Thursday, October 30, 2008

Computer Forensics - Ethics

I noticed that my blog is getting a lot of hits from Google searches for ethics in computer forensics, mostly from schools and colleges, so I suppose that people are getting some homework assignments about this topic. In doing my own research on the topic, it seems, and I cannot prove this of course, that the computer forensics curricula at colleges are for the most part using classical ethics courses.

While there is nothing wrong with classical ethics courses, they really are not very practical when applied to a discipline like computer or digital forensics. At least not without a lot of extra explanation.

So let me explore this topic from a slightly different angle: practical application to this specific discipline.

Experts in general are sometimes accused of being biased because it is believed that they have a vested interest in the outcome of a case. On the prosecution side, the suspicion of bias can be attributed to the fact that the expert is on the payroll of the side they are testifying for. On the defense side, the accusation of “hired gun” is sometimes used to show that an expert is biased because they are getting paid to testify.

In reality, both sides are getting paid to testify, making that a weak argument for bias, in my opinion. However, that argument has been used to some effect in trying to sway juries against an expert, especially a private expert. Someone charging 150.00 to 500.00 an hour to testify seems expensive. All things are relative in that respect I think. The doctor that removed a kidney stone for me got 2500.00 for a 30 minute procedure, making his hourly rate 5000.00. Now that seems high to me!

Providing expert services is something that is sorely needed in the digital forensics arena for the simple fact that to the layman, it can sound like a pretty arcane science, with its own specialized language, tools and methods. It is not something that just anyone can do. Much like the doctor that removed my kidney stone. I wouldn't want someone who was just “interested” in medicine to do that kind of thing for me.

If the primary concern in ethical behavior in experts is whether or not they are biased, then that is what we should explore here. Especially since every code of ethics I have seen in this field states clearly that the expert should be a neutral party.

In every case I have worked, civil or criminal, I have not once gotten the impression that the expert on the other side was biased in any sort of classical sense, in particular if we define bias as attempting to present or withhold facts in such a way as to unduly influence the outcome of a case.

The role of the expert is to find and present all the facts to the client, independent of the impact on the case. Nothing should be deliberately obscured or omitted that might be either exculpatory or incriminating. It is not the role of the expert to judge the plaintiff or defendant, nor is it the role of the expert to be an advocate. Advocacy is the job of the person's legal counsel.

Bias is only one of the ethical challenges facing any expert, including those in the area of computer forensics.

Most ethics statements will include something along the lines of the expert not having a stake in the outcome of the case. Simply put, an expert should never be working on a contingency basis, since this clearly puts the expert in the position of having to “win” to get paid. If your fees depend on making sure your side wins, then you are definitely biased and no amount of explanation will make that go away.

Perhaps one of the most important aspects of ethical behavior for an expert is also one of the harder ones to judge: competency. From the outside, it is difficult to tell if the expert is really qualified until they are engaged and performing the work. However, anyone who holds themselves out as an expert and attempts to do things above their competency level is not only in danger of being unethical, they are in danger of being sued or worse.

The problem with a field like computer forensics is the lack of universally accepted standards that anyone can consult to get at least some idea of an expert's level of competency. Other professions require some sort of licensing specific to their field: certified public accountants, doctors, professional engineers, lawyers, etc. have had to pass some sort of board certification prior to being allowed to practice. Of course it was not always that way for those professions in the early days, before such boards and licensing bodies were formed. And that is the state of computer forensics today.

Without such minimum safeguards, pretty much anyone can say they are a computer forensics expert. They might not get qualified if they ever get to court, but most cases never make it that far.

Let's be honest and admit that it doesn't take much to pull the wool over a computer novice's eyes with a few well-placed buzzwords, or simply the possession of a computer forensics software package. The danger here is that once the “expert” is retained and allowed to work on a case, by the time they are exposed by a qualified opposing expert, the damage is already done.

The point here is that the minimum ethical behavior for an expert is to not overstate their qualifications to get a case, nor to overstep their competency by taking a case where they cannot provide the level of expertise that the client expects and deserves.

From a personal standpoint, as an example, I specialize in post-mortem forensics, not incident response. So I will not take incident response cases because they are simply outside my expertise, even though I have over twenty-five years of IT experience and have done my share of network security, intrusion detection, firewall programming and such. However, incident response is above that level of expertise when practiced as a forensic discipline.

If a client's needs represent an area of expertise I would not be comfortable testifying about in court, I simply won't take the case. In my mind, that should be the bar an expert sets for which cases they will accept or reject.

A final word on bias: Working hard for your client by providing the highest level of service you can is not bias. Properly doing the work, accurately and completely presenting the facts, backing up your findings with appropriate research in the field and testifying as well as you can, on behalf of your client in court, is what is expected of anyone who says they are an “expert.”

