Ransomware: A primer for lawyers

By Rogue Heart

Data exfiltration is on the rise. Lawyers need to know how exfiltration is investigated so they can limit further damage to a client's or firm's finances and reputation. Our digital forensic examiners team up with you to establish the scope of the attack and support your investigation.

What is ransomware?

First, let’s get clear on ransomware.

Ransomware attacks often involve the threat of exfiltrated data. Attackers threaten to publish stolen, sensitive data unless someone pays a ransom.

Here’s what goes down in the event of a ransomware attack:

Ransomware attackers increasingly steal your data before encrypting it, and their tooling is only getting more sophisticated. Think of it as a burglar who empties your house and then changes the locks, holding the new keys hostage. Instead of physically breaking in, ransomware operators reach your device through an email attachment you opened, an ad you clicked on, a hyperlink you followed, or a website you visited that was embedded with malware (FBI.gov).

These intrusions usually aren't detected right away. Malicious code is loaded onto your computer and the attackers work in the background, often for weeks, until your files and data are locked and inaccessible. Only then do you see messages demanding payment to regain access to your data and files.

Now, back to exfiltration. Proving that data actually left the network often relies on circumstantial evidence. In most ransomware attacks the data is exfiltrated before the encryption runs, and when the encryption does run it hits whatever is saved on the network, including the firewall logs and other records that would show the transfer. If the only copy of those logs lives on a system the ransomware reached, the evidence is encrypted along with everything else.

Ransomware operators usually work from laptops, workstations, and other user-controlled devices, so that is a good place to start an exfiltration investigation. Be mindful that the attackers may also have targeted network backups and may have disabled the security software that would otherwise detect a ransomware attack.

Ransomware protection 

Unfortunately, most ransomware investigations begin after the attack has already been deployed. There are precautions your clients can take to prevent an attack, or at least to make sure the evidence needed to investigate one survives:

  • Look for red flags in activity, such as a user logging into a system from a different country at an unusual time of day.
  • Review log activity regularly, and keep a copy of the logs somewhere the attacker cannot reach, so they are not encrypted along with the rest of the network.
  • Review and update retention policies so the logs you need are still there when an incident is discovered weeks later.
  • Make an incident response plan.
  • Automate anti-virus and anti-malware solutions and run scans regularly.
  • Enable two-factor authentication.
  • Back up often and in many places, with at least one isolated (offline) backup so the data can't be encrypted or destroyed.
  • Update your devices' software often.
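As an added example (not part of the original post), here is how two of the checks above can be expressed in a few lines of Python: the "different country at an unusual time of day" red flag, run over a constructed authentication log, and the outbound-volume check an examiner would run against firewall logs to find the circumstantial exfiltration evidence described earlier, which is only possible when those logs were kept somewhere the ransomware could not encrypt. The log field layout, the per-user baseline of usual countries, the business-hours window and the 1 GB threshold are all assumptions made for this example and not any product's real format or any firm's real data.

```python
"""Two ransomware red-flag checks over constructed log data.

(1) Successful logins from a country outside the user's usual baseline, at an
    hour outside the business-hours window.
(2) Internal hosts sending an unusually large volume of data to external
    addresses (circumstantial evidence of exfiltration).

All log lines, the baseline and the thresholds are constructed for this
example; the field layout is an assumption, not a real vendor format.
"""
from collections import defaultdict
from datetime import datetime
import ipaddress

# Constructed authentication log: timestamp, user, source IP, GeoIP country, result
AUTH_LOG = """\
2023-03-14T09:12:03Z alice 203.0.113.7 US success
2023-03-14T02:47:51Z alice 198.51.100.23 RO success
2023-03-14T10:05:19Z bob 203.0.113.9 US success
2023-03-15T03:30:00Z bob 192.0.2.44 US failure
2023-03-15T01:15:42Z carol 198.51.100.77 CN success
"""

# Constructed baseline of where each user normally logs in from (assumption)
USUAL_COUNTRY = {"alice": {"US"}, "bob": {"US"}, "carol": {"US", "GB"}}
BUSINESS_HOURS = range(7, 20)  # 07:00-19:59 UTC, an assumed working window


def unusual_logins(log_text, baseline, hours=BUSINESS_HOURS):
    """Return (user, source IP, country, timestamp) for successful logins that
    came from a country outside the user's baseline AND happened outside
    business hours; both conditions must hold, as in the red flag above."""
    flagged = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, src, country, result = line.split()
        if result != "success":
            continue  # failed attempts are a different signal (password guessing)
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        if country not in baseline.get(user, set()) and when.hour not in hours:
            flagged.append((user, src, country, ts))
    return flagged


# Constructed firewall flow log: timestamp, internal source, destination, bytes sent
FLOW_LOG = """\
2023-03-14T22:01:00Z 10.0.0.12 203.0.113.50 4800
2023-03-14T22:03:00Z 10.0.0.12 198.51.100.9 1400000000
2023-03-14T22:05:00Z 10.0.0.12 198.51.100.9 900000000
2023-03-14T22:07:00Z 10.0.0.31 10.0.0.5 5000000000
2023-03-14T22:09:00Z 10.0.0.31 203.0.113.60 250000
"""


def outbound_volume(log_text, internal=ipaddress.ip_network("10.0.0.0/8")):
    """Sum bytes sent per internal host to destinations outside the internal
    network. Internal-to-internal traffic (e.g. a backup job) is ignored so it
    does not mask or inflate the external figure."""
    totals = defaultdict(int)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, src, dst, nbytes = line.split()
        if ipaddress.ip_address(dst) in internal:
            continue
        totals[src] += int(nbytes)
    return dict(totals)


def exfil_suspects(log_text, threshold_bytes=1_000_000_000):
    """Hosts whose external outbound volume meets the threshold (1 GB here, an
    assumed value; tune it to the environment's normal egress)."""
    return sorted(h for h, b in outbound_volume(log_text).items() if b >= threshold_bytes)


if __name__ == "__main__":
    for user, src, country, ts in unusual_logins(AUTH_LOG, USUAL_COUNTRY):
        print(f"unusual login: {user} from {src} ({country}) at {ts}")
    for host in exfil_suspects(FLOW_LOG):
        print(f"possible exfiltration: {host} sent {outbound_volume(FLOW_LOG)[host]} bytes externally")
```

Both checks only work if the logs exist and are intact when the investigation starts: the login check needs a baseline of normal activity, and the volume check needs the firewall records from before the encryption ran, which is why the retention and off-network logging points in the list matter.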

Stuck? Our examiners know where to look for other clues and can help you fill the holes in your client’s network exfiltration story. Give us a call.

The Complete Picture: Cloud-Based Evidence

By Rogue Heart

Explore the fastest growing area in Digital Forensics

Cloud-based evidence is the fastest growing area in digital forensics. Accessing cloud evidence means having legal authority to compel the provider to produce the data, being given the account's username(s) and password(s), or holding some other credential that grants access, such as an authentication token (Elcomsoft 2018). But having the keys doesn't mean you'll get into the treasure chest. And there are ethical concerns.

Opinions vary on cloud computing, cloud forensics, and the impact of cloud environments on digital forensics (Barrett 2020). Gathering evidence depends on:

  • Standard evidence acquisition procedures
  • Federal and local laws
  • Court accepted methods
  • Cooperation of the individual(s) who “owns” the data
  • And the cooperation of the cloud provider

Protecting and preserving electronic evidence can be done through simple practices:

  • Two-factor authentication
  • Strong passwords
  • Encrypted email services
  • And secure storage.

Safeguarding information this way is both an ethical obligation and a practical one: it also streamlines a forensic team's workflow.

Cloud-Based Data Storage 

Cloud-stored data from mobile phones that can serve as evidence includes (American Bar Association 2016):

  • Locations
  • Text messages
  • Pictures
  • Videos
  • Music
  • Voicemails
  • A list of wireless networks where the phone connected
  • Address book
  • Email
  • Call logs
  • Web history

As tech giants adopt stronger user-privacy practices, this data could become inaccessible. Google, whose widely used browser, operating system, location apps and entertainment platforms are opened daily by internet users, now auto-deletes activity data such as location history after 18 months by default for new accounts. What can you do when your case is impacted?

Call us, the experts.

In traditional digital forensic acquisition, examiners focus on individual computers and isolated environments. Cloud forensic acquisition is different because it reaches into account servers, applications, and operating platforms that may be located abroad (Barrett 2020). The challenge is pinpointing the laws and the jurisdiction that govern the place where a crime involving the data occurred (Tripwire 2019). Cloud servers and their data can be hosted in several countries, which leaves cloud-based evidence exposed to third-party compromise, legal red tape, or a provider that simply doesn't cooperate with your local laws.

Cloud-Based Evidence. Delivered.

“[Our clients] benefit by having a more complete picture…Of the algorithms that go on and capture information and report on it, we don’t ever see them because they exist somewhere else. But for the Cloud specifically, you know, we’re able to see your Gmail, your Google account, you’re able to see a timeline of activity,” says Josh Michel, a senior examiner on our team.

Roloff Digital Forensics' examiners keep abreast of new provider policies, the datasets providers collect, and developments in cloud-based privacy and technology, bolstering your case strategy and giving you the complete picture.

Want to get the complete picture for your case? Drop us a line.