
Intellectual Property Investigations

January 2, 2018 by Dimitar Kostadinov

This article serves to provide guidelines for the conduct of intellectual property (IP) investigations.

What is Intellectual Property?

"Intellectual Property" is a term, a collective reference of sorts, which encompasses four main types of intangible assets: copyrights, trademarks, patents, and trade secrets.


This image is a derivative of "Copyright, Patent, or Trademark?" by BusinessSarah used under CC 2.0, and it is licensed under CC 2.0 by D.K.


The Digital Millennium Copyright Act

According to this law, eight broad categories of works qualify for copyright protection:

  • Literary works (software falls under this category; however, only its visual representation is protected – i.e., the source code – and not the ideas or processes)
  • Musical works
  • Dramatic works
  • Pantomimes and choreographic works
  • Pictorial, graphical, and sculptural works
  • Motion pictures and other audiovisual works
  • Sound recordings
  • Architectural works

"Definition of Copyright" by NY - / CC BY-SA 3.0

Although there is a formal procedure to obtain copyright that goes through registration with the U.S. Copyright Office, copyright as a right arises the very moment the work is created. Consequently, if you can prove in court that you are the author of a work, you are protected by copyright. Nevertheless, exceptions do exist; for instance, a work is deemed "for hire" when it is created by an employee for his employer during the employee's working hours.

The period of copyright protection is 70 years after the death of the last surviving author, provided that the identity of the author(s) is known. When that is not the case, copyright protection lasts 95 years from the date of first publication or 120 years from the date of creation.

In a nutshell, the DMCA envisages:

  • copy-prevention of widespread digital media such as DVDs and CDs;
  • limitation of ISPs' liability in events of their network being used by criminals to violate the copyright;
  • permission to copy licensed software for the purposes of backup, maintenance, and testing;
  • lastly, it explains how the copyright principles are to be applied to the constantly growing sphere of webcasting.

Trademarks

These are words, slogans, or logos used to identify a company or a company's products or services. As with copyright, trademarks do not need to be registered to gain legal protection; nonetheless, official recognition can be given to your mark if you decide to register it with the United States Patent and Trademark Office (USPTO). The acceptance of a trademark as such hinges on two main criteria:

  1. It should not be similar to another trademark, and
  2. it should not be descriptive of the goods and services that the applicant offers.

In the United States, trademarks enjoy a 10-year initial period of protection, which can be renewed an unlimited number of times.

Patents

Simply put, they protect inventions. A patent leaves the exclusive rights regarding an invention in the hands of its owner for a period of 20 years; after the end of that period, the invention becomes part of the public domain. An invention as such should possess three inherent prerequisites:

  1. Must be new
  2. Must be useful
  3. Must not be obvious.

In the technology domain, patents covering hardware devices and manufacturing processes have been issued for many years now. There is still uncertainty, however, on how patents for software inventions would hold up to the scrutiny of most courts.

Trade Secrets

The knowledge of details related to a particular intellectual property could be per se critical for a business, as a great deal of damage would ensue if a competitor knows what makes the product or the service of the company in question so unique and successful. Good examples of such cases are the secret formula for Coca-Cola or the KFC's secret mixture of herbs. In cases like these, the most appropriate tool to protect such intellectual property is perhaps through the use of instruments within the realm of trade secrets – e.g., to not disclose, to not register and/or to preserve the secret by bounding employees by means of a nondisclosure agreement (NDA). In fact, the trade secret protection is the preferred method of intellectual property protection chosen by many software companies, most notably Microsoft.

What Do You Need to Know about IP Investigations?

Here are some steps of a probable forensic investigation related to an IP case (a real-life, proven forensic approach used by Chuck Easttom, the author of the CCFP Certified Cyber Forensics Professional All-in-One Exam Guide):

  1. Photograph devices that may be used in IP cybercrimes and mark their specifications.
  2. Seize the devices by moving them in a safe manner to a repository.
  3. Use a tool, such as AccessData Forensic Toolkit (FTK) Imager, to clone the hard drive so that you have two image copies accompanied by matching hashes.
  4. Lock up the original disk and one of the image copies in a designated forensic safe.
  5. Carefully scrutinize all documents – PDFs, Word files, Excel spreadsheets, and diagrams – to spot signs of stolen IP. Such a sign may be a corporate logo marked confidential.
  6. Use a specific tool to discover deleted files (e.g., IsoBuster).
  7. Search all email files for sale of IP to third parties, among other things.
  8. Assess the value of the discovered IP. Prepare your report in accordance with legal standards (e.g., attach printouts of your findings). Clearly state your conclusion on the matter of IP infringement/crime!
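Step 3 above depends on being able to show that each image copy is bit-for-bit identical to the original. The following is an added example, not code from the article or from Easttom's guide: it hashes a (constructed) source drive file and two image copies in chunks, flags any copy whose hash does not match, and includes a deliberately altered third copy to show the failure mode an examiner must record rather than work from.

```python
# Added example: hash-verify forensic image copies (step 3 above).
# All files are constructed in a temp directory; no real drive is touched.
import hashlib
import os
import tempfile


def hash_file(path, algorithm="sha256", chunk_size=1024 * 1024):
    """Hash a file in chunks so multi-gigabyte images need not fit in RAM."""
    digest = hashlib.new(algorithm)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_images(source_path, image_paths):
    """Return {image_path: (hexdigest, matches_source)} for each copy.
    A non-matching copy must not be used as working evidence."""
    expected = hash_file(source_path)
    results = {}
    for path in image_paths:
        actual = hash_file(path)
        results[path] = (actual, actual == expected)
    return results


def demo():
    """Build a constructed 'drive', two faithful copies and one altered copy."""
    workdir = tempfile.mkdtemp(prefix="ip-case-")
    source = os.path.join(workdir, "suspect_drive.raw")
    payload = os.urandom(4 * 1024 * 1024)  # constructed stand-in for drive data
    with open(source, "wb") as fh:
        fh.write(payload)
    copies = []
    for name in ("image_copy_1.raw", "image_copy_2.raw"):
        path = os.path.join(workdir, name)
        with open(path, "wb") as fh:
            fh.write(payload)
        copies.append(path)
    # Simulate a copy altered after imaging: a single flipped bit at offset 100.
    tampered = os.path.join(workdir, "image_copy_3_altered.raw")
    with open(tampered, "wb") as fh:
        fh.write(payload[:100] + bytes([payload[100] ^ 0x01]) + payload[101:])
    copies.append(tampered)
    return {os.path.basename(p): ok
            for p, (_, ok) in verify_images(source, copies).items()}
```

In a real case the expected hash is the one recorded at acquisition time, and both the original drive and one verified copy are then locked away as step 4 describes.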

More recommendations:

IP investigations differ from traditional investigations in the eDiscovery phase. Forensic experts must immerse themselves in the data (and metadata) to gain insight into a suspect's actions and intentions. A proper forensic investigation should provide company owners and/or their attorneys with answers to some, if not all, of the following questions:

Source: Intellectual Property Theft: How to Ensure a Defensible Investigation by John Clingerman

The strongest quality a digital forensic examiner should display when it comes to IP investigations is the ability to reach to difficult-to-access and uncommon places where data lurks in the dark, and subsequently analyze it. Examples of such places are:

Source: Intellectual Property Theft: How to Ensure a Defensible Investigation by John Clingerman

Special attention should be paid to unallocated space (look for signs of "deleted" data) and to the Registry (information on system and program settings); live files should be searched and inspected, and user preferences and actions checked.

On Windows-based platforms, one can find recent documents at %AppData%\Microsoft\Windows\Recent or via shell:recent (Run dialog box). This can be important for forensics, especially in IP cases, as it allows you to find out which documents were accessed last on that machine.


While browsing through pages of documents, the digital examiner should look for watermarks, since uniquely watermarked copies of files can be traced back to their source. Watermarks can be placed onto documents covertly through a technique dubbed steganography.

Go the Extra Mile in IP Investigations:

Software forensics – the analysis of program code, whether object code or machine-language code, to determine or provide evidence of the intent or authorship of a program. Program code and object code testify to the authorship of a program, as well as to its functionalities. As a general rule, vendors keep their proprietary source code secret to preserve their IP intact; instead, they release object code or an executable version of their software product.

Other Specifics Related to IP Investigations

IP investigations are conducted somewhat differently from criminal investigations. To begin with, the evidence collection phase is less prominent than it usually is, since defendants produce most of the evidence during proceedings. The plaintiff then arranges to designate an expert who will examine the evidence and report his findings. Every piece of evidence must have so-called 'probative value' – i.e., it must be relevant to the case under consideration. To illustrate the meaning of this term: visiting legal pornographic websites would per se be immaterial in the context of a case concerning theft of intellectual property.

The Markman hearing is particularly important in patent litigations. During this procedure, the parties and the court determine the definitions of significant terms existing in the patent. There may be a discrepancy between the definitions the court has adopted and those commonly used in industry.

Unfortunately, the discovery process in an IP investigation can take a lot of time, inter alia because defendants tend to overproduce evidence or submit 'raw' evidence. For instance, they may hand in numerous lines of source code that come with no direction, notes, or hints whatsoever. Naturally, the expert then needs to spend time understanding what functionalities the code has and whether it violates the plaintiff's IP rights. By way of illustration, a proper examination of a terabyte of undocumented code could take up to six months.

Security professionals need to conform their policy and technical actions to the letter of the existing laws. In the past, state laws governed trade secrets, but the U.S. Congress passed the Defend Trade Secrets Act of 2016, which allows owners of a trade secret to sue in federal courts in cases of its misappropriation. Moreover, the act increases prosecutorial damages and recovery mechanisms based on enforcing trade secret laws.

It is advisable for forensic experts to also become familiar with the targeted digital assets, as well as with IT policies and practices. For example, it may be useful to know, inter alia, which employees and contractors have access to confidential data. "Insiders" are the most common perpetrators of IP theft: current or former employees who are stealing (or have stolen) IP from their employer. If access to the IP is limited to certain individuals, this may (or may not) help you identify the perpetrator and shed light on his actions and motives.

Consider whether restricting employee access would further IP protection, or whether such a measure is impractical in light of employees' duties and corporate objectives. Employers, employees, and other third parties should not access the suspect's device in an attempt to carry out a digital investigation on their own. Every time an untrained person accesses or attempts to access the data on a device, he jeopardizes, intentionally or not, both the data and the device itself. Even slight alterations, such as changes to date and time stamps, may be detrimental to the success of the IP investigation, let alone severe cases of spoliation of digital evidence such as overwriting recoverable deleted data.

IP investigations are often conducted on the mere suspicion that a company's intellectual assets may have been stolen, rather than on the basis of real proof, hard evidence, or a confession. IP losses often remain hidden or less visible; in this regard, their impact on a company is similar to reputation damage, devaluation of the trade name, or loss of contract revenue. Signs such as plummeting sales or an unexpected loss of clients are a cause for alarm in this situation. Unlike customer information, IP is always owned by the company itself. For that reason, shareholders and stakeholders have an intrinsic interest in recovering the IP without undue delay.


Source: U.S. Department of State

Reference List

Baker, P. et al. (2010). Official ISC2 Guide to the CISSP CBK, Second Edition.

Clingerman, J. (2017). Intellectual Property Theft: How to Ensure a Defensible Investigation. Available at (23/12/2017)

Decipher Forensics LLC. Are you the victim of Intellectual Property Theft? Available at (23/12/2017)

Deloitte Development LLC (2016). All ri5 insights on cyberattacks and intellectual property. Available at (23/12/2017)

Digital Private Investigations Blog (2016). Available at (23/12/2017)

Easttom, C. (2015). CCFP Certified Cyber Forensics Professional All-in-One Exam Guide.

Forster, S. (2017). Intellectual Property Theft - Restricting Internal IT Involvement. Available at (23/12/2017)

Forster, S. (2017). Protecting Intellectual Property - The Importance of the HR Department. Available at (23/12/2017)

Intellectual Property Office (2013). Intellectual Property Rights in the USA. Available at (23/12/2017)

Iwaya, A. (2016). How Do You Get the "All Recent Files" List Back in Windows 10? Available at (23/12/2017)

Legal Line. Intellectual property investigations. Available at (23/12/2017)

Sari, K. (2017). Digital Forensics to Prevent Data Theft. Available at (23/12/2017)

The USPTO. Intellectual Property (IP) Policy. Available at (23/12/2017)

US-CERT (2008). Computer Forensics. Available at (23/12/2017)

Westover, B. (2013). How to Clone a Hard Drive. Available at,2817,2421302,00.asp (23/12/2017)

Wikipedia. Intellectual property. Available at (23/12/2017)

Whitman, M. & Mattord, H. (2017). Principles of Information Security. Available at (23/12/2017)

WIPO. What is Intellectual Property. Available at (23/12/2017)

Dimitar Kostadinov

Dimitar Kostadinov applied for a 6-year Master's program in Bulgarian and European Law at the University of Ruse, and was enrolled in 2002 following high school. He obtained a Master's degree in 2009. From 2008 to 2012, Dimitar held a data entry and research job for the American company Law Seminars International and its Bulgarian-Slovenian business partner DATA LAB. In 2011, he was admitted to the Law and Politics of International Security program at Vrije Universiteit Amsterdam, the Netherlands, graduating in August 2012. Dimitar also holds an LL.M. diploma in Intellectual Property Rights & ICT Law from KU Leuven (Brussels, Belgium). Besides legal studies, he is particularly interested in the Internet of Things, Big Data, privacy and data protection, electronic contracts, electronic business, electronic media, telecoms, and cybercrime. Dimitar attended the 6th Annual Internet of Things European Summit organized by Forum Europe in Brussels.