In June 2018, there was a blog article posted that discussed a “secret” tool that was used to pull down user e-mail data from Office 365, known as the “Activities” API. The blog author and other digital forensics contributors had a debate around the ethics of forensic examiners and organizations having this “secret” tool and not making it known to the forensic community and whether it was appropriate to keep the tool secret. A direct impact, as illustrated from LMG security blog, was around Business E-mail Compromise (BEC) and as to whether you could prove there was a breach or not, rather than assuming a breach based on lack of evidence and the organization having to deal with consequences of the assumed breach.
https://lmgsecurity.com/exposing-the-secret-office-365-forensics-tool/
https://www.crowdstrike.com/blog/hiding-in-plain-sight-using-the-office-365-activities-api-to-investigate-business-email-compromises/
Unfortunately, Microsoft has seemed to end access to the Activities API with weeks of the issue being discussed publicy. Which may be a consequence in it of itself.
https://lmgsecurity.com/rip-office365-magic-unicorn-tool/
Not just for the above scenario, but in general, do you feel it is ethical for forensic examiners and organizations to share or not share newly identified forensic artifacts and information (not custom developed tools) with the forensic community at large? Does it depend on how the information was identified? Should competitive advantage be considered?
