At some point during a forensics investigation, digital forensics practitioners may encounter evidence or information that puts them in a difficult position, challenging their ethics and professional conduct. For the most part, these dilemmas can be resolved by following an approach where they recognize, classify, and manage these issues while respecting the boundaries and obligations they have as a professional.
However, differences amongst individuals, cultures, social classes, and organizations create challenges in establishing what is ethical and what is not. Abiding by a set of consistent professional ethics and code of conduct relating to digital forensics helps to define the moral principles that provide guidance to avoid potential misconduct.
Whatever the cause of illegal, immoral, or unethical behavior, it’s the responsibility of every digital forensics practitioner to do everything in their power to be objective, honest, truthful, and demonstrate due diligence during an investigation. That said, perhaps the best way to illustrate the importance of ethics is to explain what it is not. First and foremost, ethics should not be regarded as aspirational, meaning that it should be something applied consistently and not intermittently. Ethics establish a minimum standard of acceptable conduct for all activities performed by all digital forensics practitioners.
Ethics are concerned with the norms of conduct and follows the same rigors of logical reasoning as those of the scientific digital forensics discipline. While some might view ethics as being prescriptive and prohibitive, they provide reasonable guidance for acting in good faith. Although ethics are not law, conduct outside of these guidelines can lead to harm, liabilities, damages, or other consequences.
Digital forensics practitioners possess specialized and unique knowledge which, if not governed or used appropriately, has the potential for misuse and abuse. When practitioners fail to uphold a minimum level of standards, the resulting impact can lead to digital evidence being overlooked, disregarded, spoiled, or disclosed.
Principles of ethical reasoning provide an appropriate means of sorting out the good from the bad. Typically, ethical guidelines are created to be broad and vague and don’t outline every prohibited act to prescribe what proper behavior is.
Personal ethics are those values that individuals, or groups of people, regard as desirable and commonly apply to their behaviors. These principles reflect general expectations without having to formally articulate them and include:
1. Concern and respect for the well-being of others
2. Honesty and the willingness to comply with the law
3. Fairness and the ability not to take undue advantage of others
4. Goodwill and preventing harm to any creature
Largely, people are motivated to abide by these principles because:
• They want to have a clear conscience and desire to act ethically under normal circumstances;
• It is their nature to ensure their actions and behaviors do not cause injury or harm to others;
• They are obligated to follow laws and regulations of countries and regions; or
• Social and material well-being depends on how one behaves in society.
A professional is any individual who performs a specific activity, such as a digital forensics practitioner, within the context of a business environment. Examples of basic ethics principles people are expected to follow in their professional career include:
• Impartiality and objectivity;
• Openness and disclosure;
• Confidentiality and trust;
• Due diligence and duty of care;
• Loyalty to professional responsibilities; and
• Avoidance of potential or apparent conflicts.
Published in 1992 by the Computer Ethics Institute (CEI), the Ten Commandments of Computer Ethics was developed as a standard set of principles to guide and instruct people on the ethical use of a computer system. These commandments have been widely quoted and referenced since the original publication as the minimum standards for human conduct when using computer systems.
Ten Commandments of Computer Ethics:
1. Thou shalt not use a computer to harm other people.
2. Thou shalt not interfere with other people’s computer work.
3. Thou shalt not snoop around in other people’s computer files.
4. Thou shalt not use a computer to steal.
5. Thou shalt not use a computer to bear false witness.
6. Thou shalt not copy or use proprietary software for which you have not paid.
7. Thou shalt not use other people’s computer resources without authorization or proper compensation.
8. Thou shalt not appropriate other people’s intellectual output.
9. Thou shalt think about the social consequences of the program you are writing or the system you are designing.
10. Thou shalt always use a computer in ways that ensure consideration and respect for your fellow humans.
Business ethics is the application of the general principles discussed above to the behavior portrayed within a business environment. Following a minimum standard of ethical business behavior is expected, both by the organization and by the public, to facilitate aspects of business, including improved profitability, nurturing of business relationships, improved employee productivity, and reduction of risk (i.e., strategic, financial, operational, legal, and other).
Organizations must conduct themselves ethically because they need to exist in a competitive global landscape and demonstrating these values brings about credibility. Generally, organizations should act ethically to:
• Protect the interests of themselves, the business community at large, and public interest;
• Meet the expectations of and build trust with stakeholders, shareholders, and investors; and
• Create an environment whereby employees can act consistently with the organization’s values and principles.
A business code of conduct policy is a management tool for setting out an organization’s values, responsibilities, and ethical obligations. This governance document provides the organization with guidance for handling difficult ethical situation relating to business conduct. To be truly effective, the business code of conduct needs to be embedded throughout the organization so that employees know exactly how it applies to them.
Like how organizations have a mission statement, sometimes referred to as a vision statement, aligned to their business goals, they should also develop such statements to promote an ethical culture.
Most education and training available today is focused on the technical aspects of the digital forensics discipline, such as how to examine a hard drive or conduct network traffic analysis. Within the academic curriculum, there is little time spent on the business side of digital forensics which includes teaching ethics and conduct.
Perhaps the reason there is this notable absence in academic curriculum is because the code of ethics that exists does not encompass the digital forensics community as a whole. While there are professional organizations that have established their own codes of ethics, as discussed in the section below, these values and principles are specific to a single entity and are not universally translated to demonstrate the level of competency expected of a digital forensics practitioner internationally.
Above we discussed personal, professional, computer, and business ethics that can be used to establish a set ethics that can be used in the digital forensics profession. While the following are not structured in the manner of a code of ethics, these values and principles should be consistently applied by digital forensics to demonstrate how practitioners can conduct themselves in an ethical manner.
Certifications and Professional Organizations
Internationally, there are several professional organizations that have established ethics, or codes of conduct, which certified digital forensics practitioners are expected to adhere by. Even though these ethics put forward by these professional organizations can have a positive effect on the behavior, actions, and judgment of individuals, many organizations do not mandate that their employees become certified. Holding a professional digital forensics certification can be viewed as a deterrence to professional misconduct at the risk of losing the accreditation due to a violation of the code of ethics defined by the certifying body.
Ultimately, digital forensics practitioners are held accountable for acting ethically and according to their organization’s policies (e.g., business code of conduct), their associated professional organizations, and applicable laws where they live and conduct business. While there are professional organizations in addition to those specified below, the following are examples of certifying bodies and their respective codes of ethics to which accredited individuals must adhere.
Digital Forensics Certification Board (DFCB)
The Digital Forensics Certification Board (DFCB) exists to promote public trust and confidence in the digital forensics profession. Specifically, the Digital Forensics Certified Practitioner (DFCP) designation offered by DFCB is a professional certification to enhance professionalism and distinguish individuals who have a broad comprehension of the common body of knowledge (CBK) within the digital forensics industry.
Within the DFCB Code of Ethics, it is stated that a certificant shall:
1. Not engage in, or pressure others to engage in, any conduct that is harmful to the profession of digital forensics including, but not limited to, any illegal or unethical activity, any technical misrepresentation or distortion, any scholarly falsification or any material misrepresentation of education, training, credentials, experience, or area of expertise;
2. Demonstrate, at all times, commitment, integrity, and professional diligence;
3. Avoid any action that could appear to be a conflict of interest;
4. Comply with all lawful orders of courts of competent jurisdiction;
5. Show no bias with respect to findings or opinions;
6. Express no opinion with respect to the guilt or innocence of any party;
7. Not disclose or reveal any confidential or privileged information obtained during an engagement without proper authorization or otherwise ordered by a court of competent jurisdiction;
8. Examine and consider thoroughly all information (unless specifically limited in scope by court order or other authority) and render opinions and conclusions strictly in accordance with the results and findings obtained using validated and appropriate procedures;
9. Report or testify truthfully in all matters and not knowingly make any material misrepresentation of information or otherwise withhold any information that, in so doing, might tend to distort the truth;
10. Accept only engagements for which there is a reasonable expectation of completion with professional competence.
International Association of Computer Investigative Specialists (IACIS)
The International Association of Computer Investigative Specialists (IACIS) is a global non-profit organization that promotes educational excellence in the digital forensics profession. Specifically, both the Certified Forensics Computer Examiner (CFCE) and Certified Advanced Windows Forensics Examiner (CAWFE) designations offered by IACIS are professional certifications for individuals to demonstrate their knowledge of core competencies and practical skills in the field of digital forensics.
The IACIS Code of Ethics states that “members must demonstrate and maintain the highest standards of ethical conduct” by doing the following:
• Maintaining the highest level of objectivity in all forensics examinations and accurately presenting the facts involved.
• Thoroughly examining and analyzing the evidence in a case.
• Conducting examinations based upon established, validated principles.
• Rendering opinions having a basis that is demonstratively reasonable.
• Not withholding any findings, whether inculpatory or exculpatory, that would cause the facts of a case to be misrepresented or distorted.
• Never misrepresenting credentials, education, training, and experience or membership status.
International Society of Forensics Computer Examiners (ISFCE)
The International Society of Forensics Computer Examiners (ISFCE) is a non-profit organization that promotes a community of competent digital forensics practitioners. Specifically, the Certified Computer Examiner (CCE) designation offered by ISFCE is a professional certification that sets a high ethical standard based on the recipient’s knowledge and practical experience within the digital forensics discipline.
Within the ISFCE Code of Ethics, a Certified Computer Examiner (CCE) will at all times:
• Demonstrate commitment and diligence in performance of assigned duties
• Demonstrate integrity in completing professional assignments
• Maintain the utmost objectivity in all forensics examinations and accurately present findings
• Conduct examinations based on established, validated procedures
• Abide by the highest moral and ethical standards and abide by the Code of the ISFCE
• Testify truthfully in all matters before any board, court or proceeding
• Avoid any action that would knowingly present a conflict of interest
• Comply with all legal orders of the courts
• Thoroughly examine all evidence within the scope of the engagement
Within the ISFCE Code of Ethics, a Certified Computer Examiner (CCE) will never:
• Withhold any relevant evidence
• Reveal any confidential matters or knowledge learned in an examination without an order from a court of competent jurisdiction or with the express permission of the client
• Express an opinion on the guilt or innocence of any party
• Engage in any unethical or illegal conduct
• Knowingly undertake an assignment beyond his or her ability
• Misrepresent education, training or credentials
• Show bias or prejudice in findings or examinations
• Exceed authorization in conducting examinations
Principles for Digital Forensics
Currently, there is no universally adopted code of ethics that governs the ethical behavior and conduct of digital forensics as a single community; and just because there isn’t one today doesn’t mean that creating one is a simple task. Perhaps the biggest reason no such code of ethics exists for the entire digital forensics community can be attributed to the challenges that would be faced in establishing one at an international level. Some obstacles that could be faced during this process include:
• What behavior and conduct would the code of ethics cover?
• What values and principles would the code of ethics address?
• What agency or organization would govern and enforce the code of ethics?
• To whom would the code of ethics apply (e.g., just digital forensics practitioners or all individuals involved with digital evidence)?
Despite these questions, it might be fair to say that, from the code of ethics illustrated in the section above, there are key values and principles to which digital forensics practitioners must ensure their behavior and conduct adheres. That said, digital forensics is a profession and as such should follow a similar minimum level of values and principles as required for professional ethics, which is discussed in the section above.
On this basis, the subject matters to follow should be consistently applied, at all times, by digital forensics practitioners as fundamental values and principles of ethical behavior and conduct.
One of the main goals when performing an investigation is to establish factual conclusions based on credible evidence. As part of an investigation, there could arise times when the subject is known to or familiar with the practitioner. It is the responsibility of the practitioner to maintain the utmost fairness during an investigation to draw conclusions based on factual and credible evidence. This means that practitioners should avoid any action that would appear to be a conflict of interest and otherwise create potential bias in establishing their evidentiary conclusions.
Investigations are not “witch hunts” and should be conducted using the utmost fairness and obligation to report factual conclusions based on credible evidence. While analyzing evidence, practitioners may encounter specific findings that need to be assessed further before factual conclusions can be drawn, such as paying special attention to inculpatory (indication of guilt) or exculpatory (indication of innocence) evidence. It is crucial that practitioners take into consideration the totality of all evidence gathered during an investigation before arriving at factual conclusions.
The work of a digital forensics practitioner comes with a high level of trust. From time to time, they can come across extremely sensitive and confidential information that needs to be kept confidential and communicated on a need to know basis. When these types of information are discovered, human nature tends to kick in and the desire to disclose details of these occurrences comes about. As a digital forensics practitioner, it is required that evidence not be disclosed or revealed without proper authorization (e.g., court order).
Due Diligence and Duty of Care
Legal admissibility of evidence requires practitioners to follow a consistent investigative process model that respects the digital forensics best practices of well-established principles, methodologies, and techniques. Informed decision making during an investigation must be carried out in accordance with applicable laws, standards, and regulations to avoid potential negative consequences. With this in mind, digital forensics professionals must consistently demonstrate their behavior and conduct is honest, prudent, and in compliance with laws and professional norms.
Certifications and Accreditations
Internationally, there are many professional organizations that have established certifications and accreditations specific to the digital forensics profession. Predominantly, these certifications are provided by professional organizations with an industry-wide perspective on the digital forensics profession; however, there are a small number of certifications provided by merchants who sell digital forensics products and services.
It is important to keep in mind that while professional certification provides the assurance that an individual meets the required level of knowledge in digital forensics, these accreditations do not provide the in-depth level of education that formal academic programs teach. Refer to Appendix B, “Education and Professional Certifications,” for a list of digital forensics certifications.
Ethical values and principles are a useful way for sorting out what is considered good and bad behavior or conduct. While there is no code of ethics that universally applies to the digital forensics profession, the morals originating from the combination of personal, professional, computer, and business values and principles can be leveraged to establish a code of ethics to adhere by.