To assess the importance and potential impact of an incident accurately computer security professionals need to understand an offender’s criminal skill, knowledge of targets, and intent. A thief who selects targets of opportunity based on insecure systems presents a significantly different threat than an individual who targets a specific organization to obtain specific information. This article compares two intellectual property theft cases to provide readers with practical investigative insights, noting costly mistakes and pointing out behaviour reflected in digital evidence. Although these cases are based on actual investigations, they have been modified to protect the innocent.