Forensic IT for intellectual property

What is the extent of IP infringement and what is the overall loss to business?

IP infringement, much of which is criminal, falls into two broad categories. The first is digital IP, which relates to electronic formats that are protected by copyright. The second is physical IP, which refers to counterfeiting of brand name products—anything from pharmaceuticals to electrical goods.

At the end of 2009, the Organisation for Economic Cooperation and Development reported that the global scale of counterfeiting and piracy of tangible goods had reached a value of $250 billion. Its study estimated that digital IP infringement would add another several hundred million dollars to that figure.

What kinds of IP issues are appropriate for investigation by computer forensics?

There are many IP issues that may require the application of computer forensics. Someone may have stolen some form of technology. There may have been a theft of business plans or customer lists. Or it may be that someone is pirating some form of media such as music, films or software.

What actually happens in a computer forensics investigation?

A computer forensic inquiry will generally fall into two parts. The first is the imaging of any suspect computer’s hard drive. In many cases, where a large company is involved, it may involve the imaging of a server, which is a much bigger job. The point of the imaging is to preserve the hard drive in an evidential manner. A copy of the first image will be used for the rest of the investigation.

The second step will involve a careful interrogation of the image. That usually means conducting a search of the image using keywords supplied by the client. The point is that the image will include not only saved documents and files, but most probably deleted documents as well—or at least fragments of deleted documents. It is during the search, which may take many hours, that evidence is produced.

What kind of evidence is likely to be produced by computer forensics?

Properly examined, the image will reveal the equivalent of fingerprints of wrongful activity. Usually the incriminating information will include dates of document creation, the dates of any alterations and the dates of any deletions. It is also likely to produce a trail of communications between the infringing parties.

Can you give us an example?

In one case, our forensic consultants were called in when a team of securities traders had been lured from one company to another. By a careful analysis of link files, event logs and metadata, and by recovering unallocated emails and fragments of documents, the technicians were able to show that the leavers had used web-based email accounts to circumvent the company’s email system to discuss their plans and had stolen market-sensitive information.

Is it appropriate for a business to use internal IT people for a forensic inquiry?

Most probably not. If a business happens to have a qualified forensic technician on its staff, then it’s okay. Otherwise, you are asking for trouble. If the work isn’t carried out to specific standards, the evidence will be open to challenge. In fact, when it comes to computer forensic work, we usually work closely with our sister organisation, Bishop International, because of its long history of working with computer forensic experts.

What is the most important advice for someone considering a computer forensics investigation?

First of all, if you suspect a computer may have been used for some IP infringement, don’t do anything with it. If it’s on, leave it on. If it’s off, leave it off. Call the experts. Any use of the computer will inevitably change some aspect of its configuration and that may, in turn, affect its quality as evidence.

Is it only big brand owners that need to be concerned about IP infringement and therefore consider the expense of computer forensics?

Definitely not. One of our clients is a provincial law firm that acts for a major sports organisation. The law firm suspected that one of its secretaries had been accessing information about certain sports contracts so that she could gossip about them with her friends. A computer forensics investigation proved that the suspicions were true. If it had continued, the leaking of sensitive contract negotiations could have severely damaged the reputation of the firm.

Does the use of computer forensics apply only to the theft of internal IP?

Not at all. Sometimes employees will use their company’s computer systems to sell counterfeit or pirated goods. The UK Intellectual Property Office survey in 2009 reported that 25 percent of its respondents said they had investigated the sale of IP-infringing goods in the workplace, including the use of company resources to create and publicise the sales.

Has computer forensic work demonstrated links between IP infringement and organised crime?

Absolutely. Software piracy in particular is highly profitable. As one expert said, when a kilo of fake CDs fetches 50 percent more than a kilo of cannabis, no one should be surprised that organised crime is involved.

Graham Robinson is managing director of Farncombe International. He can be contacted at: info@farncombeinternational.com