As a special feature of our blog –special guest postings by experts, clients, and other professionals –please enjoy the third part of a three part blog series by digital forensics expert Jim Vaughn, a Managing Director of Intelligent Discovery Solutions.
By Jim Vaughn
Welcome to part 3 of this three part series. Part 1 covered the BYOD concept and storage devices/areas considered for trade secret investigations, Part 2 covered forensic artifacts potentially located on devices such as Blackberry’s, iPhones/iPods or Androids, and now Part 3 will cover the design and application of protocols.
Because protocols are necessarily fact and equipment specific, this is not intended to be an out of the box protocol, but instead it is a pseudo protocol used as an attorney guide to the discussion points you will probably have with your forensic expert when drafting an actual protocol.
Let’s assume a set of hypothetical facts: Several departed employees went to work for the same competitor. These employees may have left all at once, or through a trickle effect over time that eventually raised suspicion. The former employer has raised theft of trade secrets allegations.
How do the facts play into the need to develop a protocol, or do they?
Within these facts, an effective protocol should include the means to identify, preserve, collect, review, produce (return) and remediate the data of interest. These protocol guidelines are intended to assist Plaintiffs, Defendants or Forensic Neutrals.
The Anatomy of a Protocol
What is a Forensic Protocol? For purposes of this blog I will describe it as a set of agreed upon instructions between the legal team(s) and the forensic team(s) to provide for the consistent, methodical, high quality collection, cataloging, and analysis of electronic devices.
In addition to how to produce and remediate, a typical protocol will contain instructions on how to mechanically collect your devices, instructions on how to document your devices and instructions related to the analysis of interest.
You may also desire to pre-plan and document searches of the collected data for specific keywords, investigate the usage of online repositories for storage of sensitive data, search for personal email usage and investigate the transfer of sensitive data to personal computers or other personal devices such as smart phones or tablets.
You may consider the inclusion of custodian questionnaires and/or affidavits from the individuals involved. These are designed to give the peace of mind that all new employer data sources and employee personal devices/storage areas have been identified, searched and remediated.
Your forensic expert should have a solid understanding of what questions to ask to understand the many types of data sources that could play a role in the investigation, and what company and system configurations need to be considered to execute an effective protocol.
Imaging/Collection of Data
Part 1 listed several data sources for consideration. If data collection techniques are part of your protocol, know there are several ways to collect data and the method of collection may be dependent on the source being collected. Included here are three different methods to forensically collect data from a workstation (e.g. laptop/desktop):
The hard drive will be physically removed from the workstation(s) to be imaged and attached to one side of an industry recognized forensic imaging hardware device.
If deemed better to leave the original hard drive in the workstation for imaging, then an industry standard forensic software program capable of being run from CD will be used for creating the forensic images.
If the laptop is using encryption, the login credentials will be provided so a live forensic image can be created.
For other data sources, there are specific methods and/or tools that are standard within the forensic community. Protocol verbiage may be precise as to the required tools to be used, or more general to include language that just requires it to be performed and documented in a forensically sound way. Generally speaking, the larger the collection effort and the more people involved, the more helpful precise language will be. In either case your forensic expert should quality control the forensic collections for completeness and accuracy.
Your protocol should include verbiage that will document particularities of each data source identified or collected as part of the protocol. This will include the computer/server’s make, model, and serial number, and if possible, documentation of the hard drive(s) located inside each computer. Depending on the circumstances, you may want pictures as part of the documentation.
Device Documentation/Analysis of Interest
Now that you have the evidence forensically captured, let’s look at items you may want to include in the protocol as part of the analysis. These items will help you determine certain things like when the hard drive was put into use, when the operating system was installed, users of the computer(s), what external devices were connected and what files were opened from these connected devices. Some sample wording for these activities include:
1) Investigate and document the format date of the hard drive(s);
2) Investigate and document all dates of installation (and/or reinstallation) of the operating system;
3) List all Windows accounts, including all administrator accounts, system accounts and user accounts, and include documentation of the following information for each account:
a) When the account was created;
b) When the account was last accessed (used);
4) Investigate and document the existence of any type of external device connected to any hard drive (e.g., thumb drives, CD-ROMs, DVDs, external hard drives, etc.);
5) Investigate and document the dates, types of software, manufacturers of any software, and name(s) of any software used to potentially wipe, erase, or shred data on any computer hard drive(s);
6) Investigate and document the dates and name(s) of any software used to perform virus scans, and whether such programs were used; and
7) Investigate and document the existence of any link file(s) that show files being opened from any remote location, CD/DVD or an externally connected device.
In summary, this blog post was designed to help lawyers and clients understand the pros, cons and challenges when considering the use of protocols. I hope it has helped you gain a better understanding of how to approach trade secret investigations from a technical perspective, causes you to ask a lot of technical questions, and to use your forensic expert as your “geek speak” translator.
Mr. Vaughn is a digital forensics expert who has given testimony in nearly 65 cases involving topics such as evidence preservation, documentation of events, and computer forensic methodologies. In addition to being an EnCase Certified Examiner (EnCE), Mr. Vaughn is certified by the International Association of Computer Investigative Specialists (IACIS) as a Certified Forensic Computer Examiner (CFCE). Mr. Vaughn has extensive experience working on litigation and consulting matters involving computer forensics, e-discovery and other high technology issues. He serves his clients through the litigation or consulting lifecycle by assisting them with important issues like data scoping, preserving, gathering, processing, hosting, review and production, as well as deeper diving issues uncovered through the use of computer forensics. Mr. Vaughn can be contacted at firstname.lastname@example.org. Please note that each case may be unique and this single blog post is not intended to fully cover everything related to trade secret investigations or constitute advice, legal or otherwise. It is always best to consult a qualified person to assist with any investigation.