Not so savvy
Read Time: 7 mins
Written By:
Robert E. Holtfreter, Ph.D., CFE
Welcome to the first edition of Fraud Bytes, a column on computer forensics. The fraud examiner of the 21st century has to understand emerging schemes and investigation techniques and rise to the next level - computer data analysis and examination.
Computer forensic analysis, once reserved for law enforcement's criminal investigations, has dispersed into other areas including fraud examination. The new breed of fraud examiner needs to not only analyze the gigabytes of digital data but also dissect the fraudster's computer systems. This column will focus on tools, techniques, and emerging computer fraud trends that affect and aid the digital fraud examiner. In each issue we'll endeavor to supply practical information as we struggle to keep pace with the digital age and the technology that both increases our effectiveness and is exploited to commit cyber-frauds. Let's begin!
In October of 2005, the Superior Court of the State of California upheld and affirmed a jury verdict and issued final judgment against the Toshiba Corporation for theft of trade secrets from the Lexar Media Corporation.
The verdict cost Toshiba $465 million. The case stems from discoveries that at least one of Toshiba's electronic memory products contained proprietary technology created by Lexar. The amended complaint against Toshiba alleges that a member of Lexar's board of directors acted as an agent for Toshiba and facilitated the theft of the proprietary information.
Data: it's what today's corporations run on
Whether it's confidential financial information for the company or its customers, special manufacturing processes, CAD drawings, or digital source code - computerized data is at the center of businesses in America and the world. Some of this electronic data could be at risk in your entity. It's important to understand where your company data is vulnerable - not from outside threats but from insiders who may be plotting to remove data from within your own organization.
Private-sector corporations aren't the only entities that may be vulnerable to internal data theft. The Atlanta Journal-Constitution recently ran a story describing a computer security breach perpetrated by an employee of the Georgia Technology Authority (GTA). For some unknown reason, a GTA programmer without authorization allegedly downloaded to his home computer the personal information of motorists, retired teachers, and state or public school employees who participated in the state's health plan. The breach wasn't detected for three years, until security personnel discovered that the programmer was logging into databases he was no longer assigned to work with. As far as they know, the former employee hasn't facilitated the use of the data for identity theft purposes. The state of Georgia still had to notify 465,000 Georgians that they could be at risk for identity theft as a result of the breach.
Intellectual property (or "trade secrets" as it is legally called) can take many forms and must be protected in a competitive market for an innovative company to maintain an edge. Theft of intellectual property through corporate espionage and enterprising employees is on the rise. According to the U.S. Department of Justice, companies suffered $250 billion in IP theft in 2004. While much of this is related to software piracy issues, it's still a strong signal to corporations that their future profits could be slipping into somebody else's pockets.
Employees say IP theft acceptable
A survey conducted in 2004 by the Ibas Corporation, a major computer forensic and data recovery firm, found that IP theft among UK businesses seems to be motivated by a corporate culture that turns a blind eye to this risk. The survey found that:
Another interesting point in this survey indicates that the biggest deterrence to employees committing IP theft when leaving a company is having them sign a document that states they haven't taken any electronic copies of corporate documents or files.
The University of California at Berkeley in a recent survey concluded that 92 percent of company documents are stored in a digital format. As companies move into the paperless age the risk to this digital information and the need to protect it becomes even greater.
A series of comprehensive insider threat surveys conducted by the U.S. Secret Service released in August of 2004 and May of 2005 report that the majority of insiders who acted to sabotage were technical staff members (86 percent). These are the very persons entrusted to protect and secure the company's data. The survey also revealed that these persons were usually remotely accessing the systems without authorization through "back door" or shared accounts they had established for future use.
Of course, it's not just the "techie types" who are capable of stealing IP. The 2004 report from the Secret Service focused on companies in the financial sector. The report indicated that data fraud and intellectual property theft was more often than not accomplished by the average office worker with little computer knowledge. The typical user in a company with broad network access privileges can often use a simple text search in Windows to locate sensitive and unprotected corporate data.
A company should inform employees that customer lists within the organization are trade secrets and should be protected. Employees can sign a contract that prohibits copying of these lists and bars them from soliciting the business' customers for a period after leaving the company.
IP is more than intangibles
Intellectual property can be difficult to define. We tend to think of it as intangible knowledge created by human intellect but often it's quite tangible and exists as thought and design put to paper or stored in electronic form. The line gets blurry for employees because under the U.S. patent laws a patent application can only be in the name of an individual and not a company. People create things; companies have no intellect outside of the people who are a part of the company. However, generally patents are automatically assigned to the employer when a design is created through the employee's work. This is similar to original copyright material that begins with the author first and is then transferred to the employer. Legal decisions concerning an employee's right to a patent or copyright tend to center around the employee's scope of work. If the invention occurred outside the employee's scope of employment it's quite possible that the employee retains the patent or copyright and not the employer.
So how is company data added to the risk model in your organization? A number of companies have begun categorizing risk to data based on its importance to the company as an asset or its confidential nature. Once this risk is assigned then steps are added to the IT audit plan to ascertain the effectiveness of the protective measures taken to safeguard the high-risk electronic data. In some cases, companies are placing their high-risk data onto one very secure server that has all of the logging features and security access options in place.
Monitoring data access
In any risk management model it's important to operate by the age old axiom, "you can't manage what you can't measure." Any protection mechanism has to be able to record and monitor those who have access to the data and what they do with it. Several products both in the software market and the hardware market produce a monitoring method that can be very successful in protecting a company's IP.
Intelligent Wave Inc., a Japanese company, produces "CWAT," a "Digital Assets Extrusion Prevention System," originally created for the Japanese credit card industry. CWAT has a number of options that monitor and control both network and terminal data access. It can be set to alert and log, or prevent data from being copied to an external source such as a thumb drive or compact disk. It can also be configured to monitor outgoing e-mail for attachments that include protected data.
Vericept, another product designed to protect against data loss, is a hardware device that resides on the network and monitors all network activity. It can be configured to focus on certain types of data and also can be alerted to recognize and/or prohibit certain types of data as deemed higher risk in an organization. The primary feature of Vericept is its intelligent linguistic engine that goes beyond traditional keyword filters and looks for combinations of words as they are used in written language. The data security personnel are then able to look for trends through a graphical representation that shows the extent or amount of network traffic that contains the suspicious content. Those network packets are captured, stored, and reassembled for the monitor to review and determine if there were any policy violations. The software can screen all network traffic including everything from e-mails to Internet network packets.
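The Georgia case above went unnoticed because nobody compared who was reading a database with who was still assigned to it. The following is an added example, not part of the original column and not how CWAT or Vericept work: it replays an access log against assignment records and reports reads made outside any assignment window. The account names, databases, dates and log layout are all constructed for illustration.

```python
from collections import defaultdict
from datetime import date, datetime

# Constructed assignments: (account, database, first day, last day or None if current).
ASSIGNMENTS = [
    ("pgm01", "drivers", date(2001, 1, 8), date(2002, 6, 28)),
    ("pgm01", "payroll", date(2002, 7, 1), None),
    ("pgm02", "health_plan", date(2000, 3, 1), None),
]

# Constructed access log: timestamp, account, database, rows returned.
LOG = """\
2002-05-14T10:02:11 pgm01 drivers 120
2002-09-03T23:41:07 pgm01 drivers 48210
2003-01-19T01:15:52 pgm01 health_plan 91344
2003-02-02T09:30:00 pgm02 health_plan 15
2005-03-27T00:58:40 pgm01 drivers 50112
malformed line
"""

def assigned(account, database, day):
    """True if the account had a current assignment to the database that day."""
    return any(a == account and d == database and start <= day
               and (end is None or day <= end)
               for a, d, start, end in ASSIGNMENTS)

def out_of_scope(log_text):
    """Summarise accesses made outside every assignment window."""
    hits, skipped = defaultdict(list), 0
    for line in log_text.splitlines():
        parts = line.split()
        try:
            when = datetime.fromisoformat(parts[0])
            account, database, rows = parts[1], parts[2], int(parts[3])
        except (IndexError, ValueError):
            skipped += 1          # count unparseable lines, never drop them silently
            continue
        if not assigned(account, database, when.date()):
            hits[(account, database)].append((when, rows))
    report = {}
    for key, events in hits.items():
        times = [t for t, _ in events]
        report[key] = {"count": len(events), "first": min(times),
                       "last": max(times), "rows": sum(r for _, r in events)}
    return report, skipped

if __name__ == "__main__":
    for key, finding in out_of_scope(LOG)[0].items():
        print(key, finding)
```

The gap between "first" and "last" for a finding is the time the access went unreviewed, which is the figure an IT audit plan would want to drive toward zero.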
Encryption and steganography
Two of the biggest IP threats are encryption and steganography. Today's encryption techniques allow a measure of secrecy when transmitting data over a network. While this is a protective measure against data interception over the Internet, this tool also can be used to secretly transmit data that otherwise would be prevented because the encrypted data cannot be read by monitoring agents or software. Most network security personnel don't want to tighten controls to such an extent that all encrypted data is prevented because they want some level of encryption when communicating sensitive information.
Steganography has been defined as the science of concealing information. It allows the hiding of data inside another seemingly innocuous file such as an image or sound file. The more than 200 different steganographic software programs available over the Internet today work slightly differently to produce the desired results. The programs generally function through a simple Windows interface in which the user selects the file he wants to hide and then selects the innocent file in which he wants to hide it. The steganographic program then selects bytes of data from the seemingly harmless file and removes them. The target file is then disassembled and its bytes are used to replace the removed bytes, when possible, thereby merging the two files together. The program password protects this transaction so that the only way to then reassemble the hidden file is by entering that password. The program then reconstructs the hidden file in a matter of seconds. Image files, music, and sound files are generally good couriers for this type of data smuggling because they are usually larger than some other file types and our visual and auditory senses aren't acute enough to discern the very slight reduction in quality of an image or sound recording.
One way of combating this type of IP threat is to use enterprise-wide monitoring of software installed on computers attached to the network. Sometimes this may include the use of computer forensic software to image a suspect computer to determine the extent that the program has been used in a given instance. The use of steganographic software can also be detected with certain programs designed for that purpose. The leading software manufacturer in this field is Wetstone, which has created a product called Gargoyle that's designed to scan a computer for evidence of "mal-ware" including steganography and encryption type programs. Another Wetstone product, Stego Suite, is designed to detect files that appear to exhibit known steganographic characteristics and alert the user. The Stego Suite also can be used to decrypt and recover password-protected hidden files that are the result of steganography use. Wetstone has conducted extensive research into the various programs that are used for steganography and continues to monitor the Internet for new programs to update its data sets.
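As an added illustration (not from the column, and not a description of how Stego Suite or any other named product works), the sketch below shows one statistical characteristic a detector can test for. It assumes a tool that overwrites the least significant bit of each carrier byte with encrypted payload bits, which pulls the counts of neighbouring values 2k and 2k+1 together. The cover data, the 40 percent embedded span, the window size and the threshold of 2.0 are constructed assumptions.

```python
import random
from collections import Counter

def pov_score(samples):
    """Mean chi-square term over value pairs (2k, 2k+1); close to 1 when
    the two counts in each pair have been equalised by random LSBs."""
    counts = Counter(samples)
    terms = [(counts[v] - counts[v + 1]) ** 2 / (counts[v] + counts[v + 1])
             for v in range(0, 256, 2) if counts[v] + counts[v + 1]]
    return sum(terms) / len(terms) if terms else float("inf")

def scan(samples, window=4000, threshold=2.0):
    """Score consecutive windows; return (offset, score, suspicious) rows."""
    rows = []
    for start in range(0, len(samples) - window + 1, window):
        score = pov_score(samples[start:start + window])
        rows.append((start, round(score, 2), score < threshold))
    return rows

def constructed_cover(n, rng):
    """Constructed stand-in for image or audio sample bytes whose histogram
    is uneven between neighbouring values (even values are favoured)."""
    cover = []
    for _ in range(n):
        v = min(255, max(0, int(rng.gauss(128, 30))))
        if rng.random() < 0.5:
            v &= 0xFE
        cover.append(v)
    return cover

def constructed_carrier(cover, fraction, rng):
    """Test data for the detector: random LSBs (modelling encrypted payload)
    over the first `fraction` of the samples, the rest left untouched."""
    k = int(len(cover) * fraction)
    return [(v & 0xFE) | rng.getrandbits(1) for v in cover[:k]] + cover[k:]

rng = random.Random(2006)          # fixed seed so the run is repeatable
COVER = constructed_cover(20000, rng)
CARRIER = constructed_carrier(COVER, 0.4, rng)

if __name__ == "__main__":
    for row in scan(CARRIER):
        print(row)
```

Real media histograms vary widely, so a fixed threshold is only a triage signal; flagged files still need examination with forensic tooling.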
Pesky key loggers
Some corporate spies will stop at nothing to obtain access to sensitive or proprietary information on a company network. Inline "key loggers" have become the tools of choice for stealing passwords and other information that would allow unauthorized persons access to prohibited places on the corporate network. These products are available from many sources over the Internet and can be installed inline with the keyboard connection cable to capture password keystrokes to a miniature memory module on the device. The spy can then later retrieve the device without leaving any evidence that he had installed it. Now he's armed with passwords to forbidden areas and can retrieve information as a supposedly authorized user. Often sold as "parental control devices," these key loggers have only one purpose: to secretly steal information entered via the keyboard of a targeted computer user. Ranging in memory capacity from 32 KB up to 2 MB of storage space and selling for under $100 to $200, these devices are virtually undetectable except by observing someone placing one in the back of the computer. When was the last time you looked at the back of your desktop? In most cases, if the spy placed a key logger and then later retrieved it you would never know that it was there.
Employees also greatest liability
It has been said that employees are the greatest asset of any corporate organization but employers unprepared for the prevailing permissive sentiments held by the majority of employees about intellectual property could find that those employees are also their greatest liability. In most cases there isn't a "one stop" answer to this problem; the best solution is a customized approach based on the way a company uses data within its own organization. It's not a question of if IP theft occurs but when. Companies must have an incident-response mechanism in place that includes computer forensics and the preservation of digital evidence should litigation arise.
Corporations spend large sums of money to protect their physical assets and often their computer networks from outside intruders but it's the inside "extruders" that can and will copy and appropriate company data if that electronic asset isn't protected.