Nobody leaves empty handed
Digital Forensics and Intellectual Property Theft
What to do if you suspect your company’s intellectual property has been stolen
Protecting intellectual property (IP) is critical to building, maintaining and growing a successful company.
Whether your business is high tech or low tech, big or small, the theft of intellectual assets can cause
harm to revenue, reputation and company infrastructure. Intellectual property is a business asset and
includes the intangible results of a company’s creativity and innovation. It’s just as important to protect
and secure your intellectual property as it is your company’s physical assets.
In the past fifteen years, one of the fastest-growing threats to businesses today is the misappropriation
of IP. With the proliferation of smart phones, flash drives, cloud data storage, and document scanners,
businesses must protect themselves both against competitors and hackers obtaining documents from
the outside, but also to secure their networks from inside actors such as disgruntled co-owners or
employees who might walk out the door with a company’s IP. When a claim is made that IP has been
used without authorization in the creation of a new company, product or service, the claim must be
investigated and documented by qualified analysts the moment the theft is suspected. There certainly is
technology which can track the movement of data from one business’s system to a competitor or a bad
actor, but all evidence must be properly handled and recorded to effectively support or dispute the
claim. When a claim is made or if you believe that IP has been used without authorization (especially in the creation of a new company, product or service by a former employee or co-owner), the claim must be investigated and documented by qualified analysts the moment the theft is suspected.
What steps should you take when IP theft is suspected?
The first step in an electronic IP theft investigation is to ensure that all data and devices including mobile
phones, laptops and tablets of the suspect are identified, IMMEDIATELY preserved and not accessed by
anyone. Lock the devices up into secure storage to ensure that they won’t be tampered with until a
forensic professional can take custody of them and begin the investigation. Each time an HR or IT
professional takes a peek or conducts any searches from on the devices, they run the substantial risk of
unintentionally destroying or overwriting of data, calling into question the integrity of the evidence. If the suspect’s computer is on when you find it, keep it on. If you turn it off, you could lose important evidence that’s stored in the computer’s memory. If you find it turned off, leave it off.
As part of this initial lockdown, be sure to turn off any remote access to the devices and remove the
device from your network. Your organization should be without the use of these devices for the
duration of the investigation so they won’t be able to be reassign the devices to another employee
until the investigation is complete.
As soon as possible, contact a computer forensics specialist to take custody of the devices, oversee and
conduct the investigation into the IP theft. You should also contact an attorney, and obtain legal advice
as to your business’s rights to recover data or seek other legal or injunctive relief.
What can computer forensics professionals discover during an IP theft investigation?
The use of an experienced (and licensed in some states) computer forensics examiner is crucial,
regardless if you are the plaintiff or defendant.
After proper preservation and collections techniques are performed, investigators may be able to
answer and determine the following:
What process was utilized to get the data out of the company environment?
What files were recently opened? What files were recently deleted?
Did the person still have admin or VPN credentials to remote in to the network?
Was cloud storage recently installed on the device? Did the person use a cloud-based
Was an external device used? Flash drives, external hard drive?
What was the USB activity? When was the last time a USB device was connected and what was
the serial number or brand of the USB device?
Are there LNK files (shortcut files) and how do they connect to files and folders on a device or
Did the person use a company or personal email account?
What does the person’s Internet history reveal?
Did the person burn DVDs/CDs?
Did the person print off data?
Did the person perform mass deletion or utilize a wiping program to cover their tracks?
What does the device’s event logs say about activity that could confirm IP or refute theft?
A proper digital forensic investigation must occur to allow for a thorough review of the many artifacts
hiding in various nooks and crannies to help tell the whole story. Forensic examiners search and review
live files, unallocated space (where “deleted” data resides) and the registry, where many tell-tale
artifacts live, showing system and program settings, and user preferences and actions.
Only a qualified and expert forensic examiner has the proper tools and techniques to find your smoking
gun. Contact our team at Forensic Pursuit the moment you suspect the theft of your company’s
intellectual property or to learn more about how we can help you in the future.
Melinda Redenius is Chief Business Officer at Forensic Pursuit as well as an ACE certified computer forensics analyst and Private Investigator Ms. Redenius brought 15 years of paralegal litigation experience with her prior to joining Forensic Pursuit in 2010.
Forensicpursuit.com 888-498-3420 Denver-Dallas-NY-LA-Nashville-Albuquerque