- Data Recovery Services
- How Do Hard Drives Fail ?
- RAID / Server Recovery
- External & USB Drives
- Mobile Phones & Tablets
- CCTV & DVR
- Windows Computers
- Lost & Deleted Files
- Forensic Investigation
- Advanced Recovery Service
- Spare Parts & Donor Drives
- Disk Manufacturers
- Tape Recovery
- Tape Conversion
- SQL Recovery
- Hard Drive Help & Advice
- About Us / Contact
Computer Investigations and Electronic Evidence
Below is a summary of the Association of Chief Police Officer’s (ACPO) guidelines in the handling of electronic evidence. You can read the full ACPO document in PDF format, the “Good Practice Guide For Computer-Based Electronic Evidence” on the UK government’s site here
Summary Of Principals
- Principle 1: No action taken by law enforcement agencies or their agents should change data held on a computer or storage media which may subsequently be relied upon in court.
- Principle 2: In exceptional circumstances, where a person finds it necessary to access original data held on a computer or on storage media, that person must be competent to do so and be able to give evidence explaining the relevance and the implications of their actions.
- Principle 3: An audit trail or other record of all processes applied to computer based electronic evidence should be created and preserved. An independent third party should be able to examine those processes and achieve the same result.
- Principle 4: The person in charge of the investigation (the case officer) has overall responsibility for ensuring that the law and these principles are adhered to.
Explanation Of The Principles:
Computer based electronic evidence is no different from text contained within a document. For this reason, the evidence is subject to the same rules and laws that apply to documentary evidence.
The doctrine of documentary evidence may be explained thus: the onus is on the prosecution to show to the court that the evidence produced is no more and no less now than when it was first taken into the possession of police.
Operating systems and other programs frequently alter and add to the contents of electronic storage. This may happen automatically without the user necessarily being aware that the data has been changed.
In order to comply with the principles of computer based electronic evidence, wherever practicable, an image should be made of the entire target device. Partial or selective file copying may be considered as an alternative in certain circumstances e.g. when the amount of data to be imaged makes this impracticable.
In a minority of cases, it may not be possible to obtain an image using a recognised imaging device. In these circumstances, it may become necessary for the original machine to be accessed to recover the evidence. With this in mind, it is essential that a witness, who is competent to give evidence to a court of law makes any such access. It is essential to show objectively to a court both continuity and integrity of evidence. It is also necessary to demonstrate how evidence has been recovered showing each process through which the evidence was obtained. Evidence should be preserved to such an extent that a third party is able to repeat the same process and arrive at the same result as that presented to a court.
Remember, we recommended that the full ACPO Guidelines on computer based electronic evidence are read at http://www.cps.gov.uk/legal/assets/uploads/files/ACPO_guidelines_computer_evidence.pdf.
Go to Data Clinic’s main Computer Forensics page