A leading public research university came to suspect that a faculty member, in the weeks before departing for a position at an overseas institution, had moved federally-funded research data and university-owned intellectual property out of the institution's environment. Routine offboarding had surfaced indicators of unusual data activity, but the university lacked the forensic record needed to determine what had actually left, where it had gone, and who was responsible. Outside counsel engaged Law & Forensics to conduct a privileged forensic investigation led by named, court-tested experts.
The situation
Insider research-IP theft at a university carries obligations that ordinary commercial matters do not. Federally-funded research often comes with sponsor reporting and compliance expectations, and the data at issue may sit at the intersection of grant terms, export controls, and the institution's own IP policies. The university needed more than a suspicion — it needed a defensible, attributable account of how the data and IP had moved, one that could withstand challenge if the matter proceeded to litigation and that could be explained candidly to federal sponsors and university leadership.
The data also lived in more than one place. The faculty member had worked across university-issued devices, personal devices used for research, and cloud accounts that synced material outside the institutional perimeter — so any credible picture of the exfiltration had to span all of those sources rather than rely on a single system.
Our approach
Law & Forensics built the engagement around forensic imaging, trail reconstruction, and attribution, with named experts engaged from the outset and prepared to testify.
Forensic Imaging and Preservation. The team forensically imaged the relevant university-issued and personal devices and preserved the faculty member's cloud accounts, establishing a sound, documented chain of custody so that every later conclusion rested on defensible evidence.
Reconstruction of the Access-and-Exfiltration Trail. Through artifact analysis across the imaged devices and cloud sources — file system and metadata review, account and synchronization activity, removable-media and transfer indicators — the firm reconstructed how the at-issue research data and proprietary IP had been accessed and moved, and where it had gone, including toward infrastructure associated with the overseas institution.
Attribution and Named Expert Testimony. The firm tied the reconstructed activity to the departing faculty member rather than to ambient or incidental use, and packaged its findings so that named, court-tested experts could explain the attribution clearly to counsel, to the university, and, ultimately, in the ensuing litigation.
The impact
The investigation gave the university a defensible understanding of how and where its research data and intellectual property had moved, attributed to the departing faculty member, in a form it could use to brief federal sponsors and its own leadership and to support the litigation that followed. Because the work was led by named experts and documented to evidentiary standards from the beginning, the firm's analysis and testimony held up under scrutiny, strengthening the university's position as the matter advanced.
Just as important, the engagement let the institution move from suspicion to a clear, explainable account of what had happened — protecting its standing with the federal sponsors whose support its research depended on, and preserving the integrity of the IP at the center of the matter.
