Digital Forensics – Evidence Handling guidelines – ACPO Digital Forensic
Association of Chief Police Officers ACPO Guidelines for Computer Based Evidence
Computer based electronic evidence is held to the same rules and expectations that apply to all other evidence before a court.
The onus is on the prosecution to prove to a court that the evidence produced by them is no more and no less than it was when it was first taken into the possession of the Police at the point of seizure.
Computer and mobile phone operating systems, and other programs present on a device, often alter, create and delete files, and this can happen without the user being aware of it, simply because the device is switched on.
To comply with the ACPO principles of computer based evidence, where possible a full bit-for-bit image of the memory present on the digital device should be taken. In some cases, for example when the amount of data present prevents a full copy being made, a partial or selected copy of certain files can be considered; however, the forensic examiner should take care to ensure that all required evidence is captured if that approach is taken.
The ACPO guidelines also require that any data is acquired using a suitable write blocking hardware unit; however, on some occasions this is not possible, for example when the original digital device itself requires access. In these circumstances, the individual who carries out this process must be sufficiently competent to provide evidence in court to explain the actions undertaken.
When providing evidence to court, the individual must display objectivity and fairness whilst being able to explain each process completed with the digital evidence, including the acquisition and examination of it, so that a third party digital examiner/expert can repeat the same process if required and arrive at the same result as that presented to the court.
ACPO Principle 1: That no action is taken that changes data held on a digital device, including a computer or mobile phone, that may subsequently be relied upon as evidence in court.
ACPO Principle 2: Where a person finds it necessary to access original data held on a digital device that the person must be competent to do so and able to explain their actions and the implications of those actions on the digital evidence to a Court.
ACPO Principle 3: That an audit trail or record of all actions taken that have been applied to the digital evidence should be created and preserved. An independent third party forensic expert should be able to examine those processes and reach the same conclusion.
ACPO Principle 4: That the individual in charge of the investigation has overall responsibility to ensure that these principles are followed.
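As an added example (not from the ACPO guidance or this page), the following Python routine puts Principles 1 and 3 into practice for the imaging step described above: it makes a bit-for-bit copy of an exhibit, hashes the data as it is read and again from the written image, and appends every acquisition to a JSON-lines audit trail so a third party can re-hash the image and reproduce the recorded result. The exhibit, examiner and case reference used in the demo are constructed placeholders.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # 1 MiB blocks: large media stream through without being held in memory

def sha256_of_file(path):
    # Independent read of the written image, start to end, for verification.
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()

def acquire_image(source, image, examiner, case_ref, log_path):
    """Bit-for-bit copy of `source` into `image`, hashed as it is read and again from
    the image file; both hashes and byte counts go into a JSON-lines audit record."""
    started = datetime.now(timezone.utc).isoformat()
    acq, copied = hashlib.sha256(), 0
    # Read-only access here does not replace the hardware write blocker the guidelines require.
    with open(source, "rb") as src, open(image, "wb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            acq.update(block)
            dst.write(block)
            copied += len(block)
    record = {
        "case_ref": case_ref,
        "examiner": examiner,
        "source": os.path.abspath(source),
        "image": os.path.abspath(image),
        "source_bytes": os.path.getsize(source),
        "copied_bytes": copied,
        "sha256_acquisition": acq.hexdigest(),
        "sha256_verification": sha256_of_file(image),
        "started_utc": started,
        "finished_utc": datetime.now(timezone.utc).isoformat(),
    }
    # A third party can re-hash the image and reproduce these values.
    record["verified"] = (record["sha256_acquisition"] == record["sha256_verification"]
                          and copied == record["source_bytes"])
    with open(log_path, "a", encoding="utf-8") as log:
        log.write(json.dumps(record, sort_keys=True) + "\n")
    return record

if __name__ == "__main__":
    work = tempfile.mkdtemp()
    exhibit = os.path.join(work, "exhibit.bin")  # constructed stand-in for seized media
    with open(exhibit, "wb") as f:
        f.write(os.urandom(3 * CHUNK + 12345))
    print(json.dumps(acquire_image(exhibit, os.path.join(work, "exhibit.dd"), "Examiner A",
                                   "CASE-0001 (constructed)", os.path.join(work, "audit.jsonl")), indent=2))
```

The `verified` flag in the returned record is the check to confirm before any examination of the image begins; a mismatch between the two hashes or the byte counts means the acquisition must be repeated and the failure itself recorded.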
- Write Blockers – https://www.forensicswiki.org/wiki/Write_Blockers
- EnCase – Guidance Software
- X Ways
- Internet Examiner – http://www.siquest.com/
- NetAnalysis – https://www.digital-detective.net/digital-forensic-software/netanalysis/
- Access Data FTK manager – https://accessdata.com/product-download/ftk-imager-version-4-2-0
- Store Mailware – https://www.ghisler.com/