February 13, 2015
As you may or may not be aware, I recently posted another
article about the use of the iP Box (and similar devices) in digital forensics
when attempting to hack into evidentiary devices. If you haven’t read it, I would encourage you
to check it out here before reading this article further: http://prodigital4n6.blogspot.com/2015/01/read-this-before-you-use-ip-box.html
I received a number of different responses to this
article. Some were very positive and
complimentary of my conclusions. Others were very critical. And while I can take criticism, it crosses
the boundaries of decency to essentially call me incompetent, untrained, pro-
or anti- *insert opposing party here* or otherwise ignorant of the facts. This brought to mind a much bigger threat to
the field of forensics, ego. For the
purposes of this discussion, two of the several definitions of ego would be
appropriate. They include:
1)
conceit; self-importance
2)
the part of the psychic apparatus that
experiences and reacts to the outside world and thus mediates between the
primitive drives of the id and the demands of the social and physical
environment.
The two definitions are certainly not mutually exclusive and,
as the author of this article, I don’t want to tell you which one is most
appropriate, so I’ll just let you keep reading and see if you can figure out
which is.
Background
One of the places I posted my past article was on a list
serve dominated by forensic examiners and other practitioners in law
enforcement. Throughout the years, I’ve
trained some of the most ego-driven law enforcement officers in the field
dozens of times – the tactical officer – and I can say with certainty that,
having been involved in both the tactical and technical worlds of law
enforcement, the technical side is generally far less ego-driven than the
tactical side. However, there are the
rare occasions when the two subsets are present in the same person, as is the
case with yours truly.
Whenever I train tactical officers, patrol officers and/or
very young & eager officers, I ask in the first hour of the course, what is
the one thing that will get in the way of you learning anything during this
training? (hint: it’s a three-letter word& we all have one). Most don’t get it. I’ve found the ones that do either have been
through the course(s) previously or are older, more seasoned officers. But after I tell them that ego is the thing
that will stand in their way, I also ask them to lock their ego in the trunk of
their car at the first break for the duration of the training and to be
receptive, engaged and cooperative. You
see, not only can you not learn as much if your personal beliefs about what you
already know and have experienced are always on your mind, but you may actually
rebel against any new, unconventional ideas that may be presented during your
training based upon what you believe to be true, better, etc. It’s the training equivalent of “can’t teach
an old dog new tricks”.
As a trainer, it’s even more important for me to put my ego
in check because if someone in the class who may be more experienced presents
another point-of-view, then I have to realize that bit of information may be
very helpful to the rest of the class, despite the curriculum I know quite well
and have studied, honed, etc. It’s a
challenge to remind one’s self to put your ego in check every time you step in
front of a new group to teach tried & true tactics, principles, concepts,
etc.
Forensics vs. Ego
So why exactly do I propose that ego and forensics have no
place together? Because at the heart of
forensics is the truth. Let us not
forget that across the forensic science spectrum, the goal is to prove or
disprove a hypothesis of a case. We
go where the facts steer us. We don’t
let emotion, ancillary facts, opinions about policies of a particular service
provider, a left turn in an investigation or an article by a measly blogger
deter us from seeking the truth. The
problem is, I’m not sure all forensicators keep this firmly and foremost in
their minds when performing their jobs and this is somewhat supported by some
of the responses I received to the above-referenced article.
Digital and crime scene (physical) forensic professionals
are investigators at heart. They take
pieces of a factual puzzle and put them together to get a clearer picture of
what went on at the crime scene, on the computer/device, etc. Unfortunately, my experience suggests there
are a lot of both forensic and non-forensic investigators who catch a case and
almost immediately develop a theory of that case. They then work to prove their
theory instead of working to see where the facts may lead them. This isn’t investigation, its ego-driven
patty-cake. It’s a phenomenon where
people who are supposed to be professionals are proving themselves right to
make themselves feel better. It’s lazy
and ultimately not in the interest of justice.
Do they get it right sometimes?
Sure! But the scarier thought is,
how many times do they get it wrong and we don’t know about it?
Forensic examiners are, unfortunately, no different. We all have egos, me included. We all have life experiences and opinions
(like this article) and practical expertise to draw upon. No one is proposing that we shouldn’t use
those things to help make us better examiners and investigators and instead
choose to operate in a vacuum. But when
the past experience and personal beliefs start to border on potential tainting
or destruction of evidence to help prove our case, then we’re done-for. It’s only going to take one sloppy,
ego-driven examiner wiping crucial data off of a device in a careless attempt
to access the data before the whole house of cards comes crumbling down. I certainly don’t want to see that happen to
anyone on any “side” of any case.
Wrapping it Up
The bottom line is, when we talk about forensics, we’re
talking about facts leading to truth --
Raw data that leads us to an investigative conclusion, NOT an
investigative conclusion that happens to be supported by some data. Digital forensics has the potential in any
case to make a huge impact and be the most cut-and-dried forensic evidence you
can get your hands upon. It’s certainly
more “reliable” than other, more subjective evidence areas like forensic
psychology or forensic interviewing. But
if we don’t respect the impact our practices, procedures, findings and
expertise have on even the smallest case, we start to take for granted the
opportunity we’ve been given to work in this field. And that will damage the integrity of the
practice as a whole.
No one wants more child victims. No one wants to see a murder or rapist back
on the street two months after having committed the crime (yes, defense
attorneys included). So let’s all make
the personal choice now, if you haven’t already, to adhere to the best
practices of handling evidence, data preservation, complete data analysis and
transparency in procedure and reporting.
Put your ego in the trunk of your car whenever you conduct a forensic
examination. Go where the facts lead you
and look at the whole picture. If the
data is there, we’ll find it and report it.
If the larger picture surrounding the data is relevant, we will report
that too. One-sided and ego-driven work
often leads to bad discovery later down the road and law enforcement and
private practitioners alike value their professional integrity too much to want
to make that an issue.
In the end, ask yourself, why do anything that might put your
professional integrity in jeopardy?
Author:
Patrick J. Siewert, SCERS, BCERT, LCE
Owner, Lead Forensic Examiner
Professional Digital Forensic Consulting, LLC
Based in Richmond, Virginia
Available Globally
Twitter: @prodigital4n6 Google Plus: +ProdigitalConsulting
