Thursday, June 17, 2010

Publication: an ethical dilemma for digital forensics research?

by Chris Hargreaves

Dr Chris Hargreaves is a lecturer at the Centre for Forensic Computing at Cranfield University in Shrivenham, UK.

Ethical issues in science are commonplace; examples such as cloning, climate change and genetic engineering are all subject to different ethical debates. Some subjects have clearly defined areas of potential ethical problems; for example, in psychology much consideration is given to the welfare of human participants involved in any experiments conducted. This involves consideration of concerns such as participants’ confidentiality, privacy, consent, right to withdraw etc. However, the welfare of human participants in experiments is not the only form of ethical debate, and in some research areas there are other particular issues, such as animal rights, or indeed whether a particular technology should be researched at all. This article is not an attempt to identify all the potential ethical issues that digital forensics research could be subject to, but instead highlights a particular issue -- the potential impact of making the results of some digital forensics research publicly available.

To take a simple (and fictitious) example, suppose research into an ‘evidence removal’ product revealed that, while the software removed evidence from several locations on the disk, there were also several other locations where evidence was not erased and could therefore be recovered. From a forensic point of view these are very interesting findings, and it would be beneficial to share these results so that when the use of this particular product is encountered in an investigation, evidence could be more easily recovered. However, the publication of these results also has adverse consequences. Firstly, users of that software who run it in an attempt to hide evidence of unlawful activity may then decide to switch to a more effective product that does erase the data areas in question. Secondly, the developer of the software may decide to take the published research and use it to develop updates that fix the problem so that the software now erases the locations in question. In both of these cases, the publication of the results could mean that in future, an analyst may be deprived of useful evidence...


