In a world where an organization’s trade secrets can be compromised with a few clicks, identifying whether or not intellectual property (IP) theft took place can be a complex process for many reasons.

Since many IP theft perpetrators are internal staff, asking internal IT staff to investigate may uncover issues of bias or conflicts of interest. Additionally, IT staff may not have the experience or training necessary to properly preserve the evidence gathered. Relying upon an experienced digital forensics firm will address both of these complexities given their expertise and unbiased third-party standing.

How digital forensics relates to IP theft

The virtual nature of digital assets simplify the IP theft process and also complicate any investigation into wrongdoing. Plus, these analyses cannot be understood within the standard criminal investigation framework. All gathered materials should be shared with a digital forensic specialist. What the forensic analyst is trying to determine is whether the materials have probative value (i.e., possessing relevance for the case in question). Digital forensics is a unique way to handle the potential IP theft investigations.

Preservation is a key principle in IP theft investigations just as it is with any other crime scene: everything ideally stays as it was at the time of the crime, as indicated by security training firm, the InfoSec Institute. Access to all devices should be stopped and all access should be blocked when IP theft is first suspected or discovered. Experienced analysts then systematically categorize and collect data to better understand whether a crime occurred. Key materials can be damaged or destroyed if someone without a forensics background attempts to access the digital evidence. If someone intrudes without proper credentials, the evidence is essentially contaminated which may lead to halted investigations, lost lawsuits, and the failure to return the IP to the rightful owner.

Evidence handling best practices for IP theft digital forensics

Properly handling evidence is critically important in IP theft investigations. This concern is addressed by the Computer Forensics guidelines of the American Bar Association and the Digital Forensics Standards and Capability Building sub-practice of the National Institute of Justice (NIJ). The NIJ and the Scientific Working Group on Digital Evidence (SWGDE) also developed and released standards detailing how to carefully and properly work with digital evidence.

Best practices to handle digital evidence include:

  • Label everything. List who gathered the material and location of its storage. Everything should be timestamped and dated.
  • Verify competence. Competence within forensics is necessary for any individual to access digital evidence. Everyone should understand it is only accessible to knowledgeable parties.
  • Know custody. Maintain a chain of custody for the obtainment, retention, and movement of all digital and physical artifacts.
  • Assign responsibility. Any time that an individual possesses digital evidence, they have full responsibility for it. That truth should be built into the way it is handled.
  • Display extreme care. For digital, as well as physical evidence, you need to diligently follow protocol and take every precaution to care for the evidence. If a device falls or gets wet, it may compromise the outlook of the case.
  • Restrict access to authorized individuals. Implement strong access controls for storage and consistently monitor access.
  • Deviate as necessary, but only when necessary. It is generally inappropriate for a digital forensics professional to turn off a device and check its temporary memory. However, shutting it down is critical and advisable if the device is reformatting the disk and destroying the evidence.

How to evaluate an IP theft forensics report

While every case is a bit different, this framework offered by Daniel B. Garrie and J. David Morrissy provides a general path forward to understand and incorporate the documented findings of forensic experts:

Assess how the data was gathered. To evaluate a forensics report, think first about the collection method. Specifically, was data collected through live acquisition or through copying a hard drive via bit-by-bit image. The latter tactic is typically a more reliable strategy since there are fewer variables in motion, resulting in lower probability of a problem; but the way acquisition proceeds should be customized to fit the case. The format of the digital image is also a key concern.

Check the report to be sure it is granular enough for replication. It is important to establish that another expert could arrive at the same conclusions—and exactly how they would do so. The report should provide detailed steps of the process; and forensic images should be accessible to any additional specialists as needed. Garrie and Morrissy noted that when reports are not backed up by digital images that can be replicated, they “should be granted little credence, and only reviewed in extraordinary circumstances.”

Look for a standard structure. A typical forensic report begins with a short summary, a list of investigative tools, along with how they function and any preconceptions about them. Next, the first article of evidence is reviewed. This article might be Employee A’s personal laptop, for instance. Once introduced, the evidence found on that device is summarized, and analysis of any relevant areas of the device is conducted. For example, that might include analysis of USB registry, Internet search history, and email history. Details of any subsequent devices or accounts then follow in the report. Finally, the forensic investigator should provide recommendations pertaining to next steps and whether or not to continue with the investigation.

Verify that it contains tools and assumptions. The report should state all of the utilized tools for the investigation, along with the specialist’s assumptions related to all tools that are used. The report reviewer should be made aware of this basic information on tools and anything that might be believed about them since any preconceptions could influence findings. Forensic tools are used to back up some of the conclusions within forensic reports, so they must be understood.

Proving IP theft

Digital forensics data from mobile apps, social media platforms, and digital devices can be fundamental in solving criminal cases. Data that is drawn from these electronic settings are diverse but may include locations, dates, and times. By having a basic understanding of the way forensics serves these courtroom scenarios and some of the related best practices, you can move forward with a better grasp of the role of forensics in these cases.


Source: ForensicMagazine