
Computer Forensics: Intellectual Property Investigations and the CCFE

March 29, 2018 by Jennifer Jeffers


The characteristics of cybercrime are always shifting, just like the laws that are passed to handle cybercrime. When something goes awry in the digital world, new amendments are added to strengthen the laws and make them more effective. But, because the Internet is vast, with so much multimedia and written content, lawmakers sometimes have trouble developing ways to keep up with issues surrounding intellectual property (IP). These creations of the mind—whether they be inventions, literary or artistic works, symbols, names, or images—need to be legally protected as forms of property and yet they exist in a virtual and ephemeral state. Any “product” resulting from an individual’s own mind and creative spirit must be honored for both its personal and monetary value and is therefore guarded under IP rights. Although owners of these rights can prevent unauthorized use of their creative property through various methods like copyrights, patents, trademarks, trade secrets, and right of publicity, there is no guarantee these boundaries will be respected by online society.

This inherent challenge has given rise to a new form of investigative process known as IP forensic analysis. Investigative experts in the field are often asked to perform valuations of copyrights, patents, and such for various purposes like litigation, taxation, licensing, and regulatory compliance. Through the digital forensic process, these analysts must offer findings in areas such as economic damages, royalty rates, or intercompany transfer prices that have come up as a result of computer crime or misuse. They must also use these findings to draft reports outlining and detailing any forensic evidence.


What is an Intellectual Property Investigation?

Between the two worlds of corporate and private entities, there are a wide variety of digital forensic investigations; however, none is quite as prevalent as IP theft committed by someone inside the organization. These investigations usually happen at the request of company owners or their attorneys, who suspect IP has been taken from the premises but have no real evidence or any sort of confession. What they do have is some speculation as to why their organization is experiencing problems with clients, sales, or competitors who seem to be gaining the advantage. Of course, this is of grave concern in a competitive environment because it affects revenue and overall viability of a company. This is where an IP investigation becomes useful, as it enables a business to take action on an important front where they technically have no power. In this way, the digital forensic process becomes a lifeline for a company struggling to rein in control of their IP.

How Are Intellectual Property Investigations Handled Differently Than Criminal Ones?

Tracing the movement of intangible assets is challenging at times because there is no paper or object to analyze, just a lot of little electronic binary numbers on a screen. While this reality makes stealing digital IP much easier for the perpetrator, it can make locating evidence a bit trickier for investigators. The unique nature of this situation also distinguishes it as being quite different from a regular criminal investigation. Any evidence collected must be shared via a designated expert who can examine it with authority and report back with a sense of what it really means. Every bit of evidence must have probative value, or relevance as it pertains to the case. Fortunately, the field has developed some effective methods for handling IP theft investigations:

Device as a Crime Scene

Just as a murder scene must be cordoned off to protect sensitive blood or fiber evidence, an IP theft investigation requires that any crime-related electronic device (even mobile ones) must also be preserved for inspection by the authorities. Once an IP crime is suspected, access to all associated devices should be shut down and the “crime scene” guarded against any intrusion. Investigators can then apply a methodical process to identifying and harvesting data that may be useful in determining that a crime has been committed. Any untrained individual who attempts to access this sensitive device’s data runs the risk of inadvertently damaging or destroying critical evidence. Such a move can lead to “stepped-on” data that otherwise may have led investigators to a more legitimate conclusion, thereby restoring IP to the originator or even winning a lawsuit.

A Deep Dive into Data

A successful forensic examination of IP theft must go beyond merely determining user movement and communication contents—like that of an eDiscovery phase—it must dive deep into the data to suss out a more detailed account of exactly what transpired during the crime. A proper digital investigation should be able to address these essential questions about the perpetrator’s actions:

  • Did they copy data onto CD/DVDs?
  • Did they perform any mass deletions of data?
  • How did they remove IP data from the building?
  • Was a USB flash drive used? If so, when and where?
  • Was a wiping program used to cover their movements?
  • Did they use a cloud-based email or file-storage account?
  • Did email communications indicate discussions with competitors?
  • Did they perform file transfers to a home computer via remote access?

This level of understanding can only come from a deeper probing of all the nooks and crannies of the digital landscape. In a forensic investigation of this kind, the amount of detail found can make all the difference in the outcome of the overall criminal case.
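The checklist above can be worked against a merged event timeline exported from a forensic image. The following is an added example, not part of the original article: it groups timeline rows under three of the article's questions and detects a mass-deletion burst. The CSV layout, event labels, the `wiper.exe` watchlist entry, the thresholds and all sample rows are assumptions constructed for illustration.

```python
import csv
import io
from datetime import datetime, timedelta
# Constructed sample timeline; column names, event labels and values are
# assumptions for this example, not output of any particular forensic tool.
TIMELINE = """time,source,event,detail
2018-03-01T17:02:10,registry,usb_connect,serial CONSTRUCTED-0001
2018-03-01T17:20:00,browser,cloud_upload,file-storage account (constructed)
2018-03-01T17:41:02,filesystem,file_delete,C:/work/spec_a.dwg
2018-03-01T17:41:03,filesystem,file_delete,C:/work/spec_b.dwg
2018-03-01T17:41:04,filesystem,file_delete,C:/work/notes.docx
2018-03-01T17:45:30,prefetch,program_run,wiper.exe
2018-03-02T09:00:00,prefetch,program_run,winword.exe
"""
WIPERS = {"wiper.exe"}  # hypothetical watchlist entry
QUESTIONS = {  # event label -> checklist question from the article
    "usb_connect": "Was a USB flash drive used?",
    "cloud_upload": "Did they use a cloud-based email or file-storage account?",
    "program_run": "Was a wiping program used to cover their movements?",
}

def load(text):
    """Parse the CSV timeline and return rows sorted by timestamp."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for r in rows:
        r["time"] = datetime.fromisoformat(r["time"])
    return sorted(rows, key=lambda r: r["time"])

def mass_deletions(rows, threshold=3, window=timedelta(seconds=60)):
    """Return (first, last, count) for each burst of deletions inside window."""
    dels = [r["time"] for r in rows if r["event"] == "file_delete"]
    bursts, i = [], 0
    while i < len(dels):
        j = i
        while j + 1 < len(dels) and dels[j + 1] - dels[i] <= window:
            j += 1
        if j - i + 1 >= threshold:
            bursts.append((dels[i], dels[j], j - i + 1))
        i = j + 1
    return bursts

def triage(rows):
    """Group the rows that bear on each checklist question."""
    found = {q: [] for q in QUESTIONS.values()}
    for r in rows:
        relevant = r["event"] != "program_run" or r["detail"].lower() in WIPERS
        if r["event"] in QUESTIONS and relevant:
            found[QUESTIONS[r["event"]]].append(r)
    return found
```

Reading the grouped rows in time order gives the sequence an examiner reports on: device connection, upload, deletion burst, then the watchlisted program run.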

Experts Only

Due to its sensitivity, allowing untrained individuals access to digital evidence is strongly discouraged and is not considered a best practice in the forensic world. Aside from just having the technical and computing knowledge to secure digital evidence, professional investigators need to know how to prepare the entire process for success. This includes properly “preserving” workstations, collaborating with other legal entities, and securing all physical hardware.

Why Are These Types of Investigations Often Lengthy?

Because IP investigations must dig deeper into existing data than an eDiscovery phase, the overall process can be lengthy. Experts in the field are expected to access even the most hard-to-reach places where data lurks, effectively analyze it, and report back with integrity. The areas they must explore include event logs, program usage, internet history, cloud access, disc usage, USB misuse, anti-forensic programs, watermarks, digital signatures, email accounts, and remote access. To achieve these ambitious goals, investigators must use software forensics to analyze program or object code to better determine the authorship of IP.

Aside from the time it takes to gather this digital evidence, the effort can slow down even further when it reaches the courtroom. When defendants submit raw evidence in the form of extensive code, an overall lack of direction or focus can erupt amongst those who must interpret its meaning. Numerous lines of source code are easier to decipher when they come with some direction, notes, or clues about what to look for. When experts have to comb through this dense data with no guidance, essentially trying to determine whether the source code violates any IP rights, the investigation can drag on. For example, a proper study of one terabyte of unclear code can run up to 6 months. 

A Real-Life Example of Intellectual Property Investigation

To better visualize how prevalent (and sometimes unexpected) an IP dispute can be, just think about Mike Tyson and his famous eye tattoo. When this same design was used to decorate the face of a strait-laced dentist in the 2009 movie, The Hangover, things got a little contentious between the LA-based tattoo artist who crafted the design and Warner Brothers Pictures. Although the artist had, in fact, copyrighted the design after etching it around the prize-fighter’s left eye, the Hollywood heavy-hitter believed their actions fell under the guise of “fair use.” This is a great example of how dodgy an IP case can be, because it’s hard to know where the truth falls. The judge agreed that the artist did have a legitimate claim to the design; however, the release of the movie would not be delayed as a result. Of course, Warner Brothers subsequently settled with the artist for an undisclosed amount based on the merits of his complaint and the judge was never forced to make an actual decision. But the fact that such an untouchable company would pay any amount to one individual with a complaint is testament to the strength of IP law and its regulatory prowess.

If this had been a digital investigation, it would have been necessary to prove certain actions on the part of both Warner Brothers and the artist. And, in many ways, the case itself might have been easier to figure out. Looking at the digital trail of communications regarding the tattoo, how the design was obtained, and whether Warner Brothers was aware of copyright infringement would have factored in significantly and likely offered a great deal of clarity. As it was, the judge was forced to work on the surface merits without any real digital evidence to rely on. In many ways, the complexity of IP legal disputes can be simplified through a digital forensic investigation, where judgements can lean on data instead of interpretation.



As the Internet continues to grow and evolve, it will become increasingly important to protect the intellectual property of the people who use it. Continuing to establish the legal boundaries of the virtual world is vital work of the digital future, as it promises to keep the world’s biggest and most popular computer network fair and equitable for all.

Jennifer Jeffers

Jen Jeffers is a freelance writer who creates educational and historical content for the internet as well as InfoSec narratives for the deep web. Her work blends the creative with the factual to offer readers articles that are both entertaining and edifying. Although she has a strong aversion to mathematics, she is willing to research and learn about almost anything in the name of continuing education. Follow her blog The Raven Report, a history collection for the dark romantic at