My University Notes

Week 1 - ACPO Guidelines & Scene Management

ACPO Guidelines & Scene Management

Digital Forensic process (IPCEAPD):

1. Identification 2. Preservation 3. Collection (Has to be approved Methods) 4. Examination 5. Analysis 6. Presentation 7. Decision

Image = exact copy

Before arriving:

Is it legal or internal investigation?
Is it technical (DDOS) or Non-Technical (Drug)?

Different types of methods for collection of data depending on which one it is.

Technical = Need to consider volatile memory and traffic logs (More Careful)
Non-Tech = Normally stored on HDD

Understand the skill level of the suspect:

High skill = Need to be more careful when dealing with the case

On the Scene:

Use Write-Blockers
Image the HDD
Take the correct equipment when going to the Scene.
Determine if the computer is on or not
Look at scene and determine the next causes of action
Take Photos of everything
Live analysis or not.
Avoid contamination
Identify state of devices
Additional evidence containers

If device is switched on:

Need to determine if the computer is on or off
Decide on whether to perform a live analysis
Decide to pull plug or not

Live Acquisition

Minimal downtime
List of running device
Some data is only stored in RAM (encryption keys, Private prosing)

If data is contaminated it can not be used in a cause of law

Need to maintain a chain of custody
Storage and transportation
Keep away magnetic sources
Extreme changes in temp
Anti-Static packing
Prolonged storage can result in alteration of evidence due to batteries
Store all in secured area

Rules of evidence:

Authentic
Reliable and accurate
Complete
Admissible
Convincing to juries

ACPO Guidelines (2012)