Welcome to McCann Investigations. Your choice for investigators today.

Safeguarding customers’ confidential information is important to any business, but it is especially important for companies that collect and store non-public customer financial information. There are regulations and compliance issues regarding your organization’s information and every year, security systems become more complex. Uncovering and addressing IT security issues before an incident occurs can be vital.

McCann Investigations offers a comprehensive suite of services that guarantees your organization an improved Intranet AND internet network security environment. Starting with the assessment phase, we will help you identify vulnerabilities in your network and provide you with an action plan to address them. Once the assessment phase is complete, we can help validate your remediation efforts by performing external and internal penetration testing. To ensure that your security efforts maintain a positive direction, we also offer security awareness training so that your users can do their part to ensure the security of your information assets. All of McCann Investigations services can be utilized in your regulatory compliance with:

  • The Sarbanes-Oxl Act, Section 404
  • Payment Card Industry Data Security Standard (PCI DSS)
  • The Gramm-Leach Bililey Act (GLBA)
  • The Health Insurance Portability and Accountability Act (HIPAA)

At McCann Investigations, we make a detailed, comprehensive evaluation of your IT security and network security while identifying issues requiring your attention and suggesting solutions that empower you to take positive action. We’ll show you how implementing these solutions can help ensure the confidentiality, integrity, and availability of your information assets and ensure peace of mind for your employees, management, and board of directors. We provide a wide range of services, including:


  • Comprehensive Security Assessments
  • Internal and External Network Network Breach Assessments
  • Social Engineering Testing
  • Internal Controls Assessments
  • Policy Review
  • Risk Assessment Facilitation
  • Security Awareness Training
  • Business Continuity and Disaster Recovery Planning

Once complete, you’ll receive a written report that identifies all vulnerabilities in your network security and offers practical solutions that can be implemented within your organization. We’ll also help you prioritize those solutions, giving you a step-by-step process through which you can reach your IT security goals. Other benefits include:


  • Assessments that touch all aspects of your operation, incorporating physical, administrative, and technical components of your IT security processes.
  • Utilization of up-to-date vulnerability databases
  • Experience in a wide range of clients and industries

Let the professionals at McCann Investigations help you resolve the issues that can affect your IT security systems and processes.


IT Security Assessments

Timely identification and remediation of network vulnerabilities is something every organization needs done before hackers or disgruntled insiders exploit the weaknesses. The process of identifying vulnerabilities, evaluating the risk, remediation, and reporting for IT security is called vulnerability management. By using a formal vulnerability management process, organizations are able to more efficiently find and fix security vulnerabilities within their network, improving network security.

Our experts test for network security weaknesses while providing suggestions for improvement. Testing allows client management to be confident knowing what vulnerabilities may exist and provide the opportunity to develop a plan to address any issues.

Certified security professionals are proficient in network security techniques and system exploits with knowledge on multiple network platforms. You receive written descriptions of each vulnerability identified with specific backgrounds, consequences, and remediation instructions. These are further analyzed and reported with prioritization and understandable suggestions.

Internal Network Security Breach Assessments: IVA

The Internal Network Security Breach Assessment can be performed in conjunction with the External Test and includes an in-depth analysis of the customer’s internal network security. It is estimated that approximately 80% of security breaches occur from inside the internal network. This Network Security Breach Assessment will analyze the risks to internal devices and suggest specific hardening techniques to resolve any concerns that are identified.


External Network Security Breach Assessments: EVA

Vulnerabilities that may exist between a customer’s external network and the Internet. This service simulates various electronic attack methods that could be launched against an Internet access point.

Wireless Network Security Assessment: WNA

Wireless technologies do not have the physical access restrictions used in traditional wired environments. They make it possible for someone in the lobby, the parking lot, or across the street to have access to a network carrying sensitive financial or corporate data, personnel or customer information, competitive data, or trade secrets. Our assessment will help you to identify insecure wireless implementations that put your organization at risk. MGI utilizes wireless equipment and tools to locate and assess wireless networks and rogue access points. We will review policies and procedures, architecture, configuration, and monitoring procedures for alignment with industry best practices.

  • Discovery of all wireless access points and clients–MGI performs a site survey to discover all existing wireless access points and clients. MGI will also note any external wireless network whose signal range enters your premises. Optionally, MGI can map all access points to a floor plan, if available.
  • Validation of wireless network perimeter–One of the reasons wireless security is so complex is wireless networks are not limited to the physical boundaries of your buildings. Using directional antennas, MGI maps the actual perimeter of your network that is vulnerable to war drivers. We also provide advice on how to limit unnecessary exposure to the outside world.
  • Vulnerability and penetration testing of access points– Using a variety of tools, MGI will sniff and capture ongoing wireless traffic and attempt to compromise the utilized encryption and break into wireless access points and clients.
  • Configuration review of access points and wireless clients– MGI will review the configuration of wireless devices. We validate the configuration by comparing it against a random sampling of access points and clients to check that deployments are consistent with these guidelines.


Penetration Testing

Penetration testing is a method of probing and identifying security vulnerabilities in your network and the extent to which they could be exploited by a hacker. These tests are typically performed using automated tools that look for specific weaknesses, technical flaws, or vulnerabilities to exploit. The results are presented to the system owner with an assessment of their risk to the networked environment and a remediation plan highlighting the steps needed to eliminate the exposures.

Vulnerability management and penetration testing work hand in hand to close any potential openings available to corporate attackers. Together, vulnerability management and penetration testing enhance security and lessen the probability that the criminals could penetrate your systems.

We perform these tests using an evolving process that includes cutting-edge tools, mimicking the activity of a determined hacker.  Instead of a “canned” approach to testing, we tailor our procedures according to your specific needs and concerns, helping to increase the cost-effectiveness of this service.  The depth of the penetration testing can be established at your discretion – from basic attempts of unauthorized access and web-site defacement to full-scale denial-of-service.

Each penetration test includes a detailed report of any identified vulnerability, classified by the likelihood it could be exploited and by the impact that it might have on the company’s network.  The data from these periodic Network Breach Assessments and/or penetration tests could be compiled throughout the year and presented in consolidated format in an annual report.

Please note that the Network Breach Assessment is more thorough than the Penetration Test, as it considers a wide array of internal components.  It may be advantageous to perform Penetration Testing subsequent to addressing issues identified during a Network Breach Assessment.


Social Engineering Testing

The human element of your company’s security may be tested, along with your fixed information systems.  These tests are tailored to your objectives and highly customized to fit your situation.

The weakest link in any security program is an organization’s people; attackers take advantage of this weakness through social engineering. Social engineering is a term that describes the non-technical intrusion into an organization that relies on human interaction, often involving tricking people in order to break normal security policies. Similar to traditional “con games” where one person is duped because they are naturally trusting, attackers will use any technique to gain unauthorized information. Social engineering techniques include everything from phone calls with urgent requests to people with administrative privileges to trojans lurking behind email messages that attempt to lure the user into opening the attachments.  MGI will attempt to by-pass the people who enforce your security through a variety of means, such as the following:

  • External Social Engineering – MGI will perform Social Engineering phone calls to individuals within the organization. Targets will include individuals from the help desk, IT department, human resources, finance, and other departments within the organization. The objective of these calls will be to induce the users to divulge sensitive information over the phone in violation of company policy.
  • Targeted Email “Phishing” Attacks – Emails will be sent to individuals and groups within the organization in order to attempt to entice the user to click on an external link that will either attempt to gather sensitive information or deliver a malicious payload onto their desktop system which could include browser and operating system buffer overflows, Trojan horses, and keystroke loggers.
  • Malicious Portable Media – USB Flash drives and CD-ROM drives with enticing labels such as “Salary” will be left in public areas such as hallways, restrooms, and break rooms. The media will contain simulated malicious code that will attempt to grab sensitive host information such as the network configuration, list of running processes, and a password hash dump.
  • Sensitive Document Disposal Audit – “Dumpster Diving” – MGI will search internal trash receptacles and external dumpster and disposal areas for sensitive documents or storage media that is disposed of in violation of company policy.


Digital forensic reports can be produced for investigative purposes, separately from reports designed for litigation or electronic discovery. Oftentimes, McCann Investigators report on facts for internal review and investigation. Who used this laptop and for what purpose? Who hacked the server? Was the hacker based inside our organization or did the attack come from outside the network? Our reports for internal use contain clear reporting with answers, can highlight important details that might otherwise be overlooked, and can use IT forensics to pinpoint security flaws in your network.

Data can be destroyed in an attempt to cover up a crime or to cover traces when someone does not want you to follow the digital footprint. People can attempt to destroy the physical drives by deleting the data and physically damaging the drives by dropping them, burning them, putting them in water, or exposing them to magnets.

Data recovery involves many different methods to recover data from a drive. Data recovery methods can recover deleted data from drives as well as recover data from drives that have been damaged. Data can be recovered from many different drives, including computer hard drives, usb keys, cell phones, and even copy machines.

Computer forensic data recovery  (when someone has intentionally made recovery difficult) is not something that the novice IT professional should attempt. When the data needing to be electronically discovered is relevant to a criminal or civil matter, it is important that a certified computer forensic professional who is certified in expert data recovery handles the computer forensic recovery process. You do not want your information to be unusable in court.

Cases handled by McCann Investigators have included:

  • Recovery of financial information on a drive smashed by a blunt object
  • Recovery of client files on a drive that was accidentally thrown into a pool
  • Recovery of Auto CAD files on a drive that was exposed to heat, smoke, and water

McCann Investigations can help you with your data recovery, electronic discovery, and computer forensic needs. Contact us today!

An expert witness is a very powerful source of evidence in court. Reports on data electronically discovered by computer forensics methods are important because they provide strong evidence in court documents and in overall analysis in an active lawsuit or settlement. An expert witness can present the digital forensic facts of a case and detail how the conclusions were reached. A professional report will provide essential evidence to support your side in litigation or in discussions surrounding difficult issues. Depositions often times become a “he said, she said” contest, in which the judge may discount the deposed parties, negating the often important facts disclosed in the deposition. In our experience, documented forensic facts will hold more weight than testimony alone, and an expert witness with properly obtained evidence is an undeniably powerful tool in the courtroom.

Once a computer forensics investigation is complete, the next step is to prepare the findings for presentation in court. Our expert witnesses will testify as to the accuracy of the data, the methods used to acquire it, and how it impacts the case. Our expert witnesses have testified at hundreds of trials and have the necessary poise and expertise to handle intense cross-examinations and scrutiny from the bench. We prepare you to ask the right questions, and our experts will deliver the answers you need to win your case.

Once a McCann Investigator has obtained a forensically sound image of the device and the data has been culled, the next step in the process is analysis.

Computer forensic analysis begins with our Enterprise Review System. Our Enterprise Review System is designed to facilitate an intuitive and efficient review for projects of any size. Our clean, web-based user interface and highly scalable, enterprise-grade technology platform allows users to:

  • Be up and running within minutes – with no plug-ins and minimal training
  • Focus on documents rather than complex functionality
  • Review files in TIFF, native, and PDF
  • Search with powerful full-text and keyword functionality
  • Customize tagging for content capture, analysis and workflows
  • Rapidly reduce ESI volume through advanced culling filters directly on Enterprise Review System
  • Search and manage files in any language with Unicode and foreign language support
  • Create production sets for litigation, audits and investigations in multiple formats

After a McCann technician acquires a digital forensic image of the device in question for computer forensic purposes, the next step is culling. McCann experts will determine what types of files—documents, images, etc—can be recovered from the data. We gather information from email servers and their mailboxes, file servers, home directories, and shared folders, as well as data pertaining to the type and location of data, electronic storage policies, and back-up procedures. Aside from the content of the device, our specialists also extract metadata that identifies the file’s creator. This includes when it was modified and when it was sent.

After the computer forensic images have been culled and the non-essential program files, duplicates, and other non-essential data discarded, the relevant digital forensic information is uploaded into the MCCANN e-Discovery program, which is a very in-depth and forensically sound resource. The client, other counsel that may get involved, and professional researchers can then use the same recovered data for analysis.
Attack Identification
Data Breach Analysis
At McCann, we specialize in finding hidden and encrypted documents using thorough investigative techniques that adhere to state and Federal regulations for civil and criminal cases. We have a solid understanding of Macintosh, Windows, and Linux operating systems, and we use our expertise to examine all networks, hard drives, and backup drives, protecting all hardware, software, and data from being compromised during the search.

Data imaging is focused on recovering “non-spoiled” evidence for the purpose of support in negotiation, internal investigation, civil court, or in a criminal court. A critical step in a professional e-investigation is imaging, or creating an exact replica of the device and data being considered as digital forensic evidence. This is similar to how a physical crime scene would be photographed to collect evidence and leads. The experts at McCann use well-respected technology, such as EnCase, and standards to ensure that any evidence found will be permissible in a trial situation.
Once the data is obtained, it is duplicated using a write blocking device and our hard drive duplicator, and then software imaging tools like EnCase, FTK Imager or FDAS step in. The media is then verified by the SHA or MD5 hash functions. Imaging Procedure will vary depending on if device is powered on or off, scenario, scope of case, imaging for “us” or opposing side, operating system, time constraints, directives in court order, etc. Imaging of data have some similar steps. These include starting the chain of custody; recording type, brand, model, serial number of device and storage media inside device; photographing devices and storage media inside devices; verifying accuracy of date and time of device; and verifying information collected. Each type of ESI source, such as laptops, desktops, servers, hosted drives, mobile phones, and smart phones all have unique steps in the imaging process.
The laptop imaging process creates a forensically sound bit-by-bit copy of the drive to a set of digital forensic image files that contain drive checksum values throughout the forensic image as well as MD5 and SHA1 hash values for the drive image. The forensic image is verified and compared against original hash value, checked for errors and loaded to check for partitions, file systems, and encryption. The internal calendar and clock of the laptop are noted, and the drive is re-installed back into the laptop.
The desktop imaging process creates a forensically sound bit by bit copy of the drive to a set of digital forensic images. The number and type of storage devices in the desktop is determined. The hard drive(s) is/are removed from the desktop, and the type, brand, model, serial number of the drive(s) is/are recorded and photographed. The drive is then hooked up to a high-speed forensic imaging device which determines existence of any hidden areas of hard dive such as DCO or HPA and creates a forensically sound bit-by-bit copy of the drive to a set of digital forensic image files that contain drive checksum values throughout the forensic image as well as MD5 and SHA1 hash values for the drive image. The digital forensic image is verified and compared against original hash value, checked for errors and loaded to check for partitions, file systems and encryption. The internal calendar and clock of the desktop are noted and the drive is re-installed back into the desktop.
The server hard drive imaging process creates a forensically sound bit by bit copy of the drive to a set of digital forensic images. The RAID type and configuration is determined with the number and type of storage devices in the server. The hard drives are removed from the server one-at-a-time, and the position, type, brand, model, serial number of each drive is recorded and photographed. One-at-a-time, the drives are then hooked up to a high-speed computer forensic imaging device and a forensically sound bit-by-bit copy of each drive is created to a set of digital forensic image files that contain drive checksum values throughout the forensic image as well as MD5 and SHA1 hash values for the drive image. The digital forensic images are verified and compared against original hash value, checked for errors and loaded (virtually rebuilding RAID configurations in the forensic software where necessary) to check for partitions, file systems and encryption. The internal calendar and clock of the server are noted and the drives are re-installed back into the server.
Hosted drives:
The hosted drive imaging process creates a forensically sound bit by bit copy of the drive to a set of digital forensic images. Determine type of hosting, hosting environment, server hardware, version of client and server host and operating system. The most accurate and efficient method of access is determined depending on hosting environment. Forensic imaging software is run from hosting account with proper permissions and access for scope of imaging. Forensic imaging software is run on requested data to create a forensically sound copy of the requested files and data with necessary hash values. The digital forensic images are verified and compared against original hash values, checked for errors. Appropriate chain of custody is started for the collected data.
Flash drives or other small medium:
If storage device is being removed from camera, phone or other device) and photograph. The type of storage media is determined. The media is removed from the device if necessary, and the type, brand, model, serial number of the media is recorded and photographed. The media is then hooked up to an appropriate hardware write-blocker (via adapter or reader if necessary). Forensic imaging software is run to create a forensically sound bit-by-bit copy of the media to a set of forensic image files that contain checksum values throughout the forensic image as well as MD5 and SHA1 hash values for the image of the media. The forensic image is verified and compared against original hash value, checked for errors and loaded to check for partitions, file systems and encryption. The internal calendar and clock of the device are noted and the media is re-installed back into the device if necessary.
Mobile and Smart phones:
The mobile imaging process creates a forensically sound bit by bit copy of the drive to a set of forensic images. The phone is examined for existence of internal storage, flash storage and SIM card. If SIM card exists, it is removed and cloned with the exception of provider network information to prevent connection to the provider network which keeps phone secure and prevents remote wiping and prevents incoming calls, messages, voice mail, etc. which could overwrite deleted information on the device. Flash storage devices are removed and imaged according to “Flash drive and small medium” procedure. If the phone does not have a SIM card, it is then placed inside a faraway container which prevents wireless signals from reaching the phone. The phone is then hooked up to a mobile phone forensic imaging device using appropriate cable or connection method. The phone is imaged in 1 or more ways depending on supported access methods which may include direct access, software query, file system dump or physical image. The images are verified and compared against original hash values, checked for errors and loaded to verify data.
Atypical scenarios can include “hostile imaging” (not dissimilar from some of the issues encountered at Noble), physical access issues (such as security or not having proper authorization to areas of hardware needing to be imaged), encryption, employees finding out about imaging and “forgetting” company laptop at home that day, unexpected drive types or sizes requiring specialized hardware or software for imaging, slow or older hardware that can significantly increase imaging time, missing hardware, failing drives or media, court orders or other agreements preventing looking at or verifying collected data that is later found out to be invalid, encrypted, wrong custodian, etc. after access is granted, last minute changes that change the scope or hardware needed for imaging process. Start chain of custody on laptop.