Publication: an ethical dilemma for digital forensics research?

First published June 2010

by Dr Chris Hargreaves, lecturer at the Centre for Forensic Computing at Cranfield University in Shrivenham, UK

Ethical issues in science are commonplace; examples such as cloning, climate change and genetic engineering are all subject to different ethical debates. Some subjects have clearly defined areas of potential ethical problems, for example in Psychology much consideration is given to the welfare of human participants involved in any experiments conducted. This would involve the consideration of concerns such as participants’ confidentiality, privacy, consent, right to withdraw etc. However, the welfare of human participants in experiments is not the only form of ethical debate and in some research areas there are other particular issues, such as animal rights, or indeed whether a particular technology should be researched at all. This article is not an attempt to identify all the potential ethical issues that digital forensics research could be subject to, but instead highlights a particular issue — the potential impact of making the results of some digital forensics research publicly available.To take a simple (and fictitious) example in the case of research into ‘evidence removal’ tools, imagine research into a product which revealed that while the software removed evidence from several locations on the disk, there were also several other locations where evidence was not erased and could therefore be recovered. From a forensic point of view these are very interesting findings and it would be beneficial to share these results so that when the use of this particular product is encountered in an investigation, evidence could be more easily recovered. However, the publication of these results also has adverse consequences. Firstly, users of that software who run it in an attempt to hide evidence of unlawful activity may then decide to switch to a more effective product that does erase the data areas in question. Secondly, the developer of the software may decide to take the published research and use it to develop updates that fix the problem so that the software now erases the locations in question. In both of these cases, the publication of the results could mean that in future, an analyst may be deprived of useful evidence.

If the research described in this example was carried out purely from a computer security perspective then there is precedence in how to address these issues. In vulnerability research, (e.g. a problem is discovered in a browser that could allow an attacker to access personal data) a common practice is to publish the results but to give the software company advance notice so they have time to fix the vulnerability prior to the results being made public. The difference in the case of digital forensics research is the clear benefit offered to investigations into unlawful activity by preventing the results from being made public.

The best course of action regarding publication is even less clear if we take into account users who are not covering evidence of unlawful activity, but are using the ‘evidence removal’ software to erase their personal information prior to selling a piece of old equipment. In the earlier example, in the course of conducting digital forensics research a problem was discovered with a piece of software potentially used by law abiding citizens to protect their privacy and their personal data. Publishing the results of the research may highlight the limitations and may help them protect their privacy. Is withholding this information from the public in order to prevent the covering up of unlawful activity acting in the best interests of society? Perhaps the paraphrasing of Asimov’s laws of robotics used in Wright (2006) is appropriate here: “A computer scientist may not injure humanity, or, through in-action, allow humanity to come to harm”?


Get The Latest DFIR News

Join the Forensic Focus newsletter for the best DFIR articles in your inbox every month.

Unsubscribe any time. We respect your privacy - read our privacy policy.


Furthermore, publications are an essential part of the research process. The publication and peer review of results ensures that subject knowledge expands, that existing knowledge is preserved, and that obtained data and theories are correct. It also prevents the same research being carried out multiple times by different people. There is a question over whether this field can afford such duplication of effort.

Discussion of issues such as these always seems to raise more questions than it answers. Perhaps that is the point, and that discussing this issue may help to provide some answers as to a best practice or guidelines regarding the publication or dissemination of the results of digital forensics research.

References

Wright, D.R. (2006), Research Ethics and Computer Science: An Unconsummated Marriage. ACM Special Interest Group for Design of Communication.

Click here to discuss this article.

Read Chris’s previous columns

Chris Hargreaves is a lecturer at the Centre for Forensic Computing at Cranfield University in Shrivenham, UK. Chris is involved to some extent in all of the Centre’s core activities: Education, Research and Consultancy. Chris’s main focus is research (publication list available here), but he also teaches on several of the modules within Cranfield’s MSc programme including Advanced Forensics, the newly revamped Programming for Practitioners, and also some of the new courses planned for next year. Before taking on a lecturing position, Chris obtained his PhD at Cranfield on the topic of “Assessing the Reliability of Digital Evidence from Live Investigations involving Encryption”.

Leave a Comment