Forensics is not just a word for cops

Last year, two employees of AdvantaCare Health Partners resigned and launched their own start-up. Prior to leaving, they copied patient databases, confidential business plans, and other trade secrets, and used this information to compete with AdvantaCare. Before leaving, they tried to conceal what they had done by deleting copied files.

This case, which is common at companies with valued intellectual property (IP), was resolved through computer forensics. With IP theft, or compromised customer privacy data stored electronically, an effective computer forensics examination will identify those responsible.

IP theft typically involves technically-savvy insiders who steal digital information. So, without an effective computer forensics process, it is nearly impossible to detect and investigate something such as insider source code theft.

But this investigation was purely reactive. The insiders only raised suspicions when they started their own firm.

Another case, however, is an excellent example of how to get it right.

Chip design firm Broadcom recently announced the prosecution of seven former employees for the attempted misappropriation of critical intellectual property. The investigation began when Broadcom grew concerned over the sudden resignation of several technical employees.

The company immediately launched an enterprise computer forensics investigation, which according to its complaint, quickly uncovered "a well-orchestrated, international scheme to steal from Broadcom trade secrets... worth millions of dollars."

Broadcom's court filings describe recovered emails where the former employees solicited co-conspirators still on the inside to provide copies of chip designs for use by the new start-up.

Broadcom successfully stopped this scheme in its tracks and mitigated what could have been crippling losses thanks to an effective proactive computer forensics investigation that went beyond automated controls to uncover a serious fraud.

By employing best practices technology, Broadcom successfully preserved and documented the evidence to enable prosecution.

Enterprise computer forensics can quickly uncover any deleted or hidden data, web-based email, instant messaging and normally undetected P2P file sharing. A corporate security team without this capability is at a severe disadvantage when investigating internal IP theft.

Additionally, companies victimized by IP theft must be able to pursue all available legal remedies, such as the Federal Computer Fraud and Abuse Act of 1986.

Broadcom invoked this law to successfully secure an injunction preventing the new startup from engaging in competitive activity and froze most of the liquid assets of the main perpetrator.

But courts do not grant such relief without a strong, compelling case supported by the sort of solid and verifiable evidence that computer forensics provides.

In the past, corporate security teams shied away from computer forensics because of legacy manual processes that, for large enterprises, did not scale and were highly disruptive of operations.

Now network-enabled IT forensics technology allows the analysis and collection of evidence over a network from distributed locations and, as the technology operates in a live environment, without disrupting operations.

With enterprise computer forensics, detailed, remote and non-invasive searches of multiple systems anywhere on a WAN are now routine. The virtual elimination of the need to travel or conduct system-wide searches means that investigation costs are cut by up to 95 percent.

Many organizations are placing enterprise computer forensics into their core security and controls processes, including the detection and investigation of IP theft.

John Patzakis is vice-chairman and chief legal officer of Guidance Software, Inc.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.