August 27, 2013 Articles

Using Computer Forensics in Trade Secret Cases: Five Things Your Forensic Computer Expert Wishes You Knew

By Sheryl Falk

We live in a world where we can access, copy, and transfer huge volumes of information with a click of a button. This presents a tremendous challenge for employers who entrust their employees with confidential technology, customer data, and other secret business information. With a mobile work force and the ease of moving high volumes of information, companies that rely on trade secrets are especially vulnerable to employee theft. When departing employees have access to valuable intellectual property or other types of confidential information, more and more employers are proactively investigating the potential theft of their trade secrets and initiating litigation to recover those secrets.

A trade secret investigation often starts with a review of the departing employee’s computer. A forensic computer expert can help uncover evidence that the employee has accessed, transferred, or copied data. Forensic tools can assist in the recovery of deleted files. They can analyze web browser and social media history, the location of online storage applications and the connection of external devices, and the content of registry files to see if programs have been installed or run. Even after an employee has tried to delete emails, documents, and other computer files, an expert may be able to recover data that survives in non-user-generated files to get to the truth of the employee’s actions. To increase your chance of an effective trade secret investigation or litigation, keep these strategies in mind.

Properly Preserve the Evidence

When you receive the employee computer, resist the urge to simply turn it on and look at the employee’s email, “my documents” folder, and desktop to quickly assess the employee’s actions. The very act of turning on the computer may change the data and potentially cause data to be overwritten, which may harm the investigation. The computer and any computer storage devices should be provided to a forensic expert with the tools and training to make a forensic copy of the computer. This is often referred to as making a complete bit-for-bit copy. It will include all of the unallocated or free space, allowing a forensic expert to recover deleted data. Your forensic expert will create a chain of custody document to memorialize the facts around the receipt, imaging, and storage of the computer.

Failure to follow the proper imaging protocol may jeopardize a case. A few years ago, a client was concerned that a group of five departing employees had stolen valuable trade secrets. Before sending the computers to the forensic expert, the IT department copied each computer using an IT program. The IT department did not have the right tools or training to make a forensic copy, however. As a result, the IT department’s act of copying the computers actually changed the metadata. This made it impossible to assess the last time the employees had actually accessed the confidential data, complicating the trade secret case. So avoid the impulse to turn on the computer. Turn it over to the expert, with a proper chain of custody, and allow the expert to make a forensic image of the computer.
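As an added illustration (not part of the original article), the Python sketch below shows why a bit-for-bit image can be verified against the source while a copy that skips free space cannot, and what a minimal chain-of-custody entry might record. Comparing SHA-256 hashes is an assumption about how verification is done; the article does not name a method. The sample disk contents, file names, examiner label, and record fields are all constructed for the example.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1024 * 1024  # stream in 1 MiB chunks so large images never load into memory


def sha256_file(path):
    """Hash a file by streaming it; the file is opened read-only."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            digest.update(chunk)
    return digest.hexdigest()


def custody_entry(source, image, examiner):
    """Build one chain-of-custody record (hypothetical fields) for an image."""
    src_hash, img_hash = sha256_file(source), sha256_file(image)
    return {
        "examiner": examiner,
        "recorded_utc": datetime.now(timezone.utc).isoformat(),
        "source_sha256": src_hash,
        "image_sha256": img_hash,
        "image_bytes": os.path.getsize(image),
        "verified": src_hash == img_hash,  # True only for an exact copy
    }


def demo():
    """Compare a bit-for-bit copy with a copy that skips free space."""
    # Constructed sample disk: live data, then free space with a deleted file's remnant.
    allocated = b"LIVE:report.docx" + b"\x00" * 496
    free_space = b"DELETED:customer_list.xlsx" + b"\x00" * 486
    disk = allocated + free_space
    with tempfile.TemporaryDirectory() as tmp:
        paths = {n: os.path.join(tmp, n) for n in ("disk", "bitwise", "logical")}
        for name, data in (("disk", disk), ("bitwise", disk), ("logical", allocated)):
            with open(paths[name], "wb") as fh:
                fh.write(data)
        good = custody_entry(paths["disk"], paths["bitwise"], "examiner-1")
        bad = custody_entry(paths["disk"], paths["logical"], "examiner-1")
        with open(paths["logical"], "rb") as fh:
            remnant_kept = b"customer_list" in fh.read()
    return good, bad, remnant_kept
```

Calling demo() returns the two custody records and a flag showing that the deleted-file remnant is absent from the copy that skipped free space.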

Define Your Computer Expert’s Role

When you hire a forensic expert, you face the choice of how best to work with the expert—as a testifying expert, consulting expert, or neutral expert. Your communications and work scope will differ with each type of expert, so you need to decide at the beginning how you will use the expert.

The traditional testifying expert role requires an expert who can advocate your position and accurately and persuasively convey his work to the court and jury. Generally, all information and communications shared with the testifying expert will be discoverable. If you expose your testifying expert to information that could hurt your case, your expert could be required to testify about that harmful information. Likewise, your expert will be obligated to produce your written communications and directions, so be careful what information you email to your testifying expert. Do not place your testifying expert in the unenviable position of producing emails that may hurt or complicate your case.

It may be beneficial to retain a consulting forensic expert. The benefit of working with a consulting expert is that you can speak with candor because her work is not discoverable. This may be useful if you need to try to figure out the meaning of the forensic data, even if the answers do not benefit your case. The consulting expert can be exposed to information that may be harmful to your case and then help you test an opponent’s claims to frame the best possible explanation or theory. In that instance you will first want to use a consulting expert, along with a second expert in a limited role as your testifying expert.

Another option is to use the expert as a neutral expert. This choice is gaining popularity as courts expect parties to work together to produce and analyze computer information. Parties have discovered that it is cheaper to share the cost of a neutral expert to perform an agreed-upon protocol. In a case where you have basic cooperation with your opposing counsel and need straightforward analysis of a computer to locate trade secret information, you may want to use your expert as a neutral. That means limiting your communications and jointly directing the expert with opposing counsel. The most important thing to remember with neutrals is that you must clearly specify what you are interested in and what you need as a deliverable. Without that guidance from counsel, they will not be as effective.

Understand how you will use your expert and be mindful of the restrictions you may face in communications and scope of work.

Don’t Limit Your Computer Expert’s Investigation to Search Terms

At the beginning of your investigation, it will be important to communicate the case facts and issues to the expert. The time you invest educating your expert pays off with faster and more responsive information. A typical computer can include several hundred thousand or even a million files. Developing a game plan will focus your expert on the questions you need answered.

Many lawyers mistakenly assume that the best plan to search a computer is to use search terms. The main problem here is that common search terms can yield thousands of results, which require costly review and may not lead to useful information. While specific and precise search terms such as names or email addresses may quickly yield responsive information, it is unlikely that one can anticipate the precise words or phrases that an employee or witness would have used. For example, in one spoliation case, the smoking gun evidence was a deleted email in which the defendant planned to “nuke” his work computer. This direct evidence of spoliation would not have been located through the use of search terms. Also remember that without understanding the context of information, your expert could easily miss documents in a keyword document review.

A better way to proceed is to help your expert understand the case facts and issues. Educate your expert on the critical technologies, competitors, suspected coconspirators, and dates. The expert can then assist you by suggesting additional sources of potentially responsive information, such as applications used to create data, log files, and link files. Most of these forensic artifacts and logs will not match a keyword, but they will show activity in critical time periods. Cooperate on a plan to identify responsive information and you stand a much greater chance of locating the evidence you need in a cost-effective manner.

Place Appropriate Limits on What the Computer Expert Can Access

There are constant advances in the forensic tools available to experts. But just because an expert can obtain certain information does not mean that you should direct the expert to do so. For example, during the course of the computer analysis, the expert may locate links or references to online storage as well as the password to access the online storage. It could be tempting to access the user’s online Quicken account, for example, or an online storage account, such as Box or Dropbox, to see if the employee stored trade secret documents. But such access without authorization from the employee or the court could be illegal.

This situation might also come up in the context of an employee’s personal computer. An expert may be able to remotely access the personal computer that the employee used to access the company’s network. But if the employee owns the computer, it would be illegal to access the computer remotely without either the employee’s consent or a court order allowing the expert to legally access the information.

As an officer of the court, the lawyer retains the responsibility to ensure that the forensic investigation stays within legal and ethical bounds. If an investigation reveals online storage or other computer or storage devices with relevant information, this evidence could support a request to the court, or for consent from the opposing party, to produce the discovered online data or other computers.

Do Not Rely on the Computer Expert’s Testimony

Once you’ve identified the presence of confidential company information on an ex-employee’s computer, you may be ready to rush to the courthouse to get a TRO. But often attorneys make the mistake of assuming that the computer expert can testify that the data located on the employee’s computer contains trade secrets. While the computer expert can describe for you in great detail what activities went on and what data were located on the computer, the expert generally will not be able to testify as to the meaning of the data reviewed, copied, or transferred.

It would be unfair to the expert—and risky for your case—to question your expert on the stand about the confidentiality or secret nature of the data on the computer. Of course, your expert can testify if there is a “Confidential” watermark or other written indication of data’s confidentiality. One recent case involved a former employee’s computer file named, “Stolen Company Information.” But you rarely get so lucky. Simply put, your computer expert’s job is not to determine the confidential or secret nature of the data located. You will need to find another witness to testify on that element of the case.


Most of the time, a trade secret case is made through evidence located in the forensic analysis of the departing employee’s work computer—or if you are lucky, through the personal computer produced by agreement or court order. That makes it all the more critical to partner with a qualified forensic examiner to develop a game plan that will help you locate the evidence you need to support your case.

Keywords: woman advocate, litigation, trade secret, evidence, forensic expert