Wednesday, March 4, 2009

Ethical Practices for Digital Forensic Examiners

John J. Barbara has posted an excellent article on ethics and raises a very probing question regarding digital forensics.

"Since the examiner in the scenario is also the investigator, can we be assured that he is “disinterested” in the outcome of the case?"

That is a very important question. Considering that digital foreniscs is one of the few areas in which the officer who is conducting the investigation and making the arrest is also the forensic scientist. Is this really a good scenario to put someone in where making arrests ending in sucessful prosecution has an impact on thier job?

Ethical Practices for Digital Forensic Examiners
By John J. Barbara


  1. On the surface, as long as performance metrics are tied to cases in this way, there will always be an issue with this. However, as you've stated, "...put someone in where making arrests ending in sucessful[sic] prosecution..." - the arresting officer doesn't prosecute the case. Even if the examiner considers the entirety of the data (or "evidence") and is able to assemble the case, it still has to be considered by the prosecutor, and the suspect will still have a defense.

    I've been considering this same sort of issue on the corporate side, with respect to incident response. My thoughts are that the admins right there on-site make the best first responders, and should be trained as such. Even if all they do is incident scoping and data retention, the data that they collect (along with their documentation) would be sufficient for someone like me to come in and perform a deeper analysis. However, the question will arise with respect to that process...if a breach negatively impacts the performance review of the admin, why would you have them as a responder?

  2. Harlan, as always you make excellent points and reasoned arguments.


I have moderated my comments due to spam.