
Digital Forensics Saves the Day!


A digital forensics investigation can make an impactful difference in an otherwise "routine" eDiscovery document review. Craig Ball of Ball in Your Court and Dr. Gavin Manes of Avansic will be highlighting examples and experiences on this topic on December 8th at 1:30 CT – and we want to give you a preview of what you'll be hearing (click here to register for this event).

Specifically, they will be discussing top cases where forensics went beyond general eDiscovery practices to shine a light on advanced, hard-to-find, or less obvious case-related information. In general, cases that move from eDiscovery to forensics follow that path because an attorney reviewer either has a suspicion about the authenticity of a particular document or notices something odd. Was an email sent? Was it received? Is the email address real? Were the attachments changed?

These are all valid inquiries. The most common approach to authenticating an email is to examine its transport headers (also called the SMTP headers), which contain more than the To, From, Subject, and Date fields: they also record every mail server that handled the message. Compared to snail mail, it is much like the cancellation mark on an envelope or a FedEx tracking number that tells you every location the package passed through.

Case Study Example

Indeed, a dive into this information was a critical component of the case study to follow. A purchaser and a supplier were suing each other due to a multimillion-dollar payment sent but not received. They both suspected the other had defrauded them. Through the course of discovery, they exchanged documents and began a typical eDiscovery review process, where a reviewer noticed that emails were not threaded together correctly. Upon further inspection, the reviewer noticed there was a domain name difference. The issue rose to the level of the attorneys, and the question was put before Avansic's experts – who have experience in both digital forensics and eDiscovery.

Avansic's forensics team noticed that some of the email threads were from john@johndoe.com and some, particularly those later in the exchange, were from john@j0hndoe.com. A subtle difference but certainly enough to interrupt the email threading by the eDiscovery software and to be noticed by a sharp-eyed reviewer. But why the change?
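One way to automate the check the reviewer made by eye, combining the transport-header inspection described above with a lookalike-domain comparison across a thread (an added example, not code from the post or from Avansic; the confusable-character table, sample messages, addresses and IP ranges are assumptions constructed for illustration):

```python
# Added example (not from the post or Avansic): flag lookalike sender domains
# in an email thread, the kind of check that would surface j0hndoe.com.
import email
from email import policy
from email.utils import parseaddr
from difflib import SequenceMatcher

# Assumed confusable substitutions (digit-for-letter swaps); extend as needed.
_SINGLE = str.maketrans("0135", "oles")


def normalize(domain: str) -> str:
    """Map visually confusable characters to their plain-letter lookalikes."""
    return domain.lower().replace("rn", "m").replace("vv", "w").translate(_SINGLE)


def is_lookalike(candidate: str, trusted: str) -> bool:
    """True when candidate is not the trusted domain but is confusably close to it."""
    candidate, trusted = candidate.lower(), trusted.lower()
    if candidate == trusted:
        return False
    if normalize(candidate) == normalize(trusted):
        return True
    # Also catch one-character insertions/deletions such as john-doe.com.
    return SequenceMatcher(None, candidate, trusted).ratio() >= 0.9


def audit_thread(raw_messages, trusted_domains):
    """Return (Message-ID, sender domain, impersonated domain, origin hop) per hit."""
    findings = []
    for raw in raw_messages:
        msg = email.message_from_string(raw, policy=policy.default)
        domain = parseaddr(str(msg["From"]))[1].rpartition("@")[2]
        hops = [str(h) for h in msg.get_all("Received", [])]
        origin = hops[-1] if hops else None  # headers are prepended: last = first hop
        for trusted in trusted_domains:
            if is_lookalike(domain, trusted):
                findings.append((str(msg["Message-ID"]), domain, trusted, origin))
    return findings


# Constructed sample thread: the reply comes from the lookalike domain.
SAMPLE_THREAD = [
    "Received: from mail.johndoe.com (mail.johndoe.com [192.0.2.10]) by mx.buyer.example\n"
    "From: John <john@johndoe.com>\nTo: buyer@buyer.example\nMessage-ID: <1@johndoe.com>\n"
    "Subject: Equipment purchase\n\nPlease confirm the order.\n",
    "Received: from mail.j0hndoe.com (mail.j0hndoe.com [198.51.100.7]) by mx.buyer.example\n"
    "Received: from [203.0.113.5] by mail.j0hndoe.com\n"
    "From: John <john@j0hndoe.com>\nTo: buyer@buyer.example\nMessage-ID: <2@j0hndoe.com>\n"
    "Subject: RE: Equipment purchase\n\nUpdated wire instructions attached.\n",
]

if __name__ == "__main__":
    for hit in audit_thread(SAMPLE_THREAD, ["johndoe.com"]):
        print(hit)
```

The origin hop returned with each hit is the earliest Received line, which is where an investigator starts tracing the sending infrastructure.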

A deeper dive into all the emails exchanged between the purchaser and supplier over the time period of the purchase revealed a cause far more complex than simple fraud. Forensic investigation revealed that a bad actor had sent a spear phishing email that one of the purchaser's employees had clicked on. They input their password and username at the site of the fake link, which was the same information needed to access their email. The bad actor now had unfettered access to their email. As an aside, multi-factor authentication is the best defense against this kind of hack.

The bad actor then monitored the email address for several months until a communication thread opened regarding the purchase of a large piece of construction equipment. The bad actor then created a rule in the mailbox to hide inbound emails about the transaction from the legitimate user such that the actor could log in and respond at their convenience. Once the bad actor had control of one side of the conversation, they were able to change the email addresses ever so slightly by buying domain names similar to the parties to fool both sides into thinking they were transacting with the original parties but were, in fact, communicating with the "man-in-the-middle." This is where the john@johndoe.com and john@j0hndoe.com came in.

Now the bad actor had control of the communication. When wire instructions and a down payment were sent, it was deposited into the bad actor's account. But, because he had his eyes on a bigger prize, he transmitted that money to the supplier's account. Neither purchaser nor supplier noticed anything amiss, so as far as they knew, the bank account was legitimate, and the larger transaction would follow the same smooth path. But when the remainder of the amount was due, the bad actor received the funds (millions of dollars) to his account and kept them.

Knowing what happened with this man-in-the-middle, the case then hinged on who allowed the bad actor in and how much liability each party shouldered based on their actions. This is where cyber liability insurance and disclosure come in - but that's an entirely different blog post.

Hear the Cases - Register Now

Dr. Manes and Mr. Ball will be discussing several more cases like this where eDiscovery turns into forensics – we hope you'll join us on December 8th. You can register here.