Smoking Gun or Blowing Smoke? Five Tips to Make Sure That Computer Forensic Evidence of Trade Secret Theft Is What You Think It Is

3 minute read | July.17.2013

Today’s hackers and ex-employees steal secrets with USB drives, personal email accounts, and computer networks, making computer forensics critical in detecting trade secret theft.

A computer forensics expert can tell if files were copied or downloaded, what websites were browsed and for how long, and whether emails were created or deleted contemporaneously with other suspicious activity.  This electronic evidence is valuable, but isn’t worth much if evaluated improperly.  Companies presented with forensic evidence must review it carefully, and in context, to determine whether suspicions of trade secret theft are founded or not.

Could that computer forensic evidence have an innocent explanation? We’ve put together five practical tips for ensuring that when you evaluate forensic evidence, you don’t shoot yourself in the foot.

(1) Make Sure It Wasn’t the IT Guy.  Before jumping to conclusions, you need to verify that the user actually did it.  The user isn’t always responsible for all computer activity.  For example, company IT departments often automatically and remotely perform system and email backups, which can appear as a massive file transfer by the user.  These backups, antivirus software, or other automated programs can often be the cause and should be considered.

(2)  Check the Ex-Employee’s Computer Usage History.  If an ex-employee deleted a bunch of computer files the day before leaving his job, that activity may be suspicious.  But always make sure to examine the user’s deletion history and look for patterns.  Did he delete the same volume of data on a daily or weekly basis?  Were these the same types of files (either file names or file extensions) that he typically deleted?  Deletion activity is not always nefarious.

(3) Make Sure the Ex-Employee Didn’t Have a Legitimate Reason to Download Files Remotely.  Where there’s smoke, there’s fire, right?  Forensic information is only meaningful in context.  To get the facts straight, it’s important to know whether the ex-employee routinely worked remotely, had job responsibilities that made access to source code or password-protected databases necessary, or was authorized to use the networks he accessed.  This type of information is critical in understanding whether computer activity is suspicious or ordinary.

(4) Correlate Stolen File Sizes With Storage Device Sizes.  You need to use common sense when evaluating computer forensic data.  Sometimes forensic artifacts don’t conclusively show that data was transferred, but do support the inference.  For example, artifacts may show that a portable hard drive or USB drive was connected at the same time files were rapidly accessed on the computer, suggesting that the files were copied.  But don’t stop there; compare the size of the file you suspect was stolen with the size of the removable storage device, and make sure the device actually has enough capacity!

(5) Don’t Read Too Much Into Incomplete Forensic Data.  While forensic evidence provides valuable information, it also has limitations and can raise just as many questions as it answers.  For example, a computer may store webpage fragments, providing a snapshot in time of what the user viewed, but not the entire story.  Or in the case of jumplists (lists of files recently accessed), the target files may not be recoverable.  Similarly, a file’s metadata (information about a file’s history, including author and creation date) may suggest that the user last accessed the file on a particular date and time, but this data also could be based on unrelated events such as you turning on his laptop and digging around to investigate. So while this is powerful information, at times it can only give you inferences of wrongdoing.  Be careful not to overstate its meaning.