-proven analytics technology you can leverage to learn what’s in the production and access the most relevant content
A “Clustering” analytics tool visually organizes the data into related groups and provides a bird’s-eye view of the
concepts running through the documents. Clustering may reveal sets of documents that are highly relevant (or, alternatively,
that can be quickly dismissed as irrelevant).
“Concept search” analytics amplify the effectiveness of the search terms you already know by identifying new and
related terms within this new set of data. The same technology enables you to take important passages or even entire
documents and use that information to pull conceptually similar documents into your searches.
“Predictive coding” similarly enables you to leverage the review you already performed on your client’s data to
analyze new documents and make predictions as to what content is relevant and what is not. Or you can start fresh and
train the system to identify relevant material, including categorizing for specific issues in your case.
Fundamentally, the idea behind these technologies is not to replace human review, but to focus review on the most
meaningful information so that you can spend time preparing for those depositions, instead of sifting through junk
email. We have years of experience helping our clients effectively use this analytical toolbox to explore data and
meet tight deadlines.
How do you authenticate electronic evidence under Rule 902?
Rules 902(13) and 902(14) of the Federal Rules of Evidence, as amended and effective December 1, 2017, expressly allow
“self-authentication” of electronic evidence. These amendments permit litigants to provide a foundation for
self-authentication through a certification by a “qualified person” (such as a certified digital forensic examiner)
instead of live testimony at a hearing or trial, that the proffered electronic evidence was generated by a process
that produces an accurate result. Under Rule 902(13), metadata, log files, registry files, social media posts and
more, collected by a certified forensic examiner from a computer or other electronic device, may pass the authenticity
threshold and be authenticated by certification. Similarly, under Rule 902(14), electronic evidence “copied” from a
digital device, hard drive or file can be self-authenticating if a “qualified person” such as a certified digital
forensic examiner certifies that it is authentic “by a process of digital identification.”
Plan ahead – don’t wait until the eve of trial, when it will be too late – by engaging a certified digital forensic
examiner to collect the important electronic evidence before and during discovery, so that the ESI will qualify as
You learn that an employee deleted a critical text that would prove a key issue in a sexual harassment case. How do you get it?
The first step in the process of recovering a deleted text or other critical deleted information is to preserve the
mobile device as soon as possible after the deletion. The more time that passes, the less likely it is that recovery
is possible. A second and parallel step is to determine if a backup of the mobile device exists, for example on a
computer or in a cloud service such as iCloud. If a backup is available, then we may be able to retrieve a deleted
text or any other digital record directly from the backup, without the need to examine the mobile device. However,
if there is no backup available, then recovery of the deleted message from the mobile device is the necessary way
The good news is that text messages on newer mobile devices are often stored in SQLite databases, which can be accessed and searched using forensic
tools built specifically for such recovery. The preservation of most mobile phones such as iPhones and popular
Android-based phones, and the recovery of the text messages, including deleted messages, generally only takes a
few hours of time using the appropriate digital forensic tools and methods.
Learn more about bit-x-bit, and discover how our integrated risk and response services can protect your
company from electronic data theft and security issues—now and into the future.
Your Name (required)