IT forensics is the discipline of finding and presenting evidence, in a legally acceptable form, from digital data and information. 
IT forensics, the process of collecting and analysing data as part of a legally admissible investigation, is a relatively new science, but one that is gaining some attention in the Middle East. It is being used for criminal investigations, domestic cases and corporate internal investigations, often looking into fraud, corruption and regulatory breaches. The work involved may range from forensic data collections in support of email and document reviews for evidence to more serious investigations involving user analysis, such as document access, deletion/wiping analysis, Internet activity recovery, and much more.
“With cyber threats looming large, it’s absolutely essential to track what users are doing with their privileged access,” explains V Valasubramanian, Marketing Manager (IT Security) at ManageEngine. “When something goes wrong, records on who did what serve as forensic records and help fix accountability issues.”
A number of major organisations that provide forensic services have evaluated the security landscape in the Middle East and as a consequence have realised that there is a big opportunity to provide services in the region.
“For example, McAfee has opened a cyber defence centre in the region and Dell has moved its solution centre to Dubai,” says Paul Wright, Manager of Professional Services and Investigation Team, Middle East, India and Africa, AccessData.
Many other organisations have followed suit, including FireEye, which is launching a forensic lab in the UAE, focusing on targeted attacks.
“We have also seen educational institutions investing in research and development of computer forensics,” adds Ravi Patil, Technical Director, MMEA – Trend Micro. “However, customers in the region rely on companies and resources in the west for the best-of-breed experienced forensics experts,” he says.
Jess Garcia, Principal Instructor, SANS Institute, highlights that digital forensics and incident response services are typically classified as either proactive or reactive.
“Proactive services help organisations get ready for the worst by putting in place forensic readiness processes, capabilities, functions, labs etc. Reactive services help organisations address an incident when it has already happened, to answer questions and limit the impact of the incident by trying to stop it before it’s too late, or at least determining its scope so it can be properly eradicated. There are indeed several good companies that offer such services in the region,” he notes.
So the solutions are on offer, but who are the customers? It appears that more and more organisations across the Middle East are ready to collect and use digital evidence for intelligence purposes, civil and criminal prosecutions and even as a deterrent. One of the growing areas appears to be the financial industry, with forensic capabilities growing as financial institutions strengthen their governance, risk and compliance practices. But the largest sector investing in IT forensics appears to be governments.
“IT forensics in the Middle East is more often adopted by government sectors; however, most of the governmental institutions have in-house teams allotted to work on this. Also, maturity levels vary from one country to another within the local region,” says Sherif El Nabawi, Director, Security Consulting Services — META; MANDIANT, FireEye. “In the Middle East, countries have now started investing in IT forensics.”
But it’s not just the big boys that are aware of, and are looking into, IT forensics, as Steve Wilkinson, EMEA Incident Response and Forensics Principal Architect for McAfee, part of Intel Security, highlights.
“Digital forensics is being used in all business areas in the Middle East. Just because a crime involves digital evidence does not mean it’s only the big firms which are suffering.”
“When I gave my first forensic talks in the region almost ten years ago, just a few knew what I was talking about. These days almost every organisation knows what forensics is and is interested in it. Adoption in organisations is a little more uneven in the region though: some companies and governments are very advanced, while others have done nothing yet,” Garcia adds.
To carry out an investigation properly, organisations will need to have processes, procedures, infrastructure, and most importantly a good digital forensics and incident response (DFIR) team in place.
Asif Iqbal, member of the (ISC)2 UAE Chapter, Security and Forensics Researcher and Investigator and Founder of Athena Labs, a security, fraud and forensics laboratory in the UAE, breaks down an investigation’s stages.
“The basic forensics investigation process consists of three stages which are: one — acquisition of digital evidence sources (imaging); two — analysis of the acquired evidence sources and three — reporting of the found evidence,” he explains.
The final consideration has to be when organisations should involve forensic investigation. Rick Baker, Head of Forensic Technology, Deloitte Corporate Finance, believes the answer is as soon as you think there may be a problem.
“A fundamental principle of investigation is the sooner you secure the crime scene (digital or otherwise) the more likely it is that your investigation will be successful. This is even more important in digital investigations where data is routinely overwritten and subsequent user activity (including IT staff) can contaminate the digital crime scene,” he explains.
“There are many circumstances where an unassuming dispute or information security incident may become more serious. If the evidence for these has not been collected to begin with, it will be too late to do so later in the process,” continues Wright.
“Therefore, it is essential from the outset to consider the importance of digital evidence and to be ready to collect it for a wide array of events. By planning ahead, organisations can implement a security infrastructure that allows them to both proactively seek out threats that have circumvented alerting tools and respond quickly and decisively when a compromise is discovered,” he concludes.
Do organisations need their own in-house forensic capabilities?
In-house forensic capabilities have their benefits, but according to the experts it’s often a combination of both in-house teams and outsourcing that provides the best option.
“In the day-to-day operations of a forensics solution focusing on HR applications and malware detection, building up in-house capabilities can be very useful. However, when it comes to legal proceedings, it is advisable to engage with a security provider with some technical merit, as it can eliminate any doubt that the forensic gathering of technical information was executed properly,” notes Nicolai Solling, Director of Technology Services at Help AG.
Asif Iqbal, member of the (ISC)2 UAE Chapter, Security and Forensics Researcher and Investigator and Founder of Athena Labs, a security, fraud and forensics laboratory in the UAE, explains that in-house benefits can include insider knowledge and investigation and information control. He also notes that it has its disadvantages, which include cost, the chance of bias, and availability and flexibility of the in-house team.
“The majority of organisations will use outsourced services for investigations involving digital evidence,” continues Steve Wilkinson, EMEA Incident Response and Forensics Principal Architect for McAfee, part of Intel Security.
“The high cost of setting up and maintaining the capability in-house means it is more cost-effective in most cases. With that said, it is essential that organisations provide basic training to those staff who will be responsible for dealing with incidents, to give them the core knowledge required around evidence handling and the basics of digital evidence seizure,” he notes.
For those that want an in-house team, Sherif El Nabawi, Director, Security Consulting Services – META; MANDIANT, FireEye, recommends that they at least start with external assistance, as this will allow the firms to build internal capabilities.
“Usually, it takes six months to a year for firms to build their own team internally considering the team has undergone proper training, hence it is critical that an organisation invests in a mix of services and internal skill development,” El Nabawi explains.
IT forensics – legal and privacy concerns
Rick Baker, Head of Forensic Technology, Deloitte Corporate Finance, offers his advice on legal and privacy issues when it comes to IT forensics in the Middle East.
“Anyone practising computer forensics should be acutely aware of his or her regional data compliance laws. We invested a significant amount of time researching this and produced a white paper on the subject. Although there are only a few pockets in the region that have the robust European Union-style data privacy laws (Dubai International Financial Centre, Dubai Health City), it is still very easy to breach legislation if you (and your client) are not sufficiently aware. There is more to data compliance than data privacy and any forensic technology investigation plan should match the IT landscape and the legal issues of the case.
“Another key regional legal difference is the approach to expert witness evidence and electronic evidence in the local law courts. There are differences in the level of experience and training required, the evidence is provided in Arabic reports, some local legal practitioners insist that digital evidence is not admissible and the judges are not bound by precedent. This all obviously makes the production of computer forensic evidence in local courts quite challenging.”