Helping an Attorney Prove an Employee Theft/Theft of Trade Secrets Case with Computer Forensic Evidence: Part 2

Article Posted: June 02, 2010

Part one of this article talked about how you can help attorneys meet their professional obligations by providing advice on the preliminary steps that need to be addressed to preserve electronically stored information in employee theft cases.

Only after these steps are completed can the actual data on the computer be analyzed using specialized forensic software. It is useful for the attorney to understand the typical types of information that can be gleaned from a forensic examination in an employee theft situation. The hard drive can be examined for any existing active files that are of a proprietary nature. An examination of the file structure and file names is made, since this can often demonstrate culpable conduct on the part of the employee. For example, the employee may have copied a key marketing memo by viewing the document on the network and then doing a "save as" to his local computer. To disguise the fact this proprietary information was copied, the saved file was named "vacationplans.doc" and was placed in a series of nested folders that make it appear the file is personal in nature, e.g., C:\Documents and Settings\JoeSmith\VacationPlans\WisconsinDells_2010. When, during the course of the examination, the examiner locates the memo using keyword search techniques, the fact that the file was saved with this file name and in this file location provides evidence of culpable activity on the employee's part.

If the employee was a little more sophisticated than the average employee, he might understand that you can change the extension of the file name to disguise it. Thus, "vacationplans.doc" might be renamed "plans.dll." A cursory look at the file name would lead you to ignore the file as some type of system file. If you looked at the file in Windows Explorer you would find the icon was changed and you would no longer see the typical Microsoft Word icon next to the file name. The employee would know that if he wanted access to the file he would only need to rename the file and change the extension back to the original. Using forensic software, however, this attempt to hide the document would easily be discovered. Most file types begin with a standard header, or file signature, that identifies the format and is independent of the extension or the icon that appears in Windows Explorer. The forensic software can be used to identify all files by type from this signature, and this will enable the examiner to show that the file named "plans.dll" was in fact a Microsoft Word document that is a copy of a proprietary memo that was originally found on the employer's network. Again, this is evidence of culpable conduct which is even stronger than the mere existence of a file on the local hard drive or the fact that it is hidden in a series of nested folders and renamed. You might be able to explain away the fact that you "accidentally" made a copy of a file to your local computer, but if you rename it and change the extension you would be hard pressed to claim this was an innocent act.
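The extension-versus-signature check described above, as an added illustration (this is not code from the article or from any forensic product): it reads the first bytes of each file, looks them up in a small constructed table of file signatures, and flags files whose extension does not belong to the format the header reveals. The signature table and the sample tree (a Word 97-2003 document renamed "plans.dll" beside a genuine PE file) are constructed for the example; a real forensic suite carries hundreds of signatures and also inspects the file body, not only the first bytes.

```python
import os
import tempfile

# Constructed signature table: leading bytes -> format description.
# Only a handful of common formats; a forensic suite knows far more.
SIGNATURES = {
    b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1": "OLE2 compound document (Word 97-2003 .doc/.xls/.ppt)",
    b"PK\x03\x04": "ZIP container (.docx/.xlsx/.zip)",
    b"MZ": "Windows PE executable (.exe/.dll)",
    b"%PDF": "PDF document",
}

# Extensions that legitimately carry each format (assumption for this example).
EXPECTED_EXT = {
    "OLE2 compound document (Word 97-2003 .doc/.xls/.ppt)": {".doc", ".xls", ".ppt", ".msg"},
    "ZIP container (.docx/.xlsx/.zip)": {".docx", ".xlsx", ".pptx", ".zip", ".jar"},
    "Windows PE executable (.exe/.dll)": {".exe", ".dll", ".sys", ".scr"},
    "PDF document": {".pdf"},
}


def identify(path):
    """Return the format description for the file's header, or None if unknown."""
    with open(path, "rb") as f:
        head = f.read(16)
    for magic, desc in SIGNATURES.items():
        if head.startswith(magic):
            return desc
    return None


def find_mismatches(root):
    """Walk `root` and return (path, extension, detected_format) for every file
    whose extension does not belong to the format its header identifies."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            kind = identify(path)
            if kind is None:
                continue  # unknown header: nothing to compare against
            ext = os.path.splitext(name)[1].lower()
            if ext not in EXPECTED_EXT[kind]:
                hits.append((path, ext, kind))
    return hits


def build_sample_tree():
    """Constructed sample: a Word 97-2003 document renamed to plans.dll, the same
    document under its honest name, and a genuine (minimal) PE file."""
    root = tempfile.mkdtemp()
    ole_doc = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1" + b"\x00" * 24
    with open(os.path.join(root, "plans.dll"), "wb") as f:
        f.write(ole_doc)
    with open(os.path.join(root, "vacationplans.doc"), "wb") as f:
        f.write(ole_doc)
    with open(os.path.join(root, "real.dll"), "wb") as f:
        f.write(b"MZ" + b"\x90" * 30)
    return root


if __name__ == "__main__":
    for path, ext, kind in find_mismatches(build_sample_tree()):
        print(f"{path}: extension {ext!r} but header says {kind}")
```

Run against a mounted image or an exported file set, the list of mismatches is the starting point for the examiner: each flagged file is opened with the viewer for its true format and compared, by keyword or by hash, with the documents on the employer's network.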

Assume that after the employee decided to steal information, and as part of the planning process, he created shortcuts on his desktop to key documents on the corporate network. He wanted to be sure he could find the documents quickly when it came time to copy them to a thumb drive. These links will be identified during the course of a forensic examination. Even if the employee copied the files to a thumb drive, and not to the actual hard drive of the employee's computer, the links will remain; and they will point to the location on the employer's network where the original files reside. Thus, the presence of the link files, when looked at in conjunction with the source files on the network server, will serve as evidence that the employee had targeted these key files.

The lawyer should be told that if the files were copied to a thumb drive, there is additional information that can be found in a forensic examination that will corroborate the fact that a thumb drive was attached to the employee’s computer. A registry analysis will identify every external device that was attached to the computer by the date the device was connected, the time the device was connected, and the name and serial number of the device that was connected. It won’t tell you who was on the computer at the time or which files were copied, but it will provide some evidence that can be followed up in further discovery that can establish the theft.

In a typical situation it’s common that external memory devices were attached the day or night before the employee quit, which by itself is circumstantially suspect. It is useful evidence to include in an affidavit or in testimony in support of a motion for a temporary restraining order. The registry analysis will provide the necessary information to identify the devices that were attached, and requests for production of these devices to the employee can follow in the course of further discovery. An expedited order to produce could be obtained as part of the requested injunctive relief, and if upon forensic examination of the thumb drive the suspect files are found you’ve established employee theft.

A registry analysis can also provide evidence of suspect software being installed and then uninstalled. Someone who wants to copy large volumes of information may simply want to copy the entire hard drive. This is particularly true if the employee uses a laptop. They are more likely to keep local copies of key information on a laptop. Since they can take the laptop off site they may be tempted to simply copy the entire hard drive to an external drive or another computer using software like Norton Ghost. They may try to cover their tracks by using software like Evidence Eliminator or Evidence-Blaster. While they may succeed in overwriting deleted data, making the deleted files unrecoverable, the fact that they installed and then uninstalled evidence wiping software a day or two before they quit will remain in the registry. This raises the interesting question of what type of evidence is worse: the forensic recovery of deleted files showing proprietary information was on the employee's computer but deleted, or the presence of unauthorized evidence elimination software that could only be present for the purpose of spoiling the evidence. If you are lucky you may get both.

The attorney should be advised that another common way to steal information is to e-mail it as an attachment. Some employees are foolish enough while using their work account to e-mail documents directly to a personal e-mail account. Others may think that by sending the information to a legitimate recipient, while blind carbon copying their personal e-mail address, they will hide the fact they’ve transmitted something to themselves. Since experience shows that employees will do this, the e-mail server and any e-mail related evidence that remains on the employee’s computer should be examined. More often the employee thinks that by using web-based e-mail they can avoid detection. They sign on to a Hotmail or Yahoo account and forward information home thinking no one at work will ever know what they did. Using the Internet, however, leaves forensic tracks and an Internet usage analysis will disclose the use of web based e-mail, information about the e-mail, the names of the files that were attached, and possibly cached copies of the attachments if they were opened in the browser for review before sending.

Some employees don’t understand that deleting a file, or even emptying the recycle bin, does not mean a computer file cannot be recovered. Be sure to explain that unless the original data has been overwritten with new data, a file can be recovered using forensic software tools. Thus, another important aspect of a forensic examination is the examination of deleted but recoverable files. In many instances the entire file can be recovered. In some cases only portions of a file can be recovered. However, even file fragments provide information about the original file. Employees who copy information from the network to their local hard drive, then copy files in bulk to a removable storage device, and then delete the files on their local computer, have not eliminated evidence of what they have done. By restoring the files you can determine from the metadata when they were originally created, when they were last modified, and when they were last accessed. In addition, given that each file has an individual hash value, and assuming the files were not modified in any way that would alter the hash value, it is possible to correlate the deleted information with the original files on the network server and on the computer or external drive to which they were copied.
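The hash correlation described in the preceding paragraph, as an added example that is not part of the article: every file on the network share is hashed with SHA-256 and compared against the hashes of files recovered from the local drive and of files on the produced thumb drive, so that a copy is matched by content no matter what it was renamed to. The three directories and their contents are constructed for the example. It also shows the limitation the paragraph mentions: the truncated "fragment" recovered from the local drive hashes differently from the original and is therefore not matched, so fragments have to be tied to the source by keyword or by comparing their content, not by hash.

```python
import hashlib
import os
import tempfile


def sha256_of(path, chunk=1 << 20):
    """SHA-256 of a file, read in chunks so large files do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def hash_tree(root):
    """Map sha256 hex digest -> list of file paths under `root`."""
    index = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            index.setdefault(sha256_of(path), []).append(path)
    return index


def correlate(source_root, *other_roots):
    """For each file under `source_root` (the network share), list the paths in the
    other locations holding a byte-identical copy. Returns {source_path: [copies]}."""
    src = hash_tree(source_root)
    others = [hash_tree(r) for r in other_roots]
    report = {}
    for digest, paths in src.items():
        copies = [p for idx in others for p in idx.get(digest, [])]
        for source_path in paths:
            report[source_path] = copies
    return report


def summarize(report):
    """Collapse the report to {source file name: number of identical copies found}."""
    return {os.path.basename(p): len(copies) for p, copies in report.items()}


def build_sample():
    """Constructed: a share with two documents; a 'recovered from local drive'
    folder holding one full copy under a disguised name and one truncated
    fragment; a thumb drive holding one full copy."""
    share, local, thumb = (tempfile.mkdtemp() for _ in range(3))
    memo = b"CONFIDENTIAL marketing plan, Q3 2010 launch ... " * 200
    pricing = b"customer,unit price,discount ... " * 300
    with open(os.path.join(share, "marketing_memo.doc"), "wb") as f:
        f.write(memo)
    with open(os.path.join(share, "pricing.xls"), "wb") as f:
        f.write(pricing)
    with open(os.path.join(local, "vacationplans.doc"), "wb") as f:
        f.write(memo)                      # full copy, renamed
    with open(os.path.join(local, "pricing.xls"), "wb") as f:
        f.write(pricing[:1000])            # only a fragment survived deletion
    with open(os.path.join(thumb, "pricing.xls"), "wb") as f:
        f.write(pricing)                   # full copy on the produced device
    return share, local, thumb


if __name__ == "__main__":
    share, local, thumb = build_sample()
    for source_path, copies in correlate(share, local, thumb).items():
        print(source_path)
        for c in copies:
            print("    identical copy:", c)
```

The matches come with the full paths of the copies, so the report already shows the renaming and the nested-folder placement discussed earlier, and the hashes of the originals can be recorded in the affidavit so that the same comparison can be repeated on any further device the employee is ordered to produce.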

Finally, don’t forget that in this day and age of telecommuting employees, home computers may be a rich source of evidence. Advise the attorney that a preservation letter followed by a motion seeking an order requiring preservation should be issued immediately. In many cases, particularly if insufficient evidence is obtained by analyzing the work computers, an analysis of the home computer is warranted. Evidence pointing to the use of home computers can be obtained by reviewing network logs indicating the dates and amount of time an employee was connected to the employer’s network. If the dates are suspicious or the amount of time connected seems suspect, a legitimate basis to compel production of the home computer can be made.

There is much more that a forensic examination of a departed employee’s computer can disclose, but the foregoing examples give a good idea of the types of information that can typically be obtained through computer forensics. The vast majority of attorneys don’t have this basic knowledge and they need to be educated. They need to be shown that early analysis of ESI can give them much more evidence to use when seeking injunctive relief. Because electronic data is by nature volatile, preservation concerns must be at the top of your list when working with an attorney on a new employee theft case. Explaining what you can get through early computer forensic analysis and e-Discovery should help you and the attorney understand the issues and take the necessary preliminary steps to build a strong case—one strong enough to support a winning motion for a temporary restraining order.

Bruce A. Olson is President of ONLAW Trial Technologies, LLC, a consulting firm offering trial technology, e-Discovery, and computer forensics services. Previously, he was a shareholder in the Milwaukee-based law firm of Davis & Kuelthau, s.c. A trial attorney and nationally recognized legal technologist, Olson is AV rated and Board Certified by the National Board of Trial Advocacy. He is co-author of "The Electronic Evidence and Discovery Handbook: Forms, Checklists and Guidelines," published by the American Bar Association. He received the prestigious TechnoLawyer of the Year 2002 @ Award from TechnoLawyer, and was Chair of ABA TECHSHOW 2004, Vice Chair of ABA TECHSHOW 2003, and served on the TECHSHOW Board of Directors from 2000-2004. He can be contacted at (920) 750-8083 or bolson@onlawtec.com.