DFIRforGood Is A Great Start: Let’s Use It To Ask Tougher Questions

In recent weeks the DFIR community has increasingly begun to speak out under the hashtag #DFIRforGood following conference presentations by leaders in digital forensics and information security.

In a keynote delivered at the SANS DFIR Summit in July 2020, Matt Mitchell, a hacker, security researcher, and Tech Fellow to the BUILD Program at the Ford Foundation, called for digital forensics practitioners to step forward and apply their skills to working in service of civil society, creating what he called “connective tissue that allows us to rise up together.”

Later that same conference, Lee Whitfield, Senior Technical Adviser at the SANS Institute, echoed Mitchell in his talk, “Just Forensics, Mercifully”. He asked: “What happens when we see injustice that intersects with our own chosen field? Whose responsibility is it to stand up and help?”

The concept: for individual practitioners to use their considerable skills in service of people who typically can’t afford to hire them — especially at a time when digital forensics, in contrast to many other services, is in high demand.

Even before #DFIRforGood, grassroots initiatives had begun to sprout. #SharetheMicinCyber, for instance, encouraged influential white voices in cybersecurity to amplify the voices of Black* colleagues and people of color in the community. This effort followed weeks of protests in response to the death of George Floyd, a Black man, at the hands of white police officers, as well as years of protesting similar incidents.

Central to so much of the media footage surrounding both Floyd’s death and the protests is the question: “What is the truth?” Indeed, speaking about the way American press interpreted the 1983 US invasion of his home country, Granada, Mitchell observed that hearing different messages from close contacts versus news media — relative to the invasion’s impact on the local civilian population — could affect how people view truth.

He then spoke about “forensically verifiable truth that data leads us to.” Underlying both his and Whitfield’s messages was the suggestion that digital forensics is a profession at a unique crossroads in society. Not only is this about the effort to bring more rigorous scientific methodology to digital forensics. It’s also about the technologies the methodology relies upon.

DFIR vendors are at a unique crossroads at this point in world history. On the one hand, their technology is used to investigate and prosecute a great number of criminals capable of some of the worst of crimes, particularly child exploitation.

On the other hand, the technology can cast a much wider net in the effort to identify both perpetrators and victims of crimes — and the definition of “crime” itself is subjective. Just as one country’s freedom fighter is another’s terrorist, one person’s protestor exercising their freedom of speech is another person’s rioter making a threat.

Vendors throwing their considerable resources behind #DFIRforGood, then, have a different responsibility than do individual employees. It’s not only about ensuring employees have the time and resources to volunteer their knowledge, or ensuring tools are equally accessible to examiners working on behalf of defense and prosecution.

It’s also about taking a measured approach to product, marketing, and sales strategy and development:

  • Understand shifting geopolitical trends that might mean a government buyer for even an “ally” may have less than pure motivations for the tools they’re using.
  • Recognize technology’s role as both a beneficiary and a driver of inequities, and work towards more transparency to customers and the public at large.

Geopolitical trends

The past decade has seen numerous shifts in power from pluralist to populist governments. These shifts reflect a generally more fearful world population, as the effects of climate change, terrorism and war, the COVID-19 pandemic, and technological advances have introduced significant uncertainty to human lives.

Refugees from war-torn countries and climate-change-driven natural disasters have resulted in mass relocation and population imbalances in countries that receive them. Many countries’ residents have met the newcomers with fears and resentment around the refugees’ use of public services. The response has been to elect leadership that promises draconian policies in response.

These power shifts have changed the nature of allyship, which was never as cut and dried as history books positioned it. Countries’ alignments, like coalition governments, tend to gloss over “lesser” problematic aspects in favor of bigger-picture strategy around resources or geographic location. This was the case even in World War Two’s Allied vs. Axis powers, and later Cold War alliances. 

In the present day, populist governments in Hungary and Turkey threaten to undermine the European Union from within. Meanwhile, a grouping of what author Cristóbal Rovira Kaltwasser termed “competitive authoritarian leaders” around the world lead countries in which “elections take place, but where serious democratic abuses against those who oppose populism are carried out.”

Traditionally vendors evaluate prospective government and private buyers based on the existence of legal procedures and methodologies guiding the buyers’ usage. This criterion, however, conflates “legal” with “democratic.” When “legal” is also malleable depending on who is in charge, abuses are easier to justify in terms of the collective will of fearful populations.

At that point, it’s only easy to refuse to sell in countries known for human rights abuses when those countries represent a tiny minority of both global significance and profit. Larger governments with a heftier market share are harder to deny.

Of course, government agencies with deeper pockets have more resources to fight societal scourges like child exploitation and human trafficking. The problem, again, is what else they define as “scourges.” Policies can purport to address terrorism or human trafficking, but really result in adverse childhood experiences — say, homelessness tied to mass pandemic-related eviction, or refusal to deal with climate refugees, or separating parents and children at borders. These experiences substantially increase the risk of child abuse and exploitation, both immediately and far into the future.

Better vendor self-awareness recognizes that a government that ensures its own investigative agents’ job security is cynical at best. Rather than take advantage of short-term demand, good corporate citizenship recognizes its place in the context of its time. It considers its long-term implications not only for its own growth, but also for stakeholders — no matter where they exist in the world.

Technology’s role in inequities

#TechforGood has trended for some time, but the tech world’s attempts to solve some problems have resulted in what some call “technology solutionism” — a type of bias that suggests tech can fix everything, the assumption that as professor and author Ruha Benjamin is quoted as saying, “technology itself is a do-gooding field.”

Technology, however, is not neutral because the people who fund, build, and deploy it are not neutral. Perhaps the most notorious example of this is the finding that the algorithms underpinning facial recognition (a subset of artificial intelligence) are poor at identifying people of color.

These research outcomes were significant enough to lead Amazon, Microsoft, and IBM to put a hold on selling facial recognition technology to police. However, the research focused on deployment in public settings: on the street to identify suspects of crimes. In digital forensics — where the tools are purported to support impartial justice — the problem is compounded.

Consider child exploitation detection. These algorithms rely on a blend of age estimation and nudity detection. But the methods used to train the algorithms are highly opaque. Datasets are sanitized and hashed: because only certain organizations can legally “possess” the contraband images, there is no way to validate what they consisted of, or in other words, whether they include an appropriate demographic blend of ages and races, much less whether they are accurately estimating what they are supposed to.

Thus vendors can start by committing to exploring the ways in which tech isn’t neutral and owning their part in that, transparently.

One way to guard against misuse of software is for tech companies to be clearer upfront about how to use their tools. For example, many users may not understand the difference between a probabilistic algorithm and a deterministic one, much less at which stage to use them in the case-building process, or whether and how to proffer their evidence at trial.

The responsibilities don’t stop there. Another example is pandemic contact tracing. As it shifts from its previously human-driven, personal interaction form to one driven by mobile apps, it’s worth asking what might happen when these apps are applied by less than humane governments (and indeed, what we lose by “techifying” such a personal process).

Contact tracing is a small part of the overall role that digital forensics tool vendors may be playing in building what many refer to as a “surveillance state” as unprecedented quantities of data from a variety of data sources — soon to expand drastically as 5G gains a foothold — creates the kind of “intelligence” that can map virtually every aspect of an individual’s private life.

Without a better framework to effectively manage and think about “big digital evidence,” vendor features and marketing messages — not the courts — drive how data is used and what it all means, commoditizing people’s lives in terms of their intelligence value.

For example, in his keynote, Mitchell spoke about one of his first employment experiences: working on an employee monitoring team that tracked people who “never seemed to do anything wrong.”

He might have been speaking as much to vendor employees as to forensic examiners themselves when he spoke about adherence to the “idea that what we’re doing is for the best and good.” As numerous tech workers have demonstrated, that virtuous outlook can contrast sharply with the realities of office and world politics that make it hard for an individual to draw a moral line.

Towards a true #DFIRforGood movement

At the SANS DFIR Summit, Whitfield observed that the digital forensics field grows and evolves as examiners rely on one another to do work that ultimately benefits all. Likewise vendors, who incorporate digital forensics research into their products and rely heavily on users to tell them what features are needed. It’s a symbiotic relationship that excludes the true end users: the people whose lives and liberty rest on the forensic examiner’s ability to correctly interpret data and its patterns.

Mitchell’s call for “public interest technologists” — such as the researchers at Citizen Lab, who help to protect dissidents, journalists, and the networks that support them around the world — offers a path forward for vendors and third party “watchdog” organizations.

First, whether in-house or independently, digital forensics examiners are in an ideal position to scrutinize the ways in which investigative technology can be used for bad as well as for good, and to develop frameworks that hold vendors to a higher standard.

These frameworks can and should include public education that helps to demystify both the technologies and the ways in which they are used. One effort to watch in this regard is the National Institute of Standards and Technology (NIST)’s work to help develop trustworthy AI.

Perhaps most of all, however, digital forensics vendors have the opportunity to come together to take a stand not just for the good work their customers do to end child exploitation, but also against the way their customers’ policies diminish, ignore, or even create victims.

In other words, it isn’t possible to divest child exploitation, human trafficking, or terrorism from the factors — including racism — that drive and bundle them. Justice is intersectional as well as impartial. A robust #DFIRforGood movement will recognize this and take the steps it needs to ensure that true justice is served for all.

*This article adheres to guidance from the Associated Press on the capitalization of the word Black when referring to a person’s racial identity.

Christa Miller is a Content Manager at Forensic Focus. She specializes in writing about technology and criminal justice, with particular interest in issues related to digital evidence and cyber law.

2 thoughts on “DFIRforGood Is A Great Start: Let’s Use It To Ask Tougher Questions”

  1. “…especially at a time when digital forensics, in contrast to many other services, is in high demand.”

    I’m sorry, but I have to disagree, particularly given the article to which the above comment was linked; that is, an increase in cybercrime reports to IC3 does not mean that digital forensics “is in high demand”. Reporting a crime does not directly entail that someone is demanding forensic services. As a consultant for 20+ yrs, I rarely saw customers who were interested in forensic services…most have been interested in “incident response” as a means of business continuity, not finding out what actually happened and “fixing” anything.

    “…hold vendors to a higher standard.”

    Vendors aren’t going to listen to a few outside voices, and employees are likely going to be reticent to make any vocal statements for fear of loosing employment. Yes, some have…but those instances have been few and far between.

    Overall, this article doesn’t seem very clear. It starts out with:

    “The concept: for individual practitioners to use their considerable skills in service of people who typically can’t afford to hire them …”

    …and ends with:

    “Perhaps most of all, however, digital forensics vendors have the opportunity to come together to take a stand not just for the good work their customers do to end child exploitation.”

    Okay, I fully agree with the second statement, but I don’t see how the first relates to it, and I don’t see how everything between the two statements ties them together.

  2. Something else to keep in mind…

    There has been an increase in ransomware attacks during the pandemic, as well. A great many of these attacks are against organizations that have cyberinsurance, but the need for digital forensic analysis does NOT come from the impacted organization; rather, it comes from the breach coaches who assist the impacted organizations.

    As such, there is a lot of work that is available, and DFIR consulting firms are taking steps such as reducing the cost-per-engagement to the breach coaches to ensure that they continue to receive the work. This means that those consulting organizations then have to either give the actual work to the lowest-hourly-wage staff, or offshore the work all together. If they succeed in getting more work using this strategy, they’re able to make up the revenue in volume.

    However, there are no checks in place to ensure the quality of the work. The impacted organizations aren’t interested…they didn’t want the forensics to begin with, and the only reason it was done was because it was part of the policy. The breach coaches are attorneys, and don’t have the skills, nor the time, to discern quality work.

    Perhaps within the realm of child exploitation cases, digital forensics is “in high demand”. I cannot say. I’ve offered my services to law enforcement, for free, for over 20 years…but not being “in the club”, none have taken me up on it. However, for the rest of what’s going on out there, there’s little interest in digital forensic analysis services.

Leave a Comment