Computer Forensics in IP Theft Litigation and Investigations
THE GREATEST THREAT to a company’s intellectual property often comes from its own employees and contractors. In a 2009 study, the Ponemon Institute reported that 59 percent of surveyed former employees admitted taking company data, and 67 percent admitted using or planning to use their former employer’s sensitive information to obtain a new job or benefit their new employer. With insider access, a company’s prized trade secrets and stores of customer personal information may be copied and transferred to a competitor or to an identity theft ring.
Furthermore, the specter of evidence spoliation – the destruction or alteration of relevant documents – hovers over litigation and investigations. Electronically stored information (ESI) is at once ephemeral and resilient. Although easily changed and destroyed, including by way of routine system processes, ESI can persist in other forms, in fragments and copies located in numerous places, and often it is subject to recovery and reconstruction. The penalties for spoliation, and the expense surrounding the litigation of such issues, can be substantial.
To address these common problems, one must be familiar with the legal and technical issues involved in computer forensics. This field concerns the preservation, recovery and analysis of electronic files, storage devices and data systems.
Forensic evidence often has an important impact on a fact finder, and properly understanding, developing and presenting such evidence can make the difference between winning and losing a case. For this reason, an overview of common forensic inquiries and their place in modern litigation can be very helpful.
DON’T PANIC
A company confronted with a potential data theft or loss should resist the impulse to immediately start poking around employee computers. Don’t panic. A forensic examination must be done correctly from the beginning or the results may be spoiled.
Every time a computer is turned on, untold bits of information change. Memory is accessed and erased, files and logs are updated, old data is pushed out and substantial system data is altered. The tell-tale marks of fraud as well as data integrity and chain of custody can be threatened without proper controls.
As a first step, the company should secure the equipment and data and call in experts. When done properly, the investigation will preserve and capture data from relevant systems and repositories. It also will follow the data to create a clear picture of the breach or loss, thoroughly document the process, and help generate a timeline and narrative of the target’s activities that can guide the company and counsel to pursue the appropriate remedy. In contrast, in several cases parties that have failed to preserve data subject to an internal forensic examination have been sanctioned.
TRADITIONAL INFORMATION REPOSITORIES
Typically, the initial focus of an investigation is on traditional repositories of information:
Servers. These computers make detailed records of access and activities in other supported computers or programs. Server records can evidence who (meaning, for example, which user, IP address or networked computer) accessed particular files or websites, what requests were made of the server and which operations were performed on files, when these actions were taken, where the information ended up and how it got there.
This information may be particularly helpful in narrowing down a list of suspects and determining the chain of events leading to data loss. Even where overwritten, copies of such data may be retrievable in system restore points or backups.
Desktop and laptop computers. Once suspects are identified, a company generally will want to make a forensic (bit-for-bit) copy of relevant computer hard drives, using special software with write protection so as not to disturb the underlying data. The expert will then “hash” the recovered files to create a digital fingerprint that matches the original data set, verifying that the copy is identical and authentic, and allowing the examiner to follow the data from there.
The hard drive may contain detailed information about the target’s communications and actions. It is now commonly known that pressing “delete” does not really mean that a file is destroyed. However, even where steps have been taken to bypass the “recycle bin” and conceal the accessing, copying or deletion of data, the investigator may often recover files from user-inaccessible sectors containing “unallocated,” “slack” and “swap” space on the disk. The quicker a party acts to preserve and recover data before the system has a chance to overwrite it, the better the chances of a positive result.
Individual computers also create their own logs, records and registries that track user and file activity at a granular level. Such file system and embedded “metadata” (internal information about the file) can reveal the circumstances of a file’s creation and use, its author and the dates of its creation, last access, last alteration and printing, and who opened, received, modified, moved or printed the document.
Other Windows artifacts, such as “.lnk” files (shortcuts to recently opened documents and programs), may provide powerful evidence of user activity. Computer hard drives may also reveal data on a user’s internet access, which in turn can focus an investigation and flesh out target profiles, as well as yield entire messages and documents.
While some web-based products (such as YahooMail) leave behind more data than others (such as Gmail), even limited information may be sufficient to establish ownership of an account and seek further records.
Even where a file is not recoverable, there may be evidence of deletion or alteration. Information as to actions taken or not taken by the user, the absence of expected data, or the presence of unexpected data, may say a great deal about the target. File search history, for example, may provide clues about efforts to cleanse a hard drive, as may the running of destructive disk cleanups and defragmenting programs, or the downloading of large amounts of data.
Such forensic findings can be powerful circumstantial evidence of a cover-up, spoliation, dishonesty and consciousness of guilt, and can provide new directions for the investigation.
USB devices (e.g., flash drives, thumb drives, external hard drives). In theft of trade secrets cases, USB devices in particular are likely repositories of protected information. A Windows-based system generally records at least the first and last time that a particular USB device is used on that computer, providing evidence of what devices were used, as well as date restrictions on searches. Identified devices that are unaccounted for may warrant further investigation.
Files found on USB devices may be matched with company data to show wrongful possession. Where the USB device is missing or incomplete, moreover, changes in file metadata found on servers and PCs can point to unauthorized activity. For example, the rapid, sequential change to the “last access dates” of a group of files can indicate their mass copying to another device or archive. The examiner would then look for confirming evidence, such as system registries showing the contemporaneous use of a USB device that could have received the copied files.
The examiner would also seek to rule out potential alternate causes for the observed changes, including automated virus scans or text searches, which could cause similar file behavior. Ultimately, where the target has been careful not to leave behind a “smoking gun,” these cases must be made through an aggregation of evidence and inferences. A proper forensic examination will ensure that likely sources of evidence are not overlooked or compromised.
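As an added illustration (not part of the original article), the heuristic described above in Python: group files whose last-access timestamps change in a tight sequence, check whether the burst falls within a USB device’s recorded first/last-use window, and rule out a scheduled scan as an innocent cause. All file paths, timestamps, device names and scan windows are constructed sample data, and the thresholds are assumptions an examiner would tune per case.

```python
from datetime import datetime

# Constructed sample: last-access timestamps from a file-system metadata listing.
FILE_ACCESS = [
    ("C:/Projects/design_v1.docx", "2024-03-04 18:02:11"),
    ("C:/Projects/design_v2.docx", "2024-03-04 18:02:12"),
    ("C:/Projects/customers.xlsx", "2024-03-04 18:02:12"),
    ("C:/Projects/pricing.pdf",    "2024-03-04 18:02:14"),
    ("C:/Projects/roadmap.pptx",   "2024-03-04 18:02:15"),
    ("C:/Users/j/notes.txt",       "2024-03-05 09:40:02"),
    ("C:/Users/j/todo.txt",        "2024-03-05 14:11:37"),
]
# Constructed sample: USB device first/last-use times, as a registry parse might yield.
USB_EVENTS = [("Removable disk (serial PLACEHOLDER)", "2024-03-04 17:58:30", "2024-03-04 18:10:05")]
# Constructed sample: scheduled antivirus scan window, an innocent cause of mass access updates.
SCAN_WINDOWS = [("2024-03-05 02:00:00", "2024-03-05 03:30:00")]

def ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")

def find_bursts(records, min_files=4, max_gap_seconds=5):
    """Group files whose last-access times form a tight sequential run."""
    rows = sorted((ts(t), p) for p, t in records)
    if not rows:
        return []
    bursts, current = [], [rows[0]]
    for row in rows[1:]:
        if (row[0] - current[-1][0]).total_seconds() <= max_gap_seconds:
            current.append(row)
        else:
            if len(current) >= min_files:
                bursts.append(current)
            current = [row]
    if len(current) >= min_files:
        bursts.append(current)
    return bursts

def assess_burst(burst, usb_events, scan_windows):
    """Explain a burst by a scan window first, then look for a contemporaneous USB device."""
    start, end = burst[0][0], burst[-1][0]
    if any(ts(a) <= start and end <= ts(b) for a, b in scan_windows):
        return "explained: burst lies inside a scheduled scan window"
    devices = [d for d, a, b in usb_events if ts(a) <= start and end <= ts(b)]
    if devices:
        return "suspicious: %d files accessed within %ds while %s was connected" % (
            len(burst), (end - start).seconds, ", ".join(devices))
    return "unexplained burst: seek other corroboration"

def analyze(records=FILE_ACCESS, usb_events=USB_EVENTS, scan_windows=SCAN_WINDOWS):
    return [(b[0][0], len(b), assess_burst(b, usb_events, scan_windows)) for b in find_bursts(records)]
```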
NON-TRADITIONAL SOURCES OF DATA
A complete investigation cannot overlook new technology. While cell phones have long been the subject of scrutiny for contact and call information, PDAs such as Blackberries, iPhones, and Android devices, and netbooks such as iPads, which integrate many different office and social functions, are now ubiquitous.
These devices are a gold mine of forensic information, and they can yield particularly strong evidence of activity, association and usage. They are intimately connected to their owners and encourage an informality of use that can lead to revealing content.
In addition, while recording an expanded range of information compared to conventional computers and cell phones – including location, keystrokes, content tracking and social networking information – these devices also may contain information similar to that on PCs. And, like USB devices, these units can function as portable memory sticks with considerable capacity.
An investigation should not ignore information generated by social media, on sites such as Facebook, LinkedIn, Twitter or Foursquare, which may be found on company and personal computers. Many companies have established their own Facebook pages or commissioned Twitter feeds and blog postings. Such company information may be subject to preservation obligations.
Individuals often use these resources to communicate and coordinate their activities. Forensic work establishing ownership and access to such sites, as well as the data they throw off, can provide evidence of a person’s contacts, locations, activities, plans and communications.
BE MINDFUL OF SPOLIATION
It’s commonly observed that it’s not the crime but the cover-up that causes the most damage. Forensic investigation is used to show how a litigant or target of inquiry has attempted to cover up by destroying relevant evidence. The obligation to preserve evidence is triggered as soon as a person reasonably anticipates litigation, and the penalties for spoliation can be severe, but often the first reaction of someone suspected of misconduct is to destroy the evidence.
While the excuses advanced for such behavior are varied (indeed, they are a source of entertainment and outrage for many courts), the forensic examiner, even if unable to recover the deleted evidence, is often able to show that it existed, or that likely repositories of information were not preserved intact.
Nor does spoliation occur only through bad faith conduct. For corporations, the greatest danger likely lies in the failure to implement a proper legal hold, leading to inadvertent data destruction. Opposing counsel may conduct a “gap analysis” (comparing various party and non-party productions to look for documents that should have been produced) and demand explanations for perceived anomalies, thus building the case for a spoliation claim.
Litigants must structure their approach to their data and their opponents’ data with a heightened awareness of spoliation. The key battles in a spoliation fight can play out in the examinations of opposing experts, each espousing different views of the significance of forensic evidence. The importance of counsel experienced in such matters then becomes paramount.
TEAMWORK AND DIRECTION
Counsel overseeing a forensic investigation should foster an inventive and collaborative atmosphere, taking care to troubleshoot the expert’s methodology and conclusions. The investigative team has to unearth evidence of theft and professionally document its findings so they may be proved in court. Counsel, for its part, must be sufficiently versed in the technology and techniques to ask the right questions and guide the investigation, while balancing the costs and benefits of particular actions. Without controls, investigations can run off the rails, leading to wasted time and expense or counterproductive results.
Early involvement of the forensic team can ensure that vital materials in the opponent’s possession are preserved and produced. Too many times, we are called in too late to affect what discovery is conducted, thereby limiting the evidence available to analyze and our ability to ensure it is done properly. It is more effective to establish procedures in anticipation of IP theft, and to strengthen one’s document preservation capabilities, than to have to scramble to deal with an emergent situation on the fly.
JOHN E. DAVIS is counsel with the Corporate Litigation practice at Pillsbury Winthrop Shaw Pittman LLP, in the New York office. A member of Pillsbury’s Privacy, Data Security and Information Use team, he focuses on complex commercial matters, with particular expertise in counseling clients on their electronic discovery and records management obligations and in directing investigations of data theft and data loss.
john.davis@pillsburylaw.com.
ALEXANDER PARACHINI, a summer associate at Pillsbury, contributed to the writing of the article.