Responding To Alleged Intellectual Property Theft: Mitigating Business Risk With Computer Forensics

Friday, May 17, 2013 - 11:06

Sometimes, departing employees take things with them that they should not. Sometimes, disgruntled employees send or leak sensitive information to competitors. Confidential communications, financial information, and/or work product from Company A is found on work computers at Company B. I have consulted with clients regarding these types of events numerous times over the years. While it happens in every industry you can think of – in organizations both large and small – the motivation may change from one instance to another. In some cases, people feel entitled to information or to the work product they helped create. There are also those that use information as leverage to get a new job, with some even encouraged to take data by the competitor who is offering them the position. Others may be unhappy or upset. They want to harm a business either by leaking sensitive information or even by publishing innocuous information that has been intentionally edited to portray someone or something negatively. 

There are two things to contend with in responding to these events – the sheer volume of data we have access to and the ever-growing means available to access it. Organizations today generate copious amounts of data, and only some of that data is physically housed at corporate headquarters. There has been a huge rise in telecommuters working from home, sometimes using personal computers to do company work. Social networking is now being used more freely to communicate with clients. The impetus to stay connected, and the resulting usage of tablets and smartphones for work purposes, means even more devices are now capable tools for boosting employee productivity. Corporate email is moving from the office to the cloud, where it is administered by third parties to free up internal resources. For a business, these changes often represent efficiency in action. However, they also represent additional avenues and means for data to leave organizations and for employees to take or transmit proprietary information. This article is intended to be a basic framework for responding to potential intellectual property theft, or, for some readers, a list of things to consider when designing security policies and procedures that will help address improper usage of proprietary data.

Company Policy

Minimizing the threat of data being leaked or stolen starts with the company’s own infrastructure, equipment, and policies regarding usage. What are employees expected to use the computers and networks they have access to for? What is not permitted? Is Internet browsing restricted? Is Internet access monitored and/or logged? Are employees permitted to use USB or peripheral storage devices? Can employees install software on the computers that they are assigned? The answers to these questions will vary from one organization to another depending on the business itself and corporate culture – however, these questions should be asked and answered thoughtfully when drafting or updating a security policy. Perhaps employees in the marketing group need access to USB storage devices and should be allowed to copy data to external hard drives, but should all departments have the same access? Is access to web-based email permitted? If so, who needs it, and under what circumstances would corporate email not be used? 

Any organization should have an Acceptable Use Policy to clarify and communicate what types of activity are acceptable when using company equipment. It should state clearly that company resources are to be used for company business, and it should also indicate what procedures are in place to enforce company policies. For example, if a corporate policy states that using external hard drives is not permitted, and this policy is enforced and implemented via software, this would mitigate risk of data leaving the organization via unauthorized storage devices. If personal email access is permitted while Internet access is also monitored and/or logged, the policy may discourage events like employees sending confidential company information to their personal email accounts. 

In addition to policies regarding the use of company resources, policies should also exist to properly handle employee exits. What devices has the employee had access to? Has their email been subject to backup and, if so, are backups running as they should? Should the employee’s computer be secured and stored before it is recirculated for use? Perhaps a forensic backup of their hard drive should be created “just in case.” Has the employee returned all the devices that were assigned to her (including computers, tablets, phones, and storage devices)? 

Data – Assess Where It Lives

If there is an event that merits investigation, first determine where the data “lives” and ascertain the project scope. Data sources that may be relevant to an internal investigation are numerous, and each should be discussed and assessed for relevance. These may include employee laptops/desktops (aka workstations), file and email servers, storage media, cloud backups, personal email accounts, home computers, smartphones, and other portable computing devices.

Often this list seems intuitive. However, it is always a good idea to involve IT to make sure nothing is overlooked and no assumptions are unnecessarily made. An excellent example is email. Where does the email live? Sometimes we assume all email lives on the email server, but perhaps it is on a user’s computer – or is it on both? At an office, a common configuration is for desktop computers to pull from the email server when the users open their email. Therefore, the email messages users see onscreen while working at their computer do not necessarily reside on the computer’s hard drive. What they are seeing may in fact be email messages that physically live on an email server. For laptop users, it is also somewhat common for email messages to physically reside on the laptop – this way, messages are accessible even if the user is traveling or not working at the office. However, this is not always the case, and even within the same organization, there may be exceptions. Still other issues arise: How does the email program communicate with the email server? Are the email messages on this or that device “complete,” or does the device only download email headers instead of complete messages? Does the organization use an archival system? Some industries are regulated and require that all inbound and outbound communications be preserved for a period of time. In those cases, the archive system may be the best data source for preservation. Taking the time to determine precisely where the data lives will help avoid unnecessary time and expense associated with haphazard data collection efforts.

Data – Collect And Preserve

Preserving data is the next step. At a minimum, consider creating a forensic image (or bitstream copy) of any desktop or laptop computer that is central to the investigation. A physical forensic image is a verifiable and complete duplicate of the hard drive, including the empty, unused space. These details are important and distinguish forensic images from just “copies” or clones. Copies do not preserve metadata, such as date information. As a result, a simple copy may appear as if all of the files were created recently since the original date information may be lost. A forensic image not only preserves date information but also contains empty or unallocated space, which is where deleted files and their remnants can exist. Creating a forensic image of the desktop or laptop systems used by key custodians is the standard in most forensic investigations.

Not all data sources lend themselves to physical imaging. For these data sources, a targeted collection of specific files/folders can be performed. A targeted collection, also called a “logical image,” refers to an image file that contains only a select set of files/folders from storage media. In contrast to a full physical image, a logical image can be created where a physical image may not be feasible, such as from larger server disks. As with physical images, the integrity of logical images can be independently verified by third parties.
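The following is an added illustration, not part of the original article, of how a targeted collection can be made independently verifiable and how it differs from an ordinary copy. A plain tar archive stands in for a forensic container format, and the file names, sample data, and manifest layout are constructed for the example.

```python
import hashlib, os, shutil, tarfile, tempfile

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(1 << 20), b""):
            h.update(block)
    return h.hexdigest()

def collect(paths, image_path):
    """Targeted collection: store files in a tar container, record hash and mtime."""
    files = []
    with tarfile.open(image_path, "w") as tar:
        for p in paths:
            name = os.path.basename(p)
            files.append({"name": name, "sha256": sha256_file(p),
                          "mtime": int(os.stat(p).st_mtime)})
            tar.add(p, arcname=name)  # the tar header carries the original mtime
    return {"image_sha256": sha256_file(image_path), "files": files}

def verify(image_path, manifest):
    """Recompute every value from the container; return a list of discrepancies."""
    problems = []
    if sha256_file(image_path) != manifest["image_sha256"]:
        problems.append("container hash mismatch")
    with tarfile.open(image_path) as tar:
        for entry in manifest["files"]:
            member = tar.getmember(entry["name"])
            digest = hashlib.sha256(tar.extractfile(member).read()).hexdigest()
            for field, got in (("sha256", digest), ("mtime", int(member.mtime))):
                if got != entry[field]:
                    problems.append(f"{entry['name']}: {field} mismatch")
    return problems

def demo():
    with tempfile.TemporaryDirectory() as work:    # constructed sample data below
        src = os.path.join(work, "pricing.csv")
        with open(src, "w") as f:
            f.write("sku,price\nA100,19.99\n")
        os.utime(src, (1300000000, 1300000000))    # original date: March 2011
        plain = shutil.copy(src, os.path.join(work, "copy.csv"))  # ordinary copy
        image = os.path.join(work, "collection.tar")
        manifest = collect([src], image)
        clean = verify(image, manifest)
        with tarfile.open(image) as tar:
            offset = tar.getmember("pricing.csv").offset_data
        with open(image, "r+b") as f:              # alter one byte of file content
            f.seek(offset); f.write(b"X")
        tampered = verify(image, manifest)
        return clean, tampered, int(os.stat(plain).st_mtime) == 1300000000
```

Calling `demo()` returns the discrepancies found before and after the container is altered, plus a flag showing that the ordinary copy did not keep the 2011 modification date.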

In addition to retrieving it from computers, data can generally be collected from smartphones, tablets, netbooks, CDs, DVDs, and other peripheral devices. When ascertaining the devices to be collected, consider whom you want to perform the data collection. Larger companies with information security staff may already have team members trained in computer forensics. However, for many, engaging a computer forensic expert to at least preserve the data in a proper, defensible manner is usually one of the least costly parts of an investigation. 

Analysis – Search And Review

Forensic analysis might yield signs of data exfiltration or intellectual property theft. Below are just some of the items a typical computer forensic analysis may include:

  • Removable devices: Analysis can help determine what USB or other external storage devices may have been first connected, as well as most recently connected, to a given computer. Similarly, artifacts can be created that help show what files/folders on a USB drive may have been accessed and when (see link files below). Because of their prevalence, small size, and ease of use, USB drives are frequently used to copy and move data.
  • Internet history analysis: Often, analysis of databases and Internet history artifacts can show what websites were accessed and when. If out-of-band communications or file transfer/cloud backup services are among the results, it may provide new information to help direct an investigation.
  • Analysis of shortcuts or link files: On a Windows-based system, link files are artifacts that are created when a user opens files or folders. These link files contain information about the file or application that was opened, and can help pinpoint the source of a file, whether it exists on removable media, and when a file may have been moved or copied.
  • Analysis of system registry/.plist files: On a Windows-based system, the system registry is a database that stores hardware and software configurations and options. From the standpoint of an investigation, the registry can help determine key information. A few examples include when the operating system was installed, which files were recently accessed, what USB devices may have been used recently, and what printers may have been connected to the computer. Corresponding artifacts on Mac-based systems may include “.plist” files, preferences directories (folders containing configuration options), and log files.
  • Analysis of cloud backup/sync software: Several programs are available for syncing or backing up data to the cloud. Some examples are Carbonite, DropBox, SugarSync, YouSendIt, Mozy, and Sharefile. Looking for the installation and usage of these programs on a workstation may prove to be valuable. After all, the only thing easier than sending files one by one to your Gmail account may be having those files sync automatically to whatever device you want.
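As an added illustration of the link file analysis described above (not code from the original article), the parser below reads the header and volume information of a Windows link file to recover the target's timestamps, its path, and whether it sat on removable media. The field layout follows Microsoft's published shell link format (MS-SHLLINK); the sample bytes, volume label, serial number, and file name are constructed for the example.

```python
import struct
from datetime import datetime, timedelta, timezone

DRIVE_TYPES = {0: "unknown", 1: "no root dir", 2: "removable", 3: "fixed",
               4: "remote", 5: "cdrom", 6: "ramdisk"}

def filetime(ticks):
    """Convert a FILETIME (100 ns ticks since 1601-01-01 UTC) to a datetime."""
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ticks // 10)

def cstr(buf, off):
    """Read a NUL-terminated string starting at off."""
    return buf[off:buf.index(b"\0", off)].decode("cp1252")

def parse_lnk(data):
    """Parse the ShellLinkHeader and the LinkInfo/VolumeID structures of a .lnk file."""
    size, flags = struct.unpack_from("<I16xI", data, 0)
    if size != 0x4C:
        raise ValueError("not a shell link header")
    created, accessed, written, fsize = struct.unpack_from("<QQQI", data, 28)
    out = {"target_created": filetime(created), "target_accessed": filetime(accessed),
           "target_written": filetime(written), "target_size": fsize}
    pos = 0x4C
    if flags & 0x01:                      # HasLinkTargetIDList: skip the ID list
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & 0x02:                      # HasLinkInfo
        _, _, li_flags, vol_off, path_off = struct.unpack_from("<5I", data, pos)
        if li_flags & 0x01:               # VolumeIDAndLocalBasePath
            vol = pos + vol_off
            _, dtype, serial, label_off = struct.unpack_from("<4I", data, vol)
            out.update(drive_type=DRIVE_TYPES.get(dtype, "other"),
                       volume_serial=f"{serial:08X}",
                       volume_label=cstr(data, vol + label_off),
                       local_path=cstr(data, pos + path_off))
    return out

def build_sample():
    """Constructed link file for the demo: target E:\\plans.xlsx on a removable volume."""
    ft = 130118400000000000               # 2013-05-01 00:00:00 UTC
    header = struct.pack("<I16sII3QIIIH10x", 0x4C,
                         bytes.fromhex("0114020000000000c000000000000046"),
                         0x02, 0x20, ft, ft, ft, 20480, 0, 1, 0)
    label, path = b"USB_DRIVE\0", b"E:\\plans.xlsx\0"
    volume = struct.pack("<4I", 16 + len(label), 2, 0x1234ABCD, 16) + label
    info = struct.pack("<6I", 0x1C, 0x01, 0x1C, 0x1C + len(volume), 0,
                       0x1C + len(volume) + len(path))
    body = info + volume + path + b"\0"
    return header + struct.pack("<I", 4 + len(body)) + body
```

The volume serial number and label recovered this way can be compared against the removable devices recorded elsewhere on the system to tie an opened file to a specific drive.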

Leveraging corporate policies (and backing them up with actual security procedures) is the first step in lowering risk of data exfiltration. When security events do occur, the responses to them should be targeted, precise, and expedient – and led by a team consisting of counsel, IT security, and, many times, outside expertise. 

Jonathan Karchmer is a Senior Manager in the Costa Mesa office of iDiscovery Solutions (“iDS”). Mr. Karchmer has over 12 years of experience in litigation and consulting matters involving computer forensics, e-discovery collection, processing, hosting, document review, and project management, as well as being a testifying expert. 

Please email the author at with questions about this article.