Preserving Forensic Artifacts Following Incident Detection - Dear Mary – Incidents + Investigations Cybersecurity Advice Column

Troutman Pepper

‘Dear Mary,’ is Troutman Pepper’s Incidents + Investigations team’s advice column. Here, you will find Mary’s answers to questions about anything and everything cyber-related – data breaches, forensic investigations, how to respond to regulators, and much more. ‘Dear Mary’ goes beyond our articles, podcasts, webinars, and other content we produce because here, we respond directly to your questions with concise, practical answers. We promise they will be interesting, informative, and hopefully a little fun.

Drop us a line with any cyber-related question you would like answered – whatever may keep you up at night – and we’ll do our very best to provide a practical, actionable answer. Of course, our answers will be somewhat general in nature and should not be considered legal advice – always consult with an attorney (preferably one of ours!) before acting on anything you read here.

Thank you for reading!


Dear Mary,

One of our employees recently fell victim to a phishing attack, allowing unauthorized access to their email account for a brief period. To be safe, we reset everyone’s passwords and terminated all active sessions. We’re now in the process of hiring a law firm to determine if we need to notify anyone about the incident. It’s taking a little longer to get them engaged, but I’m hoping to have this done soon. In the meantime, is there anything else we should be considering?

– Not Entirely Clueless in Connecticut



July 10, 2024

Dear Not Entirely Clueless,

It sounds like you’re on the right track with containment (i.e., securing your environment) and seeking legal counsel. The law firm will likely recommend hiring a forensic firm to assess the extent of the incident (e.g., whether any data was accessed or taken). In the meantime, one critical step is to make sure your team preserves any relevant logs and artifacts, because the forensic analysis depends on them. Different logs capture different information (for example, when and from where the account was accessed versus which mailbox items were opened) and have different retention periods, some of them short, so halt any rollover or deletion processes now rather than waiting for the engagement to be finalized. With comprehensive logs, the forensic firm can better determine the scope of the compromise, which may reduce the number of notifications required. Without them, you may be left with uncertainty and difficulty deciding whom to notify and on what basis.
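The preservation step described above, as an added example that is not part of the original column: a small script that copies already-exported log files into an evidence folder, makes the copies read-only, records a SHA-256 digest and the original timestamps in a manifest, and can re-verify the copies later so the forensic firm can show they were not altered. It assumes the logs have been exported to files (the mailbox audit and sign-in sample lines are constructed for the demo); it does not by itself stop rollover at the source, which still has to be paused in the logging platform’s retention settings.

```python
"""Added example: preserve exported log files as forensic evidence.

Copies each source file into an evidence directory, makes the copy
read-only, records a SHA-256 digest and the original timestamps in a
manifest, and verifies the copies against the manifest later.
The sample log content below is constructed for the demo.
"""
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Stream the file so large log exports do not have to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def preserve(sources, evidence_dir, collector: str) -> dict:
    """Copy sources into evidence_dir and write manifest.json describing them."""
    evidence_dir = Path(evidence_dir)
    evidence_dir.mkdir(parents=True, exist_ok=True)
    manifest = {
        "collected_at": datetime.now(timezone.utc).isoformat(),
        "collector": collector,
        "items": [],
    }
    for index, src in enumerate(map(Path, sources)):
        # Prefix with an index so two exports with the same basename cannot collide.
        dst = evidence_dir / f"{index:03d}_{src.name}"
        shutil.copy2(src, dst)          # copy2 keeps the original mtime
        os.chmod(dst, 0o444)            # read-only: accidental edits fail loudly
        stat = src.stat()
        manifest["items"].append({
            "name": dst.name,
            "source": str(src),
            "size": stat.st_size,
            "source_mtime": datetime.fromtimestamp(stat.st_mtime, timezone.utc).isoformat(),
            "sha256": sha256_of(dst),
        })
    (evidence_dir / "manifest.json").write_text(json.dumps(manifest, indent=2))
    return manifest


def verify(evidence_dir) -> list:
    """Return the names of items that are missing or no longer match the manifest."""
    evidence_dir = Path(evidence_dir)
    manifest = json.loads((evidence_dir / "manifest.json").read_text())
    bad = []
    for item in manifest["items"]:
        copy = evidence_dir / item["name"]
        if not copy.is_file() or sha256_of(copy) != item["sha256"]:
            bad.append(item["name"])
    return bad


# Constructed sample exports standing in for real mailbox audit and sign-in logs.
SAMPLE_LOGS = {
    "mailbox-audit.csv": "CreationDate,UserId,Operation,ClientIP\n"
                         "2024-07-01T08:12:44Z,user@example.com,MailItemsAccessed,203.0.113.7\n",
    "signin-log.json": '[{"time":"2024-07-01T08:10:02Z","user":"user@example.com","ip":"203.0.113.7"}]\n',
}


def run_demo() -> tuple:
    """Preserve the sample logs, verify them, then tamper with one and verify again."""
    with tempfile.TemporaryDirectory() as tmp:
        export_dir = Path(tmp) / "exports"
        export_dir.mkdir()
        for name, body in SAMPLE_LOGS.items():
            (export_dir / name).write_text(body)
        evidence_dir = Path(tmp) / "evidence"
        preserve(sorted(export_dir.iterdir()), evidence_dir, collector="it-admin")
        clean = verify(evidence_dir)
        tampered = evidence_dir / "000_mailbox-audit.csv"
        os.chmod(tampered, 0o644)      # undo read-only to simulate an edit
        tampered.write_text("CreationDate,UserId,Operation,ClientIP\n")
        return clean, verify(evidence_dir)


if __name__ == "__main__":
    print(run_demo())   # ([], ['000_mailbox-audit.csv'])
```

Run it once per export batch and keep the manifest alongside the copies; the collector name and collection time in the manifest are the start of the chain-of-custody record the forensic firm will ask for.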
