At LWG, we believe our expertise is best utilized in the context of your cyber breach response team. To that end, we are available to help you or your clients prepare your response plan, and be positioned as trusted advisors on your team; well-prepared to respond with Computer Forensics Analysis when needed. The application of sound Digital Forensics analysis is a critical component to any defensible cyber response. Below is a summary of our Cyber Response & Analysis Methodology.
Step One- Data Collection
When your client or insured suffers a data loss, we respond and secure the Electronically Stored Information (ESI), log files, and IT system data so that no spoliation occurs. This important step must be done quickly, otherwise critical electronic data and related evidence of the loss can be overwritten or compromised, diminishing your ability to identify the root cause of the loss, and related liabilities.
This critical first step typically includes the computer forensics imaging of key IT systems and computer assets. Imaging the servers creates a "bit-level" snapshot of the systems, preserving key data that will be necessary for the analysis. Other related ESI can be collected preserved from computing systems and this data will be inventoried using strict chain of custody practices, documenting every step of this process in an evidentiary manner. LWG uses industry-recognized remote high-speed imaging equipment and software, including EnCase Computer Forensics software. Our experts are trained, battle-tested, and certified. Our processes ensure this critical data can be authenticated and presented in an expert report in a defensible manner.
Step Two- Data Preservation
Once the relevant electronic data has been harvested from the IT environment under question, we inventory the data in our computer forensics lab, making forensic copies that are secured in our evidence vault. The highest level of security and data redundancy is applied.
Our data collection methodology has been developed with a focus on data privacy, protection of client’s confidential information, and protecting non-related sensitive data. We utilize court - tested protocols, signed protective orders, and highly-secure practices for protecting confidential information, including non-related third party data.
LWG experts know how to ask the right questions, listening to the on-site business representatives, IT professionals, attorneys, and claims professionals. We develop an intimate understanding of the issues, reported facts, and liabilities that are central to the event. This step is imperative, and it enables us to develop an analysis plan that results in relevant findings. This important step also ensures that our analysis is proportional to the value of the claim, and that your budget requirements are respected...without surprises.
Step Three- Data Analysis
The data analysis is tailored to the type of event and often includes a computer forensic examination of server logs, movement of critical intellectual property, data base / file system access determination, and the complete anatomy of the loss or breach, including root cause, dates, times, and sources. Central to any analysis is validating key assumptions such as whether the "loss" or "breach" was real. Were the electronic records assumed to be compromised actually affected? How did this happen? Who is responsible? Was the event caused by a system or process failure, human error, or a violation of data security policy? Of course, these critical questions become central to the claim, and are of utmost importance. Our experts scrutinize the collected data at the bit-level to help you resolve these questions.
Step Four- Data Reporting
The result is an expert computer forensics determination with respect to the event. The findings can be protected under attorney client privilege by partnering with your lawyers, if necessary. An expert report is crafted, covering the key components of the determinations. LWG experts have the necessary credentials and court testimony experience to handle your matter from initial data collection through the claims management process, including depositions, preparing declarations and expert affidavits, and expert witness testimony, if required.