Anatomy of an IP Theft

By Michael R. Bandemer
August 28, 2007

Matters related to intellectual property ('IP') have become so common in our e-discovery and computer-forensics practice that when we tell our staff there's a new matter requiring our attention, the general response is typically: 'Let me guess: another company where a former employee has left for a competitor or created a startup, and allegedly stole the company's key intellectual property to get a head start.'

From that point, we delve into another adventure to hunt down the next smoking gun and, in some instances, the silver bullet.

Our collection of smoking guns is quite extensive. Here's a sampling of the wares:

  • Evidence of attorneys taking firms' client lists and templates;
  • Manufacturing managers taking formulas and processes;
  • Sales staff taking customer lists and contracts;
  • Engineers taking software programs; and
  • Designers taking drawings and illustrations.

The scenarios are wide-ranging and the stakes are high.

During a recent matter in federal court in Southern California (Eldorado Stone, LLC v. Renaissance Stone, Inc., No. 04-CV-2562 JM(CAB) (2005)), computer evidence played a key role in our client obtaining a judgment of more than $20 million in trade-secret, economic and punitive damages against a former employee and the company he created to compete with our client. The evidence resulting from the computer-forensics investigation brought to light a series of lies and coverups that the defendant had propagated to his investors, co-workers, our clients and, ultimately, the jury.

The case began in August 2004, when Eldorado Stone, a leading manufacturer of architectural stone veneer, contacted us to investigate suspicions surrounding a former industrial engineer who had resigned in May. The company had concerns that he had misappropriated trade secrets, including core product formulas, manufacturing processes, quality-control documentation and selected training materials. The company also had received indications that the employee had plans to open his own competing business.

We immediately met with counsel and Eldorado Stone to understand the allegations, and put a work plan in place. The initial team consisted of senior management and outside counsel. The immediate focus of our investigation was the computers of former employee Alfonso Alvarez and another person in his department who resigned within days of Alvarez. Our objectives were to preserve all electronically stored information ('ESI') that might contain information relevant to the investigation. In most investigations, we go for six primary sources for key ESI to collect, preserve and analyze.

Key Steps in a Forensics Matter

Depending on a company's information systems, there might be more or less to preserve, but the ones that have led to the most useful findings for us are:

  • Key and marginal player computer hard drives;
  • Key player network user shares (home directories);
  • Departmental network group shares;
  • Corporate e-mail/calendar files;
  • Network logs; and
  • Network back-up tapes.

A synopsis of each of these useful data reservoirs and what we have found follows.

Computer hard drives. Information on hard drives lets us evaluate employee conduct and actions through the forensic analysis of file and folder metadata (e.g., created, accessed and modified dates, author, company, revision number), deleted files and content, use of Web mail accounts (e.g., Yahoo!, Gmail), LNK files (described later in the case study), user profiles, Internet histories, recycle bins, e-mail archives, event logs and other information beyond the scope of this article.

Network user shares. User shares represent folders on the network provided to employees so that they have a private folder to store files and information that will be backed up nightly. Users commonly archive mail and files here. Because user shares are typically backed up nightly, if an employee deletes the contents during departure, the contents can be restored.

Departmental group shares. Like user shares, except they are specific to a company department, such as accounting, legal, engineering or human resources. These directories contain information that is typically one of the targets for theft, as they usually contain important and proprietary information such as designs, customer lists, marketing materials and templates.

Corporate e-mail and calendar files. Obviously, this is a big one. Most companies use Microsoft Outlook and Exchange servers for these services. Believe it or not, employees still don't know better than to use the corporate mail system to steal company IP. This sometimes leads to the inspection of the suspect's home computer. Calendars can provide evidence of meetings or phone conferences relevant to the investigation. It's important to remember that Web mail will not be found here.

Network logs. Various logs exist on the company's servers, routers and switches. These logs can provide critical information about users authenticating to access the network, accessing the network remotely, backup processes that were executed, file transfers, Internet activity and other potentially valuable information. Certain logs overwrite themselves in as little as a week, so time is of the essence when preserving this information.

Network backup tapes. These tapes can be found stored at the company and often with offsite storage vendors. In many companies, backup tapes are not well managed and are occasionally found scattered throughout employees' offices or tossed in filing cabinets. This can result from turnover, IT understaffing, or system upgrades and changes. Companies traditionally use tapes to back up user-created files, enterprise databases, corporate e-mail and any other ESI that company parties to these kinds of decisions feel is important to the business. Backups are typically conducted nightly and retained according to a recycling schedule that will determine how many daily, weekly, monthly and annual tapes will be retained, and for how long. Backup tapes represent only a snapshot of a given day, so consider extracting data from selected tapes based on key dates surrounding the allegations.

We pick up our timeline here. We visited Eldorado Stone's headquarters in San Marcos, CA, where the laptop computers of Alvarez, and Jose Martinez, a friend and business partner of Alvarez, as well as a former Eldorado employee, had been shipped from their manufacturing facility in Rancho Cucamonga, CA, where Alvarez and Martinez worked. We picked up the computers from Eldorado and brought them to our forensics lab in San Diego to be processed and analyzed. Step one was to image the computers using hardware and software specifically designed to create an exact forensic image of the computer without altering or modifying the original.

Play It Professionally

In any case requiring computers to be preserved, the expert or company imaging the computers must ensure that no changes are made to the electronic data, the image is a verifiable bit-by-bit copy and that the appropriate documentation is completed to maintain the chain of custody.

Once the Eldorado images were created and verified, we were ready to begin our analysis. As in most IP theft cases that we investigate, we:

  • Searched the drive for keywords;
  • Analyzed the folder structure and metadata;
  • Reviewed file types and programs;
  • Recovered deleted files;
  • Recovered Internet histories;
  • Examined user profiles; and
  • Analyzed file activity around significant dates and times.

The client gave us the budget and leeway to guide our own analysis, which was important to the end results. All but one of these analyses resulted in mostly insignificant findings that would not provide us with enough evidence to file for a TRO, proceed with actions against Alvarez, or both.

While reviewing recent activity under Alvarez's user profile, we noticed several files with the extension .CL5. A file of this type is associated with projects from software called Roxio used for burning CD-ROMs. Roxio is commonly included with the Windows operating system and default software on new computers. Upon reviewing the program files and folders associated with the Roxio application, we discovered a number of CD-burning projects. One of these projects in particular quickly caught our attention. It was a file named 'general.cl5,' and from the metadata, we could tell that this was a large file relative to the others and was created in March, about six weeks prior to Alvarez's resignation. Other projects stored in this folder were very small and were burned at a rate of only a few files at a time. Also, the file names for these other projects were very specific to the content, whereas this file was named 'general,' and contained many types and categories of information. Most important, though, was that the general project contained a folder called 'Core 56 Rancho,' which contained all the color formulas for the company's core product line made in Rancho Cucamonga, which at the time totaled 56. The metadata also indicated that this was the only project created in 2004, and that most of the others were created more than 18 months before. The metadata also enabled us to develop the opinion that this project was created in March, not before or after. It was later discovered that it was in late February and early March that Alvarez had begun to meet with his eventual business partners.

Upon examining the project file, we found that the burning project included more than 600 files and 27 folders of information slated to be burned to CD-ROM. No CDs were ever found or located, despite the company performing a media sweep to locate any loose media. During Alvarez's deposition, he indicated that it was common for him to back up these files on CD-ROM and that he had left all the CDs on his desk at Eldorado. Ultimately, the evidence presented at trial persuaded the jury that this wasn't true.

This was most certainly the smoking gun the company was seeking. Based on this evidence, the company proceeded with actions against Alvarez and his new company, known as Renaissance Stone USA. Eldorado filed a complaint against defendants Alvarez and Renaissance in late December 2004. Shortly after filing the complaint, Luce Forward, counsel for Eldorado, issued a notice to the defendants to preserve evidence, and specifically identified all computers used by Alvarez at home or at Renaissance.

But it wasn't until July 2006 that, in accordance with a court order, the defendant turned over images of several computers, including Renaissance's computer issued to Alvarez, Alvarez's home computer and a computer Alvarez used at Renaissance for a short time after starting the company that was currently issued to the company's president. One of the primary objectives for analyzing the defendant's computers was to turn up evidence of the CD-ROM containing the 'general' project. We felt that this evidence would prove that Alvarez took the CD-ROM and was using the information to continue his new business. As a matter of protocol, the order provided that we could analyze the Renaissance computers but were required to first turn over documents to defendant's counsel for review prior to disclosing to Eldorado counsel.

Traipsing Down the Data Trail

Our analysis began with Alvarez's current Renaissance computer. There was little to be found on this computer. Keyword searches for information from the General project indicated that none of the files or contents of the CD-ROM could be found on his computer. But during our review of the files and folders stored under Alvarez's profile, we found that Alvarez had all Renaissance's formulas stored in Microsoft Excel files on his computer. On further review of the metadata for these formula files, we discovered that the reported author and company was someone named Luciano Lopez, and that the company was indicated as 'Home PC.' Additionally, many of these files, which according to Eldorado typically take days or weeks to create, apparently had been created within only minutes of one another.
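The metadata review described above can be reduced to two checks: which documents carry an embedded author or company other than the custodian's, and which were created in a tight burst. The following is an added example, not the investigators' tooling; the record layout, the names and every value in `SAMPLE` are constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class DocMeta:
    name: str
    author: str        # embedded "Author" property of the document
    company: str       # embedded "Company" property of the document
    created: datetime  # embedded creation time of the document


# Constructed sample records; names, authors and times are illustrative only.
SAMPLE = [
    DocMeta("formula_a.xls", "L. Example", "Home PC", datetime(2004, 8, 3, 20, 1)),
    DocMeta("formula_b.xls", "L. Example", "Home PC", datetime(2004, 8, 3, 20, 3)),
    DocMeta("formula_c.xls", "L. Example", "Home PC", datetime(2004, 8, 3, 20, 4)),
    DocMeta("formula_d.xls", "L. Example", "Home PC", datetime(2004, 8, 3, 20, 8)),
    DocMeta("price_list.xls", "Custodian", "NewCo", datetime(2004, 9, 20, 9, 15)),
    DocMeta("formula_e.xls", "L. Example", "Home PC", datetime(2004, 10, 11, 22, 40)),
]


def foreign_authors(records, custodian):
    """Group documents by (author, company) when the author is not the custodian.

    A foreign author is a lead, not a conclusion: copying a template keeps the
    template author's name in the copy.
    """
    groups = defaultdict(list)
    for rec in sorted(records, key=lambda r: r.created):
        if rec.author.casefold() != custodian.casefold():
            groups[(rec.author, rec.company)].append(rec.name)
    return dict(groups)


def creation_bursts(records, window=timedelta(minutes=5), min_files=3):
    """Return runs of at least min_files documents whose consecutive creation
    times are no more than `window` apart."""
    bursts, run = [], []

    def flush():
        if len(run) >= min_files:
            bursts.append({
                "files": [r.name for r in run],
                "start": run[0].created,
                "span": run[-1].created - run[0].created,
                "authors": sorted({r.author for r in run}),
            })

    for rec in sorted(records, key=lambda r: r.created):
        if run and rec.created - run[-1].created > window:
            flush()
            run = []
        run.append(rec)
    flush()
    return bursts


if __name__ == "__main__":
    for key, names in foreign_authors(SAMPLE, "Custodian").items():
        print("foreign author/company:", key, names)
    for burst in creation_bursts(SAMPLE):
        print("burst:", burst["files"], "within", burst["span"])
```

A burst of documents that normally take days each to produce, all carrying someone else's author field, is the pattern worth putting in front of the people who know how long the work really takes.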

Lopez indicated in his deposition that he had lent his laptop computer to Alvarez in May or June 2004, and that he never got it back. During his deposition, Alvarez admitted to using the computer, but said that he had used it only in July and August. Alvarez also testified that when the screen froze, he threw it in the trash. This was getting very interesting, indeed! Alvarez then indicated that he didn't ask Lopez whether he would like the computer returned to him, and that he also never tried to have it repaired. Metadata from the formulas indicated that some of these files were created on the Lopez laptop as late as October.

But here's the thing: The defendants had never disclosed this. At the deposition of the defendant's computer experts, they testified that they hadn't discovered that the Luciano Lopez laptop existed. The missing laptop represented a critical gap in the evidence and in these experts' opinion that Alvarez had never read the files from the CD-ROM. Based on this revelation, we decided that more analysis of Alvarez's current computer was fruitless as evidence, and that the Eldorado CD-ROM would more than likely have been used on Lopez's laptop, and not Alvarez's computer.

During our review and analysis of Alvarez's home computer, we discovered that it had been reformatted and the operating system reinstalled during the first week of February 2005, about one month after the complaint was filed. The reformatting also removed all previous user profiles and documents. Our findings indicated that this was a complete reformatting and installation, and not just an upgrade, as the defendants portrayed it. During the defendant's computer expert's deposition, it came out that the expert hadn't reviewed the evidence and had no idea about the nature of the reformatting.

Our analysis of Alvarez's old Renaissance computer assigned to the president also produced evidence that it had been reformatted during early February 2005, and within 10 days of Alvarez's computer being reformatted. This, too, was not an upgrade, and it was very damaging. Along with our other findings, this discovery made us sense foul play.

Backtracking and Rechecking

At this time, the computer evidence was significant, but we were frustrated that we still had no affirmative evidence that the Eldorado CD-ROM and general project had been used or read by Renaissance or Alvarez. Our inventory of computer evidence consisted of a CD-burning project named General, a missing CD-ROM, a laptop computer discarded in the trash and two computers that had been reformatted. Certainly, this had the appearance of a coverup and destruction of evidence.

So, we revisited the Renaissance computers many times, searching and analyzing. That's when we found the so-called silver bullet. A fragment of data was found on the president's computer (the computer Alvarez initially used for a few months after starting Renaissance) that indicated that a shortcut existed pointing to a folder named Core-56 Rancho. The shortcut was a link ('LNK') file. LNK files are commonly created by Microsoft Windows when a file is opened so that Windows can include the file in a user's recent documents. Although we weren't able to recover the LNK file itself, we decoded fragments of data indicating that the LNK file was created in September 2004. This was in or around the time that Alvarez began to transition from the Lopez laptop to his Renaissance computer.
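One way LNK remnants can be decoded from raw data, shown as an added example rather than the method used in this matter: it scans a byte fragment for the fixed 76-byte shell link header defined in Microsoft's MS-SHLLINK specification, decodes the three FILETIME values stored there, and searches for a folder name in both ANSI and UTF-16 form. The fragment, its timestamps and the `D:\` path are constructed, and the code assumes the header survived intact in the fragment.

```python
import struct
from datetime import datetime, timedelta, timezone

HEADER_LEN = 0x4C  # ShellLinkHeader is always 76 bytes
# HeaderSize (0x0000004C) followed by the fixed LinkCLSID
LNK_MAGIC = struct.pack("<I", HEADER_LEN) + bytes.fromhex(
    "0114020000000000c000000000000046")
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
FILE_ATTRIBUTE_DIRECTORY = 0x10


def filetime_to_utc(ft):
    """FILETIME counts 100 ns ticks since 1601-01-01 UTC; 0 means 'not set'."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10) if ft else None


def utc_to_filetime(dt):
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def carve_lnk_headers(blob):
    """Find shell link headers anywhere in a raw fragment.

    The header's timestamps describe the link *target* as seen when the
    shortcut was written, so they place the target on the system at that time.
    """
    hits = []
    pos = blob.find(LNK_MAGIC)
    while pos != -1:
        if pos + HEADER_LEN <= len(blob):  # ignore headers cut off by the fragment end
            flags, attrs, ctime, atime, wtime, size = struct.unpack_from(
                "<IIQQQI", blob, pos + len(LNK_MAGIC))
            hits.append({
                "offset": pos,
                "link_flags": flags,
                "target_is_directory": bool(attrs & FILE_ATTRIBUTE_DIRECTORY),
                "target_created": filetime_to_utc(ctime),
                "target_accessed": filetime_to_utc(atime),
                "target_written": filetime_to_utc(wtime),
                "target_size": size,
            })
        pos = blob.find(LNK_MAGIC, pos + 1)
    return hits


def find_name(blob, name):
    """Offsets of a file or folder name stored as ANSI or as UTF-16LE text."""
    found = {}
    for label, codec in (("ansi", "cp1252"), ("unicode", "utf-16-le")):
        needle = name.encode(codec)
        offsets, pos = [], blob.find(needle)
        while pos != -1:
            offsets.append(pos)
            pos = blob.find(needle, pos + 1)
        found[label] = offsets
    return found


def build_sample_fragment():
    """Constructed bytes standing in for unallocated space; not a complete LNK."""
    when = utc_to_filetime(datetime(2004, 9, 14, 16, 5, tzinfo=timezone.utc))
    header = LNK_MAGIC + struct.pack(
        "<IIQQQIIIHHII",
        0x80,                      # LinkFlags: IsUnicode
        FILE_ATTRIBUTE_DIRECTORY,  # target is a folder
        when, when, when,          # creation, access, write time of the target
        0, 0, 1, 0, 0, 0, 0)       # size, icon index, show command, hotkey, reserved
    path = "D:\\Core-56 Rancho".encode("utf-16-le")
    return b"\xee" * 64 + header + b"\x00" * 12 + path + b"\xee" * 32


if __name__ == "__main__":
    fragment = build_sample_fragment()
    for hit in carve_lnk_headers(fragment):
        print(hit)
    print(find_name(fragment, "Core-56 Rancho"))
```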

None of the findings described above came from the defendant's computer experts; ultimately, the defendants didn't have their computer expert testify. They had offered opinions that, based on their forensic analysis, the files from the CD-ROM were never read or opened by Alvarez or on any of the Renaissance computers. Proving a negative in computer forensics can be nearly impossible. The findings of the hard-drive formatting and the missing laptop supported our opinion that their expert's opinions were unfounded.

During cross-examination, it was clear to me that the defendant's lead counsel failed to develop a detailed understanding of our computer analysis, and that many of the defendant's questions and hypotheticals missed the mark or drew sustained objections. Despite the trial containing many technical findings and exhibits, the jury clearly followed our computer analysis. We were careful to let the jury draw its own conclusions from the facts presented.

The computer evidence was significant to the outcome of this case. The smoking guns and silver bullet left their mark.

Guidance from Those Who Have Been There

Here are some suggestions for handling the next investigation and analysis of ESI:

1. Act early. Engage an expert with computer-forensics experience early to assess the available evidence and minimize the destruction of evidence from internal IT or legal personnel accessing the computer and files, or prevent too much time from elapsing.

2. Be a team. Include the expert as a member of the team and include outside counsel, IT, a senior management representative and someone from human resources, if possible and applicable.

3. Authorize the necessary resources. Although cost is always a concern, the expert needs a budget to look around, because solely using keywords in this type of situation isn't sufficient.

4. Don't let the tail wag the dog. Experts need some leeway in determining what should be done, and often an attorney or paralegal issuing specific instructions and trying to perform the true investigative work on their own typically stifles the experts' abilities to develop independent thoughts.

5. Be courteous and professional. At all times, our team was courteous and professional to everyone, from our own team members to the court reporter to the opposing attorneys. The jury expressed after the award that they felt that we were nice people and that we were the good guys! That's hard to top.

Remember: New technologies allow companies to protect their ESI from these types of situations, and inexpensive monitoring software is available to keep tabs on one employee or a group of employees suspected of being up to no good.


Michael R. Bandemer, CPA, CMA, CITP, EnCE, is a managing director with LECG. He manages aspects of the firm's e-discovery, computer-forensics and data-analysis practice. As a certified public accountant, Bandemer also testifies in forensic-accounting, financial-investigation and commercial-litigation matters. Contact him at [email protected].

Matters related to intellectual property ('IP') have become so common in our e-discovery and computer-forensics practice that when we tell our staff there's a new matter requiring our attention, the general response is typically: 'Let me guess ' another company where a former employee has left for a competitor or created a startup, and allegedly stole the company's key intellectual property to get a head start.'

From that point, we delve into another adventure to hunt down the next smoking gun and, in some instances, the silver bullet.

Our collection of smoking guns is quite extensive. Here's a sampling of the wares:

  • Evidence of attorneys taking firms' client lists and templates;
  • Manufacturing managers taking formulas and processes;
  • Sales staff taking customer lists and contracts;
  • Engineers taking software programs; and
  • Designers taking drawings and illustrations.

The scenarios are wide-ranging and the stakes are high.

During a recent matter in federal court in Southern California (Eldorado Stone, LLC v. Renaissance Stone, Inc., No. 04-CV-2562 JM(CAB) (2005)), computer evidence played a key role in our client obtaining a judgment of more than $20 million in trade-secret, economic and punitive damages against a former employee and the company he created to compete with our client. The evidence resulting from the computer-forensics investigation brought to light a series of lies and coverups that the defendant had propagated to his investors, co-workers, our clients and, ultimately, the jury.

The case began in August 2004, when Eldorado Stone, a leading manufacturer
of architectural stone veneer, contacted us to investigate suspicions surrounding
a former industrial engineer who had resigned in May. The company had concerns that he had misappropriated trade secrets, including core product formulas, manufacturing processes, quality-control documentation and selected training materials. The company also had received indications that the employee had plans to open his own competing business.

We immediately met with counsel and Eldorado Stone to understand the allegations, and put a work plan in place. The initial team consisted of senior management and outside counsel. The immediate focus of our investigation was the computers of former employee Alfonso Alvarez and another person in his department who resigned within days of Alvarez. Our objectives were to preserve all electronically stored information ('ESI') that might contain information relevant to the investigation. In most investigations, we go for six primary sources for key ESI to collect, preserve and analyze.

Key Steps in a Forensics Matter

Depending on a company's information systems, there might be more or less to preserve, but the ones that have led to the most useful findings for us are:

  • Key and marginal player computer hard drives;
  • Key player network user shares (home directories);
  • Departmental network group shares;
  • Corporate e-mail/calendar files;
  • Network logs; and
  • Network back-up tapes.

A synopsis of each of these useful data reservoirs and what we have found follows.

Computer hard drives. Information on hard drives lets us evaluate employee conduct and actions through the forensic analysis of file and folder metadata (e.g., created, accessed and modified dates, author, company, revision number), deleted files and content, use of Web mail accounts (e.g., Yahoo!, G-mail), LNK files (described later in case study), user profiles, Internet histories, recycle bins, e-mail archives, event logs and other information beyond the scope of this article.

Network user shares. User shares represent folders on the network provided to employees so that they have a private folder to store files and information that will be backed up nightly. Users commonly archive mail and files here. Because user shares are typically backed up nightly, if an employee deletes the contents during departure, the contents can be restored.

Departmental group shares. Like user shares, except they are specific to a company department, such as accounting, legal, engineering or human resources. These directories contain information that is typically one of the targets for theft, as they usually contain important and proprietary information such as designs, customer lists, marketing materials and templates.

Corporate e-mail and calendar files. Obviously, this is a big one. Most companies use Microsoft Outlook and Exchange servers for these services. Believe it or not, employees still don't know better than to use the corporate mail system to steal company IP. This sometimes leads to the inspection of the suspect's home computer. Calendars can provide evidence of meetings or phone conferences relevant to the investigation. It's important to remember that Web mail will not be found here.

Network logs. Various logs exist on the company's servers, routers and switches. These logs can provide critical information about users authenticating to access the network, accessing the network remotely, backup processes that were executed, file transfers, Internet activity and other potentially valuable information. Certain logs overwrite themselves in as little as a week, so time is of the essence when preserving this information.

Network backup tapes. These tapes can be found stored at the company and often with offsite storage vendors. In many companies, backup tapes are not well managed and are occasionally found scattered throughout employees' offices or tossed in filing cabinets. This can result from turnover, IT understaffing, or system upgrades and changes. Companies traditionally use tapes to back up user-created files, enterprise databases, corporate e-mail and any other ESI that company parties to these kinds of decisions feel is important to the business. Backups are typically conducted nightly and retained according to a recycling schedule that will determine how many daily, weekly, monthly and annual tapes will be retained ' and for how long. Backup tapes represent only a snapshot of a given day, so consider extracting data from selected tapes based on key dates surrounding the allegations.

We pick up our timeline here. We visited Eldorado Stone's headquarters in San Marcos, CA, where the laptop computers of Alvarez, and Jose Martinez, a friend and business partner of Alvarez, as well as a former Eldorado employee, had been shipped from their manufacturing facility in Rancho Cucamonga, CA, where Alvarez and Martinez worked. We picked up the computers from Eldorado and brought them to our forensics lab in San Diego to be processed and analyzed. Step one was to image the computers using hardware and software specifically designed to create an exact forensic image of the computer without altering or modifying the original.

Play It Professionally

In any case requiring computers to be preserved, the expert or company imaging the computers must ensure that no changes are made to the electronic data, the image is a verifiable bit-by-bit copy and that the appropriate documentation is completed to maintain the chain of custody.

Once the Eldorado images were created and verified, we were ready to begin our analysis. As in most IP theft cases that we investigate, we:

  • Searched the drive for keywords;
  • Analyzed the folder structure and metadata;
  • Reviewed file types and programs;
  • Recovered deleted files;
  • Recovered Internet histories;
  • Examined user profiles; and
  • Analyzed file activity around significant dates and times.

The client gave us the budget and leeway to guide our own analysis, which was important to the end results. All but one of these analyses resulted in mostly insignificant findings that would not provide us with enough evidence to file for a TRO, proceed with actions against Alvarez, or both.

While reviewing recent activity under Alvarez's user profile, we noticed several files with the extension .CL5. A file of this type is associated with projects from software called Roxio used for burning CD-ROMs. Roxio is commonly included with the Windows operating system and default software on new computers. Upon reviewing the program files and folders associated with the Roxio application, we discovered a number of CD-burning projects. One of these projects in particular quickly caught our attention. It was a file named 'general.cl5,' and from the metadata, we could tell that this was a large file relative to the others and was created in March, about six weeks prior to Alvarez's resignation. Other projects stored in this folder were very small and were burned at a rate of only a few files at a time. Also, the file names for these other projects were very specific to the content, whereas this file was named 'general,' and contained many types and categories of information. Most important, though, was that the general project contained a folder called 'Core 56 Rancho,' which contained all the color formulas for the company's core product line made in Rancho Cucamonga ' which at the time totaled 56. The metadata also indicated that this was the only project created in 2004, and that most of the others were created more than 18 months before. The metadata also enabled us to develop the opinion that this project was created in March ' not before or after. It was later discovered that it was in late February and early March that Alvarez had begun to meet with his eventual business partners.

Upon examining the project file, we found that the burning project included more than 600 files and 27 folders of information slated to be burned to CD-ROM. No CDs were ever found or located, despite the company performing a media sweep to locate any loose media. During Alvarez's deposition, he indicated that it was common for him to back up these files on CD-ROM and that he had left all the CDs on his desk at Eldorado. Ultimately, the evidence presented at trial persuaded the jury that this wasn't true.

This was most certainly the smoking gun the company was seeking. Based on this evidence, the company proceeded with actions against Alvarez and his new company, known as Renaissance Stone USA. Eldorado filed a complaint against defendants Alvarez and Renaissance in late December 2004. Shortly after filing the complaint, Luce Forward, counsel for Eldorado, issued a notice to the defendants to preserve evidence, and specifically identified all computers used by Alvarez at home or at Renaissance.

But it wasn't until July 2006 that, in accordance with a court order, the defendant turned over images of several computers, including Renais- sance's computer issued to Alvarez, Alvarez's home computer and a computer Alvarez used at Renaissance for a short time after starting the company that was currently issued to the company's president. One of the primary objectives for analyzing the defendant's computers was to turn up evidence of the CD-ROM containing the 'general' project. We felt that this evidence would prove that Alvarez took the CD-ROM and was using the information to continue his new business. As a matter of protocol, the order provided that we could analyze the Renaissance computers but were required to first turn over documents to defendant's counsel for review prior to disclosing to Eldorado counsel.

Traipsing Down the Data Trail

Our analysis began with Alvarez's current Renaissance computer. There was little to be found on this computer. Keyword searches for information from the General project indicated that none of the files or contents of the CD-ROM could be found on his computer. But during our review of the files and folders stored under Alvarez's profile, we found that Alvarez had all Renaissance's formulas stored in Microsoft Excel files on his computer. On further review of the metadata for these formula files, we discovered that the reported author and company was someone named Luciano Lopez, and that the company was indicated as 'Home PC.' Additionally, many of these files, which according to Eldorado typically take days or weeks to create, apparently had been created within only minutes of one another.

Lopez indicated in his deposition that he had lent his laptop computer to Alvarez in May or June 2004, and that he never got it back. During his deposition, Alvarez admitted to using the computer, but said that he had used it only in July and August. Alvarez also testified that when the screen froze, he threw it in the trash. This was getting very interesting, indeed! Alvarez then indicated that he didn't ask Lopez whether he would like the computer returned to him, and that he also never tried to have it repaired. Metadata from the formulas indicated that some of these files were created on the Lopez laptop as late as October.

But here's the thing: The defendants had never disclosed this. At the deposition of the defendant's computer experts, they testified that they hadn't discovered that the Luciano Lopez laptop existed. The missing laptop represented a critical gap in the evidence and these experts' opinion that Alvarez had never read the files from the CD-ROM. Based on this revelation, we decided that more analysis of Alvarez's current computer was fruitless as evidence, and that the Eldorado CD-ROM used would more than likely have been on Lopez's laptop, and not Alvarez's computer.

During our review and analysis of Alvarez's home computer, we discovered that it had been reformatted and the operating system reinstalled during the first week of February 2005, about one month after the complaint was filed. The reformatting also removed all previous user profiles and documents. Our findings indicated that this was a complete reformatting and installation, and not just an upgrade, as the defendants portrayed it. During the defendant's computer expert's deposition, it came out that the expert hadn't reviewed the evidence and had no idea about the nature of the reformatting.

Our analysis of Alvarez's old Renaissance computer assigned to the president also produced evidence that it had been reformatted during early February 2005, and within 10 days of Alvarez's computer being reformatted. This, too, was not an upgrade, and it was very damaging. Along with our other findings, this discovery made us sense foul play.

Backtracking and Rechecking

At this time, the computer evidence was significant, but we were frustrated that we still had no affirmative evidence that the Eldorado CD-ROM and General project had been used or read by Renaissance or Alvarez. Our inventory of computer evidence consisted of a CD-burning project named General, a missing CD-ROM, a laptop computer discarded in the trash and two computers that had been reformatted. Certainly, this had the appearance of a coverup and destruction of evidence.

So, we revisited the Renaissance computers many times, searching and analyzing. That's when we found the so-called silver bullet. A fragment of data was found on the president's computer (the computer Alvarez initially used for a few months after starting Renaissance) that indicated that a shortcut existed pointing to a folder named Core-56 Rancho. The shortcut was a link ('LNK') file. LNK files are commonly created by Microsoft Windows when a file is opened so that Windows can include the file in a user's recent documents. Although we weren't able to recover the LNK file itself, we decoded fragments of data indicating that the LNK file was created in September 2004. This was in or around the time that Alvarez began to transition from the Lopez laptop to his Renaissance computer.
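As an added illustration (this is not code from the investigation described here), the following Python example carves Shell Link header signatures out of raw data and decodes whichever timestamp fields survive in each fragment. It assumes Microsoft's published MS-SHLLINK header layout, in which the three header FILETIME fields record the link target's times as of when the link was written; the function names, sample bytes and dates are constructed for the example.

```python
import struct
from datetime import datetime, timedelta, timezone

# Per MS-SHLLINK, a header starts with HeaderSize 0x4C and then the fixed LinkCLSID.
LNK_MAGIC = bytes.fromhex("4c0000000114020000000000c000000000000046")
HEADER_LEN = 0x4C
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
TIME_FIELDS = (("target_created", 28), ("target_accessed", 36), ("target_written", 44))

def filetime_to_dt(ft):
    """FILETIME = 100 ns ticks since 1601-01-01 UTC; 0 means the field is unset."""
    if ft == 0:
        return None
    try:
        return EPOCH_1601 + timedelta(microseconds=ft // 10)
    except OverflowError:  # garbage bytes after a chance signature match
        return None

def dt_to_filetime(dt):
    """Inverse conversion, used only to build the constructed sample."""
    return (dt - EPOCH_1601) // timedelta(microseconds=1) * 10

def carve_lnk_headers(blob):
    """Return (offset, complete, fields) for each Shell Link header signature in blob."""
    hits, pos = [], blob.find(LNK_MAGIC)
    while pos != -1:
        chunk = blob[pos:pos + HEADER_LEN]
        fields = {}
        for name, off in TIME_FIELDS:  # decode only the fields that survive in the fragment
            if len(chunk) >= off + 8:
                fields[name] = filetime_to_dt(struct.unpack_from("<Q", chunk, off)[0])
        hits.append((pos, len(chunk) == HEADER_LEN, fields))
        pos = blob.find(LNK_MAGIC, pos + 1)
    return hits

def build_sample():
    """Constructed data: one whole header and one truncated fragment amid filler bytes."""
    created = dt_to_filetime(datetime(2004, 9, 14, 16, 30, tzinfo=timezone.utc))
    accessed = dt_to_filetime(datetime(2004, 9, 20, 9, 5, tzinfo=timezone.utc))
    hdr = LNK_MAGIC + struct.pack("<II", 0x1, 0x10)  # LinkFlags, FILE_ATTRIBUTE_DIRECTORY
    hdr += struct.pack("<QQQ", created, accessed, created)
    hdr += struct.pack("<IiIHHII", 0, 0, 1, 0, 0, 0, 0)  # size, icon, show cmd, hotkey, reserved
    return b"\xaa" * 512 + hdr + b"\x00" * 100 + hdr[:36]

if __name__ == "__main__":
    for offset, complete, fields in carve_lnk_headers(build_sample()):
        print(hex(offset), "complete" if complete else "fragment", fields)
```

A hit flagged as a fragment yields only the fields that fit before the data ends, so a partial header can still date activity even when the rest of the shortcut is unrecoverable.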

None of the findings described above came from the defendant's computer experts; ultimately, the defendants didn't have their computer expert testify. They had offered opinions that, based on their forensic analysis, the files from the CD-ROM were never read or opened by Alvarez or on any of the Renaissance computers. Proving a negative in computer forensics can be nearly impossible. The findings of the hard-drive formatting and the missing laptop supported our opinion that their expert's opinions were unfounded.

During cross-examination, it was clear to me that the defendant's lead counsel failed to develop a detailed understanding of our computer analysis, and that many of the defendant's questions and hypotheticals missed the mark or drew sustained objections. Despite the trial containing many technical findings and exhibits, the jury clearly followed our computer analysis. We were careful to let the jury draw its own conclusions from the facts presented.

The computer evidence was significant to the outcome of this case. The smoking guns and silver bullet left their mark.

Guidance from Those Who Have Been There

Here are some suggestions for handling the next investigation and analysis of ESI:

1. Act early. Engage an expert with computer-forensics experience early to assess the available evidence, to minimize the destruction of evidence caused by internal IT or legal personnel accessing the computer and files, and to keep too much time from elapsing.

2. Be a team. Include the expert as a member of the team and include outside counsel, IT, a senior management representative and someone from human resources, if possible and applicable.

3. Authorize the necessary resources. Although cost is always a concern, the expert needs a budget to look around, because solely using keywords in this type of situation isn't sufficient.

4. Don't let the tail wag the dog. Experts need some leeway in determining what should be done; an attorney or paralegal who issues specific instructions and tries to perform the true investigative work on their own typically stifles the experts' ability to develop independent thoughts.

5. Be courteous and professional. At all times, our team was courteous and professional to everyone, from our own team members to the court reporter to the opposing attorneys. The jury expressed after the award that they felt that we were nice people and that we were the good guys! That's hard to top.

Remember: New technologies allow companies to protect their ESI from these types of situations, and inexpensive monitoring software is available to keep tabs on one employee or a group of employees suspected of being up to no good.


Michael R. Bandemer, CPA, CMA, CITP, EnCE, is a managing director with LECG. He manages aspects of the firm's e-discovery, computer-forensics and data-analysis practice. As a certified public accountant, Bandemer also testifies in forensic-accounting, financial-investigation and commercial-litigation matters. Contact him at [email protected].