In this month’s Vestige View Blog series, we are going to be focusing on one specific type of matter that we seem to always work – IP Theft / Non-Compete matters. Join us this week as we explore the benefits of examining the devices of the victim organization and just what can be gleaned from those – even though the actual evidence stolen is no longer in the victim’s possession.
Having been around technology for the better part of 30 years, I recognize I have an unfair advantage, however, I am often surprised by the fact that clients are often surprised that even when the stolen information in an IP Theft matter is no longer in their possession, that evidence remains on the client’s own devices that can be used to show what happened. When I mention this fact to potential clients I often get the response “you mean that even if I don’t have the flash drive that the person took with them – you can still tell what they took?” In short, the answer is it depends – but having worked quite literally thousands of cases, it never ceases to amaze me just how much evidence gets left behind on a computer of the activity that occurred as someone was heading out-the-door with your prized Intellectual Property (“IP”).
At the end of the day, what most clients want to know is whether their Intellectual Property was actually taken and if so, was it used and how. To affirmatively answer that question, it stands to reason that what we really want to examine is the location where the IP landed – right? In most cases this is easier said than done, as no judge, magistrate or other fact-finder is going to provide carte blanche access to the suspect’s electronic devices simply because you believe the employee data theft occurred and ask for that access. This kind of request gets even harder when the devices that you seek are those of a competitor. So what are you to do about the employee theft of data?
A Strategy Emerges
While the goal of an IP Theft / Non-compete forensic examination may be to eventually gain access to those devices used by the suspect or the competing company, we’re going to need to get there in multiple stages, as we know it’s unlikely we’ll get immediate access to that evidence—yet, all is not lost! A Digital Forensic examination of the devices that were used by the suspect at the victim organization can and often does lead to indisputable evidence that the alleged intellectual property theft has occurred.
The goal, therefore, of this initial phase in an Intellectual Property Theft / Non-Compete matter is simply to establish that there is a high likelihood that the theft actually did occur. Once the activity is examined and a case made to show exactly what occurred, getting the fact-finder to authorize further inspection becomes commonplace.
What isn’t as obvious, however, is just how many of these matters of intellectual property theft actually are proven with doing nothing more. Many times the evidence is just so overwhelming and indisputable that the client has everything they need to resolve the issue. Let’s look at some of that evidence.
The Suspect’s Work Devices
There’s a finite number of ways that someone with access to IP can take that information with them. E-mail, FTP, pod-slurping, copying to external media such as USB drives and flash media are the most common.
It used to be that the suspect would use the organization’s own e-mail system to send the data out-the-door. While that is an infrequent occurrence (yes it still happens from time-to-time), focus on the “monitoring clauses” of the organization’s Acceptable Use Policies along with several published reports on what is tracked by most IT departments, has the typical bad-guy looking for alternate means. Usually this results in switching tactics to using on-line e-mail systems such as Yahoo!, GMail and the like; which means that corporate IT isn’t going to find this kind of evidence by reviewing the organization’s e-mail system. And even if the suspect did use the corporate e-mail system, it is unlikely that they left the e-mail in their mailboxes and instead turned to the delete key for what they hope to be a clean getaway for intellectual property theft.
Of course, today it is commonplace for suspects to know that deleted information can be retrieved. However, what seems to elude these same individuals is exactly how much their interaction with the devices is, at some level, recorded. While it’s not like watching a surveillance camera of everything that occurred, to a trained forensic analyst, piecing together the activity can provide some incredible evidence to the scope of the theft, possible motivations or even where the data may be being sent. So, while it is possible for us to recover deleted content and is a regular part of our cases, the more interesting part of a Digital Forensic Analyst’s job comes from tracking those digital footprints that bad guys are so good about leaving behind.
What Can We Garner?
Intuitively you probably realize that every interaction you have with the device is recorded in some fashion. Take for example the simple action of inserting a new flash drive into the USB port of a laptop running Microsoft Windows. We’re all familiar with it…a slight delay, an audible tone and a message in the System Tray indicating that the drive is now ready for use. It’s what’s going on behind-the-scenes that is really so interesting. During that fraction of a minute between the time that you insert the device and it is made available, the Windows Operating System is busy taking down all kinds of details about that device and tucking it away for later use. These activities weren’t put in place to help out Digital Forensic Analysts. Instead, they were put there to make the overall user experience better. Returning to that ever-familiar insertion of a new flash drive, the entire “registration” process takes place specifically so that when that device is attached to this laptop in the future, settings will be remembered and applied. Additionally, the laptop will make the device available much faster – since it already has information that it needs. What’s interesting is that the Operating System and File System tuck away literally thousands of these kinds of digital footprints, all of which are available to the Forensic Expert.
Using these kinds of digital footprints (we call them Artifacts), Vestige is often able to provide:
- Dates and times when external devices (such as external hard-drives, USB flash drives, iPod/iPhones and other smartmedia) have been attached,
- The make, model and sometimes serial number of devices that have been attached,
- The names of files that have been viewed on any external media and sometimes even information about the file such as filesize and dates (creation, modified, etc.),
- Names of files and folder that have been copied to the devices,
- Other networks that this device has been attached to (physical, WiFi, or even cellular),
- Names of other computers, devices and servers that this device has come into contact with,
- Other devices that may be of interest to examine,
- Evidence of data that has been exfiltrated via FTP, Cloud storage or other on-line repository,
- Data that has been e-mailed – even if it’s been deleted and even if it’s been sent through an online e-mail system such as Yahoo!, GMail or the like,
- What, specifically, was occurring on the system throughout the questionable timeframes (there’s a lot of temporal data gathered by the Operating System that can provide an amazing level of detail into the chronological activities of the suspect),
- Software and utilities that have been installed or removed, along with dates and times of that activity,
- Internet activity, including the results of Internet searches,
- Cover-up activities, including: hiding, obfuscation, deletion and wiping activities. Incidentally, these are often excellent clues as to exactly what the suspect deemed suspicious and important,
- Evidence of the existence of certain types of data, even if the data itself has been wiped and is not retrievable, and
- Much, much more…
What Should you Do When Faced with a Potential IP Theft
There’s almost a universal belief that this kind of case isn’t going to see the light of a courtroom and that once the evidence is presented the suspect will roll over. And while that is true for the vast majority of cases, we never know which ones are going to settle and which ones are going to proceed. Therefore, it is imperative that the Electronic Evidence be preserved in a fashion that ensures its admissibility in court, should it be needed.
Fortunately, this is an accepted practice that is relatively easy and economical. In fact, it is so straight-forward and is such a rock-solid approach, that for nearly a decade now, Vestige has recommended that whenever an organization is faced with the potential of an IP Theft/Non-Compete matter, that as a standard procedure, the devices that the individual used when employed are proactively preserved–even if you don’t suspect any wrong-doing initially. Putting that into practice, any time an Executive, VP, Director, Manager or individual with access to sensitive data such as Sales & Marketing, Research and Development, Engineering, Product Development, etc., leaves, their devices should be preserved. In essence, it’s like an insurance product.
Preservation, being low-cost, quick and relatively unobtrusive gives a tremendous amount of flexibility moving forward. Once preserved, the data can be “shelved” just to see if anything develops. For example, the Director of R&D resigns – you preserve his devices. That evidence is held for some time (say 6 months or 1 year) and during that time you learn that the individual has gone to work for a competitor—now you have the devices in a pristine state, exactly the way that the individual left them when she resigned. On the other hand, if in that timeframe no suspicion ever materializes, then no harm done…you’ve spent a few dollars to preserve your rights. Like I said, a pretty inexpensive insurance policy.
Incidentally, this is something that internal resources can do – if done correctly. (If interested in setting up a program like this at your company, either internally or using an outside provider—even if it’s not us, feel free to reach out to us, as we assist in this manner as well).
Traps to Avoid
I know…the CEO just came into your office and informed you that your top sales person just left to go to another firm and there’s a mountain of evidence that he took your client lists, proprietary design documents, pricing lists and more. The CEO posits that there’s probably all kinds of evidence on his computer (good for your CEO – he’s a smart guy) and the next thing you know you’re having a partially coherent discussion with the organization’s IT Department. 10 minutes later, they’re off to the races rummaging around the system looking for more evidence to throw onto the ever-mounting pile against this sales person.
Here’s the rub. If you fail to preserve the evidence and establish some kind of Chain of Custody, even if you do find the evidence, it may end up being inadmissible. Worse yet, IT probably hasn’t done anything to protect themselves and the organization from allegations that the exact evidence that you’d like to use against the sales person was planted by the victim organization – after all, you’ve had it in for this guy for a long time now—at least that’s what the allegations will be.
Altering the Evidence
But there’s more. And it’s more subtle than the admissibility issue. Even with the best of intentions, the organization’s own investigation may end up inadvertently tampering with the exact evidence that could prove your matter. Every action that is taken during the organization’s internal investigation is recorded and is in some way altering the data on the suspect’s devices. Electronic devices are typically very good at keeping track of the “last” time something occurred, but sometimes nothing more than that. What you don’t want is for the smoking gun evidence to be the second-to-last thing that occurred, right before the activities in your own investigation became the “last thing” that happened. And believe me, this happens more times than you can imagine. In fact, it is the single most significant reason why we, as Digital Forensic Experts, may not be able to prove something in a specific case. If you’re bent on having the organization conduct the analysis, do yourself a favor – make sure it is adequately preserved prior to investigating.
To understand the difference between what Digital Forensic Experts do and what most organization’s IT professionals do, I think it’s informative to understand the role that each plays. We Digital Forensic Experts play in the deep recesses of the Operating System and File System, looking for, examining, hypothesizing and testing the minute details of what gets recorded or left behind when this action is taken or that action is taken. Successful Digital Forensic Experts have backgrounds in software and hardware, software development and networking – but we approach it from a completely different angle than the traditionalists in those areas. Details that are generally set aside by most IT professionals are precisely what is important to us.
On the flip-side, the role of most IT professionals is to keep the systems running and to find ways of preventing users from having to deal with the intricate details.
This isn’t a bad thing…it’s just a different way of looking at life. An analogy that I often use to demonstrate this dichotomy is the example of a medical doctor (MD) and a coroner. Both go to medical school, take the same classes, have the same labs and pass the same examinations. At some point in time, though, the training drastically changes. And, you wouldn’t want to consult with the coroner on that achy-back you’ve had and the family doctor isn’t going to have much to say about an autopsy. In some sense, that’s the difference between what we as Digital Forensic Experts do in comparison to traditional IT professionals.
So what? Well, here’s the importance in that. There are quite literally tens (if not hundreds) of thousands of artifacts on these devices. It is a 24x7x365 job keeping up with those, understanding them, knowing how to properly interpret those and recognizing their value within an investigation. If you’re only seeing a couple dozen forensic cases each year it’s hard to maintain that level of vigilance to ensure that you’re not missing something.
I can’t count the number of times that we have been engaged after an organization’s own internal investigation to “verify their findings” where data has been missed or misinterpreted. What’s very costly for clients is when entire cases are based upon the initial investigation and then in the eleventh hour it comes unraveled because an artifact was missed or wrongly interpreted.
Recognizing that there is a wide range of artifacts and data that get left behind on systems – even when the data (or equipment) itself is no longer in your possession – ought to open up a world of possibilities for your next potential case of this sort.
Finally, while I’m cognizant that this is somewhat self-serving, if I can leave you with two thoughts on making this happen, the first is “preserve early and often” – even if that’s something you end up doing internally. Just make sure it’s done and done correctly. It’s a very low-cost insurance policy that will provide a return on investment the very first time you avoid all of the additional legal expenses of getting evidence admitted that you could end up facing.
Secondly, really consider the ramifications of the do-it-yourself approach. Make sure the individuals that you choose know the proper protocols, understand the relevant artifacts, have the proper tools, training and techniques. Consider how they will handle testimony and whether they want to be involved in that aspect of it. But if you do decide to go in-house with it, by all means please give them the budget and support to set them up for success.
By Damon S. Hacker, MBA, CCE, CISA,
President & CEO at Vestige Digital Investigations