Ethical Issues Raised by Data Acquisition Methods in Digital Forensics Research

Abstract

1. IntroductionDigital Forensics (DF) is a relatively new area of Computer Science. Like forensic areas in other scientific fields, Digital Forensics seeks to discover evidence and reconstruct events based on an intimate knowledge of how computers, networks, and other electronic devices and communication systems function. As new as it is, DF is playing an increasingly important role not only in the expected area of criminal law, but now in civil law as well. With the changes to the Federal Rules of Civil Procedure in 2006, terms like Electronically Stored Information (ESI) and Electronic Document/Data Discovery (EDD) are entering the vocabulary of civil law firms with celerity.Despite its increasing importance, the DF field is still very young. At one extreme there are highly skilled researchers with strong backgrounds in computer science and mathematics pondering the esoteric inner workings of technology in order to develop new forensic tools and techniques; at the other end there is a frenzied market filled with service providers, software vendors, and other specialists offering any and every service that can even remotely be branded Digital Forensics by some contortion of logic. The EDD market itself was estimated to be 2.7 billion dollars in 2007 and projected to increase to 4.6 billion dollars by 2010 making it a quickly growing massive industry currently existing with minimal oversight (Socha 2008). While the field is moving full speed ahead it has not stopped to formally or substantively ponder the ethics which should underlie research and practice. Some certification bodies have sprung up and produced their own codes of ethics, but, aside from publishing an arbitrary list of rules primarily intended to govern certified members, no substantial discourse has been published to justify them. No substantial discourse has been published on the ethical usage of data in digital forensic research or on digital forensics in general. Our work, therefore, is novel in its application.In this paper we examine the ethical issues involved with procuring data storage media, primarily hard drives, from 3rd party sources such as eBay for use in Digital Forensic research. In Section 2, we give a background on research areas that benefit from real world data sources, outline related research making use of such sources, and briefly examine its contributions. In Section 3, we establish scenarios to frame the ethical analysis. In Section 4, we discuss the ethical issues and draw parallels to other fields with relevant similarities. In Section 5, we establish tests for determining ethical behavior. Finally, in Section 6, we conclude.2. Background and Related WorkFile Carving (FC) is a DF technique for recovering data from media where the file system information is damaged or deleted. The technique relies upon the nature of the file it attempts to recover. Many file types contain sections which are static for all files of the given type; these invariant sections often come at the beginning and ending of a file making header and footer sections. This may be as simple as the Linux/Unix magic number interpreted by the files command, or a part of the file standard denoting the start of a specific segment of the file. The general process involves reading data blocks from a drive sequentially while noting the location and type of any headers or footers encountered. In the most privative form, the file carver then goes back and carves out data between a pair of headers and footers of the same type with no intervening header or footer blocks. The more advanced versions of this concept attempt to reconstruct data where the file is fragmented on the drive, making sequential carving useless. This area of research benefits from real world data due to the complexity of file fragmentation. Simulating the fragmentation will not show all the patterns of fragmentation created over time with different usage patterns, software version, drive utilization, operating system, hardware configuration, and so on. …