Hearing about an employee’s departure from one company to transfer to another seems to be an almost daily occurrence. When an employee leaves Coca-Cola for Pepsi, or vice versa, Coca-Cola has reason to fear that its intellectual property or work product has made a move as well.
So how can a company protect itself from intellectual property theft? In addition to having a solid non-compete agreement in place, a company should consider hiring a forensic examiner when there are concerns that a departing employee has exported, deleted or otherwise stolen a company’s intellectual property. The nature of this investigation will depend upon many factors, including the size of the company, the company’s security policies, the employee’s position and the company’s vertical. From a technical standpoint, for example, a manufacturing facility may not have the same data points, concerns or work product as a software company. Without getting into the never-ending list of techy details, which any forensic examiner should be keenly aware of, let’s navigate through a typical investigation into potential intellectual property theft.
The initial investigation sources are usually the employee’s workstation, mobile device and external device(s). This should not be a simple peek into the employee’s active files or company email, however. Along with a thorough examination of the active files, your forensic expert should consider and investigate deleted files, external device artifacts, cloud-sharing artifacts, webmail artifacts and especially operating system artifacts. This is by no means an exhaustive list, and the expert should consider personal accounts and devices as well. For example, can the employee use home computers or personal email accounts for work purposes? Does the company have a “BYOD” (Bring Your Own Device) policy? Even without these policies, many items in the office environment can easily be used to transfer data to personal devices, from a printer’s memory card slot to a Bluetooth connection made with a phone.
Furthermore, some investigation points are less tangible than typical workstations and servers. Many companies now allow employees to remotely access internal company data while outside of the internal network or otherwise allow employees to work on remote systems. An employee’s workstation can be used to access file servers, of course, but it can also be an entry point or dummy terminal to remotely access virtual machines, remote desktop sessions, terminal service sessions or outward-facing data repositories such as SharePoint. Not all data sources will come from off-the-shelf solution or software suites such as Microsoft Office and may come from an internal and proprietary solution. These company-created databases, programs or processes may not be apparent without a detailed interview of the internal IT staff or other employees.
Let’s consider some typical artifacts you may find on an employee’s workstation, as well as those items that are commonly overlooked. While it is important to examine the active data and user files, the operating system files also contain a wealth of information that will help define a timeline and paint a narrative of the employee’s activity on the system.
Some of the information that can be found in the operating system files:
While this information is readily available to a skilled examiner, most of the sources of the above information will typically have one or more backups as well. Thus, even if the currently used operating system files do not contain all necessary information, the backup or alternate versions of these files may.
Another commonly overlooked item would be Shadow Copies, which are also referred to as Volume Shadow Copies or Volume Shadow Copy Service (VSS). VSS can backup certain files, folders or entire volumes either automatically or manually. There is no obvious indicator that a VSS is utilized, so it is up to the investigator to properly examine the media and files contained within. These Shadow Copies and alternate operating system files are especially important when investigating the activities of a custodian who is suspected of actively trying to cover his or her tracks by deleting personal history and erasing certain files. Most software used for sanitizing or “wiping” computer systems will miss these alternative data sources.
Finally, it is important to go into forensic investigations without expecting a single report or set of reports to cover all of your needs, as there is no “standard” investigation that will provide all information about a person’s activities on a computer. Rather, the investigation should be an ongoing process that evolves and encompasses newly found data points and other information uncovered throughout the process. This iterative process requires an expert who can navigate a maze of information while not forgetting to check behind closed doors for relevant data or, even more importantly, to not skip past these doors altogether.