Welcome to part 3 of this three-part series. Part 1 covered the BYOD concept and the storage devices/areas considered in trade secret investigations, Part 2 covered forensic artifacts potentially located on devices such as BlackBerrys, iPhones/iPods or Androids, and Part 3 covers the design and application of protocols.

Because protocols are necessarily fact- and equipment-specific, this is not intended to be an out-of-the-box protocol. Instead it is a pseudo-protocol meant as an attorney's guide to the discussion points you will probably cover with your forensic expert when drafting an actual protocol.

Let’s assume a set of hypothetical facts: Several departed employees went to work for the same competitor. These employees may have left all at once, or through a trickle effect over time that eventually raised suspicion. The former employer has raised theft of trade secrets allegations.

How do the facts play into the need to develop a protocol, or do they?

Within these facts, an effective protocol should include the means to identify, preserve, collect, review, produce (return) and remediate the data of interest. These protocol guidelines are intended to assist Plaintiffs, Defendants or Forensic Neutrals.

The Anatomy of a Protocol

What is a Forensic Protocol? For purposes of this blog I will describe it as a set of agreed-upon instructions between the legal team(s) and the forensic team(s) that provides for the consistent, methodical, high-quality collection, cataloging, and analysis of electronic devices.

In addition to how to produce and remediate, a typical protocol will contain instructions on how to mechanically collect your devices, instructions on how to document your devices and instructions related to the analysis of interest.

You may also desire to pre-plan and document searches of the collected data for specific keywords, investigate the usage of online repositories for storage of sensitive data, search for personal email usage and investigate the transfer of sensitive data to personal computers or other personal devices such as smart phones or tablets.

You may consider the inclusion of custodian questionnaires and/or affidavits from the individuals involved. These are designed to give peace of mind that all new-employer data sources and employee personal devices/storage areas have been identified, searched and remediated.

Your forensic expert should have a solid understanding of what questions to ask to understand the many types of data sources that could play a role in the investigation, and what company and system configurations need to be considered to execute an effective protocol.

Imaging/Collection of Data

Part 1 listed several data sources for consideration. If data collection techniques are part of your protocol, know that there are several ways to collect data and that the method of collection may depend on the source being collected. Included here are three different methods to forensically collect data from a workstation (e.g. laptop/desktop):

  1. The hard drive will be physically removed from the workstation(s) to be imaged and attached to one side of an industry-recognized forensic imaging hardware device.
  2. If it is deemed better to leave the original hard drive in the workstation for imaging, an industry-standard forensic software program capable of being run from CD will be used to create the forensic images.
  3. If the laptop is using encryption, the login credentials will be provided so that a live forensic image can be created.

For other data sources, there are specific methods and/or tools that are standard within the forensic community. Protocol language may be precise about the required tools, or more general, requiring only that the collection be performed and documented in a forensically sound way. Generally speaking, the larger the collection effort and the more people involved, the more helpful precise language will be. In either case your forensic expert should quality-control the forensic collections for completeness and accuracy.

Your protocol should include verbiage that will document particularities of each data source identified or collected as part of the protocol. This will include the computer/server’s make, model, and serial number, and if possible, documentation of the hard drive(s) located inside each computer. Depending on the circumstances, you may want pictures as part of the documentation.

Device Documentation/Analysis of Interest

Now that you have the evidence forensically captured, let's look at items you may want to include in the protocol as part of the analysis. These items will help you determine things such as when the hard drive was put into use, when the operating system was installed, who used the computer(s), what external devices were connected and what files were opened from those connected devices. Some sample wording for these activities includes:

  1. Investigate and document the format date of the hard drive(s);
  2. Investigate and document all dates of installation (and/or reinstallation) of the operating system;
  3. List all Windows accounts, including all administrator accounts, system accounts and user accounts, and include documentation of the following information for each account:
     a) When the account was created;
     b) When the account was last accessed (used);
  4. Investigate and document the existence of any type of external device connected to any hard drive (e.g., thumb drives, CD-ROMs, DVDs, external hard drives, etc.);
  5. Investigate and document the dates, types of software, manufacturers of any software, and name(s) of any software used to potentially wipe, erase, or shred data on any computer hard drive(s);
  6. Investigate and document the dates and name(s) of any software used to perform virus scans, and whether such programs were used; and
  7. Investigate and document the existence of any link file(s) that show files being opened from any remote location, CD/DVD or an externally connected device.
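
As an added example (not code from the original post or its author), here is a small parser for the Windows shortcut (.lnk) files that the last item above asks the examiner to document. It reads the target's timestamps and, from the LinkInfo block laid out in Microsoft's MS-SHLLINK specification, the drive type, volume serial, volume label and local path, then flags targets that sat on removable, optical or network media. The two sample shortcuts are constructed inline for offline testing, and the parser assumes ANSI (non-Unicode) LinkInfo strings.

```python
import struct
from datetime import datetime, timedelta, timezone

# Layout constants from the MS-SHLLINK specification (ANSI LinkInfo only; Unicode labels not handled).
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO = 0x01, 0x02
DRIVE_TYPES = {2: "removable", 3: "fixed", 4: "remote", 5: "cdrom", 6: "ramdisk"}
EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)  # FILETIME epoch

def filetime_to_dt(ft):  # FILETIME = 100-ns ticks since 1601-01-01 UTC
    return EPOCH + timedelta(microseconds=ft // 10)
def dt_to_filetime(dt):
    return ((dt - EPOCH) // timedelta(microseconds=1)) * 10
def cstring(data, off):  # NUL-terminated ANSI string starting at byte offset `off`
    return data[off:data.index(b"\0", off)].decode("ascii", "replace")
def parse_lnk(data):
    """Return the link target's timestamps and the volume it was opened from."""
    hdr_size, clsid, flags = struct.unpack_from("<I16sI", data, 0)
    if hdr_size != 0x4C or clsid != LNK_CLSID:
        raise ValueError("not a Shell Link (.lnk) file")
    ctime, _atime, wtime = struct.unpack_from("<QQQ", data, 28)
    info = {"target_created": filetime_to_dt(ctime), "target_modified": filetime_to_dt(wtime),
            "drive_type": "none", "volume_label": None, "volume_serial": None, "local_path": None}
    pos = 0x4C
    if flags & HAS_LINK_TARGET_ID_LIST:  # skip the shell item ID list (2-byte size prefix)
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:  # LinkInfo starts at pos; its internal offsets are relative to pos
        li_flags, vol_off, base_off = struct.unpack_from("<III", data, pos + 8)
        if li_flags & 0x01:  # VolumeIDAndLocalBasePath present
            vol = pos + vol_off
            _size, dtype, serial, label_off = struct.unpack_from("<IIII", data, vol)
            info.update(drive_type=DRIVE_TYPES.get(dtype, "unknown"), volume_serial=f"{serial:08X}",
                        volume_label=cstring(data, vol + label_off), local_path=cstring(data, pos + base_off))
    return info

def opened_from_external_media(info):  # link-file item: target lived on removable, optical or network media
    return info["drive_type"] in ("removable", "cdrom", "remote")

def build_sample_lnk(drive_type, serial, label, path, opened_at):
    """Construct a minimal .lnk (header + LinkInfo + terminal block) as offline test input."""
    label_b, path_b = label.encode() + b"\0", path.encode() + b"\0"
    vol = struct.pack("<IIII", 16 + len(label_b), drive_type, serial, 0x10) + label_b
    base_off, suffix_off = 28 + len(vol), 28 + len(vol) + len(path_b)
    li = struct.pack("<IIIIIII", suffix_off + 1, 28, 0x01, 28, base_off, 0, suffix_off) + vol + path_b + b"\0"
    ft = dt_to_filetime(opened_at)
    hdr = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LNK_CLSID, HAS_LINK_INFO, 0x20, ft, ft, ft, 0, 0, 1, 0, 0, 0, 0)
    return hdr + li + b"\0\0\0\0"
# Constructed samples: a spreadsheet opened from a USB stick, and a local file for contrast.
SAMPLE_USB = build_sample_lnk(2, 0x1A2B3C4D, "USB_DRIVE", "E:\\Projects\\customer_list.xlsx", datetime(2013, 6, 14, 9, 30, tzinfo=timezone.utc))
SAMPLE_LOCAL = build_sample_lnk(3, 0x0BADF00D, "OS", "C:\\Users\\jdoe\\notes.txt", datetime(2013, 1, 2, tzinfo=timezone.utc))
```

On a real image you would run parse_lnk over the .lnk files in each user's Recent folder and report those whose drive type is removable, optical or remote, alongside the volume serial so they can be matched against the external-device history documented under item 4.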

By Guest Author for TradeSecretsLaw.com