1.12. ACPO Guidelines #

Digital Forensic Process #

Before Arriving at the Scene #

  • Understand the nature of the investigation
    • Legal case or internal investigation
    • Technical case (e.g. DoS attack, remote attack) or non-technical case (e.g. drug dealing)
    • Find out the computer skill level of the suspect (a skilled suspect is more likely to have used encryption or anti-forensic tools)
  • Take all necessary equipment
    • Write-blockers
    • Spare hard drives (forensically wiped, to receive the images)
    • Imaging devices
    • Screwdrivers
    • Gloves
    • Evidence bags
    • Evidence inventory forms
    • Video/camera with batteries
    • Storage space

Things to do First #

  • Avoid evidence contamination (limit access to the scene, wear protective clothing)
  • Identify the state of digital devices:
    • Computers: on, off, hibernating, sleeping, networked?
    • Mobile devices: on, off, battery level, connected to a computer?
  • Locate additional evidence containers, such as USB drives, CD/DVDs, and sticky notes (which often carry passwords)

Handling the Devices #

  • Do not change the state of a device: if it was found off, do not switch it on; if it was found on, do not switch it off until a decision on acquisition has been made
  • If the device was switched on:
    • Decide whether to pull the plug, shut down via the OS, or perform a live acquisition:
      • Pulling the plug freezes the disk state but loses everything in RAM
      • An OS shutdown runs shutdown scripts and flushes caches, so it modifies files on disk
      • A live acquisition captures volatile data but itself alters the running system, so every action must be documented
    • Live acquisition:
      • Provides minimal downtime
      • Lists running processes and network connections
      • Some data is only available in RAM (encryption keys, private browsing sessions, etc.)
    • If not handled properly, potential evidence could be contaminated or destroyed.
  • If the device was switched off:
    • Take photos of the device, screen and cable connections before touching anything
    • Label cables
    • Disconnect cables
    • Get ready for packaging
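The following is an added example, not part of the ACPO guide or this page's original notes, showing what a minimal live-acquisition triage of a switched-on Linux host can look like. It reads /proc directly instead of trusting the host's own `ps` or `netstat` binaries (which a compromised system may have replaced), collects artefacts in rough order of volatility, and records a SHA-256 of every artefact in a manifest so the collection itself is documented. The artefact set, file names and examiner name are this example's own choices; it does not capture a full memory image, and because it writes files and spawns a process it should be run from external media and noted in the documentation.

```python
"""Added example (not part of the ACPO guide): minimal live-acquisition triage."""
import hashlib
import os
from datetime import datetime, timezone
from pathlib import Path


def utc_now() -> str:
    return datetime.now(timezone.utc).isoformat(timespec="seconds")


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def read_proc_file(name: str) -> str:
    """Read a /proc file; record the failure instead of aborting if it is missing."""
    p = Path("/proc") / name
    try:
        return p.read_text(errors="replace")
    except OSError as exc:
        return f"unavailable: {p}: {exc}\n"


def list_processes() -> str:
    """Enumerate processes from /proc/<pid>/cmdline; does not depend on `ps`."""
    proc = Path("/proc")
    if not proc.is_dir():
        return "unavailable: /proc not present on this platform\n"
    lines = []
    pids = sorted((p for p in proc.iterdir() if p.name.isdigit()), key=lambda p: int(p.name))
    for entry in pids:
        try:
            cmd = (entry / "cmdline").read_bytes().replace(b"\x00", b" ").decode(errors="replace").strip()
            status = (entry / "status").read_text(errors="replace")
        except OSError:
            continue  # process exited between listing and reading
        uid = next((l.split()[1] for l in status.splitlines() if l.startswith("Uid:")), "?")
        lines.append(f"{entry.name}\t{uid}\t{cmd or '[kernel thread]'}")
    return "\n".join(lines) + "\n"


# Most volatile first: clock and uptime, then network state and processes,
# then mounts and kernel identity (the RFC 3227 order of volatility).
STEPS = [
    ("clock", lambda: f"{utc_now()} uptime={read_proc_file('uptime').strip()}\n"),
    ("net_tcp", lambda: read_proc_file("net/tcp")),
    ("processes", list_processes),
    ("mounts", lambda: read_proc_file("mounts")),
    ("kernel", lambda: " ".join(os.uname()) + "\n"),
]


def collect_volatile(outdir: Path, examiner: str) -> dict:
    """Run every step, write <name>.txt into outdir, append to manifest.txt,
    and return {artefact name: sha256 hex digest}."""
    outdir.mkdir(parents=True, exist_ok=True)
    hashes = {}
    with (outdir / "manifest.txt").open("w") as m:
        m.write(f"collection started {utc_now()} by {examiner} pid={os.getpid()}\n")
        for name, step in STEPS:
            data = step().encode()
            (outdir / f"{name}.txt").write_bytes(data)
            hashes[name] = sha256_bytes(data)
            m.write(f"{utc_now()}|{name}|{len(data)} bytes|{hashes[name]}\n")
    return hashes


if __name__ == "__main__":
    # Hypothetical output location on external media; adjust to the case.
    for name, digest in collect_volatile(Path("/mnt/usb/live-triage"), "A. Examiner").items():
        print(f"{name}: {digest}")
```

The manifest gives the examiner the "who, what, when and how" of the live collection that the documentation section below asks for, and the per-artefact hashes let anyone later confirm that the collected files are the ones written at the scene.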

Evidence Preparation #

Documentation #

  • Document the complete journey of the evidence during the life of the case to maintain the chain of custody
  • Can be used to answer questions such as:
    • Who collected what data and when?
    • How and where?
    • Who took possession of what?
    • How was something stored and protected in storage?
    • Who took it out of storage and why?
    • When was it returned to the evidence locker and by whom?
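As an added example (not part of the ACPO guide or these notes), the chain-of-custody record can be kept as a log in which every handover is tied to an integrity hash of the exhibit, so that each of the questions above has a documented answer and any alteration of the exhibit, in storage or in the lab, is detected at the next check. The exhibit ID, handler names, locations and the sample image below are constructed for the example.

```python
"""Added example (not part of the ACPO guide): a hash-backed chain-of-custody log."""
import hashlib
import json
from dataclasses import dataclass, asdict
from datetime import datetime, timezone
from pathlib import Path


def sha256_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Stream the file so multi-GB images do not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


@dataclass
class CustodyEntry:
    timestamp: str   # UTC, ISO 8601: when
    action: str      # collected | stored | checked_out | returned | transferred: what happened
    handler: str     # who took possession
    location: str    # where the exhibit was or went
    sha256: str      # hash of the exhibit at the time of this entry
    note: str = ""   # how and why (method, tools, purpose)


class CustodyLog:
    def __init__(self, exhibit_id: str, description: str):
        self.exhibit_id = exhibit_id
        self.description = description
        self.entries: list[CustodyEntry] = []

    def record(self, action: str, handler: str, location: str, exhibit: Path, note: str = "") -> CustodyEntry:
        entry = CustodyEntry(datetime.now(timezone.utc).isoformat(timespec="seconds"),
                             action, handler, location, sha256_file(exhibit), note)
        self.entries.append(entry)
        return entry

    def verify(self, exhibit: Path) -> tuple[bool, list[str]]:
        """Check that the exhibit still matches its acquisition hash and that no
        logged handover saw a different hash. Returns (ok, list of problems)."""
        if not self.entries:
            return False, ["no acquisition entry recorded"]
        acquisition = self.entries[0].sha256
        problems = [f"entry {i} ({e.action} by {e.handler}) saw hash {e.sha256[:12]}..., "
                    f"acquisition hash was {acquisition[:12]}..."
                    for i, e in enumerate(self.entries) if e.sha256 != acquisition]
        current = sha256_file(exhibit)
        if current != acquisition:
            problems.append(f"exhibit now hashes to {current[:12]}..., acquisition hash was {acquisition[:12]}...")
        return not problems, problems

    def to_json(self) -> str:
        return json.dumps({"exhibit_id": self.exhibit_id, "description": self.description,
                           "entries": [asdict(e) for e in self.entries]}, indent=2)


def demo(workdir: Path) -> dict:
    """Walk a constructed exhibit through collection, storage and checkout,
    then simulate a one-byte alteration and show that verification catches it."""
    image = workdir / "EXHIBIT-001.dd"
    image.write_bytes(b"\x00" * 512 + b"constructed sample disk image")  # constructed sample, not real data
    log = CustodyLog("EXHIBIT-001", "Laptop HDD image (constructed sample)")
    log.record("collected", "A. Examiner", "Scene, office 3", image, "write-blocked acquisition")
    log.record("stored", "A. Examiner", "Evidence locker 7", image)
    log.record("checked_out", "B. Analyst", "Lab workstation 2", image, "keyword search")
    ok_before, _ = log.verify(image)
    with image.open("r+b") as f:   # simulate tampering or corruption while checked out
        f.write(b"\xff")
    log.record("returned", "B. Analyst", "Evidence locker 7", image)
    ok_after, problems = log.verify(image)
    return {"ok_before": ok_before, "ok_after": ok_after,
            "problems": problems, "json": log.to_json()}


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as d:
        result = demo(Path(d))
        print(result["json"])
        print("intact before:", result["ok_before"], "intact after:", result["ok_after"])
        print("\n".join(result["problems"]))
```

The first entry's hash is the acquisition hash that every later handover is compared against; an entry whose hash differs pinpoints the handover during which the exhibit changed, which is exactly what a court will ask about when the reliability of the evidence is challenged.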

Storage and Transportation #

  • Keep electronic evidence away from magnetic sources
  • Protect from extreme changes in temperature
  • Use proper anti-shock material, such as bubble wrap
  • Prolonged storage can result in alteration of evidence, since batteries have a limited life span (e.g. the CMOS battery that keeps a computer's BIOS clock and settings, or a mobile device's battery)
  • Store all seized evidence in a properly secured storage area

Rules of Evidence #

  • Authentic
    • It came from where it is claimed to have come from
    • Evidence must be tied to the incident in order to prove something
  • Reliable and Accurate
    • No doubt about its authenticity, and nothing has been contaminated
  • Complete
    • The whole story needs to be there
  • Admissible
    • In conformity with common law and legislative rules
  • Convincing to juries
    • Believable and understandable

ACPO Guidelines #

The Association of Chief Police Officers (ACPO) Crime Committee published the Good Practice Guide for Digital Evidence, Version 5, in 2012.

© 2024 Ryan Bester & Collaborators