Intellectual Property Theft: How to Ensure a Defensible Investigation

Digital forensic investigations involving corporate and private entities come in a wide variety, such as: copyright infringement, theft of personally identifiable information, violation of workplace policies, wrongful termination of employment, network intrusion, wrongful death, divorce and more. Yet, the most prevalent type of investigation the Forensics Services Group handles at D4 is intellectual property (IP) theft perpetrated by an “insider.” The insider is defined as a current or former employee who is taking, or has taken, IP from their employer.

Forensic investigations are typically prompted by company owners, or their attorneys, because they suspect IP has left the building via the actions of a rogue employee. In many instances, however, the clients are not certain that IP was, in fact, taken. Often there’s no proof, no hard evidence, no confession. Just speculation due to a sudden loss of clients, plummeting sales, or the now former employee went to work for a direct competitor, or started their own competing business.

This scenario is understandably cause for concern for those invested in a company’s well-being and the natural instinct is to immediately try and find what might have been taken. However, before you (or anyone) begin poking around in the computers or mobile devices that former employee used, DON’T! This is the worst thing you can do because you could irrevocably destroy evidence.

Electronic Evidence in Intellectual Property Investigations

Considering, any evidence for the investigation in the form of paper will be non-existent, a digital investigation is a must. All of those little electronic 1’s and 0’s, gathered up as many Gigabytes are far easier to cart away in your pocket than a trunk load of printed materials, such as brochures, client lists, pricing lists, charts, diagrams, and whatever else might assist a former employee at his/her new venture.

Well-meaning managers, IT folks, company owners, paralegals, and even the attorneys might be tempted to power on the suspect employee’s computer and/or mobile device and navigate their contents. Some even take it one step further by running file recovery programs in an effort to recover deleted data. All of this is a huge must-not-do!

When there is suspected IP theft at a company, there are digital investigation best practices that should be followed to ensure an efficient and successful process.

3 Tips for Corporations Handling IP Theft Investigations

1. Think of the Suspect Employee’s Devices as a Crime Scene

The first step towards achieving a successful conclusion to an IP theft investigation is to ensure the data and devices of the suspect employee are IMMEDIATELY preserved and NOT ACCESSED by anyone. It’s best to think of the suspect employee’s data and devices as a crime scene, in which no one should tread on or touch.

The reason, every time an untrained individual accesses or—attempts to access—the data on the devices, they most certainly run the risk of unintentional destruction of data, or at best, significant changes to the data that cannot be undone. For example, changes to date and time stamps or inadvertently overwriting what otherwise would have been recoverable deleted data. The “stepped on” data might have otherwise contained the “smoking gun” piece of evidence that would have won a lawsuit.

This same concept goes for mobile devices, and certain precautions need to be taken in order to ensure that no evidence is spoliated before shipping it off to a forensic service provider.

2. Take a Deeper Dive into the Data to Determine a User’s Actions

IP theft investigations are not traditional eDiscovery projects. Rather than simply determining what information the user possesses, or with whom they were communicating, which are the results one would get from traditional eDiscovery processes, forensic examiners take a much deeper dive into the data. Skilled forensics experts analyze the data and interpret the user’s actions, and they do so for as far back in time as necessary.

A proper forensic investigation should provide company owners and/or their attorneys’ answers to some, if not all, of the following questions:

• What process(es) did the user perform in order to get IP data out of the building?
• Did the person use (a) cloud based email account(s)?
• Did the person use a cloud based file-storage account?
• Did the person perform file transfers to a home computer via remote access?
• Did the person burn CD/DVDs?
• Did they use USB flash drives?
• Was the person negotiating salary and benefits with a competitor via email?
• Was the person selling information?
• Did the person perform mass deletions?
• Did the person use a wiping program to cover their tracks?

One will not be able to answer these questions by only using traditional eDiscovery processes. A digital forensic investigation must occur to allow for a thorough review of the many artifacts hiding in various nooks and crannies to help tell the whole story. Forensic examiners search and review live files, unallocated space (where “deleted” data resides), and the Registry, where many tell-tale artifacts live, showing system and program settings, and user preferences and actions.

3. Find the Smoking Gun Using the Proper Computer Forensics Expertise

In summary, allowing untrained persons access to data and devices is not a good idea, nor is it industry best practice. A proper digital forensic investigation is best practice for handling IP theft and will garner much more detail, due to the examiner’s ability to review the difficult-to-access and uncommon places where data resides, and subsequently interpret the data.

For your next IP theft investigation, the forensic examiner should review and analyze active ESI, as well as data located in unallocated space, with special attention paid to the following:

• USB device usage and correlations to file access
• LNK files (shortcut files) and Jump Lists and their correlations to file and network resource access
• CD/DVD burn instances
• Access to cloud based personal email accounts
• Access to cloud based personal file storage
• Remote access with file transfers to home/other computers
• Anti-forensics program usage
• Internet history
• Event logs
• Registry

Having a plan or policy on recognizing threats of IP theft, and how to defensibly prepare for the investigation will make the process much easier in the long run. The first step should always be to preserve the suspect’s workstation and immediately call a digital forensic expert. During this call you can provide details about the case background, your needs and goals, and the devices to be examined. As all cases are different, this detailed discussion will enable the forensic examiner to provide an estimated range of time for project completion.