Let’s say that you’re the head of the IT department and that Employee A has already left your company and went to work for a competitor. Before leaving, he turned over his business laptop to you, but nothing else. You were well prepared in that you immediately had his laptop preserved after he handed it in, and you’ve hired Vestige to determine what, if anything, he may have taken. Vestige analyzes his computer and discovers he inserted several USB devices just a few days before leaving, and while discussing the results of the investigation with an analyst, you determine that the filenames recorded by the operating system as being accessed from those devices are indicative of company-sensitive material. What do you do now?
If you’ve already reviewed last week’s post, then you understand that the initial phase in an intellectual property (IP) theft investigation is to identify the likelihood that theft actually did occur. In our sample scenario, we’ve already established that. The next step is to use digital forensics technology to identify where else that data may have been moved.
Thinking Like the Thief
Put yourself in the shoes of Employee A. If Employee A copied company-sensitive information to an external drive, that drive is probably not going to be buried in a time capsule in the ground so someone can dig it up fifty years from now. In all likelihood, it is going to be used again, and if by some chance Employee A did not do anything else with the external drive but put it on a shelf, a digital forensic investigation will be able to show that as well. Yet, oftentimes what Vestige encounters in IP theft cases when an employee actually does take data is that it ends up on the employee’s personal or work devices. But how can this activity be proved?
Before I discuss this further, I do want to identify a couple common caveats Vestige runs into and their workarounds. In the scenario above, Employee A accessed files whose filenames were indicative of company-sensitive information from several USB devices just a few days prior to resigning. The problem is that the Windows operating system does not keep a log of what files were copied to external devices and when – all an examiner is left with are a group of artifacts that when pieced together can give a good indication of what (if anything) was copied. The truth of the matter is that Employee A could copy “CompanySecrets.doc” to an external device, rename it “Bananas.jpg,” and without examining the external device itself, our methods are rather limited to determine what data is inside “Bananas.jpg.” Now, there are other file system artifacts that may show this renaming taking place, but when taken at face-value, a filename is not necessarily indicative of the data behind it. That is why it is important to gain access to the device on which that file of interest is located.
E-mails are a little different. If Employee A had chosen to e-mail himself some company-sensitive attachments, Vestige is able to clearly see what those attachments were and when they were sent. Unless drastic anti-forensic measures were taken (which there would be evidence of), those sent e-mails or (if using an online service such as Gmail) pieces of them will in all likelihood still exist on the computer.
Yeah, maybe I took something on a flash drive, but I didn’t copy it anywhere else!
We get that response quite often. If Employee A went to work for a competing company, naturally, that company does not want anyone knowing what proprietary information is on Employee A’s new laptop. The same concept applies for Employee A not wanting anyone else knowing what personal information is available on his home computer(s). Yet, because Vestige has already shown that filenames accessed from those devices are indicative of company-sensitive material in Employee A’s possession, Employee A’s personal and new work devices ought to be a likely target for discovery. Still, companies and individuals often try to use their right to privacy as an excuse – or in their mind, a legitimate reason – to exclude those devices from the case. In these instances, Vestige will suggest using a protective order, specifically one that it has created and used successfully in thousands of cases, including those involving employee data theft. This protective order calls for a forensic preservation of relevant devices owned by the producing party (Employee A and his new company).The devices then have two types of analysis performed – content and artifact.The content analysis discovers relevant documents, emails and other files and is reviewed by counsel for Employee A to remove anything that they may deem privileged. The artifact analysis describes how the computer was used: files opened, files deleted, files transferred, devices attached to the computer and other relevant items.The artifact analysis is typically provided to both parties at once since it contains only computer generated data, and not conversations, memos or other user generated data.
If Employee A did copy your company-sensitive information elsewhere, the computers will show evidence of this movement. Vestige most often encounters:
- The serial number of at least one of the USB devices attached to Employee A’s laptop several days before he left your company are also recorded on Employee A’s personal and/or new work computer (indicating the same device that was used to copy data off of your company’s laptop was also connected to his personal/work computer),
- Filenames indicative of company-sensitive information are found on Employee A’s personal or new work computer, and these names match (or are close to) matching those from the list of files accessed from USB devices Vestige reported to you earlier (indicating that data was indeed copied off the removable device to the new computer),
- Cloud storage websites are accessed and files whose names are indicative of company-sensitive information have been downloaded,
- The e-mails sent from Employee A’s laptop to Gmail are found on Employee A’s personal and/or new work computer,
- Keyword searches find proprietary information, as many employees like to change filenames of IP data after taking it,
- Evidence of mass deletion activity of the storage media that was used for the transfer (examination of the external devices themselves can confirm this)
I will not spoil things and give away our blog post at the end of the month, but it will provide some success stories of evidence we have uncovered in these types of cases.
Another argument Vestige prepares for is that of when two files – one being on Employee A’s laptop when he worked for your company, and one being on Employee A’s personal/new work computer – have exactly the same name, or similar. Employee A and/or his counsel/company will claim that those files are different and in no way could possibly be the same. Again, this brings me back to my earlier point about how a suggestive filename does not necessarily mean it contains sensitive data. How do we combat that?
- Greg Kelley discussed hash values in a previous blog. Just like forensic images, files can also be hashed. If two files have the same hash value, it is mathematically reasonable to conclude they are the same file because they contain the same data – even if one file was created “X” number of years after the first, and even if the filenames do not match. Vestige encounters this often when data is copied from one device to another.
After determining that Employee A took data from your company and placed it on his personal devices or the devices allotted to him by the new employer, Vestige is often asked to use special tools to purge the data from the personal and/or company’s devices. Depending on how much data has been taken, that process can take ten minutes to several hours.
Tying It All Together
As has been one of the focuses of not only my blog posts but also those of others, the identification and preservation phases are crucial. If you were not savvy enough to have Employee A’s laptop preserved immediately after he left your company, proving IP theft could have been made increasingly more difficult. After identifying the high likelihood that Employee A took company sensitive data with him when he resigned, obtaining access to his other devices is not always easy, but is necessary to prove the extent of where your firm’s may have been used. When dealing with a competing company or privacy-orientated individual, a protective order can be used to ease the opposing side’s concern about their own confidential data being reported back to you. If Employee A did in fact copy your files to another computer and those files are found, that data can then be purged. Whether the employee took data or not, an intellectual property theft investigation will give you closure and peace of mind that your data is in the proper hands, and the proper hands only.
By Gene Snyder, GCFA, EnCE, ACE,
Forensic Analyst at Vestige
For more information CONTACT US