All posts tagged Data Breach

Only write the novel when you can solve the crime

A forensic mystery at Churchill War Rooms

When I first started as a Trainee Computer Forensic Analyst the sage advice I received from my manager was (as best as I can remember) “There are two types of people in this business: those that sit around figuring out how to commit a crime and the others that actually do it”.

When Tracey Stretton first suggested that my ‘creative’ imagination ought to be used for a “CF Murder Mystery” event I reeled.  Where do you start? How can I make it believable? What details are necessary for a mystery story?

By far the quote I found most helpful was from Andrew Hixson, of the James Bond short stories.

“I only write the novel when I can solve the crime”.

After the initial shock had worn off I quickly realised that I had been given a free ticket.  Without any billable time pressures I could finally, once and for all, take the time to work out from start to finish all aspects of a full ‘crime’.

The core of the plot came about in our first brainstorming session.  The event was to be limited both in time and, as alcohol was likely to be involved, complexity.  We needed a goldilocks computer security incident which was ‘just right’.

The simplest story is often the most believable, so it’s no surprise that we went with good old fashioned larceny.  After all, barring the consequences, we all can think of a way to steal data.

Between myself, Julian Sheppard and Tony Dearsley we collectively had enough stories about thieves and experience with thefts to provide a whole mini-series, not just one evening.

One of the more entertaining ideas we came up with was the discovery of a USB key found in the Channel Tunnel, equally laid on a rail across the Anglo-Franco border (The Discovery).  Unfortunately Sky Atlantic beat us to it and unveiled The Tunnel.  I still maintain that they took my idea and filmed an entire series in two weeks, just to throw me off!

Writing up the suspects and their backstory caused the most concern.  Each time I mentioned the name of an obscure fictional British or American spy there would be worried looks between colleagues.  “Is he day dreaming again?”, “What has this got to do with The War Rooms?”, “Why aren’t you on billable work?” was often asked.

Working out the details was easy once we had realistic characters.  Ultimately, for each of our suspects we laid out their motives and opportunities so as to leave a trail of clues to be picked out by our guests.  The plot becomes something far more interesting when we cheat and use the imagination of others to fill in the gaps.

In the words of Tolkien “Good stories deserve embellishment”, so it was decided that in order to describe a unique story we would need a unique visual guide.  This was Dial D for Data Theft, not Death by Powerpoint!

With judicious use of motion sickness inducing Prezi we were able to develop an interesting, if quirky, set of ‘slides’.

And then suddenly it was time for us to set out to the Cabinet War Rooms!

What a night it was! A perfect combination of story, location and audience.  Indeed the audience participation was, as I expected, the most inventive part of the presentation.

When asked why they thought a particular culprit was guilty, some of the answers were not exactly scientific:

Shifty Eyes”
“He owns a Porsche.”
“She reminds me of my ex-wife”

However, my favourite quote of the night goes to the guest who wrote on his guessing card:

“It was Felix [because] his shirt is far too tight and he’s a liar!  There’s no way he’s 6’10”! 5’11” at MOST“.

Then, with a bottle of something nice to the winning entry from our audience (none of the above were winners, sadly) we wrapped up the evening with an exciting dénouement and final farewell.

Mrs. Brown with the USB drive in the HR Office

Have you ever wondered what the life of a Computer Forensic Consultant is like? What am I saying, of course you have, who hasn’t?

But set aside the fast cars, glamorous women and shaken beverages for the moment, and think about the work they perform. What is it to think like a Forensic Investigator, to seek out digital evidence and uncover the truth?

Well today (or Thursday 24th April to be more accurate) is your lucky day. Come and join us at the historic Churchill War Rooms for food, drinks and general conviviality, plus a chance to help conduct a true to life computer forensic investigation. Successfully pick out the shady perpetrator and enter the prize draw.

But bear in mind, as Sherlock Holmes once said, ‘There is nothing more deceptive than an obvious fact’ so be sure to look closely to figure out what is relevant and dodge the red herrings.

If you would like to come to the event then please sign up here:

We very much look forward to seeing you on the evening.

Is there a nephologist in the building?

Cloud computing

Nephologist  (nɪˈfɒlədʒɪst)
-noun (rare)
(meteorology) an expert or specialist in the study of clouds

The advent of cloud computing and cloud storage has undoubtedly had a huge impact on the business and forensic stratosphere. An increasingly common answer to the question “where is your data stored?” is a shrug of the shoulders and a point to the sky.

This can have a serious impact on the security of an organisation’s data and on any subsequent forensic investigation. No longer is the dishonest employee required to employ cloak and dagger tactics to smuggle hardware from the premises. No longer are we called upon to investigate physical items that can be removed to a secure lab and, as such, Computer Forensic investigators are becoming nephologists.

Data can be transferred, synced and/or downloaded outside the firewall in minutes, so it is more important than ever to know what data is vital to your business and who can access it. We recently undertook an investigation where an employee in a data sensitive industry had installed a well-known cloud storage facility, transferred thousands of files and then Google searched “how to uninstall [cloud storage facility]”. The elapsed time from install to uninstall was a little more than 4 minutes, and if the internet history for the device had not been available, the outcome of that matter could have been very different.

There are clearly huge business advantages associated with the cloud, however, bearing in mind the strapline for the cloud service of a leading provider: “your stuff, anywhere”, the prudent business owner must exercise caution when choosing the right cloud service for business sensitive data.

If you do fancy a bit of atmospheric storage, Kroll Ontrack’s team of experienced ‘techno-nephologists’ are able to assist you in implementing a bespoke Forensic Readiness Plan to ensure that you are perfectly placed to prevent the loss of key data, and also on hand to help uncover key evidence if an incident does occur.


As we approach the end of 2013 it is only natural to look to the future and wonder what 2014 will bring.  Kroll Ontrack gathered together a panel of industry experts, supplied copious bubbly drinks (to help with the creative juices) and cajoled them into giving up their predictions for next year.  My personal favourite:

Kroll Ontrack will achieve ediscovery world domination!

On a less aggressive note, the predictions identify a number of themes that were also hot topics in 2013.  “Data Protection will be top of the agenda” from one law firm partner.  Hidden behind all the cross-border matters, data protection has always been a lingering issue for any lawyer. However, since the surreptitious release of NSA files, the day to day café discussion has been emotional and heated. This has led politicians, companies and law firms in EMEA, and other parts of the world, to review practices and procedures in relation to information provided to other countries, and especially to the US. An extensive overhaul of the EU’s data protection regulation is due in 2014 with fines of up to €100m and mandatory data protection officers.  This far-reaching data protection regulation is due to replace Europe’s 1995 Data Protection Directive, following a vote by the European Union.   This new regulation is likely to result in complex technological, process and governance challenges for organisations across Europe.

“A major law firm will suffer a cyber attack”.  This is not so much a new prediction for 2014, as a continuation of a theme from 2013.  A major city law firm successfully fought a ‘drive by’ or ‘watering hole’ attack in October 2013, but it has highlighted the vulnerabilities in the legal profession.  If you attack a corporation, you get one company’s information.  If you attack a law firm, you potentially get hundreds.  As corporations strive to keep their IT infrastructure airtight, one must ask whether their legal advisors are doing the same when handling sensitive and privileged data.

“Discovery of Twitter (private messages) and Facebook accounts”.  I think we can lump these in under the general heading of  “social media”.  Without the express co-operation of the account holder, what options are there for discovery?  Using talented forensic consultants there is a possibility of finding fragments of data previously accessed on a hard drive but unless you have the user name and password the only option to obtain a full data set is a court order to the service provider.

“The first request from a lawyer will be ‘can I use predictive coding on this matter’?”  Whilst predictive coding is on the rise, our first question would be how much data, how long do you have to review?  If the matter fits we will happily unleash our expertise on said lawyer, providing consultancy and guidance. Predictive coding is finally entering the mainstream, and as we see it being used more and more often as lawyers become familiar with the technology, I can see lawyers asking for its use, rather than it being suggested to them.

Finally, is there potential for a shift in the way ediscovery is approached? Perhaps ediscovery will start being considered as part of the integral process of litigation, competition cases and internal investigations and “In 2014 the worlds of law, technology and business will finally converge as they should!”

In conclusion, the most important predictions of the year ahead:

  •  “Warrington Wolves to win the rugby league super league”
  • “Royal Wedding – Harry and a posh blond”
  • And most importantly “We discover Sherlock can fly”

Amsterdam: The Layover – E-Crime congress 2013

Don't Panic: Responding to Data Theft

Day 1

4:00 pm – Nexus, Farringdon Street, London
Here’s some wise advice – never answer your phone when your train is leaving in 15 minutes. Robert Jones learned this the hard way and as a result he had to set a new track record Nexus – City Thameslink Station, in under 2 minutes. “Surely that can’t be done!” I hear you cry. Well thankfully Rob, like all Kroll Ontrack employees, is a finely tuned athlete and has been training for marathons, and so made it with seconds to spare. Robbie J, quite literally going the extra mile to keep his clients happy. So the three intrepid travellers – Luke Aaron, Robert Jones and myself – got the train on time and were on our way to Gatwick airport.

5:30 pm – Gatwick Airport, Departure Lounge
Dinner consisted of tortilla chips, guacamole sauce and some random roasted vegetables, eaten with one of those silly security knives, more handle than blade, hardly gourmet cuisine. “That’ll be £9.50 please sir” –“How much? For some crisps and a dip” so lighter in the pocket, but ‘heavy’ on food we headed to the plane. After the traditional security routine – put toiletries in small evidence bag, take off coat, jacket and belt, unpack laptop, put all small change in tray (not that we had much left after dinner), get tray jammed by eight others in machine, get patted down by male security guard, feel violated, put belt back on, lose passport and boarding card, panic, find passport and boarding card in pocket you didn’t know existed, re-pack entire contents of luggage – we boarded the plane. Without naming names, it was the orange and white budget one that sounds like Cheesypet, who have started to allocate seats nowadays, much to the consternation of familiar Cheesypet travellers who had prepared for the scrum to get a seat near the front of the plane. We finally took off and were on our way to Amsterdam.

10:00 pm – Hotel Okura, Amsterdam
An hour later we landed on Dutch soil with the final destination as the Okura hotel. A fine and opulent hotel, the pinnacle of which was the remote controlled blind between the bath and bedroom. Rob claims he overheard Luke getting at least half an hour of entertainment by continually sending it up and down.

Day 2

12:25 pm – Hotel Okura, Amsterdam
After building up the stand with extreme precision, it was Luke Aaron’s time to shine at his debut as a Kroll Ontrack speaker. His educational seminar was entitled ‘Don’t panic: Responding to data theft’. In the 35 minute slot Luke explained to around 25 captivated visitors, from a variety of backgrounds including banking, telecoms and software companies, what policies and procedures every company should embrace regarding to a possible data theft. The presentation was very well received and was for many an eye-opening introduction to the world of data theft response.

Luke Aaron on data theft

2:25 pm – Hotel Okura, Amsterdam
Now it was time for Robert Jones and his special guest, Misha lutje Beerenbroek, Head of EC Competition and Trade at Baker & McKenzie, Amsterdam to impress the crowd. This pairing, which some (Rob) have compared to the compliance world’s equivalent to Jimmy Page and Robert Plant*, rocked the conference with a talk centred around ‘Using innovative technology to audit for compliance’. With a very relaxed and open approach the duo riffed away on regulatory trends towards cross-border investigations and fines, the growth of a compliance culture and the benefits of building strong compliance programmes to be better prepared for the risk of regulatory intervention in relation to antitrust, corruption and other issues.  A particular topic which got the audience talking was the frank discussion of approaches taken by companies when weighing up the problem of carrying out an internal investigation to defend the company, versus the risk of infringing an employee’s personal rights and data privacy laws. It was clear this gave many visitors a new perspective on internal audits and some audience members were still humming away afterwards to the tune of ‘Communication Breakdown’ (or ‘email analytics’, as we like to call it).

*Of ‘Led Zeppelin’ fame – apparently some people have never heard of them.

7:00 pm – Schipol, Departure Lounge
After re-hashing over dinner we came to the conclusion that it was a productive day. With our data centre in Germany due to be operational in late January and our French data centre to come online shortly afterwards, hopefully congresses like this will help make more businesses aware of our continued commitment to providing solutions in Continental Europe.

About Jasper van Dooren

Jasper is part of the Electronic Evidence Consultancy team, which provides scoping consultancy and advice to potential clients in ediscovery or computer forensics matters. He also assists clients by providing demonstrations, presentations, documentation and advice before and during project engagements to ensure that expectations and legal requirements are being met. Jasper graduated from Utrecht University, Netherlands, with a Master’s degree in Private law before moving to London.

E-Discovery and E-Investigations Forum 2013

Visits to countless hotels with their endless Las-Vegan style psychedelic carpets, exchanging a metric ton of business cards with sales folk in  shiny suits, shinier badges and yet shinier teeth and a veritable bounty of canapés and foods on sticks that so epically fail to satiate one’s hunger. All of the above can only mean one thing…conference season is well and truly upon us.


Rob and Luke at AKJ

That time of year where the legal technology industry crams in a quarter’s worth of conferences in to a 3 week period, so that everyone can feel slightly more comfortable with the fact that everyone will be mentally checked out from mid-November until we’re safely into 2014 and our New Year’s resolution requires us to work harder.

But the season isn’t all pretentious canapés and teeth whitening, it can’t all be fun and games! Occasionally, as a subject matter “expert” in one’s field, you are asked to share your knowledge with a room full of strangers; and that is precisely what I was asked to do when chairing a panel discussion entitled “Protecting data in business and in investigations”. I was joined by Martin Pratt, Head of the Employment Group at Gordon Dadds Solicitors in Mayfair and E.J Hilbert, Head of Cyber Security at Kroll Advisory Solutions and regular creator of  audible gasps as he tells people of his 8 years spent as an FBI secret agent countering international hacking (no prism jokes please).


Luke at AKJ

The discussion was incredibly well received and the feedback has been overwhelmingly positive. Huge thanks for this must go to the two gentlemen mentioned above, whom I, in a Dimblebyesque way, merely pointed in what I hoped to be an interesting direction and let their vast experience and expertise come across to the audience.  I know from feedback, that some even took some helpful hints back to office with them that day. I can hear you all thinking “Luke, helpful takeaways from a conference seminar? Such a thing does not exist, I just go for the chicken ballotine with quince jelly.”

At a high level, the points are basic. For external threats, it’s all about educating staff. The identity of external threats may have shifted, but their methods continue to be repeated ad nauseam.  As long as people are still using their dog’s name or favourite football team as their password, hackers will always be able to crack it. As long as people follow links, even those that appear to come from a trusted source, their ‘email to click’ ratio will remain high and this method remains viable. So change your obvious password to a phrase instead. You won’t forget “tobeornottobe” in a hurry, but it’s infinitely harder to crack. Instead of clicking that link you’ve been sent, Google the name, find the original source and then decide whether to trust that email or not.

For internal threats the messaging is more important than ever: control who can access data. Categorise it so that staff have access to data required for their job but nothing else and ensure that your employment contracts are fit for the modern workplace, and regularly updated.

We have been asked to present further on this topic of data theft/loss in business at both the E-Crime forum in Amsterdam on the 28th November 2013 and as the final part of our current Webinar series  which is set to broadcast in early December. They promise to be excellent discussions and if at all possible I strongly urge people to register and listen in.

Until then, look after yourself and each other.

Please take a seat Mr. Snowden

Please take a seat Mr. Snowden

As we begin to set the table for the ediscovery and edisclosure predictions of 2014 we often reflect on those invited in past years:  an ever expanding cloud, big data, technology assisted review, social media collection and others. This year however, is unusual in that we have an unanticipated guest who reminds us that while forecasting trends is an important process, we are never prepared for everything.

Please take a seat Mr. Snowden.

It is unclear exactly what effects Mr Snowden’s revelations will have in the long run, but already clients are becoming more protective regarding dross-border data transfers and the European Union is questioning safe harbour certification.

Global networks and the explosion of cloud storage has continually raised security concerns but they are rarely highlighted on such a massive scale. This is causing clients to rethink where data is stored, how it is collected, and where it is processed, as well as how to manage review teams that may be scattered across the globe.

A year ago the idea of shipping a fully-formed processing and review platform, independent storage, and an entire legal review team to a client’s facility would have been ludicrous, both from a logistical and financial standpoint. Yet since Spring, when some of the major revelations from Snowden’s materials surfaced, I have discussed the possibility of providing exactly this with three different clients.

Continually addressing clients’ concerns is our business, and while it is premature and reactionary to say good-bye to the cloud, an increase in local data centres and on premise solutions may end up being one of the biggest trends of the coming years.

About Orion Wisness

Orion provides consultancy and training to assist clients with the identification, preservation, collection and analysis of potential evidence in document intensive cases. He advises clients on strategies and techniques to help lawyers and corporate clients deploy technology efficiently and cost effectively, as well as assisting them in the fundamentals of document reviews, the design of practical workflow processes and the selection of the technical solutions required to fulfill these goals. He is frequently called on to comment on best practices and new developments in the electronic disclosure and discovery industries.

Autumn Ediscovery News: New Solutions and Education for Companies

We are very excited this week to announce the launch of in-country ediscovery processing capabilities in Germany and France as well as Ontrack® Onsite™, a self-contained ediscovery solution that can be deployed onsite to any country.  Many of our European clients have grappled for a long time with data protection laws that restrict data transfers in cross-border cases and increase the complexity, cost and risk associated with ediscovery. We have also seen data security and the protection of intellectual property become more important to companies as cyber attacks, data breaches and surveillance become a day to day reality.  As our President and CEO, Dean Hager notes in our press release issued on 1 October, we are addressing these needs head on with flexible solutions that allow data to be processed either in country in Germany and France, in addition to already established data centre hubs in the U.S., U.K. or Japan, or behind a company’s own firewall when data cannot leave its premises.  If you would like further information about these new capabilities you can read our press release or give us a call.

Coinciding with the announcement we are also launching a complimentary webinar programme in EMEA in which we will be examining the management of electronically stored evidence from the point of view of corporate counsel in Europe and some of key issues which arise.

In our first webinar on 8 October on Data Control: Ediscovery Solutions for European Companies we will look at how to manage company data in litigation, regulatory inquiries and internal investigations when security, confidentiality and compliance with data protection laws are of paramount importance.   If you would like further information about the event please click here and if you would like to register please email us at

We have on our panel:

Christian Kuss, Associate, IT, Copyright and Data Protection Law, Luther, Cologne

Mark Surguy, Partner, Fraud and Investigations Group, Eversheds, Birmingham

Thomas Sely, Electronic Evidence Consultant, Kroll Ontrack, Paris

Andrew Szczech, Director for EMEA, Kroll Ontrack, London (Moderator)

The panel will be discussing the reasons clients choose to process data in country or onsite, whether that be due to data protection and privacy laws or concern about data security.  We will also be looking into solutions such as behind the firewall ediscovery solutions, in country solutions and other legal mechanisms for handling data protection restrictions on cross-border data transfers and client concerns about confidentiality.  This intended to be a practical session and our speakers will share experiences in an area where the law is often grey and client’s appetite for risk varies.

In our next two webinars we will be hosting discussions on the following:

22 October – Ediscovery – What In-house Counsel Need to Know – what companies need to do to ensure that costs, risks and response times are reduced when responding to formal demands on company information such as discovery requests in litigation, compliance checks, due diligence or regulatory requests.

5 November – The Changing Face of Data Theft – what new risks companies face due to advances in technology such as the use of mobile devices, cloud storage and social media by employees and how to respond forensically

About Tracey Stretton

Tracey Stretton is a legal Consultant at Kroll Ontrack in the UK. Her role is to advise lawyers and their clients on the use of technology in legal practice. Her experience in legal technologies has evolved from exposure to its use as a lawyer and consultant on a large number of cases in a variety of international jurisdictions.