Computer Forensics: Legal and Ethical Principles

September 30, 2017 by Fakhar Imam

Ethics comprises a set of rules to measure the performance of computer forensics examiners. Various professions term such ethics as “codes of professional conduct or responsibility.” It is imperative for every computer forensics examiner to maintain the highest level of ethical behavior when conducting investigations, preparing reports and giving testimony.

Forensics Analyst’s Roles in Testifying

When the case proceeds to trial, the forensics analyst can play either of two roles to give testimony, “expert witness” or “technical/scientific witness.” The expert witness has an opinion about what he/she has observed or found. These opinions are formed from deductive reasoning and experience based on facts found during an examination. As a matter of fact, one can be an expert witness on the basis of one’s opinion. However, a technical/scientific witness provides only the facts he/she has found in the examination—any evidence that meets the standard. In this type of proof, the court also wants to know how evidence was obtained.

The examiner is advised to prepare thoroughly for either type of testimony in a computer forensics case. The expert witness must control his/her biases or prejudices, not allow them to control him/her. The expert witness can use ethics as a tool to identify and control his/her biases.

Expert witnesses participate in more than 80 percent of trials involving computer forensics. Courts acknowledge the vital importance of expert witnesses and are concerned about their ethics and challenges. The court stated these challenges in the case Kenneth C. v. Delonda, 2006: “…the subject of expert witness’ professionalism and ethics is substantially undeveloped and there are not many definitive statements about their ethical and legal obligations…”

Although there is no universal standard for computer forensics, efforts have been made to provide legal and ethical principles to computer forensics analysts.

The U.S. Department of Justice, due to the dramatic increase in computer-related crimes, provides systematic guidance that can assist forensic examiners in collecting electronic evidence in criminal investigations. There are two primary sources of these laws governing electronic evidence, the Fourth Amendment to the United States Constitution and the Statutory Privacy Laws.

The core principles of the U.S. Department of Justice regarding computer forensics include:

  • The Fourth Amendment puts restrictions on the warrantless seizure and search of computers.
  • The Protection Act, 42 U.S.C. 2000aa, imposes limitations on the use of search warrants to examine computers.
  • The Stored Communications Act, 18 U.S.C. 2701-12, governs how examiners can acquire contents and account records from network service providers, including ISPs, mobile device service providers, and telephone companies.
  • The U.S. Attorney’s Office appoints at least one assistant U.S. attorney who acts as the computer hacking and intellectual property (CHIP) specialist, and these specialists receive proper training in computer-related crimes and investigations.
  • The Office of International Affairs provides training in computer crime examinations that raise international disputes.
  • The Office of Enforcement Operations provides expertise in wiretapping laws.
  • The Child Exploitation and Obscenity Section spells out laws about computer-related crimes involving child pornography.

In the United States, there is another ethical guide that includes some provisions regarding computer-related investigations, such as expert witnesses, opinions, and expert testimony: the Federal Rules of Evidence (FRE). Article VII of the FRE outlines six rules specifically pertaining to opinions and expert testimony:

  1. Rule 701: Opinion Testimony by Lay Witnesses
  2. Rule 702: Testimony by Expert Witnesses
  3. Rule 703: Bases of an Expert’s Opinion Testimony
  4. Rule 704: Opinion on an Ultimate Issue
  5. Rule 705: Revealing the Facts Underlying an Expert’s Opinion
  6. Rule 706: Court-Appointed Expert Witnesses

Moreover, the FBI Computer Analysis and Response Team (CART) was constituted in 1984 to deal with the increase in cases involving digital evidence. For research and training, the CART works with the Department of Defense Computer Forensics Laboratory (DCFL).

The International Organization for Standardization (ISO) sets standards (not universal); ISO 27037, for digital forensics, was ratified in 2012.

In the United States, the Computer Fraud and Abuse Act was enacted in 1986 to help examiners conduct effective investigations.

Since there is no universally accepted standard for computer forensics, the concerned organizations have developed their own codes of ethics to maintain reliability among their members.

Organizations with Codes of Ethics

No single organization offers a definitive code of ethics for forensics examiners. To form their ethical standards, the organizations look at the standards of other organizations. The ethical guidelines of organizations can have a great impact on an expert’s testimony.

International Society of Forensic Computer Examiners (ISFCE)

The ISFCE’s professional responsibility and code of ethics provides its members solid guidelines on how they should perform their duties as computer forensics analysts. As responsible investigators, computer forensics analysts must adhere to the guidelines that include particular instructions on how they should maintain their professional standing. The instructions in ISFCE’s code of ethics include:

  • In all forensic examinations, the investigator should maintain the greatest objectivity and present accurate findings.
  • All matters should be testified to truthfully before the court.
  • The examiner shouldn’t take any action that would appear to be a conflict of interest later on.
  • Examinations must be based on well-established and validated principles.
  • The examiner is forbidden to reveal any confidential information without the client’s permission or a court order.
  • The investigator is not allowed to misrepresent credentials or associated memberships.

In addition, ISFCE encourages members to report violations by other members. ISFCE also offers a certified computer examiner (CCE) certification. Those who are CCE-certified must comply with the ISFCE’s ethical principles.

High Technology Crime Investigation Association (HTCIA)

For its members, the HTCIA provides ethical standards, namely, its “Code of Ethics of Professional Standards Conduct.” The HTCIA’s core principles related to testifying include:

  • HTCIA members use specialized techniques and advanced technologies to uncover the “truth” so as to avoid wrongful conviction.
  • The HTCIA values its members’ integrity and the truth they reveal through computer forensics best practices, involving effective techniques used to collect digital evidence.

International Association of Computer Investigative Specialists (IACIS)

The IACIS provides a clear guide for ethical behavior of computer forensics investigators. In fact, these guidelines follow the principles defined by other professional organizations. The guidelines for IACIS’s members that apply to testifying include:

  • Members should maintain the utmost objectivity in all forensics investigations and present the facts accurately.
  • The evidence should be examined and analyzed thoroughly.
  • Only unbiased opinions should be given.
  • Members must not conceal any findings that would cause the facts of a case to be distorted or misrepresented.

American Bar Association (ABA)

In computer forensics cases, the attorneys hire the forensic examiners. Therefore, the forensic examiners must be aware of the attorneys’ basic rules of professional conduct. Although the ABA is not a licensing body, it provides the basis of the codes of state licensing bodies. The United States consists of 50 states, and each state is responsible for licensing its attorneys. The ABA has two relevant documents:

  1. The Model Code of Professional Responsibility
  2. The Model Rules of Professional Conduct

The ABA’s codes are pretty lengthy, so only the relevant sections are discussed here.

Both the Model Code and the Model Rules apply restraints to the fees that experts can receive for rendering services to the attorneys.

  • The Model Code disallows contingency fees to experts. Instead, they may receive only a reasonable payment for the professional services they render. Provision EC 7-28 in the Model Code bans contingency fees.
  • Provision 3.4 in the Model Rules states that the expert can receive fees for preparation and testimony in court, unlike other witnesses who can be reimbursed only for their expenses.
  • Provision 3.4 also prevents an attorney from falsifying evidence.

Unlike the attorney, the expert witness shouldn’t be loyal to his/her client. The expert must not become the client’s advocate and must remain independent. The expert must offer an accurate and unbiased opinion on the relevant issue instead of trying to influence the jury towards a particular point of view.

Fakhar Imam

Fakhar Imam is a professional writer with a Master of Science in Information Technology (MIT). To date, he has produced articles on a variety of topics, including computer forensics, CISSP, and various other IT-related tasks.