Lee Neubecker: Expert in Cyber Forensics & Investigations

Curriculum Vitae Lee Neubecker

PDF Updated as of 3/21/2025

BIOGRAPHY

Lee Neubecker is the President and CEO of Enigma Forensics, Inc., a Chicago and Fort Lauderdale based Computer Forensics and Cyber Investigation consultancy. Neubecker assists Fortune 500 clients, government agencies, and private organizations with cyber-related investigations involving theft of electronic data, authentication of digital evidence, electronic medical records, fraud, counterfeiting, and online identity unmasking.

Neubecker is also the founder of the IT security blog leeneubecker.com. Before starting Great Lakes Forensics, Neubecker served as CISO for HaystackID and, following the acquisition of Envision Discovery and Inspired Review by HaystackID, was promoted to serve as CIO over the combined entities. Neubecker was named one of the top global computer forensics and cyber security experts by Who’s Who Legal in 2018, 2019, 2020, 2021, 2022, 2023 and 2024 and many years prior to that.

During 2016 and 2017, Neubecker assisted the U.S. Federal Government in discovering important security compromises, including the compromise of the NIST.gov wildcard certificate (boudicca.nist.gov) using deprecated encryption (December 2016), the compromise of time.gov NIST time servers (December 2016), the compromise of the NIST NSRL Hash Set download page (December 2016), and the leak of usernames and passwords for U.S. Intelligence Agency email accounts onto public sandbox websites such as pastebin.com (December 2016 and January 2017). Neubecker has a track record of uncovering cyber data breaches and has performed investigations at the State and Federal Government Agency levels.

Neubecker has performed extensive research pertaining to hardware-based vulnerabilities and exploits, including Serial Peripheral Interface chip-stored malware that has been impacting individuals, companies and government agencies in the wild following the leak of the U.S. cyber weapons cache. Neubecker identified and reported the hack of the chicagoelections.com website, which resulted in millions of Chicago resident (and former resident) voting records being disseminated online. Neubecker also provided important intelligence collection and analysis services that helped bring the perpetrators of the Boston Marathon Bombing to justice. Prior to founding Enigma Forensics, Neubecker founded Forensicon, Inc. and sold the company to QDiscovery, a national eDiscovery services provider. While managing Forensicon, Mr. Neubecker provided consulting services in the areas of computer forensics, electronic discovery, data recovery and litigation support to a diverse range of clients. Mr. Neubecker has worked on both Plaintiff and Defense sides, and has served as a regular speaker on topics in the computer forensics and electronic discovery fields for Midwestern legal bar associations, Professional Associations and National Legal Conferences. Mr. Neubecker has been appointed a special master in civil litigation matters by the courts. Mr. Neubecker has been cited in the appellate court as an expert witness in the case, Liebert Corp. v. Mazur. The published opinion of Justice Wolfson, Circuit Court of Cook County, regarding Mr. Neubecker’s testimony can be found at the following link: https://caselaw.findlaw.com/il-court-of-appeals/1063543.html

Prior to founding Forensicon, Inc., Mr. Neubecker founded BuzzBolt Media, a web development and Search Engine Optimization consultancy which later became Forensicon, Inc. Before moving to Chicago in 2000, Mr. Neubecker led the online communities’ product development and programming initiatives for the Lycos Network, a pioneering Web media model that included three Top 10 Web sites and was one of the most visited hubs on the Internet during Neubecker’s tenure. Neubecker was responsible for creating, launching and managing chat, instant messaging, message boards, and online games across the Lycos network. In this role, Mr. Neubecker led the company’s response to legal inquiries from law enforcement personnel and personally oversaw complicated international investigations involving transcontinental Cyber attacks against company servers and users.

Before joining Lycos and graduating with an MBA focused in technology, Mr. Neubecker launched and successfully managed Innovative Consulting, Inc., an information technology consulting company. Mr. Neubecker’s company deployed network management, contact management, sales automation and ERP solutions to small and mid-tier organizations. Prior to Innovative Consulting, Neubecker held operations and finance analyst positions with Ford Motor Company and Comerica Bank. Mr. Neubecker has experience in securities valuation and accounting from his position at Comerica Bank, where he served as a Trust Fund finance analyst. While serving at Ford Motor Company as an intern, Neubecker was integral in automating important processes and bringing financial forecasting methodologies online, resulting in more timely and accurate quarterly financial forecasts.

Mr. Neubecker graduated magna cum laude from Babson College with a Masters of Business Administration, focusing on Technology. Mr. Neubecker also holds an undergraduate degree in Finance, magna cum laude, from Eastern Michigan University.

NOTABLE CASES OF RECORD AS A COMPUTER FORENSICS EXPERT WITNESS

LESEAN DOBY v. ZIDAN MANAGEMENT GROUP, INC.

IN THE UNITED STATES DISTRICT COURT FOR THE NORTHERN DISTRICT OF ILLINOIS EASTERN DIVISION

Case No. 1:23-cv-16602

Provided affidavit regarding the analysis of a biometric fingerprint lock in support of the defendant as it relates to the Illinois Biometric Information Protection Act.

JAQUAN SHORTER v. ADVOCATE HEALTH AND HOSPITALS CORPORATION, ET. AL.

IN THE CIRCUIT COURT OF COOK COUNTY, ILLINOIS

COUNTY DEPARTMENT, LAW DIVISION

Case No. 2023L012024

Filed affidavit regarding user authentication to the defendant’s Electronic Medical Record system and the origins of the logon activities when accessing the patient’s health provider’s EMR system.

EUGENE EVANS v. CORRECTHEALTH CLAYTON, LLC and PAMELA BLAHA, LPN

IN THE SUPERIOR COURT OF FULTON COUNTY STATE OF GEORGIA, Case No. 2023CV379078

Filed affidavit regarding electronic medical records.

MARVA BURNETTE v. RUSSELL P. NOCKELS, M.D., IGNACIO JUSUE-TORRES, M.D., and LOYOLA UNIVERSITY MEDICAL CENTER

IN THE CIRCUIT COURT OF COOK COUNTY, ILLINOIS COUNTY DEPARTMENT, LAW DIVISION, Case No. 2023-L-000973

Filed affidavit regarding electronic medical records and audit trails.

CHRISTINE MCLAUGHLIN, CRYSTAL VANDERVEEN, JUSTIN LEMBKE, SCOTT HARDT, ET. AL. v. SELECT REHABILITATION LLC

UNITED STATES DISTRICT COURT FOR THE MIDDLE DISTRICT OF FLORIDA

JACKSONVILLE DIVISION

CLASS and COLLECTIVE ACTION Case No: 3:22-cv-00059-HES-MCR

Filed Declaration regarding the availability of EMR audit log records to show when staff were performing work.

CDL 1000, INC. v. SCOTT ROBERTSON

CIRCUIT COURT OF COOK COUNTY, ILLINOIS, Case No. 2022-CV-00415

Provided affidavit detailing the lack of compliance with the courts’ order requiring handover of Robertson’s personal smartphone and computer for forensic preservation and analysis relating to a departed employee investigation and alleged electronic trade secret misappropriation.

DEVIN ESTIME v. SOUTHERN CALIFORNIA PERMANENTE MEDICAL GROUP

SUPERIOR COURT OF THE STATE OF CALIFORNIA COUNTY OF LOS ANGELES, Case No.: 22STCV06517

Filed affidavit regarding electronic medical records and audit trail productions.

ROBERT BRONSTEIN v. LATIN SCHOOL OF CHICAGO

IN THE CIRCUIT COURT OF COOK COUNTY, ILLINOIS COUNTY DEPARTMENT, LAW DIVISION,

Case No. 2022-L-003763

Completed forensics analysis of iPhone, Macbook, and iPad of defendant in the case.

CONNIE & GARY ANDERSON v. PATIENT FIRST MARYLAND MEDICAL GROUP

IN THE CIRCUIT COURT FOR BALTIMORE COUNTY Case No. C-03-CV-21-001814

Provided affidavit related to EMR and audit trail logs.

PHOTOFAX, INC. v. JOSEPH BRADY

CIRCUIT COURT OF KANE COUNTY, IL, Case No. 21-CH-000167

Provided affidavit detailing the forensic examination of the PhotoFax issued laptop by the departed employee. Reported on the destruction of evidence and provided support for a motion to compel examination of the devices still used by Joseph Brady to look for sensitive company data and trade secrets.

JAMES ABRAHAM, successor Trustee of the JOHN A. ABRAHAM TRUST v. ELIZABETH CHAPMAN

IN THE CIRCUIT COURT OF COOK COUNTY, ILLINOIS COUNTY DEPARTMENT, MUNICIPAL DIVISION

Case No. 2020 M170426

Provided affidavit regarding the authenticity of alleged lease produced by the defendant relative to a forensic analysis of computing devices.

JOSEPH NICOLOSI ET. AL. v. STANDARD PARKING ET. AL.

CIRCUIT COURT OF COOK COUNTY, IL Case No. 20-L-007912.

Provided affidavit detailing EXIF photo metadata extracted from the Plaintiff’s production of alleged photos taken of damaged artwork and other effects. Identified photos that were edited after they were taken using Photoshop.

PATRICK T. MCKINNEY, BY AND THROUGH HIS LEGAL GUARDIAN, RONI S. MCKINNEY, AND RONI S. AND TIMOTHY C. MCKINNEY, INDIVIDUALLY AND AS THE PARENTS AND NATURAL GUARDIANS OF PATRICK T. MCKINNEY v. THE CLEVELAND CLINIC FOUNDATION AND THE CLEVELAND CLINIC HEALTH SYSTEM

COURT OF COMMON PLEAS OF CUYAHOGA COUNTY, OHIO Case No. CV-20-931-660.

Provided affidavit in support of a motion to compel for supervised on-site obtainment of the plaintiff’s full medical records. Involved Epic EMR software.

NIMISH SHAH, AS THE NATURAL SON OF PUSHPABEN C. SHAH, v. ST. LUKE’S EPISCOPAL PRESBYTERIAN HOSPITALS, D/B/A ST LUKE’S HOSPITAL, ET. AL.

CIRCUIT COURT OF ST. LOUIS COUNTY, MISSOURI. Case No. 20SL-CC04023. Div. 8.

Signed an affidavit exhibiting deficiencies in Defense’s production and supporting a motion to compel for an on-site collection of the plaintiff’s medical records. Involved Cerner software.

MARC STRAUSS v. KATHLEEN VAN VALKENBURG, M.D. and SIGHT MEDICAL DOCTORS, P.L.L.C.

SUPREME COURT OF THE STATE OF NEW YORK, COUNTY OF NASSAU, Index No. 608054/2020.

Submitted an affidavit in support of a motion to compel for full medical records involving MyCare iMedicWare EMR software.

DEBORAH CARR v. HOSPITAL SISTERS HEALTH SYSTEM

IN THE CIRCUIT COURT OF THE SEVENTH JUDICIAL CIRCUIT SANGAMON COUNTY, ILLINOIS, Case No. 2020-L-105

Provided affidavit related to EMR and audit trail logs.

RONI S. AND TIMOTHY C. MCKINNEY, v. THE CLEVELAND CLINIC FOUNDATION

IN THE COURT OF COMMON PLEAS CUYAHOGA COUNTY, OHIO

Case No.: CV-20-931660

Filed affidavit regarding electronic medical records.

AUSTIN ROBERTS v. IOWA HEALTH SYSTEM d/b/a UNITYPOINT HEALTH, TRINITY MEDICAL CENTER

IN THE CIRCUIT COURT OF THE FOURTEENTH JUDICIAL CIRCUIT ROCK ISLAND COUNTY, ILLINOIS, Case No. 2020 L 76

Filed affidavit regarding electronic medical records and audit trails.

SMART MORTGAGE CENTERS, INC. v. BRIAN NOE, EILEEN PRUITT, AND NEXA MORTGAGE, LLC

IN THE CIRCUIT COURT OF WILL COUNTY, ILLINOIS TWELFTH JUDICIAL CIRCUIT Case No. 20 CH 292

Filed an affidavit regarding allegations of trade secret misappropriation.

PHILIPS NORTH AMERICA, LLC v. FITBIT, INC.

IN THE US DISTRICT COURT FOR THE DISTRICT OF MASSACHUSETTS

Case No.: 1:2019cv11586

Filed affidavit relating to forensic inspection of electronic data relative to allegations of trade secret misappropriation.

ROBERT WATSON and MARK SAULKA, v. RYAN TODD WEIHOFEN and POOL TECHNOLOGIES, LTD.,

IN THE CIRCUIT COURT OF COOK COUNTY ILLINOIS COUNTY DEPARTMENT, CHANCERY DIVISION, Case No. 2019 CH 12252

Filed affidavit regarding the expected cost to comply with a subpoena for production of electronic medical records.

LOUIS ARGIRIS v. PAUL V. FAHRENBACH, M.D., GI SOLUTIONS OF ILLINOIS LLC, ATHANASIOS D. DINIOTIS, M.D., TIESENGA SURGICAL ASSOCIATES, S.C. d/b/a SUBURBAN SURGERY CENTER INCORPORATED, JOSEPH Z. PUDLO, M.D., and JOSEPH Z. PUDLO, M.D., S.C.

COOK COUNTY CIRCUIT COURT, ILLINOIS, Case No. 2019 L 012187.

Provided affidavit in support of a motion to compel for the revision history of the plaintiff’s medical records. Consulted with counsel in serving subpoena to EMR system provider. Involved Greenway Health’s EHR platform.

CHRISTOPHER JOHANSEN v. NOW MARKETING SERVICES INC. AND INTERCOVE, INC.

CIRCUIT COURT OF WILL COUNTY, IL, Case No. 19-L-989.

Provided affidavit relating to departed employee apparent deletion activities including access of emails post employee departure in support of a motion to compel forensic preservation and analysis of the departed employee’s personal electronic devices.

ROBERT WATSON AND MARK SAULKA v. RYAN TODD WEIHOFEN AND POOL TECHNOLOGIES, LTD.

CIRCUIT COURT OF COOK COUNTY, IL, Case No. 19-CH-12252.

Provided affidavit discussing the expected costs of a third party producing electronically stored information.

BYRON FOXIE, as legal guardian and parent of TIGE W. FOXIE, v. ANN & ROBERT H. LURIE CHILDREN’S HOSPITAL OF CHICAGO, and ALMOST HOME KIDS, and OTHER UNKNOWN PARTIES, JOHN DOES 1-10 and ROE CORPORATIONS 1-10

CIRCUIT COURT OF COOK COUNTY, ILLINOIS, Case No. 19 L 7430

Provided testimony in the form of three affidavits supporting a motion to compel during discovery due to deficiencies in EMR production. Involved Epic EMR software.

PHOTOFAX, INC. v. MICHAEL CALDARAZZO

CIRCUIT COURT OF KANE COUNTY, ILLINOIS, Case No. 19-CH-000217.

Performed forensic imaging of departed employee devices. Assisted with the construction of an ESI protocol. Analyzed, signed an affidavit, and testified regarding alleged misappropriation of trade secrets.

BLACK ROCK TRUCK GROUP, INC. FKA NEW ENGLAND TRUCK SALES AND SERVICE, INC. v. HARRY TARASIEWICZ and JOSEPH TARASIEWICZ

UNITED STATES DISTRICT COURT SOUTHERN DISTRICT OF NEW YORK, Case No. 7:19-cv-2367

Performed preservation of evidence, search and production of ESI. Analysis regarding allegations of trade secret misappropriation. Provided testimony regarding fabrication of emails and destruction of evidence.

TERRI BROWN v. MOUNT SINAI MEDICAL CENTER OF FLORIDA, INC. ET. AL.

IN THE CIRCUIT COURT OF THE ELEVENTH JUDICIAL CIRCUIT IN AND FOR MIAMI-DADE COUNTY, FLORIDA

Case No. 2018-016560-CA-09

Filed affidavit regarding the inadequate production of Plaintiff’s electronic medical records.

JERAME ANDREWS, and THERESA ANDREWS v. ANKLE AND FOOT CENTERS OF GEORGIA, ET. AL.

IN THE STATE COURT OF GEORGIA FULTON COUNTY Case No. 18EV003536

Filed affidavit regarding the inadequate production of Plaintiff’s Electronic Medical Records.

UNITED STATES DEPARTMENT OF JUSTICE V. BUYANTOGTOKH DASHDELEG, PETITION FOR REMOVAL.

Executive Office for Immigration Review Chicago, Illinois, File No. A218-056-722

Filed affidavit regarding the authenticity of email transmitted.

PEOPLE OF THE STATE OF ILLINOIS v. CHRISTIAN DAIGRE

CIRCUIT COURT OF COOK COUNTY, ILLINOIS, Case No. 2018-cr-1626801

Provided affidavit regarding the lack of the original sources of data being preserved that would allow for authentication of SMS and MMS messages allegedly sent and received.

RILEY ANN BERGTHOLDT v. ADVOCATE HEALTH AND HOSPITAL CORP, ET. AL.

CIRCUIT COURT OF COOK COUNTY, ILLINOIS, Case No. 2018-L-8647

Provided affidavit detailing deficiencies with defendant’s production of Electronic Medical Records (hereafter “EMR”) produced from Allscripts and from EPIC.

ANDREA BROCK, MICHAEL BROCK, S.B. v. THE UNIVERSITY OF CHICAGO MEDICAL CENTER D/B/A COMER CHILDREN’S HOSPITAL

CIRCUIT COURT OF COOK COUNTY, IL, Case No. 18-L-1175.

Provided affidavit in support of a motion to compel production of the Patient’s complete EMR, including Defendant’s secure file storage system, “Sticky Notes”, “In Basket” messages, audit trail records and complete revision history of the EMR as stored in the EPIC Hospital Information System.

TERRI BROWN, an individual, and ALAN ROCK, her husband, v. MOUNT SINAI MEDICAL CENTER OF FLORIDA, INC. d/b/a MOUNT SINAI MEDICAL CENTER, a Florida Corporation; and WILLIAM F. BURKE III, M.D., an individual; and BRETT C. FUKUMA, M.D., an individual

CIRCUIT COURT OF MIAMI-DADE COUNTY, FLORIDA, Case No. 2018-016560-CA-09.

Filed two affidavits in support of a motion to compel for an on-site collection of plaintiff’s electronic medical records. Involved Epic EMR software and Synapse PACS.

THE FOREST PRESERVE DISTRICT OF COOK COUNTY V. ROYALTY PROPERTIES, LLC; CANNON SQUIRES PROPERTIES, LLC; MERIX PHARMACEUTICAL CORPORATION, RICHARD KIRK CANNON, MERYL SQUIRES-CANNON, MCGINLEY PARTNERS, LLC, AND ROYALTY FARMS, LLC

CIRCUIT COURT OF COOK COUNTY, ILLINOIS, Case No. 18 L 315.

Provided in-courtroom testimony on the significance of electronic file metadata as it relates to when documents were received and modified.

BROWARD ENERGY PARTNERS v. RAPPAPORT

CIRCUIT COURT OF COOK COUNTY LAW DIVISION, Case No. 18 L 1096.

Provided in-court testimony and testimony via affidavit to assist with eDiscovery protocol process and address allegations of spoliation, withholding of information and authenticity of email.

JORIE LP, KOPLIN AND CONTENT CURATION & DATA ASSET MANAGEMENT v. ROBERTS MCGIVNEY ZAGOTTA ET AL.

CIRCUIT COURT OF DUPAGE COUNTY, ILLINOIS, Case No. 17 L 728.

Provided in-court testimony and testimony via affidavit involving issues of email authenticity, cell phone fabrication of evidence, and eDiscovery.

MCMAHON v. DIGITAL FUEL SOLUTIONS

CIRCUIT COURT OF WILL COUNTY, ILLINOIS, Case No. 15 L 681.

Provided written affidavits regarding alleged software code misappropriation. Assisted counsel with seeking preservation of electronic data from third parties.

BORCHERS V. FRANCISCAN TERTIARY PROVINCE OF THE SACRED HEART, INC., ET. AL.

Case No. 2011 IL App (2d) 101257.

Testified in support of violation of the Electronic Communications Privacy Act by Plaintiff’s former employer.

http://www.illinoiscourts.gov/opinions/AppellateCourt/2011/2ndDistrict/December/2101257.pdf

SABAN v. PHARMACARE MANAGEMENT, LLC ET. AL.

NORTHERN DISTRICT OF ILLINOIS (Chicago), Case No. 1:10-cv-02428.

Rebuttal witness regarding trade secret misappropriation.

TRANCO INDUSTRIAL SERVICES, INC. v. CAMPBELL

NORTHERN DISTRICT COURT OF INDIANA, HAMMOND DIVISION, Case No. 07-CV-206.

Won TRO – Violation of Computer Fraud & Abuse Act – Trade Secret Misappropriation. Supervised and prepared our testifying expert for this case.

VALUEPART v. ITR NORTH AMERICA ET. AL.

NORTHERN DISTRICT COURT OF ILLINOIS, EASTERN DIVISION, Case No. 06-CV-02709.

http://www.forensicon.com/resources/case-summary/valuepart-v-itr

CHARLES A. KRUMWIEDE v. BRIGHTON ASSOCIATES, LLC AND ISMAEL C. REYES

NORTHERN DISTRICT COURT OF ILLINOIS, EASTERN DIVISION, Case No. 05-C-3003.

Supervised and prepared our testifying expert for this case. http://www.forensicon.com/resources/case-summary/krumwiede-v-brighton-associates/

S.C. JOHNSON & SON, INC. v. MILTON E. MORRIS ET. AL.

CIRCUIT COURT OF RACINE COUNTY, WISCONSIN, Case No. 04-CV-1873.

Led the investigation and preservation effort that uncovered personal webmail, revealing a fraudulent kickback scheme, which resulted in a law enforcement sting and later a successful conviction of the accused. This ultimately resulted in an award of $203.8 million to compensate SC Johnson & Son, Inc. for its losses. https://www.forensicon.com/resources/case-summary/wisconsin-appeal-sc-johnson-vs-morris-schelle/

LIEBERT CORPORATION ET. AL. v. JOHN MAZUR ET. AL.

CIRCUIT COURT OF COOK COUNTY, CHANCERY DIVISION, Case No. 04 CH 02139.

Appellate Court, Second Division, Case No. 1-04-2794.

Provided testimony via affidavit and in court, identifying patterns of trade secret misappropriation.

KALISH v. LEAPFROG ONLINE ET. AL.

CIRCUIT COURT OF COOK COUNTY, ILLINOIS, Case No. 03-L-011695.

Performed analysis of the computer used by the recently departed employee and reported on the employee’s actions to the court.

http://www.forensicon.com/resources/case-summary/kalish-v-leapfrog-online/

LORILLARD TOBACCO COMPANY v. CANSTAR (U.S.A.), INC. ET. AL.

NORTHERN DISTRICT COURT OF ILLINOIS, EASTERN DIVISION, Case No. 03-C-4769.

Performed forensic preservation and forensic analysis that resulted in identifying a counterfeiting syndicate. Located personal email accounts and offshore wiring accounts used to perpetrate the counterfeiting scheme. More than $5 million was awarded from Neubecker’s discovery of a counterfeit scheme.

TECHNICAL SKILLS

Managed Engineering Development and data analysis activities across many disparate technologies, from legacy through more recent technologies and platforms, including:

Database Technology:

FileMaker, MySQL, Oracle, SQL, SQL Server, Law eDiscovery, & Medical ERP Patient Record Systems

Forensic Software:

Aircrack, Airmon, AccessData, Mobile Edit Pro, Cellebrite, EnCase, Paladin, Recon Lab, Forensic Toolkit, Paraben, & WiFite

Online Reconnaissance:

Dark Web, IRC, GFI LanGuard, Maltego, & Usenet

Security Monitoring:

Nmap, Splunk, Snort, Wireshark, Sophos UTM, & Shodan

Operating Systems / Command Line Shells:

Mac OS X, Windows (DOS/3.1/NT/2000/XP/Vista/2008/2012/7/8/10), Windows Server NT, 2000, 2008, 2012 (Active Directory, Group Policy Management, Certificate Management), Bash, Busybox, Amiga, Commodore, CPM, TI 99/4a, Grub, Kali Linux, Linux, Raspbian OS, Solaris, VMware, Raspberry PI OS, & Unix

Programming:

C++, CVS, DOM, Pascal, Xcode, XML, Kintone, Python, Fabric & Visual Basic

Software Applications:

MS Office, SDR, Webx, WebTrends, Camtasia, Adobe Photoshop, MS Project, MS Access, MS Excel, MS PowerPoint, MS Word, MS Visio, Peachtree, QuickBooks & Quicken

Web:

Expert in Search Engine Optimization, ASP, ColdFusion, HTML, Java, JavaScript, Python, PHP, Scripting Languages, Artificial Intelligence, & WordPress

EDUCATION & PROFESSIONAL DEVELOPMENT

  • M.B.A., Magna Cum Laude – Babson F.W. Olin Graduate School of Business – Wellesley, MA
  • B.B.A. Finance, Magna Cum Laude – Eastern Michigan University Ypsilanti, MI
  • Guidance Software – EnCase® Introduction to Computer Forensics 32 credits – Sterling, VA
  • Guidance Software – EnCase® Intermediate Analysis and Reporting 32 credits – Sterling, VA
  • Guidance Software – Information Risk and Policy Compliance 3 credits – Chicago, IL
  • Continuing Education – Computer Programming – Harry S. Truman College – Chicago, IL
  • Novell Computer Network Training – Walsh College – Troy, MI

PROFESSIONAL EXPERIENCE

EnigmaForensics.com — President & CEO
Chicago, IL (8/2018 – Present)

  • Provided direct consulting to clients involving complex issues relating to eDiscovery
  • Retained by Government Agency to assist with deposing technical deponent in litigation relating to patient health care records
  • Assisted with developing a court approved protocol for production of ESI
  • Conducted complex investigations involving the authenticity of emails

HaystackID — Chief Information Officer
Boston, MA (4/2018 – 7/2018)

  • Managed all IT resources for eDiscovery production environment and internal systems
  • Oversaw data center migration
  • Created documentation and work ticketing system for tracking problems and improving service response

HaystackID — Chief Information Security Officer
Boston, MA (1/2018 – 3/2018)

  • Performed initial security assessment of organization
  • Prepared for GDPR compliance initiatives of organization
  • Outreach to potential clients

FORENSICON, a QDiscovery Company — Founder and consultant, Chicago, IL (2016 – 2017)

  • Identified opportunities to provide existing client base with services available from combined companies
  • Presented on the Telephone Consumer Protection Act regarding strategies towards mitigating lawsuits

FORENSICON, INC. — President & CEO, Chicago, IL (2000 – 2016)

  • Conducted fraud examinations involving misappropriation of funds, trade secrets, tax evasion, money laundering, and other white collar related investigations
  • Supervised a team of forensics experts in providing complex litigation plaintiff and defense consulting
  • Appointed by the U.S. District Court of the Northern District of Illinois to assist defense counsel in the trial of accused terrorist Tahawwur Rana – on the single count where my firm presented testimony, the defendant was found not guilty
  • Performed online investigative work to identify and assist law enforcement with the apprehension of the Boston Bombing perpetrators, Dzhokhar and Tamerlan Tsarnaev
  • Uncovered and reported the third known data breach of the Chicago Board of Elections voter database and election worker personal information
  • Supervised testifying experts on many cases of record to prepare technical experts for cross examination and rebuttal of their findings
  • Preserved electronic evidence for a range of clients using legally sanctioned protocols
  • Selected as preferred vendor by the Illinois Attorney Registration Disciplinary Commission – assisted with investigating various claims filed against licensed Illinois Attorneys
  • Developed Custom ERP System for evidence management, project management, time tracking and billing
  • Provided expert testimony to resolve disputes for various commercial, nonprofit, and governmental agency clients
  • Appeared several times as a computer forensics expert on WCIU TV Chicago Channel 26, First Business, NPR Business News, NBC Chicago and more
  • Led data breach first responder efforts for: State Government Social Services Department, Non-Profit HealthCare Organization, Financial Services Company, Accounting Firm, Private Membership Club Organization and various Corporations
  • Oversaw the development and presentations made to attorneys and legal support staff at the Chicago Bar Association, Illinois Attorney & Discipline Regulatory Commission, DuPage County Bar Association, various associations and more
  • Provided expert witness testimony regarding willful deletion of evidence by a departing employee where the testimony was upheld on appeal proving spoliation of evidence
  • Compiled emails from numerous platforms into popular litigation support platforms
  • Speaker at various events on the topic of computer forensics (see list below)
  • Performed computer forensics examinations in FBI forensics labs
  • Led the successful forensic analysis defense efforts against a law firm client of our firm that was accused of willful spoliation of evidence – discovered and reported our findings to Judge Mikva that no spoliation had occurred as alleged, the drive was merely encrypted and contained all information
  • Led numerous anonymous online defamation investigations resulting in the identification of many anonymous persons responsible for the defaming activities
  • Expert in Search Engine Optimization

LYCOS, INC. — Senior Product Development Manager, Community Products Group,
Waltham, MA (1998 – 1999)

  • Managed and/or launched a large group of products including chat, message boards, and games
  • Responded to SEC/FBI Inquiries pertaining to illicit behavior in Lycos network online properties
  • Tracked hacker attacks on the Lycos network of sites to help identify and prosecute offenders
  • Implemented safeguards against denial-of-service attacks across product group
  • Instituted product development and service roadmap management system for teams
  • Created & managed multiple cross-functional product teams
  • Managed transition of products from external to internal hosting
  • Led engineering team on the development of scalable & secure online products

INNOVATIVE CONSULTING, INC. — President, Brownstown, MI (1994 – 1997)

  • Led a company of five professionals providing IT support to various sized Companies
  • Provided Network support in a multi server environment (NT, Novell, Mac, Linux)
  • Implemented financial management software for tier 3 automotive suppliers
  • Designed & executed disaster recovery procedures for multiple businesses
  • Architected multi-office communication infrastructure for multiple companies

COMERICA BANK — Securities & Trust Fund Accountant, Detroit, MI (1994)

  • Audited security transactions for bank trust funds
  • Researched discrepancies in reporting
  • Published & verified daily yield rates of several portfolios of marketable securities
  • Initiated automation of trust fund daily reporting

FORD MOTOR COMPANY, INC. — Product Pricing Analyst, Detroit, MI (1992 – 1994)

  • Estimated cost impact on production forecast for various product design changes
  • Benchmarked sourced products to ensure price competitiveness
  • Designed & implemented a profit forecasting system using Excel & EDI

PRESENTATIONS

  • “Keys to Unlocking Electronic Medical Records EMR”, MCLE Tuesday May 25, 2021 delivered via Zoom co-sponsored by the Illinois Public Defender Association, the Illinois Innocence Project, the Center for Integrity in Forensic Sciences, and the Family Justice Resource Center.
  • Illinois Public Pension Advisory Committee: Friday, December 2nd’s IPPAC Winter Conference “The Imminent Threat of Cyber Attacks to your Pension Boards” panel
  • National Society of Insurance Investigators: “Cellphones, Pictures, Videos . . . What a Cyber Forensic Investigation Can Reveal”, December 4th, 2014
  • The Disaster Conferences : “Cyber Threats and Data Breaches”, September 18th, 2014
  • First Chair Awards : “Data Breach & Incident Response: How to Mitigate Your Risk Exposure”, August 2014
  • Cigar Society of Chicago : “How to Catch a Terrorist”, September 2013
  • ICPAS Fraud Conference 2012: “What a Responsible Professional (CPA or Attorney) Should Know about eDiscovery and Document Management”, September 2012
  • Law Bulletin E-Discovery Seminar: “Managing Scope & Review”, June 28th, 2011
  • NetSecure ‘11: IT Security and Forensics Conference and Expo: “Protecting Digital Assets from Hackers and Thieves”, March 24th, 2011
  • Chicago Association of Litigation Support Managers, CALSMposium: “Seventh Circuit Electronic Discovery Pilot Program”, October 7th, 2009
  • National Business Institute – “E-Discovery Searching the Virtual File Cabinets”:(co-presented with Christopher S. Griesmeyer, partner at Levenfeld Pearlstein, LLC and David W. Porteous, partner at Faegre Baker Daniels LLP) “Obtaining Electronic Data & Best Practices in using Computer Forensics”, September 19th, 2008
  • Law Bulletin E-Discovery Seminar — “Electronic Discovery in Practice”: (co-presented with Jennifer Wojciechowski of Kroll Ontrack) “Avoiding the Pitfalls of the Electronic Era”, October 2005
  • Institute of Internal Auditors, Chicago West Chapter Meeting: (co-presented with Cameron Nelson, attorney at Greenberg Traurig) “Using Computer Forensics To Conduct Investigations”, May 9th, 2006
  • Association of Certified Fraud Examiners Workshop: (co-presented with Kathryn Hoying, attorney at Johnson & Bell, Ltd.) “Using Computer Forensics to Conduct Investigations”, February 10, 2006
  • Chicago Law & Technology Conference: “Computer Forensic Update”, co-presented with Greenberg Traurig LLP Attorney Cameron Nelson, February 23, 2006
  • FagelHaber, LLC’s E-Discovery Conference: (co-presented with Richard Chapman, Gary Green, David Rownd and Robert Kamensky, attorneys at FagelHaber, LLC) “Avoiding the Pitfalls of the Electronic Era”, October, 2005
  • Chicago Bar Association, CLE Seminar: (co-presented with Kathryn Hoying, attorney at Johnson & Bell, Ltd.) — “Deliverables to Request From Your Computer Forensics Examiner”, 2005
  • Chicago Economic Development Council: “Internal Fraud Investigations”, 2005
  • Law Bulletin Publishing Company E-Discovery Conference 2005: “Show me the Smoking Gun!”, 2005
  • American Law Firm Association’s International Client Seminar 2005: (co-presented with Joe Marconi, attorney at Johnson & Bell, Ltd and Donald Kaufman, attorney at McNees, Wallace & Nurick LLC) — “Discovery, Document Retention & eDiscovery in a Post-Enron/Andersen World”, 2005
  • Chicago Bar Association, CLE Seminar: (co-presented with William J. Cook of Wildman Harrold, Jeffrey L. Hartman of Competitive Advantage Solutions and Mark S. Simon of Eclipsecurity, LLC) “Computer Forensics For Lawyers”, May 6th, 2004
  • Chicago/Milwaukee Joint Midwest Law & Technology Conference 2004: “Finding the Smoking Guns: Legal Computer Forensics Without the Geekspeak”, November 30th, 2004
  • Chicago Bar Association, CLE Seminar: “Resolving Intellectual Property Theft with Computer Forensics”, October 20th, 2004
  • Chicago Bar Association, CLE Seminar: “Computer Forensics for Lawyers”, May 6th, 2004
  • Law Bulletin Publishing Company E-Discovery Conference: “Electronic Document Collection and Processing”, April 27th, 2004
  • LegalTech 2003, Chicago: “True Electronic Discovery”, October 30th, 2003
  • Chicago Bar Association (Law Office Technology Committee): “Electronic Discovery 101”, 2003
  • Illinois Academy of Criminology: “Electronic Discovery 101”, Circa 2003
  • Greater Chicago Chapter of the Association of Legal Administrators: “Electronic Discovery 101”, Circa 2003
  • Chicagoland Chamber of Commerce: “Web Page Programming For Search Engine Effectiveness”, Circa 2001
  • NORBIC: “Web Page Programming For Search Engine Effectiveness”, Circa 2001
  • Law Practice Today — (July 2004) — Invited to be a contributing expert on a roundtable article by Dennis Kennedy on the online magazine: http://www.abanet.org/lpm/lpt/articles/ftr07041.html

ARTICLES

CURRENT & PAST MEMBERSHIPS / CERTIFICATIONS

  • Certified Information Systems Security Professional (CISSP) — Chicago Chapter
  • HTCIA (High Tech Crime Investigation Association) — Past President — Midwest Chapter
  • Illinois Academy of Criminology — Chicago Chapter
  • U.S. Secret Service Electronic Crimes Task Force Member — Chicago Midwest Region
  • Union League Club of Chicago — Technology Group Member
  • Association of Certified Fraud Examiners — Associate Member
  • State of Michigan — Private Investigator — License Number 3701205872

Raleigh Housing Authority IT Systems Locked Out

Hackers strike demanding ransom payment

On April 29th, the Raleigh Housing Authority fell victim to a cyber attack that shut down their computer system. The attack disrupted the agency’s ability to access their email, files, and financial records, leaving the organization struggling to conduct their day-to-day operations.

The RHA provides affordable housing for low-income individuals and families in the Raleigh area. The cyber attack has had a significant impact on the agency’s ability to fulfill its mission of providing safe and affordable housing. In the aftermath of the attack, the RHA has been forced to rely on manual processes to complete their work, causing delays in critical services for their clients.

Cyber attacks have become increasingly common in recent years, with hackers targeting organizations of all sizes and industries. These attacks can result in the loss of sensitive data, financial losses, and damage to a company’s reputation. In the case of the RHA, the attack has disrupted the lives of the low-income families who rely on their services.

To prevent cyber attacks, organizations must prioritize cyber security. This includes implementing strong password policies, regularly updating software and systems, and educating employees on how to recognize and report suspicious activity. Additionally, organizations should consider investing in cyber security insurance to mitigate the financial impact of an attack.

When a cyber attack does occur, it’s important to have a plan in place to respond quickly and effectively. This includes identifying and isolating affected systems, restoring data from backups, and conducting a thorough investigation to determine the cause of the attack and prevent future incidents.

In the case of the RHA, they have taken steps to restore their computer systems and minimize the impact of the attack. However, the incident serves as a reminder of the importance of cyber security and the devastating consequences that can result from a successful cyber attack.

In conclusion, the cyber attack on the Raleigh Housing Authority is a sobering reminder of the importance of cyber security for organizations of all types and sizes. By prioritizing cyber security, organizations can protect their data, their financial stability, and the well-being of their clients.

Preoperative Care and Informed Consent: An audit trail’s role in retrospective assessment

Informed consent prior to a procedure should be documented in the patient’s chart and visible on an audit trail.

by Dr. Aikaterina Assimacopoulos

Informed consent is a must prior to any elective procedure. After all risks, benefits and alternatives (r/b/a’s) are thoroughly explained, consent can be given. An informed patient is one who understands the nature and purpose of the procedure as well as postoperative expectations of pain, recovery time, need for physical therapy, and any changes to physical appearance. Signed consent should be found in the patient’s EMR.

Informed Risk Assessment

Common surgical risks include the risk of infection, bleeding or damage to surrounding organs. If a minimally invasive approach is planned, the possibility to convert to an open procedure should be discussed. If the patient is to have an exploratory surgery, a risk is the possibility that nothing is found on exploration. In some cases, there is a potential the surgeon recognizes additional measures must be taken upon viewing the patient’s anatomy. In these cases, the surgeon is usually aware of this potential and should obtain consent and discuss r/b/a’s.

The benefit or likelihood of a positive outcome should be clearly and realistically defined. The patient should be aware of any alternative options and their r/b/a’s. This includes both more conservative methods of treatment such as medications, physical therapy, or injections as well as any alternative surgical approaches that may vary in method or invasiveness. For example, a vaginal vs. abdominal approach to hysterectomy or LINX vs. Nissen fundoplication methods for gastroesophageal reflux.

A signed consent form and statement should be uploaded in the chart. For example, “r/b/a’s discussed, patient expressed understanding, all questions asked and answered” should be documented in the chart. However, this does not necessarily mean the patient was properly informed. Often this statement is included as part of a provider’s template, without being consciously documented. Therefore, this raises the question of whether or not the conversation actually took place.

Because this discussion is verbal, it is difficult to use an audit trail to prove whether appropriate informed consent was obtained. However, an audit trail can be used to analyze other aspects of preoperative care which, if deficient or incomplete, could support the notion that informed consent was deficient as well.

What to look for in an audit trail

If surgical complications arose and the physician was concerned about the preoperative care provided, the physician could enter the patient’s chart after the fact and make additions to it. This is why it is necessary to get an audit trail that extends through the date the EMR is generated. Providers can alter a patient’s EMR at any time. These changes might not be visible on the EMR but will be on the audit trail.

In most cases, evidence of the following actions should exist in both the printed patient chart and the audit trail:

  • A clinic visit in which the patient’s need for surgery is assessed.
  • Any attempt to manage symptoms with more conservative first-line measures. For example, prescription orders or referrals to physical therapy or a pain specialist.
  • A diagnosis made prior to surgery and added to the patient’s problem list.
  • In some cases, evaluation of the patient’s personal risk due to any comorbid conditions is done using a ‘risk calculator’ and results should be documented.
  • A preoperative physical/assessment for higher risk patients.
  • A complete history and physical note (H&P) within the 30 days prior to surgery.
  • Procedure-specific labs and imaging which should be viewed by the surgeon prior to surgery.
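
The checklist above can be applied mechanically once the audit trail has been exported to rows. The code below is an added example, not part of the original article and not any EMR vendor's format: the column names, action names, item names, surgeon, surgery time and sample rows are all constructed assumptions. It reports checklist items with no pre-surgery evidence, tests the 30-day H&P window, and lists write actions made to preoperative documentation after the surgery.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample export. Column names, action names and item names are
# assumptions for illustration; real audit trails are vendor-specific.
SAMPLE_AUDIT_CSV = """timestamp,user,action,item
2021-03-01 09:15:00,dr_smith,CREATE,Clinic Visit Note
2021-03-01 09:40:00,dr_smith,CREATE,Problem List Diagnosis
2021-03-02 10:05:00,dr_smith,CREATE,Physical Therapy Referral
2021-02-01 08:00:00,dr_smith,CREATE,H&P Note
2021-03-28 14:00:00,nurse_lee,VIEW,Abdominal CT
2021-04-02 11:30:00,dr_smith,CREATE,Operative Note
2021-04-09 22:05:00,dr_smith,VIEW,Abdominal CT
2021-04-09 22:10:00,dr_smith,MODIFY,H&P Note
2021-04-09 22:14:00,dr_smith,CREATE,Consent Discussion Note
"""
SURGERY_TIME = datetime(2021, 4, 2, 7, 0)  # constructed
SURGEON = "dr_smith"                        # constructed

WRITE_ACTIONS = {"CREATE", "MODIFY", "DELETE"}  # assumed action vocabulary

# Checklist label -> (item name, action counted as evidence, must be the surgeon)
PREOP_CHECKLIST = {
    "clinic visit": ("Clinic Visit Note", "CREATE", False),
    "conservative management": ("Physical Therapy Referral", "CREATE", False),
    "diagnosis on problem list": ("Problem List Diagnosis", "CREATE", False),
    "H&P note": ("H&P Note", "CREATE", False),
    "imaging viewed by surgeon": ("Abdominal CT", "VIEW", True),
}
# Documentation that should have been settled before the operation.
PREOP_ITEMS = {item for item, _, _ in PREOP_CHECKLIST.values()} | {
    "Consent Discussion Note"
}


def parse_audit_trail(text):
    """Parse the CSV export into event dicts sorted by timestamp."""
    events = []
    for row in csv.DictReader(io.StringIO(text)):
        row["timestamp"] = datetime.strptime(row["timestamp"], "%Y-%m-%d %H:%M:%S")
        events.append(row)
    return sorted(events, key=lambda e: e["timestamp"])


def missing_preop_evidence(events, surgery_time, surgeon):
    """Return checklist labels with no matching event before surgery."""
    missing = []
    for label, (item, action, by_surgeon) in PREOP_CHECKLIST.items():
        found = any(
            e["item"] == item
            and e["action"] == action
            and e["timestamp"] < surgery_time
            and (not by_surgeon or e["user"] == surgeon)
            for e in events
        )
        if not found:
            missing.append(label)
    return missing


def hp_within_window(events, surgery_time, days=30):
    """True if an H&P note was created in the `days` before surgery."""
    start = surgery_time - timedelta(days=days)
    return any(
        e["item"] == "H&P Note"
        and e["action"] == "CREATE"
        and start <= e["timestamp"] < surgery_time
        for e in events
    )


def late_preop_changes(events, surgery_time):
    """Write actions on preoperative documentation made after surgery."""
    return [
        e for e in events
        if e["timestamp"] > surgery_time
        and e["action"] in WRITE_ACTIONS
        and e["item"] in PREOP_ITEMS
    ]


if __name__ == "__main__":
    trail = parse_audit_trail(SAMPLE_AUDIT_CSV)
    print("Missing before surgery:",
          missing_preop_evidence(trail, SURGERY_TIME, SURGEON))
    print("H&P within 30 days:", hp_within_window(trail, SURGERY_TIME))
    for e in late_preop_changes(trail, SURGERY_TIME):
        print("Late change:", e["timestamp"], e["user"], e["action"], e["item"])
```

In the constructed data the H&P note exists but predates the 30-day window, the surgeon first viewed the imaging a week after the operation, and two entries were written to preoperative documentation after the fact.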

Vehicle Heists Skyrocket – Villains Hack Fobs

As motor vehicle theft rates increase, criminals’ use of technology to open and start vehicles without breaking in may be accelerating the rate of theft.

Smash and grab is no longer required to open a motor vehicle and drive off.

Vehicle theft over the years has largely been on the decline. Technology has improved, and anti-theft systems have become more advanced. Beginning around 1983, keyless entry systems began appearing on American Motors vehicles. By the mid to late 2000s, fobs enabling remote ignition start became more commonplace on higher end vehicles. However, as this technology advances, criminals are finding new ways to break through.

Security researchers first reported security vulnerabilities in motor vehicle fobs around 2016. These vulnerabilities could allow an unauthorized person to unlock and even start a vehicle by intercepting radio frequency (“RF”) emissions from a driver’s fob. Once intercepted, the unauthorized party could use the intercepted signals to conduct a replay attack. As a result, a successful attack on these identified vulnerabilities can allow the unauthorized person to unlock and start a vehicle.

RF Relay Attack Reported in 2017

On November 28, 2017, Police in West Midlands, UK released video footage showing criminals stealing a car by relaying a signal from the fob key inside the home to the car in the driveway. This fob relay attack effectively allows thieves to unlock a vehicle, start the ignition, and drive off with the vehicle undamaged. Later on, the thieves swap out the VINs and reprogram new key fobs to work with the stolen vehicle.

Defcon Cyber Security and Hacker Conference Focus on Vehicle Exploitation in 2018

In 2018, Defcon, a popular cybersecurity event attended by black and white hat hackers, featured its first Car Hacking Village. During that convention, a good number of technology-related vulnerabilities in vehicles were shared. Both White and Black Hat hackers attend these events. The Black Hats are the bad guys that seek to use security vulnerabilities to exploit weaknesses and commit crimes.

Motor Vehicle Theft Jumps in 2020

Data obtained from: https://www.iii.org/fact-statistic/facts-statistics-auto-theft

Motor Vehicle Theft data sets have yet to be released for 2021 for the entire United States. Early indicators show these types of crimes are experiencing rapid growth across the US.

High end vehicles are more likely to have keyless entry and remote ignition starting capabilities. They can also fetch a higher dollar amount when resold outside the US. As a result, according to New Jersey state police officer Cory Rodriguez, “Car theft in 2021 is up over 21% year-to-date for total thefts and about 44% for high-end vehicles.” Reports have indicated that thieves are using technology to execute vehicle thefts more efficiently and without immediate detection.

Chicago Motor Vehicle Thefts Climb with Fewer Arrests Made in 2021

Chicago Police Officers have witnessed thieves using laptops and other cyber tools to accelerate their ability to quickly steal locked vehicles. Data compiled from the City of Chicago website shows that “Motor Vehicle Thefts” across the city are accelerating at an alarming rate. The problem isn’t specific to Chicago, and vehicle thefts appear to be increasing across the country as well.

Doorbell video: Car thieves use computing device to steal SUV in Metropolitan Chicagoland Elmhurst – Video by WGN News

In Chicago, February 2021 crime statistics reported a total of 627 Motor Vehicle Theft incident reports filed. Of those reports, only 26 (4.1%) resulted in an arrest. Comparatively, last month in January 2022, there were 1,073 Motor Vehicle Theft related police reports filed, with only 20 (1.8%) of those resulting in an arrest.

Cyber Motor Vehicle Theft using technology
https://data.cityofchicago.org/Public-Safety/Crimes-Map/dfnk-7re6

Our data analysis of Chicago Crime statistics for the 12-month period beginning February 2021 until January 2022 indicates that there were a total of 10,823 Motor Vehicle Theft incidents reported. This equates to 395 per 100,000 persons based on Chicago’s 2021 estimated population of 2,739,797.

Vehicle thefts on the rise throughout the USA

Vehicle theft isn’t just rising in Chicago. In fact, Chicago doesn’t even rank among the top 20 US cities in vehicle thefts. For example, California, Texas and Florida are continually among the top states in vehicle theft per capita. Bakersfield, California has been the top city in vehicle thefts since 2019 and in the top 10 even longer. The rate of vehicle theft went up almost 25% from 2019 in Bakersfield in 2020.

Other cities are following similar trends. For instance, San Francisco’s rates rose almost 27% while Seattle’s rose almost 26% from 2019 to 2020. Additionally, one of the largest 2019 to 2020 changes was in Denver, where the rate rose over 50%.

Conclusion

Above all, it’s important to remain cautious with your vehicle. Furthermore, there are steps you can take to help ensure your vehicle doesn’t get stolen and recovery steps for your vehicle’s safe return if it does. Despite the overwhelming decrease in motor vehicle thefts throughout the years, this recent upward reversal of the historical trend should be alarming to vehicle owners everywhere.

(Denver statistics filtered for reports coded as any of the following; “burg-auto-theft-busn-no-force”, “burg-auto-theft-busn-w-force”, “burg-auto-theft-resd-no-force”, “burg-auto-theft-resd-w-force”, “robbery-car-jacking “, “theft-items-from-vehicle”, and “theft-of-motor-vehicle”)
California, Texas and Florida lead the states with the greatest number of vehicle thefts and accounted for 37% of all Motor Vehicle Thefts in the nation, based on 2020 National Insurance Crime Bureau statistics.

The Pandemic Causing Increased Attacks on Corporate Security

Since the start of the pandemic, there has been much disruption in some industries. Many businesses have been challenged during the pandemic as a result of the difficulty of managing cyber and data security. Data breaches relating to remote workers and hacking of corporations continue to escalate at an alarming rate and require prompt response to mitigate the fallout.

There have been several significant shifts in the ways that businesses operate and their reliance on digital systems. Many businesses moved to a largely remote working model. Some have had to focus more on online activities in order to keep their brands active and visible. Businesses in a number of industries began to deliver products and services online for the first time. Meanwhile, those that already existed in online spaces saw an increase in business. All of these changes have meant that various security issues have arisen and become more prominent for businesses everywhere.

Increase in corporate data breaches

Cybercriminals have been taking advantage of the unprecedented circumstances caused by the pandemic, exploiting the vulnerabilities of businesses everywhere. Verizon carried out a recent study called ‘Analyzing the COVID-19 data breach landscape’, which looks at 36 confirmed data breaches that were directly related to the pandemic. In addition, there were 474 data breaches between March and June 2020. Using this data, they determined that many cybercriminals were using the same methods to obtain data as before the pandemic while exploiting the disruption experienced by many businesses.

Remote Teleworkers facing cyber attacks threatening corporate security

One way in which corporate data breaches have been impacted by the pandemic is through increased use of ransomware. Seven of the nine malware incidents from Verizon’s 36 COVID-19 data breach cases demonstrated a spike in ransomware usage. Another change is in the way that criminals use phishing emails to play on the emotions of users. In a time when stress is high and mental health problems have increased, many people are more susceptible to phishing emails. Phishing was already a popular and often successful form of cyber attack before the pandemic, and it is even more so now.

Cost of data breaches for companies hit a record high in 2021

The cost of a data breach also hit a record high during the pandemic, according to IBM Security. They revealed the results of a global study showing the average cost of data breaches for companies surveyed was $4.24 million per incident. This is a 10% increase from the previous year. When remote work was a factor in the breach, data breaches cost an average of $1 million more. Stolen user credentials were the most common cause of data breaches. However, the study also showed the use of methods such as AI, security analytics, and encryption helped to reduce costs.

The COVID-19 pandemic has affected corporate data breaches due to a number of shifts in the way businesses are working, user behavior, and more. It’s vital for companies to take the right steps to prevent breaches and protect themselves.


If your company recently fell victim to a cyber attack, such as ransomware, or suspected data exfiltration by an unknown hacker, call Enigma Forensics today. We offer emergency incident response services and can help preserve available data, identify the origins of the attacker, and assist with the restoration of company services. Our experts have experience testifying and helping to mitigate risk and maximize your potential of recovering damages and lost data. Call us today at 312-668-0333 for a complimentary consultation.

Pegasus Apple iPhone Spyware Leads to Litigation

Apple has filed a lawsuit against NSO Group relating to their installation of Pegasus spyware on Apple users’ devices. Apple wishes to hold NSO Group accountable for their surveillance of users.

Apple has taken the significant step to begin notifying individuals about the threat of state-sponsored attacks on their accounts and devices. Apple is suing NSO Group and its parent company to attempt to hold them accountable for surveillance of Apple users. Their lawsuit, filed November 23, 2021, seeks an injunction to ban NSO Group permanently from using any Apple software, services, or devices. It comes after NSO Group has been shown to have infected Apple users’ devices with Pegasus spyware.

Apple’s Actions to Notify Impacted Users

Apple threat notifications are intended to provide warnings to individuals who may have been targeted by state-sponsored attacks. They use two different methods to notify the user through their account. When logging into appleid.apple.com, there will be a Threat Notification displayed at the top of the page. Additionally, the user will receive an email and an iMessage notification to the email addresses and phone numbers associated with their Apple ID account. The notifications offer advice on the steps that they can take to improve their security and protect their devices and personal information.

In a press release, Apple’s senior vice president of Software Engineering, Craig Federighi, said, “State-sponsored actors like the NSO Group spend millions of dollars on sophisticated surveillance technologies without effective accountability. That needs to change.”

NSO Group Allegations

The legal complaint from Apple reveals new information about the activities of NSO Group. It highlights FORCEDENTRY, which exploited a former vulnerability to gain access to Apple devices and install the NSO Group’s spyware Pegasus. The lawsuit from Apple intends to both ban NSO Group from having access to Apple products and services and to seek action on the violation of federal and state law by the NSO Group.

WhatsApp Similar Litigation

In 2019, WhatsApp also brought a court case aiming to hold NSO Group accountable for distributing their spyware through the app. A group of other tech companies, including Google and Microsoft, lent their official support to WhatsApp to encourage the United States Court of Appeals for the Ninth Circuit to hold NSO Group accountable.

Apple responds by funding Cyber Threat Research

Apple has also announced a $10 million contribution in support of cyber-surveillance researchers and advocates. Any damages from the lawsuit have also been pledged to organizations in these areas. Apple is also supporting Citizen Lab, a research group at the University of Toronto that originally discovered the exploit that NSO Group used, by providing technical, threat intelligence, and engineering assistance at no charge. They will also provide assistance to other organizations doing work in the same field, where appropriate.

Ron Deibert, director of the Citizen Lab at the University of Toronto said, “Mercenary spyware firms like NSO Group have facilitated some of the world’s worst human rights abuses and acts of transnational repression, while enriching themselves and their investors. I applaud Apple for holding them accountable for their abuses, and hope in doing so Apple will help to bring justice to all who have been victimized by NSO Group’s reckless behavior.”

In response to the complaint, NSO Group replied, “Thousands of lives were saved around the world thanks to NSO Group’s technologies used by its customers”. They said, “Pedophiles and terrorists can freely operate in technological safe-havens, and we provide governments with the lawful tools to fight [them]. NSO group will continue to advocate for the truth.”


Decoding EMR Logs: Synapse PACS Database Table Names

Where do I start?

TABLE_NAME:

A

  • ACCESSOR
  • ACCESSOR_ACTIVE_DIRECTORY
  • ACCESS_ITEM
  • ACCESS_RESTRICTION
  • ACR
  • ADD_TO_QUEUE_JOB_STATUS
  • AFFINITY_DOMAIN
  • ALIAS_PATIENT
  • ANATOMIC_REGION
  • AUDIT_INSTALL
  • AUDIT_ROWCOUNT

B

  • BACKFILL_PROCESS_TYPE
  • BACKFILL_QUEUE_PRIORITY
  • BACKFILL_QUEUE_STATUS
  • BACKUP_CONFIG
  • BACKUP_LOG
  • BERMUDA_GSPS_CSPS_CNT_UPD_CTL
  • BERMUDA_STUDY_INS_EUID_UPD_CTL
  • BODY_PART
  • BROADCAST_MESSAGE
  • BUTTON

C

  • CALIBRATE_SEQUENCE
  • CANNED_NOTE
  • CASCADED_DICOM_SR
  • CASCADED_IMAGE
  • CASCADED_SERIES
  • CASCADED_STUDY
  • CASCADED_VISIT
  • CHANGE_NOTIFICATION
  • CODING_SCHEME
  • COMMAND
  • COMMAND_CLASS
  • COMMAND_COL
  • COMMAND_COL_OP
  • COMMAND_COMMAND_CLASS
  • COMMAND_COND
  • COMMAND_FILTER
  • COMMAND_INTERFACE
  • COMMAND_INTERFACE_CLIENT
  • COMPONENT_CLASS
  • COMPRESSION
  • CONFERENCE_WORKFLOW_STATUS
  • CONFIG_JSON

D

  • DASHBOARD_CACHE
  • DATA_AGGREGATION_NAME
  • DATA_GUARD_COMMANDS
  • DATA_MAINTENANCE_LOG
  • DB_CHARACTER
  • DB_MEMORY_SIZING_BREAKUP
  • DB_RECOVERY_CONFIG
  • DB_STATISTICS_CONFIG
  • DB_STATS_APRIL_WK#_1
  • DB_STATS_APRIL_WK#_2
  • DB_STATS_APRIL_WK#_3
  • DB_STATS_APRIL_WK#_4
  • DB_STATS_CBO
  • DB_STATS_CBO_CONFIG
  • DB_STATS_JUNE_WK#_1
  • DB_STATS_MARCH_WK#_2
  • DB_STATS_MARCH_WK#_3
  • DB_STATS_MARCH_WK#_4
  • DB_STATS_MAY_WK#_1
  • DB_STATS_MAY_WK#_2
  • DB_STATS_MAY_WK#_3
  • DB_STATS_MAY_WK#_4
  • DB_STATS_MAY_WK#_5
  • DELETED_DICOM_SR
  • DELETED_IMAGE
  • DELETED_PATIENT
  • DELETED_SERIES
  • DELETED_STUDY
  • DELETION_REJECT
  • DEPARTMENT
  • DIAGNOSTIC_CODE
  • DICOM_BACKFILL_QUEUE
  • DICOM_CONFIG
  • DICOM_DESTINATION
  • DICOM_GROUP
  • DICOM_QR_ATTRIBUTE_INFO
  • DICOM_QR_DATE_CLAUSE_INFO
  • DICOM_QR_MATCHING_INFO
  • DICOM_QR_SELECT_INFO
  • DICOM_RETRIEVAL
  • DICOM_SR
  • DICOM_STORAGE
  • DICOM_STORAGE_BACKUP
  • DICOM_TAG
  • DICOM_VALUE_REP
  • DICT_NOTIFY_BANNER
  • DISPLAY
  • DOCUMENT
  • DOCUMENT_TYPE_CONFIG

E

  • EBF_DASHBOARD_SUMMARY
  • EMAIL_CONFIG
  • EMAIL_TYPE
  • ERBF_SFQ_STAT_TRANS
  • ERF_PROFILE_ACTION_TYPE
  • ERF_PROFILE_VERIF_METHOD
  • ERROR_MESSAGE
  • ERROR_TRACE_LOG
  • EVENT_LOG
  • EVENT_TYPE_CONFIG
  • EXTERNAL_IMAGE
  • EXTERNAL_IMAGE_DELETED

F

  • FCR_CODE
  • FCR_TO_CR_QUEUE
  • FCR_TO_CR_QUEUE_CTL
  • FETCH_QUEUE
  • FOLDER
  • FOLDER_COLUMN_LIST
  • FOLDER_COLUMN_PROPERTY
  • FOLDER_ETAG
  • FOLDER_FILTER
  • FOLDER_GROUP_COLUMN
  • FOLDER_ITEM
  • FOLDER_JSON
  • FOLDER_LOCALE
  • FOLDER_MERGE
  • FOLDER_MIGRATION
  • FOLDER_OBJECT
  • FOLDER_TEMP_OAK_PATCH2
  • FOLDER_TEMP_OAK_PATCH3
  • FOLDER_TEMP_STARBOARD
  • FORWARDING_PROFILE
  • FORWARDING_QUEUE_RESPONSE
  • FORWARDING_QUEUE_STATUS
  • FRAME_BOOKMARK
  • FUJIRDS_LOG

I

  • IMAGE
  • IMAGE_CALCULATION
  • IMAGE_DISPLAY
  • IMAGE_OVERLAY
  • IMAGE_REALLOCATE_ACTIVITY
  • IMAGE_RETRIEVAL_OPTION
  • IMAGE_STORAGE
  • IMAGE_VERSION
  • IMAGE_VERSION_DELETED
  • IMAGE_VERSION_MIGRATE_CTL
  • IOCM_REASON
  • IOCM_REJECTNOTE
  • IOCM_STUDY_LAST_REJECT
  • IPP
  • IPPSET_REF
  • IPP_CURVE

K

  • KEYWORD

L

  • LINK_FOLDER
  • LINK_FOLDER_CONTENT
  • LOCALE
  • LOCALIZATION
  • LOCALIZATION_LOCALE
  • LOCALIZATION_TEMP
  • LOCAL_AE
  • LOCATION
  • LOCK_INFO
  • LOCK_TYPE
  • LOG_ACTIVITY
  • LOG_CATEGORY
  • LONG_TERM_EVENT_LOG
  • LOOKUP

M

  • MANUAL_FOLDER_MIGRATION_LOG
  • MANUFACTURER_MODEL
  • MATCH_WEIGHT
  • MENU_CODE
  • MODALITY
  • MONTHLY_EVENT_VOLUME
  • MPPS

O

  • OAK_FOLDER
  • OAK_FOLDER_COLUMN_PROPERTY
  • OAK_PATCH2_FOLDER
  • OAK_POST_UPGRADE
  • OBJECT_TYPE
  • OBSOLETED_IMAGE
  • OP5_POST_UPGRADE
  • OS_REGION

P

  • PATIENT
  • PATIENT_MERGE_ACTIVITY
  • PERMANENT_DELETED_STUDY
  • POST_PROCESS_QUEUE
  • POST_UPGRADE
  • POWERJACKET_SETTING
  • PREFETCH_CFG
  • PREFETCH_QUEUE
  • PRESET
  • PRIORITY
  • PRIVILEGE
  • PRIVILEGE_COM_COM_CLASS
  • PROCEDURE_INFO
  • PROCEDURE_INFO_FCR
  • PROC_INFO_BODY_PART
  • PROPERTY

Q

  • QBE_FOLDER

R

  • RADIATION_DOSE
  • READING_PROTOCOL_OLD
  • READING_SPECIALTY
  • READING_SPECIALTY_PROC_INFO
  • RECYCLE_BIN
  • RECYCLE_BIN_DELETED
  • REFERENCE_RECONCILE_QUEUE
  • REFERENCE_RECONCILE_STATUS
  • REJECT_DICOM_SR
  • REJECT_IMAGE
  • REJECT_TYPE
  • RELATED_PROCEDURE_SYSTEM
  • RELATED_PROCEDURE_USER
  • REMOTE_AE
  • REMOTE_AE_NET_CONFIG
  • REMOTE_AE_SOP_STORAGE
  • REPORT_STATUS
  • RIS_CONFIG

S

  • SBP0_POST_UPGRADE
  • SCHOONER_POST_UPGRADE
  • SCRIPT
  • SECURE_URL_KEY
  • SECURITY_HIERARCHY
  • SECURITY_KEY_3D
  • SERIES
  • SERIES_DESCRIPTION_DOWNLOAD
  • SERIES_DESCRIPTION_REPORT
  • SERIES_REALLOCATE_ACTIVITY
  • SERVICE_PATH
  • SERVICE_PATH_PARAM
  • SERVICE_TRACELOG
  • SESSION_AGGREGATION
  • SESSION_AGGREGATION_DETAIL
  • SESSION_INFO
  • SFI_TEMP_TABLE
  • SGA_CACHE_TABLES
  • SHORTCUT
  • SITE
  • SOP_CLASS
  • SOP_CLASS_STORAGE
  • SSO_CLIENT
  • SSO_CLIENT_PROPERTY
  • SSO_CLIENT_SECRET
  • SSO_EXTERNAL_PROVIDER
  • SSO_REFRESH
  • SSO_SCOPE
  • SSO_SCOPE_CLAIM
  • SSO_TRANSIENT_DATA
  • STANDARD_PROCEDURE
  • STARBOARD_FOLDER
  • STATUS_CHANGE_QUEUE
  • STORAGE
  • STORAGE_BACKUP
  • STUDY
  • STUDY_ANOMALY
  • STUDY_DISPLAY_HISTORY
  • STUDY_DISPLAY_STATE
  • STUDY_DOCUMENT
  • STUDY_FOLDER_INTERSECTION
  • STUDY_FORWARDING_QUEUE
  • STUDY_IMAGE_SENDER
  • STUDY_MEDICAL_EVENT
  • STUDY_MEDICAL_EVENT_ACTIVITY
  • STUDY_MERGE_ACTIVITY
  • STUDY_OPEN_SESSION
  • STUDY_PRODUCTIVITY
  • STUDY_REALLOCATE_ACTIVITY
  • STUDY_SERIES_DESC
  • STUDY_SESSION_MONITOR
  • STUDY_STATUS
  • STUDY_STATUS_LOCALE
  • STUDY_TAT_HISTORY
  • STUDY_WF_EVENT_ACTIVITY
  • STUDY_WF_EVENT_LOG
  • SUBSCRIPTION
  • SYMON_ALERT
  • SYMON_MA_DEFINITION
  • SYMON_MA_TRIGGER
  • SYMON_SAMPLE
  • SYSMODEL_SERVER
  • SYSTEM_CONFIG
  • SYSTEM_VERSION

T

  • TAG_LOOKUP
  • TAT_AGGREGATION_DETAIL
  • TAT_AGG_MODALITY
  • TAT_AGG_MODALITY_PROC
  • TAT_AGG_MODALITY_STAT
  • TAT_AGG_MODALITY_STAT_LOC
  • TAT_AGG_TIME_PERIOD
  • TAT_AGG_USER_RAD
  • TAT_AGG_USER_TECH
  • TAT_AGG_VISIT_CLASS_STAT
  • TAT_AGG_VISIT_LOC_STAT
  • TEMP_LOCALIZATION_NEW
  • TEMP_LOCALIZATION_OLD
  • TEMP_LOCALIZATION_OLD_NEW
  • THINK_LOG
  • THINK_LOG_KEYWORD
  • TIMEZONE
  • TIME_PERIOD
  • TRANSFER_SYNTAX

U

  • USER_DEBUG_LOG
  • USER_DEBUG_LOG_DETAIL
  • USER_INFO
  • USER_PREFERENCES
  • USER_SESSION
  • USER_SESSION_MONITOR

V

  • VISIT
  • VISIT_MERGE_ACTIVITY
  • VISUALIZATION_METRIC
  • VIZ_METRIC_AGGREGATION
  • VIZ_METRIC_AGGREGATION_DETAIL

W

  • WORKFLOW
  • WORKLIST_COL_LOCALE_MODIFIER
  • WORKLIST_FAVORITE
  • WORKSTATION_SPECIAL_PATH
  • WS_PLUGIN
  • WS_PLUGIN_PARAM
  • WS_PLUGIN_TYPE
  • WS_PLUGIN_TYPE_PARAM

X

  • XDS_AUTHOR
  • XDS_AUTHORITY
  • XDS_BODYPART_EVENTCODE
  • XDS_BPPC_EVENTCODE_OPT
  • XDS_BPPC_PRIVACY_OPTION
  • XDS_CODES
  • XDS_CODETYPE
  • XDS_COMMENTS_POLICY
  • XDS_FORMATCODES_FILETYPE
  • XDS_MODALITY_EVENTCODE
  • XDS_PERSONLINK
  • XDS_PERSON_ID
  • XDS_PERSON_NAME
  • XDS_PIX
  • XDS_PROFILE
  • XDS_PROFILE_CONFIDENTIALITY
  • XDS_PROFILE_RECIPIENT_ORG
  • XDS_PROFILE_RECIPIENT_PERSON
  • XDS_PROFILE_SHARINGOPTION
  • XDS_RECIPIENT_ORGANIZATION
  • XDS_RECIPIENT_PERSON
  • XDS_RECIP_PERSON_ORG_MAP
  • XDS_REPOSITORY
  • XDS_REPOSITORY_DOCUMENT
  • XDS_SHARINGOPTION
  • XDS_SUBMISSION
  • XDS_TYPECODES_PROCCODE
  • XDS_USERROLE_MAP

A Cautionary Tale of Audio Forensics and Trade Secrets

One private firm’s artificial-intelligence system is deemed insufficient evidence

ShotSpotter, a gunshot detection firm contracted by police departments nationwide, has recently received criticism for its audio forensics system that, it claims, incorporates “sensors, algorithms, and AI” to identify gunshots and locate their source. While several precincts have praised the company for increasing police response to incidents of gun violence, its accuracy as evidence in court remains questionable.

There are two primary reasons for skepticism: 1) studies have indicated that its algorithm has a propensity for generating false positives, and 2) employees are able to modify the database after alerts come in. Since its system is protected as a trade secret, it has been generally shielded from oversight.

As seen in this Associated Press investigation, a State’s Attorney’s Office used ShotSpotter’s data for evidence in a case against a Chicago man. This left him in prison for 11 months before the judge dismissed the case. The report eventually released by ShotSpotter showed that the alert in question was identified differently at first. It alerted to a “firecracker” several blocks away from the alleged scene of the crime — but an employee later revised the identification and location. As a result, prosecutors decided that the “evidence was insufficient to meet [their] burden of proof.”

How could it be improved?

This case emphasizes the importance of accountability with regard to digital evidence on either side of a case. The Health Insurance Portability and Accountability Act (HIPAA), for example, requires retention of Electronic Medical Records (EMR) stored in Health Information Systems (HIS). Healthcare firms must keep a permanent record of all additions, changes and deletions of EMR, including the time and person making those changes.

While ShotSpotter obviously isn’t in healthcare, its system would still benefit from similar transparency. It would help improve the reliability of such information. In this case, such logs would have revealed human intervention earlier on. This would have saved the defendant from the 11 months he spent in prison. In other cases, transparency could support prosecution. Regardless, it would bolster ShotSpotter’s credibility when used as evidence.

It’s possible that we could examine the information recorded (when the stored data was originally entered and what changes were made to that stored data) without violating the trade secret status of a software provider’s algorithms. HIS software providers have trade secret protection for their software. Still, they are required to disclose all recorded EMR, as well as the revision history of those records.

Where we can help.

Asking the right questions and gathering all available digital evidence is important to achieving an equitable outcome. Enigma Forensics has experience auditing and authenticating digitally stored electronic evidence. We can assist with validating such claims as genuine.

Preparing to Work with an EMR Expert

Learn what details to provide when hiring a data forensic expert during medical malpractice litigation to increase efficiency and cost effectiveness.

Prepare a summary of the following:

  • Develop a timeline of notable events
  • Organize case documents and provide to your experts
  • Copy of the Complaint
  • Requests to produce
  • Interrogatories filed
  • Replies to Interrogatories
  • EMR Produced
  • Audit Logs Produced

Ask Your EMR Data Expert to Prepare the EMR for efficient review by attorneys & medical experts

  1. OCR the produced EMR (Allows for keyword searching)
  2. Convert the EMR to a spreadsheet format where practical
  3. Identify key events and providers
  4. Consider filtering for key dates, workers, or concepts
  5. Produce subset pdf documents / spreadsheets that are more easily reviewable
  6. Consider having pivot tables created showing overviews
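Steps 2, 4 and 6 above, sketched as an added example (not code from the original page or from any HIS vendor): an audit log already converted to CSV is filtered to a key date range, summarized as a pivot-style count per user and action, and checked for records changed by someone other than their author. The column names, action labels and sample rows are constructed assumptions, not a real export format.

```python
import csv
import io
from collections import Counter
from datetime import datetime

# Constructed sample rows; column names are assumed, not any vendor's export format.
SAMPLE_AUDIT_CSV = """timestamp,user,action,record_id
2024-03-01 08:15,nurse_a,ADD,note-101
2024-03-01 09:40,dr_b,ADD,note-102
2024-03-01 10:05,dr_b,VIEW,note-101
2024-03-02 14:30,dr_b,MODIFY,note-101
2024-03-09 16:20,admin_c,MODIFY,note-102
2024-03-09 16:25,admin_c,DELETE,note-101
"""

def load_rows(text):
    """Parse audit-log CSV text into dicts with a real datetime in 'timestamp'."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["timestamp"] = datetime.strptime(row["timestamp"], "%Y-%m-%d %H:%M")
        rows.append(row)
    return sorted(rows, key=lambda r: r["timestamp"])

def filter_window(rows, start, end):
    """Keep only events inside the key date range (inclusive)."""
    return [r for r in rows if start <= r["timestamp"] <= end]

def pivot_user_action(rows):
    """Pivot-table style overview: event count per (user, action)."""
    return Counter((r["user"], r["action"]) for r in rows)

def changes_by_others(rows):
    """List MODIFY/DELETE events made by someone other than the record's author."""
    author, created, findings = {}, {}, []
    for r in rows:
        rid = r["record_id"]
        if r["action"] == "ADD":
            author[rid], created[rid] = r["user"], r["timestamp"]
        elif r["action"] in ("MODIFY", "DELETE") and rid in author:
            if r["user"] != author[rid]:
                delay = r["timestamp"] - created[rid]
                findings.append((rid, r["action"], r["user"], delay.days))
    return findings

if __name__ == "__main__":
    rows = load_rows(SAMPLE_AUDIT_CSV)
    for key, count in sorted(pivot_user_action(rows).items()):
        print(key, count)
    for finding in changes_by_others(rows):
        print("changed by non-author:", finding)
```

A MODIFY or DELETE whose ADD event is absent from the produced log is skipped by this check; in a real review that absence is worth noting separately, since it can indicate a filtered production.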

In-Person Direct access provides additional information

  • Routing History
  • What the notes looked like at various points in time
  • Access to deleted records
  • Communications between healthcare workers

Enigma Forensics EMR Data Forensics Experts provide detailed analysis and interpretation of an EMR Audit Trail to assist Medical Malpractice Attorneys during litigation. We help win cases! Hire an Expert (HAE)! Call 312-668-0333

EPIC Software

Epic software, which is used by many hospitals, is HIPAA compliant. It tracks all additions and modifications and ensures the complete patient history is recorded. Check out this blog to learn more about EPIC software!

EPIC software is used by many hospitals to track patient care and manage the overall patient experience.  When something goes wrong during a patient stay that leads to long-term injuries or death of the patient, it is highly common that medical malpractice litigation ensues. 

Health Information Personal Privacy Act, HIPAA

The Health Information Personal Privacy Act, commonly referred to as HIPAA, places several important requirements on health care providers. HIPAA requires that systems providing access to a patient’s electronic medical record, commonly referred to as EMR, track all additions and modifications, and allow access while ensuring that the complete revision history of the EMR is maintained.

EMR Audit Log

Audit logs or audit trails are required to ensure that the complete revision history can be reconstructed. EPIC printed reports of a patient’s EMR can be produced using various filters that result in a less than complete production of the patient’s full electronic medical records. Some of the filters that are routinely used include:

  • Date filter to show only the time the patient was receiving care at the healthcare provider
  • Production of only non-confidential notations
  • Production of only the final version of the EMR without the detailed revision history
  • Filter notes exclusive to the named defendant health care providers
  • Filter by department

When used in producing a patient’s EMR, the filters described above result in an incomplete production of the EMR.

Sticky Notes

EPIC has a communication platform known as Sticky Notes. This serves as an instant messaging mode of communication between healthcare workers discussing a specific patient. EPIC lacks a report that can allow easy printing or export of these notes. This creates a common misperception among health providers that these notes are not part of the legal discoverable record. In fact, there are other ways to access these sticky notes, which are an important part of documenting the patient care provided. An in-person inspection of the EMR using a camera to record the user’s screen can allow for obtaining these important communications. These sticky notes are part of the EMR and are subject to preservation under HIPAA.

On-Site Inspection

During an onsite inspection to obtain the complete EMR, it is important to ensure that the user accessing EPIC has full administrative rights to the system.  In some health care organizations, sticky notes may be accessible only to physicians.  Regardless, obtaining these important communications can be a vital source of information to reveal important events leading up to a lifelong injury or death.

Enigma Forensics has assisted in numerous medical malpractice cases working with either the plaintiff or defendant’s side of litigation. Our experts dig through and analyze each record to ultimately find the “smoking gun!” We call ourselves the data detectives! If you are working on a medical malpractice case and would like to win, call Enigma Forensics at 312-668-0333.
