A partner at a large law firm that was representing a world-renowned scientist who was accused of stealing intellectual property from his previous employer notified us regarding this sensitive case. The case was filed in federal court and contained several declarations by a forensic expert. Several depositions had already taken place, including the defendant's. During our initial consultation we were informed that it was our client's belief that the plaintiff was simply "abusing the process" to prevent the defendant from taking a position at a competing firm. There were no non-competes in place and he could legally work wherever he wanted. The plaintiff was trying to obtain an injunction alleging theft of intellectual property. We were given a copy of all court papers filed, including deposition transcripts and two expert declarations. As investigators, our approach to case material differs from a legal review. Our review of the material did not reveal any evidence that theft of intellectual property was even suspected before the case was filed alleging such an act.

The documents showed that the plaintiff did not even perform a forensic analysis on the computers that were assigned to the defendant before they filed the lawsuit. What was very troublesome, however, was the fact that the expert declarations were so swayed, they bordered outright fraud. For example, one of the expert reports stated that the defendant stole his emails because the forensic evidence showed that the "OST" file in one of the computers he used was ‘modified’ the day before he left the company. The expert further theorized that it showed that he had made a copy of his emails and in fact took them before his departure. He continued, stating that he cannot think of any reason why anyone would create such a file other than for the purpose of stealing it. Obvious to anyone who understands how "OST" files are ‘created’ and ‘modified,’ this is an absurd statement. "OST" files are created by MS Outlook connecting to an "Exchange Server" automatically during installation and configuration of the Outlook client, not by the user. Furthermore, the ‘last modified’ date simply shows the last time the contents of the "OST" file changed. This change can be triggered when a new email is received or sent, an appointment is entered, and the contact list is updated, etc., thereby changing the last modified date of the file. If we entertain the notion that he created that file to steal it, however ridiculous that may be, the ‘creation date’ would be the relevant metadata field. Neither one of the forensic reports showed any evidence that the defendant misappropriated any intellectual property. At this point we did not even need to look at the forensic evidence to see that something outrageous was taking place. The plaintiff's expert made it clear that his examination was still continuing and he would provide further evidence as it became available. We also interviewed the defendant to understand the IT landscape of the plaintiff's network and the computers he left behind. We asked him all the tough questions as if we were investigating him and trying to understand what was stored on the computers, his usage patterns, his actions before his departure, etc.


At this point we knew that we were dealing with an extraordinary situation. We shared our impressions and findings with the counsel and discussed the need for a strategic plan on how to deal with the plaintiff's forensic expert. His reports were keeping the case alive and exhausting the defendant's resources very rapidly. This, in our opinion, was the motivation behind the lawsuit, which seemed to be designed to force him to give up working for his new employer.


Our suggestion was to keep our involvement secret for the time being and see how far the plaintiff's expert would go with his arguments. At a critical point, our client would ask for copies of forensic evidence files to be examined by his expert, still not revealing our identity. We then would do our own analysis and go over the evidence in preparation for the deposition of their expert. As we suspected, his declarations got worse and worse to a point that we simply could not believe he would make such statements. As a result, we investigated who he was and checked his credentials. Also, it did not escape our attention that all of his declarations were filed by the plaintiff's counsel electronically and were not signed by the expert. The counsel was simply attesting that he had received them from the expert and filing them attesting to their authenticity under the penalty of perjury. In our computer forensic careers, we had never seen such an outrageous act by anyone. Once the critical point was reached, we advised our client to ask for the copies of the forensic images. After initial resistance they had to turn over the forensic images of the two computers that were examined by their expert. When we examined the computers ourselves, we could show that all of the expert declarations (a total of six) filed by the plaintiff's expert were total fabrications. We addressed every single allegation, providing solid scientific evidence and documentation that they were total fabrications. However, we told counsel not to submit our report to court at that point, but rather to depose the plaintiff's expert first. The plaintiff played a variety of games trying to prevent their expert from being deposed, cancelling deposition dates while pushing the court for summary judgment to stop the proceedings, etc. We simply took the position that their entire case was based upon the expert's alleged findings and he had to be deposed first. The court eventually ordered the plaintiff to produce their expert.

We sat down with the counsel and educated him on all aspects of the forensic issues raised by the plaintiff's expert. We equipped him with supporting documents and wrote all of the questions he should be asking. We also educated him on several possible ways that the expert could answer the question and provided follow-up questions to each potential answer. Our expert report also served as a blueprint for the deposition.


Deposition of their expert was a total disaster for the plaintiff. Their expert denied writing the reports and stated that he had never reached such conclusions. Every “proof” presented in the expert declarations alleging our client was stealing intellectual property turned out to be total fabrication, generated by the plaintiff's counsel. The case was dismissed on a summary judgment by the district judge and the plaintiff was ordered to pay all expenses incurred by the defendant.

Back to Case Studies