As cyber threats and attacks have increased year over year, Coalfire has seen a drastically increased need for support to law firms in cybersecurity cases. Attacks and threats vary so often that many law firms lack the skills required to properly evaluate cyber-attacks involving their clients. As such, law firms across the nation are looking to partner with skilled cybersecurity companies to provide expert testimony, litigation consulting, and support related to cases involving cyber-attacks.
I sat down with Mike Weber, Vice President of Coalfire LABS, and Robert Meekins, Forensics Principal Consultant at Coalfire LABS, to discuss Coalfire’s Forensics practices, the trends we are seeing, and the types of cases we are supporting.
Jennifer Velnoskey (JV): Mike and Robert, thank you for joining me today. Tell me, how does Coalfire partner with and support law firms in their IT forensics cases?
Mike Weber (MW): For support of civil cases, Coalfire provides a range of services: collection and acquisition of digital evidence and data, analysis of the evidence (and we can provide an opinion of the occurrence or non-occurrence of a specific action), expert testimony, and litigation consulting.
JV: Recently, there have been significant breach activities for all types of organizations. Hackers (both internal and external) are becoming more adventurous in their approaches. How is Coalfire working with law firms with regard to cases involving a breach?
Robert Meekins (RM): Coalfire partners directly with the organization’s internal or external counsel under attorney-client privilege. In direct response to a breach investigation, Coalfire is tasked by counsel and the company to determine the extent of the breach. This typically includes potentially leaked or vulnerable information, potential attack vectors used, and the point of origin. Ultimately, Coalfire provides the “who, what, where, when, why, and how” of the breach.
JV: To take this question a step further, what trends are Coalfire seeing when it comes to the types of cases supported?
MW: Coalfire consistently and most commonly provides support on cases involving theft of protected data (e.g. credit cards, health information, etc.); however, companies have a vested interest in their intellectual property (IP), as a company’s IP is often its foundation. Therefore, Coalfire is more frequently supporting both law firms and the company on cases involving intellectual property theft. Furthermore, ‘bad leaver’ cases involving an organization’s former employees and potential intellectual property theft or improper use of computer resources are becoming increasingly prominent, requiring forensic analysis companies like Coalfire to provide litigation consulting and expert testimony.
JV: Let’s talk about emerging threats and different types of attacks Coalfire is seeing.
RM: Mobile devices are really a market that is just exploding when it comes to forensics analysis. Coalfire would say a mobile device is a one-stop shop for evidence; it collects business and personal emails, names, contacts, applications, records of text messages and phone calls. Most mobile devices nowadays contain more computing power than full-fledged systems just a few years ago.
Almost every case Coalfire is involved with has a mobile device (cell phones, tablets, GPS, etc.) component. Take many GPS devices for example: they can record your routes and destinations. Additionally, many of these GPS devices have the capability to connect through a cell phone or other mobile device that has Bluetooth capabilities. Often, this allows for call logs or text messages to be stored, which can be retrieved and used as evidence.
MW: Cell phones in general are extremely valuable assets and resources for Coalfire to obtain evidence. Cell phones can typically tell a forensics specialist details on an individual’s movements (where someone has been or not been). Using a cell tower’s data, a forensics specialist can pinpoint to the day and time where an individual’s phone has been.
JV: Mobile devices, understandably, are completely integrated into our lives these days. In fact, many companies are even allowing for “Bring Your Own Device” (BYOD). BYOD obviously allows for convenience to employees but opens a company to risk.
MW: You bring up an excellent point, and yes, companies are allowing employees to connect their personal devices to the corporate network. There are risks, but a form of protection is a policy giving the company the right to retain and examine an employee’s cell phone which connects to the corporate network. This is a policy Coalfire is familiar with and has helped several companies create for their needs.
JV: Data recovery analysis is extremely important for cybersecurity related cases. Law firms need evidence such as cell phone recordings, voice recordings, image recordings, etc. as it relates to their cases. How can Coalfire support on data recovery? What can Coalfire do to recover needed data?
RM: A cell phone is very much like a computer, in that data on it still resides on the device once it’s been deleted. The majority of items on a cell phone can’t be erased completely without specialized tools. For example, voice recordings could be deleted by the user of the phone, but they will still reside in the memory of the device. Coalfire has the capability and tools to recover this type of data. Another good example would be pictures. Mobile users use their devices for photos regularly and many times. When a photo is taken, the device will embed the location and sometimes even the direction the user was facing. Mobile devices contain a tremendous amount of metadata for a forensics specialist to discover as evidence for a case.
JV: These days social media serves as a way to communicate and broadcast information. How do we handle cases that involve a social media component?
RM: Social media is really used as an outlet for an individual to express themselves. For example, an individual may post or make a defamatory statement against a company, which a company wishes to have removed from a site. Coalfire supports law firms by researching and archiving social media feeds which may be used as evidence during a case.
JV: So I’d like to shift the conversation now to talk about what a law firm should look for in partnering with a third-party IT forensics investigator?
MW: Experience is key when researching a third-party company. Law firms will come to find several companies looking to support in this practice; however, evaluation of their experience is extremely important.
Questions that should be asked include: How many years has the company been doing IT forensics? What certifications does the forensics team have? Do they have experience testifying and providing expert testimony support?
JV: So what makes Coalfire different?
MW: Coalfire has been in the forensics business for 8 years and has a team dedicated to forensic analysis. Law firms are typically missing the IT expertise needed when these cases emerge. Coalfire can provide the consulting and technical services required to assist counsel in understanding and communicating the facts of the incident. Coalfire brings a different level of understanding as IT forensic investigation is a core service which requires unique skills.
In many cases, law firms prefer the use of a company like Coalfire because of its ability to collect, examine, maintain and interpret evidence effectively and efficiently for the law firm.