Cyber Crime: Not Just Identity Theft

Consumers receive regular warnings about personal identity theft, software piracy and illegal downloads, but business and industry face even greater financial exposure from cybercrime — criminal activity carried out through the use of a computer.

Cyber attacks involving the theft of intellectual property (IP), confiscation of online bank accounts, the distribution of viruses or malicious code, and the compromise of a nation’s critical infrastructure information accounted for more than $388 billion dollars in losses worldwide between 2010 and 2011, according to the Norton by Symantec “Cybercrime Report 2011.”

IP theft by current or former employees can be devastating to businesses.

The connected world we live in allows access to innumerable methods for moving IP out of an organization. Cloud services and online backup purveyors provide secure locations to move IP for later access elsewhere. Portable devices such as flash drives and external hard drives can hold thousands of pages of IP and are easily loaded and transported. Mobile devices such as BlackBerrys, iPhones and other PDA’s can store IP similar to a flash drive and typically house a camera perfect for discreetly taking and storing photographs and videos. Email also can be used to transfer IP.

All this movement of IP can go unnoticed, especially when executed by a trusted employee. Foreign businesses have become more aggressive in their attempts to compete with U.S. companies, and criminal organizations seek to add to their portfolio of available information for sale on the black market.

Once theft is detected, a prompt and thorough investigation of computer systems, electronic storage devices and electronic data is necessary to determine how the crime was committed.

Unfortunately, detection usually occurs after the IP has already been transferred — often to the new employer of the individual who took the IP. Only a thorough investigation and analysis of computer systems and data can determine the specifics of the theft.

What to Do After a Theft

Several steps need to be followed to preserve evidence when an internal IP theft is detected to prevent tampering and destruction.

First, the necessary parties, including legal, security, human resources and IT must be notified of the theft.

Second, access to the IP must be controlled to prevent more breaches. This can be done through electronic and physical controls.

Third, all computers, electronic storage devices and portable devices that are or were being used by the person or persons suspected of taking the IP must be collected and locked away, and a chain-of-custody created for each item.

Finally, data from each of the devices should be preserved in preparation for investigation and analysis.

A competent computer and digital forensics expert will have the knowledge, experience and tools to properly protect, collect and preserve the evidence to execute the investigation and analysis to determine the IP theft’s specifics. Additionally, a forensic professional will be able to develop a report and testify about the methods used to preserve evidence and the findings of the investigation.

Certain considerations should be made when hiring a computer and digital forensics expert for an investigation.

Many states require a private investigator license to perform computer and digital forensics work. Also, the selected expert should have knowledge in proper handling of evidence, use of computer forensic analysis software and hardware, and operating systems that are part of the analysis. Knowledge of how devices and applications work together enhances the ability to determine what happened.

The expert also should have experience providing testimony. Written and verbal communication skills should be considered, as they may be required to develop an expert report and testify in the case. Poor communication skills can derail an excellent investigation, if the findings are not effectively conveyed.

Computer forensics certifications are available, but because there are no industry standards in computer forensics, certifications do not necessarily confer competence.

Case Study

An interesting case study in the use of computer and digital forensics in an IP theft case involves a senior engineer of an oilfield services company.

The engineer was working on advanced technology for the company and development of new products that would give the organization a competitive advantage. The engineer was provided a laptop as well as other computers by the company, and was allowed to copy his work to a portable hard drive. He took the hard drive home and worked on his personal computer.

Without notice, the engineer went to work for one of his employer’s competitors. There was suspicion the engineer took IP to his new employer. The company’s human resource and corporate legal departments were notified, and a lawsuit was filed against the former employee and his new employer.

A computer forensics expert was retained to determine if the IP was taken and if it was residing within the digital systems of the engineer’s new company. The expert was provided all computers used by the engineer, including personal computers and the computer used at his new employer. The expert was also provided the portable hard drive he used to copy his work. Forensically verifiable images were made of the hard drive, as well as hard drives from all the computers the former employee had accessed.

Forensic analysis of the hard drives was performed using industry recognized software, EnCase and Forensic Toolkit. The results showed the engineer copied substantial information to the portable hard drive the day before he resigned. It also showed the same files had been copied to his personal computers and the computer he used at his new company.

As a result, the engineer was barred by the court from working on this type of technology for a period of time. Regular third-party inspections of his current employer’s computer systems were required to ensure the previous employer’s IP was not accessible to anyone.

Intellectual property theft is a significant part of cyber crime. It is not always taken by an external party hacking into computer systems. The use of computer and digital forensics is invaluable in resolving cases of internal IP theft.