Dusting for Digital Fingerprints: Investigating Intellectual Property Theft
With 70% of the world's intellectual property held within the United States, US-based companies continue to dedicate extensive resources to research and development and derive substantial value from the intellectual property that results. Despite the emphasis companies place on that intellectual property, a dangerous trend has emerged: recent studies by the American Society for Industrial Security (ASIS) and the Federal Bureau of Investigation (FBI) show that over one-third of surveyed Fortune 2000 and middle-market companies have no formal program for safeguarding intellectual property and spend less than 5% of their budgets on security.
As the regularity and intensity of intellectual property theft continue to escalate, with losses to US companies now calculated by ASIS at over $150 billion per year compared to $45 billion in 1999, the protection of intellectual property and the assets that house it has become a critical business issue. Although distinct and effective measures can and should be taken to safeguard such sensitive information, today's technologically advanced world, in which information is shared globally in a matter of seconds, has changed how companies create, identify, maintain, and therefore must protect, intellectual property.
At the core of this paradigm shift is the realization that previously accepted safeguards and security practices can no longer fully protect intellectual property. The introduction of information systems and computer technology into business environments, especially now that intellectual property is commonly stored as data and transmitted invisibly over the Internet, has changed the fundamental requirements of any attempt to secure intellectual property and prevent its theft. Because security measures so often lag behind this reality, intellectual property theft has become more prevalent. When such a theft does occur, responding to, investigating, and prosecuting it has the added dimension of dealing with electronic information that is, by its very nature, volatile and difficult to capture completely.
With the continued increase in the value of intellectual property, which now regularly surpasses the value of physical corporate assets, proactive steps to prevent the unauthorized disclosure of intellectual property become critical. Just as information systems and computer technology have simplified and enhanced the ability to engage in the theft of intellectual property, that same technology can be leveraged to perform computer forensic analysis and greatly enhance the ability to investigate and secure evidence against those responsible for the theft.
Know Your Enemy
Although companies often perceive the need to prevent "hackers" from stealing intellectual property by fortifying their networks against external attackers, the real threat continues to arise from employees, former employees, and other direct members of a company's workforce. With more than 75% of intellectual property theft perpetrated by inside employees or contractors, as ASIS and FBI studies have consistently shown, the most devastating thefts of intellectual property come from individuals who are deemed trusted insiders.
In evaluating the threat posed by insiders, the theft of intellectual property regularly results from one or more of the following four main scenarios:
- Insiders are ignorant: they are not aware of, or do not comprehend, the extent and gravity of the security practices, policies, and controls the company has in place
- Insiders are careless: they have not considered how their actions, in opposition to well-defined security practices, policies, and controls, negatively affect the company's ability to safeguard its intellectual property
- Insiders disregard security: aware that their actions increase the risk of intellectual property theft, they nevertheless choose to act in a manner that abandons security practices, policies, and controls
- Insiders are malicious: acting for financial gain or simply personal gratification, they intentionally seek to corrupt, destroy, or steal intellectual property from the company
As a company's inside workforce generally possesses a strong understanding of which intellectual property is most valuable to the business, where it is located, and how it is protected, companies must recognize the need to prevent the theft of intellectual property and to respond appropriately should it occur.
Reacting to Intellectual Property Theft
A security program to protect intellectual property must strive to reduce risk to an acceptable level while maintaining the confidentiality, integrity, and availability of the intellectual property itself and the systems governing it. Critical to the protection of intellectual property is the adoption of defense in depth, in which multiple layers of safeguards and security controls are integrated and managed; even so, a certain degree of intrinsic risk will always remain.
Although proactive security is the most mature and effective manner to safeguard a company's intellectual property, minimizing the likelihood that it will be stolen, the reality of risk management dictates that it is impossible to achieve a level of security that can, with 100% certainty, neutralize all forces seeking to successfully engage in the theft of intellectual property. As such, and in response to the theft of intellectual property, the initiation of well-orchestrated and thoughtful reactive measures to investigate the theft of intellectual property will ensure electronic evidence is preserved and a sustainable posture for internal or legal action is established.
At the core of a company's response to the theft of intellectual property is the initiation of computer forensics to identify, gather, analyze, and preserve electronic evidence. It is through the review and evaluation of relevant electronic information that computer forensic analysis pieces together the who, what, when, where, and how of intellectual property theft and computer-based misconduct. While a company's internal IT staff or other technology professionals may be willing to perform such analysis, the nature of the forensic process, coupled with the requirements of law enforcement agencies and the court system, necessitates that computer forensic investigations be performed by external independent entities equipped with authorized forensic technology and trained to observe forensic protocols. Without the proper training, experience, certifications, and forensic tools, there is a strong likelihood that electronic evidence will be inadvertently destroyed or altered, impeding its admissibility and/or degrading its reliability.
Electronic evidence, by its very nature, is qualitatively different from and richer than its paper counterparts. When isolated, preserved, and analyzed properly, it discloses chronological history and deep contextual insight, and can shed tremendous light on the perpetrators of and abuses surrounding intellectual property theft. However, the complex and distributed technology infrastructures and network environments companies employ often mean that the electronic evidence central to investigating intellectual property theft resides in multiple locations.
As the investigation into intellectual property theft is regularly time sensitive, both in terms of legal constraints and relevant electronic information that may be inadvertently overwritten, corrupted, or destroyed, a focused scope will translate directly into an efficient and economic investigation that will produce results in a timely manner. In order to best focus investigative efforts and concentrate computer forensic analysis, the following constitute the primary and most common locations of electronic evidence pertaining to the perpetration of intellectual property theft through computer-based means:
Email
The transmission of email messages is the most commonly used technique to perpetrate intellectual property theft. Perpetrators leverage email and the files that can be attached to it to transmit sensitive information between co-conspirators or to themselves, so that the email can later be retrieved outside of the company's immediate control. It is important to note that email-based electronic evidence is not limited to the corporate email data, which may reside on the email server and workstations, but also includes personal email accounts and web-based email systems.
The availability and ease of use of web-based email systems, such as Hotmail and Yahoo! Mail, offer a free and semi-anonymous manner in which intellectual property can be misappropriated from a company's network environment without relying on a corporate email platform. While records of such transactions would not be recorded onto a corporate email server, relevant electronic evidence is frequently forensically recoverable from the computer system itself that was used to access the personal and/or web-based email systems.
Deleted Files & Slack Space
A common misconception is that when information or a specific file is deleted, it is permanently erased from the hard drive. In reality, the act of deleting a file does not remove the information itself, although it may appear invisible to the computer user. Over time and with continued computer usage, data that has been deleted may be overwritten and partially fragmented; however, computer forensic techniques and tools exist to recover some or all of the deleted data even if significant time has elapsed.
During or after the perpetration of intellectual property theft, attempts may be made to cover one's tracks and erase evidence of wrongdoing. By forensically recovering data that has been deleted, or file fragments that were automatically written to the unallocated space and file slack space of a hard drive without the user's knowledge, an array of electronic evidence surrounding intellectual property theft can often be identified and extracted. To best preserve deleted and volatile data for recovery, computer usage must cease or be kept to a minimum once the theft of intellectual property is suspected, so that automated processes do not inadvertently destroy relevant electronic information before the hard drive and the data it contains are formally preserved.
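To make the distinction between deleted data, unallocated space, and file slack concrete, the following added example (not code from the original article) builds a small constructed raw image with an assumed 512-byte cluster size and a constructed directory table, then carves a deleted document by its file signature from unallocated clusters and extracts the remnant of an older file from the slack of a live one.

```python
import re
from dataclasses import dataclass

CLUSTER = 512  # assumed allocation unit of the constructed image

# Constructed directory table: name -> (first cluster, logical size).  Only live
# files have entries; the deleted document has none, as on a real volume.
DIRECTORY = {"notes.txt": (0, 40), "todo.txt": (5, 32)}

@dataclass
class CarvedFile:
    offset: int   # byte offset in the image where the signature was found
    data: bytes

def build_sample_image() -> bytes:
    """Constructed 8-cluster image (not a real disk) with deleted and slack data."""
    clusters = [bytearray(CLUSTER) for _ in range(8)]
    clusters[0][:40] = b"notes.txt: an ordinary live file".ljust(40)
    # Deleted design document: directory entry gone, clusters 2-3 still hold its bytes.
    doc = b"%PDF-1.4 CONFIDENTIAL: turbine blade alloy ratios 62/28/10" + b" " * 600 + b"%%EOF"
    blob = doc.ljust(2 * CLUSTER, b"\x00")
    clusters[2][:] = blob[:CLUSTER]
    clusters[3][:] = blob[CLUSTER:]
    # Cluster 5 once held a customer list; todo.txt (32 bytes) later reused the cluster,
    # so bytes 32..511 are file slack and still carry the tail of the old content.
    old = b"CUSTOMER LIST (deleted): acme, globex, initech, umbrella, hooli"
    clusters[5][:len(old)] = old
    clusters[5][:32] = b"todo: ship Q3 release, fix CI".ljust(32)
    return b"".join(clusters)

def allocated_clusters() -> set[int]:
    """Clusters referenced by a live directory entry; everything else is unallocated."""
    used = set()
    for first, size in DIRECTORY.values():
        used.update(range(first, first + max(1, -(-size // CLUSTER))))
    return used

def carve_pdf(image: bytes) -> list[CarvedFile]:
    """Signature carving from header %PDF- to trailer %%EOF; needs no file system metadata."""
    return [CarvedFile(m.start(), m.group())
            for m in re.finditer(rb"%PDF-.*?%%EOF", image, re.DOTALL)]

def file_slack(image: bytes, name: str) -> bytes:
    """Bytes between a live file's logical end and the end of its last cluster."""
    first, size = DIRECTORY[name]
    last = first + max(1, -(-size // CLUSTER)) - 1
    return image[first * CLUSTER + size:(last + 1) * CLUSTER].rstrip(b"\x00")
```

On a real volume the directory table comes from the file system and the carving signatures from the file types of interest; the image here is constructed only so the logic runs offline.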
Removable Storage Media
Technological advances have continued to decrease the size and increase the portability of hard drives and electronic storage media. For a nominal cost, hard drives can now be purchased in the form of a USB or FireWire flash drive, or other peripheral storage media, that weigh less than a car key, are smaller than a stick of gum, and store over 2 gigabytes of data. Acting much like a regular hard drive, such peripheral storage media need only be inserted into a computer system's USB, FireWire, or similar port for intellectual property to be easily transferred.
When investigating intellectual property theft, it is important not to omit any potentially pertinent removable storage media that may have been used as a transportation vehicle or contain information pertaining to the malfeasance. Regardless of the specific type of removable storage media, be it a flash drive, CD-ROM, or floppy disk, computer forensic analysis can be performed on them in much the same way that computer forensic analysis can be performed on a computer's internal hard drive.
Log Files & Audit Trails
Throughout the course of normal operation, servers, workstations, and network devices within a company's network environment generate logs detailing the activities that took place on that particular system. Beyond supporting accountability and authentication, such log files, when forensically analyzed, often yield extensive information about how technology resources were accessed and used, both locally and from remote locations. As intellectual property theft regularly leverages one or more components of a company's technology infrastructure, log files can be used to precisely track user activity and directly isolate the misconduct perpetrated.
User & Computer Created Files
Through the normal use of computer systems and the applications and functionality they contain, an extensive array of files is consciously generated by the user and transparently and automatically produced by the computer. User created files are produced deliberately and include text-based documents, spreadsheets, databases, address books, and multimedia files. Computer created files include history files, printer spools, temporary files, configuration files, and system files, and are created as a routine function of a computer system's operation. As both user created and computer created files may be produced when intellectual property theft is perpetrated, the computer forensic analysis of such information should not be overlooked.
Metadata
While not necessarily visible on a printed document, metadata describes various characteristics of an electronic file, including when and by whom it was created, accessed, modified, transmitted, and/or printed. Metadata often yields information and insight relevant to intellectual property theft by revealing the history of an electronic file. Even if an electronic file has been deleted or overwritten, certain data remains on the computer system's hard drive, such as directory entries, pointers, or other system-based metadata relating to the file in question. The forensic analysis of metadata can also be used to define supplementary investigative avenues, confirm a user's knowledge of a particular electronic file and its contents, and construct a timeline of events surrounding the theft of intellectual property.
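The log file and metadata sections above both come down to the same investigative step: normalising records from several sources to one clock and merging them into a timeline that ties a user to a file and to the channel it left by. The following added example (not code from the original article) does that over constructed log lines from an assumed file-share audit log, mail gateway log, and removable-media audit log, each with its own timestamp style, and then pairs each read of a file under an assumed sensitive path with a later email attachment or removable-media copy of the same file by the same user.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timezone, timedelta

# Constructed sample records (not real logs): three sources, three timestamp styles.
SHARE_AUDIT = ["2019-03-04T17:02:11Z user=jdoe action=READ path=/srv/rd/alloy_ratios.xlsx bytes=418204",
               "2019-03-04T17:02:40Z user=asmith action=READ path=/srv/hr/holidays.docx bytes=20311"]
MAIL_LOG = ["04/Mar/2019:12:05:40 -0500 from=jdoe@corp.example to=jd.home@webmail.example attach=alloy_ratios.xlsx",
            "04/Mar/2019:12:09:02 -0500 from=asmith@corp.example to=team@corp.example attach=holidays.docx"]
USB_AUDIT = ["1551719400 user=jdoe dev=VID_0951 action=COPY dst=E:\\alloy_ratios.xlsx"]
SENSITIVE_PREFIX = "/srv/rd/"  # assumed location of the company's R&D intellectual property
KV = re.compile(r"(\w+)=(\S+)")

@dataclass
class Event:
    when: datetime   # always UTC so sources with different zones line up
    source: str
    user: str
    action: str
    artifact: str    # file name the event concerns
    detail: str

def parse_share(line):
    ts, rest = line.split(" ", 1)
    kv = dict(KV.findall(rest))
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return Event(when, "share", kv["user"], kv["action"], kv["path"].rsplit("/", 1)[-1], kv["path"])

def parse_mail(line):
    ts, tz, rest = line.split(" ", 2)
    kv = dict(KV.findall(rest))
    when = datetime.strptime(f"{ts} {tz}", "%d/%b/%Y:%H:%M:%S %z").astimezone(timezone.utc)
    return Event(when, "mail", kv["from"].split("@")[0], "MAIL", kv["attach"], "to=" + kv["to"])

def parse_usb(line):
    ts, rest = line.split(" ", 1)
    kv = dict(KV.findall(rest))
    when = datetime.fromtimestamp(int(ts), tz=timezone.utc)
    return Event(when, "usb", kv["user"], kv["action"], kv["dst"].replace("\\", "/").rsplit("/", 1)[-1], kv["dst"])

def build_timeline():
    """Normalise every source to UTC and merge into one chronological list."""
    events = ([parse_share(l) for l in SHARE_AUDIT] + [parse_mail(l) for l in MAIL_LOG]
              + [parse_usb(l) for l in USB_AUDIT])
    return sorted(events, key=lambda e: e.when)

def flag_exfil_chains(timeline, window=timedelta(minutes=30)):
    """Pair each READ of a sensitive file with a later MAIL or COPY of that file by the same user."""
    reads = [e for e in timeline if e.action == "READ" and e.detail.startswith(SENSITIVE_PREFIX)]
    return [(r, e) for r in reads for e in timeline
            if e.user == r.user and e.artifact == r.artifact and e.action in ("MAIL", "COPY")
            and r.when < e.when <= r.when + window]
```

Each flagged pair gives the who (user), what (artifact), when (UTC timestamps), where (share path, mailbox, or device) and how (mail or copy) the article describes, and the window keeps unrelated later activity from being attributed to the read.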
Backup Tapes & Archival Media
By tradition, companies back up and archive the data contained within their computer systems on a regular pre-defined schedule to facilitate the ability to restore sensitive information in the event of data loss or technical difficulties. The data archived onto backup tapes or similar media frequently contains the full contents of email accounts, database files, and log files, in addition to standard user created files. As such, backup tapes are a valuable resource and present the opportunity to look back in time to identify electronic evidence surrounding the theft of intellectual property that may no longer directly exist and would not be forensically recoverable on the computer system itself.
As companies continue to incur excessive losses of intellectual property, this threat is being combated through the use of computer forensics to identify, gather, analyze, and preserve electronic evidence. Using advanced tools and proven methods, computer forensic analysis is being leveraged to support companies in investigating and prosecuting those responsible for intellectual property theft. As intellectual property theft is being perpetrated through the use of computer technology, electronic evidence resides in a variety of sources, each one potentially providing further validation and verification of the who, what, where, when, and how of the abuse.