Digital Forensics Incident Response (DFIR)

CASE STUDY

DFIR Case Study for Breach of Client Information

Tags
Digital Forensics, Incident Response, DFIR, Breach, Accounting Firm
Data Breach of Client Information

Background

The corporate counsel for an accounting firm contacted Maryman to assist with a live breach incident. They had been contacted by the local sheriff’s office, who received word through a task force that some of the clients of the firm had their tax returns fraudulently filed. While law enforcement was being brought in, corporate counsel engaged the Maryman firm to proceed with independent analysis.

Scope

The Maryman team was engaged to perform the preservation of the accounting servers, systems, and log files; investigate how the environment was breached; and determine the full list of affected individuals.

Preservation

Working alongside law enforcement, the Maryman team proceeded to triage and preserve all systems, servers, workstations, and email systems within the organization.

Analysis and Findings

Working alongside the IT staff of the firm, we quickly discovered that the environment's Virtual Private Network (VPN) had been accessed by an unauthorized individual using stolen credentials. We followed those credentials from the VPN into the accounting systems and applications, establishing a narrow window during which the compromise occurred. We determined that the attackers exfiltrated the individuals' filed tax returns through the accounting application's print-to-PDF capability, and fortunately the accounting system kept very detailed activity logs for each individual user account.

A triage of the other systems within the organization revealed that no other systems had been breached. The attack was isolated to the VPN and the accounting server.

Next Steps

We drafted our forensic report, which was provided to law enforcement for further investigation into the attack group that executed the breach.

Outcomes

The client had over 20,000 individuals that could have been impacted by the attack. However, careful timeline analysis and log examination were able to reduce the list of affected individuals to about 150, which is less than 1% of all records! A breach notification to all 20,000 would have been catastrophic to the client in terms of reputation, regulatory fines, and litigation costs. Reducing the set enabled the client to control the narrative for the breach, reduce the cost of notifications and remediation, and limit the impact of the breach on individual confidence in the firm.
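Added example, not Maryman's code or tooling: a Python sketch of the scoping step described above, which pairs the compromised account's VPN sessions from the unauthorized source with the accounting application's per-user activity log and lists only the clients whose returns were exported during those sessions. The log formats, the account name, the IP addresses and the PRINT_PDF action label are constructed placeholders, not values from the case.

```python
from datetime import datetime

# Constructed sample logs (not from the case). Timestamps are UTC.
# VPN log: <time> <LOGIN|LOGOUT> <account> <source ip>
VPN_LOG = """\
2023-03-01T08:55:10 LOGIN jdoe 198.51.100.7
2023-03-01T09:02:41 LOGIN ksmith 203.0.113.44
2023-03-01T09:41:03 LOGOUT ksmith 203.0.113.44
2023-03-01T13:10:00 LOGIN ksmith 198.51.100.9
2023-03-01T17:00:12 LOGOUT ksmith 198.51.100.9
2023-03-01T17:30:00 LOGOUT jdoe 198.51.100.7
"""
# Accounting activity log: <time> <account> <action> <client id>
ACCT_LOG = """\
2023-03-01T08:58:00 jdoe VIEW_RETURN C-1001
2023-03-01T09:05:12 ksmith VIEW_RETURN C-1002
2023-03-01T09:06:30 ksmith PRINT_PDF C-1002
2023-03-01T09:20:45 ksmith PRINT_PDF C-1003
2023-03-01T09:35:00 ksmith VIEW_RETURN C-1004
2023-03-01T13:15:00 ksmith PRINT_PDF C-1005
2023-03-01T14:00:00 jdoe PRINT_PDF C-1006
"""

def ts(s):
    return datetime.fromisoformat(s)

def attacker_sessions(vpn_log, account, bad_ips):
    """Pair LOGIN/LOGOUT events for `account` coming from the source IPs the
    investigation flagged as unauthorized into (start, end) windows.
    A LOGIN with no matching LOGOUT is treated as still open."""
    windows, open_start = [], None
    for line in vpn_log.splitlines():
        t, event, user, ip = line.split()
        if user != account or ip not in bad_ips:
            continue
        if event == "LOGIN":
            open_start = ts(t)
        elif event == "LOGOUT" and open_start is not None:
            windows.append((open_start, ts(t)))
            open_start = None
    if open_start is not None:
        windows.append((open_start, datetime.max))
    return windows

def affected_clients(acct_log, account, windows, exfil_action="PRINT_PDF"):
    """Clients whose returns `account` exported inside an attacker window.
    Views without an export, and exports from legitimate sessions, are excluded."""
    hit = set()
    for line in acct_log.splitlines():
        t, user, action, client = line.split()
        if user == account and action == exfil_action and any(a <= ts(t) <= b for a, b in windows):
            hit.add(client)
    return hit

def all_clients(acct_log):
    """Every client touched in the log: the notification set without scoping."""
    return {line.split()[3] for line in acct_log.splitlines()}

if __name__ == "__main__":
    win = attacker_sessions(VPN_LOG, "ksmith", {"203.0.113.44"})
    hit = affected_clients(ACCT_LOG, "ksmith", win)
    print(f"{len(hit)} of {len(all_clients(ACCT_LOG))} clients affected: {sorted(hit)}")
```

On the constructed data, scoping reduces the notification set from six clients to the two whose returns were exported during the unauthorized session.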