Hacking Exposed
Page 34
EXPERT STATUS
In the preceding chapter, we talked about experts in the creation of reports. Specifically, we discussed what kind of reports should be created when you are deemed an expert for a certain capacity. You cannot simply deem yourself the expert; an expert must be retained by whatever attorney is litigating the case, and in some special cases by the court itself.
Expert Credentials
An expert witness, by definition, is a person who has more knowledge of some field than an ordinary person. What qualifies an expert is his or her ability to demonstrate his or her proficiency in his or her specialized area through statements and prior work history and training. No special class or certificate is necessary to become an expert. However, if challenged by the opposing party, the party presenting the witness must show to the court that the witness is a qualified expert in the field about which he or she is being asked to testify. This is typically demonstrated through a series of questions regarding the expert’s educational and occupational history and previous cases for which the expert may have testified. The ultimate arbiter as to whether a witness qualifies as an expert is the presiding judge.
Nontestifying Expert Consultant
A nontestifying expert consultant is an expert who works for the attorney and whose work under advisement of the attorney is considered privileged. As an expert consultant, you will be asked to investigate and review confidential documents in the suit so that you can render an opinion to the attorney. You, at times, may also be asked to communicate with the chosen testifying expert witness to give specific information or evidence for his or her review. You may also be asked to write declarations and affidavits in support of some work you have done. Typically, nontestifying expert consultants are exempt from being deposed or called to testify, as they have not been designated as testifying experts. Their existence is usually shielded by counsel and nothing requires that a nontestifying witness be identified as a person with knowledge of relevant facts. As such, the nontestifying expert can conduct his or her work in complete anonymity. However, a nontestifying expert may be asked to testify if the party requesting the testimony can show the court that the witness has firsthand knowledge of the facts at issue. Since most consulting experts learn the facts of a case through the eyes of others, they are rarely required to testify.
Testifying Expert Witness
A testifying expert witness is an expert who is employed by the attorney to review evidence and render an independent opinion based on his or her expertise in the area. As stated in Chapter 14, no privilege is implied for any work or communication that an expert witness carries out in relation to a lawsuit. As a testifying expert witness, any document you are shown and conversation you overhear or are a part of is open for questioning. Also, any document you create—from an electronic document, to an e-mail, to a doodle on a napkin—is considered work product. Any work product you create can be requested for production by opposing counsel, so be aware of this when you are creating your notes. Attorneys will generally ask their testifying experts to refrain from drafting any notes that include legal conclusions or the work product of the attorney. Reports are not to be prepared until a specific request is issued from either counsel. At times, your opinion as an expert will harm the client’s case. For that reason, your client may not want an expert report until it is specifically requested by opposing counsel. If it is not requested, counsel will likely try to de-designate you as an expert, not calling you to testify at deposition or trial.
Court-Appointed Expert
Sometimes a judge will appoint an expert to act as an independent expert for both parties. This happens often in criminal cases and smaller civil cases, where neither party has the knowledge or finances to find an expert on the subject. In addition, when a discovery dispute exists between the parties, a court will often designate an independent expert to look into the conflict and determine whether an alternative solution exists. As an expert for the court, all of the rules applied to an expert witness apply, but in addition you are required to be subjective as you are employed and paid by the court, not by either attorney.
Expert Interaction with the Court
As an expert representing a party, you cannot directly address the court or file motions stating your opinion. Instead, your ability to make written statements to the court is limited to affidavits and declarations in support of motions and expert reports such as those covered in Chapter 14. Other opportunities for you to make statements to the court do exist. Through testimony elicited by counsel for either party, you can state your opinion on the record at trial or at deposition. In addition, as previously discussed, if an expert report is prepared, it will likely be entered into the court record.
PART V
PUTTING IT ALL TOGETHER
CASE STUDY: NOW WHAT?
Even if you have a mastery of the technical fundamentals behind an investigation, it doesn’t mean you have a clear picture of how to conduct an end-to-end investigation. Mr. Blink studies all the forensic techniques he can get his hands on. He knows the registry inside and out. Decrypting files? He’s the expert. Disk wiped? Not a problem, as he is an expert with an electron microscope. In this case study, however, Mr. Blink learns that there’s more to forensics than just knowing a few clever techniques.
Mr. Blink Becomes an Investigator
Mr. Blink is known around the company for his interest in forensics. He’s always playing with various internals of the operating system, learning all the ins and outs. After an employee quit his job, Mr. Blink’s manager tells the CTO that he thinks the ex-employee may have taken some files with him and sent some harassing e-mails to other employees on his way out. Knowing that Mr. Blink has an interest in the technical aspects of forensics, the CTO hands Mr. Blink the ex-employee’s laptop and asks him to find out what happened.
Time to Understand the Business Issues
Quickly realizing that technical skill alone won’t crack the case, Mr. Blink draws up some questions for the CTO: What are we looking for? What types of files do we think he took? What kind of evidence do you need to take this issue to the next step? How can I ensure that everything I do is within the law?
By understanding the type of investigation he is undertaking, and understanding what type of evidence is common in this investigation, as well as the facts unique to this matter, Mr. Blink cracks the case. He shows exactly how the files were copied off the computer, how the former employee sent the threatening e-mails from home, and exactly which USB devices the files were copied to and what happened to them after they left the company.
As stated in Part I, forensics is a process that involves business, legal, and technical issues. By understanding how these issues interplay in the specific type of case at hand, Mr. Blink has become the most effective forensic investigator he can be.
CHAPTER 16
IP THEFT
Computer forensics, including the tips and techniques described throughout this book, are becoming increasingly important in safeguarding company assets. Computer forensics specialists are routinely working hand-in-hand with Certified Fraud Examiners and other investigators to identify and recover assets that have been stolen or otherwise misappropriated, as well as in support of efforts to halt their illegal use.
In the digital age, intellectual assets, more often than physical assets, drive much of the economy. Increasing product innovation in the last decade has resulted in an explosion of new products and industries. Protecting the ideas behind these efforts is a critical part of today’s corporate strategies and a critical component of today’s IT professional. The growth of patent filings over the past decade is indicative of the increasing importance of intellectual property in our daily lives and to the businesses that provide the services and products to which we are now accustomed.
Intellectual assets (i.e., intellectual property) comes in many forms and can seem like an obscure and ill-defined concept. However, intellectual property has become the lifeblood of every ne
w economy. Most things that are essential to our daily lives involve various intellectual property rights, including patents, copyrights, trademarks, or other trade secrets that help make one business more successful than another. From the clothes we wear and the cars we drive, to the foods and medicines we depend on to survive, intellectual property is all around us.
WHAT IS IP THEFT?
With the increased development of intellectual property over the past two decades, a new threat has arisen: intellectual property (IP) theft. Although IP theft is nothing new, the advent of the digital age has compounded the risks companies face from IP theft; it is now possible to fit hundreds of thousands of pages of electronic information onto something the size of a stick of gum. Whereas computer access was once limited to select employees within a corporation, today most employees have computers, or at least access to computers, including access to company networks. In addition, through the proliferation of e-mail, notebook computers, camera phones, Blackberrys, wireless communications, USBs and other portable storage devices, and CD and DVD burners, vast amounts of electronic information can be moved easily from one location to another with literally a push of a button. IP theft involves every industry, from health care to the energy sector, and information is at risk every day because employees can easily access, obtain, copy, and transport information.
As IP typically involves rights to the exclusive use of an invention, product, idea, or other creation through a patent, copyright, trademark, or other protective measure, it can be of significant value to its owner. Many companies and individuals jealously guard IP as it can be the key to their success. Musicians and record companies guard their music from unlawful reproduction through the Internet. Movie studios spend untold millions trying to guard their movie productions and prevent the unlawful copying and sale of movies on DVDs or other electronic media. While these are obvious examples, small companies can also have significant IP that needs protections, including customer lists, proprietary processes, and even marketing and advertising plans—any information that can be used as a business advantage. Since IP is valuable, it has become a target for theft, like other things of value.
Once IP is stolen, it is up to the IP owner to determine how, when, and what IP was stolen. IP theft can take many forms. From the copying (theft) of music and movie productions to the theft of technical design plans for the latest electronic gadget, IP theft involves stealing something of value that rightfully belongs to another.
Each company’s IP is individual and unique, depending on the industry, the market, the company, and the individuals involved. Some IP is in the form of physical plans and drawings, some is in the form of software code, a list of customers, or an individual’s ideas or know-how. The unlawful copying of a video, the illicit use of proprietary software code, the improper copying and distribution of a customer list, and the infringement on a company’s or an individual’s patent, copyright, or trademark are all forms of IP theft. The following types of IP theft are discussed in this chapter:
• Customer data
• Technology
• Trade secrets and other proprietary information
IP THEFT RAMIFICATIONS
While not all IP has clearly definable value, a significant proportion of the value of many companies today rests in their IP. As such, IP theft can have a detrimental impact on a company’s success. As the digital age blossomed, companies began turning their attention to the value of their IP and in protecting that IP. At the same time, related IP theft and the accompanying investigations and litigation also increased proportionately. In many ways, the theft of customer data, technology, or other proprietary information may be difficult to measure because it may not have an immediate or direct impact on a company. Unlike the theft of cash or other physical assets, IP theft, as well as the results of IP theft, can be more difficult to see. Eventually, however, the loss of customers, the company’s competitive position, and loss of profits can be unmistakable signs of stolen IP.
IP is typically a source, and sometimes the key, to a company’s competitive advantage in the marketplace, and its ultimate success. Stolen IP can be used by a company’s competitors to equalize the playing field or gain unfair advantage, or by former employees interested in establishing a foothold in the market through competing interests. The impact to the IP owner can be negligible, but it can be worth hundreds of millions to billions of dollars.
Loss of Customers
One the most common results of IP theft is loss of customers, as the IP owner may encounter new competition that did not previously exist, or, if a customer list was stolen, a competitor may use the list to woo customers away from the original company. Competing products may emerge, offering capabilities, functionality, and other features similar to those of the company whose IP was stolen. Often, and typically through the judicial process, it can be determined that the new competition, and the resulting loss of customers for the IP owner, was a direct result of the IP theft.
Manufacturing enterprises are particularly vulnerable to IP theft because of the significant amount of corporate secrets and know-how that can be involved in a manufacturing process. An undetected theft of IP related to manufacturing processes may give another company an advantage over time, yielding greater efficiencies in its operations and ability to compete more aggressively on price for the same customers.
Loss of Competitive Advantage
The ramifications from IP theft may not be direct or immediately noticeable. IP theft can result in a slow and gradual loss of competitive advantage. As a company’s trade secrets are stolen and used by competing interests in the marketplace, a company may lose the competitive advantage it once held in its industry. Ultimately, a company’s inability to compete effectively also results in the loss of customers and revenue, but the effects can be more gradual and difficult to ascertain, much more so than the direct loss of customers and revenue through pirated music or DVDs.
Unfortunately, as far as competitive advantage is concerned, the answer to the questions “What has value?” and “What needs protecting?” is the ubiquitous “It depends.” What drives competitive advantage for a business can be veritable laundry list of contributions to the overall value and success of the business—from engineering designs, CAD drawings, and product development cycles on the manufacturing side, to customer lists, competitive analysis, and marketing analysis on the sales side.
Monetary Loss
Because IP typically has value, and the objective of IP theft is typically to capitalize on that value, IP theft can and often does result in a significant monetary loss to the original IP owner. As the digital age has grown, the abilities and means of individuals to steal valuable IP has increased as well. Although precise estimates are impossible to ascertain, the US Department of Commerce estimates that more than of $250 billion in IP is stolen from US companies each year.
While not all IP theft results in a monetary loss, and sometimes the monetary loss can be difficult to quantify, the intent of IP theft is typically no different than the intent in stealing physical assets (such as cash), and the objective is to rob the company of something that is considered valuable. Given this fact, many companies go to great lengths to protect their IP and are willing to expend significant sums in pursuit of those who have misappropriated or otherwise misused their IP. As evidenced in Figure 16-1, the number of patent-related lawsuits filed in federal courts in the U.S. over the past decade have increased substantially.
TYPES OF THEFT
When IP theft is suspected, the first step is to determine what IP is owned by the particular entity, how is it maintained, and what level of security exists to prevent unauthorized access to the IP as well as its misappropriation. While many companies believe that they understand what IP is most valuable in their organizations, in reality, most companies have not undertaken a detailed analysis of their IP and the relative contribution it provides to the company’s overall success.
As mentioned, each
company or entity is different, and IP can take many forms. Like most other aspects of business, as well as our personal lives, much of that IP has been converted to, maintained in, and stored in digital form. Whether it is valuable customer data, customer lists, proprietary designs, or other valuable information, it is likely held in some electronic format within the company. Any investigation must focus on what IP exists, how it is stored and/or protected, and who has access to it.
We describe three types of IP and recommend steps for securing and evaluating the computer and other electronic information when IP theft is suspected.
Figure 16-1 Number of patent cases filed—U.S. District Courts
Theft of Customer Data
Customer data can take many forms—a hospital’s patient records, a university’s student records, or an electronic store’s customer purchase records. This data typically contains confidential and proprietary information about individuals who have entrusted the company to keep the information protected. The information may include key attributes of a person’s identify (such as Social Security number and date of birth) or information regarding bank account or credit card numbers. Some of the information may be of relatively little use to the perpetrators, but some information may put the individual customers at great risk. As such, the protection of customer data, and the apprehension of those who perpetrate the theft of IP, has garnered greater attention in recent years.