ACPO Guidelines for Computer Forensics
ACPO Good Practice Guide for Computer-Based Electronic Evidence
All of our computer forensics experts adhere to the Association of Chief Police Officers (ACPO) Good Practice Guide for Computer Based Electronic Evidence. The main principles of the ACPO Good Practice Guide for Computer Based Electronic Evidence are:
Principle 1: No action taken by law enforcement agencies or their agents should change data held on a computer or storage media which may subsequently be relied upon in court.
Principle 2: In exceptional circumstances, where a person finds it necessary to access original data held on a computer or on storage media, that person must be competent to do so and be able to give evidence explaining the relevance and the implications of their actions.
Principle 3: An audit trail or other record of all processes applied to computer based electronic evidence should be created and preserved. An independent third party should be able to examine those processes and achieve the same result.
Principle 4: The person in charge of the investigation (the case officer) has overall responsibility for ensuring that the law and these principles are adhered to.
Explanation of the principles
Computer-based electronic evidence is subject to the same rules and laws that apply to documentary evidence.
The doctrine of documentary evidence may be explained thus: the onus is on the prosecution to show to the court that the evidence produced is no more and no less now than when it was first taken into the possession of police.
Operating systems and other programs frequently alter and add to the contents of electronic storage. This may happen automatically without the user necessarily being aware that the data has been changed.
In order to comply with the principles of computer-based electronic evidence, wherever practicable, an image should be made of the entire target device. Partial or selective file copying may be considered as an alternative in certain circumstances e.g. when the amount of data to be imaged makes this impracticable. However, investigators should be careful to ensure that all relevant evidence is captured if this approach is adopted.
In a minority of cases, it may not be possible to obtain an image using a recognised imaging device. In these circumstances, it may become necessary for the original machine to be accessed to recover the evidence. With this in mind, it is essential that a witness, who is competent to give evidence to a court of law, makes any such access.
It is essential to display objectivity in a court, as well as the continuity and integrity of evidence. It is also necessary to demonstrate how evidence has been recovered, showing each process through which the evidence was obtained. Evidence should be preserved to such an extent that a third party is able to repeat the same process and arrive at the same result as that presented to a court.
It is recommended that the full ACPO Guidelines are read, they can be found here.