Computer Forensics Ethics, Inculpatory & Exculpatory Evidence

Friday, May 1st, 2009

I’ve been wanting to do a post on ethics since I started the blog, but my spare time has been somewhat overrun with the recent rush of licensing issues. A recent article from John J Barbara of FDLE over at DFI News addressed the issue of Ethics in Computer Forensics, and in particular, the ethical requirement for a Forensic Computer Examiner to search for exculpatory evidence as well as inculpatory evidence.

For those new to evidence in general, inculpatory evidence is that which supports a charge or accusation of wrongdoing, whilst exculpatory evidence is that which would cast doubt or prove innocence. In the computer forensic world, perhaps the best known example of exculpatory evidence is a virus which downloads content, or a rootkit allowing surreptitious access by a third party to a computer. Although it is rare to find these in an examination, it’s well within the realms of possibility, and so must be ruled out before the examination is complete. EDIT: I meant to say that it must be ruled out in certain cases where it is applicable, for example, those cases where possession or distribution is an element of the crime.

Barbara refers to the Code of Ethics of the California Association of Criminalists; however, there are more widely accepted ethics statements in the computer forensics community. One of the first is from IACIS (of which I am a member) and is displayed on their site at

The portion covering impartiality is fully 2/3 of the code:

- Maintain the highest level of objectivity in all forensic examinations and accurately present the facts involved.
- Thoroughly examine and analyze the evidence in a case.
- Conduct examinations based upon established, validated principles.
- Render opinions having a basis that is demonstratively reasonable.
- Not withhold any findings, whether inculpatory or exculpatory, that would cause the facts of a case to be misrepresented or distorted.

One of the issues that Barbara raises is the impartiality of examiners who also happen to be investigators. Computer Forensics is still an evolving discipline in the law enforcement world, despite having been around in some sense for over 20 years. In the USA in particular, because of the prevalence of local law enforcement – vs countries such as Australia where local law enforcement responsibility is vested in the states – many agencies don’t have a dedicated computer forensic analyst who solely performs examinations. Most local police examiners are investigators who also conduct examinations, and often conduct exams in support of their own cases.

This potential dual-role aspect is why it is so important for examiners to follow the code of ethics. When a detective is pursuing a suspect, they tend to focus their energy on finding the evidence of guilt. Many people may have heard of the 48 hour rule. Basically, if you don’t catch your perp in the first 48 hours after a crime, your odds of success drop dramatically. Forensic examinations, however, take time. Pressure to achieve results in a given time period can result in missed evidence. I have personally experienced pressure from investigators to only search for inculpatory evidence and leave it at that.

I have more than once refused to produce final results without a search for exculpatory evidence. (I have, however, given progress reports in time-sensitive cases before completing the case.) Why? Notwithstanding the importance of being ethical, and the ethics requiring your impartiality and completeness: if you miss something on a case, you shoot your credibility in the foot.

The computer forensic community is still relatively small; we all know people who know people. If you make a mistake on an examination, or give bogus evidence in court, someone will make a note of it. It’s commonplace to request background info on your opposition examiner from your colleagues in the field. Your mistakes will come back to haunt you and potentially end your career. An examiner is only as good as their reputation.

Although I may work for one side in a case, I remain at all times impartial with regard to my evidence. I have told detectives that there is evidence of innocence or a lack of evidence, and (in other cases) I have told defendants that there is evidence of guilt. This is what the ethics require.