Lee Neubecker: Expert in Cyber Forensics & Investigations

Curriculum Vitae Lee Neubecker

PDF Updated as of 3/21/2025

BIOGRAPHY

Lee Neubecker is the President and CEO of Enigma Forensics, Inc., a Chicago- and Fort Lauderdale-based computer forensics and cyber investigation consultancy. Neubecker assists Fortune 500 clients, government agencies, and private organizations with cyber-related investigations involving theft of electronic data, authentication of digital evidence, electronic medical records, fraud, counterfeiting, and online identity unmasking.

Neubecker is also the founder of the IT security blog leeneubecker.com. Before starting Great Lakes Forensics, Neubecker served as CISO for HaystackID and, following HaystackID’s acquisition of Envision Discovery and Inspired Review, was promoted to serve as CIO over the combined entities. Neubecker was named one of the top global computer forensics and cyber security experts by Who’s Who Legal in 2018, 2019, 2020, 2021, 2022, 2023 and 2024, and in many years prior to that.

During 2016 and 2017, Neubecker assisted the U.S. Federal Government in discovering important security compromises, including the compromise of a NIST.gov wildcard certificate (boudicca.nist.gov) using deprecated encryption (December 2016), the compromise of time.gov NIST time servers (December 2016), the compromise of the NIST NSRL Hash Set download page (December 2016), and U.S. Intelligence Agency email account credentials (usernames and passwords) leaked onto public sandbox websites such as pastebin.com (December 2016 and January 2017). Neubecker has a track record of uncovering cyber data breaches and has performed investigations at the State and Federal Government Agency levels.

Neubecker has performed extensive research pertaining to hardware-based vulnerabilities and exploits, including Serial Peripheral Interface (SPI) chip-stored malware that has been impacting individuals, companies and government agencies in the wild following the leak of the U.S. Cyber weapons cache. Neubecker identified and reported the hack of the chicagoelections.com website, which resulted in millions of Chicago residents’ (and former residents’) voting records being disseminated online. Neubecker also provided important intelligence collection and analysis services that helped bring the perpetrators of the Boston Marathon Bombing to justice. Prior to founding Enigma Forensics, Neubecker founded Forensicon, Inc. and sold the company to QDiscovery, a national eDiscovery services provider. While managing Forensicon, Mr. Neubecker provided consulting services in the areas of computer forensics, electronic discovery, data recovery and litigation support to a diverse range of clients. Mr. Neubecker has worked on both Plaintiff and Defense sides, and has served as a regular speaker on topics in the computer forensics and electronic discovery fields for Midwestern legal bar associations, professional associations and national legal conferences. Mr. Neubecker has been appointed a special master in civil litigation matters by the courts. Mr. Neubecker has been cited in the appellate court as an expert witness in the case Liebert Corp. v. Mazur. The published opinion of Justice Wolfson, Circuit Court of Cook County, regarding Mr. Neubecker’s testimony can be found at the following link: https://caselaw.findlaw.com/il-court-of-appeals/1063543.html

Prior to founding Forensicon, Inc., Mr. Neubecker founded BuzzBolt Media, a web development and Search Engine Optimization consultancy which later became Forensicon, Inc. Before moving to Chicago in 2000, Mr. Neubecker led the online communities’ product development and programming initiatives for the Lycos Network, a pioneering Web media model that included three Top 10 Web sites and was one of the most visited hubs on the Internet during Neubecker’s tenure. Neubecker was responsible for creating, launching and managing chat, instant messaging, message boards, and online games across the Lycos network. In this role, Mr. Neubecker led the company’s response to legal inquiries from law enforcement personnel and personally oversaw complicated international investigations involving transcontinental cyber attacks against company servers and users.

Before joining Lycos and graduating with an MBA focused on technology, Mr. Neubecker launched and successfully managed Innovative Consulting, Inc., an information technology consulting company. Mr. Neubecker’s company deployed network management, contact management, sales automation and ERP solutions to small and mid-tier organizations. Prior to Innovative Consulting, Neubecker held operations and finance analyst positions with Ford Motor Company and Comerica Bank. Mr. Neubecker has experience in securities valuation and accounting from his position at Comerica Bank, where he served as a Trust Fund finance analyst. While serving at Ford Motor Company as an intern, Neubecker was integral in automating important processes and bringing financial forecasting methodologies online, resulting in more timely and accurate quarterly financial forecasts.

Mr. Neubecker graduated magna cum laude from Babson College with a Master of Business Administration, focusing on Technology. Mr. Neubecker also holds an undergraduate degree in Finance, magna cum laude, from Eastern Michigan University.

NOTABLE CASES OF RECORD AS A COMPUTER FORENSICS EXPERT WITNESS

LESEAN DOBY v. ZIDAN MANAGEMENT GROUP, INC.

IN THE UNITED STATES DISTRICT COURT FOR THE NORTHERN DISTRICT OF ILLINOIS EASTERN DIVISION

Case No. 1:23-cv-16602

Provided affidavit regarding the analysis of a biometric fingerprint lock in support of the defendant as it relates to the Illinois Biometric Information Protection Act.

JAQUAN SHORTER v. ADVOCATE HEALTH AND HOSPITALS CORPORATION, ET. AL.

IN THE CIRCUIT COURT OF COOK COUNTY, ILLINOIS

COUNTY DEPARTMENT, LAW DIVISION

Case No. 2023L012024

Filed affidavit regarding user authentication to the defendant’s Electronic Medical Record system and the origins of the logon activities when accessing the patient’s health provider’s EMR system.

EUGENE EVANS v. CORRECTHEALTH CLAYTON, LLC and PAMELA BLAHA, LPN

IN THE SUPERIOR COURT OF FULTON COUNTY STATE OF GEORGIA, Case No. 2023CV379078

Filed affidavit regarding electronic medical records.

MARVA BURNETTE v. RUSSELL P. NOCKELS, M.D., IGNACIO JUSUE-TORRES, M.D., and LOYOLA UNIVERSITY MEDICAL CENTER

IN THE CIRCUIT COURT OF COOK COUNTY, ILLINOIS COUNTY DEPARTMENT, LAW DIVISION, Case No. 2023-L-000973

Filed affidavit regarding electronic medical records and audit trails.

CHRISTINE MCLAUGHLIN, CRYSTAL VANDERVEEN, JUSTIN LEMBKE, SCOTT HARDT, ET. AL. v. SELECT REHABILITATION LLC

UNITED STATES DISTRICT COURT FOR THE MIDDLE DISTRICT OF FLORIDA

JACKSONVILLE DIVISION

CLASS and COLLECTIVE ACTION Case No: 3:22-cv-00059-HES-MCR

Filed Declaration regarding the availability of EMR audit log records to show when staff were performing work.

CDL 1000, INC. v. SCOTT ROBERTSON

CIRCUIT COURT OF COOK COUNTY, ILLINOIS, Case No. 2022-CV-00415

Provided affidavit detailing the lack of compliance with the courts’ order requiring handover of Robertson’s personal smartphone and computer for forensic preservation and analysis relating to a departed employee investigation and alleged electronic trade secret misappropriation.

DEVIN ESTIME v. SOUTHERN CALIFORNIA PERMANENTE MEDICAL GROUP

SUPERIOR COURT OF THE STATE OF CALIFORNIA COUNTY OF LOS ANGELES, Case No.: 22STCV06517

Filed affidavit regarding electronic medical records and audit trail productions.

ROBERT BRONSTEIN v. LATIN SCHOOL OF CHICAGO

IN THE CIRCUIT COURT OF COOK COUNTY, ILLINOIS COUNTY DEPARTMENT, LAW DIVISION,

Case No. 2022-L-003763

Completed forensic analysis of the iPhone, MacBook, and iPad of the defendant in the case.

CONNIE & GARY ANDERSON v. PATIENT FIRST MARYLAND MEDICAL GROUP

IN THE CIRCUIT COURT FOR BALTIMORE COUNTY Case No. C-03-CV-21-001814

Provided affidavit related to EMR and audit trail logs.

PHOTOFAX, INC. v. JOSEPH BRADY CIRCUIT COURT OF KANE COUNTY, IL Case No. 21-CH-000167

Provided affidavit detailing the forensic examination of the PhotoFax issued laptop by the departed employee. Reported on the destruction of evidence and provided support for a motion to compel examination of the devices still used by Joseph Brady to look for sensitive company data and trade secrets.

JAMES ABRAHAM, successor Trustee of the JOHN A. ABRAHAM TRUST v. ELIZABETH CHAPMAN

IN THE CIRCUIT COURT OF COOK COUNTY, ILLINOIS COUNTY DEPARTMENT, MUNICIPAL DIVISION

Case No. 2020 M170426

Provided affidavit regarding the authenticity of alleged lease produced by the defendant relative to a forensic analysis of computing devices.

JOSEPH NICOLOSI ET. AL. v. STANDARD PARKING ET. AL.

CIRCUIT COURT OF COOK COUNTY, IL Case No. 20-L-007912.

Provided affidavit detailing EXIF photo metadata extracted from the Plaintiff’s production of alleged photos taken of damaged artwork and other effects. Identified photos that were edited after they were taken using Photoshop.

PATRICK T. MCKINNEY, BY AND THROUGH HIS LEGAL GUARDIAN, RONI S. MCKINNEY, AND RONI S. AND TIMOTHY C. MCKINNEY, INDIVIDUALLY AND AS THE PARENTS AND NATURAL GUARDIANS OF PATRICK T. MCKINNEY v. THE CLEVELAND CLINIC FOUNDATION AND THE CLEVELAND CLINIC HEALTH SYSTEM

COURT OF COMMON PLEAS OF CUYAHOGA COUNTY, OHIO Case No. CV-20-931-660.

Provided affidavit in support of a motion to compel for supervised on-site obtainment of the plaintiff’s full medical records. Involved Epic EMR software.

NIMISH SHAH, AS THE NATURAL SON OF PUSHPABEN C. SHAH, v. ST. LUKE’S EPISCOPAL PRESBYTERIAN HOSPITALS, D/B/A ST LUKE’S HOSPITAL, ET. AL. CIRCUIT COURT OF ST. LOUIS COUNTY, MISSOURI. Case No. 20SL-CC04023. Div. 8.

Signed an affidavit exhibiting deficiencies in Defense’s production and supporting a motion to compel for an on-site collection of the plaintiff’s medical records. Involved Cerner software.

MARC STRAUSS v. KATHLEEN VAN VALKENBURG, M.D. and SIGHT MEDICAL DOCTORS, P.L.L.C.

SUPREME COURT OF THE STATE OF NEW YORK, COUNTY OF NASSAU, Index No. 608054/2020.

Submitted an affidavit in support of a motion to compel for full medical records involving MyCare iMedicWare EMR software.

DEBORAH CARR v. HOSPITAL SISTERS HEALTH SYSTEM

IN THE CIRCUIT COURT OF THE SEVENTH JUDICIAL CIRCUIT SANGAMON COUNTY, ILLINOIS, Case No. 2020-L-105

Provided affidavit related to EMR and audit trail logs.

RONI S. AND TIMOTHY C. MCKINNEY, v. THE CLEVELAND CLINIC FOUNDATION

IN THE COURT OF COMMON PLEAS CUYAHOGA COUNTY, OHIO

Case No.: CV-20-931660

Filed affidavit regarding electronic medical records.

AUSTIN ROBERTS v. IOWA HEALTH SYSTEM d/b/a UNITYPOINT HEALTH, TRINITY MEDICAL CENTER

IN THE CIRCUIT COURT OF THE FOURTEENTH JUDICIAL CIRCUIT ROCK ISLAND COUNTY, ILLINOIS, Case No. 2020 L 76

Filed affidavit regarding electronic medical records and audit trails.

SMART MORTGAGE CENTERS, INC. V BRIAN NOE, EILEEN PRUITT, AND NEXA MORTGAGE, LLC

IN THE CIRCUIT COURT OF WILL COUNTY, ILLINOIS TWELFTH JUDICIAL CIRCUIT Case No. 20 CH 292

Filed an affidavit regarding allegations of trade secret misappropriation.

PHILIPS NORTH AMERICA, LLC v. FITBIT, INC.

IN THE US DISTRICT COURT FOR THE DISTRICT OF MASSACHUSETTS

Case No.: 1:2019cv11586

Filed affidavit relating to forensic inspection of electronic data relative to allegations of trade secret misappropriation.

ROBERT WATSON and MARK SAULKA, v. RYAN TODD WEIHOFEN and POOL TECHNOLOGIES, LTD.,

IN THE CIRCUIT COURT OF COOK COUNTY ILLINOIS COUNTY DEPARTMENT, CHANCERY DIVISION, Case No. 2019 CH 12252

Filed affidavit regarding the expected cost to comply with a subpoena for production of electronic medical records.

LOUIS ARGIRIS v. PAUL V. FAHRENBACH, M.D., GI SOLUTIONS OF ILLINOIS LLC, ATHANASIOS D. DINIOTIS, M.D., TIESENGA SURGICAL ASSOCIATES, S.C. d/b/a SUBURBAN SURGERY CENTER INCORPORATED, JOSEPH Z. PUDLO, M.D., and JOSEPH Z. PUDLO, M.D., S.C.

COOK COUNTY CIRCUIT COURT, ILLINOIS, Case No. 2019 L 012187.

Provided affidavit in support of a motion to compel for the revision history of the plaintiff’s medical records. Consulted with counsel in serving subpoena to EMR system provider. Involved Greenway Health’s EHR platform.

CHRISTOPHER JOHANSEN v. NOW MARKETING SERVICES INC. AND INTERCOVE, INC.

CIRCUIT COURT OF WILL COUNTY, IL, Case No. 19-L-989.

Provided affidavit relating to departed employee apparent deletion activities including access of emails post employee departure in support of a motion to compel forensic preservation and analysis of the departed employee’s personal electronic devices.

ROBERT WATSON AND MARK SAULKA v. RYAN TODD WEIHOFEN AND POOL TECHNOLOGIES, LTD.

CIRCUIT COURT OF COOK COUNTY, IL, Case No. 19-CH-12252.

Provided affidavit discussing the expected costs of a third party producing electronically stored information.

BYRON FOXIE, as legal guardian and parent of TIGE W. FOXIE, v. ANN & ROBERT H. LURIE CHILDREN’S HOSPITAL OF CHICAGO, and ALMOST HOME KIDS, and OTHER UNKNOWN PARTIES, JOHN DOES 1-10 and ROE CORPORATIONS 1-10 CIRCUIT COURT OF COOK COUNTY, ILLINOIS, Case No. 19 L 7430

Provided testimony in the form of three affidavits supporting a motion to compel during discovery due to deficiencies in EMR production. Involved Epic EMR software.

PHOTOFAX, INC. v. MICHAEL CALDARAZZO

CIRCUIT COURT OF KANE COUNTY, ILLINOIS, Case No. 19-CH-000217.

Performed forensic imaging of departed employee devices. Assisted with the construction of an ESI protocol. Analyzed, signed an affidavit, and testified regarding alleged misappropriation of trade secrets.

BLACK ROCK TRUCK GROUP, INC. FKA NEW ENGLAND TRUCK SALES AND SERVICE, INC. v. HARRY TARASIEWICZ and JOSEPH TARASIEWICZ

UNITED STATES DISTRICT COURT SOUTHERN DISTRICT OF NEW YORK, Case No. 7:19-cv-2367

Performed preservation of evidence, search and production of ESI. Analysis regarding allegations of trade secret misappropriation. Provided testimony regarding fabrication of emails and destruction of evidence.

TERRI BROWN v. MOUNT SINAI MEDICAL CENTER OF FLORIDA, INC. ET. AL.

IN THE CIRCUIT COURT OF THE ELEVENTH JUDICIAL CIRCUIT IN AND FOR MIAMI-DADE COUNTY, FLORIDA

Case No. 2018-016560-CA-09

Filed affidavit regarding the inadequate production of Plaintiff’s electronic medical records.

JERAME ANDREWS, and THERESA ANDREWS v ANKLE AND FOOT CENTERS OF GEORGIA. ET. AL

IN THE STATE COURT OF GEORGIA FULTON COUNTY Case No. 18EV003536

Filed affidavit regarding the inadequate production of Plaintiff’s Electronic Medical Records.

UNITED STATES DEPARTMENT OF JUSTICE V. BUYANTOGTOKH DASHDELEG, PETITION FOR REMOVAL.

Executive Office for Immigration Review Chicago, Illinois, File No. A218-056-722

Filed affidavit regarding the authenticity of email transmitted.

PEOPLE OF THE STATE OF ILLINOIS v. CHRISTIAN DAIGRE

CIRCUIT COURT OF COOK COUNTY, ILLINOIS, Case No. 2018-cr-1626801

Provided affidavit regarding the lack of the original sources of data being preserved that would allow for authentication of SMS and MMS messages allegedly sent and received.

RILEY ANN BERGTHOLDT v. ADVOCATE HEALTH AND HOSPITAL CORP, ET. AL.

CIRCUIT COURT OF COOK COUNTY, ILLINOIS, Case No. 2018-L-8647

Provided affidavit detailing deficiencies with defendant’s production of Electronic Medical Records (hereafter “EMR”) produced from Allscripts and from EPIC.

ANDREA BROCK, MICHAEL BROCK, S.B. v. THE UNIVERSITY OF CHICAGO MEDICAL CENTER D/B/A COMER CHILDREN’S HOSPITAL

CIRCUIT COURT OF COOK COUNTY, IL, Case No. 18-L-1175.

Provided affidavit in support of a motion to compel production of the Patient’s complete EMR, including Defendant’s secure file storage system, “Sticky Notes”, “In Basket” messages, audit trail records and complete revision history of the EMR as stored in the EPIC Hospital Information System.

TERRI BROWN, an individual, and ALAN ROCK, her husband, v. MOUNT SINAI MEDICAL CENTER OF FLORIDA, INC. d/b/a MOUNT SINAI MEDICAL CENTER, a Florida Corporation; and WILLIAM F. BURKE III, M.D., an individual; and BRETT C. FUKUMA, M.D., an individual

CIRCUIT COURT OF MIAMI-DADE COUNTY, FLORIDA, Case No. 2018-016560-CA-09.

Filed two affidavits in support of a motion to compel for an on-site collection of plaintiff’s electronic medical records. Involved Epic EMR software and Synapse PACS.

THE FOREST PRESERVE DISTRICT OF COOK COUNTY V. ROYALTY PROPERTIES, LLC; CANNON SQUIRES PROPERTIES, LLC; MERIX PHARMACEUTICAL CORPORATION, RICHARD KIRK CANNON, MERYL SQUIRES-CANNON, MCGINLEY PARTNERS, LLC, AND ROYALTY FARMS, LLC CIRCUIT COURT OF COOK COUNTY, ILLINOIS, Case No. 18 L 315.

Provided in-court testimony on the significance of electronic file metadata as it relates to when documents were received and modified.

BROWARD ENERGY PARTNERS v. RAPPAPORT

CIRCUIT COURT OF COOK COUNTY LAW DIVISION, Case No. 18 L 1096.

Provided in-court testimony and testimony via affidavit to assist with the eDiscovery protocol process and address allegations of spoliation, withholding of information and authenticity of email.

JORIE LP, KOPLIN AND CONTENT CURATION & DATA ASSET MANAGEMENT v. ROBERTS MCGIVNEY ZAGOTTA ET AL.

CIRCUIT COURT OF DUPAGE COUNTY, ILLINOIS, Case No. 17 L 728.

Provided in-court testimony and testimony via affidavit involving issues of email authenticity, cell phone fabrication of evidence, and eDiscovery.

MCMAHON v. DIGITAL FUEL SOLUTIONS

CIRCUIT COURT OF WILL COUNTY, ILLINOIS, Case No. 15 L 681.

Provided written affidavits regarding alleged software code misappropriation. Assisted counsel with seeking preservation of electronic data from third parties.

BORCHERS V. FRANCISCAN TERTIARY PROVINCE OF THE SACRED HEART, INC., ET. AL.

Case No. 2011 IL App (2d) 101257.

Testified in support of violation of the Electronic Communications Privacy Act by Plaintiff’s former employer.

http://www.illinoiscourts.gov/opinions/AppellateCourt/2011/2ndDistrict/December/2101257.pdf

SABAN v. PHARMACARE MANAGEMENT, LLC ET. AL.

NORTHERN DISTRICT OF ILLINOIS (Chicago), Case No. 1:10-cv-02428.

Rebuttal witness regarding trade secret misappropriation.

TRANCO INDUSTRIAL SERVICES, INC. v. CAMPBELL

NORTHERN DISTRICT COURT OF INDIANA, HAMMOND DIVISION, Case No. 07-CV-206.

Won TRO – Violation of Computer Fraud & Abuse Act – Trade Secret Misappropriation. Supervised and prepared our testifying expert for this case.

VALUEPART v. ITR NORTH AMERICA ET. AL.

NORTHERN DISTRICT COURT OF ILLINOIS, EASTERN DIVISION, Case No. 06-CV-02709.

http://www.forensicon.com/resources/case-summary/valuepart-v-itr

CHARLES A. KRUMWIEDE v. BRIGHTON ASSOCIATES, LLC AND ISMAEL C. REYES

NORTHERN DISTRICT COURT OF ILLINOIS, EASTERN DIVISION, Case No. 05-C-3003.

Supervised and prepared our testifying expert for this case. http://www.forensicon.com/resources/case-summary/krumwiede-v-brighton-associates/

S.C. JOHNSON & SON, INC. v. MILTON E. MORRIS ET. AL.

CIRCUIT COURT OF RACINE COUNTY, WISCONSIN, Case No. 04-CV-1873.

Led the investigation and preservation effort that uncovered personal webmail, revealing a fraudulent kickback scheme, which resulted in a law enforcement sting and later a successful conviction of the accused. This ultimately resulted in an award of $203.8 million to compensate SC Johnson & Son, Inc. for its losses. https://www.forensicon.com/resources/case-summary/wisconsin-appeal-sc-johnson-vs-morris-schelle/

LIEBERT CORPORATION ET. AL. v. JOHN MAZUR ET. AL.

CIRCUIT COURT OF COOK COUNTY, CHANCERY DIVISION, Case No. 04 CH 02139.

Appellate Court, Second Division, Case No. 1-04-2794.

Provided testimony via affidavit and in court, identifying patterns of trade secret misappropriation.

KALISH v. LEAPFROG ONLINE ET. AL.

CIRCUIT COURT OF COOK COUNTY, ILLINOIS, Case No. 03-L-011695.

Performed analysis of the computer used by the recently departed employee and reported on the employee’s actions to the court.

http://www.forensicon.com/resources/case-summary/kalish-v-leapfrog-online/

LORILLARD TOBACCO COMPANY v. CANSTAR (U.S.A.), INC. ET. AL.

NORTHERN DISTRICT COURT OF ILLINOIS, EASTERN DIVISION, Case No. 03-C-4769.

Performed forensic preservation and forensic analysis that resulted in identifying a counterfeiting syndicate. Located personal email accounts and offshore wiring accounts used to perpetrate the counterfeiting scheme. More than $5 million was awarded as a result of Neubecker’s discovery of the counterfeit scheme.

TECHNICAL SKILLS

Managed engineering development and data analysis activities across many disparate technologies, from legacy through more recent technologies and platforms, including:

Database Technology:

FileMaker, MySQL, Oracle, SQL, SQL Server, Law eDiscovery, & Medical ERP Patient Record Systems

Forensic Software:

Aircrack, Airmon, AccessData, Mobile Edit Pro, Cellebrite, EnCase, Paladin, Recon Lab, Forensic Toolkit, Paraben, & Wifite

Online Reconnaissance:

Dark Web, IRC, GFI LanGuard, Maltego, & Usenet

Security Monitoring:

Nmap, Splunk, Snort, Wireshark, Sophos UTM, & Shodan

Operating Systems / Command Line Shells:

Mac OS X, Windows (DOS/3.1/NT/2000/XP/Vista/2008/2012/7/8/10), Windows Server NT, 2000, 2008, 2012 (Active Directory, Group Policy Management, Certificate Management), Bash, BusyBox, Amiga, Commodore, CP/M, TI 99/4a, GRUB, Kali Linux, Linux, Raspbian OS, Solaris, VMware, Raspberry Pi OS, & Unix

Programming:

C++, CVS, DOM, Pascal, Xcode, XML, Kintone, Python, Fabric & Visual Basic

Software Applications:

MS Office, SDR, Webx, WebTrends, Camtasia, Adobe Photoshop, MS Project, MS Access, MS Excel, MS PowerPoint, MS Word, MS Visio, Peachtree, QuickBooks & Quicken

Web:

Expert in Search Engine Optimization, ASP, ColdFusion, HTML, Java, JavaScript, Python, PHP, Scripting Languages, Artificial Intelligence, & WordPress

EDUCATION & PROFESSIONAL DEVELOPMENT

  • M.B.A., Magna Cum Laude – Babson F.W. Olin Graduate School of Business – Wellesley, MA
  • B.B.A. Finance, Magna Cum Laude – Eastern Michigan University Ypsilanti, MI
  • Guidance Software – EnCase® Introduction to Computer Forensics 32 credits – Sterling, VA
  • Guidance Software – EnCase® Intermediate Analysis and Reporting 32 credits – Sterling, VA
  • Guidance Software – Information Risk and Policy Compliance 3 credits – Chicago, IL
  • Continuing Education – Computer Programming – Harry S. Truman College – Chicago, IL
  • Novell Computer Network Training – Walsh College – Troy, MI

PROFESSIONAL EXPERIENCE

EnigmaForensics.com — President & CEO
Chicago, IL (8/2018 – Present)

  • Provided direct consulting to clients involving complex issues relating to eDiscovery
  • Retained by Government Agency to assist with deposing technical deponent in litigation relating to patient health care records
  • Assisted with developing a court approved protocol for production of ESI
  • Conducted complex investigations involving the authenticity of emails

HaystackID — Chief Information Officer
Boston, MA (4/2018 – 7/2018)

  • Managed all IT resources for eDiscovery production environment and internal systems
  • Oversaw data center migration
  • Created documentation and work ticketing system for tracking problems and improving service response

HaystackID — Chief Information Security Officer
Boston, MA (1/2018 – 3/2018)

  • Performed initial security assessment of organization
  • Prepared for GDPR compliance initiatives of organization
  • Outreach to potential clients

FORENSICON, a QDiscovery Company — Founder and consultant, Chicago, IL (2016 – 2017)

  • Identified opportunities to provide existing client base with services available from combined companies
  • Presented on the Telephone Consumer Protection Act regarding strategies towards mitigating lawsuits

FORENSICON, INC. — President & CEO
Chicago, IL (2000 – 2016)

  • Conducted fraud examinations involving misappropriation of funds, trade secrets, tax evasion, money laundering, and other white collar related investigations
  • Supervised a team of forensics experts in providing complex litigation plaintiff and defense consulting
  • Appointed by the U.S. District Court of the Northern District of Illinois to assist defense counsel in the trial of accused terrorist Tahawwur Rana – on the single count where my firm presented testimony, the defendant was found not guilty
  • Performed online investigative work to identify and assist law enforcement with the apprehension of the Boston Bombing perpetrators, Dzhokhar and Tamerlan Tsarnaev
  • Uncovered and reported the third known data breach of the Chicago Board of Elections voter database and election worker personal information
  • Supervised testifying experts on many cases of record to prepare technical experts for cross examination and rebuttal of their findings
  • Preserved electronic evidence for a range of clients using legally sanctioned protocols
  • Selected as preferred vendor by the Illinois Attorney Registration Disciplinary Commission – assisted with investigating various claims filed against licensed Illinois Attorneys
  • Developed Custom ERP System for evidence management, project management, time tracking and billing
  • Provided expert testimony to resolve disputes for various commercial, nonprofit, and governmental agency clients
  • Appeared several times as a computer forensics expert on WCIU TV Chicago Channel 26, First Business, NPR Business News, NBC Chicago and more
  • Led data breach first responder efforts for: State Government Social Services Department, Non-Profit HealthCare Organization, Financial Services Company, Accounting Firm, Private Membership Club Organization and various Corporations
  • Oversaw the development and presentations made to attorneys and legal support staff at the Chicago Bar Association, Illinois Attorney & Discipline Regulatory Commission, DuPage County Bar Association, various associations and more
  • Provided expert witness testimony regarding willful deletion of evidence by a departing employee where the testimony was upheld on appeal proving spoliation of evidence
  • Compiled emails from numerous platforms into popular litigation support platforms
  • Speaker at various events on the topic of computer forensics (see list below)
  • Performed computer forensics examinations in FBI forensics labs
  • Led the successful forensic analysis defense efforts against a law firm client of our firm that was accused of willful spoliation of evidence – discovered and reported our findings to Judge Mikva that no spoliation had occurred as alleged, the drive was merely encrypted and contained all information
  • Led numerous anonymous online defamation investigations resulting in the identification of many anonymous persons responsible for the defaming activities
  • Expert in Search Engine Optimization

LYCOS, INC. — Senior Product Development Manager, Community Products Group,
Waltham, MA (1998 – 1999)

  • Managed and/or launched a large group of products including chat, message boards, and games
  • Responded to SEC/FBI Inquiries pertaining to illicit behavior in Lycos network online properties
  • Tracked hacker attacks on the Lycos network of sites to help identify and prosecute offenders
  • Implemented safeguards against denial-of-service attacks across product group
  • Instituted product development and service roadmap management system for teams
  • Created & managed multiple cross-functional product teams
  • Managed transition of products from external to internal hosting
  • Led engineering team on the development of scalable & secure online products

INNOVATIVE CONSULTING, INC. — President, Brownstown, MI (1994 – 1997)

  • Led a company of five professionals providing IT support to various sized Companies
  • Provided Network support in a multi server environment (NT, Novell, Mac, Linux)
  • Implemented financial management software for tier 3 automotive suppliers
  • Designed & executed disaster recovery procedures for multiple businesses
  • Architected multi-office communication infrastructure for multiple companies

COMERICA BANK — Securities & Trust Fund Accountant, Detroit, MI (1994)

  • Audited security transactions for bank trust funds
  • Researched discrepancies in reporting
  • Published & verified daily yield rates of several portfolios of marketable securities
  • Initiated automation of trust fund daily reporting

FORD MOTOR COMPANY, INC. — Product Pricing Analyst, Detroit, MI (1992 – 1994)

  • Estimated cost impact on production forecast for various product design changes
  • Benchmarked sourced products to ensure price competitiveness
  • Designed & implemented a profit forecasting system using Excel & EDI

PRESENTATIONS

  • “Keys to Unlocking Electronic Medical Records EMR”, MCLE, Tuesday, May 25, 2021, delivered via Zoom, co-sponsored by the Illinois Public Defender Association, the Illinois Innocence Project, the Center for Integrity in Forensic Sciences, and the Family Justice Resource Center.
  • Illinois Public Pension Advisory Committee: Friday, December 2nd’s IPPAC Winter Conference “The Imminent Threat of Cyber Attacks to your Pension Boards” panel
  • National Society of Insurance Investigators: “Cellphones, Pictures, Videos . . . What a Cyber Forensic Investigation Can Reveal”, December 4th, 2014
  • The Disaster Conferences: “Cyber Threats and Data Breaches”, September 18th, 2014
  • First Chair Awards: “Data Breach & Incident Response: How to Mitigate Your Risk Exposure”, August 2014
  • Cigar Society of Chicago: “How to Catch a Terrorist”, September 2013
  • ICPAS Fraud Conference 2012: “What a Responsible Professional (CPA or Attorney) Should Know about eDiscovery and Document Management”, September 2012
  • Law Bulletin E-Discovery Seminar: “Managing Scope & Review”, June 28th, 2011
  • NetSecure ‘11: IT Security and Forensics Conference and Expo: “Protecting Digital Assets from Hackers and Thieves”, March 24th, 2011
  • Chicago Association of Litigation Support Managers, CALSMposium: “Seventh Circuit Electronic Discovery Pilot Program”, October 7th, 2009
  • National Business Institute – “E-Discovery Searching the Virtual File Cabinets”: (co-presented with Christopher S. Griesmeyer, partner at Levenfeld Pearlstein, LLC and David W. Porteous, partner at Faegre Baker Daniels LLP) “Obtaining Electronic Data & Best Practices in using Computer Forensics”, September 19th, 2008
  • Law Bulletin E-Discovery Seminar — “Electronic Discovery in Practice”: (co-presented with Jennifer Wojciechowski of Kroll Ontrack) “Avoiding the Pitfalls of the Electronic Era”, October 2005
  • Institute of Internal Auditors, Chicago West Chapter Meeting: (co-presented with Cameron Nelson, attorney at Greenberg Traurig) “Using Computer Forensics To Conduct Investigations”, May 9th, 2006
  • Association of Certified Fraud Examiners Workshop: (co-presented with Kathryn Hoying, attorney at Johnson & Bell, Ltd.) “Using Computer Forensics to Conduct Investigations”, February 10, 2006
  • Chicago Law & Technology Conference: “Computer Forensic Update”, co-presented with Greenberg Traurig LLP Attorney Cameron Nelson, February 23, 2006
  • FagelHaber, LLC’s E-Discovery Conference: (co-presented with Richard Chapman, Gary Green, David Rownd and Robert Kamensky, attorneys at FagelHaber, LLC) “Avoiding the Pitfalls of the Electronic Era”, October, 2005
  • Chicago Bar Association, CLE Seminar: (co-presented with Kathryn Hoying, attorney at Johnson & Bell, Ltd.) — “Deliverables to Request From Your Computer Forensics Examiner”, 2005
  • Chicago Economic Development Council: “Internal Fraud Investigations”, 2005
  • Law Bulletin Publishing Company E-Discovery Conference 2005: “Show me the Smoking Gun!”, 2005
  • American Law Firm Association’s International Client Seminar 2005: (co-presented with Joe Marconi, attorney at Johnson & Bell, Ltd and Donald Kaufman, attorney at McNees, Wallace & Nurick LLC) — “Discovery, Document Retention & eDiscovery in a Post-Enron/Andersen World”, 2005
  • Chicago Bar Association, CLE Seminar: (co-presented with William J. Cook of Wildman Harrold, Jeffrey L. Hartman of Competitive Advantage Solutions and Mark S. Simon of Eclipsecurity, LLC) “Computer Forensics For Lawyers”, May 6th, 2004
  • Chicago/Milwaukee Joint Midwest Law & Technology Conference 2004: “Finding the Smoking Guns: Legal Computer Forensics Without the Geekspeak”, November 30th, 2004
  • Chicago Bar Association, CLE Seminar: “Resolving Intellectual Property Theft with Computer Forensics”, October 20th, 2004
  • Chicago Bar Association, CLE Seminar: “Computer Forensics for Lawyers”, May 6th, 2004
  • Law Bulletin Publishing Company E-Discovery Conference: “Electronic Document Collection and Processing”, April 27th, 2004
  • LegalTech 2003, Chicago: “True Electronic Discovery”, October 30th, 2003
  • Chicago Bar Association (Law Office Technology Committee): “Electronic Discovery 101”, 2003
  • Illinois Academy of Criminology: “Electronic Discovery 101”, Circa 2003
  • Greater Chicago Chapter of the Association of Legal Administrators: “Electronic Discovery 101”, Circa 2003
  • Chicagoland Chamber of Commerce: “Web Page Programming For Search Engine Effectiveness”, Circa 2001
  • NORBIC: “Web Page Programming For Search Engine Effectiveness”, Circa 2001
  • Law Practice Today — (July 2004) — Invited to be a contributing expert on a roundtable article by Dennis Kennedy on the online magazine: http://www.abanet.org/lpm/lpt/articles/ftr07041.html

ARTICLES

CURRENT & PAST MEMBERSHIPS / CERTIFICATIONS

  • Certified Information Systems Security Professional (CISSP) — Chicago Chapter
  • HTCIA (High Tech Crime Investigation Association) — Past President — Midwest Chapter
  • Illinois Academy of Criminology — Chicago Chapter
  • U.S. Secret Service Electronic Crimes Task Force Member — Chicago Midwest Region
  • Union League Club of Chicago — Technology Group Member
  • Association of Certified Fraud Examiners — Associate Member
  • State of Michigan — Private Investigator — License Number 3701205872

In-Person Direct Access Provides Additional Information

An in-person on-site discovery will allow you to view what the EMR notes look like at different points in time, and gain access to inactive or deleted records. Check out this blog to learn more!


In-person direct access is what is often required to be able to get a complete view of what happened, because some of the data doesn’t show when you’re just looking at the produced printed charts. Such missing items may include: routing history, what the notes look like at different points in time, access to inactive or deleted records, and communications. Below is a screenshot from a popular Health Information System, Epic.

Screenshot: Epic Notes View

So this is Epic, and here you see the notes view. When you’re entering into the system, there’s routing, which can give you additional detail about what happened in terms of the routing of the notes. You have a note time and a filed time. In this case, for all these records with the exception of this one down here, the 10:04 AM note time was filed 15 minutes later. So it’s important to have both date and timestamps, because sometimes the filed times are many days after discharge or nowhere near contemporaneous to the events, and that’s important: if notes are being entered into this EMR days after something awful happened, you really want to know when those notes were filed. If they’re filed long after things went wrong, oftentimes that suggests that fabrication of the EMR took place.

You can see here some of the routing; it allows you to specify different recipients, and so knowing the routing of information is important because it’s not always evident when you’re looking at the chart. Here’s an example of adding a note, and you can see there’s the ability to copy and paste different notations. The date and time on these notes, when you first go to create a note, default to the current computer’s clock time, but it’s totally possible to change the date and time to put it back in time by days or hours, and that information is relevant.

Here’s an example of the Cerner notes. Again, Cerner allows the user to change the date to something other than the current date and time, and it still stores the creation time of that note, even if the note purports to be days earlier. And there are also different filters here: when you’re looking at the EMR with PowerNotes on Cerner, there are different filters, such as my notes only, inactive, active, and so on.
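The note-time versus filed-time comparison described above, written out as an added example (not code from the original post, and not an Epic or Cerner export format): it parses a constructed audit-trail export and flags notes filed long after their stated time, filed after discharge, filed before their own note time, or marked inactive. The column names, the 24-hour threshold and the discharge time are assumptions.

```python
"""Flag EMR audit-trail entries whose filing history calls for closer review."""
import csv
import io
from dataclasses import dataclass
from datetime import datetime, timedelta

TIME_FMT = "%Y-%m-%d %H:%M"

# Constructed sample export. Column names are assumptions, not an Epic or
# Cerner export format. N2 mirrors the 10:04 AM note filed 15 minutes later.
SAMPLE_AUDIT_CSV = """\
note_id,author,note_time,filed_time,status
N1,Dr. A,2020-03-02 09:50,2020-03-02 09:58,active
N2,Dr. A,2020-03-02 10:04,2020-03-02 10:19,active
N3,RN B,2020-03-02 11:30,2020-03-02 11:32,inactive
N4,Dr. C,2020-03-02 10:00,2020-03-06 16:45,active
N5,Dr. C,2020-03-02 08:15,2020-03-02 08:10,active
"""


@dataclass(frozen=True)
class NoteEvent:
    note_id: str
    author: str
    note_time: datetime   # the time the note claims for the entry
    filed_time: datetime  # the time the system actually committed it
    status: str           # active / inactive / deleted as exported


def parse_audit_csv(text: str) -> list[NoteEvent]:
    """Parse the export. Both timestamps are required, because the
    comparison between them is the whole point of the review."""
    events = []
    for row in csv.DictReader(io.StringIO(text)):
        events.append(NoteEvent(
            note_id=row["note_id"].strip(),
            author=row["author"].strip(),
            note_time=datetime.strptime(row["note_time"].strip(), TIME_FMT),
            filed_time=datetime.strptime(row["filed_time"].strip(), TIME_FMT),
            status=row["status"].strip().lower(),
        ))
    return events


def filing_delay(event: NoteEvent) -> timedelta:
    """How long after its stated note time the note was actually filed
    (negative when the note time was set later than the filing time)."""
    return event.filed_time - event.note_time


def review_notes(events, discharge_time: str,
                 late_hours: float = 24.0) -> dict[str, list[str]]:
    """Return note_id -> list of review flags (an empty list means nothing unusual)."""
    discharge = datetime.strptime(discharge_time, TIME_FMT)
    late_threshold = timedelta(hours=late_hours)
    report = {}
    for e in events:
        flags = []
        delay = filing_delay(e)
        if delay < timedelta(0):
            # A note time later than the filing time can only come from the
            # date/time field having been edited away from the system clock.
            flags.append("note_time_after_filed_time")
        elif delay > late_threshold:
            flags.append("late_filing")
        if e.filed_time > discharge:
            flags.append("filed_after_discharge")
        if e.status != "active":
            # Inactive or deleted notes do not appear on the printed chart;
            # these are the records to ask for on a direct-access review.
            flags.append("inactive_or_deleted")
        report[e.note_id] = flags
    return report


if __name__ == "__main__":
    notes = parse_audit_csv(SAMPLE_AUDIT_CSV)
    for note_id, flags in review_notes(notes, "2020-03-03 12:00").items():
        print(note_id, ", ".join(flags) or "ok")
```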

Watch other videos making up this 4 part series, Unlocking the EMR Audit Trail.

Part 1 of 4: “The Keys to Unlocking Electronic Medical Records”
https://enigmaforensics.com/blog/keys-to-unlocking-the-emr-audit-trails-electronic-medical-records/
Part 2 of 4: “HIPAA”
https://enigmaforensics.com/blog/health-insurance-portability-and-accountability-act-of-1996-hipaa/
Part 3 of 4: “Navigating to Trial or Settlement”
https://enigmaforensics.com/blog/navigating-to-trial-or-settlement/
Part 4 of 4: “In-Person Direct Access”
https://enigmaforensics.com/blog/in-person-direct-access-provides-additional-information/

Cyber-Attacked on Supply Chain Again!

In light of the recent ransomware cyber attacks on critical supply chain assets, Enigma Forensics analyzes two recent cyber attacks and what lessons we have learned.

Cyber attacks on our supply chain. Will it stop? Enigma Forensics is a cyber forensic company, and our love for data security keeps us focused on the 4W’s and 1H of a Cyber Attack. Here are two recent, very important cyber attacks on our crucial supply chain.

Who was involved? What happened? When? Where? How did it happen?

On May 7, 2021, Colonial Pipeline, an American oil pipeline system that originates in Houston, Texas, experienced a ransomware cyberattack. Colonial Pipeline carries gasoline and jet fuel mainly to the Southeastern United States. The cyber attackers impacted computerized equipment managing the pipeline. They took the company offline and wanted a sizable ransom to reverse the cyber attack.

This pipeline disruption caused an immediate reaction. Americans felt a rise in gasoline prices, people were panic buying, and there were crazy long lines at the pump. Some areas reported no gasoline at all. What was the company’s response? Colonial Pipeline’s CEO Joseph Blount reported that they learned the criminal cyber attackers infiltrated Colonial’s computers through a legacy virtual private network, commonly known as a VPN.

Joseph Blount, CEO of Colonial Pipeline, paid approximately $5 million in Bitcoin ransom to the attackers. Blount told the Senate Homeland Security Committee at a hearing that paying the ransom was the hardest decision of his career. Blount said he knew how critical Colonial’s pipeline is to the country and he put the interests of the country first. When asked about the security on the particular VPN that was hacked, Blount said it was not protected by two-factor authentication with a code texted to a phone, but by single-factor authentication using only a plain text password. He said it was more complicated than the typical Colonial123 password. Lesson learned?

Following the attack on Colonial Pipeline, another ransomware cyber-attack occurred on our supply chain.

JBS Meat Packing Hack (it rhymes!)

JBS is considered to be one of the largest meatpacking companies in the world. At the end of May, they reported cyber criminals used ransomware to take over the company’s network systems and stopped meat production. JBS revealed they made a payment of $11 million to a Russian-speaking ransomware gang called “REvil” to protect JBS meat plants from any further impact on farmers, grocery stores, and restaurants.

Why are we seeing a surge in targeting a crucial supply chain?

There are many contributing factors in the recent wave of hacking attacks. It’s a fact more folks are working from home and lack the cybersecurity necessary to guard against intrusions. Another large contributing factor is that software used to allow bad actors to break into a network system is more sophisticated and readily available. The largest factor is that the United States companies are more globally connected than ever before therefore increasing their exposure to cybercriminals.

Who’s in Charge?

You might be asking who is in charge. It’s the United States Department of Homeland Security (DHS). Its stated missions involve anti-terrorism, border security, immigration and customs, cybersecurity, and disaster prevention and management.

Cyber Security Prevention

June 10, 2021 – The Department of Homeland Security Cybersecurity and Infrastructure Security Agency unveiled guidance for defending against ransomware attacks targeting operational technology assets and control systems, in light of the rise in critical infrastructure attacks.

The guidance joins a host of federal agency and White House efforts to crack down on ransomware and improve threat sharing between entities, as the frequency and disruption of attacks continue to ripple across the country. Combining knowledge and sharing prevention ideas will be the key to thwarting future attacks.

Fingers crossed that the guidance works. We have all learned the lesson that it’s vital that we secure our supply chain in the United States and abroad. We don’t want to say what’s next!

Check out this series of our video blogs pertaining to cyber breaches!

Russian Hacker’s Latest Hack Or Did They?

Will 2021 become the year of heightened cyber security? What will it take for the U.S. Government to get their act together? Here we are reporting yet another cyber attack that gained entry through a supply chain. 2021: Year of Cyber Security!


As a Cyber Security company, Enigma Forensics is always interested in the 4W’s and 1H of a Cyber Attack. We would be remiss if we didn’t write a post about the most recent SolarWinds Hack allegedly by the Russians. Did the Russians time this cyber attack at precisely the moment in time when the United States is preoccupied? Amidst the Coronavirus shutdowns, the election results, the holidays, and the COVID-19 relief plan, it’s almost as if this particular Russian Hack completely flew under the radar.

What happened?

The attackers gained entry by using a software update sent out by Texas-based software company SolarWinds, which counts multiple U.S. government agencies as customers. In early December 2020, the news media reported at least 200 organizations, including U.S. government agencies and other companies around the world, have been hacked as part of this suspected Russian cyber attack.

Government’s response

The New York Times reported on December 13, 2020, “The Trump administration acknowledged on Sunday that hackers acting on behalf of a foreign government — almost certainly a Russian intelligence agency, according to federal and private experts — broke into a range of key government networks, including in the Treasury and Commerce Departments, and had free access to their email systems.” We can’t find any reporting on what information was stolen.

Who raised the alarm?

It looks like FireEye, a computer security firm first raised the alarm about the Russian cyber attack after its own systems were compromised back in early Spring of 2020. What perfect timing to stage an attack considering the whole country is preoccupied with the rise of the pandemic! FireEye discovered a supply chain attack that was accessed through SolarWinds Orion business software updates in order to distribute malware that they called “SUNBURST.” Experts agree this is the work of highly-skilled actors and was performed with significant operational security. But, the real issue is why didn’t the government cyber protection agencies that are sworn to protect recognize the breach? It took an outside company to inform them of the cyber attack.

Where was the Cyber Attack aimed?

In this case, the U.S. government agencies seemed to be the target. As noted before, the hack was done through what is called a “supply chain attack,” in which malicious code is hidden in legitimate software updates and meant to target third parties. Could it have been the Chinese masquerading as the Russians? President Trump laid claim that there was potential it could have been the Chinese and not the Russians.

When was the Attack Noticed?

As reported by the New York Times, in a statement after a briefing for committee staff members, Senator Ron Wyden of Oregon, who has often been among the sharpest critics of the National Security Agency and other intelligence agencies, said that the Treasury Department had acknowledged that “the agency suffered a serious breach, beginning in July, the full depth of which isn’t known.” But no one will say just how serious the breach was!

Today, as reported in The Hill, the headline reads, “Intel vice chair says government agency cyber attack ‘may have started earlier’.” Sen. Mark Warner (D-Va.), the vice-chairman of the Senate Intelligence Committee, said on Wednesday, December 30, 2020, that the cyberattacks on U.S. government agencies reported at the beginning of the month may have begun earlier than previously believed.

How did the Hackers Hack?

The hackers used malicious code inserted into legitimate software updates for the SolarWinds Orion software. This allowed the hacker to remotely access the victim’s electronic environment. In order to avoid detection, they used a very small footprint and went to significant lengths to lay low and blend in. Very stealth-like in nature! The malware attacked slowly and moved with precision, covering its tracks and using tools that were hard to detect. Does this sound familiar?

Check out another Enigma Blog

https://www.forbes.com/sites/thomasbrewster/2021/01/26/google-warning-north-korean-hackers-breach-windows-and-chrome-defenses-to-attack-security-researchers/?utm_source=newsletter&utm_

Top Five Cyber Attacks

Phishing, Ransomware, Endpoint Security, IoT Devices and Cloud Jacking. What do they have in common? Top Five Cyber Attacks we are concerned about and you should be too!

The frequency of cyberattacks is growing. The following is Enigma Forensics’ top five cyber attacks that you should be made aware of.

Phishing attacks are specific forms of email or text messages that target victims to gain access to their personal information. Phishing messages often try to induce the receiver to click a link in a package shipment delivery message or other seemingly legitimate hyperlinks. They act like harmless or subtle emails designed to get victims to supply login credentials, which are often harvested by the attacker for later use in efforts to compromise their target. Sometimes phishing emails spoof the sender to be someone who has already been compromised. Once compromised, the user’s mailbox is often used to relay other outbound messages to known individuals in their saved contacts. This form of attack earned its name because it masquerades as an email from someone you may know, and because you know the sender, you are more likely to nonchalantly open the email and click on the attachment to learn more about the content. With a click of a mouse, BOOM, you can be compromised. This is a very easy and effective scam for cybercriminals. Warning: Do not open attachments or forward chain emails!

Ransomware is often spread through phishing emails that contain malicious attachments or through drive-by downloading. Drive-by downloading occurs when a user unknowingly visits an infected website and then malware is downloaded and installed without the user’s knowledge. The cybercriminal then holds the stolen information for ransom, thus the name! They may ask for a ransom payment in the form of digital currency such as bitcoin. Whether or not the victim pays the ransom depends on what information they have stolen or what criminals have threatened to do with the stolen information. Warning: Do not visit unsecured sites!

Remote worker endpoint cyber attacks are currently the most popular because of the number of employees working from home due to the Coronavirus. In the month of March, many workers were sent scurrying to their homes without companies putting proper cyber protection protocols in place. Employees are using their personal devices to conduct work, and those devices often are not fully patched, updated, or using encryption to protect against cybercriminals. Many company executives have been targeted at their homes, where they are much less likely to have commercial-grade firewalls designed to protect endpoints and company trade secrets.

IoT Devices attacks are a popular vehicle used by cybercriminals to establish a beachhead for launching lateral attacks across a home or work network. IoT devices involve extending internet connectivity beyond standard devices, such as desktops, laptops, smartphones, and tablets, to any range of traditionally dumb or non-internet-enabled physical devices and everyday objects. Embedded with technology, these devices can communicate and interact over the internet. They can also be remotely monitored and controlled. IoT Devices should be segmented and on a different network than corporate work from home devices. IoT devices pose a great threat because many of these devices lack automatic update processes and can become a beachhead for cybercriminal attacks in your home.

Cloud jacking will increase as cloud computing grows into an estimated $266.4 billion industry in 2020. The idea of cloud storage makes one believe it is an improved option over traditional on-premise storage. This will be, and has become, a major security concern and has created a strong urgency to increase the creation of cloud security measures. Cybercriminals will up their game and hijack cloud data whenever possible. The race is on to see who does cloud security better: the good guys or the bad guys. To protect against cloud jacking cyber attacks, organizations should enable two-factor authentication options, such as Google Authenticator.

Two-factor authentication requires two of the three following means of authentication:

  • Something you know (A password)
  • Something you have (A key fob or cell phone authenticator)
  • Something you are (Retina Scan, Facial recognition, fingerprint)

Who’s Who Legal Investigations 2020

We are proud to announce Lee Neubecker was once again nominated by his peers as one of the world’s leading practitioners in the Digital Forensic Expert field. Congratulations Lee!

Congratulations Lee Neubecker!

Enigma Forensic’s President and CEO Lee Neubecker was nominated by his peers as one of the world’s leading practitioners in the field of Digital Forensic Experts and is listed in Who’s Who Legal Investigations 2020 publication as such.

Since 1996 Who’s Who Legal has identified the foremost legal practitioners and consulting experts in business law and investigations based upon comprehensive, independent research.

Who’s Who Legal Investigations said Lee Neubecker is a “great expert” who receives widespread plaudits from sources, who note he is “one of the most visible people in the field”.

Nominees have been selected based on comprehensive, independent survey work with both general counsel and private practitioners worldwide.

Small Business and Cybersecurity Attacks

Small businesses are getting hit hard. Starting with government directed closures due to the COVID-19 pandemic and now the most recent looting and protestor damage. Small businesses are more vulnerable than ever. If you own a small business be on the lookout for cybersecurity threats and learn more on how to protect your business.

Small Businesses must be on the lookout for cybersecurity threats!

Small businesses have been besieged on all fronts. First, out of left field, they were struck by COVID-19 and the loss of business. Then they were knocked down by the most recent violent protests. All these hits create multiple vulnerabilities to yet another threat: cybersecurity attacks. Now more than ever, small businesses need to be aware of an impending cybersecurity breach. Enigma Forensics focuses on cybersecurity and would like to share what the most common cybersecurity threats are and how small businesses can protect themselves.

What are the most common security threats?

There are three common cybersecurity threats each small business owner must be aware of: malware, viruses, and phishing. Malware is an umbrella name for software designed to attack and destroy computers and servers, and to obtain client information. Malware can be engineered in many different malicious ways. A virus is a computer program that replicates itself and inserts code into your system to modify existing programs. It basically creates havoc in your system and is extremely difficult to delete. Phishing starts with clicking on or opening an email that presents itself as a legitimate email. It sparks curiosity and plays on the simplest of emotions.

What are some easy tips for small businesses to protect themselves?

Enigma Forensics encourages everyone to purchase cybersecurity insurance. This can help defray costs if you are attacked. We definitely suggest hiring a professional to assess your system and identify risks. Another less costly tip is to change your passwords. Make them as difficult and unique as possible, and don’t store them on your systems. Be sure to include mobile device security if you or your employees check email on mobile devices. Train your employees to recognize cybersecurity threats and how to avoid and report them.

Enigma Forensics related articles

See the link below for The Department of Homeland Security guide

https://www.dhs.gov/sites/default/files/publications/CSD%202018%20Tech_Guide_Web%20Version_508.pdf

Cell Phone Forensics Key to Ending Looting

How can we put an end to this protest? Cell phone forensics is the key to finding out who is organizing violent protests and looting by checking social media sites. It’s that simple!

Chicago Police Superintendent David Brown recognizes social media contributed to the rise in looting

Is cell phone forensics the key to ending the looting? Chicago is reeling from the third day of unrest and violent protest. Not only are we healing from a global pandemic, we are now faced with the threat of violence in all of our neighborhoods. On Monday, we witnessed the third day of violent protest. It was reported that law enforcement arrested approximately 699 people and, sadly, 2 people were shot and killed in Cicero. Feelings of anger, frustration and despair are common threads that bind all of us. The question on everyone’s mind is when all this is going to stop. The Chicago Police Department is dealing with a great deal: protecting the neighborhoods and at the same time being charged with stopping violence. The same violence that was started by a deadly police action.

Many have heard on mobile scanners that hundreds of people driving in caravans are traveling into the city from outside Chicago. Some believe these caravans are organized on social media and are encouraging violent protest and looting. Forensic technology can stop this type of organized violent protest. Once a bad actor has been apprehended, law enforcement needs to perform remote cell phone forensic analytics to discover social media posts and connect friends and followers to thwart the passing of information. This is a new age of technology, and our police department needs to be able to trace violent networks of people to respond in real time so as to prevent personal attacks and property damage.

Enigma Forensics is an expert cyber forensic company that offers forensic imaging of cell phone, laptop and other electronic devices. We are able to analyze the electronic footprint left behind and provide detailed tracing to assist in litigation.

More about expert technology and cell phone forensics

Mobile Device Investigation Training

https://www.fletc.gov/-program/mobile-device-investigations-program

Chicago Police Department Learn about Real Technology Behind Crime Solving Efforts

Top Counties That Should Consider Lockdown!

Chicago’s Enigma Forensics Data Analytic and Cyber Security Expert Lee Neubecker has identified top counties in the country that should consider going on lock down because of the alarming climbing numbers. Some of these counties may not know they are approaching a dangerous risky situation. Lee has been taking a deeper dive on the most recent Coronavirus stats identifying the most at risk counties. Lee was way ahead of CNBC’s report that President Trump has called for classifying Coronavirus risk county by county!

Check out this video to see if your County is on his list!


End of Windows 7

What are some of the potential problems for an organization trying to secure Windows 7? Cyber Security Experts Lee Neubecker and Atahan Bozdag say it’s analogous to owning a home and not maintaining it, eventually something breaks and it’ll cost you a fortune to fix!

Securing Windows 7 Environments

On January 14, 2020, Microsoft announced support for Windows 7 has ended. As reported by Microsoft, “Technical assistance and software updates from Windows Update that help protect your PC are no longer available for the product. Microsoft strongly recommends that you move to Windows 10 to avoid a situation where you need service or support that is no longer available.” It’s official…it’s the end of Windows 7! We have to end our love affair with Windows 7 and move on to Windows 10. What does that mean for the end-user? Well, if you stay on Windows 7, you will deal with constant security threats, and there will be no more updates or support. If you upgrade, it’ll cost you approximately $139 for a home computer, $199 for a small to large business, and $309 to upgrade a workstation that needs a faster, more powerful operating system.

Cyber Security & Computer Forensic Expert Lee Neubecker and “Fellow Forensicator” Atahan Bozdag break down the impact on cyber security when computers no longer receive service patch updates or support for Windows 7. They discuss the usage of Windows 7 by health care organizations that are resistant to change or have applications that have not been ported to work with Windows 10.

Atahan Bozdag provides an overview of the top three items that all organizations dependent on Windows 7 should be undertaking to maintain cyber security resilience.

Windows 7 Security Vulnerabilities

The Video Transcript Follows

Lee Neubecker: Hi, I’m here today with Atahan Bozdag. Thank you for being on the show, Atahan.

Atahan Bozdag: Thank you for inviting me, Lee.

LN: Atahan is a fellow forensicator and cybersecurity expert. He works within the healthcare sector and works internally to an organization, doing some of the things I do as an expert witness outside an organization. And today we’re going to be talking about Windows 7, the end of the life cycle of Windows 7, and some of the cybersecurity issues relating to organizations that are in Windows 7 and are trying to prevent future data breaches. So, Atahan, could you tell everyone a little bit about what Microsoft did recently as it relates to Windows 7?

AB: Well, as you said, the Windows 7 end of life cycle happened. It was January 14, 2020. They stopped patching the Windows 7 environment, so it is vulnerable to any attack after that date, January 14, 2020.

LN: So then when people report their CVEs, detailing vulnerabilities on Windows 7, eventually they’re up there for the hacker world to see and to exploit, because Microsoft’s not patching that operating system.

AB: Very true. It’s a dream come true for the hackers.

LN: Yeah, well, no more data patches means what exactly?

AB: It means that you are more vulnerable to attacks.

LN: So every day the risk of cyber compromise only grows for organizations still on Windows 7.

AB: Very true.

LN: So, what is for the non-technical person out there, could you explain what this is analogous to?

AB: Well, I can give you the house analogy. You buy a house and you don’t do any upgrades. You don’t do any maintenance. Something is going to break. So this is what’s going to happen with Windows 7. Because there’s no more patch, there are no more updates, there’s no more security involved in it. At one point if you still continue using it, you will get breached.

LN: So, it’s kind of like your locks start to fall off the door at a particular time

AB: Exactly, exactly.

LN: And if you consider the contents of a health care provider, to have sensitive data like patient medical records, electronic medical records, protected health care information, or PII, all of that stuff is vulnerable to exfiltration?

AB: Yes, very, yes.

LN: So, why are people still using Windows 7, given this threat?

AB: Well, some applications are not upgraded to work with Windows 10, and what happens. So then a lot of people working in the corporate environment are resistant to change because the applications are not working with Windows 10. So those,

LN: Or they just like the cleanness of Windows 7, relative to Windows 10, which

AB: Yes

LN: It has a lot of bloatware loaded on it if you’re getting the version off the shelf.

AB: True, true.

LN: Who really needs to have all these games on their environment?

AB: Exactly. But at the same time, every healthcare company that, you know, even my company that I’m working for, we have a golden image that we create, which are stripped down from all those games and stuff like that. So we don’t use those. But, to get there, there is always an image needs to be updated in Windows 10.

LN: So what are some of the potential problems for the organization that stays on Windows 7 and just doesn’t get with the program to migrate off?

AB: Well, first thing is, APT.

LN: What’s an APT?

AB: APT is an Advanced Persistent Threat.

LN: That’s like that nation-state, Big Brother lurking on the chips of the computer device, waiting for a moment to attack, right?

AB: They can infiltrate you. They can do nothing, just sit and wait, and look at your data. And we have seen that in many breaches. The time that you found out that the company was breached, they’ve been in the system for more than six, seven months. So they were collecting data slowly by slowly, and at one point they turned the engine on, and then the doomsday attack starts. Suddenly you start losing data. Deletion happens and then, they grab everything out from your system.

LN: So there’ve been a lot of nation-states making threats.

AB: Oh, very much so.

LN: This could be a huge opportunity for certain nation-states to get themselves onto hackable systems and merely wait until the opportune time to strike is such that they could magnify the damage.

AB: Exactly.

LN: We have a power outage,

AB: Yes.

LN: And they were to strike at that time, that would probably magnify the damage significantly.

AB: Very, very much. And now you’ve been talking about those in your other videos about these kinds of things. The cyber realm is another way of attacking our national interests. Health care is one of them.

LN: So let’s assume that an APT gets into a health care environment, health care provider’s systems, and they’re able to access electronic medical records, EMR, patient health care information, what might they want to do with that information?

AB: Well, patient records, especially the names, social security numbers, medical records, everything is sellable in the Darkweb.

LN: And it’s worth a lot more than just giving social security numbers.

AB: It is. True. It’s like a single record may go for $35. If you got about 10,000 records, 10,000 records times about $35.

LN: It’s likewise though, that data exfiltrates, and it gets out there in the market, the health care providers are looking at potentially significant financial damages, as well as reputational damage.

AB: Yes, yes. Because when these things happen, suddenly you have to report this either to the government or to the media. And then afterward the penalties will come. And investigations cost a lot of money. Penalties are really severe. And doing all of these things, and if you’re still in the Windows 7 environment, you’re actually opening yourself to these kinds of attacks.

LN: Yeah, so when these data incidents happen, as you like to call them, what do you see as the role of internal IT investigations versus an outside computer forensic firm like mine that specializes in data breaches and EMR? What is the typical role and function of the internal versus the outside expert witness?

AB: Internally, it’s, you know, like myself: we do the investigation internally, but we would love to hire, I mean we would like to hire, an outside investigation to give unbiased information. Saying that, if you go the legal way, you will be able to say, “Hey, I’m not involved with this company, I’m doing this…”

LN: Sometimes there’s benefit to having an outside forensic expert that’s independent speak only to the issues that are relevant, and not necessarily have knowledge of who in IT got fired or any of that other stuff that isn’t really relevant to the investigation but could create risk for the health care provider.

AB: True. True.

LN: So with regard to reporting obligations, let’s say you find that there was indeed exfiltration of patient data and that information left the organization, what are the reporting obligations?

AB: Well, the best way that I can tell right now is, if you go to hhs.gov or consult your attorney, it will actually tell you; especially the website will tell you what the reporting obligations are. There are multiple levels. If I go into details over here, it’s not going to last.

LN: Got it. And so, we talked about exfiltration but what can happen if someone gets in and actually deletes patient medical records?

AB: Well, the first thing is, in hospital systems, that patient who’s going to be either going into surgery or something like that, they will not be able to get, to pull out, the data.

LN: And so people who have a need for critical life-saving care, might actually die.

AB: Yes.

LN: Or worse yet, if someone were to alter the medical records…

AB: That is a threat.

LN: And say instead of your left lung having cancer it’s your right lung, and you get the wrong lung removed, that’s a real problem.

AB: It’s a big problem.

LN: So if you had to, say, wrap it up, what would be the top three recommendations you’d make to health care organizations to help defend against a potential future data breach that’s from running Windows 7?

Top 3 Measures to Defend Windows 7

AB:

  1. First is implementing a plan to leave Windows 7, immediately. That’s a given fact.
  2. Second, isolate Windows 7 legacy systems into VDIs, which we call Virtual Desktop Environments. Isolate them from the network.
  3. And the third, make sure that your disaster recovery is in place and you do periodic tabletop exercises.

LN: Well thanks so much, that was really informative. I appreciate you coming on the show.

AB: Thank you for inviting me again.

LN: Take care.

Microsoft Windows 7 End of Support

https://support.office.com/en-us/article/Windows-7-end-of-support-and-Office-78f20fab-b57b-44d7-8368-06a8493f3cb9
