With the highly competitive nature of companies today, coupled with almost constant movement of the workforce, there may come a time in the near future when your company, or an employee of your company, is accused of stealing intellectual property from your opponent. In those IP theft cases, it is important to preserve and possibly forensically analyze your devices to learn what happened so that you can best protect your interests and, if need be, the interests of your employees.
The first step in this computer forensics analysis, as always, is to get your hands around the data, secure it and preserve it properly. It is a challenge to get the proper information as you are, in effect, questioning one of your own employees. However, while you may later fight over whether the data is a confidential trade secret or not, the important thing is to understand on what devices the data resides and preserve those devices. You might be dealing with the employee’s computer, network folders to which he had access and his mailbox. More importantly, though, you want to understand what CD/DVDs, USB drives (be they thumb drives or portable hard drives) and cloud storage accounts such as Dropbox were used.
Why capture this data? Sometimes employees, despite being told over and over not to delete things, decide to take matters into their own hands and think that they can outsmart the forensicator by downloading some applications that claim to clean up their tracks. The problem is that they are wrong. Those applications leave behind plenty of traces as to what they did, when they did it and more. Of course, finding evidence of a cover-up or spoliation of data is often as bad as or worse than stealing the actual data.
Once you have the data captured, the next question is what to do with it. Do you want to have it independently analyzed by your own computer forensics expert? Do you want to let it be analyzed by the opposing party’s expert? Those two questions are really based on what legal strategy you and your counsel wish to pursue. However, I can provide some things to consider.
The first question is whether you want to have the computer independently analyzed by a forensic expert for potential intellectual property theft. Of course, there is a cost for that analysis. Vestige has worked with clients that feel the analysis can be handled by their IT staff or by a forensic person they have on staff. First of all, while IT may know computers and how to set them up, maintain them, design systems, etc., they rarely know forensics. I believe the analogy has been made before, but you do not go to a pediatrician to perform an autopsy. While the pediatrician and the coroner may have taken many of the same classes to obtain their degrees, at one point their paths veer. IT is generally in place to keep the network and systems running and to get them back up and running when there is a problem. On the other hand, the forensic analyst is most concerned with all of that evidence that the IT professional just trampled on. Second, whether it is internal IT or internal forensics, the chances that they have experienced the same number of cases as an outside forensic consultant are minimal. Vestige deals with well over 200 matters a year and each matter adds to our experience; this in turn provides us with information on additional places to search for artifacts. Finally, the independent expert does not come to the table with any preconceived notions as to the nature of the case and those involved, which may lead to some bias. Of course, there is a cost for hiring an independent forensic expert and all costs should be weighed as a business decision.
The goal for the independent analysis of the potential intellectual property theft is twofold. First, you want to know if the story you are being told by your new employee is correct. Did they ever access data from your opponent? If they have a USB drive on which they took items from the computer in use at the previous employer, does it have the previous employer’s confidential information, or is it all just personal? Was that USB drive plugged into one of your computers? If it was, when did it happen, how many times and did a transfer of data occur? What items were or were not opened? Were any personal email accounts, cloud accounts or other repositories of electronic data which may contain your opponent’s confidential data accessed? And finally, was any data deleted, scrubbed or otherwise obfuscated? Second, when you find out what happened with your computers, you are in a better position to defend your company or your new employee without the benefit of your opponent knowing what happened.
Analysis by Opposing Party Expert
When one is on the defensive side of an IP theft, there usually is an expert hired by the opposing party who has already completed analysis on the device used before your employee left their previous employer. That expert may be internal or may be independent. Either way, it is an option to allow that expert to examine your devices. A couple of benefits to doing so may be cost and efficiency. The other expert already has in mind what was found in examining the previous employer’s computer. They can get right to the point and look for the resulting data on your devices. Another benefit is cost. Quite often I hear “if you want your expert to look at the data, fine, but you are paying for it.” Of course, depending on what was found and what it takes to settle the dispute, those costs may be shifted back to you.
The fear, however, is that this is not your expert, and you do not know what that expert will tell your opponent. Request a curriculum vitae from the opposing expert. Do some research on the expert and the company employing the expert. The computer forensic industry is not a large one; chances are that if someone you know in your locale has had computer forensic work done, they may have worked with this expert. You can also request some protection on the reporting of the results. You can request that some of the results be provided to you for screening (namely for potential privileged information or confidential trade secrets of your own) prior to your opponent getting the results.
One other thing to keep in mind is that if you are using your own forensic expert and that expert doesn’t provide the opposing party the “smoking gun” that they think or believe exists, you may get wrapped up in more time and effort spent having your expert defend the work that they did. This situation would not occur if you let the opposing side’s expert perform the analysis. If you don’t like those results, you can always ask to have the data examined by your own expert at that time.
As we have discussed, there are definite advantages to getting your hands wrapped around your data and your new employee’s data when accused of stealing your opponent’s confidential information. Early data identification and preservation is key. Then having computer forensics analysis performed can provide many benefits whether the analysis is performed by your own expert or your opponent’s expert.
Next week we will provide some case studies to put into real-life terms how Vestige has helped previous clients and how we can help you. Names will be sanitized to maintain our clients’ confidentiality.
by Greg Kelley, EnCE, DFCP, Chief Technology Officer at Vestige Digital Investigations