Deleted Data in Civil Litigation

Deleted Data
Are you Using it?

Purpose: This paper will describe the steps that one would need to take to preserve, analyze and present findings regarding deleted data. It is meant to inform both attorney and client on the need for deleted data in cases.
Disclaimer: I am not a lawyer. This writing is not meant to be legal advice on any case, rather it is meant to inform the attorney and the client about the use of deleted data in civil cases. Every case is different and requires specific tasks and objectives to find and present the evidence of the case.

Deleted data is used by law enforcement daily for felony crimes. It is almost second nature to look to the deleted data to help make a case. It is the backbone of computer forensics. On the flip side of the legal world in civil cases it seems that deleted data is commonly overlooked. It is on this topic that I wish to address the absolute necessity for deleted data in civil cases.
Deleted data can be almost anything that once resided on a memory based device. Pictures, videos, PowerPoint presentations, documents, audio files, call logs, text messages, emails and the list can go on and on. Attorneys know when you want electronic data from opposing counsel, you must make sure it isn’t destroyed through a preservation letter. This is a no brainer for attorneys, but it is worth mentioning.

Preservation Letters

Your preservation request can’t ask for everything electronic. Most judges will see this as burdensome, not to mention it can look like you are gearing up for a fishing expedition in the case. Your preservation request needs to be targeted and specific. If you are going after deleted data, you will want to request a full physical forensic image of the hard drive of the computer in question. If it’s an Android cell phone, you will want to request the three following images. Logical, File System and Physical (Where applicable). If it’s an Apple device, you will want to request a logical, file system, method one and method two images. Other items to be requested can be smart watches, USB drives, email accounts, GPS devices, voice recorders, cloud based accounts, any external hard drives that have been plugged into a computer in question would all be a good starting point. It is important to always request the metadata as well. This can be redundant, but ensures that you receive everything in an electronic format and shows that you will be examining the metadata in the case. I have assisted in crafting many preservation letters to ensure that are specific enough to show that we know our target, but broad enough to ensure that we are not missing anything.

Data Collections

Data collections are a key component in your case. Do it wrong and the evidence can be thrown out. Do it wrong and the key metadata can be altered and irreversible and potentially destroy your case.

Data collections need to be performed by an independent third-party. Having your client’s IT staff collect the data can present a conflict of interest. Most of the time they also do not possess the tools and skills to do this properly despite how great they are at configuring a firewall for the office. Data collections can take place for computers, email accounts, cell phones, tablets, social media accounts and the list can go on and on. Making sure the data is collected correctly is key to finding and using deleted data in your case.

Analyzing the Data

This is the second most important part of the entire process. Analyzing the deleted data is going to be the key to your success and can greatly enhance the electronic discovery process that most attorneys are used to. I have often thought that if the evidence in a case were critical, it would likely be deleted. It is human nature to hide what we don’t want discovered. It’s no different in electronic evidence. To reduce time and fees to the forensic examiner the more you can tell the examiner the better. Dates, search terms, type of document, timelines and websites can bring you closer to the deleted truth. I have personally seen deleted data be front and center as the crux of multiple cases. The data tells a story and reconstructing that story normally requires deleted data and the standard data you would find in your electronic discovery review.
Deleted data can reside in multiple places on a computer. Not only is it important to find it, but to be able to explain why it was found in a certain area of the computer is crucial. Piecing together the puzzle can go rather quickly in many circumstances. Today computer forensic software has evolved to allow the examiner to perform multiple tasks in a fraction of the time it used to take. Deleted data can uncover photos, videos, previous versions of documents, web history, chat logs and my personal favorite, deleted text messages to name a few.

Presenting Your Findings

This is the most important aspect of dealing with any type of data. Whether it is in a written report, deposition or in court the ability to present the data can make or break a case. I know many people in my industry that are excellent forensic examiners, but terrible at writing and even worse at speaking to people on the topic. I have read reports from experts that had no place in my daughters 8th grade English class, let alone handing over a professionally scripted paper.
For example, if I said, “The deleted data was found within the MFT and it held the EXIF data needed along with the timestamp found to lead us to believe that this was deleted after the time of the preservation order was given”.
Or you could say, “The deleted data was found in what is called the MFT. It stands for Master File Table. Think of it as card catalog in a library that can direct you to everything in the library you wish to find. When we delete something, the MFT it will hold onto the data even though it has been deleted. Part of that data is known as metadata, which simply means data about data. EXIF data is part of the metadata and refers to the GPS coordinates that are captured by different electronic files when they are created. The time stamp we identified as part of this piece of evidence was created after the preservation order went into effect and was then deleted based on where it was found within the forensic image that was examined.
Obviously, it’s still a mouthful, but allows for an explanation of terms normally only used by myself and my nerdy digital colleagues.
Deleted data is crucial in many applications of civil cases from family law, employment, intellectual property and corporate to insurance and securities to name a few. It is best to involve your forensic expert early when you start the discovery process. The best-case scenario would be to have your forensic expert and your electronic discovery vendor be the same entity, or companies that work closely together.

Employers to See More Complex Litigation Cases in 2016

2016 Will See Higher Influx of Employer Based Litigation.


Litigation is good news if you are an attorney, but if not, it’s a hard pill to swallow when you are the actual employer. I don’t know many people other than attorneys who are excited about the prospect of litigation on the horizon. I do however know many attorneys who go to great lengths to help clients avoid litigation. Litigation comes in many shapes and forms and can be anything from wrongful termination to a class-action law suit or a more standard claim between two organizations. Regardless of the reason, it is on the rise and steps need to be taken on how to hedge against yourself and your technology to protect your bottom line.

A recent report I reads showed that reason for more litigation in 2016 will be, “Corporations will be entrenched in cases inspired by new regulations promulgated by the outgoing Obama administration, more aggressive federal agencies, zealous activist groups and quickly advancing technology,” says the introduction to Crowell & Moring’s report, “Litigation Forecast 2016,” by partner Mark Klapow, who edited the report.

“The cases that will mean the most to the bottom line will likely emerge from small questions that pack big implications for outside the court,” said Mr. Klapow in the report.

I will list the rest of the article at the bottom, but the question I have to In-House counsel, HR, Board Members and Business Owners alike will be, “what are you doing to protect yourself over what you have done in the past?”

In addition, said Mr. Winkelman in the report, “Technology change continues to outpace regulations. Fifteen years after 9/11, security — and cybersecurity — is increasingly being addressed through regulation.”

Do you know what employees are doing during the workday? Do you monitor employee issued cellphones for cellphone activity and log it? Do you monitor computer activity? Do you have workshops on data breaches and what to do and what not to do? Do you archive and store employee cell phone images, computer forensic images, just in case something comes back to try and bite you? It is common for corporations to archive and store email for X number of years depending on the industry, but not nearly as common to do the same with digital forensic images that can mean the difference between a case being dropped and a case being settled for any sum of money.

It is time for employers to fully protect themselves from the possibility of litigation and thus settlement and work towards cases being dropped, rather than settled. Settlements affect the bottom line far more than cases being dropped.

We have developed several methods to help In-House counsel and HR as well as IT to protect the company and save money. Will you take this serious, or will you think that it will simply pass you by much like a data breach?|70|71|80|83|302


Facebook Account Hacked? What should YOU do to avoid it from happening to YOU and getting it back?

Don’t let your Facebook get hacked. Steps to take if you are Hacked.

Facebook Like

You’re hanging out online and you start to get messages from friends on Facebook asking why you are sending them links, or uncharacteristic pics are being posted on your Facebook account. If it has not happened to you, chances are you have seen it happen to someone. Heck, I have had to call my mother, ex-girlfriend and real estate agent before to tell them that something was amiss on their accounts.

So your  Facebook account has been hacked. How did it happen? Common methods are…..

  • Man-In-The-Middle attacks
  • Phishing
  • Websites you visit that have been hacked via sql injections
  • Malware

I am not going to define each of these, but it is important to know how your Facebook account can be hacked. Numerous articles have already been written on the matter of each type of hack, but I will speak briefly on Malware. Malware includes keystroke logging, remotely browsing file systems which stores certain passwords that are encrypted, but can be exploited if you know what you are doing(it’s not hard). This can include your computer passwords, as well as the website credentials you are too lazy to log into over and over again, so you save them to your machine. Bad Idea, just FYI. Malware can also include spying on the users via their webcams and microphones. It can also include opening pics in text messages from unknown people that have steganography in them. This is simply concealing malicious code within a picture for example that executes upon you opening it. Here is a link to learn more about “Stego” as we call it from my former professor and all around good guy Gary Kessler.  The data is a bit outdated, but the principles still apply.

If you are not hacked and want to ensure that you don’t get hacked, here is what to do.

  1. Don’t use the same password across multiple sites. Hackers are counting on you doing this. If you do this for two accounts like Facebook and Instagram, chances are that you have done it on your bank account login as well. Make sense? I know it is annoying, but it is much more annoying to get hacked.
  2. Enable two-factor authentication. This can also be annoying, but as long as you have your phone no biggie. This simply sends a code to your phone that changes each time you login to various accounts. If an account doesn’t  offer it, don’t use it.

If you do find that you have been hacked, start by trying to change passwords on that account and then move out to other accounts. DO NOT forget to change banking and personal information based sites. As you do this, set up two-factor authentication (see a pattern here) for higher security across your logins. It is a best practice to follow your website/social media steps for reporting unusual behavior.

Next part is the part that most people don’t do because it is time consuming and frustrating.

Purge your devices of data that may be malicious. This includes cell phones and tablets. I hate to rain on the parade of iOS device users, but this includes you as well. I have personally found malicious software on iOS devices more than once for clients and the methods of how they work are interesting to say the least, but I digress. Antivirus processes come in all shapes sizes and prices. Don’t be fooled by a scam that will only put more malicious code onto your devices. Read reviews and I highly recommend paying for it, rather than going the free route.  If you have vital, to semi-vital information on your machines or devices, I would recommend having a competent digital forensics firm run a series of obfuscation tests on everything running on your machine or device and give you a listing of what was found and where it was found. From that point Google is your friend and you can look into each of them to see if they are harmful, or if they are supposed to be there or not.

I am not going to list off the ones you should use or the ones you should not, but read reviews and find one or two that work for you.

Once everything check and double check that your financial accounts are intact and secure make an announcement on Facebook that you were recently hacked and apologize and tell everyone what you have learned. Better yet, you should share this article on your Facebook page now and let your friends know what to do in the event that they are hacked.




Do you use Digital Forensics in your Human Resource Plan?

 Human Resource Protection Plan….Does your Company have one?

Human Resources

What happens to your employee’s computer and other issued devices when that employee leaves leaves the company?

Normally the equipment is taken to IT and is wiped clean and made available to the next employee. One must ask the question, “why is this employee leaving?” Are they being fired for cause, or are they a disgruntled employee, or are they just leaving for another opportunity? Are they going to a competitor and did they have access to key files or client lists that could bring harm to the company if in the wrong hands?

What Should Happen…..

More and more companies are sending Decipher Forensics devices from around the country that have been used by former employees to hedge against the opportunity of the employee coming back on the company. We can it a Human Resource Protection Plan. We act as an independent third party and create a forensic image of each device for HR and Legal to hold in the event that a suit is filed against the company or they feel that the former employee might have conducted themselves in a manner that hurts the company and they in turn need to open an internal investigation.

We highly recommend that this be done as a matter of precaution in all employees leaving a company for any reason. Whether your company is big or small this is a great HR/Legal standard to put in place in your company.

The price for this service is incredibly reasonable and the turnaround is fast.

Every organization needs a Human Resource Protection Plan in their operations.

Why not just have your own IT department do this? For the same reason that it is never a good idea to self collect data in a litigation proceeding or represent yourself in court. It is less defensible and it is a standard best practice to show that an independent third party was who imaged the data. This takes away the possibility of questions like, “how do we know that data wasn’t erased or added into the computer to make my client look guilty?” Those things can certainly be proved, but at a much greater expense than outsourcing to a third party.


Give us a call and we can set your company up with this easy process to act as a great protection when litigation might end up taking place.



Hackers Have Done it Again

Low-cost IMSI catcher for 4G/LTE networks tracks phones’ precise locations

$1,400 device can track users for days with little indication anything is amiss.

Reposted from:


I normally don’t just repost articles to our blog, but I am making an exception to this one. Love them or hate them, hackers are amazing. Manipulating data to do different tasks that what it was intended to do is precisely what hackers do. It is what fascinates me about hackers. To see something and ask the question of why not? In that same spirit please enjoy the following article by Dan Goodin.

Researchers have devised a low-cost way to discover the precise location of smartphones using the latest LTE standard for mobile networks, a feat that shatters widely held perceptions that the standard is immune to the types of attacks that targeted earlier specifications.

The attacks target the LTE specification, which is expected to have a user base of about 1.37 billion people by the end of the year, and require about $1,400 worth of hardware that run freely available open source software. The equipment can cause all LTE-compliant phones to leak their location to within a 32- to 64-foot (about 10 to 20 meter) radius and in some cases their GPS coordinates, although such attacks may be detected by savvy phone users. A separate method that’s almost impossible to detect teases out locations to within an area of roughly one square mile in an urban setting.

The researchers have devised a separate class of attacks that causes phones to lose connections to LTE networks, a scenario that could be exploited to silently downgrade devices to the less secure 2G and 3G mobile specifications. The 2G, or GSM, protocol has long been known to be susceptible to man-in-the-middle attacks using a form of a fake base station known as an IMSI catcher (like the Stingray). 2G networks are also vulnerable to attacks that reveal a phone’s location within about 0.6 square mile. 3G phones suffer from a similar tracking flaw. The new attacks, described in a research paper published Monday, are believed to be the first to target LTE networks, which have been widely viewed as more secure than their predecessors.

“The LTE access network security protocols promise several layers of protection techniques to prevent tracking of subscribers and ensure availability of network services at all times,” the researchers wrote in the paper, which is titled “Practical attacks against privacy and availability in 4G/LTE mobile communication systems.”

“We have shown that the vulnerabilities we discovered in LTE access network security protocols lead to new privacy and availability threats to LTE subscribers,” the researchers wrote.

Like some of its predecessors, LTE attempts to conceal the location of a specific phone by assigning it a regularly changing TMSI, short for a temporary mobile subscriber identity. When a network interacts with a handset, it will address it by its TMSI rather than by its phone number or other permanent identifier to prevent attackers monitoring network traffic from tracking the location of a given user. The 2G attack worked around this scheme by sending phones an invisible text message or imperceptibly brief call that caused the mobile network to locate the phone. That paging request allowed the researchers to tie the TMSI to the phone number.

Passive aggression versus evolved NodeB

The researchers behind the LTE attack found that similar paging requests can be triggered by social messaging apps such as those provided by Facebook, WhatsApp, and Viber, with little to no indication to the owner that any tracking is taking place. A Facebook message sent by someone not in the receiver’s friend list, for instance, will cause the text to be silently diverted to a folder marked “other.” But behind the scenes, an attacker can use the data sent over the network to link the receiver’s Facebook profile to the TMSI. The TMSI, in turn, can be used to locate the phone and track it as it moves from place to place.

A text sent through Whatsapp or Viber, meanwhile, first must be returned by the targeted phone owner. From then on, the attacker can use the apps’ typing notification feature to trigger paging requests. The researchers describe such exploits as “semi-passive” because they mainly involve the passive monitoring of network traffic rather than the impersonation and traffic manipulation found in a fully active man-in-the-middle attack.

Shaik et al.

Attackers can also opt to launch far more accurate active attacks by operating a rogue base station, which in LTE parlance is known as an eNodeB, short for evolved NodeB. To create their own eNodeB, the researchers used a computer-controlled radio known as a Universal Software Radio Peripheral that ran OpenLTE, an open source implementation of the official LTE specification. The total cost of the gear, including the radio board and antennas, was about €1,250 (about $1,400), Ravishankar Borgaonkar, one of the researchers and a post-doctorate student at Aalto University in Finland, told Ars.

When running in active mode, the eNodeB impersonates an official base station provided by a network carrier and forces LTE phones to connect to it. The attackers can then run troubleshooting routines that cause the handset to provide a wealth of information, including all nearby base stations and the signal strength of each one. Attackers can use the data to triangulate the precise location of the device. In some cases, the rogue eNodeB can be used to obtain the GPS coordinates of the phone.

While the active attack provides much more granular location data, it comes at a cost. Darshak, an IMSI-catcher detection app that was released at the 2014 Blackhat security conference in Las Vegas, as well as similar apps from Pwnie Express and others, can easily detect the full-on attacks. That means the semi-passive attacks may be preferable for many attackers, even though the location data is coarser.

There’s another feature that makes the semi-passive attacks attractive: At least one of the LTE networks the researchers studied allowed TMSIs to last as long as three days before being changed. That means an attacker who executed such an attack could use it to track a target’s comings and goings for days, with an accuracy of about a half mile. While it’s likely the messaging apps will try to make changes that thwart the attack, it wouldn’t be surprising if there are other ways to trigger the paging requests.

But wait… there’s more

The paper includes a separate attack that prevents phones from connecting to LTE networks. Such an attack would either prevent a phone from receiving voice or data service or would cause the devices to connect using 3G or even 2G technology, which are vulnerable to other types of exploits. In any event, the denial-of-service attacks are generally effective until after a device is rebooted.

The researchers also included Altaf Shaik, a doctoral student at Technische Universität Berlin; N. Asokan of Aalto University and University of Helsinki; Valtteri Niemi of the University of Helsinki; and Jean-Pierre Seifert, a professor at Technische Universität Berlin. They said they contacted all manufacturers and carriers affected by their research in June and July and have proposed several changes the companies can make to better secure their products and networks. The researchers are scheduled to present their findings at the upcoming Blackhat Security conference in Amsterdam, the T2 Security conference 2015, and the Internet Society NDSS conference. A brief description of the attacks is here.

As noted earlier, several of the vulnerabilities exploited reside in the LTE specification itself. That likely means every LTE-compatible manufacturer and carrier is vulnerable to these attacks. A fix will almost certainly take time and money, but at least there will be near unanimous agreement among industry partners that the weaknesses represent a concrete and imminent threat to customers.

Don’t Cross the Line, You’re Bound to get Caught

Don’t Cross the Line, You’re Bound to get Caught


Often we receive phone calls with people asking us to do things that either clearly cross the line of what is legal, or push the boundary of what might be considered legal, but not moral. When I have spoken to people like this on the phone, including the rare private investigator, I politely turn them down and let them know that the price they would pay for the case is not worth the price I would pay if I or anyone at Decipher Forensics were caught in such nefarious acts. While we do take part in many amazing cases, we work within the bounds of the law. Do we “know people” yes, yes we do know hackers and they are good people. I have never asked one of them to break the law though. Today so much information can be obtained through proper use of social engineering. When you break the law, you end up getting caught at some point.

Enjoy this example of going too far and getting caught.

This afternoon, Eric Saldarriaga, a private investigator from Astoria, New York, will be sentenced in federal court for his part in a conspiracy to hack into the e-mail accounts of more than 50 individuals as part of his investigations. (He has pled guilty.) Among his victims are two prominent critics of the Church of Scientology, both of whom were recently featured in the book and HBO documentary film Going ClearUpdate: Saldarriaga received a sentence of three months imprisonment, three years of supervised probation, and a $1,000 fine—in addition to forfeiture of $5,000 he received in fees for hacking at least one account.

Who were Saldarriaga’s clients? That remains unclear; court documents haven’t revealed it, and the transcripts of his guilty plea are still held by the court awaiting redaction. But both Scientology critics are now convinced that it was the church which set Saldarriaga on them. “There can be no doubt that one of Mr. Saldarriaga’s clients is Scientology,” Mike Rinder, a former Scientology official and one of the victims notified by the US Attorney’s Office, said in a written statement sent to the court.

Ars attempted to get a comment from a church of Scientology spokesperson, but did not receive a response in time for publication. We will update this story if we receive comment.

Hiring hackers

Here’s how the hacks happened. According to a sentencing letter filed by the US Attorney’s Office for the Southern District of New York, “Between at least 2009 and March 2014, through certain services advertised on the Internet (the ‘Hacking Services’), the defendant hired other individuals to hack into, i.e., to gain unlawful and secret electronic access to, the e-mail accounts of almost 50 different individuals (collectively, the ‘Victims’). For certain victims, the defendant attempted to gain unlawful access to more than one e-mail account. In total, the defendant hired the Hacking Services to attempt to hack into, and provide the defendant with unauthorized access to, at least 60 different e-mail accounts.”

The government has not named the individuals hired by Saldarriaga to perform the mail hacking, but it describes them as “known and unknown”—so cases against them are likely pending. Saldarriaga, who also used the alias “Emmanuela Gelpi” in Internet communications, would contact the “Hacking Services” by e-mail to request the username and password for specific targets’ accounts; when successful, the hackers would e-mail back a screenshot of the targets’ e-mail inbox and demand payment, usually via PayPal. They would then pass along the login credentials for the e-mail account, and Saldarriaga would log in—sometimes to gather information for clients, and sometimes “to investigate individuals in which the defendant was interested for personal reasons,” Assistant US Attorney Daniel Noble wrote in his sentencing memorandum to the court.

The government stated in its sentencing memorandum that Saldarriaga lied to the court in his guilty plea—including lying about having a New York State investigator’s license. The website for his investigative firm, Iona Research Services, Inc. (now just a blank page), previously promoted Saldarriaga’s business as providing “Internet Profiling,” “E-mail Tracing,” and “Computer Security” services. It also used an Investigator’s License number associated with another investigator in Rockland County, New York.

A mysterious client

One of the targeted e-mail accounts belonged to Tony Ortega, executive editor of The Raw Story and former editor of The Village Voice. Ortega, who has written about the Church of Scientology since 1995, has written a book about the church’s campaign against the author Paulette Cooper. In an interview with Ars, Ortega said that he first became aware of Saldarriaga in 2013 when he started receiving read receipts for e-mails sent from an account associated with his Web domain.

Saldarriaga had been sending messages from an account that was set up to look like it belonged to Ortega. The e-mails sent by Saldarriaga used a Point-of-mail account, which allowed him to track when they were read. But he had mistakenly configured his account to send read receipts back to Ortega—as well as to his fake account.

“He screwed up,” said Ortega. “Otherwise I’d have never caught him.”

After tracking the messages back to Saldarriaga in November 2013, Ortega said, “I contacted him and said, ‘What the hell?’ He said that he had been hacked too, and that some other private investigator was using the two of us to investigate some missing persons thing.” Saldarriaga said he believed that both of them were being “punked” by a former client of his.

“I asked him point blank if this was Scientology, and he said no,” Ortega said. Saldarriaga insisted that he “would never work for Scientology.”

After getting assurances from his lawyer—who is also his webmaster—that his website’s server had not been breached, Ortega says he wrote off the whole episode. That is, until recently, when he received a letter from the Justice Department informing him that he had been determined to be a victim of Saldarriaga’s hacking operations. Ortega was given the opportunity to write a “Victim Impact Statement” for Saldiarraga’s sentencing hearing.

Ortega’s attorney, Scott Pilutik, wrote to Peter Brill, the attorney representing Saldarriaga, again asking why Saldarriaga had used Ortega’s e-mail address in an investigation. Brill responded by phone, telling Pilutik that the client was the father of a missing person named Jay Banarjee. He told Pilutik again that there was no connection between the case and the Church of Scientology.

But then Ortega spoke with Mike Rinder, a former international spokesperson for the Church of Scientology who left the group in 2007, and everything changed.

Rinder, who had also acted as a confidential informant to the FBI in a human-trafficking investigation against the church, told Ortega that he had just been notified by the Justice Department that his e-mail had been hacked by some private investigator. Ortega asked him if the investigator was Saldarriaga; Rinder, surprised, replied that it was. So both men filed victim impact statements with the Justice Department, pressing the government to pursue charges against Saldarriaga’s clients—convinced that the Church of Scientology was involved.

In his statement to the court, Rinder wrote:

There can be no doubt that one of Mr. Saldarriaga’s clients is Scientology. One of the other victims of this crime is Tony Ortega, the most prominent journalist in the world exposing Scientology abuses for at least a decade. I spoke with Mr. Ortega yesterday and learned that he received a similar letter to mine. The ONLY thing Tony Ortega and I have in common is that we are at the top of Scientology’s enemies list because we have publicly exposed their abusive practices.

I believe the court would find it helpful to review Mr. Ortega’s victim impact statement in concert with mine, as Mr. Ortega and I have experienced similar surveillance and harassment. Mr. Ortega’s statement also demonstrates that Mr. Saldarriaga lied only weeks ago when he was explicitly asked whether he was working for Scientology.

Scientology may well have used a “cut-out” to hire Mr. Saldarriaga so he can claim ignorance. But following the payments will ultimately go back to Scientology. This should be investigated as this is a pattern of behavior Scientology has gotten away with for too long – while making a mockery of the First Amendment protections they claim as a religion and a falsely obtained tax exempt status. Scientology is violating public policy by hiring people to commit felonies, and that is compounded by the fact they are using tax exempt funds. This sort of criminal behavior should cost them their exempt status under the law – these activities are being subsidized by US taxpayers. This will happen only if the USAO pursues this matter back to the perpetrators. Only then will justice truly be served.

Rinder has some familiarity with that pattern of behavior, as “Mike Rinder used to run these operations,” said Ortega. While with the church of Scientology’s SEA ORG, Rinder has claimed that he was responsible for initiating private investigations against former Scientology members, the family members of church members, and others.

In his victim statement, Ortega told the court, “It is disturbing to me that I have been given no information about the extent of Mr. Saldarriaga’s access to me, and for whom he was working, given that Mr. Brill’s representation on behalf of Mr. Saldarriaga were evidently not truthful. Sentencing Mr. Saldarriaga without pressing him for this information would be as much of a miscarriage of justice as his original crime. Whoever paid Mr. Saldarriaga should be investigated and prosecuted.”

According to filings from the US Attorney’s office, investigators have not yet been able to determine the identities of all of the victims of Saldarriaga’s e-mail incursions. On May 1, Assistant US Attorney Noble filed a request for subpoenas with the court to obtain “basic subscriber information from various service providers for the e-mail accounts the government has identified as being possibly compromised as a result of the defendant’s conduct.”

Decipher Forensics announces partnership with FireEye

White on Black Logo    fireEye logo

Decipher Forensics is proud to announce a partnership with FireEye. Decipher Forensics is a leader in digital forensics, cell phone forensics as well as complex data recovery. Decipher Forensics has now branched its services and expertise into the world of incident response and incident response preparedness and planning. Decipher Forensics is now an authorized reseller for FireEye. Decipher Forensics views the partnership as an obvious move in the right direction for their company. Partner Trent Leavitt said, “Partnering with a FireEye has been a great experience. The professionalism and ease of working with them as a partner company has been fantastic”. The goal for Decipher Forensics in opening this branch of the company is to assist organizations in preparing for and more importantly preventing a data breach from happening. In the event of a data breach Decipher Forensics will respond to the needs of its clients.

FireEye, a leader in providing cyber security solutions, protects the most valuable assets in the world from those who have them in their sights. Our combination of technology, intelligence, and expertise — reinforced with the most aggressive incident response team — helps eliminate the impact of security breaches. We find and stop attackers at every stage of an incursion. With FireEye, you’ll detect cyber attacks as they happen, understand the risk they pose to your most valued assets, and have the resources to quickly respond and resolve security incidents. The FireEye Global Defense Community includes more than 2,500 customers across 65 countries, including over 150 of the Fortune 500.

Computer Forensics in Your Case

You May be Surprised to See How Computer Forensics Can Assist Your Case

Computer Forensics is typically not the first thing you think of in any type of complex litigation. But in today’s era of communications and electronically stored information (ESI), it is not surprising to find that computer forensics plays a larger and more crucial role than one might have thought in recent years. The days of copying or scanning box upon box of documents are not over by any means, but paper documents have been replaced by electronic documents in thousands of lawsuits scattered across the country.

Collecting electronic information is not child’s play. It requires knowledge of both the Federal Rules of Electronic Evidence (which are changing) and an understanding of proper methodologies regarding data collection of networks, servers, mobile devices, social media accounts, and cloud based files like DropBox, Google Drive and we can never forget cloud based or server based email.

It requires knowledge of different types of tools and software to use for collections, whether it is on a cell phone, a cloud based email or an image of a hard drive. All must be done to protect the vital integrity of the data.

Remote and targeted collections are popular forms of data collections used today to reduce the cost of collecting ESI during the discovery phase. Remote collections are simply what they say. Using the internet to gain access to another device and forensically collect data while not being physically present. Remote collections are not meant for every case. For example it does not make sense to remotely collect two terabytes of data across the internet to a remote location. This would be more efficient and more cost effective to be done on-site. Remote collections are designed to be cheaper than flying a forensic examiner to another city and placing them directly in front of the device for a small amount of data. Each case is different in weighing which is better for the client/case.

Targeted collections are becoming a viable way to reduce the cost of electronic collections as well. A targeted collection simply defines a specific custodian and or timeline of which to collect the data from. A classic example would be an email account with all emails between July1st 2013 and October 5th, 2014. They are useful when the parties know who the custodians are and the role they likely play in the case. They also make more sense when you know the data retention policy of the custodians involved.

This leads me into the topic of computer forensic electronic collections vs. electronic discovery collections. Some colleagues might argue they are one in the same. Allow me to make my point as I think they are not.

Gardening allows you to grow things above ground and below ground. My personal garden boasts raspberries, strawberries, blackberries, peas, and tomatoes to name a few. All of these can be found above ground and can be seen in plain sight while standing in or near the garden from a harvesting standpoint. This is my idea of electronic discovery in a case. What can be seen in plain sight that can be harvested above ground.

Computer forensics and its goal in electronic collections dives into the garden to harvest the potatoes, radishes and onions that one cannot normally see when standing in the garden. This is known as collecting unallocated space or free space in order to find every possible morsel of data/evidence. In order to collect this type of data, you must collect entire hard drive, servers, phones, external hard drives etc. Standard electronic discovery collections only focus on the data found within the operating system.

This allows you to ask the same questions that you would have asked before in your normal electronic discovery collection, but now allows you to see deleted data that could hold the potential evidence that one might need to prove or disprove a case.

Keep in mind that this may not always be necessary. If all you need are email records from a particular group of custodians from the last nine months and the company has an email retention policy that is supposed to hold emails for two years for example, then this would not apply. Though if one of the items you wished to review in the discovery request was internet history and no retention policy existed for it, then this might be a good time to look at grabbing all of the data from a particular custodian.

In times past while sitting in a conference room with an attorney, the argument automatically becomes, “you are exceeding the scope of the request” or, “you are making this look like a fishing expedition”. This may be true on the surface. It is the natural response from opposing counsel when one would make a request of this nature. It can be solved in a fairly simple way circumventing the look and feel of the fishing expedition within the request.

In a recent case we accomplished this by convincing opposing counsel and the Judge to allow us to take the full forensic image (meaning deleted data and all) and then search through the forensic image for our keywords. The results were given to opposing counsel before they were given to our client. Opposing counsel was then allowed to review the data pulled from the keyword search and then given an opportunity to create a privilege log and exclude anything deemed by counsel to be privileged in nature, or beyond the scope of the request.

Does this take extra time on the part of counsel and opposing counsel? Yes it does. Are more costs involved? Yes they are. This is the reason to consult with your client and with your digital forensic expert to weigh the options/benefits based on the needs and already known evidence of the case. What works in one case most certainly will not be a perfect fit in the next case.

Many considerations and questions must be asked when starting a new case involving electronic discovery as well as computer forensics. One needs to ask many questions involving custodians, dates, types of evidence such as cell phones, laptops and servers as an example. An entire multimillion dollar case can literally hinge on a single email and its contents.

A list of keywords is a typical starting point. Once these have been searched and the results given, it is typical for more detailed questions or furthermore additional technical questions be asked. These questions will likely bring about the answers that will in many instances make or break a case.

In criminal cases deleted data is typically closely observed and noted. It seems that in numerous civil cases, that deleted data is overlooked because one doesn’t know that it can be recovered, or that it is terribly difficult and expensive to do.

Truth be known, using deleted data costs no more to go through than standard data, beyond the time allotted to go through it. Computer forensics is not the first thing an attorney thinks of in his or her case, but it can prove to be essential in multiple case types of litigation. Law Enforcement earmarks large budgets every year for the purpose of making cases based on the evidence found using computer forensics. Savvy litigation attorneys have found a place for computer forensics in their cases as well. It is well worth the time and cost on behalf of the client.

Law Enforcement Training

Computer Forensic & Cell Phone Forensic Field Training


On March 30th, 2015 Decipher Forensics provided a full day of Law Enforcement training to regional law enforcement. 27 officers, deputies and detectives from multiple agencies in Utah and Wyoming participated in the training event.


Law Enforcement Training

Law Enforcement Training












This law enforcement training course provided officers with the knowledge of handling electronic evidence, preserving said evidence and what can be gleaned from an evidential standpoint in various types of devices/systems, phone apps etc. We appreciated the partnership with Chapman and Associates in providing us this opportunity.

We had a great time with this group of officers in our training. We covered,

  • Web History
  • Email
  • Chat
  • Webmail
  • Exif Data
  • Deleted Data
  • Timelines
  • Registry
  • LNK Files
  • Metadata
  • Peer-to-Peer
  • MMORPG’s
  • Accounting and Financials
  • Passwords/Intelliforms

These were just a sampling of what we covered during the 7 hour course.

Social media evidence that we covered included,

  • Facebook
  • Twitter
  • Snapchat
  • WhatsApp
  • Instagram
  • Tumblr
  • Whisper
  • KiK

We covered the value in pulling evidence from these particular  device applications.

We have always appreciated working with law enforcement in any capacity possible. We look forward to future training opportunities with law enforcement. If your interested in receiving training for yourself or your department, call us today. 801.980.1018

Beware apps that ask for curious permissions

Always inspect the permissions on the apps that you download. Read the full article on

If you think you may have malware on your device and want to know more, submit your contact information to the right.