Long ago when forensics started out, each police department or private investigation company would do things in their own way. Most didn’t have a computer forensics expert and used their IT department or nearest computer geek instead, who would have had varying degrees of expertise. This led to evidence being mistreated and people called expert witnesses when really they weren’t. To make sure things were done properly, the Association of Chief Police Officers (ACPO) set up guidelines called Good Practice Guide for Computer-Based Electronic Evidence on how to deal with digital artefacts (computers, mobile phones etc) so that they are properly looked after and admissible in court.
Three of the principles are:
- The data held on the computer must not be altered. Copies of the hard drives and other storage media must be made and used when investigating. This is so a third party can take another copy of the hard drive and repeat the tests carried out and come up with exactly the same conclusions. If the computer is turned on, the hard drive is in a different state compared to when it was off and is corrupted – leading possibly to different conclusions
- Only in exceptional circumstances can an investigator use the original data on the computer. Circumstances might be that a life is in danger and the information needed is in the perpetrators email inbox for example. Also, only an expert should do this who can explain the implications of their actions
- An audit trail or log must record all the steps taken on the artefact so that a third party can retrace the steps taken and produce the same results
If you want to read the full guidelines (dead interesting!), which include subjects like crime scenes, network forensics & volatile data, control of paedophile images, guide for mobile phone seizure & examination then you can download it here [pdf].