Digital Forensics in Trade Secret & IP Litigation: Preserving Evidence Before You Sue
In the competitive corporate landscape, intellectual property (IP) and trade secrets are an organization’s most valuable assets. Unfortunately, the threat of IP theft is frequently internal.
When a key executive, developer, or sales manager resigns to join a competitor or launch a rival company, they often take proprietary information with them: source code, customer databases, sales pipelines, or product roadmaps.
Filing a lawsuit or requesting a Temporary Restraining Order (TRO) requires proof. To secure that proof without alerting the suspect, which would give them time to destroy evidence, counsel must execute a rapid, quiet, and legally defensible digital forensics preservation plan.
The Fatal Mistake: Accessing the Device Internally
When a company suspects data exfiltration, the immediate reaction of the IT department is often to log into the departing employee’s laptop, open their email, check their recently accessed files, and inspect USB connection histories.
This is a critical mistake that can destroy your legal case.
- Modifying Metadata: Every time a file is opened, the operating system updates metadata (like “Last Accessed Date”). Logging in alters these values, making it difficult to prove when the suspect accessed the files versus when the IT department did.
- Admissibility Challenges: Opposing counsel will argue that because your IT staff accessed the laptop without write-blocking hardware, the evidence was altered, and the files could have been planted or manipulated.
Standard Forensics Indicators of Exfiltration
A certified digital forensics examiner does not guess. They look at specific, immutable artifacts left behind in the operating system:
1. Registry Shellbags & LNK Files
Windows operating systems track folder access and window positions using “Shellbags.” By analyzing these artifacts, a forensic examiner can prove that a user navigated to specific confidential directories, even if the files inside were deleted. “LNK files” (shortcuts) prove a specific document was opened from an external source (like a USB drive).
2. USB Registry Entries & Setupapi Logs
Whenever a USB drive is inserted, Windows logs the device vendor, product ID, serial number, and exact timestamp of connection. A forensics audit maps this history to show that a storage device was connected hours before the employee’s resignation.
3. Shadow Copy & Cloud Sync Logs
Examiners check Google Drive, OneDrive, and Dropbox synchronization logs to see if massive folder syncing took place. Additionally, Volume Shadow Copies can be restored to retrieve deleted logs or files that the employee attempted to wipe using CCleaner or file shredders.
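The USB history described under "USB Registry Entries & Setupapi Logs" can be illustrated with an added example, which is not from the original article or from any forensic tool. It extracts USB storage install records from a setupapi.dev.log exported from the forensic image and lists those that fall shortly before an event time. The sample log, device serials, event time and function names are constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in the setupapi.dev.log layout (Windows 7 and later).
# Device names, serials and times are made up. Timestamps in this log are
# local machine time, and a section is written when a device is first installed.
SAMPLE_LOG = r"""
>>>  [Device Install (Hardware initiated) - USBSTOR\Disk&Ven_Generic&Prod_Flash_Disk&Rev_8.07\AA00000000000489&0]
>>>  Section start 2023/03/02 09:15:44.120
<<<  Section end 2023/03/02 09:15:45.002
<<<  [Exit status: SUCCESS]
>>>  [Device Install (Hardware initiated) - HID\VID_046D&PID_C52B\7&1a2b3c4d&0&0000]
>>>  Section start 2023/10/12 08:01:10.500
<<<  Section end 2023/10/12 08:01:11.020
>>>  [Device Install (Hardware initiated) - USBSTOR\Disk&Ven_SanDisk&Prod_Ultra&Rev_1.00\EXAMPLESERIAL0001&0]
>>>  Section start 2023/10/12 23:42:07.318
<<<  Section end 2023/10/12 23:42:09.870
"""

HEADER = re.compile(
    r"^>>>\s+\[Device Install \(Hardware initiated\) - (USBSTOR\\[^\\\]]+\\[^\]]+)\]")
START = re.compile(r"^>>>\s+Section start (\d{4}/\d\d/\d\d \d\d:\d\d:\d\d\.\d{3})")

def parse_usb_installs(log_text):
    """Return one record per USBSTOR install section in the log text."""
    records, pending = [], None
    for line in log_text.splitlines():
        if line.startswith(">>>") and "[" in line:
            # New section header: remember it only if it is a USB storage device.
            m = HEADER.match(line)
            pending = m.group(1) if m else None
            continue
        m = START.match(line)
        if m and pending:
            _, dev, instance = pending.split("\\", 2)
            fields = dict(p.split("_", 1) for p in dev.split("&") if "_" in p)
            records.append({
                "vendor": fields.get("Ven"),
                "product": fields.get("Prod"),
                # Trailing "&0" is an instance suffix, not part of the serial.
                "serial": instance.rsplit("&", 1)[0],
                "first_install": datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S.%f"),
            })
            pending = None
    return records

def installed_before(records, event_time, window):
    """Devices first installed no more than `window` before event_time."""
    return [r for r in records
            if timedelta(0) <= event_time - r["first_install"] <= window]
```

Because this log records first installation only, later connections of the same device have to come from the registry and event logs, and the local-time stamps need converting before they are merged with UTC cloud audit logs.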
The Pre-Litigation Checklist for Counsel
If you suspect an employee has stolen trade secrets, follow these steps before filing suit:
- Secure the Device Immediately: Instruct IT to retrieve the suspect’s laptop, phone, and tablet. Power them down (do not connect them to Wi-Fi, which could trigger a remote wipe) and secure them in a locked cabinet.
- Do Not Touch the Hard Drive: Do not let internal IT boot the system or log in.
- Retain a Forensics Firm: Engage a third-party forensic examiner to create a certified bit-stream clone of the media using write-blockers. The examiner will generate cryptographic MD5/SHA-256 hashes of the clone to prove it is a perfect copy.
- Acquire Cloud Logs: Secure server-side logs immediately—Microsoft 365 audit logs, Salesforce export logs, and VPN access histories—before log retention policies (often 30 to 90 days) overwrite them.
Legal Outcomes: Building a Defensible Narrative
A digital forensics report translates technical data into a timeline narrative that a judge can understand:
“On October 12th at 11:42 PM, USB Serial Number 4c535… was connected. Within four minutes, 42 gigabytes of source code files were copied. Seven hours later, the employee submitted their resignation.”
This level of detail is what secures Temporary Restraining Orders (TROs), wins injunctions, and protects your business’s proprietary intellectual property.
If you suspect trade secret theft or need to preserve digital evidence, explore our Digital Forensics capabilities or contact us for immediate assistance.