Saturday, August 29, 2015

How Digital Forensics Can Help: Intellectual Property Theft Cases




In the second of our series of “How Digital Forensics Can Help” articles, we’ll focus on an area that is most applicable to corporations: theft of intellectual property.  Intellectual Property (IP) is defined as:

The legal rights that arise from intellectual activity in the industrial, scientific, literary and artistic fields.  This includes works of art, inventions, designs, trade secrets, words, phrases and symbols.



Pro Digital is not just a cool digital forensic firm, it’s also a company that was built from the ground up.  Like many companies, we have proprietary and confidential information that we would not welcome our competitors to have.  Most corporations fall into this category.  Think about your company or companies you know.  There are things that make them different and unique and many times, there’s some blood, sweat and tears (not to mention money) that has been invested over a significant period of time to help separate those companies from others who may claim to offer the same products or services.  This is why intellectual property is so important – It is information that can potentially break a company if provided to competitors.

When Should Digital Forensics Be Used in IP Theft Cases?

In keeping with the best practices of the digital forensic methodology, whenever there is the slightest potential that an IP theft incident has occurred, a digital forensic consultant should be called immediately.  Many times, these cases end up in some formal legal proceeding.  Also quite often, the custodian of the digital evidence is also a party to that legal action, a circumstance in which an argument could be made that there is a conflict of interest.  Even if that argument isn’t made, it’s best to call in a digital forensic consultant as soon as possible after the theft is detected to ensure they get a look at the evidence in the purest form possible.

Some cases may require notification of law enforcement, but this can also go both ways.  In many state courts (including Virginia), theft of proprietary information can be handled both civilly and/or criminally.  That means there are remedies in the state law for both types of legal actions.  The decision of whether or not to pursue criminal charges against the suspected thief of the intellectual property is something that should be carefully considered and counseled upon with your attorney(s).  If the decision is still “up in the air”, make sure you choose a digital forensic consultant who is knowledgeable about proper evidence handling and has testified in court as an expert witness (hint: one such consultant writes this blog). 

What Types of Evidence Can Be Useful in IP Theft Cases?

Consider this brief case **example from a recent Pro Digital client:  Acme company provides specialty technical analysis services to corporations and governmental clients.  Acme has been in business for about 10 years and has developed a decent client base through their sales and marketing department over that time.  For the majority of the 10 years, Bob Bouey has been Acme’s Sales Manager, but Bob has been slacking for quite some time and has even been counseled and disciplined for his failure to acquire new customers.  Finally, Bob is fired, but he’s not dumb and saw the writing on the wall.  A few days before he was fired, he transferred the entire Acme customer database to a thumb drive and took that information with him to a competitor, who now has acquired several of Acme’s (former) clients.  Acme’s President finds out about this and files suit.



In this case, we were called by Acme to conduct a digital forensic exam on Bob’s former work computer to see if there was any digital evidence that Bob stole the customer database.  There most certainly was!  We were able to ascertain the date and time of the file transfer, the size of the file, the device onto which the database was transferred and even specific items such as the volume label of the USB thumb drive Bob put the database onto: BOBS FILES.  The FBI calls that a clue.

Cases like these are probably more common than most companies are aware of.  And this is just one example.  In the age where company perks include mobile devices, computers and other cool electronic gadgets which all store high volumes of data, it’s important to also bear in mind that these devices only help to facilitate the potential theft of information… and they all contain digital evidence when that happens.

Digital Forensics in IP Theft Case Tips

So now that you know what types of evidence are potentially accessible in your IP theft case, what should you do to help ensure the most benefit to your case?  Here are some tips about how to maximize effectiveness in IP theft cases:

  • If a problem employee is identified, start your documentation EARLY
  • Identify what digital items are most vital to the operation of your business and keep an open mind about how that may be exploited
  • If an intellectual property theft is suspected…
      o   Secure and lock-down any and all equipment used by the suspected thief immediately
      o   Make sure remote access is shut off, including any back doors
      o   Call a Digital Forensic Consultant and schedule a meeting as soon as feasible
      o   If criminal charges will be sought, notify law enforcement as soon as feasible
      o   Be aware that you may be without the computer or mobile devices used by the suspected thief for the duration of the examination and litigation

Digital devices are ubiquitous in our work and personal lives.  Tech has interwoven itself into everything we do for better productivity, entertainment and communication.  Because of this, it’s also best practice, when an employee or associate is thought to be unhappy at work, to assume that some sensitive and/or proprietary information will be absconded with at some point before their access is cut off.  By keeping this in the back of your head, you already start to increase your effectiveness in response to any suspected IP theft and set the stage for a better outcome in partnership with your Digital Forensic Consultant.

**For confidentiality, the names of the company and former employee were changed in this example**

Author:
Patrick J. Siewert, SCERS, BCERT, LCE
Principal Consultant
Professional Digital Forensic Consulting, LLC
Based in Richmond, Virginia
Available Globally

About the Author:
Patrick Siewert is the Principal Consultant of Pro Digital Forensic Consulting, based in Richmond, Virginia.  In 15 years of law enforcement, he investigated hundreds of high-tech crimes, incorporating digital forensics into the investigations, and was responsible for investigating some of the highest jury and plea bargain child exploitation cases in Virginia court history.  A graduate of both SCERS and BCERT (among others), Siewert continues to hone his digital forensic expertise in the private sector while growing his consulting business marketed toward litigators, professional investigators and corporations.
Twitter: @ProDigital4n6

Monday, August 17, 2015

Keep Windows 10 off Your Forensic Machine (for now)



 

With the much-anticipated recent release of Windows 10 comes a number of concerns for digital forensic examiners.  Full disclosure, I’m an Apple guy.  I like Apple products very much and wish I could do all of my forensic work on OS X, but that’s not realistic, so I do the next best thing and run Boot Camp on my Macs and use Windows 7 as my primary operating system when performing digital forensic examinations (except when using tools such as Lantern and Recon).  But now I have the ever-present “you should upgrade” notification on the bottom-right of my screen every time I boot up.  No, Microsoft, I will not upgrade, not for a long, long time.  Here’s why…



As a bit of a history lesson, when I attended the SCERS course, Windows 7 was still new.  Because of that, we installed a full version of Windows XP on the forensic systems we built in the course.  Why?  First, Windows Vista was an abhorrent operating system.  Second, Windows XP was the most stable operating system available for running forensic tools and conducting forensic analysis with those tools.  We had few or no compatibility problems with EnCase, FTK and the other freeware we installed on the systems.  This taught me a valuable lesson about building forensic computer systems – go with what works!

I think it’s safe to say most digital forensic professionals are also (at least partially) tech geeks and gadget folks.  We like new tech stuff.  We like to play with it and test it and put it through its paces.  To some degree, most software development companies (Apple and Microsoft included) use this quality in users of their newer products to conduct de-facto beta testing.  Yes, you can get beta and/or developer versions of software early, but the feedback provided by that small percentage of users is not as universal as rolling out an operating system on the open market.  By doing that, the software companies get millions of tests in thousands of different environments, making it the best beta test on the market.  They then use these “tests” to update and re-vamp the software.  But there are some truisms about stability and best practices with regard to constructing digital forensic systems that should not be overlooked when seeking to upgrade to the newest operating system.

First, you will have compatibility problems.  By virtue of the fact that Windows 10 is a new operating system with nuances that are not fully realized yet by the forensic community, you will have some compatibility problems.  Add into the mix that digital forensics is a relatively small community and that users of digital forensic software on a Windows platform aren’t exactly the target demographic for Microsoft research and development, and the law of averages dictates that digital forensics won’t be much of a consideration for Microsoft when constructing their operating system(s).  Sorry friends, we’re not that important to the tech giants.

The second issue is stability.  Like I said before, Windows XP was the most stable operating system at the time I attended SCERS at FLETC in 2010, so that’s what we installed on the forensic systems.  It wasn’t until 2 years later when I attended BCERT at the National Computer Forensic Institute that Windows 7 was deemed stable enough to run most digital forensic software we were provided.  Think about the first-run of any product on the consumer market.  From iPhones to Android phones to computers to cars, the first-run of any product is subject to instability, tweaks, modifications and updates.  It can often take years to work the bugs out of any system and even after all that time, it can still be deemed garbage (i.e., Windows Vista).  The stability of any system is vital to the successful operation of digital forensic tools on that system. 

Some other considerations include functionality, system requirements and validation of the software platform on which you’re using your forensic tools.  At the very least, if you are looking to install Windows 10 on a forensic machine, consider taking the following steps:


  • Make a full backup image of your forensic machine before you upgrade

  • Consider installing the new operating system on a secondary or alternative machine

  • Research compatibility problems with your most often-used software on the Windows 10 platform and try to find additional updates and/or work-arounds

o   (Note: Cellebrite UFED for PC has already encountered and fixed some compatibility issues)

  • Test, validate, repeat



As you can see, many of these suggestions take a lot of time and effort.  If you don’t have the time or effort to invest in putting Windows 10 through its paces with your digital forensic tools, consider sticking with an earlier, more stable and validated version of the operating system.  Most of these issues will likely be resolved in time.  But until then and by following these tips, you’ll save yourself a lot of heartache in the short term and avoid questions should they arise in formal legal proceedings.
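One way to carry out the “Test, validate, repeat” step is to process the same reference image with the same tool on the validated operating system and on the upgraded one, then compare the exported results file by file. The sketch below is an added example, not from the original post or any forensic vendor; the function names, directory names and sample files are hypothetical and constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path


def manifest(export_dir):
    """Map each exported file's relative path to the SHA-256 of its contents."""
    root = Path(export_dir)
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def compare_runs(baseline_dir, candidate_dir):
    """Compare a tool's export from the validated OS against the upgraded OS."""
    base, cand = manifest(baseline_dir), manifest(candidate_dir)
    return {
        "missing": sorted(set(base) - set(cand)),  # artifacts the new run did not produce
        "extra": sorted(set(cand) - set(base)),    # artifacts only the new run produced
        "changed": sorted(k for k in base.keys() & cand.keys() if base[k] != cand[k]),
    }


def validated(result):
    """The upgraded platform passes only if every difference list is empty."""
    return not any(result.values())


def demo():
    """Constructed sample: two small export trees standing in for real tool output."""
    with tempfile.TemporaryDirectory() as tmp:
        win7, win10 = Path(tmp, "win7_export"), Path(tmp, "win10_export")
        for d in (win7, win10):
            (d / "registry").mkdir(parents=True)
            (d / "registry" / "usb_devices.csv").write_text("label\nEVIDENCE01\n")
        (win7 / "timeline.csv").write_text("2015-08-01,file copied\n")
        (win10 / "timeline.csv").write_text("2015-08-01,file copi\n")  # truncated on new OS
        (win7 / "carved.bin").write_bytes(b"\x00\x01")                 # absent on new OS
        return compare_runs(win7, win10)


if __name__ == "__main__":
    report = demo()
    print(report, "PASS" if validated(report) else "FAIL")
```

Reports that embed the time of the run or the host name will differ on every run, so strip or normalize those fields before hashing, and keep the resulting comparison with your validation records.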
  

Author:
Patrick J. Siewert, SCERS, BCERT, LCE
Principal Consultant
Professional Digital Forensic Consulting, LLC
Based in Richmond, Virginia
Available Globally
