
Saturday, August 29, 2015

How Digital Forensics Can Help: Intellectual Property Theft Cases




In the second of our series of “How Digital Forensics Can Help” articles, we’ll focus on an area that is most applicable to corporations: theft of intellectual property. Intellectual Property (IP) is defined as:

The legal rights that arise from intellectual activity in the industrial, scientific, literary and artistic fields.  This includes works of art, inventions, designs, trade secrets, words, phrases and symbols.



Pro Digital is not just a cool digital forensic firm, it’s also a company that was built from the ground up.  Like many companies, we have proprietary and confidential information that we would not welcome our competitors to have.  Most corporations fall into this category.  Think about your company or companies you know.  There are things that make them different and unique and many times, there’s some blood, sweat and tears (not to mention money) that has been invested over a significant period of time to help separate those companies from others who may claim to offer the same products or services.  This is why intellectual property is so important – It is information that can potentially break a company if provided to competitors.

When Should Digital Forensics Be Used in IP Theft Cases?

In keeping with the best practices of the digital forensic methodology, whenever there is the slightest possibility that an IP theft incident has occurred, a digital forensic consultant should be called immediately. Many times, these cases end up in some formal legal proceeding. Quite often, the custodian of the digital evidence is also a party to that legal action, a circumstance in which an argument could be made that there is a conflict of interest. Even if that argument isn’t made, it’s best to call in a digital forensic consultant as soon as possible after the theft is detected to ensure they get a look at the evidence in the purest form possible.

Some cases may require notification of law enforcement, but this can also go both ways. In many state courts (including Virginia), theft of proprietary information can be handled civilly, criminally or both. That means there are remedies in the state law for both types of legal actions. The decision of whether or not to pursue criminal charges against the suspected thief of the intellectual property is something that should be carefully considered and discussed with your attorney(s). If the decision is still “up in the air”, make sure you choose a digital forensic consultant who is knowledgeable about proper evidence handling and has testified in court as an expert witness (hint: one such consultant writes this blog).

What Types of Evidence Can Be Useful in IP Theft Cases?

Consider this brief case **example from a recent Pro Digital client:  Acme company provides specialty technical analysis services to corporations and governmental clients.  Acme has been in business for about 10 years and has developed a decent client base through their sales and marketing department over that time.  For the majority of the 10 years, Bob Bouey has been Acme’s Sales Manager, but Bob has been slacking for quite some time and has even been counseled and disciplined for his failure to acquire new customers.  Finally, Bob is fired, but he’s not dumb and saw the writing on the wall.  A few days before he was fired, he transferred the entire Acme customer database to a thumb drive and took that information with him to a competitor, who now has acquired several of Acme’s (former) clients.  Acme’s President finds out about this and files suit.



In this case, we were called by Acme to conduct a digital forensic exam on Bob’s former work computer to see if there was any digital evidence that Bob stole the customer database.  There most certainly was!  We were able to ascertain the date and time of the file transfer, the size of the file, the device onto which the database was transferred and even specific items such as the volume label of the USB thumb drive Bob put the database onto: BOBS FILES.  The FBI calls that a clue.

Cases like these are probably more common than most companies are aware of.  And this is just one example.  In the age where company perks include mobile devices, computers and other cool electronic gadgets which all store high volumes of data, it’s important to also bear in mind that these devices only help to facilitate the potential theft of information… and they all contain digital evidence when that happens.

Digital Forensics in IP Theft Case Tips

So now that you know what types of evidence are potentially accessible in your IP theft case, what should you do to help ensure the most benefit to your case? Here are some tips about how to maximize effectiveness in IP theft cases:

· If a problem employee is identified, start your documentation EARLY
· Identify what digital items are most vital to the operation of your business and keep an open mind about how that may be exploited
· If an intellectual property theft is suspected…
    o Secure and lock down any and all equipment used by the suspected thief immediately
    o Make sure remote access is shut off, including any back doors
    o Call a Digital Forensic Consultant and schedule a meeting as soon as feasible
    o If criminal charges will be sought, notify law enforcement as soon as feasible
    o Be aware that you may be without the computer or mobile devices used by the suspected thief for the duration of the examination and litigation

Digital devices are ubiquitous in our work and personal lives. Tech has interwoven itself into everything we do for better productivity, entertainment and communication. Because of this, it’s also a best practice, when an employee or associate is thought to be unhappy at work, to assume that they will abscond with some sensitive and/or proprietary information at some point before their access is cut off. By keeping this in the back of your head, you already start to increase your effectiveness in response to any suspected IP theft and set the stage for a better outcome in partnership with your Digital Forensic Consultant.

**For confidentiality, the names of the company and former employee were changed in this example**

Author:
Patrick J. Siewert, SCERS, BCERT, LCE
Principal Consultant
Professional Digital Forensic Consulting, LLC
Based in Richmond, Virginia
Available Globally

About the Author:
Patrick Siewert is the Principal Consultant of Pro Digital Forensic Consulting, based in Richmond, Virginia.  In 15 years of law enforcement, he investigated hundreds of high-tech crimes, incorporating digital forensics into the investigations, and was responsible for investigating some of the highest jury and plea bargain child exploitation cases in Virginia court history.  A graduate of both SCERS and BCERT (among others), Siewert continues to hone his digital forensic expertise in the private sector while growing his consulting business marketed toward litigators, professional investigators and corporations.
Twitter: @ProDigital4n6

Thursday, July 2, 2015

Digital Device Seizure Tips for Attorneys & Legal Staff





As private digital forensic practitioners, we draw our clients from several different areas. Pro Digital markets our services to private investigators, information security professionals, human resource practitioners and our biggest segment of clientele, attorneys involved in litigation practice, both civil and criminal. As a natural first step in the digital forensic process, attorneys' offices and legal staff will often obtain possession of laptop computers, cell phones, tablets, etc. and call a digital forensic practitioner for advice, to retain services and consult generally. What unfortunately happens in the meantime is that the digital device may be manipulated, "examined" or otherwise used by folks in the attorney's office in between device acquisition by the staff and data acquisition by the digital forensic practitioner. Because the government has been (and still is) pretty much at the forefront of digital forensics, this doesn't happen very much in prosecutors' offices and other government sectors, but it does happen in private legal practice quite a bit. To help close this gap, I'm offering a few easy tips for digital device seizure and secure storage for attorneys and their staff when cases arise necessitating a digital forensic examiner.

Computer Seizure & Secure Storage

1) Note the date, time and person from whom you received the computer

This tip may seem simplistic, but it's the first step in the chain-of-custody.  This also helps answer some questions the digital forensic examiner may have right off the bat.  As with most things, if it's not documented, it didn't happen, so initiating the documentation chain from the beginning is a great first step.

2) Ask the client about the system (and document their answers)

Does the computer have a password?  If so, what is it?  Is the hard drive encrypted?  How big is the hard drive?  Is the computer still currently in use?  How many users have access to the computer?  All of these questions are important and may serve to provide valuable information not only for the examiner, but for evidentiary purposes later in the litigation process.

3) DO NOT turn the computer on and start looking through the file system

This is extremely important to prevent spoliation of the data. Every time you turn a computer on, settings are changed, file dates and times are updated and the data starts traveling down the dirty road toward being tainted. Curiosity is a very powerful human instinct. For the sake of acquiring the best possible data, please try to quell your curiosity.

It's also important to note that doing this may put YOU in the hot seat because you are now a witness. As we already know, it's inappropriate (at best) for attorneys and their staff to be witnesses in clients' cases, so the best way to prevent this is to not even put yourself in that position.



4) Secure the computer in a locked area with limited access

This may also seem simplistic, but think about how desperate the other side is in your case.  In divorce and custody cases, the opposing party may have a large sum of money and/or child custody on the line.  In criminal cases, there may be evidence on that computer that implicates someone else.  There are very few avenues a truly desperate person won't go down to preserve their way of life or their freedom, up to and including breaking into your office to steal or destroy the computer that contains the digital nail in their coffin.

Securing these items in an area that not everyone in your office has access to (or even is aware of) is the best practice for digital evidence storage.  Documenting all of these things in the file goes hand-in-hand with secure storage and is also highly advisable.

Mobile Device Seizure

Many of the same rules above pertain to mobile devices as well, particularly with regard to documentation of when, where and from whom you received the device and secure storage.  There are a few additional considerations and some marked differences, however.

1) Immediately put the device into airplane mode and make sure all network connections (Wi-Fi, Bluetooth, etc.) are turned OFF.

This is also extremely important to prevent any unwanted destruction of data and to preserve the data on the device in the best possible form for subsequent data acquisition.  Will this in effect change some settings and data on the device? Yes.  But it's also the most effective and universally accepted way to prevent unwanted destruction of the data on the device.

2) Make sure to obtain any pass code information for the device from the person you received it from.

This is absolutely imperative for certain devices. So imperative that if we don't get it, we aren't getting the data you need from certain popular mobile devices. While it may be true that you can just call the client later and get this information, it will make the digital forensic examiner's job a little easier to have this information from the start.



3) Don't manipulate (or "examine") the device to try and get answers to your questions immediately.

This tip is very similar to the one with regard to computers, but it seems that the ease of use of mobile devices makes quelling your curiosity much more difficult.  The bottom line is, the data isn't going anywhere (especially if you followed steps 1 and 2), so turn it off, lock it up and don't play with it.  We'll find out what's on the device soon enough and you won't have the added heartache of being a potential witness in your case.

Once all of these tips have been followed, you can confidently call in your digital forensic expert to obtain possession of the device(s) involved in your case and/or perform the forensic data acquisition. Some of these tips may seem overly simplistic to the point of being obvious, but I share them because I've repeatedly seen where there may be a gap in knowledge about what legal professionals should do with these items when they're received in the office and before they call the digital forensic expert.

By following these simple tips, you help increase the effectiveness of your digital forensic expert and take a huge step forward in properly obtaining the data that could be the proverbial smoking gun in your case.

Please share these tips with friends and contacts in the legal community and, as always, please don't hesitate to call with any questions. 

 
