Forensic data collection: getting it right in the GCC

Forensic investigations of company data are increasing in the region, but companies need to understand how to manage the initial stage of the investigation, data collection, while keeping within the law, writes Rick Barker, director & head of Forensic Technology (MENA) Deloitte & Touche (ME)

Tags: BahrainComputer forensicsData governanceDeloitte & ToucheKuwaitQatarSaudi ArabiaUnited Arab Emirates
  • E-Mail
Forensic data collection: getting it right in the GCC Rick Barker is director & head of Forensic Technology (MENA) Deloitte & Touche (ME).
More pics ›
By  Rick Barker Published  July 14, 2013

The scoping exercise can identify key evidence stored on file servers, on portable devices, within email vaults, in backup archives, hosted with external vendors, in different jurisdictions, within ad hoc migration sets, on retired servers/systems/PCs, deleted, locked within encoded or encrypted systems and much more. The collection plan must be adjusted accordingly.

The cost of the collection phase, including travel expenses and logistical efforts of technical staff visiting different sites also needs to be considered, and it is advisable to limit collection visits to the minimum amount.

The scope of the onsite collection should be quite broad to minimize the risk of needing to return. It is often possible to collect the full sets of data (such as a whole file server) just as easily as it is to collect the required subsets (such as user folders stored on the file server). The same broad collection approach applies to imaging computers. The computers assigned to the whistle-blower, the implicated staff, their assistant, and also colleagues who may be witnesses or co-conspirators, should be collected where possible.

It may also be useful to collect (‘bag and tag’) back-up tapes and other electronic media that may not be required initially. Just because the data has been collected does not mean that it needs to be processed or reviewed. However, collecting it in the first instance may save on having to re-collect and prevent the data’s accidental loss or deliberate destruction.

An initial computer forensic analysis by the technical team can help to focus or accelerate the review. This usually involves identifying who has been trying to hide data, recovering recently deleted or encrypted material, detailing which files and devices have been used, and determining which data is missing.

The scoping exercise can be more important in the GCC where document management is not always as thorough as in other regions. It is not uncommon in large disputes or arbitrations for the client’s team to claim that the documents do not exist or that they can’t find them. The assessment of the IT systems by forensic specialists then needs to be expanded to scan the network for the missing documents or text search the scanned paper documents to find the critical material.

It is common in the GCC for companies to allow employees to use their own computers and mobile devices. However, employment contracts are not then also updated to allow the company to access company data stored on these items. The physical act of collecting electronic items from an office environment in order to image them, when those devices are subsequently found to be privately owned, can lead to hysterical and unfounded cries of theft by their owners.

Where the data from an individual’s personal device does require processing, the challenge of sorting personal data from company data is compounded by employees using their personal email addresses for business purposes and the lack of business email signatures. The issue of personal property and email accounts mixed with business data would ideally be identified early in the scoping exercise and the plan adjusted accordingly.

Covert or remote collections appear to face less legal constraint in the GCC than in other jurisdictions; however, this is somewhat undermined by poor network connectivity and the tendency of employees to take their laptops home for personal use. In theory remote collections that can be executed via the Internet are a useful alternative in the GCC when access to the site is limited or hazardous. Firms selling data interception tools in the GCC appear to be quite optimistic about how widely their tools can be used. However, there are some local laws, particularly in relation to telecommunications and in the new cybercrime legislation, which need to be considered before commencing wholesale monitoring of employee communications.

Less of an issue in collections but more of a consideration in review is the mix of languages in the GCC with Arabic obviously featuring prominently. Forensic technology tools have come a long way in respect to language handling and recognition so this should no longer be an issue when using professional vendors.

Getting the forensic data collection right ensures a firm foundation for subsequent review, findings and legal action. With so much at stake, companies and their legal advisors can’t afford to make assumptions or make avoidable mistakes.

Rick Barker is director & head of Forensic Technology (MENA) Deloitte & Touche (ME).

This is an edited extract of the whitepaper “Forensic Data Collection in the GCC” by Deloitte & Touche (ME). The full whitepaper is available at

Add a Comment

Your display name This field is mandatory

Your e-mail address This field is mandatory (Your e-mail address won't be published)

Security code