This month we’ve been talking about Intellectual Property Theft/Non-Compete forensic cases, and in this last entry we’ll discuss success stories of a few cases Vestige has worked. I’m sure many of you are wondering about real-world scenarios in which we were able to locate key pieces of evidence showing individuals stealing data from their company. Well, you’re about to read about a few. I’ve selected a few different types of cases to show you how various artifacts and data located on computers, USB devices, cell phones, etc. have come into play in these types of cases.
Case Study 1:
This first computer forensics case study I’m going to discuss involves not only a computer, but a cell phone as well, and how the information located on the cell phone was able to help our client.
In this situation an employee left Company A (our client) and was going to work for a competing company, Company B, which was in direct violation of his non-compete agreement. Once Company A discovered he was going to work for a competitor, they immediately removed his access from their computer systems and called us (he was finishing his last day of employment). After speaking with us, they sent us the employee’s Laptop and Blackberry device for imaging and analysis. Some people might ask, what information would be useful from the employee’s cell phone? Well, considering how much cell phones have become such an integral part of people’s personal lives, they have also become an integral part of people’s work as well. Most companies nowadays allow their employees to sync their work email and contacts with their own personal cell phones and tablets. These phones can not only contain vital communications (between coworkers or emailing information to personal email accounts), but it is possible they may also contain data that someone may not expect, which is something we found in this case.
At the time of the employee leaving, Company A was working on a new product that was nearing release. The employee had direct access to the systems that contained manufacturing information for the new product, which could prove to be very damaging to Company A if he brought the information with him to Company B. In most cases, one would expect to find signs on the employee’s computer that he/she was stealing information, but in this case, the most vital piece of information was located on the employee’s Blackberry. During the analysis, pictures of the manufacturing information for the new product were found on the employee’s Blackberry, commingled with his own personal pictures! The employee not only had these pictures on the Blackberry device, but he had also made a copy of the data and had taken it with him. Had we not located the pictures and the artifacts showing that he made a copy of the data to take with him, he very well might have gotten away with it.
After reporting the results to our client, they were armed with all the information they needed. Had we not analyzed his Blackberry, the pictures containing the manufacturing information could have very well gone unnoticed, especially the fact that the employee made copies to take with him.
Case Study 2:
The next case we’ll discuss involves a former director level employee (worked at the company for over 10 years) who stole customer and channel partner lists. The client in this case got an anonymous tip that someone was attempting to sell their customer and channel partner information, so they started an investigation into the individual. They contacted and hired Vestige in order to determine if the employee took anything with him when he left the company.
After analyzing the individual’s computer, we determined that the company’s contact database was parsed an unusual number of times prior to the individual leaving the company. In addition to that, we also located an Excel spreadsheet that was created right around the time of his departure that contained client contact information. Around the same time the Excel spreadsheet was created, we located internet history information displaying he had accessed his own Yahoo! and Gmail accounts. There was no direct artifact information showing that he emailed this contacts spreadsheet to himself, but the fact that the document was created and he accessed his email shortly after was a big indicator that he was up to no good. Armed with this information, the client was able to get a court order to access his personal computer for analysis.
Once we started analysis of his personal computer, we ran some keyword searches for some contact names found in the Excel spreadsheet created on his work computer. We located a similar document on his personal computer that was slightly modified from the one created on his work computer. At the same time the file was created on his personal computer, we found evidence that he downloaded a file from his Yahoo! email account. Quite the coincidence, wouldn’t you say? Once we reported this information to our client, it was more than enough to help them stop this individual from selling their customer information and stop any damages from occurring in the future due to this individual’s actions.
Case Study 3:
This next intellectual property theft case I’m going to discuss will show you the value of email communication, and how our ability to recover deleted emails provided our client with the information they needed to pursue the individuals.
In this IP Theft scenario, Email correspondence was the star of the show. Employee A had left the company and started working for a competitor. Employee B in this situation was still working for our client at the time. Our client received an email from Employee A’s personal email account that contained trade secret information. This email was originally sent from Employee B’s work account to Employee A’s personal email account. When Employee A was forwarding this email to her new work account at the competitor, she accidentally CC’d the email to her old work account (our client). Once our client discovered this email, they did some investigative work and discovered records that hundreds of emails had been sent from Employee A’s work email to her personal email account. At this point, our client only had records that emails were sent, not the actual emails themselves, which is where the beauty of computer forensics comes into play.
After others made attempts to recover the deleted emails only to come up short, Vestige was hired. Shortly after receiving the computers, we immediately began work on recovering deleted emails from the system. Now you may be asking yourself, “if the client couldn’t recover the deleted emails on their systems, how can we?” and the quick answer to that is in the email stores saved on the computer by Microsoft Outlook. When you use Microsoft Outlook on your computer, all your emails are being stored locally in a database. When a user deletes emails and then empties the “Deleted Items” folder, the email is not immediately purged from the database and can be recovered by forensic means. In this case, we were able to successfully extract out deleted emails from Employee A’s computer. The deleted emails we were able to recover contained company information being sent to the employee’s personal email account, which was a gold mine of information. Once we reported this information to our client, they were able to put the wheels of justice in motion towards stopping further activity.
Case Study 4:
Not all cases will show information being copied off of a computer, but paying attention to the little details on a computer system can go a long way. In this case, we didn’t locate any data being moved to an external drive, but we did locate a number of files being accessed on the computer during the same time a USB Drive was attached to the system prior to the individual leaving the company. Once our client was armed with this information, we gained access to the individual’s personal computer and the USB Drive that was attached to the work computer. After obtaining the USB Drive and the personal computer, we located various pieces of client data that had been taken from the work computer. In this instance, we were asked to search for and wipe all company information from both the personal computer as well as the USB Drive. After searching for and locating all the company data, we wiped it from the computer so it could no longer be recovered and used. After performing our analysis and wiping all the company data from the individual’s personal devices, our client felt at ease knowing that their data was protected.
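The timing correlations described in Case Studies 2 and 4, as an added example that is not Vestige's tooling or code from the original post. The event kinds, field layout, file paths, serial placeholder and 30-minute window are all assumptions, and the sample timeline is constructed.

```python
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Constructed events (timestamp, kind, detail); every value is illustrative.
RAW = [
    ("2024-03-01 09:02", "file_accessed", "clients/pricing.xlsx"),
    ("2024-03-01 16:40", "usb_connect", "SERIAL-PLACEHOLDER-1"),
    ("2024-03-01 16:42", "file_accessed", "clients/accounts.docx"),
    ("2024-03-01 16:44", "file_accessed", "clients/roadmap.pdf"),
    ("2024-03-01 16:55", "usb_disconnect", "SERIAL-PLACEHOLDER-1"),
    ("2024-03-01 17:05", "file_created", "Desktop/contacts.xlsx"),
    ("2024-03-01 17:12", "web_visit", "https://mail.yahoo.com/inbox"),
    ("2024-03-01 19:30", "web_visit", "https://mail.google.com/mail"),
]
WEBMAIL_HOSTS = ("mail.yahoo.com", "mail.google.com")  # assumed host list

def load(raw):
    """Parse timestamps and return events in chronological order."""
    return sorted((datetime.strptime(t, "%Y-%m-%d %H:%M"), k, d) for t, k, d in raw)

def usb_windows(events):
    """Pair each usb_connect with the next usb_disconnect of the same serial."""
    open_at, windows = {}, []
    for ts, kind, detail in events:
        if kind == "usb_connect":
            open_at[detail] = ts
        elif kind == "usb_disconnect" and detail in open_at:
            windows.append((detail, open_at.pop(detail), ts))
    # A device never seen disconnecting is treated as attached until the last event.
    windows += [(s, start, events[-1][0]) for s, start in open_at.items()]
    return windows

def accessed_during_usb(events):
    """Files accessed while a USB device was attached (Case Study 4 pattern)."""
    windows = usb_windows(events)
    return [(d, serial) for ts, k, d in events if k == "file_accessed"
            for serial, start, end in windows if start <= ts <= end]

def created_before_webmail(events, within=timedelta(minutes=30)):
    """Files created shortly before a personal webmail visit (Case Study 2 pattern)."""
    return [(path, url)
            for ts, k, path in events if k == "file_created"
            for ts2, k2, url in events
            if k2 == "web_visit" and ts <= ts2 <= ts + within
            and urlparse(url).hostname in WEBMAIL_HOSTS]

if __name__ == "__main__":
    ev = load(RAW)
    print(accessed_during_usb(ev))      # accesses inside the USB window
    print(created_before_webmail(ev))   # creation followed by webmail visit
```

A hit from either function is a lead that justifies examining further devices, as in the cases above, not direct evidence that a file was copied or emailed.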
Case Study 5:
In this case, we were hired by the defense to help counsel sort out what occurred. Counsel is hired to protect their client, but one of the first things that attorneys will say is that they can only protect their client from actions of which they are aware. That does not mean that counsel expects their clients to lie to them. Quite often the case is that the client’s memory is not clear or that they just don’t recall what they did. In this matter, we were asked to get to the bottom of what USB devices may contain data from the previous employer (including deleted data) versus just personal data. Furthermore, counsel wanted to know which USB devices were plugged into their client’s personal computer and new work computer. The goal was to determine if any active or deleted old company confidential information was in the hands of counsel’s client and then determine if that data may have been further leaked to other areas. Once our analysis was complete, counsel was able to report back the breadth of exposure of possible confidential information and hold back those devices that were not relevant in the case.
Data Destruction Cases
At this point I’ve talked about a few cases in which we found evidence of an individual taking information, but what if the individual wiped the data from their devices? Well we’ve worked a bunch of those cases too and have a few examples, so read on:
Case Study 6:
The first case I would like to discuss involves an individual leaving his company to go and work for a competitor, so naturally the company was nervous that he took company secrets with him. So who are they going to call, you ask? Vestige, of course! After receiving the computer, we started our investigation, and one of the first things that we noticed was that a wiping program called Window Washer was installed and run around the time the individual left the company. Window Washer is a tool designed to delete user history on a computer in order to help protect the user’s privacy, but it can also be used to hide the activity of a user. Window Washer by default merely deletes the information, which can be recovered using forensic means; however, it can also be set to wipe the data, rendering it irrecoverable. In this situation, the user altered the default settings of Window Washer to wipe the data removed by the program. Furthermore, the user configured Window Washer to remove other artifacts that, by default, were not enabled in the program. We were able to determine this activity through thorough testing of the same version of Window Washer installed on the system and reviewing the default settings. Through our testing, we were able to prove that the user altered the default settings of the program to wipe the data, showing malicious intent.
Case Study 7:
In this next case, multiple individuals left our client and went to work for a competitor, but when they returned their computers, the hard drives had all been wiped. The first thought that comes to mind is, “how can we recover any data from the devices once they’ve been wiped?” The answer to that lies in the artifacts located on one of the computers that happened to be a Mac. During the reinstallation of the Operating System on the Mac, it recorded logs of the entire reinstallation process. These logs displayed information that the user had changed a setting to wipe the hard drive prior to installing the new Operating System. After we confronted the employees, they turned over USB Drives that they used at the company. One of these USB Drives contained artifacts from a Mac computer that were created after the individual turned his Mac over to the company, which told us that he had an additional Mac that he hadn’t told us about. Once this Mac was turned over and analyzed, we located various pieces of client data the individual had taken from his work computer and transferred to his Mac from the USB Drive. So even though we didn’t start out with much information, we were able to help our client find out the truth of what the individuals were up to. Once armed with all the artifact information we located in this case, our client was able to get a favorable resolution.
So as you can see, Vestige has encountered a variety of ways people try to steal information from a company and possibly try to hide their tracks. The reason Vestige is so effective in the intellectual property and employee data theft cases that we work is that we truly understand how technology works and how it all ties together. Being able to see patterns and tie together artifacts in cases has helped us and our clients countless times. Even in the cases where we prove theft of company information has not occurred, it is still very helpful to our clients because it gives them peace of mind that their intellectual property is safe.