INTELLECTUAL PROPERTY THEFT INVESTIGATION REPORT

Edwin Amuga
Feb 19, 2022

Executive summary
ACME Construction Company is facing possible intellectual property theft by a rival company in the vehicle market. The company stands to lose millions of dollars worth of business if the theft succeeds. The rival company is secretly obtaining construction designs of vehicles and heavy machines through one of ACME's senior employees, Drew Patrick, who has apparently given the rival company his computer access details so that it can steal data, in exchange for a promised managerial position there. An investigation has been initiated to examine the exchanges through IP peer-to-peer traffic, R&D database access, corporate emails, domain name server access, chat messages, dynamic host configuration server access, Drew's computer hard drives, HTML, firewall packet capture logs, hidden data and temporary files, and the intrusion detection system. This report seeks to identify evidence that may be used for legal action against the suspected company and Mr. Drew Patrick.
Investigation resources, knowledge, and skills
Investigation resources include cameras for photographing devices involved in IP cybercrimes and recording their markings and specifications; procedures for safely seizing devices and moving them into evidence repositories; tools such as the AccessData Forensic Toolkit (FTK) Imager for hard drive cloning, so that two image copies with matching hashes exist, with the original disk and one image locked in a forensic safe; careful scrutiny of all documents; IsoBuster or another deleted-file recovery tool; a search of all email for details of IP or proprietary sales to third parties; an assessment of the value of the discovered IP; and preparation of reports to legal standards, such as attaching printouts of the findings (Wang & McDaniel, 2018).
Methods
An investigation was launched into the suspicion that Mr. Drew had colluded with a rival company in industrial espionage and possible data and intellectual property theft. A forensic investigation team took up the claims raised by the human resource manager. The team captured the relevant computer system log files and created a copy of Mr. Drew's computer hard drive. Corporate emails, physical access logs, and the dynamic host configuration and domain name server records were examined through the captured log files.
Drew's computer hard drive, a Western Digital 500GB drive with serial number NB4973556F, was seized and placed under chain of custody. The forensic toolkit software was used to duplicate the drive so that the original was preserved and all analysis could be done on the image. Hash values of the original drive and the copied image were then compared to confirm that the two were identical. Because the image held a Windows-based operating system laid out as a New Technology File System (NTFS), Autopsy and the Windows Forensic Toolchest were used to analyze it. The files needed for further analysis, such as SQL, email, HTML, chat, and Excel files, were set aside using the sort and index functions.
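The hash comparison described above, written out as an added example (this is not code from the report or from any of the tools it names): each image is streamed through a hash, every digest is compared with the digest of the evidence drive, and the result is returned as a record that can be filed with the chain-of-custody paperwork. The file names, the 1 MiB sample "drive" and the deliberately damaged third image are constructed for the demonstration.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # read 1 MiB at a time so a multi-GB image never sits in RAM


def hash_file(path, algo="sha256"):
    """Stream a file through hashlib and return its hex digest."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def verify_images(original, copies, algo="sha256"):
    """Hash the evidence drive and each image; every image must match bit-for-bit.
    Returns a record that can be filed with the chain-of-custody paperwork."""
    reference = hash_file(original, algo)
    digests = {os.path.basename(c): hash_file(c, algo) for c in copies}
    return {
        "algorithm": algo,
        "reference": reference,
        "copies": digests,
        "all_match": all(d == reference for d in digests.values()),
        "verified_at": datetime.now(timezone.utc).isoformat(),
    }


def write_blob(path, data):
    with open(path, "wb") as f:
        f.write(data)
    return path


def run_demo():
    """Constructed sample: a fake 1 MiB 'drive', two clean images, one damaged image."""
    workdir = tempfile.mkdtemp(prefix="acme_img_")
    payload = bytes(range(256)) * 4096  # constructed, non-real data
    drive = write_blob(os.path.join(workdir, "evidence_drive.bin"), payload)
    clean = [write_blob(os.path.join(workdir, n), payload)
             for n in ("image_working.dd", "image_sealed.dd")]
    # one byte changed at the very end: a size check alone would not catch this
    damaged = write_blob(os.path.join(workdir, "image_damaged.dd"),
                         payload[:-1] + b"\x00")
    return verify_images(drive, clean), verify_images(drive, clean + [damaged])
```

Running `run_demo()` returns two records: the first reports `all_match` as true for the two clean images, the second reports false because the damaged image's digest differs from the reference.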
Findings
Further analysis showed that many Microsoft Outlook emails referring to the proprietary information were exchanged between Drew and an unknown party. Several of the correspondents were not ACME Corporation email accounts, and some of the messages promised information about the design of the equipment. Some of the emails sought assurance about the promised managerial position. AOL Instant Messenger logs revealed several chat conversations containing information suggesting that Mr. Drew was in possession of proprietary documents. The Microsoft SQL database logs revealed connections to a remote SQL server holding proprietary information. Some of the discovered files had been encrypted, and the forensic investigation team was not able to decrypt them. Examination of Microsoft Excel data showed many files with .xls and .csv extensions on the hard drive containing parts lists and specifications for the construction of proprietary equipment. Examination of HTML recovered from the web browser cache showed a search for proprietary information brokers on the dark web and the creation of an email address, contructionseller@darkweb.com, for transactions with potential buyers. The internet cache also revealed YouTube searches on selling intellectual property on the dark web. Recovered browsing history showed picture illustrations of how to encrypt SQL database files, and search engine history showed that the user had sought information on how to exploit SQL database vulnerabilities. Examination of hidden and temporary files and slack space found hidden files in the slack space and temporary internet files from the user's searches on ways to advertise stolen data and how to hack SQL servers; the recovered information was read using Notepad.
Discussion
Legal concerns
It is clear that intellectual property theft is taking place in the ACME Corporation through one of its senior managers, who intends to sell the stolen material to a rival company in exchange for a managerial position there. A number of laws protect intellectual property rights, including copyrights, proprietary rights, trademarks, and patents, and these can be the basis for a lawsuit for damages (May, 2015). As the cyber-security practitioner on the case, I am consulting with an attorney to assess and organize the evidence and to counter defenses such as lack of intent to steal the property, lack of ownership or legal protection over the stolen materials, and an unclean hands defense, for example waiting for years to file suit in order to increase damages. The accused could face heavy fines, long terms of imprisonment, seizure of the stolen property, loss of business licenses, and recovery of lost profits and financial damages.
Chain of custody maintenance
Throughout the investigation, a chain of custody was maintained by limiting the number of individuals handling evidence, confirming all names, ID numbers, and dates on the documents, protecting all evidence with properly marked and sealed packaging, and obtaining signed and secure receipts for each evidence transfer (Wang & McDaniel, 2018).
Recommendations
Further data and metadata analysis should be done to gain more insight into the suspect's actions and intentions. Answers to the investigative questions raised by the attorneys and company managers should be provided (Halbert, 2016). A thorough digital forensic examination should reach the uncommon and hard-to-access places where data lurks, such as the registry's system and program settings, live files, and records of user actions and preferences. An extensive investigation should also include software forensics: analysis of program code, including machine or object code, to establish evidence of program authorship.

References
Halbert, D. (2016). Intellectual property theft and national security: Agendas and assumptions. The Information Society, 32(4), 256–268.
May, C. (2015). The global political economy of intellectual property rights: The new enclosures. Routledge.
Wang, S. Y. K., & McDaniel, J. J. (2018). Piracy and intellectual property theft in the Internet era. In Advanced methodologies and technologies in system security, information privacy, and forensics (pp. 59–70). IGI Global.