Saturday, September 27, 2008

Ethics in Digital Forensics

I just read an article in the current issue of Forensics Magazine: Digital Insider: Ethical Practices in Digital Forensics: Part 1, by John J. Barbara.
While the article is well written, I have to take issue with some of the content.
The article addresses the ethical issues of both the primary and secondary experts in a case. While he chose to use ballistics as the scenario for this article, he promises to use a digital forensics scenario in Part 2. (Not sure why he didn’t use one to start with.)
Here is a quote from the article that I take issue with:
“In shooting situations such as this, it would not be surprising for the defense to hire another examiner to reexamine the fired projectiles. What would be the legal, moral, professional, and ethical responsibilities of the second examiner should a different conclusion be determined? Certainly, he or she will report the results to the defense counsel. However, should the second examiner also notify the prosecutor and the first examiner? Would doing so violate any attorney/client privileges? Going one-step further, should the defense counsel notify the prosecutor? This scenario is not uncommon and holds the potential for legal, professional, and ethical conflicts involving both of the examiners and the defense counsel. Presuming that the conflicting testimony is presented in court, ultimately the jury would have to decide the weight given to the each examiner’s testimony. “

Before I make my comments, let me quote Mr. Barbara’s mini-bio from the article:
“John J. Barbara is a Crime Laboratory Analyst Supervisor with the Florida Department of Law Enforcement (FDLE) in Tampa, FL. An ASCLD/LAB inspector since 1993, John has conducted inspections in several forensic disciplines including Digital Evidence. John is the General Editor for the “Handbook of Digital & Multimedia Evidence” published by Humana Press.”

I am not picking on Mr. Barbara, but it appears he has forgotten that we use an adversarial system in the U.S. Perhaps, Florida is different, but I doubt it.

Should the second examiner notify the prosecutor and the first examiner? Not if he wants to do any more work. As far as I know, that would violate the attorney work product and the trust of the defense counsel that retained the secondary expert.

Going one-step further, should the defense counsel notify the prosecutor? Oh, you bet he will; when the time is right. If the defense counsel believes that the evidence to be presented by the expert is prejudicial based on the work of his retained expert, he will normally have the secondary expert prepare an affidavit of facts and have it served on the prosecutor in preparation for a motion to exclude that evidence. What the defense counsel must tell the prosecution and when, varies by state.

Of course I am not an attorney and I don’t play one on TV, but that has been my experience as the secondary expert in many cases.

I don’t regard either of the preceding questions raised in the article as ethical in nature. I actually would regard acting in that manner as unethical toward the attorney that has retained the secondary expert.

So, let’s get back to the core topic of ethics in digital forensics. First of all, I see no difference in the ethical code a digital forensics examiner should ascribe to than any other ethical code in forensics science.

The problem perhaps is the lack of recognition that Digital Forensics is a science.

Mr. Barbara is spot on when he says, “There are many examiners in the Digital Forensic community who are not aware that professional codes of conduct and codes of ethical practices need to be an inherent part of every examination.”

But, I disagree again when he states further along that, “Ultimately, the examiner is responsible for his or her results. Through education, training, and experience, he or she develops and enhances individual technical knowledge, skills, and abilities. This maturation process needs to include adherence to an overriding code of professional conduct or a code of ethical practices.”

Ethical practices should be part and parcel, from the very beginning of any forensic practitioner's training. Waiting until later in an examiner’s career to begin to mature into ethical conduct by adopting a code of ethical behavior puts the cart squarely before the horse.

But there is a serious problem as I see it with ethics in the Digital Forensics field: People getting into the field to make a quick buck by picking the low hanging fruit of distressed spouses, concerned employers or uninformed attorneys.

This is multiplied by the blinders being worn by state licensing boards where they are failing to recognize digital forensics as a discipline that incorporates scientific examination of evidence that requires special expertise and training, but instead think is it part of private investigation. In my mind that is a violation of the public trust, but I have been on that soapbox for a while now, so no news there.

The foundation for ethical practice is recognizing the responsibility of the examiner in performing his or her duties.. When you attend forensic courses, they will tell you that you need to be impartial. They don’t tell you that you need to be ethical or even explain what that means in the context of the forensics field.

If the examiner is working as a consultant / expert in the field, they must have a clear understanding of the impact of what they do, including some knowledge of the laws that govern the practice, and what they must do to ethically serve their clients, whether they are attorneys or private citizens.

Even in-house examiners have a responsibility to operate in an ethical manner in internal investigations, lest they inadvertently destroy another employee’s career by making a representation that is not completely correct or based in any way on speculation.

And I believe that law enforcement examiners should be of the highest ethical standard since by definition we are relying on them to protect us as part of their sworn commitment to the public they serve.

I hear a lot of comments by examiners that say, “I just find the data. Then let the lawyers sort it out.”
To operate ethically, the examiner should make sure that the evidence they find and present at least meets what I consider to be the minimal standard of a digital forensics examination: “If you can’t prove it, don’t say it.”

Presentation of digital evidence should never be on the basis of speculation. Rendering an opinion can be an explanation of why the expert believes something to be true based on examination of digital evidence, but never on speculation.

So the next time you, as a digital forensics examiner are on the witness stand and the attorney asks you, “Mr. Examiner, in your expert opinion, would it be fair to say that…..” Remember that someone’s life may be in the balance. And that is where your ethics must already be firmly engrained in all you have done and will say.

I am a member of and recommend the multi-discipline American College of Forensic Examiners.

No comments:

Post a Comment

I have moderated my comments due to spam.