Case Studies

Case Studies – Cybersecurity

Bogus Tax Returns as a Result of Email Phishing

Protecting Cloud-Based Programs from Phishing Scams

Problem

An employee at a small CPA firm in Houston received an email asking for his Office365 credentials. The email appeared to be from Microsoft, so the employee entered his credentials using the link in the email. Soon after, he noticed emails appearing and disappearing at random, along with strange and unexpected activity on other online accounts. He uses a cloud-hosted tax program and realized that an unknown user account had been created on the portal and was filing bogus tax returns.

Solution

Pathway Forensics reviewed the employee’s Office365 portal and enabled audit logging to check for malicious activity. Pathway’s cyber experts checked whether forwarding rules had been set up on the employee’s mailboxes and enabled multi-factor authentication (MFA) on the Office365 accounts as an additional layer of protection on top of the new account password. We also worked directly with the cloud-hosted tax software company to enable MFA on the employee’s account, as well as the account activity notifications that alert him to new user accounts and to changes to existing ones.

Results

The CPA firm employee was able to stop the bogus tax returns from being deemed legitimate and now has multiple layers of authentication and alerts to help prevent future security incidents.

Services Employed

Incident response

Investigation

Remediation

Multi-factor authentication setup and enablement

After-Hours Ransomware Infects All Network-Based Servers

Responding to Cyber Threats to Keep Business Running As Usual

Problem

A US-based industrial construction company experienced a severe after-hours network outage that crippled all of its business operations, including all email and computer network resources. The company’s internal IT department responded to the outage and quickly determined that all network-based servers had fallen victim to rapidly spreading ransomware, which had also rendered the onsite backups inoperable.

Solution

The company employed Pathway Forensics engineers, who quickly responded to the attack, both physically onsite at the client’s offices and virtually through secure channels to a Security Operations Center. After immediately investigating and triaging the ransomware event, Pathway analysts and engineers went to work by first isolating the infected servers, then rerouting critical business applications and email traffic through an alternative secure network infrastructure.

Results

The redirection of network and email traffic allowed the business to continue with primary operations while Pathway engineers restored the company data and rebuilt a much more resilient IT system and network infrastructure.

Services Employed

Incident response

Investigation

Remediation

Title Company Falls Prey to Wire Transfer Fraud

Responding to Sophisticated Phishing Attacks

Problem

A title company – through its normal course of business – performs millions of dollars in financial transactions every year via wire transfers. After several transfers failed to reach the correct client, the company began to investigate the transfer process and learned that they had become a victim of fraud, with losses totaling more than $700,000.

Solution

Pathway Forensics was engaged to conduct the investigation and mitigate any digital threats that might still be lurking on the company network. During the investigation, our analysts quickly noticed that a broker’s email account had been compromised during a sophisticated phishing attack in which malicious actors set up forwarding rules to an unknown outside address. We also learned these actors would observe email activity within the company and wait for wire transfer instructions to be ordered. At that time, they would interject into the conversation – acting as the broker’s manager – and then change the transfer routing information and account.

Results

Upon completing the investigation, Pathway removed the malicious forwarding rules and reviewed all other email configurations for indications of compromise. All affected employees’ accounts were reset, and two-factor authentication was implemented as an additional layer of protection. We documented our findings in an official report that the client shared with law enforcement to begin a criminal investigation.
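Both phishing cases on this page turned on mailbox forwarding rules, and in both the remediation began with a review of the mailbox rules and audit logs. The script below is an added example, not Pathway’s tooling or code from this page: it scans audit records for inbox rules whose forwarding, forward-as-attachment or redirect targets lie outside the organisation’s own domain, and flags the two traits that make such a rule hard for the mailbox owner to notice (a rule that deletes the original message, and a rule with a blank or dot-only name). The record layout is loosely modelled on Exchange Online audit entries for inbox-rule operations, and the tenant domain, user names and addresses are constructed for the example.

```python
import json

# Constructed sample audit export (JSON lines). The layout is an assumption
# loosely modelled on Exchange Online inbox-rule audit entries; the tenant
# domain, users and addresses are invented for this example.
TENANT_DOMAIN = "example-cpa.com"

SAMPLE_AUDIT_LOG = r'''
{"CreationTime": "2021-03-02T22:14:09", "Operation": "New-InboxRule", "UserId": "broker@example-cpa.com", "Parameters": [{"Name": "Name", "Value": "."}, {"Name": "ForwardTo", "Value": "collector@mail-drop.example.net"}, {"Name": "DeleteMessage", "Value": "True"}]}
{"CreationTime": "2021-03-03T09:01:44", "Operation": "New-InboxRule", "UserId": "alice@example-cpa.com", "Parameters": [{"Name": "Name", "Value": "Newsletters"}, {"Name": "MoveToFolder", "Value": "Newsletters"}]}
{"CreationTime": "2021-03-03T10:22:10", "Operation": "Set-InboxRule", "UserId": "bob@example-cpa.com", "Parameters": [{"Name": "Name", "Value": "Assistant copy"}, {"Name": "RedirectTo", "Value": "Carol <carol@example-cpa.com>"}]}
{"CreationTime": "2021-03-03T11:05:31", "Operation": "MailboxLogin", "UserId": "broker@example-cpa.com"}
{"CreationTime": "2021-03-04T01:47:58", "Operation": "Set-InboxRule", "UserId": "dave@example-cpa.com", "Parameters": [{"Name": "Name", "Value": "Invoices"}, {"Name": "ForwardAsAttachmentTo", "Value": "smtp:dave@example-cpa.com; billing@partner-invoices.example.org"}]}
'''

# Operations that create or modify an inbox rule, and the rule parameters
# that send mail somewhere else (all three are reviewed in a compromise check).
RULE_OPERATIONS = {"New-InboxRule", "Set-InboxRule"}
FORWARDING_PARAMS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo")


def parse_records(text):
    """Parse a JSON-lines audit export into dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def rule_parameters(record):
    """Flatten the Name/Value parameter list of a rule record into a dict."""
    return {p["Name"]: p["Value"] for p in record.get("Parameters", [])}


def normalize_address(value):
    """Reduce 'Display <user@host>' or 'smtp:user@host' to a bare lower-case address."""
    addr = value.strip()
    if addr.endswith(">") and "<" in addr:
        addr = addr[addr.rfind("<") + 1:-1]
    if addr.lower().startswith("smtp:"):
        addr = addr[5:]
    return addr.strip().lower()


def is_external(address, tenant_domain):
    """True when the address's domain is not the tenant's own domain."""
    return address.rsplit("@", 1)[-1] != tenant_domain.lower()


def find_external_forwarding(records, tenant_domain):
    """Return one finding per rule operation that forwards or redirects mail outside the tenant."""
    findings = []
    for rec in records:
        if rec.get("Operation") not in RULE_OPERATIONS:
            continue
        params = rule_parameters(rec)
        targets = []
        for name in FORWARDING_PARAMS:
            # A parameter may carry several addresses separated by ';'
            for raw in str(params.get(name, "")).split(";"):
                if raw.strip():
                    addr = normalize_address(raw)
                    if is_external(addr, tenant_domain):
                        targets.append(addr)
        if not targets:
            continue
        rule_name = str(params.get("Name", ""))
        findings.append({
            "time": rec.get("CreationTime"),
            "user": rec.get("UserId"),
            "rule_name": rule_name,
            "external_targets": sorted(set(targets)),
            # Deleting the original hides the forwarded mail from the owner
            "deletes_original": str(params.get("DeleteMessage", "")).lower() == "true",
            # Blank or dot-only names are easy to overlook in the rules list
            "hidden_name": rule_name.strip(" .") == "",
        })
    return findings


if __name__ == "__main__":
    for f in find_external_forwarding(parse_records(SAMPLE_AUDIT_LOG), TENANT_DOMAIN):
        flags = [k for k in ("deletes_original", "hidden_name") if f[k]]
        print(f"{f['time']} {f['user']} rule={f['rule_name']!r} "
              f"-> {', '.join(f['external_targets'])} {flags}")
```

On the constructed sample the script reports two rules: the broker’s dot-named rule that forwards to an outside mail drop and deletes the original, and a second rule that forwards copies to an external billing address. The internal redirect and the plain move-to-folder rule are left alone, which is the distinction a reviewer wants when working through a tenant’s rule changes after a phishing incident.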

Services Employed

Investigation

Remediation

Case Studies – Digital Forensics

Man Charged with Capital Murder

GPS Evidence Helps Prosecutors in Capital Murder Case

Problem

The District Attorney’s office needed assistance in conducting a forensic examination of family electronic devices to provide evidence of the suspect’s activity related to the victim’s murder.

Solution

The State District Court approved the use of Pathway Forensics to provide digital forensic examination of all of the seized electronic devices within the time frame required by the trial date. Pathway obtained the digital devices from a variety of law enforcement agencies.

Pathway’s analysis found travel logs from several GPS devices used by the suspect to follow the victim. Examination of the cell phones recovered numerous active and deleted text messages sent by the suspect. Examination of the laptops found a backup of a cell phone that had since been reset, and that backup contained useful information. In addition, phone company records were compiled and correlated with text messages, emails, and travel logs.

Pathway generated exhibits for trial, including video of the travel logs on the GPS devices. We also met with Defense Counsel and provided material in the case. Finally, we provided expert witness testimony during the trial that helped the government convict the suspect of capital murder.

Results

Pathway worked with the Assistant District Attorneys and law enforcement personnel to provide a courtroom video presentation of the GPS travel logs depicting the dates, times, and roads used by the suspect while preparing for the murder. A Pathway examiner testified at trial to the GPS travel logs. The suspect was convicted of capital murder and, as of the date of publication on this website, is being held on Texas death row.

Services Employed

Forensic Data Preservation

Forensic imaging of GPS devices and laptop

Verification of forensic images provided by law enforcement

Compiled phone company records

Forensic Analysis and Reporting

Detailed analysis of travel logs from the GPS devices, plus video of journeys recovered from a GPS device, showed numerous trips to the victim’s house in the middle of the night

Videos used as exhibits in court

Examination of mobile devices and recovery of active and deleted text messages sent by suspect

Generated excerpts from phone records for the time period of interest, used as exhibits during trial

Departing Employee Data Exfiltration Investigation

Investigation and Remediation Effort Protects IP from Competitors

Problem

A US-based energy services and equipment company had departing employees recruited by a competitor. Shortly after, the competitor began to outbid the company on key contracts using pricing and schematic models that appeared to be derived from the company’s proprietary templates.

Solution

The company employed Pathway Forensics to work with HR, IT, and outside counsel to identify and collect computer and online account data related to the former employees, and to investigate their activity before and after their departure. Pathway’s analysis indicated that several key schematics and sales model templates had been exfiltrated via webmail, removable media, and cloud services in the few weeks leading up to the employees’ departures. Pathway provided expert witness testimony that helped the client win a temporary injunction hearing. We also created and executed a file remediation plan for the client to ensure the exfiltrated intellectual property was contained and securely deleted.

Results

Pathway worked with the client’s HR and IT teams, along with outside counsel, to ensure the client’s intellectual property was removed from all sources outside the client’s control and provided expert witness testimony to help secure a favorable settlement and recovery of damages resulting from the use of the client’s proprietary information.

Services Employed

Forensic Data Preservation

Forensic imaging of desktop and laptop computers

Forensic collection of online cloud storage and webmail accounts

Forensic Analysis and Reporting

Detailed analysis of user activity and artifacts of data exfiltration

Forensic reports and exhibits used in hearings

Expert witness testimony

Secure Data Remediation

Tracing sources of exfiltrated data and planning remediation protocol agreement

Secure deletion of exfiltrated intellectual property

High-Tech IP Taken by Former Employees

Keeping Source Code Protected from Insider Threats

Problem

Quantlab, a high-tech company in Houston, Texas, invested many years and millions of dollars in developing valuable source code. Three employees abruptly left the company, leaving behind a mole. Six months after leaving, the departing employees started a competing business. Quantlab suspected the former employees took the proprietary code with them to the new company.

Solution

Pathway Forensics was hired to preserve and analyze devices retrieved from multiple sources, including the former employees’ new company and their personal items. Our experts examined more than 125 pieces of evidence, and our analysis proved that Quantlab’s suspicions were merited. We found evidence that the former employees and the mole not only took their employer’s source code, but also took intentional steps to cover their tracks, thus spoliating evidence in an attempt to avoid justice. We provided evidence and expert witness testimony in the evidentiary hearing that led to death penalty sanctions being imposed.

Results

After documenting our findings in more than 300 pages of expert reports, declarations, and affidavits, plus offering expert witness testimony over two days in a federal court trial, Quantlab received a favorable verdict and was awarded more than $40M.

Services Employed

Digital forensics

eDiscovery

Expert witness testimony

Case Studies – Additional Consulting Services

Chemical Company Outsources Ops Improvements

Utilizing external experts to optimize internal skillsets and processes

Problem

A global chemical company wanted to make improvements within its IT Security and Forensics department, focusing specifically on processes and procedures along with staff training. It decided that hiring an outside expert would yield the best results.

Solution

Pathway Forensics was contracted to assist with forensic toolset selection and procurement, hardware recommendations, forensic lab processes and procedures, internal process development for new internal legal cases, documented workflows with training guides, and forensic training of the company’s full-time staff. During the engagement, Pathway also assisted with an internal investigation, collecting data from six custodians at one of the company’s locations in China and performing a routine, high-level investigation. When reviewing the data loss prevention logs, we discovered many alarming log entries indicating exfiltration of confidential, business-critical documents.

Results

The internal team not only has the right tools, resources, and workflows in place, but by observing Pathway’s investigative process, they now have a better understanding of the types of red flags to look for in future investigations. Additionally, they consult Pathway regularly whenever questions arise, getting an immediate answer and continuing to expand their own expertise.