Every so often, it’s nice to hear from people who know what they’re talking about. Today, we’ve got part of this blog’s "Five Questions" feature.

I posed five questions for Frank Rudewicz, Managing Director of UHY Advisors FLVS, Inc.  UHY provides forensic litigation and valuation services which are particularly useful for things like electronic discovery, trade secrets and case investigation. 

I’ve worked with Frank for a number of years and those in Connecticut may know Frank from his prior company, Decision Strategies.  Frank spent 14 years with the Hartford Police Department and FBI and has built an impressive resume in the field of trade secrets and investigations.  He also received his J.D. from University of Connecticut.  Thus, his experience both as a police officer and as a lawyer provides a good foundation for the services he and his company offer.

I asked him recently to provide readers of this blog some additional insights into the area of forensic litigation.

1. Intellectual Property Theft seems to be a "hot" issue. If an employer suspects a current employee is stealing data, when should they contact an outside forensic expert?

When one has a reasonable anticipation that intellectual property ("IP") is being compromised, one should begin a dialogue with a data security/forensic expert. This dialogue may touch on topics such as:

  • determining whether one’s suspicions are justified,
  • whether the suspected IP compromise is internal or potentially an external threat masked as an internal compromise (i.e., an external party who obtains an employee’s user name and password),
  • methods to audit, monitor, and document the suspicious activity,
  • develop a timeline documenting the suspicious activity,
  • investigate method of intrusion, if applicable,
  • define triggering events to begin data preservation.

2. From a technical perspective, what are some steps that an employer should take around the time it is terminating an employee to preserve data?

  • Physically secure all computing equipment (including mobile messaging/cellular device) and digital media (USB flash drives, external hard drives, etc.) of terminated employee before termination
  • Secure terminated employee’s network home directory and other network file shares that the terminated employee had access to
  • Disable terminated employee’s network user account, verify terminated employee is logged out of any online systems, and notify any third party application/database/website provider to revoke terminated employee’s access.
  • Reset the terminated employee’s access code to voicemail system; consider reviewing/preserving any voicemail messages before system purges the same; configure auto forwarding of new calls either to HR or administrative mailbox.
  • Before re-provisioning any computer equipment that belonged to the terminated employee, consider performing a forensic image of the equipment and wiping the equipment before re-provisioning
  • If terminated employee has administrative access to any corporate computing systems, change all administrator passwords immediately.

3. Is there a common item that employers overlook in trying to capture data when an employee leaves?

Blackberry messages, instant messaging, voice mail captures. [Employers should consider conducting] a software inventory and Web browsing history of the terminated employee’s computer to highlight other areas of interest. For example, are there FTP sites that the terminated employee visited, which may indicate potential risk that the employer’s data was compromised?

If the terminated employee is savvy, file extensions may have been renamed to hide relevant information. Absent a file signature analysis, these files may be overlooked.
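
The file signature analysis mentioned in the answer above compares a file's leading bytes with the type its extension claims. The sketch below is an added example, not part of the interview and not UHY's tooling; the signature table is a small illustrative subset, and the function names and sample files are constructed for the demonstration.

```python
import os
import tempfile

# Illustrative subset of well-known signatures: leading bytes -> usual extensions.
SIGNATURES = [
    (b"%PDF-", {".pdf"}),
    (b"PK\x03\x04", {".zip", ".docx", ".xlsx", ".pptx"}),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", {".doc", ".xls", ".ppt", ".msg"}),
    (b"\x89PNG\r\n\x1a\n", {".png"}),
    (b"\xff\xd8\xff", {".jpg", ".jpeg"}),
]

def identify(path):
    """Return the extensions expected for the file's leading bytes, or None."""
    with open(path, "rb") as fh:
        head = fh.read(16)
    for magic, exts in SIGNATURES:
        if head.startswith(magic):
            return exts
    return None

def find_mismatches(root):
    """Walk root and list files whose extension disagrees with their signature."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            path = os.path.join(dirpath, name)
            expected = identify(path)
            ext = os.path.splitext(name)[1].lower()
            if expected is not None and ext not in expected:
                findings.append((name, ext, sorted(expected)))
    return findings

def build_sample_tree():
    """Constructed sample data: three small files, one with a renamed extension."""
    root = tempfile.mkdtemp(prefix="sigcheck_")
    samples = {
        "report.pdf": b"%PDF-1.4\n% constructed sample\n",
        "vacation.jpg": b"PK\x03\x04" + b"\x00" * 26,  # ZIP container named .jpg
        "notes.txt": b"plain text, no known signature\n",
    }
    for name, data in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)
    return root

if __name__ == "__main__":
    for name, ext, expected in find_mismatches(build_sample_tree()):
        print(f"{name}: extension {ext}, content matches {expected}")
```

In practice this check is run against a forensic image or a read-only copy rather than the original media, and files with no recognized signature still need review by other means.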

4. What is the hot item in forensic litigation consulting?

Data Landscape Modeling

5. What types of questions should a company or law firm ask when considering hiring a forensic firm like yourselves?

  • Are they licensed?
  • Do they have written policies and procedures to ensure "forensically sound" evidence?
  • How do they charge?
  • Does your staff carry current industry digital forensic certifications such as EnCE?
  • Do you use full time staff to perform forensic analysis or do you use contractors (use of contractors may break chain of custody)?

Watch for more Q&A in the upcoming weeks.