Digital Forensic Analysis in Corporate Investigations

Cloud-based storage and encrypted messaging services like WhatsApp have made it easier for insiders to plan and execute intellectual property theft. It is now crucial to investigate all potential sources of evidence, including the cloud, smartphones, and web-based email.

In other cases, suspects steal data that they had access to on a daily basis, leaving few if any artifacts behind. Traditional digital forensics techniques may fail to identify evidence of IP theft in such cases, so we may use stochastic forensics to identify unusual access patterns. In any given case, there will be thousands of access logs to sift through. Normal access events follow a Pareto distribution, whereas an unusual access event such as copying a large amount of data will leave a completely different pattern. These unusual access events can be identified using the right tools and algorithms to reconstruct a timeline of events surrounding the IP theft.

If you suspect a current or former insider of intellectual property theft, you should contact a digital forensic examiner right away and treat the suspect’s data as a crime scene. In many cases we have encountered, the company’s internal IT department turned on the suspect’s computer and began investigating its contents. This type of activity can lead to claims of spoliation and damage your case. A digital forensic examiner will take proper measures to prevent changes to the original data.

Our Investigation May Show Evidence that the Suspect:

  • Attached external storage drives such as USB devices. We can then compare the time stamps of when the USB device was attached with the access times of the suspect files (the IP) on the hard drive.
  • Accessed personal email such as web-based email, or web-based personal storage (cloud storage). We can then correlate those access times with file access times on the computer.
  • Remotely accessed the suspect computer or company server.
  • Printed relevant documents to the company’s printer.
  • Accessed the company’s internal network with a personal computer while onsite.
  • Utilized anti-forensic techniques, such as a wiping program, to hide their tracks.
  • Communicated with other suspects or with a potential employer/competitor on or about the time of the IP theft.
  • Utilized packet capturing software.
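
The access-pattern analysis and the USB time-stamp comparison described above can be sketched together as follows. This is an added example, not our tooling or code from any product: it flags one-minute windows that touch far more distinct files than is typical, then keeps the windows that follow a device attach. The record format, thresholds, paths and sample data are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median

BASE = datetime(1970, 1, 1)  # fixed origin used only to bucket naive timestamps

def find_access_bursts(records, bucket=timedelta(minutes=1), factor=10, min_files=20):
    """records: iterable of (access_time, path). Returns [(bucket_start, distinct_files)]
    for buckets touching far more distinct files than the typical active bucket."""
    files = defaultdict(set)
    for when, path in records:
        files[(when - BASE) // bucket].add(path)
    if not files:
        return []
    typical = median(len(paths) for paths in files.values())
    threshold = max(min_files, factor * typical)  # assumed cut-off, tune per data set
    return [(BASE + i * bucket, len(paths))
            for i, paths in sorted(files.items()) if len(paths) >= threshold]

def bursts_after_attach(bursts, attach_times, window=timedelta(minutes=30),
                        slack=timedelta(minutes=1)):
    """Keep bursts that began within `window` after a device attach. `slack` covers
    an attach that falls inside the burst's own bucket."""
    hits = []
    for start, count in bursts:
        prior = [a for a in attach_times if -slack <= start - a <= window]
        if prior:
            hits.append((start, count, max(prior)))  # nearest preceding attach
    return hits

def constructed_sample():
    """Constructed data: five working days of light use, then one bulk read."""
    records = []
    for day in range(5):
        for minute in range(0, 480, 7):  # one access every 7 minutes, 09:00-17:00
            when = datetime(2024, 3, 11, 9, 0) + timedelta(days=day, minutes=minute)
            records.append((when, f"/share/proj/doc{minute % 5}.docx"))
            if minute % 3 == 0:  # occasionally a second file in the same minute
                records.append((when + timedelta(seconds=20),
                                f"/share/proj/doc{(minute + 1) % 5}.docx"))
    bulk = datetime(2024, 3, 15, 18, 42)
    records += [(bulk + timedelta(seconds=i // 5), f"/share/ip/design{i:03}.dwg")
                for i in range(300)]  # 300 distinct files read within one minute
    usb_attached = [datetime(2024, 3, 15, 18, 40)]
    return records, usb_attached

if __name__ == "__main__":
    records, usb_attached = constructed_sample()
    for start, count, attach in bursts_after_attach(find_access_bursts(records), usb_attached):
        print(f"{start}: {count} files accessed; device attached at {attach}")
```

Access-time updates can be disabled on a file system, in which case file-server audit logs are the input rather than file time stamps.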

Pro-Active Forensic Imaging

We also offer pro-active forensic imaging, whereby we image a departing employee’s computer and preserve the image for later use if needed. In many cases, an employee is long gone before the company realizes the damage that has been done. A pro-active forensic image of the employee’s company devices is a cost-effective way to preserve critical evidence before it has been altered or deleted and overwritten.