Back to Articles



Nobody leaves empty handed

Digital Forensics and Intellectual Property Theft


What to do if you suspect your company’s intellectual property has been stolen

Protecting intellectual property (IP) is critical to building, maintaining and growing a successful company.

Whether your business is high tech or low tech, big or small, the theft of intellectual assets can cause

harm to revenue, reputation and company infrastructure. Intellectual property is a business asset and

includes the intangible results of a company’s creativity and innovation. It’s just as important to protect

and secure your intellectual property as it is your company’s physical assets.


In the past fifteen years, one of the fastest-growing threats to businesses today is the misappropriation

of IP. With the proliferation of smart phones, flash drives, cloud data storage, and document scanners,

businesses must protect themselves both against competitors and hackers obtaining documents from

the outside, but also to secure their networks from inside actors such as disgruntled co-owners or

employees who might walk out the door with a company’s IP. When a claim is made that IP has been

used without authorization in the creation of a new company, product or service, the claim must be

investigated and documented by qualified analysts the moment the theft is suspected. There certainly is

technology which can track the movement of data from one business’s system to a competitor or a bad

actor, but all evidence must be properly handled and recorded to effectively support or dispute the

claim. When a claim is made or if you believe that IP has been used without authorization (especially in the creation of a new company, product or service by a former employee or co-owner), the claim must be investigated and documented by qualified analysts the moment the theft is suspected.



What steps should you take when IP theft is suspected?

The first step in an electronic IP theft investigation is to ensure that all data and devices including mobile

phones, laptops and tablets of the suspect are identified, IMMEDIATELY preserved and not accessed by

anyone. Lock the devices up into secure storage to ensure that they won’t be tampered with until a

forensic professional can take custody of them and begin the investigation. Each time an HR or IT

professional takes a peek or conducts any searches from on the devices, they run the substantial risk of

unintentionally destroying or overwriting of data, calling into question the integrity of the evidence. If the suspect’s computer is on when you find it, keep it on. If you turn it off, you could lose important evidence that’s stored in the computer’s memory. If you find it turned off, leave it off.

As part of this initial lockdown, be sure to turn off any remote access to the devices and remove the

device from your network. Your organization should be without the use of these devices for the

duration of the investigation so they won’t be able to be reassign the devices to another employee

until the investigation is complete.

As soon as possible, contact a computer forensics specialist to take custody of the devices, oversee and

conduct the investigation into the IP theft. You should also contact an attorney, and obtain legal advice

as to your business’s rights to recover data or seek other legal or injunctive relief.



What can computer forensics professionals discover during an IP theft investigation?

The use of an experienced (and licensed in some states) computer forensics examiner is crucial,

regardless if you are the plaintiff or defendant.

After proper preservation and collections techniques are performed, investigators may be able to

answer and determine the following:

What process was utilized to get the data out of the company environment?

What files were recently opened? What files were recently deleted?

Did the person still have admin or VPN credentials to remote in to the network?

Was cloud storage recently installed on the device? Did the person use a cloud-based


Was an external device used? Flash drives, external hard drive?

What was the USB activity? When was the last time a USB device was connected and what was

the serial number or brand of the USB device?

Are there LNK files (shortcut files) and how do they connect to files and folders on a device or


Did the person use a company or personal email account?

What does the person’s Internet history reveal?

Did the person burn DVDs/CDs?

Did the person print off data?

Did the person perform mass deletion or utilize a wiping program to cover their tracks?

What does the device’s event logs say about activity that could confirm IP or refute theft?



A proper digital forensic investigation must occur to allow for a thorough review of the many artifacts

hiding in various nooks and crannies to help tell the whole story. Forensic examiners search and review

live files, unallocated space (where “deleted” data resides) and the registry, where many tell-tale

artifacts live, showing system and program settings, and user preferences and actions.

Only a qualified and expert forensic examiner has the proper tools and techniques to find your smoking

gun. Contact our team at Forensic Pursuit the moment you suspect the theft of your company’s

intellectual property or to learn more about how we can help you in the future.


Melinda Redenius is Chief Business Officer at Forensic Pursuit as well as an ACE certified computer forensics analyst and Private Investigator Ms. Redenius brought 15 years of paralegal litigation experience with her prior to joining Forensic Pursuit in 2010. 888-498-3420 Denver-Dallas-NY-LA-Nashville-Albuquerque


© 2017 Forensic Pursuit. All rights reserved.