computer forensic

One common misconception of an examiner’s analytical responsibilities is that he or she is to only analyze submitted evidence to the extent of the investigative request. This is far from the truth. Indeed, if this is all that an examiner does, then most probably, technical support personnel can be trained to do the task. The role of an examiner is aptly defined and described in the preamble to the Code of Ethics of the California Association of Criminalists:

“It is the duty of any person practicing the profession of criminalistics to serve the interests of justice to the best of his ability at all times. In fulfilling this duty, he will use all of the scientific means at his command to ascertain all of the significant physical facts relative to the matters under investigation. Having made factual determinations, the criminalist must then interpret and evaluate his findings. In this he will be guided by experience and knowledge which, coupled with a serious consideration of his analytical findings and the application of sound judgment, may enable him to arrive at opinions and conclusions pertaining to the matters under study. These findings of fact and his conclusions and opinions should then be reported, with all the accuracy and skill of which the criminalist is capable, to the end that all may fully understand and be able to place the findings in their proper relationship to the problem at issue. In carrying

Ethical Practices in Digital Forensics: Part 2 https://www.forensicmag.com/article/2008/10/ethical-practices-digital-fo...

1 of 5 4/29/17, 7:55 PM

out these functions, the criminalist will be guided by those practices and procedures which are generally recognized within the profession to be consistent with a high level of professional ethics. The motives, methods, and actions of the criminalist shall at all times be above reproach, in good taste and consistent with proper moral conduct.”

The second sentence states that the examiner is to use “…all of the scientific means at his command to ascertain all of the significant physical facts relative to the matters under investigation.” This can generally be ascribed to the examiner following the scientific method, performing whatever testing is necessary to try to resolve the issue at hand, and adhering to a code of professional conduct and/or a code of ethical practice. Acceptable behaviors for research scientists were described in 1942 by R.K. Merton as “universalism, communalism, disinterestedness, and organized skepticism.” They also apply to forensic examiners. Although some would argue it is difficult to agree upon specific behaviors for a code of professional ethics, others would agree that a consensus could probably be reached regarding those for a code of professional conduct. Regardless, some sort of code needs to be in place to lend guidance to examiners.

ETHICAL PRACTICES IN DIGITAL FORENSICS The following scenario will put into perspective the need for such a code for Digital Forensics examiners:

An examiner in a digital forensics unit is also a sworn investigator. He receives a complaint from a woman who saw child pornography on her husband’s computer. He goes to the victim’s house, has her sign a “Consent to Search” form, and seizes the computer. After acquiring the hard drive, he recovers twenty-five pornographic pictures from unallocated space which depict children engaged in sexual acts. From the “User Account,” he recovers several hundred pornographic pictures and movies, all of which depict adults engaged in various sexual acts. He exports all the pictures and movies to a DVD and turns it over to the prosecutor for court purposes. Subsequently, he arrests the subject and charges him with possession of child pornography.

1

Ethical Practices in Digital Forensics: Part 2 https://www.forensicmag.com/article/2008/10/ethical-practices-digital-fo...

2 of 5 4/29/17, 7:55 PM

From the perspective of the examiner/investigator and the prosecutor, there has been a violation of the law; the possession of child pornography is illegal. However, the subject’s attorney states to the prosecutor that the subject does view and save adult pornography, but not child pornography. He claims that the subject received the child pornography pictures as an attachment to an email which he subsequently deleted. From his perspective, the possession was not by intent and that there are mitigating circumstances. To assist the prosecutor, there are a number of additional tasks that the examiner/investigator could perform. Reviewing the pictures recovered from allocated space could determine if there are any date/time stamps still associated with the picture(s). If so, this could be probative information to either support or disprove the subjects claim. Examining the “User Account” could indicate whether there is a sharing program and if so, which folders/files are being shared and where are they located. The “Registry” could provide information regarding if any external devices, such as a USB drive, have been attached to the computer. The subject’s email account could yield information as to whether or not there are similar emails present and if so, examining their headers could provide an IP trail back to the source. Searching for viruses could indicate that the computer was compromised. And so on.

Since the examiner in the scenario is also the investigator, can we be assured that he is “disinterested” in the outcome of the case? After all, he found evidence of a crime and it was located on the subject’s computer. From his perspective, case closed. However, has he provided all of the significant physical facts relative to the investigation to the prosecutor? Having found the child pornography, should he not attempt to determine its source? Everyone is presumed innocent until proven guilty (or pleads guilty). Even though the subject in the scenario is charged with an insidious crime, he himself could be a victim. It is possible that a more thorough forensic examination may conclude that no determination could be made as to the source of the child pornography pictures (subject downloaded the pictures, received them via an email, they were put onto the computer via another methodology, etc.). At that juncture, it would be up to a judge and/or jury to decide guilt or innocence based upon all the facts in the case. Regardless, from an ethical and

Ethical Practices in Digital Forensics: Part 2 https://www.forensicmag.com/article/2008/10/ethical-practices-digital-fo...

3 of 5 4/29/17, 7:55 PM

professional perspective, every examiner has the responsibility to not only examine the evidence for probative data, but should also provide potential exculpatory evidence to the prosecutor “to the end that all may fully understand and be able to place the findings in their proper relationship to the problem at issue.”

Reference

R.H. Brown. The Wisdom of Science. Cambridge, GB: Cambridge University Press. 1986.

1.

John J. Barbara is a Crime Laboratory Analyst Supervisor with the Florida Department of Law Enforcement (FDLE) in Tampa, FL. An ASCLD/LAB inspector since 1993, John has conducted inspections in several forensic disciplines including Digital Evidence. John is the General Editor for the “Handbook of Digital & Multimedia Evidence” published by Humana Press.

Ethical Practices in Digital Forensics: Part 2 https://www.forensicmag.com/article/2008/10/ethical-practices-digital-fo...

4 of 5 4/29/17, 7:55 PM

0 Comments Forensic Magazine Login1

Share Sort by Best

Start the discussion…

Subscribe Add Disqus to your siteAdd DisqusAdd Privacy

Recommend

Ethical Practices in Digital Forensics: Part 2 https://www.forensicmag.com/article/2008/10/ethical-practices-digital-fo...

5 of 5 4/29/17, 7:55 PM