Digital forensics is a branch of forensic science that involves the collection, recovery, and investigation of data found on devices and accounts that store electronic data. Common devices that are the subject of digital forensic analysis include personal computers, laptops, tablets, smart phones, servers, email accounts, social media accounts, web-based storage accounts, wearable technology, and Internet connected devices (Internet of Things), among others.
The terms “computer forensics” and “digital forensics” often are used interchangeably. Because experts in our industry routinely work with many device types other than computers, as well as electronic storage accounts, digital forensics more accurately captures the modern scope of expertise.
Forensic imaging is the process of creating exact, verifiable copies of data stored on hard drives and other electronic storage devices. In the case of computer hard drives, forensic images are bit-for-bit copies of all data stored on such drives. For targeted collections, forensic images are verifiable exact copies of the selected files. For smart phones, forensic images are verifiable copies of the maximal amount of data supported for copying by the associated phone models and operating systems, and as such work performed on phones often is more accurately referred to as forensic collections.
There are too many to list, but here are a few examples:
Here are a few reasons clients hire outside computer forensic experts instead of using internal personnel:
There is no single certifying body in the computer forensics industry. There are, however, many digital forensic software providers who offer certification programs, as well as vendor-neutral certifications. One of the most prestigious vendor certifications is the EnCase Certified Examiner (EnCE), which requires rigorous training, passing a multiple choice exam, passing a practical exam requiring examination of digital evidence and creation of an associated report, and continuing education requirements to maintain active EnCE certification.
The eDiscovery lifecycle consists of the following stages:
Assisted review utilizes technology such as predictive coding and advanced machine learning to apply reviewers’ coding decisions to a broader data set, thereby decreasing review time and costs.
Batching is the process of dividing data sets into groups for processing or review, often organized by a single custodian or issue.
Bates stamps are alpha-numeric identifiers for produced documents, utilized so that produced documents easily can be identified, e.g. DEF0000001.
Boolean searches connect keywords or phrases in a single query using operators such as AND, OR, and NOT. When a single word or phrase generates an unexpectedly large number of hits, Boolean searches can be an effective technique for pinpointing documents of interest more precisely.
A clawback agreement is an agreement that provides a mechanism to retrieve inadvertently produced privileged documents, and to preclude their usage.
Coding is the process of entering fields of information from a document into a database, so that a set of documents can be more easily sorted and searched. Coding can be objective or subjective. Objective coding is coding that can be applied by anyone able to read the language of a document, such as the date of a document. Subjective coding is coding that requires understanding the document, such as the legal issues dealt with in a document.
A container file is a single file that contains multiple other files or documents, often in a compressed format. Examples of container files are Microsoft Outlook OST and PST files, ZIP files, and forensic image evidence files. File counts in eDiscovery can be underestimated if container files are not expanded prior to generating such counts, as a single container could contain thousands of files.
Culling is the process of limiting ESI after collection but prior to review, typically through automated means such as indexing the data and applying search criteria.
A custodian refers to an individual from whom ESI has been or will be collected, who possesses potentially relevant data.
Data extraction refers to extraction of searchable fields of information and data from documents, such that they can be populated into a review database. For example, in an email message extracted data includes, among others, the following information: to, from, cc, bcc, subject, date, attachment count, attachment names, and body text. Extraction and processing often are used interchangeably.
Data mapping is the process of creating a “map” to identify and record the locations and types of information within an organization. Organizations that work with multiple law firms can find data maps particularly useful, so that they quickly can inform counsel where potentially relevant data could reside and streamline the eDiscovery identification process.
De-duplication is the process of comparing electronic records based on their characteristics to identify and remove duplicate records from data sets, thereby reducing review time and increasing coding consistency.
De-NISTing is the process of filtering out files that appear on lists of files that are common across operating systems and programs as compiled by the National Institute of Standards and Technology (NIST). The NIST lists include digital fingerprints of files that are not user-generated, which can be compared to eDiscovery data sets in order to eliminate known irrelevant files prior to review.
Discovery is the process of identifying, collecting, processing, reviewing, and producing potentially relevant evidence. By extension, eDiscovery is that process with respect to electronically stored information.
Email threading is the process of compiling all emails within a review tool so that all emails from a chain can be viewed together as a single conversation.
Early case assessment is a method of performing an initial review of potentially relevant data in a cost-effective manner for the purpose of getting an initial sense as to the merits and potential costs associated with a legal matter.
Electronic discovery, also referred to as “eDiscovery” or “e-discovery”, is the process of identifying, collecting, processing, reviewing, and producing potentially relevant electronically stored information.
Electronically stored information, or ESI, is information that exists in electronic (i.e. not paper) format, such as emails, word processing documents, presentations, spreadsheets, and text messages, among a vast array of other ESI categories.
Filtering is the process of using certain parameters to identify or exclude documents, typically in order to identify a narrower set of documents to review. Filtering often requires indexing data and then using search criteria such as keywords, phrases, Boolean expressions, proximity expressions, dates, and custodians as mechanisms to narrow the universe of documents to be reviewed.
A hash value is a digital fingerprint of a document created through the use of a standardized algorithm, such that if the same document from different systems is analyzed, its hash values will match. Hash values are computed in order to de-duplicate documents. Examples of hash value algorithms include MD5 and SHA1.
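As an added illustration (not code from the original page or from ELIJAH), the following Python works through the hash-based steps described in the forensic imaging, de-duplication and de-NISTing entries above; the file contents and the known-file hash list are constructed stand-ins, not real case data or the real NIST list.

```python
import hashlib
from collections import defaultdict

# Constructed in-memory stand-in for files collected from two custodians
# (path -> content). Not real case data.
COLLECTED_FILES = {
    "custodianA/memo.docx": b"Q3 budget memo - draft 2",
    "custodianB/memo_copy.docx": b"Q3 budget memo - draft 2",   # exact duplicate
    "custodianA/kernel32.dll": b"<<constructed system library bytes>>",
    "custodianB/notes.txt": b"meeting notes, 2 March",
}

def sha1_hex(data: bytes) -> str:
    """Digital fingerprint of a document; same content on any system -> same value."""
    return hashlib.sha1(data).hexdigest()

def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()

# Constructed stand-in for a NIST-style known-file list, keyed by SHA-1 of content.
# The real NIST list is a separate, far larger download; this toy set has one entry.
KNOWN_SYSTEM_FILE_HASHES = {sha1_hex(b"<<constructed system library bytes>>")}

def denist(files: dict) -> dict:
    """De-NISTing: drop files whose fingerprint is on the known-file list."""
    return {path: data for path, data in files.items()
            if sha1_hex(data) not in KNOWN_SYSTEM_FILE_HASHES}

def deduplicate(files: dict):
    """De-duplication: group by content hash, keep the first path (sorted) as the
    review copy, and record the suppressed copies for the audit trail."""
    groups = defaultdict(list)
    for path in sorted(files):
        groups[sha1_hex(files[path])].append(path)
    keep = {paths[0]: files[paths[0]] for paths in groups.values()}
    suppressed = {h: paths[1:] for h, paths in groups.items() if len(paths) > 1}
    return keep, suppressed

def verify_image(source: bytes, image: bytes) -> bool:
    """Forensic imaging check: a copy is verifiable only if its MD5 and SHA-1
    both match the hashes computed over the source data."""
    return (md5_hex(source), sha1_hex(source)) == (md5_hex(image), sha1_hex(image))

if __name__ == "__main__":
    survivors = denist(COLLECTED_FILES)
    keep, suppressed = deduplicate(survivors)
    print("after de-NISTing:", sorted(survivors))
    print("review set:", sorted(keep))
    print("suppressed duplicates:", suppressed)
    print("image verified:", verify_image(b"drive bytes", b"drive bytes"))
```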
Hosting is the process of loading electronically stored information onto a review platform, often provided by an eDiscovery data hosting provider. Data hosting through an eDiscovery vendor allows legal teams to review large quantities of data remotely in an efficient manner, without needing to purchase their own software/hardware or to employ personnel experienced in administering such environments.
A legal hold, also known as a “preservation order” or “hold order,” is the temporary interruption of a company’s document retention and/or destruction policies for data that might be relevant to a lawsuit.
A load file is a database created using eDiscovery software that enables processed electronically stored information to be loaded to a review tool in a manner that can be sorted and searched.
Metadata is data about other electronic data; examples include dates, file names, authors, and other electronic characteristics. Metadata itself can be as relevant as document content, and collecting ESI in a manner that preserves document metadata often is important in litigation.
Native format is the format in which electronically stored information originally was created. A native file format sustains metadata and other details that can be absent when documents are converted to other formats, such as conversion to PDF and TIFF images.
Near duplicates are documents that contain a high percentage of the same content. Certain review tools enable near-duplicate identification, which can expedite review of similar documents. Typically near-duplicates should be identified rather than removed, since, for example, a response to an email containing only the word “no” could register a very high near-duplicate percentage yet still be relevant to review.
OCR is an abbreviation for Optical Character Recognition, which is the process of identifying and extracting searchable text from electronic files, such as PDFs and TIFF images. OCR often is utilized to increase the efficacy of text searches, but can be limited by the quality and nature of the documents lacking searchable text. Although OCR can lead to more documents being identified, the process of applying OCR can increase the time and/or cost of eDiscovery processing.
A parent-child relationship is the relationship between a file (the parent) that contains one or more sub-files (the children). An example of a parent-child relationship is an email, in which the message is the parent and the attachments are the children. Together, the parent and children are described as a document family.
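Added example, not from the original page: the email threading and parent-child (document family) concepts above, worked in Python's standard email library on constructed sample messages. build_message is a hypothetical helper used only to fabricate the input; the threading walks In-Reply-To and References headers back to the oldest ancestor.

```python
import email
from collections import defaultdict
from email import policy
from email.message import EmailMessage

def build_message(msg_id, subject, body, in_reply_to=None, references=(), attachments=()):
    """Constructed helper that fabricates a sample message as bytes (not real case data)."""
    msg = EmailMessage()
    msg["Message-ID"] = msg_id
    msg["Subject"] = subject
    msg["From"] = "alice@example.com"
    msg["To"] = "bob@example.com"
    if in_reply_to:
        msg["In-Reply-To"] = in_reply_to
    if references:
        msg["References"] = " ".join(references)
    msg.set_content(body)
    for filename, data in attachments:
        msg.add_attachment(data, maintype="application",
                           subtype="octet-stream", filename=filename)
    return msg.as_bytes()

def message_id(msg) -> str:
    return str(msg.get("Message-ID", "")).strip()

def family(raw: bytes) -> dict:
    """Parent-child: the message is the parent, its attachments are the children."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    children = [part.get_filename() for part in msg.iter_attachments()]
    return {"parent": message_id(msg), "children": children}

def thread(raws) -> dict:
    """Email threading: map each conversation root to the message ids in it."""
    parsed = {}
    for raw in raws:
        msg = email.message_from_bytes(raw, policy=policy.default)
        parsed[message_id(msg)] = msg

    def root_of(mid, seen=()):
        msg = parsed.get(mid)
        if msg is None:            # ancestor not collected: its id still names the thread
            return mid
        refs = str(msg.get("References", "")).split()   # oldest ancestor listed first
        parent = refs[0] if refs else str(msg.get("In-Reply-To", "")).strip()
        if not parent or parent == mid or parent in seen:  # a root, or a header loop
            return mid
        return root_of(parent, seen + (mid,))

    threads = defaultdict(list)
    for mid in parsed:
        threads[root_of(mid)].append(mid)
    return dict(threads)

# Constructed sample collection: one three-message chain plus an unrelated message.
RAWS = [
    build_message("<1@example.com>", "Budget", "Draft attached.",
                  attachments=[("budget.xlsx", b"constructed spreadsheet bytes")]),
    build_message("<2@example.com>", "Re: Budget", "no",
                  in_reply_to="<1@example.com>", references=["<1@example.com>"]),
    build_message("<3@example.com>", "Re: Budget", "Agreed.",
                  in_reply_to="<2@example.com>",
                  references=["<1@example.com>", "<2@example.com>"]),
    build_message("<4@example.com>", "Lunch", "Noon?"),
]

if __name__ == "__main__":
    for root, members in thread(RAWS).items():
        print(root, "->", members)
    print(family(RAWS[0]))
```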
Predictive coding is the process of combining machine-learning technology, work flows, and human review to apply decisions about the relevance of reviewed documents to a larger set of unreviewed documents, thereby reducing review time and cost.
Processing is the extraction of data and metadata from collected electronically stored information, and assembly of same into load file databases, so that the data more easily can be searched and sorted within review software.
Production is the delivery of documents and electronically stored information to other parties in a litigation matter, typically performed after a review for relevance and privilege. Often productions include bates stamped PDFs or TIFF files with an accompanying eDiscovery load file.
A proximity search connects sets of keywords or phrases in a single query based on the number of words apart in which they appear in a document, e.g. electronic w/2 discovery. When a single word or phrase generates an unexpectedly large number of hits, proximity searches can be an effective technique for pinpointing documents of interest more precisely.
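An added example (not the page's code or any review platform's) that evaluates the Boolean and proximity queries described in the two entries above over a constructed review set keyed by Bates number. The query syntax, with AND/OR/NOT, parentheses and w/N, is an assumption modelled on the glossary entries.

```python
import re

WORD = re.compile(r"[a-z0-9]+")

def tokenize(text: str) -> list:
    """Lower-case word tokens; punctuation is dropped, as an index would drop it."""
    return WORD.findall(text.lower())

def within(doc_tokens, a, b, n) -> bool:
    """a w/n b: some occurrence of a lies within n words of some occurrence of b."""
    pa = [i for i, t in enumerate(doc_tokens) if t == a]
    pb = [i for i, t in enumerate(doc_tokens) if t == b]
    return any(abs(i - j) <= n for i in pa for j in pb)

class QueryParser:
    """Recursive-descent parser: NOT binds tightest, then AND, then OR; parentheses
    group; 'x w/N y' is a proximity term. AND/OR/NOT are reserved query words."""
    def __init__(self, query: str):
        self.toks = re.findall(r"\(|\)|[^\s()]+", query)
        self.pos = 0
    def peek(self):
        return self.toks[self.pos] if self.pos < len(self.toks) else None
    def take(self):
        tok = self.peek()
        self.pos += 1
        return tok
    def parse(self):
        node = self.expr()
        if self.peek() is not None:
            raise ValueError("unexpected token %r" % self.peek())
        return node
    def expr(self):                       # expr := term (OR term)*
        left = self.term()
        while self.peek() and self.peek().upper() == "OR":
            self.take()
            left = ("OR", left, self.term())
        return left
    def term(self):                       # term := factor (AND factor)*
        left = self.factor()
        while self.peek() and self.peek().upper() == "AND":
            self.take()
            left = ("AND", left, self.factor())
        return left
    def factor(self):                     # factor := NOT factor | (expr) | word [w/N word]
        tok = self.take()
        if tok is None:
            raise ValueError("unexpected end of query")
        if tok.upper() == "NOT":
            return ("NOT", self.factor())
        if tok == "(":
            node = self.expr()
            if self.take() != ")":
                raise ValueError("missing closing parenthesis")
            return node
        word = tok.lower()
        nxt = self.peek()
        if nxt and re.fullmatch(r"w/\d+", nxt.lower()):
            n = int(self.take()[2:])
            other = self.take()
            if other is None:
                raise ValueError("w/%d needs a second term" % n)
            return ("NEAR", word, other.lower(), n)
        return ("WORD", word)

def evaluate(node, doc_tokens) -> bool:
    op = node[0]
    if op == "WORD":
        return node[1] in doc_tokens
    if op == "NEAR":
        return within(doc_tokens, node[1], node[2], node[3])
    if op == "NOT":
        return not evaluate(node[1], doc_tokens)
    if op == "AND":
        return evaluate(node[1], doc_tokens) and evaluate(node[2], doc_tokens)
    return evaluate(node[1], doc_tokens) or evaluate(node[2], doc_tokens)   # OR

def search(corpus: dict, query: str) -> list:
    """Return the Bates numbers of the documents matching the query."""
    node = QueryParser(query).parse()
    return sorted(bates for bates, text in corpus.items()
                  if evaluate(node, tokenize(text)))

# Constructed review set keyed by Bates number (not real documents).
CORPUS = {
    "DEF0000001": "Electronic discovery vendors were evaluated last quarter.",
    "DEF0000002": "The electronic records and the discovery deadline were discussed.",
    "DEF0000003": "Electronic equipment inventory; no discovery items in this memo.",
    "DEF0000004": "Privileged: discovery strategy memo from counsel.",
}

if __name__ == "__main__":
    for q in ("electronic AND discovery", "electronic w/2 discovery",
              "(electronic w/2 discovery) OR privileged", "discovery AND NOT electronic"):
        print(q, "->", search(CORPUS, q))
```

Note how "electronic AND discovery" hits three documents while "electronic w/2 discovery" narrows the result to the one in which the words actually sit together.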
Redaction is deliberately covering portions of documents that are considered privileged, proprietary, or confidential, such that the redacted portions cannot be seen or searched.
Spoliation is the destruction or alteration of relevant evidence. Rules regarding evidence spoliation vary, but the cost of litigating evidence spoliation issues (much less the possible sanctions) often is significantly higher than the cost would have been to properly preserve and collect responsive electronically stored information.
Structured data is data that is stored in a structured format, such as a database.
A system file is an electronic file that is part of an operating system or other program. System files typically are excluded from processing and/or removed during de-NISTing, so that only user-generated file types are searched.
Tagging is the process of assigning classifications, such as by relevance or privilege, to one or more documents.
A TIFF (Tagged Image File Format) is a common graphical file format to which hard copy documents are scanned, or ESI is converted for purposes of bates stamping and production. PDF files can fulfill an equivalent function.
Unitization is the process of assembling individually scanned pages into documents. Unitization can be physical, such as through the use of staples and binders, or logical, which involves human review to determine which pages belong together as a single document.
Unstructured data is electronically stored information not stored in a database format. Examples include emails, word processing files, spreadsheets, presentations, and various other documents.
Cybersecurity M&A Due Diligence is the process of reviewing cybersecurity risks within an organization that is the subject of a potential merger or acquisition, for purposes of planning and assessing whether such risks necessitate deal term changes. Cybersecurity M&A due diligence is an often overlooked component of information technology due diligence, and can include interviewing personnel, reviewing policies and procedures, evaluating previous security testing, and performing updated vulnerability and penetration tests. When performed properly, cybersecurity M&A due diligence can minimize risk, reduce costs, and identify potential deal-breakers.
An external vulnerability assessment is an evaluation of Internet-facing systems to evaluate potential vulnerability to outside hackers and prioritize associated remediation. Unlike penetration testing, external vulnerability assessments do not involve attempting to exploit identified vulnerabilities and penetrate into company systems.
An internal vulnerability assessment is an evaluation of systems behind an entity’s firewall, such as networked PCs and laptops, to evaluate potential security vulnerabilities and prioritize associated remediation. Unlike penetration testing, internal vulnerability assessments do not involve attempting to exploit identified vulnerabilities and penetrate into company systems.
The information security landscape and associated threats constantly are evolving, and outside vulnerability assessments are performed by information security experts who are focused on keeping pace with such changes. In-house information technology personnel often have a wide variety of duties, including supporting the core business of an organization, and often other organizational priorities interfere with keeping up to date with the latest security vulnerabilities. Even highly talented information technology personnel can use a second set of eyes to reduce the risk of inadvertent mistakes, and to provide feedback regarding recent security patches. From a marketing standpoint, being able to demonstrate to an organization’s clients that active steps have been taken to ensure that best practices for information security are being followed can provide comfort to those clients and serve as a differentiator for an organization. Finally, and most basically, your information often is the most valuable asset your organization possesses, and the relatively low costs of performing an information security assessment relative to the cost of your information being exposed to third parties represents significant value to an organization in the form of risk reduction.
Vulnerability assessments are an affordable means to identify potential security risks in order to prioritize their remediation. The security landscape is constantly evolving, and regular vulnerability assessments allow organizations to identify potential security weaknesses in systems once thought to be reasonably secure.
Penetration testing is the act of assessing the security of your network, websites, or other computer systems by simulating the actions of a potential attacker. Penetration testing is authorized activity that typically is planned and scheduled in order to minimize the risks of adversely affecting organizational systems. Penetration testing can be performed with a combination of automated and manual tools.
Penetration testing is the next step in proactive network security. It can help overcome the challenges mentioned above by assessing the real impact of vulnerabilities on a network and by prioritizing remediation. Vulnerability assessment and penetration testing go hand-in-hand. Vulnerability assessment results can be used as a starting point for a penetration test.
Black box testing assumes no prior knowledge of the infrastructure to be tested. The testers must first determine the location and extent of the systems before commencing their analysis. Black box testing simulates an attack from someone who is unfamiliar with the system.
A successful penetration test provides indisputable evidence of an existing problem as well as a starting point for prioritizing remediation. Penetration testing focuses on high-severity vulnerabilities and there are no false positives.
White box testing provides the testers with complete knowledge of the infrastructure to be tested, often including network diagrams, source code, and IP addressing information. White box testing simulates what might happen during an “inside job” or after a “leak” of sensitive information, where the attacker has access to source code, network layouts, and possibly even some passwords.
A vulnerability assessment simply identifies and reports noted vulnerabilities, prioritizing areas for remediation, whereas a penetration test attempts to exploit the vulnerabilities to determine whether unauthorized access or other malicious activity is possible and what data potentially can be accessed.
Any computer activity has certain risks. Penetration testing focuses on vulnerabilities that allow command execution. Many command-execution vulnerabilities are buffer overflows, which inherently run the risk of crashing computers or services. Proper planning and scheduling can minimize these risks.
An exploit is a program designed to demonstrate the presence of a specific vulnerability usually by executing commands on the target. Penetration testing works by running a series of exploits that are chosen based on the target’s operating system and running services. There are three basic types of exploits: (1) Remote – an initial break-in; exploitable by a remote user through a network service; (2) Local – privilege elevation; exploitable by an attacker who is already on the system; and (3) Client – exploitable when a user is tricked into loading an attacker-supplied file.
An exploit can be prevented or counter-measured through host-based intrusion prevention systems, properly maintaining firewalls, and a variety of other preventative methods. How to best resolve an exploit depends on the nature of the exploit and your computer systems.
ELIJAH prides itself on providing high quality, insightful reports with each of its assessments in order for you to be able to best prioritize your resources for the remedy of any identified vulnerabilities. Our security consultants love to offer advice on how to prioritize vulnerabilities and even provide consultancy and training on how to implement fixes. We are also here to answer any other questions you may have with regard to your project.
Network Layer testing includes firewall configuration testing, including stateful analysis tests and common firewall bypass testing, IPS evasion, DNS attacks including zone transfer testing, switching and routing issues, and other network related testing.
The cost of penetration testing varies depending on the nature and size of your IT infrastructure. Retaining ELIJAH to perform penetration testing is more affordable than you might have thought if you received quotes from the wrong vendors. Please contact ELIJAH for a free consultation to obtain more information on pricing and approaches tailored to your needs.
Absolutely, just let a member of our team know and we’ll factor that in when estimating the time needed to complete your project.
Host Configuration testing includes a full port scan and subsequent testing of all discovered services on a host EXCEPT custom applications and services. Services like SSH, MySQL/MSSQL and other database services, SMTP, FTP etc. are all included. Standard, well known web applications like Microsoft Outlook logon pages, standard administrative interfaces for firewalls, printers and other standard administrative web pages are included and will receive black box testing if discovered. Any applications or services that you have written or customized are not included. Custom web applications require the purchase of a web application test.
Social engineering penetration testing consists of testing whether employees adhere to an organization’s security policies and procedures, typically through the use of subterfuge or other scams, in order to determine the organization’s level of vulnerability to the exploit used. Testing provides an organization with information regarding how easily intruders could convince employees to break security rules or provide access to sensitive data. Physical testing could involve a tester trying to enter a secured building, for example, during a busy time and seeing if someone holds the door open rather than adhering to required access procedures. Phishing testing, another common social engineering method, can be used to test whether employees open email attachments from unknown sources, which could leave the organization vulnerable to various attacks. Telephonic testing could include a tester calling employees pretending to be a member of the organization’s IT team, providing them with new passwords and telling them they need to change their passwords to the new ones.
Incident Response is an organized approach to addressing and managing the aftermath of a security breach or cyberattack (also known as an incident). Incident Response involves people, process, and technology, to detect and respond to the attack. The goal is to handle the situation in a way that limits damage and reduces recovery time and costs.
Some common categories of incidents (not a fully inclusive list):
An Incident Response Plan includes a policy that specifically defines what constitutes an incident, who is responsible for responding to the incident within the company, and what step-by-step process should be followed when an incident occurs.
Ultimately senior executives are responsible for ensuring that a robust Incident Response Plan is in place. The Incident Response Plan should identify the chain of command for an incident. Many organizations will pre-select an outside incident response expert and include their contact information within the Incident Response Plan in order to eliminate the step of vetting vendors while attempting to respond to an incident.
The most effective Incident Response Teams are cross-functional and include representatives from senior-level executives to HR, Finance, PR, IT and security teams, as well as outside cyber security experts and law firms, so every chain of command understands how to identify and react to an incident that may affect them. For example, depending on the magnitude of an incident, forensics will be conducted by the security team and corrective actions will be taken by network/system administrators. Business functions such as finance or human resources could have protocols to follow, as confidential financial or employee information is often at risk when there is a cyber-attack.
Incident Response planning, testing, and execution needs to be championed from the executive level to maintain the focus and resources required for developing and sustaining an effective Incident Response Plan. Once a plan is in place, regular readiness drills (like fire drills) should also be conducted on a monthly or quarterly basis so all team members have a chance to practice their response before an incident happens. Outside cyber-security experts can assist in this process.
Although cloud storage often simplifies data backups, management of those systems can pose their own sets of challenges, including configuring user accounts, managing security settings, establishing litigation holds, exporting and migrating data, and a wide variety of other challenges. Whether in Office 365, G-Suite, or the wide variety of other cloud-based platforms, a skilled outside information technology provider can manage these services or augment your personnel, helping ensure that your systems run smoothly and securely.
Information technology managed services involve retaining an outside vendor as a single point of contact to meet routine information technology needs of an organization. Information technology managed services agreements often provide response time guarantees, and include specified services within predictable flat rates. Partnering with a skilled information technology managed services provider can increase organizational efficiency and profitability, while minimizing security risks.
Cybersecurity managed services are a subset of information technology managed services, in which an outside vendor is retained to develop and manage efforts to improve an organization’s data security posture. This can include reviewing cybersecurity policies and procedures, performing regular vulnerability assessments and penetration testing, conducting cybersecurity training, and overseeing other cybersecurity efforts.
Any organization needs to ensure that critical data can be recovered in the event of a disaster. Disaster recovery and backup services can include reviewing disaster recovery policies and procedures, implementing systems that ensure various company systems regularly are backed up, and consulting regarding disaster recovery best practices.
When flood, fire, theft, or other unforeseen events disrupt an organization, getting information technology systems back online quickly can be the difference between a minor inconvenience and a major business disruption. A skilled IT insurance repair service provider works side-by-side with the insurer and insured to quickly get an organization up and running again, restoring information systems and data back to an operational status.
Help desk support provides employees of an organization with a highly available resource to troubleshoot day-to-day computer and mobile device issues. Contracting with an outside vendor to provide help desk support services allows an organization to focus on its core business, while the outside vendor addresses routine challenges associated with computer glitches, software updates, and other daily needs.
Sometimes an organization does not require managed information technology services, but rather simply needs an outside vendor to fix things that go wrong on an as-needed basis. Break-fix is simply industry jargon for being available to assist.
Choosing among the many available software options to meet an organization’s needs can be overwhelming, and an outside software evaluation service provider can help an organization make the right decisions.
Virus and malware detection typically consists of software that routinely scans computers to detect known viruses, spyware, and malware, and that quarantines same. Notwithstanding the use of such software, computers can become infected in zero-day attacks (which take place before software is designed to detect the attacks), due to user error, or otherwise. A skilled outside vendor can ensure that viruses, spyware, and malware are removed from a system, and can work with an incident response team if the issue appears to have compromised company data or systems.
ELIJAH emphasizes a personal touch in IT consulting, guaranteeing a rapid response and bringing our local experts on site to address critical needs. Additionally, we can provide managed solutions that reduce risks associated with outside hacking and insider data theft, delivering a holistic approach to information technology that enhances your efficiency, security, and profitability.
Anyone can say that, but we back it up:
ELIJAH typically performs digital forensic services through ELIJAH LTD, an Illinois corporation; cybersecurity services through ELIJAH Data Security LLC, a Florida limited liability company; and information technology services through ELIJAH Information Technology LLC, a Florida limited liability company. ELIJAH also has formed corporations to support private investigator licensing in certain states, such as ELIJAH Technologies Ltd. in Michigan, which is a licensed professional investigator agency, License No. 3701-205600.
Better Evidence, Clearly. That means ELIJAH is second-to-none at collecting and investigating digital evidence, and devoted to presenting it in the clearest possible manner.
Yes! ELIJAH offers electronic discovery hosting services, including leading platforms such as Relativity and Indexed I/O. We have experienced project managers who can assist around the clock, and our depth of experience with analytics and AI-assisted review helps you find key documents faster. We have been recognized as eDiscovery Provider of the Year in several industry award surveys.
ELIJAH works with plaintiffs and defendants with approximately the same level of frequency. We also often act as a third-party neutral expert or a jointly-retained expert, helping to facilitate data collection and investigation in contentious matters involving highly sensitive information. ELIJAH also routinely performs internal investigations and provides expert digital forensic services in other matters in which no litigation is pending.
ELIJAH’s CEO is Andrew Reisman. Andrew has over 20,000 hours of digital forensics experience, and has testified throughout the country as a digital forensics expert. He maintains numerous certifications in computer forensics, electronic discovery, and data security, and routinely is invited to speak at industry events and in CLE presentations. Andrew was recognized as 2016’s Legal Technology Gamechanger of the Year by the ACQ Global Awards. Prior to founding ELIJAH in 2003, Andrew was a partner at one of the country’s largest law firms, practicing in litigation and technology law.
ELIJAH’s President is Rick Weber. Rick has nearly two decades of experience in the legal technology space, in particular developing software designed to extract and present data in a forensically sound manner. Rick is a frequent speaker, speaking on issues involving insider data theft and data security. Before joining ELIJAH, Rick was an attorney with one of the world’s largest law firms and served as a prosecutor at the United States Securities and Exchange Commission.