In four recent blogs, we explained how metadata can identify who authored, edited, or accessed a file – evidence that may be critical in proving or defending a claim of theft of trade secrets, click here to view Part I, Part II, Part III or Part IV of the metadata series. Metadata was our good friend in securing a $20-million-plus-sanctions victory for our client in a 42-day theft of trade secrets trial.

If you suspect a theft of your trade secrets, your legal, technology, and human resources personnel should keep in mind another possible good friend.  Our other good friend was evidence about the devices that defendant used to store and transmit the stolen files.  Those devices included our adversary’s server, laptops, external hard drives, and thumb drives.  We focused on these devices when we realized that the defendant failed to produce documents that we obtained from third parties, but that had been sent to or from the defendant.  When we brought the defendant’s systematic failure to produce and related issues to the court’s attention, the court directed the imaging of the defendant’s server and the laptops of its two key executives, and our expert got to review the image.

That imaging broke open the case.  Perhaps most important, the imaging established that the defendant had destroyed evidence by scrubbing the server and the two key laptops shortly before they were to be imaged (i.e., destroying evidence), see metadata series, Part IV.  That spoliation was a major factor behind the judge’s decision to enter a multi-million-dollar sanctions award against the defendant.

The imaging also revealed damning information about how the defendant had subverted the imaging exercise.  Defendant’s forensic expert testified that the defendant had collected thumb drives and external hard drives for imaging by simply asking the defendant’s employees if they had any electronic storage devices that could be relevant to the case, without any independent effort to determine the identity of the storage devices actually connected to the defendant’s network at the relevant periods.  This was tantamount to investigating a wrongdoing by relying on the honor of the wrongdoer.  That process resulted in the defendant producing a grand total of three removable devices for imaging.

There’s no excuse for relying solely on the memory and good faith of people to determine what devices might be relevant in such a situation.  Technology can do it for you.  When the defendant’s server and the two key laptops were imaged, the image revealed 51 instances of various removable storage devices (external hard drives and thumb drives) being inserted into the server and/or two key laptops at critical times.  Specifically, a forensic software known as Encase detects each time a removable storage device is inserted into a computer or server, along with a host of other information about the inserted device and dates and times of related activity.  The 51 “instances” meant that some combination of these external devices were inserted on a total of 51 different occasions into the server and/or two key laptops.

The Encase data was a bombshell.  Why had the defendant produced only three removable devices for imaging?  Where were the other 48 thumb drives and external hard drives that had been inserted into the three key devices?  And why were the same two unproduced and unimaged devices both inserted into the laptops of the two executives on key dates in the case?

The defendant’s failures were magnified by the omissions of defendant’s forensic expert.  Why had defendant’s forensic expert not examined this Encase data?  And why had defendant’s forensic expert not reviewed that part of our expert’s report detailing the Encase data about these 51 records?  We suspected the expert failed to do these things because the defendant and/or defense counsel would not authorize the expert to do these things, presumably in the hope of preserving some shred of deniability.  The judge wasn’t buying our adversary’s willful ignorance.  When defendant’s expert admitted on cross-examination to ignoring this part of our expert’s report, the judge was incredulous.  In the end, defendant had no explanation for its failure to conduct a reasonably diligent search for the external storage devices that had been connected to the defendant’s network prior to their destruction of evidence.  The judge’s answer was the multimillion-dollar award of sanctions against the defendant.

Whether you’re playing offense or defense, your legal, technology, and human resources personnel need to understand the potential power of such imaging.  Electronic images travel from one device to another via thumb drives or external hard drives that can store files by the hundreds of thousands.  Inserting an external device into a server or a computer may seem innocuous and it may or may not be the act of a misappropriator, but it may lead to the disclosure of evidence that has been altered or destroyed.  The use of such external storage devices is both detectable and potentially revealing.