Computer Forensics Lab and Investigations Training

Introduction

Computer forensics refers to the use of a computer expert program to collect, interpret, preserve, analyze and produce data from either volatile or non-volatile media storage devices. It is a branch of digital forensic science that is related to examining digital media in a forensic manner with the main aim of identifying, analyzing, and recovering data that is necessary for investigations. People involved in computer forensics activities methodically examine computer media storage devices for purposes of finding evidence linked to cybercrime. Despite the perceived notion that computer forensics is commonly used for investigative purposes, it has also been used in civil case proceedings and litigation cases to recover data that is crucial for criminal case proceedings (Caloyannides, 2004).

The growth of computer forensics can mostly be attributed to the increasing number of people who own personal computers and have Internet access as well as the growing number of organizations in the world that have embraced information technology systems. The easy accessibility that individuals have to acquire personal computers and the growth of the Internet as a way of life has seen cyber crimes such as hacking, fraud, and cyber-stalking increasing in magnitude. Cybercrime in its current form today has become very sophisticated as most attacks on computer programs bypass the firewalls and detection systems that have been put in place to detect and prevent cybercrime (Meyers & Rogers, 2004).

Computer forensics has therefore been seen as an important tool that can be used to investigate such crimes and also prosecute the people behind cybercrime attacks. Computer forensics investigates these crimes and it allows for the presentation of evidence in a criminal court where the people responsible are prosecuted for committing these crimes. Computer forensics, especially in the case of cyber crimes, is done in collaboration with computer investigations which involve the physical examination of the volatile or nonvolatile storage media with the main aim of recovering and presenting digital information. Computer investigations ensure that forensic detectives can search and seize vital information that is useful to their investigation (Giordano & Maciag, 2002).

Investigating computers for evidence of cybercrime involves collecting computer data after which it is examined to determine the details of the attack such as the origin of the cybercrime offense and the type of content that was included in the attack. The information or evidence collected from the investigation is then presented to the court and the necessary laws with regards to cybercrime are applied to prosecute the offenders of cybercrimes (Nelson et al, 2009). Computer forensics, therefore, investigates data that can be retrieved from the volatile or non-volatile storage media containing the content of the cyber attack. Computer investigators who work in collaboration with forensic analysts retrieve information from the hard drive or storage media used by the offender to carry out the cybercrime attacks and they use this information to find useful evidence which will be used in court (Nelson et al, 2009).

Problem Statement

The problem statement for this research will be to determine the need for computer forensics laboratory and computer investigations training programs for the United Arab Emirates Army. As per the introduction, computer forensics and investigations is a growing field that has mostly been attributed to the increasing cases of cybercrime in the world. In the United Arab Emirates, computer forensics is a relatively new concept in the military because of the slow growth of the Internet and the use of computer technology in the country. The country however developed a law in 2006 (Federal Law No. (2) of 2006 on the Prevention of Information Technology Crimes) that would deal with cyber crime attacks within the country’s information systems. These laws were developed to respond to the increasing cases of hacking that were being done on the UAE government’s networks (First Information Security, 2011).

Apart from the law, the UAE government came up with a Computer Emergency Response Team in 2007 that would fight cybercrime in the country reducing the number of people exposed to phishing attacks and website defacement. This response team was also meant to deal with a gang of cyber-frauds who were offering bogus services to the Dubai International Finance Centre. The response team was also able to successfully thwart a hacking attempt on the Dubai e-Government computer network demonstrating that their response to cybercrime was both effective and efficient. Only recently did the judicial system in Abu Dhabi introduce special courts that would deal with cyber crimes and cyber attacks in the country. These courts were meant to speed up litigation cases and support the functions of the judicial system in UAE so as to serve litigants effectively. The judiciary to be used in these courts would include specialist judges who have been trained in the area of cybercrime and other information technology crimes (First Information Security, 2011).

The introduction of the response team and the special courts contributed greatly to the government’s effort of reducing cybercrime in the country. The presence of cybercrime units in police departments has also played a great part in prosecuting criminals found to have committed computer fraud and cyber hacking. The special cybercrime courts have led to the creation of anti-cyber crime departments that will be able to support the activities of the court. While this is a notable achievement, the United Arab Emirates Armed Forces have been left behind by this effort to contain cybercrimes in the country (First Information Security, 2011).

The military’s participation in preventing cybercrimes is limited within the country which can mostly be attributed to the various dockets of security that the armed forces of the country are involved in. Cybercrime is seen to be a prerogative of the local police and other agencies contracted by the UAE government to stop the illegal interference of the country’s information technology systems. This, therefore, forms the background for the problem statement in this study on determining whether there is a need for members of the United Arab Emirates Armed Forces to be trained on computer forensics and investigation activities.

Literature Review

The growing use of the Internet in almost all aspects of life has contributed greatly to the increasing number of cyber-attacks being experienced in the international ICT community. The general nature of information and communication technology has presented a lot of challenges to law enforcement agencies and other organizations that are charged with preventing cyber crimes from occurring. Cybercrimes such as fraud, computer hacking, Internet money laundering, financial scams, and sabotage have continued to increase over the years as more and more individuals become involved in cybercrime. The minimal chance of being caught, detected, or prosecuted for committing cyber crimes has also contributed to the increasing cases of cybercrime as these criminals usually make it difficult for law enforcement agencies to detect their activities (Householder et al, 2002).

Cybercrime encompasses a wide variety of crimes that are committed against the information systems of a company and they cover a broad range of offenses. The Council of Europe’s Convention on Cybercrime distinguishes between four different categories of cyber crimes: offenses against the confidentiality and integrity of computer data systems, computer-related offenses, content-related offenses, and copyright-related offenses. According to Gordon and Ford (2006), cybercrime offenses that were committed against the confidentiality and integrity of computer data systems were usually committed against the information systems of companies that had confidential information. Such crimes included the illegal access or hacking of these information systems, data espionage where software is used to circumvent protection measures, illegal interception where information is retrieved between two users who are communicating, and data interference where information is deleted, altered, or suppressed (Gordon & Ford, 2006).

The content related offenses are those that are considered to be illegal and they include offenses such as pornographic material, child pornography, illegal gambling, unlawful sale of products, malicious religious content and xenophobic materials (hate speech, racism). The copyright and trademark related offences deal with infringements on the copyright materials of a company. Examples of copyright and trademark-related offences include illegal file sharing and trademark violations. Computer-related offences are those that involve the use of a computer to commit cybercrimes. Offenses that fall under computer related cyber crimes include computer fraud, phishing attacks, forgery, identity theft and misuse of devices that are connected to computer networks (Gordon & Ford, 2006).

The above mentioned cyber crimes present a major challenge for many organizations that have become more Internet based. Many companies, businesses and military establishments around the world handle confidential data that is not meant for the public’s view. They have not been spared from cyber attacks as computer criminals have been able to circumvent the existing security systems and controls to gain access to this vital information which places the organization in harm’s way. Computer forensics has therefore emerged as an important tool that can be used to deal with cyber crime attacks on organizations and individuals. Computer forensics has been identified as a scientific discipline because it entails the methodical collection of information from electronic media and hardware or software networks for the purpose of retrieving evidence which will be used against cyber criminals (Srinivasan, 2009).

Computer investigators analyze the collected information from the forensic team so as to come up with useful evidence that can be used in a court of law. According to Nelson et al (2009), computer investigations function in three steps that make up the computing security of an information system. These functions include vulnerability assessment and risk management, computer investigations and network intrusion detection activities. These functions form the basis of computer investigations where vulnerability assessment examines the exposure of the information system to cyber attacks while the computer investigations retrieve the evidence collected by the computer forensic experts to determine the origin and content of the cyber attack. Network intrusion detection activities encompass systems such as firewalls and virus detection software that are meant to identify and deal with intrusions or attacks from hackers and data stealers (Nelson et al, 2009).

Computer forensics in law enforcement agencies has been able to evolve as a discipline within the past 20 years. This field of digital science has primarily been used by police officers and other law enforcement agencies to disseminate evidence that has been presented to the courts for the prosecution of cyber crime criminals. The first investigative team to be created to deal with the escalating cases of cyber crime was by the FBI in 1984 which established the Computer Analysis and Response Team (CART). This team was able to initiate cyber crime efforts through a series of international conferences that were meant to educate law enforcers everywhere on the importance of computer evidence in cyber crime (Srinivasan, 2009).

These conferences which were conducted in the US, Australia and the Netherlands led to the formation of the International Organization on Computer Evidence (IOCE) which currently plays an important role in various aspects regarding forensic evidence in cyber crimes. The FBI and the IOCE have contributed in a significant way to the development of common standards that can be used in computer forensics and investigation procedures. Many anti-cyber crime units in the world have been established with the main goal of generating evidence that will be used in cyber crime courts to deal with individuals who have been implicated in cyber crime activities (Srinivasan, 2009).

The concept of computer forensics in the military as a whole is relatively new mostly because computer forensic analysis activities were focused on detecting computer intrusions within the ICT network of the military. Computer forensics has therefore been introduced in the military in recent times to protect confidential military information from being accessed by computer hackers and other cyber criminals. According to Giordano and Maciag (2002), the information systems used in the military are seen as potential targets of cyber crimes while the connective elements of these systems are seen to be the primary sources of corroborative evidence that can be used in providing forensic evidence.

Computer forensics with regards to the military has its own definition and it is defined as the application of scientifically proven methods to gather, process and interpret evidence so as to provide a conclusive description of cyber criminal activities so that the concerned authorities can initiate post-attack and critical infrastructure restoration (Giordano & Maciag, 2002). Computer forensics in this definition serves as a tool for correlating, interpreting and predicting any actions that might impact on military operations. Military efforts in combating cyber crime are also directed towards making digital data suitable and persuasive for use in a criminal investigative process. The military’s role in cyber crime is therefore relegated to ensuring that cyber crimes are not committed against the military’s information systems (Giordano & Maciag, 2002).

While the westernized countries such as the United States, Europe and Australia have developed computer forensic programs for their military, the government of the United Arab Emirates has mostly taken on the role of ensuring that its citizens are not victims of cyber attacks. The government basically censors any political or religious content that might pervasively filter the country’s websites and it also regulates Internet content that is related to alcohol, drug use, online dating and gambling. Apart from censorship, the government enacted a federal law known as the Cyber-Crime Law No.2 of 2006 that was meant to deal with the increasing cases of cyber crimes in the country (Open Net Initiative, 2009).

According to the law, cyber crime is defined as any intentional act that is directed towards abolishing, destroying or revealing individual or company secrets for businesses that operate in the United Arab Emirates. The law also states that individuals found to have committed cyber crimes that defame, insult or promote sinful acts in Islamic places of worship are liable to be prosecuted by the law. The Cyber-Crime law also finds people who set up websites that will be used for the facilitation or promotion of ideas that are in breach of public decency to be guilty of committing cyber-crimes and this is punishable by imprisonment (Open Net Initiative, 2009). The UAE government is therefore charged with the sole responsibility of combating cyber crimes in the various information systems incorporated in the country.

The government has contracted various law enforcement agencies in the country to help in dealing with cyber attacks in the country’s information systems. Various police stations in the country have established anti-cyber crime units that are primarily focused on addressing cyber crime offences according to the Cyber-Crime Law of 2006. In the current context, cyber crime in the UAE has not reached serious proportions but companies and individuals are however still at risk of being cyber crime victims. Law enforcement agencies in the UAE as well as in other countries around the world face various challenges in the prosecution of people found to have committed cyber crimes, one of which is the lack of adequate training and equipment to combat electronic crime and the lack of awareness on cyber crimes in the country.

Apart from these challenges these law enforcement agencies face various issues in their computer forensic activities such as the lack of management assistance for onsite electronic crime task forces and lack of suitable investigative and forensic tools that can be used to create a computer crime unit. To deal with such challenges and issues, computer forensic training programs within law enforcement agencies play an important role especially when they are directed towards combating this dangerous vice (Rogers & Seigfried, 2004).

Methodology

This study will involve the quantitative analysis of secondary data in the form of academic research and published works that have focused on computer forensics laboratories and computer investigations. This study aims to identify the need for providing computer forensic training to the United Arab Emirates military and it will therefore focus on assessing this need. The sample for the study will therefore be 60 military men and women serving in the various dockets of the UAE military who will be surveyed through the use of a formal questionnaire that has thirty questions based on the need for providing computer forensic training.

Computer crime in the country has continued to increase over the years which can be attributed to the growing Internet usage in the country. The military as with other organizations in the country is at risk of cyber crimes where confidential information might be accessed by hackers and other computer criminals. There exists limited data and research on whether the UAE military is involved in anti-cyber crime activities which therefore points to the need of developing training programs that will equip the Armed Forces in computer forensics and investigation techniques.

A descriptive analysis will be used for this study where data collected quantitatively will be analyzed to determine the need for training the UAE military on computer forensic and investigative procedures with relation to cyber crime. The statistics that are used in descriptive analysis are usually based on the summary of a certain data set instead of data that has been used to learn about the entire population that is under study. Descriptive statistics basically provide a summary of the sample that is being used for the research by evaluating the graphical representations of the data.

Results and Analysis

The sample population of 60 military respondents from various branches of the UAE military was surveyed on their opinions on the need for computer forensic training in the military. The sample population was evaluated on what they thought about computer forensics and investigation and whether these concepts were important in the military. The information collected from the respondents was analyzed through the use of descriptive analysis to determine whether there is a need to provide military officers with computer forensic and investigative training. The collected information was grouped into ten high order categories which included availability of computer forensic tools in the military, military knowledge of forensic theories and research, education and training on computer forensic, data acquisition, encryption services, legal justice system in the UAE, government funding for computer forensic laboratory training, computer forensic technology and evidence correlation with regards to cyber crimes.

The answers given by the 60 respondents in the formal questionnaires were grouped according to the ten categories mentioned above. This was done to ensure that a suitable descriptive analysis could be developed to assess and evaluate the respondents’ answers. In the event two or more respondents’ answers were of the same category, their responses were combined and scored as a single item in that particular category rather than as a separate item. A frequency analysis conducted on the respondents’ answers revealed that the category for education had the highest number of responses which accounted for 18 percent of the respondents while that for government funding accounted for 4 percent of the respondents. The table below demonstrates the relative frequencies for each of the ten categories based on the respondents’ answers.

Category                            Frequency   Percentage
Education/training/certification    32          18
Technology                          28          16
Data acquisition                    22          13
Encryption                          24          14
Computer forensic tools             18          10
UAE legal justice system            16          9
Evidence correlation                11          6
Theory/research                     9           5
Funding                             7           4
Other                               6           3
Total                               173         100

The graph below is a diagrammatic representation of the frequency of the ten categories based on the answers given by the respondents.

[Figure: diagrammatic representation of the frequency of the ten categories]

Discussion

Based on a study conducted by Stambaugh et al (2001) on the need for training law enforcement officers on computer forensic and investigative procedures, the research’s findings on education/training/certification were consistent with those of Stambaugh et al which showed that the respondents from the military valued computer forensic education and training before the other categories of the study. Based on Stambaugh et al’s (2001) study, the law enforcement community placed a lot of emphasis on education and training on computer forensics and investigative techniques. This coincided with the current study’s findings where education and training was given priority by the respondents of the study.

Technology was also viewed to be important in conducting computer forensic activities based on the results of the study. Technology, data acquisition and encryption had a high frequency percentage which demonstrated that the respondents viewed these aspects to be important for any computer forensic training program. Technology in computer forensic and investigation activities is important because of the various innovations that are developed to collect, interpret and analyze collected forensic evidence. Technology used in conjunction with data acquisition and encryption programs proves to be an important tool for computer forensic training activities because trainees are equipped with important techniques that they can use to acquire forensic evidence and also perform encryption activities on evidence that has not been decoded. Technology was also important for the respondents because it provided effective and efficient tools that could be used to analyze and interpret evidence which would be used to deal with perpetrators of cyber crimes (Rogers & Seigfried, 2004).

The low percentage given to funding demonstrated that the respondents viewed funding for computer forensic programs to be focused more on the actual application of computer forensics aspects rather than on the understanding of the various concepts of forensic theories. Inadequate funding to the training programs also demonstrated that the UAE government was mostly focused on dealing with cyber crimes together with other law enforcement agencies in the country excluding the military. Adequate funding is generally important for computer forensic training programs as it ensures that the necessary educational training and research has been conducted for effective results. A framework that is directed towards training the national security organ of a country needs to be developed and suitably funded to ensure there is input from the private and public sector and also the research community that is focused on cyber crime investigations (Rogers & Seigfried, 2004).

Theoretical research activities also received a poor frequency percentage based on the responses given by the respondents to the study. This was able to correlate with a previous study conducted by Whitcomb (2002) on the importance of theoretical research in computer forensic training programs. According to a study conducted by Whitcomb (2002), the use of computer forensics had basically been the focus of most efforts directed towards computer forensics training. Many forensic laboratories have concentrated on acquiring the latest technological innovations which can be used to analyze and interpret evidence that is linked to cyber crimes instead of focusing on the theoretical underpinnings that can be used to handle this type of technology.

Based on the results of this study, theoretical research is ranked at a lower frequency when compared to computer forensic tools which means that the UAE government and the military do not place a lot of emphasis on the theoretical underpinnings that make up computer forensics and investigation procedures. The lack of concentrating on fundamental computer forensic theories based on Whitcomb’s study resulted in indefensible cyber attacks against the computer forensic tools and techniques that would be used in gathering evidence. The use of the tools without any theories proved to be an exercise in futility which meant that learning forensic theories was an important activity for any agency attempting to undertake computer forensic training (Whitcomb, 2002).

The findings have been able to demonstrate that there are significant gaps on the need for computer forensic training. There is however no consensus on the correct approach which can be used to address the identified issues and needs for computer forensic training programs. This is because of the uniqueness of computer forensic training programs because it is meant to serve the needs of various important stakeholders such as the military, law enforcement agencies, the private and public sectors and the education industry. All these sectors have operated in contexts that require the confidentiality of trade information which means that there is little or no sharing of information, expressions and ideas (Rogers & Seigfried, 2004).

For computer forensic training programs to be successful especially in the training of the military, the mentality of operating in silos of confidentiality has to be done away with and replaced with one that fosters cooperation and openness of information. Many military organizations around the world operate in a cloud of secrecy that exposes them to situations of hacking or illegal access to confidential information that pertains to the national security of the organization. Reducing the silo mentality will decrease cases of cyber attacks on confidential company information and also ensure that companies have positive communication channels that are meant to reduce information theft.

Conclusion

This study has dealt with identifying the need for computer forensic training and computer investigation for the UAE military. The study has been able to highlight the various cyber crimes and attacks that are committed against the information technology systems of an organization and it has been able to provide a review on the cyber crime situation in the UAE. Computer forensics is an important component not only in dealing with cyber crimes and attacks but also in the war on terrorism. The training of the military on forensic and investigative procedures will therefore arm them to deal with terrorist threats and attacks that might be committed in the United Arab Emirates. Aside from that, forensic training will provide the military with the appropriate skills and techniques which can be used to analyze and correlate evidence of cyber crimes.

References

Caloyannides, M.A., (2004). Privacy protection and computer forensics. Boston, Massachusetts: Artech House Publishers

First Information Security (2011). UAE to create cybercrime courts. Web.

Giordano, J., & Maciag, C., (2002). Cyber forensics: a military operations perspective. International Journal of Digital Evidence, 1(2): 1-13

Gordon, S., & Ford, R., (2006). On the definition and classification of cybercrime. Journal in Computer Virology, 2(1): 13-20

Householder, A., Houle, K., & Dougherty, C., (2002). Computer attack trends challenge Internet security. IEEE Computer, 35(4): 5-7

Meyers, M., & Rogers, M., (2004). Computer forensics: the need for standardization and certification. International Journal of Digital Evidence, 3(2):1-11

Nelson, B., Phillips, A., & Steuart, C., (2010). Guide to computer forensics and investigations. Boston, Massachusetts: Course Technology

Open Net Initiative (2009). Internet filtering in the United Arab Emirates. Web.

Rogers, M.K., & Seigfried, K., (2004). The future of computer forensics: a needs analysis survey. Computers and Security, 23: 12-16

Srinivasan, S., (2009). Computer forensics curriculum in security education. Louisville: University of Louisville.

Stambaugh, H., Beaupre, D., Icove, D., Cassaday, W., & Williams, W., (2001). State and law enforcement needs to combat electronic crime. National Institute of Justice Research in Brief, US Department of Justice.

Whitcomb, C., (2002). A historical perspective of digital evidence: a forensic scientist’s view. International Journal of Digital Evidence, 1(1): 1-10