December 17, 2015
Neutrality in Digital Forensics
Let’s be honest, everyone has biases about many things in life. Whether you have a bias against people’s behavior during a full moon or a bias for or against the police in an investigation, biases come in all shapes, sizes and varieties. Some are politically motivated, some are based on upbringing, some are rooted in personal experience and some are just ill-conceived notions of behavior or situations based upon a minimal representative sampling. Regardless of the origin of personal bias, let us also be clear that it has no place in digital forensics. Period.
Neutrality in Practice
Neutrality is defined as “the state of being unaligned with or supporting any side or position in a controversy.” The “controversy” we would generally be referring to in digital forensics is the legal case or dispute in which we are analyzing digital evidence to prove or disprove a theory. That is an important distinction for neutrality in itself: to prove or disprove the theory. You see, when a claim is made, whether it be by the government, another party involved in a divorce or a corporation, the heart of the forensic methodology is to prove whether or not that claim is valid through analysis of evidence. Unfortunately, my experience (and perhaps my own bias) is that this doesn’t always happen.
For example, an analysis by the government showing the existence of illicit images on a computer hard drive is in and of itself potential evidence of a crime. However, some examiners may stop at simply finding and reporting. But there is often much more to the story. Where did the images come from? How did they get there? Who downloaded or transferred them? Is the prime suspect the only one who had access to the computer? What is the overall number of other images (i.e., legal adult images) that exist in relation to the illicit images? All of these things have the potential to be mitigating and/or exculpatory factors.
I’ve had this discussion with my colleagues in law enforcement multiple times. The argument on their side always is that the pictures are there, so the suspect is guilty. My argument is that if you don’t do a thorough enough forensic examination, you could be missing key pieces of evidence that could prove that they are in fact not guilty, which is also your responsibility as a public servant operating under good ethical principles. I have worked these cases from both “sides” and I can say that I did not appreciate this until I left government work. I will also say that the evidence and analysis much of the time shows that the suspect was, in fact, guilty. But that doesn’t mean that we should assume they are always guilty and start cutting corners. That’s a slippery slope from which we will all have trouble recovering.
Neutrality is key in these examinations, but I also understand it’s difficult. As a law enforcement investigator, I was once charged with writing a search warrant for electronic evidence and conducting a forensic examination based upon very anecdotal information, only some of which could be substantiated. My supervisors were convinced that the suspect was guilty and I did my due diligence on the case, ensuring that I was thorough and remained neutral. In the end, I found no evidence of their guilt. Absolutely none. My supervisors were incredulous. Did I do something wrong? Not at all. I did my job the way it should be done, but unfortunately may not be all the time by everyone. I remained neutral and with an open mind. Was this a waste of time and resources? I’ll let you decide that for yourself.
Neutrality is just as important in non-criminal cases. Think about how much raw emotion encircles a divorce, especially if there are children involved, yet we must remain neutral. After all, it could be the utter lack of evidence in an infidelity claim that turns the tide and keeps that family together in the end! In corporate IP theft or fraud cases, someone’s job, livelihood or reputation is on the line. The ability to examine the evidence presented with a neutral mindset could make the difference between condemnation and vindication. So as you can see, neutrality is important to everyone in all cases, regardless of the dispute.
You Found Nothing, Now What?
Whenever we are able to prove the claim through digital forensic analysis, the client (for lack of a better term) is generally quite happy. However, more than once, I have conducted thorough, thoughtful digital forensic examinations and reported back to the client and/or attorney that I’ve found little or no evidence that supports their claim. To say that the party on the receiving end of these reports is usually quite surprised would be an understatement. So now that you didn’t find anything, what are they supposed to do? There are always alternatives.
First, is there more evidence to examine? If they are convinced that the suspected activity is ongoing, there may be evidence elsewhere that is not readily apparent and that has not been presented for analysis. Second, what other corresponding activity is taking place to support the claim and is there an alternative way to get the evidence? Clichés are cliché for a reason, and there’s usually more than one way to skin a cat. Finally, if all other avenues have been explored, it may be time to have a very honest conversation about the possibility that the suspected activity is not actually occurring. This naturally takes more people skills and fewer technical skills.
Cannot Be Understated
Neutrality as a standard practice and mindset in digital forensic examinations cannot be understated. I understand the human element, especially in government sectors. If you see evidentiary guilt over and over again, it’s human nature to fall into a pattern of pushing the digital forensic “easy button” and not looking at the big picture. But if you do, you are ultimately devaluing your work, your service to the public and your reputation as a forensic examiner.
In some ways, being a private-sector consultant combats this naturally. Every new client and every new case is a fresh start. We don’t assume anything, we don’t rush to judgement, we simply let the evidence point us to the facts, which most often leads all parties in the case to the truth. There’s no denying that we set out in every case to make our clients happy, but not at the expense of neutrality or credibility. Simply put, it’s not worth money to sacrifice ethics.
Author:
Patrick J. Siewert, SCERS, BCERT, LCE
Principal Consultant
Professional Digital Forensic Consulting, LLC
(Virginia DCJS #11-14869)
Based in Richmond, Virginia
Available Globally
We Find the Truth for a Living!
About the Author:
Patrick Siewert is the Principal Consultant of Pro Digital Forensic Consulting, based in Richmond, Virginia. In 15 years of law enforcement, he investigated hundreds of high-tech crimes, incorporating digital forensics into the investigations, and was responsible for investigating some of the highest jury and plea bargain child exploitation cases in Virginia court history. A graduate of SCERS, BCERT, the Reid School of Interview & Interrogation and various online investigation schools (among others), Siewert continues to hone his digital forensic expertise in the private sector while growing his consulting & investigation business marketed toward litigators, professional investigators and corporations.