4 Tips to Reduce eDiscovery Costs

eDiscovery can be a very costly endeavor for anyone going through litigation. Below are a four tips that you can use to help reduce eDiscovery costs.

Identify Custodians and Preserve Early

Identify the Key Custodians to the case and preserve their ESI. This can include data from their issued laptops, desktops, tablets, cell phones, email, databases, file shares, and more. Don’t skip out on anything. It is better to have it and not need it than to not have it and need it.

In-House or Third Party eDiscovery Provider

If you’re not using in-house eDiscovery practices, be sure to pick a provider that not only will be cost effective, but will

Third Party Collections

A lot of people hear the cost to have someone come in and collect their emails or server data forensically and think, “I can just have IT do that for free.” Don’t get pulled into this mistake. Your IT staff don’t have the tools or training to do a forensic acquisition, and by doing so will inadvertently change metadata and possibly accidentally destroy data. You also run the risk of IT grabbing the wrong data, and winding up paying to have more data culled or reduced that didn’t even need to be submitted for processing. Doing it yourself leads to extra costs culling data that doesn’t need to be culled, metadata changes that can hurt your case, and extra costs in having to get a third party involved eventually. Do yourself a favor and get a third party expert involved from the beginning.

reduce costCulled Collections

The normal way of doing things is to get your data collected, then pay someone to cull or reduce the data. This can be a very costly thing to do, paying a third party to make sure the data is collected correctly, then paying them to deNIST it, deDuplicate it, keyword search it and reduce it by date range. Why not do that all in one step for a lower cost? It also helps your clients feel more at ease that non-responsive data is not leaving their doors, keeping their data safe and secure.

Reduce Review Costs

Utilize technology to automatically reduce the amount of data that needs to be manually reviewed. When you do have a firm handle on what does need to be reviewed, utilize third party managed review services to keep the load lower on in house counsel.



What is Ransomware?

Ransomware is a fairly new virus that has taken the globe by storm. It infects your computer, and usually and network shares you have access to, and encrypts the data, making it totally inaccessible to you. Then you get a message telling you to pay a certain amount of money, usually in Bitcoins, or you’ll never get your data back. This is devastating not only individuals, large enterprises, SMBs, government agencies, and even hospitals.

Petya RansomwareYou’ve Been Infected, Now What?

Your employee got an email from “billing@thiscompany.com” with an invoice attached and a message saying that it needs to be paid as soon as possible. Your employee thinks nothing of it and downloads the Word Document containing the invoice. There is a message saying “If you can’t read the invoice below, please enable macros to decode the invoice” along with a jumbled mess of characters. Your employee, again, thinks nothing of it and clicks the banner at the top enabling macros. Now every file on your employee’s computer, as well as every file on any file shares your employee has access to, are completely encrypted. A message pops up informing your employee what they’ve done, and how much it will cost to decrypt the data. Now what?

Engage Your Incident Response Plan

You have one right? Great! Follow the procedures set in place for when your company is struck by a Ransomware attack. First, you’ll need to notify those that need to be notified. Start with your cyber security attorney, incident response team or vendor, as well as upper management. At this point your incident response team will probably want to forensically preserve any data it can. This preservation is important for analysis by them or Law Enforcement. Once data has been preserved, restore your backup and move forward.

What if I don’t have an Incident Response Plan?

The first thing you need to do is contact a cyber security attorney. They will advise you on important legal issues that come with ransomware. Do not skip this step. Don’t get sucked into thinking, “I don’t want to pay an attorney for this, I want to keep this as quiet and cheep as possible.” You need to contact a cyber security attorney. They are worth every penny you will spend. You’ll also find they aren’t as expensive as you think.


Back Up And Restore Keys For Computer Data SecurityRestore a backup

You have backups right? Good! Restore to a backup prior to infection and you’ll be able to move on. You should still do a post breach analysis or debriefing, as well as analysis on how the infection got in and if anything else happened. For the most part though, you’ve survived the ransomware attack.

What if I don’t have a Backup?

If you don’t have a backup in place there are several options, such as attempting recovery on your own, moving on and taking the hit, paying the ransom, or a combination of those methods.

Attempt Recovery on Your Own

There are a lot of articles on the web that give suggestions on how to recover your data from Ransomware. However, the creators of Ransomware are taking those articles and building in workarounds every time a new version comes out. For example, in the past you might have been able to utilize Volume Shadow Copies to recover previous versions of documents. Many newer Ransomware utilities delete the Volume Shadow Copies to prevent you from doing so. Data recovery software is sometimes detected and disabled as well. Because the registry is often infected, system restore points won’t work either. It is highly unlikely you will be able to recover the data without backups on your own, unless you have been hit by an older family of Ransomware or one that has been broken like Petya.

Move on

If you have calculated that the cost of the ransom is more than the cost to recreate the data, then its time to move on. You should still hire an incident response vendor or utilize your in house security team to determine how the ransomware got in though. You also need to figure out how you’re going to deal with ransomware in the future by creating an incident response plan. For now though, wipe the computer and move on.

Pay the Ransom

If you’ve decided to pay the ransom, do so carefully. If you don’t hire a security consultant to help you, do some research on the type of ransomware you have on your network. Find out if people have had success decrytping their files with this family of ransomware. There is always the risk the hacker will just take your money and run, do some research and find out your odds. Chances are though, more than likely the hacker will decrypt your files. If they never did, no one would ever pay.

When you’ve decided to pay, be sure you have someone that understands Bitcoins and how they work before attempting to make payment. Bitcoins are the preferred payment method for hackers because of their anonymity, and can be confusing for first time users. Follow the instructions exactly as they say and hopefully you’ll get decryption instructions.

Hybrid Solution

If you want to, you can attempt several recovery methods at the same time in order to guarantee the quickest recovery time. Have one team working to pay the ransom and restore the data, one team working to restore the newest clean backup, and another team attempting to recover the data on their own. Only highly trained and prepared information security teams should ever try this though. It requires a lot of planning, preparation, and communication.


There is no way to completely prevent such an attack from happening. There are, however, several ways to mitigate the risk that comes with ransomware such as backups, employee training, and security infrastructure on your network.


Our recommendation is that your company should be utilizing backups for all critical data. These backups should store data offsite, on at least a nightly basis. If you have a continuous backup in place, make sure there are offline backups taken on a nightly basis as well. We recently had a client that had continuous backups in place, and as soon as the ransomware encrypted all of the data on their server, all the data in their backup was encrypted at the same time. This doesn’t help you at all. If they had a nightly backup separate from the continuous backup, they could’ve restored to the previous night’s backup and moved on. Backblaze is a great solution. If you’re interested in getting your company set up with Backblaze, be sure to contact us about that.

Employee Training

Social engineering is the name of the game with ransomware. The hackers are doing their best to trick your employee to download, click, or enable something they shouldn’t. Training your employees on what they should and shouldn’t do, what to look out for, and what is normal is your best method for preventing something like a ransomware from hitting your business, or any other type of network breach for that matter.

Security Infrastructure

There are countless security appliances, services, and “guarantees” out there that say they can prevent ransomware. If it says that it can all out prevent it, don’t buy it. Nothing can prevent all types of attacks. The most you can do is mitigate the risk with some security appliances, software, and vendors, and have some sort of  monitoring in place for when something gets past your security infrastructure.  We recommend Fireeye, especially for email protection. Fireeye’s EX and ETP systems scan emails as they come in for known malware as well as unknown malware by analyzing attachments and links to help protect against spear phishing attacks. Contact us for more information on Fireeye.


It really comes down to two options, backup or pay up. Prepare now by getting an incident response plan in place and backing up your data. Train your employees for what to look for and what not to do, and get something on your network to protect and monitor your infrastructure. If you have a problem with ransomware and need assistance, call us at 1-800-537-3424.

Apple v. FBI Simplified

There has been a lot of debate about Apple and the San Bernardino Terrorists iPhone, and if Apple should be forced to unlock the shooter’s iPhone. The SANS Organization put out a deeply technical study of this issue and what capabilities there are. Here is a short summary in much simpler terms.

Apple v. FBI

A judge has ordered that Apple provide a way to unlock the shooter’s iPhone for the FBI. They are not necessarily being told they have to unlock the phone, just make it vulnerable so that the FBI has a chance to try to break the password. Apple’s CEO responded by stating that it will resist as much as possible.

What is it that Apple is being ordered to do?

iPhone’s have an option available to do a factory reset if the password or PIN code is entered incorrectly too many times. The FBI doesn’t know if this option is enabled or not on the shooter’s iPhone, and don’t want to take the chance. Apple has been ordered to send an “update” to the phone that will disable this security feature and allow the FBI to try every possible combination until they get in.

Will it really affect all iPhones?

That is what is really up for debate. Technically, yes, this code could be applied to any iPhone, but not necessarily will be applied to every iPhone.

What about iCloud?

There was an iCloud backup made about two months before the attack, but the FBI wants the most recent data. iCloud will automatically do a backup whenever the iOS device is connected to power and a known WiFi. So why didn’t the FBI just attach the iPhone to these two things? The FBI was afraid that other terrorists would have access to the iCloud account, so they had the AppleID Password changed. Now that the password has changed, the iPhone requires that the new password be entered into the phone in order to do an automatic update, and without knowing the PIN code to get into the phone, the new password can’t be entered, and an iCloud backup can’t be started.

Apple iPhones

What can typical forensics do?

If we have the password or PIN code, or if we have the AppleID and Password for the iCloud backup, we can recover deleted text messages, app data like KIK and Facebook Messager, as well as all kinds of other things. See our iPhone Forensics page for more details. Fill out the contact form or call us if you want anything recovered from your iPhone, iPad, or iCloud Account.

Five of the Biggest Data Breaches of 2015

Data breaches are becoming more and more common, and more SMBs and Enterprises are wondering what they can do to stop it. Below are five of the biggest and most devastating data breaches that happened in 2015.


In June of last year the Office of Personnel Management of the United States (OPM) initially reported that four million records had been lost in a cyber attack, later revised it to 18 million, and is now believed to be at about 21.5 million.

It has been said to be one of the largest data breaches in the US Government history, leaking names, birthdays, address, and even social security numbers. There were also over five million security clearance documents and fingerprints leaked as well.


In February of last year, Anthem told customers that all customers from current to former policy holders, and even other brands under its name like Blue Cross and Blue Shild were affected by an advanced cyberattack, affecting nearly 80 million customers. This is the largest healthcare breach in history, but there are more to come in 2016 for sure.

ashley madison


Ashley Madison

The website describes itself as “the world’s leading married dating services for discreet encounters.” The Impact Team compromised the website and uploaded user data, management emails and more online. Impact Team first held the data at ransom, saying that if the website was not shut down they would release the data. Ashley Madison didn’t believe that the Impact Team actually had the data and refused to shut down, resulting in the data dump. The number of people affected is estimated at around 37 million. Among the data were many US military and government emails.


Hacking Team

The hacking team has been criticized for a long time for working with government agencies, selling their tools to even oppressive governments in Africa and the Middle East. This breach resulted in over a million emails and 400 GB of data being released online. Many governments and agencies around the world were affected by this breach.


Not as well publicized as Ashley Madison or the Hacking team, but this breach resulted in 6.4 million children and 4.9 million customer accounts (their parents) being affected. An individual was arrested for the intrusion. He was supposedly able to bypass security measures with little to no effort.


If you are interested in learning more on how to protect your network and detect these types of intrusions in your network, fill out a contact form and someone will contact you within the next half hour.

Upgrade your Mobile OS

A recent study found that nine out of 10 enterprise mobile devices are using out-of-date OSs, increasing these enterprises exposure.

Key findings from the study reveal:

  • 80% of iPhone users are not running the latest iOS 9.2 release
  • 90% of Android devices are not running the latest 5.1 Android operating system
  • 32% of Android users are running version 4.0 or older, leaving them vulnerable to even known malware such as Stagefright
  • One in 20 of Android devices don’t even have a password on their lock screen

There are an estimated 20 million enterprise mobile devices so old that they are no longer supported by the device manufacturer and can’t even be updated to the latest version.

Although the biggest threat is out-of-date or unwatchable droids, there’s also a patching issue with iPhones and iPads. Outdated iOS devices are vulnerable to well-known attacks, such as Ins0mnia and Quicksand.

An estimated 95% of data breaches are caused by compromised user credentials, according to the latest data breach report by Verizon. Keeping mobile devices upgraded tackles a big part of this problem.

Security Policies need to be in place and enforced in order to fix these issues. Does your business have some of the issues stated above? Contact us for help with your company’s cybersecurity.

Read the whole study here.

Cybersecurity in 2016

Everyone is a Target

2014 was the year that network breaches came to the forefront of everyone’s minds. It was the year Sony, Home Depot, Target, and so many more were breached. In 2015 there was Anthem, the OPM hack, and even the utility hack in Ukraine that caused blackouts. Now, it doesn’t matter if you’re a large corporation or the small shop on main street, you’re a target. A lot of people have said right to my face, “My business isn’t going to be hacked, we have nothing of value.” Most mom-and-pop shops, or even SMBs might think that, but these hacks in the last couple years have shown us that all companies have something of value. From intellectual property to social security numbers in your HR files, from PCI based credit card information to personal reputations, every business has something of value to be sold on the Black Market or to be used for corporate espionage or data collection. The sooner you realize that you’re a target, the better off your company’s cybersecurity is going to be.

Cybersecurity with FireeyeDetection Rather than Prevention

Lets face it, it is impossible to be connected to the internet and prevent 100% of possible breaches. Prevention technology needs to be in place, it would be stupid to not have Anti-Virus on your computers. However, monitoring our networks and endpoints for when something other than malware gets in is key to stopping a small breach from becoming big news. Cybersecurity Technology need to be in place to not only detect known malware, but the techniques, styles, and habits of hackers, so that when something unknown, or somehow a hacker gets valid credentials, it is still detected and stopped. You’re going to be hacked, its not a matter of if, but when. You need detection in place so that when you’re hacked, you know it, and you can stop it from growing.

Cybersecurity Policies

Cybersecurity Policies need to be in place so that in the event of a breach, management and IT aren’t running around like chickens with their heads cut off wondering what to do next and causing more harm than good. Policies that encourage good practice for all users need to be in place and enforced so that easy breaches don’t occur. An incident response plan needs to be in place so that when your detection technology alerts you that you’ve been breached, you know exactly what to do.

Help is Available

Decipher Forensics has the experts that can help you draft these security policies, incident response plans, and put Fireeye Protection Technology on your network and endpoints to help you know when you’ve been breach. Contact us with any questions you have.