Marc Effron,White Elm Group, Atlanta.
Marc Effron,White Elm Group, Atlanta. (John Disney/ ALM)

The warehouses of yesterday once held a corporation’s most valuable assets in rows of files guarded by live security, visual surveillance cameras, coded entry, check-in systems and even fingerprint scanners. In a digital world, this picture is largely obsolete. No longer must we only protect from the unbranded truck backing up to the company’s document warehouse.

A comprehensive client list, file history and patent catalog for a major corporation can be contained on a single hard drive the size of your index finger. Security for these assets is controlled by any party granted access including employees, consultants, subcontractors and even potential acquirers. In larger companies, this can mean full access to a customer list by a sales team or to design patents by an engineering team. In smaller companies, it can mean even broader access across functions and levels of authority.

While current trade secret laws as well as contractual restrictions via nondisclosure and noncompete agreements serve as deterrents, they are often ignored by a departing employee intent on misappropriation. Often a company’s only effective recourse is to follow the digital trail. Whether a subject has transferred the materials through email or data storage device or even tried to wipe the slate clean using various forensic sanitizers, digital evidence in the trail can prove critical in stemming the flow of these assets for unauthorized or nefarious use.

One of the keys to computer forensic investigations is to quickly preserve the evidence. Electronic evidence is fragile and can be easily altered, even by those with the best intentions. It is crucial that the following take place with utmost urgency regarding any potential evidence devices:

• Stop using the device and do not redeploy the device to another user; •

• Preserve the data on the device with forensic tools and techniques; and

• Do not have an IT department, other employee or outside party start “looking” to find evidence prior to forensic duplication and preservation.

Understanding the types of digital footprints, or metadata left behind can provide valuable information for use in misappropriated assets.

USB Connection Metadata

Most often, time is of the essence in the case of a theft of trade secrets. The common scenario includes the departure of a key employee. From a technological standpoint, it is easy for any employee with access to download an entire hard drive full of company information onto an external device with a click of the mouse. USB hard drives and flash drives are most common and store a tremendous amount of data. Thankfully, a history of connected devices can be reconstructed from most Windows systems. Extracting the connected device listing from the operating system, including the external device serial numbers and timing of the connection, can provide valuable information in the early days of the investigation, including specifics necessary to request a TRO and obtain specific hardware evidence. For example, being able to show the court that the particular device was connected to the company-owned device on the same day as the subject’s termination and is no longer in the company’s possession may provide the court cause to obtain the specific device and sometimes other devices held by an ex-employee defendant for future analysis by the investigative team.

Browser Artifact Metadata

Those plotting to misappropriate trade secrets often avoid the use of regularly backed up and company-controlled server based email in favor of browser-based emails systems. Some of the more popular platforms include Google’s Gmail, Microsoft’s Hotmail and Yahoo Mail.

Depending on the browser used, the data will be stored differently, but typically in the cache, history and cookies. History and cookies will provide dates, times and sites visited, but cache is often most valuable, as it can contain the emails read by the subject. These off-server communications create a potential link between the activity of the subject and the intent to commit a theft.

LNK or File Path Metadata

LNK, or shortcut, files that link to an application or file and end with the extension .LNK can be created by a user in the Windows operating system. Windows-created LNK files are generated when a user opens a local or remote file or document. This provides the investigator with the folders and files accessed by the user at or near the time of the termination. LNK files typically contain information such as the original file path, the Media Access Control or MAC times of the original file, information about the volume and system where the LNK file is stored, network file path details and location as well as the size of the file.

Prefetch File Metadata

Prefetch files are useful in determining the types of applications used on a device. Windows creates a prefect file when an application is run from a particular location for the first time. Evidence of specific application use can prove that a subject ran a program such as a PC Cleaner or other forensic sanitizer to cover up the misappropriation. Even when the program has been deleted, the Prefetch file may still exist on the system as evidence. Prefetch files may also indicate that malware was run and used on a particular device.

Prefetch files also contain details on the number of times the application has been run, volume details, as well as timestamp information detailing when the application was first and last run. For Windows 8 and newer, prefect files contain up to eight timestamps for when an application was last run. This allows the investigator to build a timeline of events on a system.

Shellbag Artifacts Metadata

Shellbag artifacts appear in Windows, starting with the Vista system. Shellbags are used to store settings for shell folders that have been browsed by the user in Windows. When analyzed, the directory hierarchy can be determined using binary values and a sub key for each child shell folder. A resulting array represents the order in which the child shell folders were last accessed. In some cases, it might be a physical folder on disk; in others, it might be a network location, control panel item, user library or other.

Shellbag analysis can be useful as a forensic tool because it can give strong clues as to what shell folders were accessed and when. This is particularly useful when it comes to shell folders that have been deleted or those located on an external disk.

A rapid response to an incident, along with the analysis of certain metadata listed above, can help an investigator obtain valuable information from an electronic device in support of a theft of trade secrets claim. In any such case, it is important to harness the potential of the metadata in an efficient and expeditious manner in order to avoid wide ranging implications for the company and loss of intellectual assets.