Source code ch.06: Pre-filing investigation & reverse engineering

Source Code & Software Patents: A Guide to Software & Internet Patent Litigation for Attorneys & Experts
by Andrew Schulman (
Detailed outline for forthcoming book

Chapter 6: Pre-filing investigation of software/internet/mobile products & services: Examining the product/service, without source code

6.1. Background and introduction to notice pleading, FRCP Rule 11, Local Patent Rules, and likely forthcoming legislation

  • 6.1.0 Conventional wisdom about software products & source code (the “Catch 22” or “chicken-and-egg” problem)
  • 6.1.1 Notice pleading and FRCP now-defunct Form 18 (Patent Infringement)
  • 6.1.2 FRCP Rule 11 in patent litigation; with a brief history of Rule 11; proposed changes to Rule 11 in HR 2655
  • 6.1.2B Fee awards for “exceptional” cases under 35 USC 285, for “objectively baseless” infringement contentions brought in bad faith (see article)
  • 6.1.3 Local Patent Rules and proposed legislation
  • 6.1.4 Application of Rule 11 and Local Patent Rule 3-1 to software/internet patent litigation
  • 6.1.5 Comparison to other instances where plaintiff’s burden is reduced, or presumptions are reversed
  • 6.1.6 Evidentiary doctrines of solely or “peculiarly” possessing information
  • 6.1.7 Selection of cases

6.1.1 Notice pleading and FRCP Form 18 (Patent Infringement)

  • Iqbal, Twombly, and In re Bill of Lading
  • General background on heightened pleading (PSLRA, Lerach, etc.; see Scott Dodson book on heightened pleading)
  • Rule 84 forms (including Form 18) are removed in Judicial Conference Aug. 2013 proposed FRCP amendments

6.1.3 Local Patent Rules and proposed legislation

  • Initial/preliminary Infringement Contentions
  • Proposed legislation: HR 3309 heightened pleading requirements (but not in Leahy S. 1720?)
  • Early element-by-element details of accused products
  • While pre-filing investigation (including “dead ends”) is protected work product (see Hricik, Patent Ethics: Litigation at 181), results will go into initial infringement contentions

6.1.4 Application of Rule 11 and Local Patent Rule 3-1 to software/internet patent litigation

  • Post-discovery source code and “pinpoint” code citations
  • Impact of post-discovery source code on pre-filing reverse engineering: “Catch 22”?
  • Possible bases for the “Catch 22” view of software patent litigation
  • Another basis for the “Catch 22” idea: Misreading of means-plus-function case (Network Caching v. Novell)
  • Results of the “Catch 22” view of software patent litigation
  • A software-specific “policy lever”?; but software patents are not confined to the “software industry”

6.1.5 Comparison to other instances where plaintiff’s burden is reduced, or presumptions are reversed

  • Presumption for products by process under 35 USC 295
  • Software as flour barrels: res ipsa loquitur for high tech?

6.1.6 Evidentiary doctrines of solely or “peculiarly” possessing information

  • Who generally knows more detailed facts about infringement, plaintiff or defendant?
  • Cases where D knows less than P about what D is doing: end-users, “mom and pops,” “covered customers”
  • Cases where P really knows almost nothing about what D is doing: see 6.1.5 above

6.1.7 Selection of Cases

  • Northern District of California
  • Eastern District of Texas
  • Cases from Other Districts
  • Cases from Court of Appeals for the Federal Circuit
  • Summary of cases

6.2. General issues of policing/monitoring the market to detect software patent infringement

  • Demand letters
  • “Pre-filing discovery” (see Scott Dodson on “New Pleading”)
  • Searching for infringement (contrast freedom-to-operate searches)
  • “Infringement detection” using “Big Code” methods, e.g. old CodeClaim project  (article written in terms of finding non-patent prior art, but applicable to finding potential infringement)
  • Turning patent claims into “signatures” to locate potential candidates for closer inspection
  • Using patent citations as a source of “candidates” for further investigation (vendor D’s patents  X and Y cite our patent, and vendor D makes product Z, which it asserts is protected by patents X and Y, therefore Z is potentially worth closer inspection)
  • Law of private investigation in IP cases (“IP, PI”): straw purchases of tightly-controlled products, duty of candor, Model Rules 8.4(c), 4.1(a); NY bar IP exception
  • Fear and uncertainty over reverse engineering products under clickwrap license and DMCA

6.3. “Acquire the target”: Get and run the product

  • 6.3.0 Where & how to acquire products, for further inspection
  • Standalone PC programs
  • Mobile apps: acquiring IPA and APK files for inspection
  • Simulator versions of mobile apps
  • Setting up monitoring of web-based products/services
  • Server side of web-based products
  • 6.3.0. 6 Open-source products, and products based on open source
  • Debug versions and software development kits (SDKs)
  • Older software
  • Older web-based products
  • Firmware (embedded software)
  • “Look somewhere else”
  • 6.3.1 Products/services not reasonably accessible
  • 6.3.2 “Acquiring” a method or process
  • 6.3.3 Future and outdated products
  • 6.3.4 Expensive products
  • 6.3.5 Products with negotiated purchases (with a brief digression on pre-filing negotiations, C&D letters, “you might be interested” letters, and other pre-filing interaction between patent holder and to-be-accused infringer)
  • 6.3.5B Straw purchasers, using private investigators
  • 6.3.6 Too many products & “representative instrumentalities”
  • 6.3.7 Standards as proxies for products
  • 6.3.8 Relying on the inventor as a substitute for getting the product
  • 6.3.9 Relying solely on marketing materials instead of getting the product
  • 6.3.10 Getting the case off on the wrong foot by not inspecting the accused product
  • 6.3.11 Exhausting publicly accessible sources of information
  • 6.3.12 Inspecting the accused product is not merely to satisfy rules

6.4. Try to acquire source code pre-filing

  • 6.4.1 Open source
  • 6.4.2 Other publicly available source or quasi-source code

6.5. Reverse engineering the product or service

  • 6.5.1 Using reverse engineering as a litigation tool
  • 6.5.2 Reverse engineering “or its equivalent”: element-by-element analysis
  • 6.5.3 Is reverse engineering or its equivalent “required”? (Exhausting publicly-accessible sources of information; what is publicly accessible?; how much effort need be expended for something to no longer be publicly accessible?)
  • 6.5.4 Exception for reverse engineering when “impractical”
  • Disproportionate expense
  • Technical inaccessibility
  • Impracticality of reverse engineering when source-specific information is required
  • Impracticality from non-technical restrictions on reverse engineering: clickwrap; DMCA; Innovatio case re: Wireshark “interception”/recording to detect infringement; whether or not to “jailbreak” mobile devices
  • 6.5.5 Exception for reverse engineering when “unnecessary”
  • Information available from indirect sources
  • Representative instrumentalities
  • 6.5.6 Application to software of the pre-discovery reverse engineering requirement
  • Application of reverse engineering pre-discovery requirement to software seen as somewhat unusual
  • Application of reverse engineering pre-discovery requirement to software seen as inapplicable to software when source code will later become available
  • 6.5.7 What can be learned pre-discovery by reverse engineering software products & internet services?
  • 6.5.8 General points about static vs. dynamic reverse engineering: “Freudian vs. behavioralist”; dynamic RE only sees the particular tested configurations; danger of over-generalizing from dynamic RE
  • 6.5.9 Typically need an expert or technical consultant to do this work, but some attorneys have demonstrated ability e.g. to use Fiddler (example of Josh Rubin in Specht v. Netscape)

6.6 Static reverse engineering: examining the product files

  • 6.6.1 BOX: Know the baseline (ideally, this would be done with “Big Code”; old CodeClaim project; GitHub; searching JavaScript code)
  • 6.6.2 Locate the executable files, including e.g. mobile app IPA and APK files
  • 6.6.2B BOX: Staying away from “jailbreaking”
  • 6.6.3 Possibly expand or decompress the files
  • 6.6.3B De-obfuscation, see e.g. Android APK deobfuscation (; JavaScript deobuscation, JSNice (
  • 6.6.4 (Usually) ignoring boilerplate standard files (see NSRL)
  • 6.6.5 Acquire any available “debug” versions of the product files
  • 6.6.6 Full-text search of product binary/object code files
  • “Strings” (see article)
  • Using a text-search utility (grep, findstr)
  • What are promising-looking strings in pre-filing patent-infringement investigation?
  • Avoiding “tunnel vision” in pre-filing text search
  • What if there are zero “hits”?
  • [!] What if the files are compressed or encrypted?
  • 6.6.7 Structured inspection of product binary/object code files (“dump” utilities)
  • Get a utility such as dumppe, otool, elfdump
  • Generate text for each code file
  • Look for API names
  • Look for claim terms and “synonyms”
  • 6.6.8 Function/method names inside product code files
  • DeMangling/undecorating C++ names
  • Objective-C code (products based on Apple OSX/iOS)
  • Look for API groups
  • Look for callback functions
  • Create a product map
  • 6.6.9 Source code-related paths and filenames inside product code files
  • Source and object filenames
  • Object pathnames
  • Locating third-party library path/filenames
  • 6.6.10. Source-code fragments inside product code files
  • Assertions
  • Logging strings
  • Embedded code such as SQL, JavaScript
  • 6.6.11 Other text inside product code files
  • Error messages
  • Resources: menus, dialog box options, etc.
  • 6.6.12 Using text gathered from product code files, in preparation for filing and initial infringement contentions
  • 6.6.13 Quasi-source: Is some of the source code publicly accessible?
  • JavaScript code
  • Decompilation
  • Java
  • Flash ActionScript
  • Microsoft .NET
  • Disassembly (usually a last resort in pre-filing investigation)
  • Open source
  • Sample code (SDKs, etc.)

6.7 Dynamic reverse engineering: run the product, with instrumentation

  • 6.7.0 A warning about dynamic RE (and testing generally, as opposed to static examination): it will only tell you what happened in the particular tested configurations, cannot show what “always” happens, and shouldn’t be used to draw negative conclusions (e.g. “this never happens”)
  • 6.7.0b Unless if dynamic RE based on all configurations, e.g. sampling of vendor’s back-end log files
  • 6.7.1 Triggers
  • 6.7.2 Displayed text
  • 6.7.3 Using & avoiding browser features
  • “View Source” can be misleading
  • URL in address bar can be misleading
  • Browser “Developer Tools”
  • 6.7.8 Network monitoring & capture (“packet sniffing”)
  • Capturing network activity with Fiddler & Wireshark
  • AJAX
  • HTTPS (secure HTTP) traffic
  • Decompressed (GZIP) traffic
  • Network traffic not seen by Fiddler
  • Wireshark
  • Auto-response
  • Searching network captures
  • Keep & date the capture files
  • Mobile devices, proxy servers, and Fiddler proxy
  • Bluetooth, BLE, Zigbee, etc. monitoring with Android developer option and Wireshark btsnoop import, and/or with TI dongle/packet sniffer
  • 6.7.9 Non-network monitoring
  • Running the program under OS-activity monitors, e.g. using Android adb logcat
  • Application diagnostic output and logging
  • Logging for mobile devices, without “jailbreaking”
  • Setting the logging level, e.g. OSX write profile; iOS mobileconfig files
  • API-level logging
  • Debuggers
  • Running mobile apps on desktop simulator
  • (Gently) poke at the server; feeding inputs, collecting outputs
  • Repeat
  • 6.7.10 Using dynamic RE results: the focus on tools above puts the cart before the horse, because the point is to use monitoring/sniffing tools not to generate data, but to help answer specific questions
  • Know the baseline: what does “normal” look like?
  • Do log before & after some event of interest, then diff (with normalization of e.g. timestamps) to identify changes associated with the event
  • Sorting and counting data bytes in log files to identify patterns
  • Writing ad hoc scripts e.g. in Awk to plow through voluminous log files
  • Feeding input to generate implicit model; see “Stealing Machine Learning Models via Prediction APIs” here; article

6.8   Has someone else already examined the app?

6.9 Concluding points on pre-discovery investigation


Print Friendly, PDF & Email