The increase in the number of people using networked digital devices has led to incidences of crime that call for forensic investigations (Brown, 2015). The existence of Cyber Forensics skills has made it possible to gather evidence from such devices. The evidence collected is used in courts to establish the crime and bring Cyber criminals to justice. Cyber Forensic investigators and analysts are often entrusted with the task of finding, recording, analysing, and reporting of digital evidence. The whole process of gathering forensic evidence has a number of challenges. These challenges are categorized into five broad areas: hardware challenges, software challenges, cloud forensic challenges, legal challenges and human challenges (Karie, & Venter, 2015; Lindsey, 2006; Mohay, 2005).


Hardware challenges are linked to the needs of the modulated technology and enhancements of the hardware. Studies suggested that some criminal suspects change the hard disk within their devices before the Cyber Forensic expert can gain access to the device (National Institute of Justice, 2002; Brown, 2015). In such cases, the suspects use the write blockers to shift information between the two hard disks. The main effect is that a forensic examination of the new hard disk, may not display some of the relevant evidence. On the other hand, the evidence gathered from the new hard disk will lack consistency, and may not be apparent (Brown, 2015; Spafford, 2006).

Further, the evidence gathered from a device that was reset, may accentuate the problem since during the reset process, a small portion of the backup information is likely to have been reinstalled. For example, different mobile devices have hard disks that have enmeshed algorithm that are responsible for erasing the data automatically. Since the technology for collecting information from unused devices or devices where information was deleted by a user is still under development, there is likely to be some delays in obtaining such information. It is for this reasons that some Cyber Forensic experts have reported tremendous challenges in retrieving information from content that was deleted from the device (Spafford, 2006).


The current era of technological advancements and changes in gathering forensic evidence has resulted into the birth of Platform as a Service (PaaS) and Software as a Service (SaaS), which have brought a number of changes into the computing structure. The use of new software and new technology has brought about a number of challenges. One of the challenges is lined to the well-developed device operating system. The current operating systems have been log enabled, and now requires a Cyber Forensic expert to gather background information on the device, which includes the information on accessibility of the application, usage of the application, and the level of information provided by the specific user of the application. Even though the new development appears like a progress for the different devices, the development requires some time for it to mature (Spafford, 2006; Giordano & Maciag, 2002).

Several challenges have been reported on the application accessibility since the application and the operating system are defined differently (Giordano & Maciag, 2002). For example, any alteration made on the file content may not be tracked until it is compared with subsequent/previous file versions or, if it is compared with the modified version of the time stamp. In case the Cyber Forensic expert suspects some manipulation on the document, it would be a challenge to determine the extent of manipulation (Brown, 2015).

Further, some forms of applications and log information that are collected by the application or the operating system, could be useful as evidence in certain cases. Despite the usefulness of the application, the awareness of its use is still at an infant stage making it difficult for the Cyber Forensic experts to ensure the effective use of the application. For example, an operating system like Windows 8 will collect information on all the Wi-Fi networks that have been accessed together with the transmission of the data. The information gathered would help investigations, such as those investigations that involve theft of data or in cases of network intrusion. However, a correlation between the gathered information, from the sources, and the event violation in the gathered information is a concept under research and experimentation (Giordano & Maciag, 2002).

The high number of mobile messaging applications available across the globe uses a software that automatically erase the information that is shared. The main challenge here is that it will be complex for a Cyber Forensic expert to gather such information that was deleted. Another challenge is the encryption in different mobile devices with intention of having the information protected especially during the process of gathering data. For example, gathering data from encrypted mobile chat applications may pose a challenge in certain situations. Contrary to popular belief all mobile chat applications are not encrypted. Certain mobile chats allow a secure connection between the sender and the receiver with no option to retrieve the message after a set time period. Other sessions are simply saved as text messages in the phone storage allowing anyone with the mobile phone passcode to access all stored messages. Even without a passcode, it is technically possible for the chat server to provide chat history with the right encryption key. The decryption of devices may be a challenge to some investigations where the storage or device itself is encrypted (Giordano & Maciag, 2002).

Not handing over mobile device PIN and passwords could lead to legal consequences in certain countries. For example, not giving passwords can get someone arrested according to Schedule 7 of Terrorism Act in the United Kingdom (, 2008; Mandhai, 2017).


Cloud computing is now used by smart mobile devices. The flexibility and scalability of cloud computing poses a huge challenge to forensic investigation (Lopez, Moon, & Park, 2016). The data in these devices, maybe able to be accessed everywhere hence posing another challenge to the investigators. It is a challenge for the investigator to locate the data in a way that ensures the privacy rights of the users. The investigators require the knowledge on anti-forensic tools, practices, and tools that help ensure that the forensic analysis is done accordingly (Spafford, 2006; Lopez, Moon, & Park, 2016).

Cloud-based applications also enable users to ensure that data is accessed from various devices. For example, if one of the two devices of a single user is compromised and both devices lead to some changes in the application, it would be difficult for the Cyber Forensic expert to identify the real source of the change. High risks may compromise credentials and theft of the identity in an environment that is cloud-based and lead to changes that are unknown such as the evidence remaining unknown. On the other hand, an email viewed using a user’s smart mobile device and deleted may not be traced easily. In most cases, it would be difficult to examine severs of the mail and identify the evidence of the deleted communication (Lopez, Moon, & Park, 2016).


There have been some changes in the data protection and privacy regulations in different countries across the globe (Garrie & Morrissy, 2014). Cyber laws and regulations in different jurisdiction vary and many do not take into account, the complexity in collecting forensic evidence. For example, in the machine of a suspect, the information that is available is likely to have some personal information that could be crucial in an investigation. However, accessibility to such private information is likely to be considered as a violation of user privacy (Spafford, 2006).

On the other hand, the era of companies giving some provision to their employees to use their individual devices in accessing the official communication is likely to contribute to several challenges involved in data gathering. Accessing the email of a user, for instance, using webmail and a smart mobile device together with downloading the involved attachments is an example of theft of personal data. In the current era, collecting specific information from a user device is in itself a challenge (Kaur & Kaur, 2012).


Cyber Forensic experts are tasked with collecting and analysing the role of identifying criminals and going through all the evidence gathered against the criminals. These are well-trained professionals working for the public law enforcement agencies or in the private sector to perform roles that are associated to the collection and analysis of forensic evidence. The Cyber Forensic experts also come up with reports that are majorly used in the legal settings for investigations. Besides working in the laboratory, Cyber Forensic experts take up the role of applying the techniques of forensic investigation in the field uncovering the data that is relevant for the court (Karie & Venter, 2015).

The Cyber Forensic experts have the ability of recovering data, which was deleted previously, hidden in the mobile folds, or encrypted. The court, in most cases, calls the Cyber Forensic experts to provide testimony in the court and elaborate on the evidence reports during a given investigation. As such, the Cyber Forensic investigators get involved in complicated cases that may include examining Internet abuse, determining the digital resources that are misused, verifying the offenders’ alibis, and examining how the network was used to come up with forensic threats. There are times when the Cyber Forensic expert is expected to offer support to cases that deal with intrusions, breaching of data, or any form of incident. Through the application of the relevant software and techniques, the device, system or the platform is examined for any kind of evidence on the persons involved on the crime (Karie, & Venter, 2015).

In a forensic examination, data is retrieved from the digital devices, which are considered to be evidence required for the investigations. In most cases, a systematic approach may be used to analyse the evidence, which would be presented in the court at the time of the proceedings. At an early stage of the investigation, the Cyber Forensic expert is required to get involved in gathering evidence. Early engagement in the investigation process helps the Cyber Forensic expert to be in a position to restore all the content without causing damage to the integrity (Karie, & Venter, 2015).

There are different types of forensic cases that are handled by the Cyber Forensic experts. Some of the cases deal with intruders getting into the victim’ devices and stealing their data, other cases, are for the crime offenders who launch attacks on several websites or those who try to gain some access to the names of the users and the password so as to engage in identity fraud. A Cyber Forensic expert has the ability to explore the type of fraud committed by analysing the evidence and using the required techniques. Despite the reason behind the investigation, the experts go through the process procedurally to ensure the findings recorded or gathered are sound. After opening a given case, the items that would be seized include the digital devices, software, and other media equipment’s so as to run the investigation. In the retrieval process, the items considered essential will be gathered so as to give the analyst everything that would be required for the testimony (Karie, & Venter, 2015).

Another human-related challenge faced by Cyber Forensics is spoliation (Cavaliere 2001; Mercer 2004). Spoliation occurs when the person handling evidence fails to preserve, alters evidence, or destroys evidence that could be useful in pending ligation (Watson, 2004). Spoliation may be caused by negligent on the part of the party handling the litigation or handling evidence and intentional destroying evidence by the handler.


Elsewhere, in a literature-based study, Karie and Venter (2015) identified and categorized cyber forensic challenges into four: technical challenges, law enforcement or legal system challenges, personal-related challenges and operational challenges.

Technical Challenges were identified as vast volume of data; bandwidth restrictions; encryption; volatility of digital evidence; incompatibility among heterogeneous forensic techniques; the digital media’s limited lifespan; emerging devices and technologies, sophistication of digital crimes; anti-forensics; emerging cloud forensic challenge.

Legal Challenges were identified as jurisdiction, admissibility of digital forensic techniques and tools; prosecuting digital crimes; privacy; ethical issues; lack of sufficient support for civic prosecution or legal criminal prosecution.

Personnel-related Challenges were identified as semantic disparities in Cyber Forensics; insufficient qualified Cyber Forensic personnel; insufficient forensic knowledge and the reuse among personnel; strict Cyber Forensic investigator licensing requirements; and lack of formal unified digital forensic domain knowledge.

Lastly, Operational Challenges were identified as significant manual analysis and intervention; incidence detection, prevention and response; lack of standardized procedures and processes; and trust of Audit Trails (Vaciago, 2012; Mercuri, 2009; Bassett, Bass, & O’Brien, 2006; Liu, & Brown, 2006; Richard, & Roussev, 2006; Arthur, & Hein, 2004; Mohay, 2005).


This paper revealed several challenges faced by Cyber Forensics. These challenges can be categorized into five: hardware, software, cloud, legal and human. They can also be categorized into technical challenges, law enforcement or legal system challenges, personal-related challenges, and operational challenges. While the available literature has sufficient details on the technical aspects of Cyber Forensic investigation, the human element only seems to touch the surface. There is a huge gap in terms of understanding the emotional and cultural aspects of the stakeholders involved in the investigation process. This calls for a review of Cyber Forensics where elements of Emotional Intelligence (EQ), Cultural Intelligence (CQ) and People Intelligence (PQ) are further investigated for a better understanding.


  1. Arthur, K.K., & Hein, S.V. (2004). An investigation into computer forensic tools. Proceedings of the ISSA conference; Midrand, South Africa. Piscataway, NJ: IEEE Computer Society Publishers; 1–11.
  2. Bassett, R., Bass, L., & O’Brien, P. (2006). Computer forensics: an essential ingredient for cyber security. J Inform Sci Technol; 3:22–32.
  3. Brown, C. (2015) Investigating and prosecuting cybercrime: Forensic dependencies and Barriers to Justice. International Journal of Cyber Criminology, 9 (1): 55-119.
  4. Cichonski, P., Millar, T., Grance, T., & Scarfone, K. (2012). Computer security incident handling guide. Revision 2. National Institute of Standards and Technology; 2012 Aug.; NIST Special Publication 800-61
  5. Cavaliere, F. J. (2001). “The Web-wise Lawyer,” Practical Lawyer; 47(4): 9-10.
  6. Garrie, D. & Morrissy, D. (2014). Digital forensic evidence in the courtroom: Understanding content and quality. Northwest Journal of technology and intellectual property, 12 (2): 121.
  7. Giordano, J & Maciag, C. (2002). Cyber forensic: A military operations perspective. International Journal of digital evidence, 1 (2): 1-13.
  8. Kaur, R & Kaur, A. (2012). Digital Forensics. International Journal of Computer Application, 50(5): 0975-887.
  9. Karie, N.M., & Venter, H.S. (2015). Taxonomy of challenges for digital forensics. Journal Forensics, Sci, 60(4): 885-893.
  10. Liu, V., & Brown, F. (2006). Bleeding-edge anti-forensics. Proceedings of the InfoSec World Conference & Expo; Orlando, FL. Washington, DC: NIST Special Publication; 800–86.
  11. Lopez, E.M. & Moon, S.Y., & Park, H.J. (2016). Scenario-Based Digital Forensics Challenges in Cloud Computing. Symmetry, 8 (107): 2-20.
  12. Lindsey, T. (2006). Challenges in Digital Forensics. Retrieved on 8th May 2017 from
  13. (2008). Counter-Terrorism Act 2008. Retrieved May 23, 2017, from
  14. Mandhai, S. (2017, May 15). Cage activist faces charges for not giving up passwords. Retrieved May 23, 2017, from
  15. Mercer, L. D. (2004). “Characteristics and Preservation of Digital Evidence,” FBI Law Enforcement Bulletin 73(3): 28-34.
  16. Mercuri, R. (2009). Criminal defense challenges in computer forensics. Proceedings of the Digital Forensics and Cyber Crime Conference, Albany, NY. Berlin/Heidelberg: Springer Berlin Heidelberg Publishers.
  17. Mohay, G. (2005). Technical Challenges and Directions for Digital Forensics in 1st International Workshop on Systematic Approaches to Digital Forensic Engineering.
  18. National Institute of Justice. (2002). Results from Tools and Technology Working Group, Governors Summit on Cybercrime and Cyber terrorism, Princeton NJ.
  19. Richard, G.G., & Roussev, V. (2006). Digital forensics tools – the next generation.
    Hershey, PA: Idea Group Inc; 76–91.
  20. Vaciago, G. (2012). Cloud computing and data jurisdiction: a new challenge for
    digital forensics. Proceedings of the third International Conference on Technical and Legal Aspects of the e-Society; Valencia, Spain. IARIA XPS Press; 7–12.
  21. Spafford E. (2006). Some Challenges in Digital Forensics. In: Olivier M.S., Shenoi S. (eds) Advances in Digital Forensics II. IFIP Advances in Information and Communication, vol 222. Springer, Boston, MA
  22. Watson, L. M. (2004). “Anticipating electronic discovery in commercial cases,” Michigan Bar Journal. 83(31), 23-45.





Cyber Forensics has been defined in different terms in available literature. ISO (2012) terms it the identification, collection, acquisition and preservation of digital evidence of substantial value. A better, more broadbased definition that clarifies the legal context is credited to Easttom (2013), which defines Cyber Forensics as the identification, preservation, collection, transportation, analysis, and presentation of digital evidence according to legally accepted processes and procedures.

This paper focuses on the crucial role of Cyber Forensic investigation as related to Intellectual Property. In this context, Intellectual Property is classified as copyright, trademark, trade secrets, licensing and patents. Copyright protects the original “author” or owner the exclusive right to reproduce the work. Definition of copyright might vary across countries. The World Intellectual Property Organization clarifies that computer programs, databases, designs and architecture also counts as copyright (WIPO, 2003). Trademark is a brand name and includes a word, a name, a symbol or a a combination of these to uniquely identify the goods/ services. Trade secrets are confidential business information. Licensing refers to the legal agreement between the Intellectual Property rights owner and another party (licensee). Patents are Intellectual Property rights granted by the government to the inventor. Patents are usually for limited durations (Stephenson, 2014).


Cyber Forensics is tasked with a structured investigation that will maintain a chain of custody. In many cases, the Cyber Forensic investigation follows set procedures that are based on well-established scientific principles (Stephenson, 2014). The device in question would be isolated to ensure it cannot be contaminated accidentally. Then, the investigators prepare a copy of the storage media in the device. After copying that original media, the information will be locked in a safe facility to ensure that the pristine conditions are maintained. Then, investigation will be carried out on the stored copy of digital media.

More often than not, the investigators may apply different techniques and the proprietary software in examining and searching all the hidden files. All the unallocated disk space with deleted, damaged, or encrypted files are checked as well. The evidence found on the device is then documented carefully as a report. The evidence will then be verified and made ready for the legal proceedings. The legal proceedings involve depositions, actual litigation and discovery of the collected evidence.


Cyber Forensic has been used to deal with threats of Intellectual Property initiated internally, by former or current employees and externally, by business partners, contractors and third parties. This section reviews the motivation behind theft of Intellectual Property based on established models. There are two dominant models that explain information stealing within organizations. One is the Entitled Independent model where an insider is acting alone to steal information to help in a new job or own business. The other model is the Ambitious Leader model where a leader, someone with a larger purpose, recruits insiders to steal information.

According to the Entitled Independent model, without an interview, it would be difficult to find out the magnitude to which an insider would feel in charge of the information stolen. In a number of cases, the interviews and findings found out that 60% of the class of insiders who had their information stolen supported the hypothesis that they felt in charge of the stolen information. About three quarters of the entitled independents had their information stolen in their responsibility area, and 37% of the cases were involved partially in developing the stolen information. About 42% of the Entitled Independents had stolen the information or products despite having signed the Intellectual Property agreement with specific organizations (Moore et al., 2011).

Figure 1: Insider theft and deception (Moore et al., 2011)

Moore et al. (2011) found out that this kind of entitlement may be severe especially once the insider considers his function important in product development. In a case where the role of the insider is focused on contributing to a specific product, the insider would have a greater ownership sense regarding the information and product resulting into a huge entitlement. Different from the good management practice, individuals could get positive feedback due to their efforts and could interpret it as some kind of reinforcement provided their predispositions.

A number of cases depicted evidence of entitlement. For example, an entitled independent who stole, and marketed a copy of his employer’s critical software established a huge manuscript that detailed his innocence and considered the persons involved in the trial dead. Similarly, another insider stole the database of the client and offered the company some threats just because he was denied a raise (Moore et al., 2011).

Some dissatisfaction had a role to play in about 33% of the cases of independent entitlement. In most cases, the dissatisfaction came about from insider’s denial of requests. The requests denied in the cases studied involved benefits and raises, promotion application, and relocation requests. Some dissatisfaction also lead to threats of layoff in the organization victim (Moore et al., 2011).

Some of the things that trigger an insider into contemplating to steal information include the insider’s plan to move into the competing organization, dissatisfaction with their job, and the sense of entitlement to the products. As a result, the need to steal information became strong resulting into theft. Some organization may not be able to detect the theft. In some organization, the employee’s actions which appear suspicious may be observed and action taken (Moore et al., 2011).

The concerns over being caught when stealing could make the insider not to steal the information. This could be explained by the psychological predisposition of entitlement that makes an individual overestimate his abilities while underestimating the capabilities of other. Even though, the agreement of Intellectual Property may be in place, in any cases, a very low percentage of the entitled independents attempt to deceive the organization when they try to take the information (Moore et al., 2011).

According to the Ambitious Leader model, some leader may recruit the insider to steal some information especially for a larger purpose. Some of the cases include the specific plans in developing competing product or using information in attracting clients away from the organization victim. More than 50% of cases of the stealing Intellectual property fall in this category. About 38% of the cases involve insiders who were working with the competing organization so as to help his new employer. About 30% fall in this category. The last category of insider involves those who sell the information to competing firms. About 10% of the cases may fall in this category (Moore et al., 2011).

Figure 2: Theft planning by Ambitious Leader (Moore et al., 2011)

The cases where foreign entities were benefitted fit into the Ambitious Leader scenario. The study also showed that the loyalty to the native country was higher than the loyalty to the employer. Some insiders who stole the Intellectual Property were influenced by the Ambitious Leader. The insiders with loyalty to the foreign country were influenced by the goal to bring value to and relocate to the given country. All the cases of the Ambitious Leader involved an individual being influenced and motivated to promote the crime (Moore et al., 2011).


Cyber Forensic investigation helps establish the provisions that target the infringement of Intellectual Property. For example, the United States No Electronic Theft Act attempts to criminalize noncompetitive infringement. On the other hand, the Digital Millennium Copyright Act offers penalties for crimes like conduct, and the circumventing of the codes designed to have the copyright material protection (Moohr, 2001).

Cyber Forensic investigation helps prevent theft of copyright. For example, the Copyright Law targeted at preventing the infringement by the competitors holding copyright. The law acknowledges that the infringement by competitors for commercial reasons is a crime classified as misdemeanor. Initially, the criminal offense was applicable to only the people who infringed for reasons of profit and the economic competitors were subjected to some liability. However, the new legislation included a penalty to protect different type of copyright material and increased the criminal penalties severity, while ensuring that the quasi-copyright material is protected by the criminal provisions. In this case, the infringement of copy right for private financial gain, and commercial advantage were included in the law provision (Moohr, 2001).

The goal of the Copyright Law is to benefit the public through the promotion of the ideas and learning. To promote this law, authors are granted exclusive rights. The law protects the interest of the author as ways of having an end protection. In this case, the law provides access to the authors work when the statutory grant expires (Moohr, 2001).

The law offers some rights to the initial expression of ideas to overly restrict the access by the public. Confining the protection involves setting out limited rights and restricting the period of time for the rights, while maintaining an existence of material in the public domain. The law helps others to build on ideas freely.


From the study, it is evidenced that Cyber Forensic investigation helps prevent theft of Intellectual Property, helps establish the provisions that target the infringement of copyright, helps identify the motivation behind theft of Intellectual Property, and helps deal with the threats of Intellectual Property. Some of the reasons behind theft of Intellectual Property involve benefiting the foreign entities, stealing information especially for a larger purpose, insider’s plan to move into the competing organization, dissatisfaction with their job, and the sense of entitlement to the products. The two theories used to explain the insider’s motivation include the Ambitious Leader model, and the Entitled Independent model. Laws like the Copyright Law have been enacted to protect the authors against theft of Intellectual Property. In summary, Cyber Forensic investigators need to give sufficient importance to Intellectual Property rights when obtaining and reviewing digital evidence.


1.Easttom, C. (2013). System forensics, investigation and response 2nd ed. . Burlington, MA: Jones & Bartlett Learning.

2.ISO. (2012). ISO/IEC 27037:2012 Information technology — Security techniques — Guidelines for identification, collection, acquisition and preservation of digital evidence. Retrieved from

3.Moohr, G. (2001). The crime of copyright infringement: An inquiry based on morality, harm, and criminal theory. Retrieved October 2016, from

4.Moore, P., Cappelli, D., Caron, T., Shaw, E., Spooner, D., & Trzeciak, R. (2011). A preliminary model of insider theft of intellectual property. Retrieved October 9, 2016, from

5.Stephenson, P. (2014). Official (ISC)2® Guide to the CCFP CBK. CRC Press.

6.WIPO. (2003, June). What is Intellectual Property? Retrieved 2017, from World Intellectual Property Organization:

Translate »