Security breach captured with BlackBox





About One Source Discovery
One Source Discovery (OSD) is a consulting firm and global service provider of Digital Forensics, Information Security, and Electronic Discovery services. OSD keeps BlackBox in its incident response toolbox and is a registered BlackBox Enterprise Partner.

Background
OSD received a frantic phone call near the end of the business day from a repeat customer - an attorney specializing in Business Litigation - whose client, a mid-sized construction firm, had apparently been hacked. The breach was discovered on a Monday morning when the Controller noticed that over $280k had been transferred out of the company bank account over the preceding weekend. OSD quickly provided two options to immediately respond to the security breach: 1) send several technicians to the construction firm to begin the process of imaging all relevant computer systems or 2) deploy a remote collection tool, BlackBox, to securely collect all custodian machines involved using the manpower of the company’s internal IT staff. The client elected to use BlackBox after evaluating the costs of bringing a team of technicians on-site versus completing the work by means of remote collection with BlackBox. The client was understandably anxious and eager to get the response underway; choosing BlackBox meant it could get started within minutes, not hours.

Ticking clock
The challenge was working against the clock and balancing the client’s cost sensitivity without sacrificing forensic standards. Sending a technician to each location to obtain a forensic image is time-consuming, costly, and can become logistically complicated. While OSD is a digital forensics firm equipped with a staff of trained technicians accustomed to completing on-site collections within tight time frames, the speed at which a traditional forensic collection could take place was limited by the necessary equipment and number of trained examiners available on short notice. Furthermore, sending multiple technicians on-site presents a number of secondary challenges for OSD, namely that analysis work in the lab is put on hold.

“Time was truly of the essence; using BlackBox enabled our client’s in-house IT to serve as an extension of our forensic collection team to begin acquiring data within the hour.”
- Jason Hale, MS, CCE, Computer Forensic Examiner, One Source Discovery

Remote Collection Saves the Day
BlackBox, unlike traditional collection methods, allows for rapid deployment of devices – not technicians - to acquire data from live systems spread throughout a network. This means deployment time is reduced from hours to minutes – an extremely important factor when responding to a security breach. 

Traditional methods are not always the best fit. BlackBox is:
  • 75% faster than traditional forensic collection methods
  • 1/2 the cost of a technician

With the use of BlackBox, OSD was able to quickly collect all disk-based data and preserve valuable information in a manner that drastically reduced the possibility of key data loss moving forward. OSD was able to complete the data collections for over 20 custodians 75% faster than the alternative option of sending technicians to complete the collection, all for less than half the cost of traditional methods. As an added bonus, OSD was able to (1) quickly scale its operations without a high up-front investment in additional hardware and (2) keep its technicians in the lab working on other billable projects. Ultimately, BlackBox was the best solution for preserving potentially volatile disk-based evidence relevant to this security breach.

Become a BlackBox Partner today.


How Do I Get BlackBox? Top 5 Questions About BlackBox Answered: Part 5

I’ve been reading about BlackBox and I’d like to use it. How do I get BlackBox?

You can locate a BlackBox Partner near you by entering your zip code on the BlackBox website. BlackBox is available exclusively through our network of professional Partners. BlackBox Partners are vetted computer forensics and/or electronic discovery providers. Not only will these Partners set you up with BlackBox for data collections, they may also be able to help make your job easier by providing advice for your case based upon their technical experience with similar matters. Visit blackboxforensics.com today and find a Partner near you.


Are you a digital forensics firm or an eDiscovery vendor interested in becoming a BlackBox Partner?

Good news. You don’t have to be a large eDiscovery corporation to use BlackBox. BlackBox vets and partners with skilled firms of all sizes, from one-person forensics shops to global providers of litigation support and eDiscovery services. BlackBox will make your job easier and result in less travel to remote job locations. Best of all, becoming a BlackBox Partner is free. Purchase licenses only as you need them. No equipment to buy and no annual support fees. Sign up to become a BlackBox Partner today.

How is BlackBox different from other remote collection tools? Top 5 Questions About BlackBox Answered: Part 4

To recap the previous three posts in this series, we’ve learned that (1) BlackBox is a forensically sound remote data collection software tool (See Part 1: What is BlackBox?), (2) BlackBox collections are securely configured by the legal team and then triggered by the data custodian on-site (See Part 2: How Does BlackBox Work?), and (3) you can trust that BlackBox is completing a defensible collection because its tamper-resistant technologies rely on hashing algorithms, audit logs and encryption (See Part 3: Is Remote Collection Defensible?). Now, let’s talk about how and why BlackBox is different from (and better than) the other tools in this space.

BlackBox Is Thoughtful.
BlackBox caters to the needs of every user likely to be involved in a data collection scenario, making the process user-friendly for all.
  • Legal Teams. BlackBox gives the attorneys control over what is collected. The attorneys also get the peace of mind that comes with knowing the data custodian onsite cannot alter the collection.
  • Digital Forensics/Electronic Discovery Vendors. Technicians are spared traveling to remote (read, scary) places. Industry-standard safeguards in place assure that the collection is defensible and verifiable. Technicians can stay productive completing analysis in the lab rather than traveling to and then waiting around onsite for a collection to run.
  • Data Custodians. BlackBox makes their role painless. Data custodians simply plug BlackBox into their machine and hit Start. Once the collection is finished a Chain of Custody pre-filled with the collection specifics is generated. Custodians simply click the “Print Chain of Custody” button and sign it. Then they’re done.

BlackBox is not dependent on hardware.
BlackBox software can be loaded onto any NTFS-formatted hard drive or storage device (such as a thumb drive). Since you can use BlackBox with basically any storage device, BlackBox is infinitely scalable to meet your data collection needs. Having the hardware required for a large-scale collection at a moment’s notice is no longer a concern.

Pricing is clear and upfront with BlackBox.
There is no guessing what you’ll pay for a collection using BlackBox. BlackBox lists the cost of $249 per collection clearly on its website for all to see. The price remains the same regardless of the size of the hard drive being collected, whether it’s 250GB or 1TB. There are no minimum purchase requirements; buy only the number of licenses you need, as you need them.

BlackBox is a true global data collection solution.
BlackBox allows hard drives to be remotely licensed, thus eliminating the delays and costs associated with initially shipping remote collection devices to the custodian.
“BlackBox provided a trouble-free process for me to get forensic images out of a third world country from the comfort of my office. I would not have been able to get these images without BlackBox.”
--Jerry Hatchett, aka ChopOMatic, Certified Computer Examiner
Depending upon the needs of your case, a BlackBox hard drive can alternatively be licensed and configured by the legal team at their location and then shipped out to the data custodians.

Conclusion
BlackBox was designed to address the unique concerns and needs of each user during the data collection process, whether an attorney, technician, or data custodian. All the features of BlackBox add up to equal a data collection product that is greater than the sum of its parts.

Is remote collection defensible? Top 5 Questions About BlackBox Answered: Part 3


Remote data collection tools allow legal teams to maintain control over the collections without requiring them to be physically present for the collection. Despite the many advantages of employing remote collection tools, some remain skeptical about the overall defensibility of remote collection. As with any new technology, people want to know why they should place their trust in a new way of doing things. This post will outline three key features of remote collection tools that ensure defensibility.


1. Encrypted Collection Settings
After the legal team determines the collection parameters required for the matter at hand, the configuration of the data to be collected is locked down by encryption. Encrypting the collection settings prevents the custodian from changing what the legal team wishes to collect. In summary, this feature ensures that the custodian cannot tamper with the collection settings determined by the legal team, allowing the legal team to maintain control.

2. Audit Logs
Audit logs document EVERY action performed by the custodian from the beginning of the remote collection to the end, including any errors during the collection. In addition, the audit log includes the information about the system being used to perform the collection, including the user logged into the system that triggered the collection as well as the make, model and serial number of the hard disk. Tamper-resistant methods, utilizing hashing algorithms and encryption, detect efforts to manipulate the data after the collection is completed.

3. Encryption of Data Collected
Once the remote collection is complete, the resulting data collected is protected from interception by ne'er-do-wells thanks to strong encryption. Encrypting the collection ensures that it arrives safely back to the legal team without risk of tampering en route.

By far, the primary factor that boosts the confidence of legal teams that utilize this new technology is that the process is documented and controlled by them rather than the custodian. All of these features ensure a simple, cost-effective and defensible ESI collection process that the legal team can be confident will hold up in court. The three features outlined above, along with the chain of custody documentation, provide for the defensibility and admissibility of ESI collected by an on-site remote collection tool in court.
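
The following Python example is added here for illustration and is not BlackBox's code or log format. It shows one common way to make an audit log like the one in item 2 tamper-evident: each record carries an HMAC-SHA256 chained to the previous record, and a final record seals the log with the SHA-256 of the collected data. The key, field names and sample values are constructed assumptions.

```python
import hashlib
import hmac
import json

# Assumption: the key is held by the legal team or vendor, never by the custodian.
LOG_KEY = b"constructed-demo-key-not-a-real-secret"
GENESIS = "0" * 64          # starting value for the MAC chain
SEAL = "collection_complete"


def record_mac(prev_mac: str, entry: dict) -> str:
    """HMAC-SHA256 over the previous MAC plus the canonical JSON of this entry."""
    body = json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(LOG_KEY, prev_mac.encode() + body, hashlib.sha256).hexdigest()


def append(log: list, action: str, **details) -> None:
    """Append one action; its MAC depends on every record before it."""
    prev = log[-1]["mac"] if log else GENESIS
    entry = {"seq": len(log), "action": action, "details": details}
    log.append({"entry": entry, "mac": record_mac(prev, entry)})


def verify(log: list):
    """Return (ok, index of the first bad or missing record, or None)."""
    prev = GENESIS
    for i, rec in enumerate(log):
        if rec["entry"].get("seq") != i:          # record removed or reordered
            return False, i
        if not hmac.compare_digest(rec["mac"], record_mac(prev, rec["entry"])):
            return False, i                       # record content was edited
        prev = rec["mac"]
    if not log or log[-1]["entry"]["action"] != SEAL:
        return False, len(log)                    # tail truncated: no seal record
    return True, None


def image_matches(log: list, image: bytes) -> bool:
    """Compare the collected data against the hash recorded in the seal."""
    ok, _ = verify(log)
    if not ok:
        return False
    sealed = log[-1]["entry"]["details"]["image_sha256"]
    return hmac.compare_digest(sealed, hashlib.sha256(image).hexdigest())


def build_sample_log(image: bytes) -> list:
    """Constructed sample: start, one error, then the sealing record."""
    log = []
    append(log, "collection_started", user="jdoe", disk_make="ExampleCo",
           disk_model="EX-1000", disk_serial="CONSTRUCTED-0001")
    append(log, "read_error", sector=4096)
    append(log, SEAL, image_sha256=hashlib.sha256(image).hexdigest())
    return log


if __name__ == "__main__":
    sample = build_sample_log(b"constructed image bytes")
    print(verify(sample))
```

Because the chain alone cannot reveal records cut from the end, the verifier also insists on the sealing record.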

Remote Collection = Litigation Cost Savings + Peace of Mind

by Andy Cobb, PhD, CCE

While the majority of the costs related to electronic discovery - upwards of 70% - reside in the review of the information, the costs associated with data preservation and collection cannot be ignored. In 2012, the RAND Corporation carried out a study of 57 eDiscovery projects, consisting of traditional litigation and regulatory investigations, with a focus on the costs associated with different parts of the eDiscovery process. The study showed that on average, the preservation and collection of electronically stored information (ESI) for litigation accounted for up to 8% of the total eDiscovery costs. So on a project that costs $100,000 total, up to $8,000 would be spent on collection of ESI.

Although data preservation and collection costs initially represent a much smaller piece of the pie, the potential negative effects resulting from sub-standard methods of preservation and  collection can far eclipse those costs later in the process.  For example, when data is not properly preserved and it is subsequently overwritten, courts have sanctioned parties for not producing the relevant data that was either not preserved and/or collected.  Thus, legal teams would be wise to balance their desire to save money by cutting corners at the onset of litigation, with their duty to make sure that preservation and collection is done properly early on.

Wait and See Approach to Data Preservation
In lieu of incurring the costs of data preservation when litigation is reasonably anticipated, some attorneys have chosen the risky practice of “waiting to see” if litigation would come to fruition before initiating data preservation measures in order to avoid the associated costs. While this gamble may sometimes pay off, is it really worth the risk, especially when preservation and collection using modern tools is now less expensive and more user-friendly than ever?

Remote Data Preservation (and Collection) to the Rescue
Remote data collection tools can help cut data preservation and collection costs for litigation in a variety of ways.  For example, a challenge that faces many large corporations that have multiple locations is in collecting the data from custodians across those locations.  Logistics and costs of hiring vendors to perform the collections at each location as well as the related costs, like travel, can become burdensome, especially considering the value of the litigation.  Preservation and collection costs can be dramatically cut by using a remote collection tool that can be configured and controlled by the legal team, but executed by custodians on the ground.

Nowadays, tamper-resistant technologies present in most remote collection tools ensure that even though the custodians at the locations are triggering the collections, the data that is collected is that which the legal team has deemed potentially relevant. An additional advantage of using remote collection tools is that, since the custodian is triggering the data collection on site, the entire legal team is freed up to perform other tasks that require their expertise rather than being stuck at the client’s location.

Conclusion
Remote data collection strikes the perfect balance between cost and defensibility.  Every legal team wants to save their clients money, but not at the risk of potentially indefensible actions in the areas of preservation and collection.  With remote data collection tools, the custodian triggers the collection, which keeps the costs down, but the nature of the collection - i.e. what is collected - is controlled by the legal team, thus providing legal teams a balanced solution.


Dr. Andy Cobb, CCE is the Chief Developer of the patent-pending BlackBox remote forensic collection tool. He is also a Partner at One Source Discovery, a full service Digital Forensics and eDiscovery firm. Dr. Cobb has served as a consultant on hundreds of Electronic Discovery matters and provided expert testimony on various Computer Forensics matters in Federal and State Courts. He has given several talks and CLEs as well as published numerous technology journal articles related to Computer Forensics and Electronic Discovery.





Remote Collection: A Defensible Alternative To Self Collection


When litigation is pending or “reasonably anticipated”, legal counsel has a duty to preserve electronically stored information (ESI) that is potentially relevant. While many methods exist to carry out this duty, each has advantages and disadvantages. Forensic collections completed by technicians are the gold standard, but they are expensive and time-consuming. To avoid these costs, some attorneys have allowed custodians to “self-collect” their data. Self-collection in this sense means custodians copy the data they deem relevant, either using their own discretion or under instruction of counsel, employing a variety of methods to do the copying. While custodian self-collection appears to save money on the surface, the risks of allowing this precarious method of data collection can far outweigh the money saved.

Self-Collection: A Risky Proposition
Many courts have frowned upon the practice of self-collection. In Green v. Blitz, the court levied a $250,000 sanction against the defendant for allowing a manager at the company to collect the data, thereby, as the plaintiff would later discover, missing a large amount of relevant ESI. In this matter, the Eastern District of Texas allowed a plaintiff to re-open a suit she had previously settled, based on the discovery of several discovery abuses committed by the defendant, who had made one employee “solely responsible for searching for and collecting documents relevant to litigation.” This employee didn’t issue a litigation hold, didn’t do any electronic word searches for emails, and didn’t speak to IT about how to search for electronic documents. To make it worse, there was also a possibility that this employee was biased because of a close connection to the R&D that had led to the production of the product at issue in the lawsuit. As a result of these abuses, the court not only awarded a quarter million dollar judgment to the plaintiff, but also ordered the defendant to provide a copy of its order to past and future plaintiffs.

Another matter involving self-collection was Northington v. H&M Int’l.  In this dispute, the court sanctioned the defendant for negligence and noted that “most non-lawyer employees…do not have enough knowledge of the applicable law to correctly recognize which documents are relevant to a lawsuit and which are not.”

Allowing a party, even a company, to oversee its own collection process (a macro version of the self-collection issue) can also expose the outside counsel to possibly severe consequences. In S2 Automation v. Micron Technology, a dispute arose over S2’s search strategy for locating responsive documents. Micron claimed that it was obvious that outside counsel did not properly oversee S2’s collection process, given his lack of knowledge of certain basic data preservation and collection issues. Noting that outside counsel may have failed to comply with his obligations under FRCP 26(g)(1) (every discovery response must be signed by at least one attorney of record as a certification of the correctness and completeness of the discovery response), the court ordered S2 to provide “its search strategy for identifying pertinent documents, including the procedures it used and how it interacted with its counsel to facilitate the production process.”

While there still may be situations in which allowing self-collection of electronic data is permissible, parties must be aware that many courts will view the process skeptically and they must be able to defend both why they chose to do a self-collection and how they went about their self-collection.  Further, in the event that custodians self-collect, but the ESI is not properly collected, a technician may have to be called in to perform the collection again, but this time under a tighter schedule which may cause the client to incur additional fees for quick turnaround, and entirely defeat the beginning goal of saving money. Outside counsel also need to be sure they adequately oversee the self-collection process, so that they don’t violate FRCP 26(g)(1).

Avoiding The Pitfalls Of Self Collection
In order to provide a defensible method of data collection, while not incurring the often prohibitive fees of a forensics technician, many legal teams are turning to remote data collection.  The best remote data collection tools provide a method for legal teams to completely control what is copied from each custodian’s computer hard drive.  Complete control is achieved only when the tool protects the configuration of the data slated for collection by counsel from tampering by the custodian.  Tamper-resistant technologies ensure that the custodian cannot change the data collected to suit what they believe should be copied from their hard drive. 

Once the data is collected from the custodian, the data must be protected so that it is not altered  after the collection or in transit back to the legal team.  Several technologies are available to either prevent or detect data-tampering after the collection.  For example, BlackBox, a remote forensic collection tool, uses a combination of hashing - a method for verifying that data sets match - and encryption to detect any tampering with the data after the collection.  In addition, BlackBox uses encryption to protect the data in transit.  

Some of the other benefits of remote data collection are the lower costs and the convenience.  If data can be collected remotely, a forensic technician is not needed onsite.  While many tools still require a technician to operate the software, several newer methods only require the technician to configure the software.  In these newer methods, even more time is saved since the custodian triggers the data collection, thus not requiring the time and expense of the forensic technician to monitor the collection.

Another related major benefit is the convenience of the technology.  For some remote collection tools, the remote collection process doesn’t require a forensic technician at all.  Simple user interfaces and simplified procedures allow minimally trained members of the legal team to quickly and easily deploy the configured tool to the custodian.  From there, the custodian can run the software on their computer and return it to the legal team when the collection is complete.

Conclusion
Legal teams must routinely operate under tight deadlines. The convenience and efficiency of remote collection can save precious time when the tools, like BlackBox, can be deployed quickly, thereby making deadlines much less burdensome. The use of dependable remote collection tools gives legal teams peace of mind that the collection is performed correctly, minus the substantial price tag of sending a forensic technician. Now that there are affordable and widely available solutions to replace self-collection, court-levied sanctions for the risky practice of self-collection can be completely avoided.

Stomach growling? Chew On These 2015 eDiscovery Resolutions.

It’s that time of year for crowded gyms and hangry (that’s slang for hungry and angry) people trying to meet the expectations of the new year. While some resolutions are easier than others to keep, here are three tips designed to streamline and improve discovery now and for years to come.



  1. A pound of cure. Revisit data retention plans now, before litigation hits. Holding onto everything forever has both present and future potential costs. Putting the resources into organizing electronically stored information (ESI) now can save tons of time in a variety of business practices that use the data, including responding to litigation discovery requests. When your data is categorized and you know where it is, it’s obviously easier to get to, making the data collection process much more efficient and easier to execute.

  2. Work early and often with opposing counsel. Contrary to popular belief, this can be done without sacrificing your strategy and has the added benefit of saving everyone time and money. In the long run, this is a win-win for everyone, especially the clients.

  3. Have your cake and eat it too. Instead of risking the pitfalls of allowing custodians to self-collect responsive documents, arm them with the cost-effective, remote and forensically sound tool to complete the collection onsite: BlackBox.

Happy New Year!  We hope these tips are helpful in your practice.  Learn more about how BlackBox works.