KPMG in the U.S.
David is a director in KPMG’s Forensic Technology Services practice with more than 14 years of computer forensic and network administration experience. He has a strong background and experience in enterprise-wide computer forensic investigations, incident response, electronic discovery collections, and information assurance audits. David has received over 500 hours of training in computer forensics, electronic discovery, incident response, and network security.
David has been responsible for the training of computer examiners around the world in the methodology of cyber investigations, electronic discovery, computer forensics, information assurance audits and the use of Guidance Software’s EnCase Enterprise Software. David has managed over fifty cases, including high-profile matters involving attacks by Eastern European organized crime and hacktivist groups. He has performed forensic analysis on thousands of computers and removable devices in support of corporate, civil, and government investigations. David has performed court-ordered permissive seizures, data extraction, replication, emergency recovery, electronic discovery, forensic analysis, preserving evidence and providing definitive results. David was also a Research Analyst for Guidance Software’s Research and Development Department where he was involved with all areas of research, addressing deployment methods, uses of EnCase Enterprise Edition (EEE), and intrusion detection techniques.
Served as the lead Director for a recent incident at a global on-line retailer. Client experienced its largest breach in company history due to a compromise in VPN and user credentials. The client realized they needed a holistic approach to dealing with the breach, including global digital evidence recovery/analysis, incident response planning, crisis management support, data analytics, and security monitoring. We helped the client identify the point of exfiltration and confirm that over 100 million customer records had been stolen; deploy tens of thousands of security agents across their enterprise to analyze the extent of the breach; digitally preserve over 100 systems located across the US and 5 international countries; engage with the client’s outside counsel to maintain privilege; become central support in the war room as well as a hub for crisis planning/management; provide 24/7 support for the duration of the crisis; work with their security monitoring team to identify and correlate various disparate logs to enhance security monitoring and monitor for attacker activity; and work with the war room team to prepare reports for Board updates, media releases, and ultimately Congress. Also assisted the client with remediation efforts, including developing monitoring and analytical capabilities, implementing an identity access management platform and processes, developing an IR response playbook, determining next-generation authentication options to eliminate passwords, supporting weekly cyber threat intelligence reports and meetings, and re-planning the computer forensics lab and capabilities.
A mid-size commercial bank had acquired a subsidiary. The Client had discovered that there had been a compromise of a server owned by the recently acquired subsidiary. David managed the successful preservation and investigation of the server. The team was able to discover the source of data penetration, activity of the hackers and data accessed.
Was a member of a team assigned to provide information assurance audits for one of the US Military Services. The team scanned a section of the Client’s networks for malware and possible data leaks across over 100 computer workstations, laptops, and/or servers. During the audit we were able to discover multiple sources of data leaks of confidential material residing in non-confidential networks.
Electronic Discovery (eDiscovery)
Served as project manager for an eDiscovery matter involving an industrial manufacturer under investigation by the General Services Administration (GSA). Outside counsel representing Client was an AM LAW 100 firm. The project encompassed the collection, processing, and hosting of electronically stored information (ESI) for over 500 custodians in multiple locations across both the United States and Canada. The ESI consisted of user workstations, laptops, Lotus Notes email, and network shares. Processing included file/email metadata filtering, keyword searching, secondary culling for privileged search terms, and de-duping. David was responsible for creating and orchestrating detailed work plans for the collection, processing, and hosting of ESI.
Served as project manager of a large electronic discovery collection of over 1000 custodians ranging over 100 locations across the United States. The Client was a large insurance company involved in a class action litigation. The collection consisted of user workstations, network shares, and email.
In the matter Citadel Investment Group v. Teza Technologies, KPMG was tasked with completing computer forensic analysis on data from both parties surrounding allegations of “source code” theft from a high-frequency financial trading platform. David managed the project team and successfully analyzed and processed over 9 terabytes of data and shared our results with both parties in accordance with the Court-issued Protocol. KPMG performed extensive analysis of unallocated and slack space to locate deleted information. KPMG advised and worked with both parties to develop processes for the parties to review the recovered unallocated data clusters. KPMG also assisted both parties in their review of data, including the development of privilege logs and production of relevant documents.
Was a lead instructor for Guidance Software’s eDiscovery Training course. David instructed on components of the eDiscovery process including identification, collection, processing, and production. The course focused on the integration of Guidance Software’s eDiscovery Suite during ESI preservation to maximize cost and efficiency. This was an advanced level course. David provided training for this course to numerous Fortune 100 companies and US federal government agencies.
Lead Computer Forensic examiner for plaintiff’s outside counsel in Beyond Systems, Inc. vs. Kraft Foods, Inc. David examined a number of Linux-based email servers used to send out spam email for “click ad revenue”. Through his analysis, David was able to reconstruct the customer database containing over 300 million email addresses used in email spam campaigns.
Managed an investigation proving allegations that a previous owner of a dating service company was accessing his former company’s network and company’s records without authorization. We successfully preserved and analyzed the company’s web server and database server to discover that the previous owner had created a “back door” account. Through analysis of the database and web server logs, we were able to determine the hidden account, dates/times of entry, key IP addresses used by the “back door” account, as well as legitimate user accounts logging in from the same IP addresses.
Was a lead instructor for Guidance Software’s EnCase Enterprise Phase I Training course. This course instructs on the use of EnCase Enterprise to address internal investigations and audits in a manner consistent with recognized standards. This was an intermediate level course. David provided training for this course to numerous Fortune 100 companies, US federal government agencies, and international government agencies.
EnCase Enterprise/Forensic/eDiscovery/Information Assurance Software, Windows 95/NT/2K/XP/2K3/Vista, Linux, Unix, SQL, Exchange, Forensic Toolkit, Nuix, Clearwell, various open source forensic tools.
Prior Testimonial Experience
Beyond Systems, Inc vs. Kraft Foods, Inc (United States District Court For the District of Maryland)
BS, DeVry Long Beach
EnCase Certified Examiner (EnCE); EnCase Certified eDiscovery Practitioner (EnCEP)
GIAC Certified Forensic Analyst (GCFA); GIAC Certified Incident Handler (GCIH) – SD #754225
Forensic Technology Advisory Services
Speaker, GC Symposium Dallas 2014: “Emerging Technologies in the Legal Field”
Judge, Information Technology Competition (Forensic Challenge), Cal Poly Pomona, 2013
Speaker, EnCase Users Forum Chicago 2012: “Enterprise Level Investigations using EnCase Command Center”
Speaker, The Institute of Internal Auditors, San Diego Seminar – Fraud, 2011: “Forensic Technology – Best Practices”
Speaker, Computer and Enterprise Investigations Conference (CEIC), 2008: “Outsourcing your Case – Real World Handling”