Computer (Digital) Forensic Case Studies
Evidence of Trade Secret Wiping Detected
In what started as a tortious interference case, K&F was provided with the former employee’s laptop computer that he improperly took with him at his departure. We were asked to search the drive's contents for documents meeting certain search criteria of trade secrets.
Our efforts uncovered numerous deleted files and e-mails evidencing considerable usage of the machine after the former employee’s departure despite his representations to the contrary. In fact, the recovered data evidenced date markings in e-mail chains extending up to just prior to the computer's production. Interestingly, the active data and file system depicted only occasional usage of the machine over the two years prior to its production.
One of the deleted items recovered was the log file of a wiping program memorializing the names of files that were of considerable interest to the litigation. The timing of the file wiping as memorialized in the log file coincided with the submission date of the opposing party's interrogatory answers claiming that those files did not exist.
Apparently, not only had all of the recovered evidence items been deleted prior to the computer’s production, but the entire drive had been reformatted and restored to the state captured in a system backup performed years prior. The system clock was then changed to a few different dates during the intervening period and minimal operations were performed in order to present a view of limited usage.
As a result of our findings and the former employee’s feeble explanations, such as the claim that the wiped data was of no substantive value, the Court granted our client’s motion for sanctions, entered a default judgment in favor of our client’s counterclaim, and dismissed the opposing side’s claims with prejudice.
Weekend Inspection & Search
A former employee accessed the computer network of his former employer without permission and was detected while downloading a number of company documents to a computer at his new employer.
K&F was retained to examine personal computers, network servers and other storage devices for instances of the former employer’s documents at the new employer and then remove them in accordance with a court ordered protocol.
Over a weekend we examined nearly 200 machines using our proprietary hashing programs that compared a hash library of nearly 200,000 documents of the former employer to document hashes on the machines of the new employer. The process identified about 20 machines, including servers of the new employer, that contained thousands of instances of the former employer’s documents.
More detailed examinations of the machines having documents with matching hashes revealed that the matches comprised both proprietary and non-proprietary documents. Interestingly, even the non-proprietary documents were stored in file paths matching those of the former employer that included unique folder names like clients, completed projects and current employee names of the former employer.
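The hash-library comparison and the matching-folder-path observation described above, as an added Python example (not K&F's proprietary programs). SHA-256, the function names and the sample files are assumptions constructed for illustration; the edited copy in the sample shows that an exact hash match misses any document that has been changed.

```python
import hashlib
import tempfile
from pathlib import Path

def sha256_file(path, chunk=1 << 20):
    """Hash a file in chunks so large files do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def build_library(reference_root):
    """Map digest -> path (relative to the reference set) for every reference file."""
    root = Path(reference_root)
    return {sha256_file(p): p.relative_to(root)
            for p in sorted(root.rglob("*")) if p.is_file()}

def sweep(target_root, library):
    """Return (target path, reference path, shared folder names) per exact match."""
    root, hits = Path(target_root), []
    for p in sorted(root.rglob("*")):
        if not p.is_file():
            continue
        try:
            ref = library.get(sha256_file(p))
        except OSError:
            continue  # unreadable file: set aside for manual follow-up
        if ref is not None:
            rel = p.relative_to(root)
            shared = sorted(set(ref.parent.parts) & set(rel.parent.parts))
            hits.append((rel.as_posix(), ref.as_posix(), shared))
    return hits

def demo():
    """Constructed sample data: a two-file reference set and a three-file target."""
    with tempfile.TemporaryDirectory() as tmp:
        ref, tgt = Path(tmp, "reference"), Path(tmp, "target")
        files = {
            ref / "clients/acme/pricing.txt": b"constructed pricing sheet",
            ref / "templates/letterhead.txt": b"constructed letterhead",
            tgt / "users/jdoe/clients/acme/pricing_copy.txt": b"constructed pricing sheet",
            tgt / "users/jdoe/pricing.txt": b"constructed pricing sheet, edited",
            tgt / "users/jdoe/notes.txt": b"unrelated notes",
        }
        for path, data in files.items():
            path.parent.mkdir(parents=True, exist_ok=True)
            path.write_bytes(data)
        return sweep(tgt, build_library(ref))
```

Calling demo() reports only the renamed byte-identical copy, together with the folder names its path shares with the reference set.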
Court Ordered Search
In a trade secrets case, the Court granted K&F 90 days to access more than 13 terabytes of the defendant’s computerized data to search and produce evidence of purloined trade secrets.
In that effort we forensically imaged 20 computer hard drives, restored 80 backup tapes and then searched and examined millions of documents and over 9 million e-mails with attachments for active, deleted and modified versions of trade secret documents and information that had been retained and used despite the defendant’s representations to the contrary.
Stolen Trade Secrets
As the recompetition for a large, multi-year government contract approached, an ambitious competitor enticed the incumbent's program manager to switch companies.
After the program manager left the incumbent for an unspecified opportunity, K&F examined the computer of the former employee and found that four thumb drives had been used to copy pricing data along with other staffing and management plans of the incumbent for the follow-on contract.
Web-based e-mail communications were also retrieved from the Windows swap file. They revealed weeks of exchanges between the former employee and management at the new employer regarding the recompete and a presentation meeting about the recompete's capture strategy that was planned a few days after the departure of the former employee.
After examining imaged hard drives of the new employer's management team, K&F determined that files of interest had been shared on several other thumb drives between the former employee and the new company management. K&F was also able to determine that critical media such as personal computers of key personnel, external storage media like hard drives and the shared thumb drives, and network servers containing files of interest had not been preserved despite specific and express instructions in a preservation letter.
The jury awarded the incumbent all of its requested damages related to trade secrets.
Falsified Hard Drive Detected
In a wrongful termination case, the terminated employee developed a counterclaim for uncompensated overtime for work performed at home on his personal computer. The employee was asked to deliver his computer for forensic examination in order to validate his claims.
K&F detected numerous anomalies in the hard drive artifacts that suggested a recently constructed device with a prepared presentation.
At deposition, the former employee was questioned about K&F's findings. With each explanation, subsequent anomalies became harder and harder to explain. Finally, the employee admitted that this was not the original drive on which he had performed his work. In fact, he had been so concerned about the forensic examination that the original drive had been physically mutilated, deformed and then melted with a blow torch.
Expert Withdraws Opinions
In a trade secrets case the former employer's expert had opined that the former employee had created CDs of company proprietary data prior to returning the computer.
K&F reviewed the expert's report and the evidence he had considered. K&F determined that the expert had misinterpreted the CD drive activity and that other artifacts related to the files in question actually confirmed that the files had not been copied at all.
At deposition, when questioned about the meaning of the other artifacts and of the CD drive activity, the expert withdrew his opinions.
Key Evidence Destroyed
After examining the hard drive of a laptop used by a former employee at its new employer, K&F detected that a key pricing model of the former employer existed on a USB flash drive and had been viewed from the new employer's laptop.
When the flash drive was produced, it was completely filled with vacation photos. K&F was able to confirm that, while taken several years before, the photos had been placed on the flash drive in the time between the device's production request and its actual production.
In addition, when other computers were produced, K&F was able to confirm that the same USB flash drive had been used on those computers as well and the pricing model viewed. Most important, although the new employer had developed its own pricing model, the former employee viewed the former employer's pricing model while developing bids on new projects using the new employer's pricing model.