Tuesday, May 1, 2007

All the King's Horses

Have you ever been asked to tamper with evidence? Asked to destroy it? Compromise the chain of custody? Lie about your findings? Ignore exculpatory evidence?

I have several books (by several I mean at least a dozen) on the subject of digital forensics - both popular literature and those used in education - and upon reflection I realized something. Not a single one of them mentions the moral and ethical challenges of working in digital forensics and evidence handling with more than a passing comment. These challenges exist in every science, so this is not exactly a new idea; what's different is the fact that many corporate IT staffs are being asked to conduct digital forensics work and corporate forensics officers are asked to conduct examinations objectively. The last time I checked, administrative assistants weren't being asked to determine the chemical composition of the yellow #2 pencils at their desk, so why is IT being tasked with science (if digital forensic science is indeed a science)? Worse yet, why is there no protection for the forensics teams? How can we be expected to remain objective and provide complete reports with the threat of unemployment hanging over our heads?

I entitled this entry All the King's Horses because I recently read Vonnegut's short story of the same name. If you haven't ever read it, the story is about a group of American soldiers being held captive by a Communist guerrilla chief, Pi Ying. As the story progresses, the reader finds out that the Colonel's family (wife and 2 sons) are also captives. In order for the Americans to gain their freedom, Pi Ying plays Colonel Bryan Kelly in a game of macabre chess. The Americans are the chess pieces on the white team and Pi Ying has wooden pieces. If an American piece is taken, the person representing the piece is executed; if Pi Ying loses a piece, all he loses is a piece of wood. The game reaches a point where Kelly could win, if only he could remove the Black Knight from the middle of the board. The only way he can do this is by sacrificing one of his sons (whom he had chosen to be his knights). This sacrifice would allow him to save the lives of everyone else on the game board. Kelly eventually makes the choice to sacrifice his son.

Imagine this scenario as it relates to digital forensic science. You are Colonel Kelly and your son is your set of ethics and morals. Pi Ying is the corporate officer or lawyer of choice. The pieces you must contend with are the individual ethical challenges you face at each turn. Eventually, you get backed into a corner where you must choose to sacrifice your son or the game is over.

Now for a real example or two.
After leading a long and arduous incident involving a team of roughly 10 people, I was called in to see the director of HR. I was asked a series of questions regarding the incident, and as the conversation progressed I realized what was going on. I was being prodded to provide information as ammunition for firing the two network administrators that were "responsible" for the incident occurring. I remained responsive, but tried my hardest not to contribute to what was happening. In the end it didn't matter; the two network administrators lost their jobs because of what I consider an organizational problem. I, on the other hand, while a little bitter, was able to walk away from the situation with my ethics intact.

During another incident involving a data breach, I was sitting in the IRT meeting with some administrative types. I was asked if I could just ignore the fact that I was in possession of disk images from breached systems and make them disappear. My answer? "No."

Now, we all know that business people skipped the day they taught ethics, but science is founded on adherence to a strict ethical code in order to keep the science pure. I tend to be a pretty hard-nosed individual when it comes to violating ethics regarding science, but I know that others simply can't afford to be as hard-nosed, so I wonder: has anyone had a situation like the above where your ethics were challenged?

Our positions as digital forensic examiners put us in a unique position of close proximity to the law. As such, we are at a high level of risk. So, as a member of a few forensics-related organizations, I wonder what people think of the idea of having these organizations protect their members when the ethical code of the organization (which we must adhere to) is challenged in the course of employment - whether as a retained expert or as an in-house examiner. What greater benefit could an organization possibly provide than to protect its members?


A few links on the subject:
Philosophy of science
Adventures in Science & Ethics


Keydet89 said...

Our positions as digital forensic examiners puts us in a unique position of close proximity to the law.

I see where you're going with the rest of your post, but the above statement is one that I am concerned about.

How does performing incident response within a corporate organization put the examiner in "close proximity to the law"?

Is this due to the use of the term "forensics", which according to Wikipedia refers to "the application of a broad spectrum of sciences to answer questions of interest to the legal system"? Perhaps the term is being misused, then.

That aside, I find it interesting that the question of ethics comes up, but I suppose that in reality, there are those who have a different view of the world, one where lying, cheating, and stealing is the norm.

hogfly said...


I believe incident response puts us in close proximity to the law for at least two if not more reasons, and don't get me started on definitions *cough taxonomy cough*. ;)

1) Even in corporate settings, internal threats that create incidents lead to legal situations - wrongful termination, discrimination, etc.

2) The follow up to the response is the forensic examination. When the forensic examination reveals that sensitive data does exist on a system that was compromised, we are now discussing whether or not it was accessed, and if so, consultation with legal counsel is a must, as is reporting the findings accurately because of state law that requires notification. If a lawsuit ever comes of that situation, then the reports are open to discovery.

Keydet89 said...

One of the things I recently discussed with someone else is that there is a difference between LEO and corporate investigations. I'm seeing a definite dividing line between the two, even in instances in which an IR investigation could become a legal one...in those situations, all collected data is turned over to law enforcement...corporate IT staffs do not present the evidence in court (though, with preparation, they may be called to provide testimony as witnesses).

This distinction was pointed out in the decision for the Heckenkamp case...specifically, a sysadmin accessed Heckenkamp's system in order to determine whether or not that system was being used to attack a mail server. This was deemed acceptable to the court, as the sysadmin was not acting as an agent for the police, nor under color of law.

Yet another distinction is that IT departments are not accredited, whereas many law enforcement labs (for example, federal RCFLs) are accredited.

Again, while a corporate IR investigation _could_ end up going to court as a wrongful termination suit, there is a distinct point at which IT staff stops performing any work on their own, and law enforcement takes over. This is an important distinction to keep in mind...even for consultants supporting an IT dept, those consultants are not officers of the court, nor working under the color of the law.


Keydet89 said...

A quick point of clarification with regards to your item 2...

Yes, many IR policies and plans do recommend coordination with corporate counsel, and when sensitive data (as defined by HIPAA, Visa PCI, state notification laws, etc.) is potentially exposed, counsel must be consulted. However, this is not in the capacity of an officer of the court...this is done initially to protect the organization.

Yes, suits may be brought later, but as I stated above, there are distinctions, ones that I believe are fairly definite.

My point is that while corporate IT investigations may ultimately go to court in some capacity, the investigations themselves are NOT conducted under color of law. Therefore, "best practices" are expected to be followed, and ultimately when (if?) the case is turned over to law enforcement, they will do the best they can with what they have. Law enforcement, however, is held to a different (and much more stringent) standard than those conducting corporate IT investigations.


hogfly said...

You are absolutely right about corporate investigators not acting under color of law, but remember I said "close proximity to the law". Your points are very valid, but using the Heckenkamp incident as an example, if the sysadmin's reports were falsified because someone above him told him to do it, it puts him in a situation where his ethics are potentially challenged.

That's the crux of what I'm getting at. Not that all situations end up becoming legal ones, but that the morals and ethics of corporate investigators are challenged, and sacrifices do get made in order to keep jobs or the like.

Or, let's say he turned over disk images to law enforcement and his report was inconsistent with the findings of the LEO. If I'm not mistaken, the SA was called to testify. Imagine him being questioned on the stand and the internal scandal being revealed. When asked "why did you falsify xyz?", what would his response be? "I did it because I didn't want to lose my job?"

In my own personal experience, in wrongful terminations ending up in discovery, or in data breaches requiring notification, law enforcement is not always brought in, and internal teams and legal counsel handle the situation. If a lawsuit were filed as a result of the breach, I doubt LE would be called in.

Keydet89 said...

..."close proximity to the law"...

I'm still struggling with that in a lot of ways...but okay... ;-)

...sacrifices do get made...

That's true in any job, though.

I agree, too, that a great deal of corporate incidents, be they breaches requiring notification or otherwise, never cross a LEO's desk.