When you select a computer forensics firm, you are really selecting a trusted partner. Therefore, the firm you select should place a premium on ethics as well as technical expertise. Your computer forensics firm should work hard to extract and deliver only value-laden information.
A thorough computer forensics examiner will scour data looking for anomalies and patterns that signal something is amiss. For example:
- The file size doesn’t seem right for a Microsoft Word file
- Data was moved to the cloud or other devices
- Certain websites have been visited repeatedly over a date range
Patterns and anomalies such as these are signs for an examiner to dig deeper into the metadata. By the time an investigation is complete, an examiner will have gone through all the data on the computer. This includes everything from reports and documents to system files that regular users may not even know exist. Even files that the user deleted may be available to the investigator. An examiner looks at all available data to determine what is useful within the scope of the investigation and discards what is irrelevant. When a computer’s hard drive has over 1,000,000 files, being able to determine what is relevant and useful is very important!
With so much data available, examiners must isolate only what is relevant to the investigation. This includes protecting any private or personal information. Although the trade associations that certify and verify the expertise of examiners do recognize an ethical imperative, it may surprise the reader to know that there is no enforceable code of ethical conduct for digital forensic examiners as there is for lawyers or health care professionals.
When law firms or insurance companies contract digital forensic examiners, they hold them to confidentiality terms spelled out contractually. They require examiners to conduct investigations according to protocols that narrowly define the scope of the investigation. While terms that define negligence and malfeasance have a broad legal meaning, they are not underpinned by specific standards that govern the ethical conduct of the professional community. Associations like the International Society of Forensic Computer Examiners (ISFCE) train, test, and certify experts in the use of state-of-the-art software tools and scientific processes, but have not codified malpractice in the field. There is no governing body with the power to investigate or discipline unethical examiners, as there is in medical or legal licensing. Until there is a rigorous and formal review process for computer forensics firms, consumers
How to Identify a Trusted Partner
Because digital forensics is still a field in its infancy, it is up to the consumer to find a firm that provides a balance of ethical behavior and technical expertise. Firms that act according to a high ethical standard can easily demonstrate it because they:
- Have processes for securing evidence and information for the duration of the investigation
- Exercise diligence in enforcing a code of confidentiality among all examiners in the firm
- Apply protocols in the examination process that will narrow the scope of an investigation to only that which is relevant
- Have procedures for correcting errors made in the investigation due to either a failed process or an equipment failure
- Possess wide-ranging experience with sensitive matters and information, and long relationships with clients in legal practices and corporations