Digital Forensics – Evidence Handling guidelines – ACPO Digital Forensic

Association of Chief Police Officers (ACPO) Guidelines for Computer-Based Evidence

Computer-based electronic evidence is held to the same rules and expectations that apply to all other evidence brought before a court.

The onus is on the prosecution to prove to a court that the evidence they produce is no more and no less than it was when it first came into the possession of the Police at the point of seizure.

Computer and mobile phone operating systems, and the other programs present on a device, often alter, create and delete files, and this can happen without the user being aware of it, simply because the device is switched on.

To comply with the ACPO principles for computer-based evidence, a full bit-for-bit image of the memory present on the digital device should be taken where possible. In some cases, for example when the amount of data present prevents a full copy being made, a partial or selected copy of certain files can be considered; however, the forensic examiner should take care to ensure that all required evidence is captured if that approach is taken.

The ACPO guidelines also require that any data is acquired through a suitable hardware write blocker; however, on some occasions this is not possible, for example when the original digital device itself must be accessed. In these circumstances, the individual who carries out the process must be sufficiently competent to give evidence in court explaining the actions undertaken.

When providing evidence to a court, the individual must display objectivity and fairness while being able to explain each process carried out on the digital evidence, including its acquisition and examination, so that a third-party digital examiner or expert can repeat the same process if required and arrive at the same result as that presented to the court.

ACPO Principle 1: No action taken should change data held on a digital device, including a computer or mobile phone, that may subsequently be relied upon as evidence in court.

ACPO Principle 2: Where a person finds it necessary to access original data held on a digital device, that person must be competent to do so and able to explain their actions, and the implications of those actions for the digital evidence, to a court.

ACPO Principle 3: An audit trail or record of all actions applied to the digital evidence should be created and preserved. An independent third-party forensic expert should be able to examine those processes and reach the same conclusion.

ACPO Principle 4: The individual in charge of the investigation has overall responsibility for ensuring that these principles are followed.
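One way to put Principle 1 and Principle 3 into practice on an acquired image, as an added example that is not ACPO guidance or code from this post: the image is verified against the seized source by SHA-256 hash, every verification is appended to an audit trail, and a third party can replay that trail to confirm the image still hashes as recorded. File names, the examiner id and the JSON-lines trail format are assumptions made for the example.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

def sha256_file(path, chunk_size=1 << 20):
    """Hash in chunks so a multi-GB image never has to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()

def record_action(trail_path, examiner, action, **details):
    """Append one audit-trail entry (Principle 3) as a JSON line; the trail is append-only."""
    entry = {"time": datetime.now(timezone.utc).isoformat(),
             "examiner": examiner, "action": action, **details}
    with open(trail_path, "a") as f:
        f.write(json.dumps(entry) + "\n")
    return entry

def verify_image(source, image, trail_path, examiner):
    """Principle 1 check: the image must hash identically to the seized device."""
    src_hash, img_hash = sha256_file(source), sha256_file(image)
    record_action(trail_path, examiner, "verify_image", source=source, image=image,
                  source_sha256=src_hash, image_sha256=img_hash, match=src_hash == img_hash)
    return src_hash == img_hash

def replay_trail(trail_path):
    """Third-party repeat: recompute every recorded image hash, return images that no longer match."""
    with open(trail_path) as f:
        entries = [json.loads(line) for line in f]
    return [e["image"] for e in entries
            if e["action"] == "verify_image" and sha256_file(e["image"]) != e["image_sha256"]]

def demo():
    """Constructed scenario: a stand-in 'device', its bit copy, then the copy is altered."""
    d = tempfile.mkdtemp()
    src, img, trail = (os.path.join(d, n) for n in ("device.bin", "device.dd", "trail.jsonl"))
    data = bytes(range(256)) * 16          # deterministic stand-in for the device's storage
    for p in (src, img):
        with open(p, "wb") as f:
            f.write(data)
    acquired_ok = verify_image(src, img, trail, "examiner-1")   # True: copy matches source
    with open(img, "r+b") as f:            # simulate alteration of the image after acquisition
        f.seek(100)
        f.write(b"\x00")
    return acquired_ok, replay_trail(trail)  # (True, [path of the altered image])
```

Because the trail records the hash at verification time, the replay exposes any later change to the image without needing the original device, which is what lets an independent examiner repeat the check.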

ACPO_Good_Practice_Guide_for_Digital_Evidence_v5

DFIR Tools

  1. Write Blockers – https://www.forensicswiki.org/wiki/Write_Blockers
  2. EnCase – Guidance Software
  3. X-Ways
  4. Internet Examiner – http://www.siquest.com/
  5. NetAnalysis – https://www.digital-detective.net/digital-forensic-software/netanalysis/
    1. https://www.digital-detective.net/digital-forensic-software/free-tools/
  6. AccessData FTK Imager – https://accessdata.com/product-download/ftk-imager-version-4-2-0
  7. Store Mailware – https://www.ghisler.com/
  8. https://www.guidancesoftware.com/
  9. https://accessdata.com/products-services/forensic-toolkit-ftk
  10. http://www.x-ways.net/forensics/

Samples

  1. https://zeltser.com/malware-sample-sources/
  2. https://github.com/InQuest/malware-samples
  3. https://github.com/fabrimagic72/malware-samples
  4. https://dasmalwerk.eu/
  5. http://www.tekdefense.com/downloads/malware-samples/
  6. https://malwaretips.com/forums/malware-samples.104/
  7. https://www.reddit.com/r/NetSecAPTWatch/comments/a44b00/list_of_malware_samples/

Tutorials
