
MS Access system - IP theft case, how to identify if stolen  

urq82
(@urq82)
New Member

Hi,

I am working a case where, among other things, a business system based on MS Access has been identified to have been copied to a USB drive by a former employee, close to the day he left. The former employee has now started a new business - a direct copy of his previous employer's business. It is suspected that the copied MS Access based system is used in the new business (a small printing business).

It is believed to be an Access 2007 or 2010 based development. I don't have all the details right now…

Can someone point me to how to best go about proving that the system is a copy (or based on a copy)? Since it is believed to be the database structure and business logic that is unique (not the data per se), this is not part of my normal forensics work! Is there a way to document the database setup that could be used for this purpose?

Is there perhaps a way to identify specific metadata that can be helpful? I have the name of the software developer - would that (or other similar data) be part of the metadata somewhere?

BTW - I have searched this forum and others without finding any information that could help!

Appreciate any help you can give on this matter!

Posted : 05/09/2015 9:40 pm
jaclaz
(@jaclaz)
Community Legend

I am not sure I understand.

You have a copy of the "original" and a copy of the "presumed stolen" *whatever*?

In which form do they come?

A "business system based on MS Access" is a tad bit "vague": does it comprise databases, one (or more) executables, .mde's, what?

The "it is believed to be the data base structure and business logic that is unique" seems to lead to a plagiarism/copyright infringement (independently from whether the *whatever* is an actual copy).

Just as an example, if the former employee used the software and took notes of the procedures, he could well have re-built the same functionalities through different coding.

Of course if some binaries are the same it is easy to prove that it was stolen, while if the functionalities are the same it is to be seen if the "business logic" in itself is so unique to be protected by Law.

Otherwise you will need to decompile the whole thing *like* this (if it's an MDE or an ACCDE):
http://www.everythingaccess.com/mdeconversion.asp

jaclaz

Posted : 06/09/2015 12:42 am
P_R_H
(@p_r_h)
Junior Member

Do you have the USB drive? How have you identified a copy was made?

Posted : 09/09/2015 5:08 pm
urq82
(@urq82)
New Member

Hi all,

You asked for more info.

This is a civil law case in Sweden. To prove IP infringements in this type of case, the method available is to get a court order for what is called an "intrångsundersökning" - something like a civil matter search warrant, performed by LE officers. The target data sources will be acquired and analysed by LE staff. For this action to be successful, the request for intrångsundersökning needs to be as accurate as possible, considering the type of IP material involved.

In this case there are only digital data sources involved.

Background
The analysis is based on hard drives being acquired and analysed in Encase. OS is Win7. LNK, USB, Shellbag and Jumplist analysis have been done, also including data from several versions of Volume Shadow Copies. Regripper and IEF have been used as well - also to verify findings in Encase.

File copying has been identified onto two different USB drives - the same day as the suspects were asked to leave the premises prematurely. No auto-defrag had kicked in, so there was plenty of material to work with. The actual USB drives were not returned to the employer - so these are suspected to have been connected to new computers at the suspects' new company.

One finding in this analysis of copied files to USB was an MS Access database - *.accdb.

What I wanted to find out is if there is similar metadata available in .accdb as in Microsoft .docx / .xlsx (example below).

<dc:creator>User 1</dc:creator>
<cp:lastModifiedBy>User 2</cp:lastModifiedBy>
<cp:revision>3</cp:revision>
<dcterms:created xsi:type="dcterms:W3CDTF">2012-11-07T23:29:00Z</dcterms:created>
<dcterms:modified xsi:type="dcterms:W3CDTF">2013-08-25T22:18:00Z</dcterms:modified>

I still have not found an answer to the metadata question. What I have found so far is that the .accdb file format is not based on Office Open XML!

I will update this thread when I get more info.

Posted : 09/09/2015 7:10 pm
PaulSanderson
(@paulsanderson)
Senior Member

On this sort of case I have had success in the past by identifying errors (names/addresses incorrect) in the source database and seeing if the same errors are found in the copied DB.

Posted : 09/09/2015 7:41 pm
jaclaz
(@jaclaz)
Community Legend
One finding in this analysis of copied files to USB was an MS Access database - *.accdb.

What I wanted to find out is if there is similar metadata available in .accdb as in Microsoft .docx / .xlsx (example below).

<dc:creator>User 1</dc:creator>
<cp:lastModifiedBy>User 2</cp:lastModifiedBy>
<cp:revision>3</cp:revision>
<dcterms:created xsi:type="dcterms:W3CDTF">2012-11-07T23:29:00Z</dcterms:created>
<dcterms:modified xsi:type="dcterms:W3CDTF">2013-08-25T22:18:00Z</dcterms:modified>

I still have not found an answer to the metadata question. What I have found so far is that the .accdb file format is not based on Office Open XML!

I will update this thread when I get more info.

So it is Access 2007 or later, and it is a "plain" database (if you prefer a simple list of given fields).

But I still miss the info: do you have the "source" .accdb file AND the "target" (i.e. the supposed copy) or not?

Or are you trying to acquire the "target" through your strångely nåmed legal procedure?

I.e. supposing that actual metadata do exist, how can you check them until you also have the "target" of the supposed copy?
Isn't it - given that you have evidence that a given .accdb file was copied and that that "source" file contained protected intellectual property - enough to get the LE to seize files from the ex-employee's computer(s)?

BUT, as PaulSanderson said, independently of any metadata, if you have the "target" you can perform checks on the actual data.

If the ex-employee was even a little bit "smart" (or expert in the matter) he would have converted the database file into another format (or exported and re-imported the data in a new file) and would have thrown away the actual USB drive(s) used.

Let's say that what he uses now is a sqlite database (usually a .db3).

A .accdb contains data (let's say that what was stolen was the list of all customers with their e-mail addresses, postal addresses and telephone numbers). If there are typos (or double spaces or other peculiarities) in the contents of both the .accdb and the .db3 file, you can prove your point without any actual "digital" fingerprint; the analysis and comparison is more "linguistic".

BTW (and OT) this is exactly how, since the dawn of time, creators of maps (geographical and road maps, even before anything digital was made) have attempted to protect their IP: by intentionally introducing a certain number of errors (a typo in the name of a location, a non-existing road or a non-existing torrent) to avoid unauthorized duplication, the so-called map traps:
http://www.gislounge.com/map-traps-intentional-mapping-errors-combat-plagiarism/

jaclaz

Posted : 09/09/2015 8:57 pm
PaulSanderson
(@paulsanderson)
Senior Member

I haven't looked at accdb files and don't know what format they are - if you post a hex dump of the first sector then someone might be able to help.

Cheers
paul

Posted : 09/09/2015 10:33 pm
thall
(@thall)
Member

Have you tried looking at the internal table structure? Any IP would most likely centre around this rather than metadata such as last author.

I have previously worked on an IP theft case where names and addresses were copied across and contained spelling mistakes; I used fuzzy matching on name/address fields with the following software

Posted : 09/09/2015 10:39 pm
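The "same error in both databases" check that PaulSanderson, jaclaz and thall describe, written out as an added example (my code, not any poster's software and not the fuzzy-matching tool thall refers to): customer records exported from the source and from the suspected copy are fuzzy-matched after normalisation, and the matches that reproduce a known source typo are kept as the evidential ones. The record layout and all sample data are constructed for the illustration.

```python
import difflib
import re

def normalize(record) -> str:
    """Fold case and collapse whitespace/punctuation so that cosmetic changes made on
    re-import (upper-casing, spacing, separators) do not hide a copied record."""
    fields = (re.sub(r"\W+", " ", field).casefold().strip() for field in record)
    return " | ".join(re.sub(r"\s+", " ", field) for field in fields)

def find_shared_records(source, target, threshold=0.92):
    """For each source record, find the most similar target record by fuzzy matching and
    keep the pairs whose similarity ratio is at least `threshold`."""
    normalized_target = [(normalize(t), t) for t in target]
    matches = []
    for s in source:
        ns = normalize(s)
        score, best = max(
            ((difflib.SequenceMatcher(None, ns, nt).ratio(), t) for nt, t in normalized_target),
            key=lambda pair: pair[0])
        if score >= threshold:
            matches.append((s, best, round(score, 3)))
    return matches

def shared_errors(matches, error_tokens):
    """Keep only the matches where a known source error (a misspelling that a database
    rebuilt from scratch would not reproduce) appears in the target record too."""
    tokens = {e.casefold() for e in error_tokens}
    return [m for m in matches
            if any(tok in normalize(m[0]) and tok in normalize(m[1]) for tok in tokens)]

# Constructed sample data (not from the case). The source carries one known typo,
# "Götebrog" for Göteborg; the suspected copy was re-imported with changed casing/spacing.
SOURCE = [
    ("Anna Lindqvist", "Storgatan 5", "Götebrog"),
    ("Erik  Svensson", "Kungsgatan 12B", "Stockholm"),
    ("Maria Nilsson", "Drottninggatan 3", "Uppsala"),
]
TARGET = [
    ("ANNA LINDQVIST", "Storgatan 5", "GÖTEBROG"),
    ("Erik Svensson", "Kungsgatan 12 B", "Stockholm"),
    ("Johan Berg", "Ringvägen 8", "Malmö"),
]
ERROR_TOKENS = {"Götebrog"}

if __name__ == "__main__":
    matches = find_shared_records(SOURCE, TARGET)
    for src, tgt, score in matches:
        print(f"{score:.3f}  {src}  ->  {tgt}")
    print("records sharing a known source error:", len(shared_errors(matches, ERROR_TOKENS)))
```

Records that merely look alike (common names, standard street addresses) only show up in the first list; the second list is the one that carries weight, because a shared misspelling is hard to explain without a copy.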
urq82
(@urq82)
New Member

Some more details.

jaclaz - Yes, through the strangely named legal procedure the objective is to identify IP infringement, incl. the said database. And yes, there are more items contained in the database that would be used for fingerprinting (such as typos, as you mention).

The reason for the need is that when the LE search takes place, the IP owner wants to make sure that all options for proving the origin of the database are considered. The suspect is unlikely to have changed e.g. the Created Date of the original database - from testing I have verified that this metadata also remains after e.g. Compact & Repair actions. For this metadata to change requires a new build and this is probably not realistic for the suspect (he is not a computer expert…).

If someone is willing to help out further, I have attached four items available for download. This is from a new test database that is basically empty, what it contains is shown in the two jpg-images. The test .accdb file is there (492KB) and the last file contains a dump from approx FO 174738 – 176801

Test .accdb https://drive.google.com/file/d/0B1pdUeZa_ArtTWpBQ3VKd0ZxNXM/view?pli=1
Jpg-image 1 https://drive.google.com/file/d/0B1pdUeZa_Arta21JV1lTcTB4UGc/view?pli=1
Jpg-image 2 https://drive.google.com/file/d/0B1pdUeZa_ArtYTQ2X3BKaEgyWVE/view?pli=1
Dump https://drive.google.com/file/d/0B1pdUeZa_Artal9CZ2E3cmxLQTA/view?pli=1

The metadata I have identified starts at FO 174750 (Title·Author·Company·Subject·Keywords·Comments·Manager) and the next sequence starts at FO 176404 (DateCreate·DateUpdate·Id·Lv·Name·ParentId·Type). The text-based properties are easy to identify; it is the date and time properties that I have so far failed to identify.

Ideally I would like to get an EnScript (for EnCase 7) to display the metadata of an .accdb file - for use in future cases (and to share with the community)!

On a final note I wish to thank you all for taking the time to consider my post and for making this forum such a useful source for information by sharing your experience!

Posted : 11/09/2015 2:41 pm
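On the date and time properties asked about above: Access Date/Time values are OLE Automation dates, an 8-byte IEEE double holding whole days since 30 December 1899 plus a fraction of a day. The added example below (my code, not from any poster) decodes that encoding and slides an 8-byte window over a raw byte buffer to report every value that falls in a plausible date range; it assumes the DateCreate/DateUpdate values in the dump use that encoding, and the sample buffer is constructed, not the poster's dump.

```python
import struct
from datetime import datetime, timedelta

# OLE Automation / Access Date/Time epoch: day 0 is 30 Dec 1899.
OLE_EPOCH = datetime(1899, 12, 30)

def ole_to_datetime(value: float) -> datetime:
    """Decode an Access Date/Time double: whole days since the epoch plus a day fraction.
    Only non-negative (post-1899) values are handled, which covers any file creation date."""
    days = int(value)
    seconds = round((value - days) * 86400)   # day fraction -> seconds, absorbing float noise
    return OLE_EPOCH + timedelta(days=days, seconds=seconds)

def datetime_to_ole(dt: datetime) -> float:
    """Inverse of ole_to_datetime; used to build the search window and the sample buffer."""
    delta = dt - OLE_EPOCH
    return delta.days + delta.seconds / 86400

def scan_ole_dates(buf: bytes, start: datetime, end: datetime) -> list:
    """Slide an 8-byte window over buf and report (offset, datetime) for every little-endian
    double that decodes to a date inside [start, end]. Scanning is unaligned on purpose: in a
    raw dump the record layout is unknown, so candidates are found by plausibility, not offset."""
    lo, hi = datetime_to_ole(start), datetime_to_ole(end)
    hits = []
    for off in range(len(buf) - 7):
        (v,) = struct.unpack_from("<d", buf, off)
        if lo <= v <= hi:              # NaN fails both comparisons and is skipped
            hits.append((off, ole_to_datetime(v)))
    return hits

# Constructed sample buffer: a column-name run like the one reported at FO 176404,
# followed by two Date/Time values in the assumed 8-byte double encoding.
CREATED = datetime(2012, 11, 7, 23, 29, 0)
UPDATED = datetime(2013, 8, 25, 22, 18, 0)
SAMPLE = (b"DateCreate\x00DateUpdate\x00Id\x00Lv\x00Name\x00ParentId\x00Type\x00"
          + struct.pack("<d", datetime_to_ole(CREATED))
          + b"\x00\x00\x00filler\x00"
          + struct.pack("<d", datetime_to_ole(UPDATED)))
CREATED_OFFSET = SAMPLE.index(struct.pack("<d", datetime_to_ole(CREATED)))
UPDATED_OFFSET = SAMPLE.index(struct.pack("<d", datetime_to_ole(UPDATED)))

if __name__ == "__main__":
    for off, when in scan_ole_dates(SAMPLE, datetime(2005, 1, 1), datetime(2016, 1, 1)):
        print(f"offset {off}: {when.isoformat()}")
```

Run against the bytes following the DateCreate·DateUpdate column run in a real dump, the offsets reported narrow down where the two timestamps sit before any EnScript is written around them.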
athulin
(@athulin)
Community Legend

Can someone point me to how to best go about proving that the system is a copy (or based on a copy)?

Apart from the metadata kind of thing (already covered), the structure and content of the database could be a very strong indication. That is:

Names of Tables
Content of tables, to some extent
Indexed columns
Data Relationship structures and dependencies
Macros or … are there stored procedures in Access? Don't know.
Reporting forms and structures.

And if the original db had connections with external entities (Sharepoint, say) there may remain traces of those.

Don't know how much a restructure changes things – but the order of records may also be significant.

Similarly, any external structures that use the database. Say, external reporting software, or tools for entering data. If input logic is complex, input tools are likely to have been copied as well.

This is probably one of those questions where you need to find a tame AccessDB programmer or administrator, who really knows all the details about the software.

Posted : 11/09/2015 8:41 pm
MDCR
(@mdcr)
Active Member

Can someone point me to how to best go about proving that the system is a copy (or based on a copy)?

Macros or … are there stored procedures in Access? Don't know.

There are queries, which are sort of like SP's.

There are also system tables that you may want to compare with the "branched" database.

http://www.opengatesw.net/ms-access-tutorials/Access-Articles/Microsoft-Access-System-Tables.htm

Posted : 22/09/2015 12:30 pm
Bunnysniper
(@bunnysniper)
Active Member

Can someone point me to how to best go about proving that the system is a copy (or based on a copy)?

Did you have a look at the MFT to check if the Access DB files were copied onto the already identified USB device? This might be enough to get a "Swedish Search Warrant", having evidence of USB devices and a copy process together with a time stamp.

And far from any forensics, the data thief might have (ab)used the data and already sent advertisements (SPAM!) or printed letters to existing customers. This might be a piece of evidence, too.

best regards, Robin

Posted : 22/09/2015 5:54 pm