ACPO Good Practice Guide ACPO Good Practice Guide
\nfor Digital Evidence for Digital Evidence
\nMarch 2012
\nACPO Good Practice Guide
\nfor Digital Evidence
\nThe Association of Chief Police Officers have agreed to this revised
\ngood practice guide being circulated to, and adopted by, Police Forces
\nin England, Wales & Northern Ireland.
\nIt is NOT PROTECTIVELY MARKED under the Government Protective
\nMarking Scheme and it is disclosable under the Freedom of
\nInformation Act 2000.
\nACPO \u00a9 2012
\n2 NOT PROTECTIVELY MARKED ACPO Good Practice Guide for Digital Evidence, Version 5 (October 2011)
\nAssociation of Chief Police Officers of England, Wales & Northern Ireland<\/p>\n
Document information
\nProtective marking NOT PROTECTIVELY MARKED
\nAuthor DAC Janet Williams QPM
\nForce\/Organisation Metropolitan Police Service
\nACPO Business Area Crime BA
\nContact details 020 7230 6800
\nReview date As required
\nVersion 5.0<\/p>\n
Any queries relating to this document should be directed to either
\nthe author detailed above or the ACPO Programme Support Office
\non 020 7084 8958\/8959.
\nThis best practice guide has been produced by the ACPO Crime
\nBusiness Area and was originally approved by ACPO Cabinet in
\nDecember 2007. The purpose of this document is to provide
\nguidance not only to assist law enforcement but for all that
\nassists in investigating cyber security incidents and crime. It will
\nbe updated according to legislative and policy changes and republished as required.
\n3 NOT PROTECTIVELY MARKED ACPO Good Practice Guide for Digital Evidence, Version 5 (October 2011)
\nAssociation of Chief Police Officers of England, Wales & Northern Ireland
\nContents
\nSection Page
\nIntroduction to the Guide 4
\nForeword 5
\n1 Application of Guide 6
\n2 The Principles of Digital Evidence 6
\n3 Plan 7
\n4 Capture 8
\n5 Analyse 10
\n6 Present 11
\n7 General 13
\nAppendix A Network Forensic and Volatile Data Collection
\nAppendix B Crimes involving Websites, Forums and Blogs
\nAppendix C Crime Scenes
\nAppendix D Developing a Digital Investigation Strategy
\nAppendix E ACPO Workbook
\n4 NOT PROTECTIVELY MARKED ACPO Good Practice Guide for Digital Evidence, Version 5 (October 2011)
\nAssociation of Chief Police Officers of England, Wales & Northern Ireland
\nINTRODUCTION TO THE GUIDE FOR DIGITAL EVIDENCE
\nIt gives me great pleasure to introduce the 5th version of the ACPO Good Practice Guide for Digital
\nEvidence. Much effort has been put in to ensure that the right information is available to practitioners and
\nmanagers in the fight against cyber crime. I would like to thank all those who contributed to its creation for
\ntheir efforts in drawing together their expert knowledge in tackling the criminal misuse of current and
\nemerging technologies. The review board drew together people from academia, private and the public
\nsector and has been an excellent example of collaborative working.
\nSince taking the UK policing lead for e-Crime in April 2008, I have overseen the creation of the Police Central
\ne-Crime Unit. The team has grown from strength to strength through partnership working leading to the
\nformation of a centre of excellence for cyber crime and the successful prosecution of cyber criminals. It is
\nonly through bringing together the expertise in policing across the UK, the capability and best practice within
\nindustry, support of Government and the Criminal Justice System that we will combat those responsible for
\ncyber crime.
\nI am pleased that there has been recognition of a need to co-ordinate the UK response to cyber security
\nissues through the establishment of the Office of Cyber Security and the Cyber Security Operations Centre.
\nThis approach will combine the various industries, law enforcement and agencies\u2019 hard work to corral them
\ninto a single effort to gather intelligence, enforcement capability and create the right framework of policy
\nand doctrine to better enable us all to tackle the major issues identified.
\nThis guide has changed from version 4, where it centred on computer based evidence; the new revision
\nreflects digital based evidence and attempts to encompass the diversity of the digital world. As such this
\nguide would not only assist law enforcement but the wider family that assists in investigating cyber security
\nincidents. I commend all to read and make use of the knowledge and learning contained in this guide to
\nprovide us with the right tools to carry out our role.
\nJanet Williams QPM
\nDeputy Assistant Commissioner
\nMetropolitan Police Service
\nACPO lead for the e-Crime Portfolio.
\n5 NOT PROTECTIVELY MARKED ACPO Good Practice Guide for Digital Evidence, Version 5 (October 2011)
\nAssociation of Chief Police Officers of England, Wales & Northern Ireland
\nFOREWORD
\nIt seems that whenever a review of ACPO guidance is carried out we are in the middle of technological
\nchanges that have vast impact on the work that is done within digital forensic units. It is a testament to the
\nauthors of the original four guiding principles for digital forensics that they still hold today, and one of the
\nkey early decisions of the review board was to keep those four principles, with only a slight change of
\nwording to principle four.
\nWe work in an area of constant change. There is a continuing need to re-evaluate and revise our capacities
\nto perform our duties. There is a need to recover and analyse digital data that can now be found within the
\nmany devices that are within day to day use, and can supply vital evidence in all our investigations.
\nHence a second key early decision was to change the title of the document to ACPO Good Practice Guide for
\nDigital Evidence. This would hopefully encompass all aspects of digital evidence and remove the difficulty
\nabout trying to draw the line to what is or isn\u2019t a computer and thus falling within the remit of this guide.
\nIt is important that people who work within the arena of digital forensics do not just concentrate on the
\ntechnology, as essential as that is, but that the processes we use are fit for the purpose, and that skills and
\ncapacities within units reflect the demands that are made on them.
\nA prime example of this is the use of the word \u2019triage\u2019. It has been a subject of much discussion within the
\nforensic community. It should be noted that it does not mean a single triage tool rather it is a complete
\nprocess where certain tools will play a part but are not the whole solution.
\nThis guide is not intended to be an A-Z of digital forensics, or a specific \u201chow to do\u201d instruction manual. It
\nshould paint an overall picture and provides an underlying structure to what is required within Digital
\nForensic Units (DFUs). Therefore, the guide has been produced as a high-level document without the
\nspecific guidance included in previous versions, as this guidance is now available elsewhere. Where
\nrelevant, links to other guidance documents will be given.
\nIn this document Digital Forensic Unit is used to cover any type of group that is actively involved in the
\nprocessing of digital evidence.
\n6 NOT PROTECTIVELY MARKED ACPO Good Practice Guide for Digital Evidence, Version 5 (October 2011)
\nAssociation of Chief Police Officers of England, Wales & Northern Ireland
\n1. SECTION 1 \u2013 APPLICATION OF GUIDE
\n1.1 When reading and applying the principles of this guide, any reference made to the police service
\nalso includes the Scottish Crime and Drugs Enforcement Agency (SCDEA) and the Police Service for
\nNorthern Ireland (PSNI) unless otherwise indicated.
\n1.2 This guide is primarily written for the guidance of UK law enforcement personnel who may deal with
\ndigital evidence. This will include:
\n\u2022 Persons who are involved in the securing, seizing and transporting of equipment from
\nsearch scenes with a view to recovering digital evidence, as well as in the identification of
\nthe digital information needed to investigate crime;
\n\u2022 Investigators who plan and manage the identification, presentation and storage of digital
\nevidence, and the use of that evidence;
\n\u2022 Persons who recover and reproduce seized digital evidence and are trained to carry out the
\nfunction and have relevant training to give evidence in court of their actions. Persons who
\nhave not received appropriate training and are unable to comply with the
\nprinciples should not carry out this category of activity;
\n\u2022 Persons who are involved in the selection and management of persons who may be required
\nto assist in the recovery, identification and interpretation of digital evidence.
\n1.3 Since the previous version of the guide was published, the Forensic Science Regulator has published
\nnew draft Codes of Conduct and Practice covering forensic science throughout the UK. All
\npractitioners working in the field of digital forensics must abide by these codes.
\n2. SECTION 2 \u2013 THE PRINCIPLES OF DIGITAL EVIDENCE
\n2.1 PRINCIPLES
\n2.1.1 Principle 1: No action taken by law enforcement agencies, persons employed within those agencies
\nor their agents should change data which may subsequently be relied upon in court.
\n2.1.2 Principle 2: In circumstances where a person finds it necessary to access original data, that person
\nmust be competent to do so and be able to give evidence explaining the relevance and the
\nimplications of their actions.
\n2.1.3 Principle 3: An audit trail or other record of all processes applied to digital evidence should be
\ncreated and preserved. An independent third party should be able to examine those processes and
\nachieve the same result.
\n2.1.4 Principle 4: The person in charge of the investigation has overall responsibility for ensuring that
\nthe law and these principles are adhered to.
\n2.2 EXPLANATION OF THE PRINCIPLES
\n2.2.1 All digital evidence is subject to the same rules and laws that apply to documentary evidence.
\n2.2.2 The doctrine of documentary evidence may be explained thus: the onus is on the prosecution to
\nshow to the court that the evidence produced is no more and no less now than when it was first
\ntaken into the possession of law enforcement.
\n2.2.3 Operating systems and other programs frequently alter, add and delete the contents of electronic
\nstorage. This may happen automatically without the user necessarily being aware that the data has
\nbeen changed.
\n7 NOT PROTECTIVELY MARKED ACPO Good Practice Guide for Digital Evidence, Version 5 (October 2011)
\nAssociation of Chief Police Officers of England, Wales & Northern Ireland
\n2.2.4 In order to comply with the principles of digital evidence, wherever practicable, proportionate and
\nrelevant an image should be made of the device. This will ensure that the original data is preserved,
\nenabling an independent third party to re-examine it and achieve the same result, as required by
\nprinciple 3.
\n2.2.5 This may be a physical \/ logical block image of the entire device, or a logical file image containing
\npartial or selective data (which may be captured as a result of a triage process). Investigators should
\nuse their professional judgement to endeavour to capture all relevant evidence if this approach is
\nadopted.
\n2.2.6 In cases dealing with data which is not stored locally but is stored at a remote, possibly inaccessible
\nlocation it may not be possible to obtain an image. It may become necessary for the original data to
\nbe directly accessed to recover the data. With this in mind, it is essential that a person who is
\ncompetent to retrieve the data and then able to give evidence to a court of law makes any such
\naccess. Due consideration must also be given to applicable legislation if data is retrieved which
\nresides in another jurisdiction.
\n2.2.7 It is essential to display objectivity in a court of law, as well as the continuity and integrity of
\nevidence. It is also necessary to demonstrate how evidence has been recovered, showing each
\nprocess through which the evidence was obtained. Evidence should be preserved to such an extent
\nthat a third party is able to repeat the same process and arrive at the same result as that presented
\nto a court.
\n2.2.8 It should be noted that the application of the principles does not preclude a proportionate approach
\nto the examination of digital evidence. Those making decisions about the conduct of a digital
\ninvestigation must often make judgements about the focus and scope of an investigation, taking into
\naccount available intelligence and investigative resources. This will often include a risk assessment
\nbased on technical and non-technical factors, for example the potential evidence which may be held
\nby a particular type of device or the previous offending history of the suspect. Where this is done it
\nshould be transparent, decisions should be justifiable and the rationale recorded.
\n2.2.9 Application of the four principles will also be informed by:
\n\u2022 The Forensic Science Regulator\u2019s forthcoming Codes of Practice and Conduct;
\n\u2022 The guidance around digital forensic process improvements developed by the National
\nPolicing Improvement Agency\u2019s Forensic 21 programme and those engaged in the collection,
\nexamination or reporting of digital evidence should also refer to that guidance.
\n3. SECTION 3 \u2013 PLAN
\n3.1 This also refers to the:
\n\u2022 The NPIA Forensic21 HTCU Computer Examination Process, 2011
\n\u2022 The SCDEA HTCU Guidance.
\n3.2 The proliferation of digital devices and the advances in digital communications mean that digital
\nevidence is now present or potentially present in almost every crime.
\n3.3 Digital evidence can be found in a number of different locations:
\n\u2022 Locally on an end-user device \u2013 typically a user\u2019s computer, mobile\/smart phone, satellite
\nnavigation system, USB thumb drive, or digital camera;
\n\u2022 On a remote resource that is public \u2013 for example websites used for social networking,
\ndiscussion forums, and newsgroups;
\n\u2022 On a remote resource that is private \u2013 an internet Service Provider\u2019s logs of users\u2019 activity, a
\nmobile phone company\u2019s records of customers\u2019 billing, a user\u2019s webmail account, and
\nincreasingly common, a user\u2019s remote file storage;
\n8 NOT PROTECTIVELY MARKED ACPO Good Practice Guide for Digital Evidence, Version 5 (October 2011)
\nAssociation of Chief Police Officers of England, Wales & Northern Ireland
\n\u2022 In transit \u2013 for example mobile phone text messages, or voice calls, emails, or internet chat.
\n3.4 It would be quite common for evidence of a crime to be in more than one of the locations
\nmentioned above. However it might be much easier to obtain the evidence from one location rather
\nthan another; careful consideration should be given to the resources required to obtain the
\nevidence.
\n3.5 For example, if evidence is required of contact between two mobile phone numbers, the best
\nmethod would be to obtain call data from the Communication Service Providers via the force SPOC,
\nrather than to request a forensic examination of the mobile phones. The call data is likely to be
\nmore comprehensive than call logs from a mobile phone and the times and dates can be relied
\nupon, which is not necessarily the case with logs from a mobile phone.
\n3.6 In addition, investigators seeking to capture \u2018in transit\u2019 evidence must be aware of the implications
\nunder the Regulation of Investigatory Powers Act (RIPA) and the need to seek appropriate
\nauthorities for doing so. Further information is available from force SPOCs.
\n3.7 With the above in mind, it is important that investigators develop appropriate strategies to identify
\nthe existence of digital evidence and to secure and interpret that evidence throughout their
\ninvestigation.
\n3.8 Due consideration should always be given by the investigators of the benefits to the overall
\ninvestigation of conducting any digital forensic work. Proportionality should be assessed when a
\ndigital forensic strategy is being considered to ensure that limited resources for digital forensic
\ninvestigation are directed appropriately.
\n4. SECTION 4 \u2013 CAPTURE
\n4.1 This also refers to:
\n\u2022 Retrieval of Video Evidence and Production of Working Copies from Digital CCTV Systems
\nv2.0;
\n\u2022 Network forensics and volatile data collection \u2013 Appendix A;
\n\u2022 Crimes involving websites, forums and blogs \u2013 Appendix B.
\n4.2 PHYSICAL CRIME SCENES
\n4.2.1 There are many different types of digital media and end-user devices, which may be encountered
\nduring a search of a crime scene, all of which have the potential to hold data which may be of value
\nto the investigation. In order to preserve the data and achieve best evidence, these items must be
\nhandled and seized appropriately, and should be treated with as much care as any other item that is
\nto be forensically examined. This section is intended to assist individuals to ensure their actions in
\nrelation to seizure are correct.
\n4.3 PROPORTIONALITY ISSUES RELATING TO SEIZURE
\n4.3.1 Proportionality issues relating to seizure are:
\n\u2022 Before seizing an item, consider whether the item is likely to hold evidence. For example, is
\nthis a family computer or a computer belonging to a suspect?
\n\u2022 Ensure that details of where the item was found are recorded, which could assist in
\nprioritising items for examination at a later stage;
\n\u2022 Consider when the offence was committed; when seizing CCTV, give consideration to
\nnarrowing down what is seized, by camera and\/or time period. Check whether another
\nsystem may be better placed to record the evidence;
\n9 NOT PROTECTIVELY MARKED ACPO Good Practice Guide for Digital Evidence, Version 5 (October 2011)
\nAssociation of Chief Police Officers of England, Wales & Northern Ireland
\n\u2022 Differentiate between mobile phones found on a suspect (likely to be in current use) and
\nphones found in a drawer (may not be in current use), as different levels of examination
\nmay be possible for these;
\n\u2022 Also consider that evidence may be stored online, or on an internet service provider\u2019s
\nsystems, and end-user devices may only be needed to obtain the details necessary to
\nrequest this evidence from the service provider. If so, it is best to seize items in current
\nusage, i.e. computers connected to the internet.
\n4.3.2 Digital devices and media should not be seized just because they are there. The person in charge of
\nthe search must have reasonable grounds to remove property and there must be justifiable reasons
\nfor doing so. The search provisions of PACE Legislation Codes of Practice equally apply to digital
\ndevices and media in England, Wales and Northern Ireland. In Scotland, officers should ensure they
\nare acting within the terms of the search warrant.
\n4.3.3 Due regard should also be given to the application of the European Convention of Human Rights.
\n4.4 BEFORE ATTENDING A SCENE TO CAPTURE DIGITAL EVIDENCE
\n4.4.1 Persons responsible for the seizure of digital devices, or for on-scene capture of data, should ensure:
\n\u2022 They have the necessary equipment. (Refer to the First Responder\u2019s Guide for a detailed
\nbreakdown);
\n\u2022 They have considered potential sources of evidence and know what is likely to be relevant,
\nwhere possible.
\n4.4.2 Where an investigation is likely to involve the examination of user-created digital images,
\nconsideration should be given to the question of seizing of cameras and other devices capable of
\ntaking digital photographs. For example, in cases where a suspect is believed to have taken indecent
\nphotographs of children, seizure of devices capable of taking digital photos could be useful not only
\nfor the data they store, but also to link these devices to previously identified indecent photographs
\nby the examination of digital metadata (EXIF data).
\n4.4.3 Where necessary, specialist advice from a force\u2019s Digital Forensic Unit should be sought in advance.
\nIf given sufficient information about the investigation, DFUs will be able to advise on which items are
\nmost likely to provide the evidence sought.
\n4.5 WHEN ATTENDING A SCENE
\n4.5.1 To comply with principle 3, records must be kept of all actions taken in relation to digital evidence,
\nwhich could include photographs\/diagrams of equipment locations, details of any information
\nprovided by persons present, and records of any actions taken at the scene.
\n4.5.2 Refer to the First Responder\u2019s Guide for detailed guidance on seizure for individual items. However,
\npersons attending a scene should be especially aware that systems which are powered on
\n(running) need to be handled with care, as there is the potential to make unwanted changes to
\nthe evidence if these are not dealt with correctly. Such systems should only be accessed by
\nappropriately trained personnel. In addition, volatile data of evidential value may be lost.
\n4.6 CAPTURING ONLINE EVIDENCE
\n4.6.1 In some investigations the capture of digital evidence may be from an online rather than a physical
\nlocation. Detailed guidance on securing this evidence can be found in \u2018Crimes involving websites,
\nforums and blogs\u2019 and \u2018Network forensics and volatile data\u2019.
\n4.6.2 Online evidence can roughly be split into that which is publicly available (e.g. forum postings, where
\nthe forum does not require a login to view) and that which is private (e.g. Facebook account
\ninformation). There may be scope to obtain both (e.g. by capturing the text of a forum posting and
\nthen requesting the account details of the user who made the posting from the forum owner).
\n10 NOT PROTECTIVELY MARKED ACPO Good Practice Guide for Digital Evidence, Version 5 (October 2011)
\nAssociation of Chief Police Officers of England, Wales & Northern Ireland
\nInvestigators should be aware of the potential issues when capturing publicly available data,
\nIncluding the \u2018footprints\u2019 which are left when accessing a site, which can alert a website owner to
\nlaw enforcement interest.
\n4.6.3 Records should be kept of all actions taken when capturing online evidence in order to comply with
\nprinciple 3.<\/p>\n
5. SECTION 5 \u2013 ANALYSE
\n5.1 This also refers to:
\n\u2022 The NPIA Forensics21 HTCU Computer Examination Process, 2011;
\n\u2022 Forensic Science Regulator\u2019s Codes of Practice and Conduct;
\n\u2022 Digital Imaging Procedure v2.1.
\n5.2 Devices seized as part of a search will typically be submitted to the force Digital Forensic Unit in
\naccordance with force policy. Due to the volume and complexity of data stored on digital devices, it
\nis not possible or desirable to extract all data held on a device for review by investigators. Instead, a
\nforensic strategy needs to be formulated to enable the examination to be focused on the relevant
\ndata.
\n5.3 The National Policing Improvement Agency is currently formulating suggested processes for digital
\nexaminations involving computer and phone devices. Readers should refer to these processes for
\nmore specific detail of best practice digital examination processes. Other types of digital
\nexaminations should follow the same principles, briefly summarised below.
\n5.4 The investigator needs to properly consider the nature and purpose of the digital examination. The
\ninvestigator must be clear on what priorities are placed on the examination as it may well be that
\nkey information needs to be found in order to preserve evidence that may exist elsewhere. This is
\nparticularly the case where it relates to the existence of additional evidence, offenders and victims.
\n5.5 When submitting evidence to Digital Forensic Units, investigators must supply specific requirements.
\nIt is not practically possible to examine every item of digital data and clear tasking is needed to
\nensure that the digital forensic practitioner has the best chance of finding any evidence which is
\nrelevant to the investigation.
\n5.6 For more complex or lengthy investigations, an initial triage\/review of the digital evidence (whether
\nor not this is done using a specific triage tool) will give investigators and practitioners a better
\nunderstanding of the nature of the digital evidence held. The forensic strategy should be regularly
\nreviewed to take account of any changes in the direction of the investigation, which may occur as a
\nresult of digital forensic examination (for example, finding emails identifying a co-conspirator) or
\ninvestigations elsewhere (a witness identifying another person as being of interest to the
\ninvestigation). For this reason it is vital that the investigator and the digital forensic practitioner
\ncommunicate regularly regarding the progress of the investigation.
\n5.7 If initial examination results in a large amount of data to be reviewed, consideration must be given
\nto who is best placed to review that data. Often this will be the investigator, due to their greater
\nknowledge of the case. Dependent on the source, this data may include:
\n\u2022 Internet history records;
\n\u2022 E-mails;
\n\u2022 Instant Messaging Logs;
\n\u2022 Media files (images and videos);
\n\u2022 Text documents;
\n\u2022 Spreadsheets;
\n\u2022 CCTV;
\n\u2022 Text Messages.
\n11 NOT PROTECTIVELY MARKED ACPO Good Practice Guide for Digital Evidence, Version 5 (October 2011)
\nAssociation of Chief Police Officers of England, Wales & Northern Ireland
\n5.8 Collaboration with the Digital Forensic Unit will ensure that the significance of any reviewed data is
\nnot misunderstood. For example, when reviewing keyword hits which exist in deleted files, the
\nsignificance of a hit\u2019s location may need explanation from a digital forensic practitioner.
\n5.9 For mobile phone examinations, different levels of examination may be appropriate depending on
\nthe intelligence relating to the device and the requirements of the investigation. For example, a
\nphone which has been found in a drawer may be examined only to retrieve the necessary
\ninformation to request billing details and to establish whether it is owned by the suspect (level 1). A
\nphone which is known to be in regular use by a suspect in a high profile investigation may be
\nsubject to a much more in-depth examination involving the retrieval of deleted data and potentially
\nthe physical removal and examination of memory chips (level 4). These examination levels are
\noutlined in the NPIA mobile phone SOPs.
\n5.10 INTERPRETATION OF DIGITAL DATA
\n5.10.1 As with other forensic evidence, interpretation is often required to ensure the evidential weight of
\nrecovered digital evidence is clear. Practitioners who undertake the interpretation of digital data
\nmust be competent to do so and have had sufficient training to undertake the task assigned to
\nthem.
\n5.10.2 As an example, the presence of indecent images of children on a computer would not in itself be
\nsufficient evidence of possession, as the possessor must be aware of the existence of the images. A
\ndigital forensic practitioner may interpret the presence of other digital evidence (such as a list of
\nrecently opened files, recent search terms, the name and location of folders\/files containing the
\nmaterial, or whether or not the computer is password protected) to establish the likelihood of the
\nuser being aware of the existence of these images.
\n5.10.3 Establishing the provenance of digital evidence is another key task of the forensic practitioner, who
\nmust use their knowledge and skills to identify not just that the evidence exists but also how it came
\nto be there. This is common to all forensic disciplines; for example, the presence of a defendant\u2019s
\nfingerprint on a bottle at the crime scene may not have any bearing on whether the defendant
\ncommitted the crime if the bottle may have been carried there by someone else. It is the
\nresponsibility of the practitioner to carry out analysis to identify provenance where necessary, to
\nmitigate the risk of their findings being misinterpreted.
\n5.10.4 Often the role of the digital forensic practitioner will be to make investigators and prosecutors aware
\nof the limitations of the digital evidence as well as its strengths.
\n5.10.5 It must also be borne in mind that the development of digital technology is dynamic and the
\npractitioners may well face significant challenges to their knowledge. It is not possible to be an
\nexpert in all aspects of digital forensic examination, but a practitioner should be aware of the limits
\nof their knowledge and where further research or additional specialist knowledge is required.
\n6. SECTION 6 \u2013 PRESENT
\n6.1 This also refers to:
\n\u2022 NPIA Forensics21 process maps;
\n\u2022 CPS disclosure manual, annex K.
\n6.2 Communication of the results of a digital forensic examination may be through a number of means:
\n\u2022 Verbally to an investigator\/officer throughout a case;
\n\u2022 By a statement or report on conclusion of the case;
\n\u2022 In court if witness evidence is required.
\n12 NOT PROTECTIVELY MARKED ACPO Good Practice Guide for Digital Evidence, Version 5 (October 2011)
\nAssociation of Chief Police Officers of England, Wales & Northern Ireland
\n6.3 In all cases a digital forensic practitioner must be aware of their duty of impartiality and that they
\nmust communicate both the extent and the limitations of the digital forensic evidence. This is
\nespecially important as, due to the nature of digital forensic evidence, it is not always immediately
\nunderstandable by the layman.
\n6.4 VERBAL FEEDBACK
\n6.4.1 This should be given regularly throughout the progress of an examination. In this way it will enable
\nthe investigator to pursue relevant lines of enquiry as these become evident, and will ensure that
\nthe practitioner is up-to-date with any information required to better target their investigation.
\n6.4.2 It is important that this communication be recorded for potential disclosure at a later date. Good
\npractice would be for a verbal conversation to be followed up via email, or to be recorded in
\ncontemporaneous notes.
\n6.5 STATEMENTS OR REPORTS
\n6.5.1 The statement or report is the ultimate product of the examination. It should outline the
\nexamination process and the significant data recovered. Whilst an initial report may be relatively
\nbrief, the practitioner should be in a position to produce a full technical report should one later be
\nrequired.
\n6.5.2 The report should be written to be understandable to the reader; this may include the use of a
\nglossary, diagrams\/screenshots to illustrate points, the use of examples and avoidance of technical
\njargon.
\n6.5.3 When particular items are reproduced in a report, care should be taken to ensure that the
\nrepresentation is accurate. For example, pictures should not be reproduced at a larger size without
\nthis being made clear in the report. If a report is produced digitally, items should be reproduced
\nwhere possible in their original file formats, to ensure that those viewing will see the item as close as
\npossible to its original appearance. If this is not appropriate (for example, if a file needs to be
\nconverted to a more common format for reviewing) then the fact that it has been converted must be
\nstated in the report. Where it is not possible to reproduce the item as it would have originally been
\nviewed, for example, when a webpage is retrieved some time after the original page was accessed,
\nthis must also be clearly stated in the report.
\n6.5.4 The report should make clear the strength of any conclusions reached and always identify where an
\nopinion is being given, to distinguish this from fact. Where opinion evidence is provided, the
\npractitioner must state the facts on which this is based, and how he or she came to this conclusion.
\n6.6 WITNESS EVIDENCE
\n6.6.1 A practitioner may need to testify about not only the conduct of the examination, but also the
\nvalidity of the procedure and their experience and qualifications to conduct the examination.
\n6.6.2 Expert witness training should be considered for digital forensic practitioners so they are familiar
\nwith the process of giving evidence and aware of their responsibilities as witnesses. A digital
\nforensic practitioner will not always be giving expert evidence and should clearly understand the
\ndistinction between expert evidence and evidence of fact.
\n6.6.3 When giving evidence, practitioners must make clear when they are expressing facts and when they
\nare giving opinions, as above. Practitioners, when giving expert evidence, must take care to do so
\nonly where it relates to their own area of expertise and remember that their duty when giving
\nevidence (whether it be in report form or as a witness) is to the court, regardless of which party has
\ninstructed them.
\n13 NOT PROTECTIVELY MARKED ACPO Good Practice Guide for Digital Evidence, Version 5 (October 2011)
\nAssociation of Chief Police Officers of England, Wales & Northern Ireland
\n6.7 CONTEMPORANEOUS NOTES
\n6.7.1 It is worth repeating at this point that full records should be made of all actions taken. These must
\nbe disclosed to the defence who may subsequently cause a further examination to be conducted. A
\nsignificant part of such an examination will be to validate the actions and results of the original
\nexamination. Such records are also part of the unused material for the case under investigation.
\n7. SECTION 7 \u2013 GENERAL
\n7.1 TRAINING AND EDUCATION
\n7.1.1 Also refers to:
\n\u2022 ACPO Good Practice and Advice Guide for Managers of e-Crime Investigations (\u2018Managers\u2019
\nGuide\u2019).
\n7.1.2 The general principle of training in digital investigation significantly differs from usual police training.
\nOwing to the rapidly changing environment of technology, there is a requirement for the continuous
\nbut essential retention and updating of skills.
\n7.1.3 Readers should refer to the section concerning training in the Good Practice and Advice Guide for
\nManagers of e-Crime Investigations.
\n7.1.4 It is also the personal responsibility of any person working within the area of digital forensics to
\nmaintain their knowledge of the subject areas they are involved in. Formal training is just one route,
\nbut there is also a vast amount of open-source information available for self development and
\nawareness. (Practitioners should be mindful that the veracity of open-source information cannot
\nalways be established, and should critically evaluate any information sourced in this way.)
\nProfessional development can also be progressed by attending conferences and technical
\nworkshops, conducting independent research, participating in online specialist forums or by
\ndiscussions with subject matter experts in other forces or agencies.
\n7.1.5 Police personnel should also be aware of POLKA (Police On-Line Knowledge Area), an information
\nsharing resource where there are digital forensic communities that discuss numerous topics and a
\nlibrary of some relevant documentation.
\n7.2 WELFARE IN THE WORKPLACE
\n7.2.1 Also refers to:
\n\u2022 ACPO Good Practice and Advice Guide for Managers of e-Crime Investigations.
\n7.2.2 There are a number of aspects concerning the welfare of staff working within the digital forensic
\narea and the risks associated with that type of work:
\n\u2022 The psychological effect of viewing disturbing material including indecent images of children
\n(IIOC);
\n\u2022 Electrical safety;
\n\u2022 Ergonomics, including working with Display Screen Equipment (DSE);
\n\u2022 Biohazards.
\n7.2.3 Both staff and managers should be aware of the potential impacts of these and take steps to
\nminimise their effect. For further details, refer to the Managers\u2019 Guide.
\n14 NOT PROTECTIVELY MARKED ACPO Good Practice Guide for Digital Evidence, Version 5 (October 2011)
\nAssociation of Chief Police Officers of England, Wales & Northern Ireland
\n7.3 DIGITAL FORENSIC CONTRACTORS
\n7.3.1 Also refers to:
\n\u2022 ACPO Good Practice and Advice Guide for Managers of e-Crime Investigations;
\n\u2022 Forensic Regulator\u2019s Codes of Practice and Conduct.
\n7.3.2 Where the services of commercial forensic service providers are required by law enforcement, it is
\nimportant to select external consulting witnesses\/forensic practitioners carefully. Any external
\npractitioner should be familiar with, and agree to comply with, the principles of digital evidence
\nreferred to in this guide.
\n7.3.3 Selection of external providers, particularly in the more unusual or highly technical areas, can be a
\nproblem for the investigator. Digital forensic units may be able to offer more advice on the criteria
\nfor selection.
\n7.3.4 Readers should refer to the ACPO Managers\u2019 Guide for further suggestions on the practical aspects
\nof selecting an external forensic service provider (including such aspects as security clearance and
\nphysical security requirements or procurement issues). They should also ensure that any forensic
\nservice provider engaged on law enforcement work is able to work in accordance with the Forensic
\nRegulator\u2019s Codes of Practice and Conduct which requires ISO accreditation (ISO 17025 and ISO
\n17020). The Regulator will expect compliance for all digital forensic services by 2014, but
\nprocurement frameworks and contracts should be looking at compliance for external service
\nproviders in advance of this date.
\n7.3.5 When engaging the services of digital forensic contractors, processes and policies for the retention
\nof case-related data should be considered, both on an ongoing basis and following the termination
\nof the contract. Contractors and those engaging them must comply with the terms of the Data
\nProtection Act, and with any local policies of the engaging organisation.
\n7.4 DISCLOSURE
\n7.4.1 Also refers to:
\n\u2022 Attorney General\u2019s Guidelines on Disclosure (revised April 2005);
\n\u2022 CPS Disclosure Manual.
\n7.4.2 The particular issues relating to disclosure of digital evidence are typically those of volume. A digital
\ninvestigation may involve the examination of a vast amount of data and it is not always
\nstraightforward for investigators and prosecutors to discharge their disclosure obligations in respect
\nof this. For example, the average hard disk is now larger than 200 gigabytes and this, if printed out
\non A4 paper, would be 10,000,000 pages long. In addition, the nature of digital evidence means it is
\nnot always possible to create a static representation which preserves the nature of the original
\nevidence (e.g. of a database) and in some cases data can only be disclosed electronically, such as
\nCCTV.
\n7.4.3 The Criminal Procedure and Investigations Act 1996 (CPIA) came into force on 1 April 19971
\n. The
\nAct, together with its Code of Practice, introduced a statutory framework for the recording,
\nretention, revelation and disclosure of unused material obtained during criminal investigations
\ncommenced on or after that date.
\n7.4.4 Additional guidance for investigators and prosecutors to assist them in complying with their statutory
\nduties is set out in the Attorney General\u2019s Guidelines on Disclosure (revised April 2005). ACPO and
\nthe CPS have also agreed detailed joint operational instructions for handling unused material,
\ncurrently set out in the Disclosure Manual.<\/p>\n
1
\nIt has recently been amended in key respects following the implementation of some of the provisions of Part V of the Criminal Justice
\nAct 2003, as of 4 April 2005
\n15 NOT PROTECTIVELY MARKED ACPO Good Practice Guide for Digital Evidence, Version 5 (October 2011)
\nAssociation of Chief Police Officers of England, Wales & Northern Ireland
\n7.4.5 What follows should be regarded as a very brief summary of some of the relevant guidance in the
\nDisclosure Manual. It is not intended as a replacement for the detailed guidance provided in the
\nManual itself.
\n7.4.6 Even in relatively straightforward cases, investigators may obtain, and even generate, substantial
\nquantities of material. Some of this material may in due course be used as evidence: for example,
\nphysical exhibits recovered from the scene of the crime or linked locations, CCTV material, forensic
\nevidence, statements obtained from witnesses and tape recordings of defendants interviewed under
\ncaution before charge. The remaining material is the \u2018unused material\u2019, and it is this material which
\nis the subject of the procedure for disclosure created under the CPIA.
\n7.4.7 Generally material must be examined in detail by the disclosure officer or the deputy but,
\nexceptionally, the extent and manner of inspecting, viewing or listening will depend on the nature of
\nthe material and its form. For example, it might be reasonable to examine digital material by using
\nsoftware search tools. If such material is not examined in detail, it must nonetheless be described on
\nthe disclosure schedules accurately and as clearly as possible. The extent and manner of its
\nexamination must also be described together with justification 2
\nfor such action.
\n7.4.8 The CPIA Code of Practice also provides guidance concerning the duty to pursue all reasonable lines
\nof enquiry, in relation to computer material3
\n. Examination of material held on a computer may
\nrequire expert assistance and, in some cases, Digital Evidence Recovery Officers (DEROs) may be
\ncommissioned to help extract evidence and assist with unused material. DEROs may be police
\nofficers, police staff or external service providers. The use of DEROs and related matters is discussed
\nin detail in Annex H of the Disclosure Manual.
\n7.4.9 It is important that the material is inspected and described on the unused material schedule, in
\naccordance with the above guidance, as it is the schedules (non-sensitive and sensitive) which are,
\nin due course, revealed to the prosecutor, in order that the latter can comply with the duty under
\nsection 3 CPIA to provide primary disclosure to the accused (or initial disclosure, where the criminal
\ninvestigation in question has commenced on or after 4 April 2005).
\n7.4.10 Whether the material is disclosed under section 3 of the CPIA, following service of a statement, or
\nafter an application for specific disclosure under section 8 of the Act, disclosure may be in the form
\nof providing a copy or copies of the material in question to the defence. It may also be by permitting
\nthe defence (or a suitable expert, instructed by the defence) access to the actual material. Guidance
\nconcerning this is set out in the Disclosure Manual, 30.8 \u2013 30.13.
\n7.4.11 It is important to note that where the computer material consists of sensitive images falling within
\nsection 1(1) (a) of the Protection of Children Act 1978, the guidance set out in the Memorandum of
\nUnderstanding Between CPS and ACPO concerning Section 46 Sexual Offences Act 2003 (signed on
\n4th October 2004) should be followed.
\n7.4.12 In Scotland, the question of disclosure is fundamentally different from that in England and Wales
\nand is one specifically for the Procurator Fiscal. The question of disclosure was judicially considered
\nin the case of McLeod Petitioner, 1988, SLT233. There is no obligation upon the Crown to produce
\nevery document in their possession that has any connection with the case. It is the duty of the
\nProcurator Fiscal to disclose anything that is relevant to establish the guilt or innocence of the
\naccused. The court will not lightly interfere with the view of the Procurator Fiscal.<\/p>\n
2
\nParagraph 27, Attorney General\u2019s Guidelines on Disclosure (2005) 3
\nCPIA Code of Practice, paragraph 3.5
\n16 NOT PROTECTIVELY MARKED ACPO Good Practice Guide for Digital Evidence, Version 5 (October 2011)
\nAssociation of Chief Police Officers of England, Wales & Northern Ireland
\n7.5 LEGISLATION
\n7.5.1 Also refers to:
\n\u2022 Legislation.gov.uk;
\n\u2022 ACPO Good Practice and Advice Guide for Managers of e-Crime Investigations.
\n7.5.2 A wide variety of legislation may apply in examinations of digital evidence. Some of the most
\nrelevant is detailed below.
\ni. Computer Misuse Act 1990 (UK Wide)
\n(http:\/\/www.legislation.gov.uk\/ukpga\/1990\/18\/introduction)
\nS1 Unauthorised Access To Computer Material
\n\u2022 It is an offence to cause a computer to perform any function with intent to gain
\nunauthorised access to any program or data held in any computer. It will be necessary to
\nprove the access secured is unauthorised and the suspect knows this is the case. This is
\ncommonly referred to as \u2018hacking\u2019.
\n\u2022 The Police and Justice Bill 2006 amended the maximum penalty for Section 1 offences. The
\noffence is now triable either way, i.e. in the Magistrates Court or the Crown Court. The
\nmaximum custodial sentence has been increased from six months to two years.
\nS2 Unauthorised Access with Intent to Commit Other Offence
\n\u2022 An offence is committed as per S1 but the S1 offence is committed with the intention of
\ncommitting an offence or facilitating the commission of an offence. The offence to be
\ncommitted must carry a sentence fixed by law or carry a sentence of imprisonment of 5
\nyears or more. Even if it is not possible to prove the intent to commit the further offence,
\nthe S1 offence is still committed. Max penalty: 5 years imprisonment.
\nS3 Unauthorised Acts with Intent to Impair Operation
\n\u2022 An offence is committed if any person does an unauthorised act with the intention of
\nimpairing the operation of any computer. This \u2018impairment\u2019 may be such that access to data
\nis prevented or hindered or that the operation or reliability of any program is affected. This
\noffence carries a maximum penalty of ten years imprisonment. This offence is used instead
\nof the Criminal Damage Act 1971, since it is not possible to criminally damage something
\nthat is not tangible. The Police and Justice Bill 2006 amended the original Section 3
\nComputer Misuse Act offence, unauthorised modification, and increased the maximum
\npenalty to ten years imprisonment.
\nS3A Making, Supplying or Obtaining Article for Use in S1 or S3 offences
\n\u2022 The Police and Justice Bill 2006 created a new S3A offence of making, supplying (including
\noffers to supply) or obtaining articles for use in S1 or S3 computer misuse offences. The
\nmaximum penalty for this offence is two years imprisonment.
\nS10 Saving For Certain Law Enforcement Powers
\n\u2022 This section explains that S1 of the Act has effect without prejudice to the operation in
\nEngland, Wales or Scotland of any enactment relating to powers of inspection, search and
\nseizure.
\nS17 Interpretation
\n\u2022 This section assists by explaining the meaning of some of the words and phrases used
\nwithin the Act.
\n17 NOT PROTECTIVELY MARKED ACPO Good Practice Guide for Digital Evidence, Version 5 (October 2011)
\nAssociation of Chief Police Officers of England, Wales & Northern Ireland
\nii. The Police & Criminal Evidence Act 1984
\n(http:\/\/www.legislation.gov.uk\/ukpga\/1984\/60\/contents)
\n\u2022 This legislation does not apply in Scotland unless officers from England, Wales and Northern
\nIreland are using their cross-border policing powers and procedures.
\n\u2022 Schedule 1 details the procedure by which special procedure material and excluded material
\ncan be obtained.
\n\u2022 A circuit judge can order that such material be produced to a constable for him to take away
\nor that such material be made available for the constable to access within seven days of the
\norder. For information held on a computer, an order can be made that the material is
\nproduced in a visible and legible form in which it can be taken away.
\nOr, an order can be made giving a constable access to the material in a visible and legible
\nform within seven days of the order.
\nS8 Search Warrant
\n\u2022 A justice of the peace can issue a search warrant, if it is believed an indictable offence has
\nbeen committed and evidence of that offence is on the premises. This warrant may, as per
\nS16 of PACE, also authorise persons who can accompany the officers conducting the search
\n\u2013 for example a computer expert.
\nS19 General Power of Seizure
\n\u2022 This details the power by which an officer can seize items and the circumstances in which
\nthey can be seized.
\nS20 Extension of Powers of Seizure to Computerised Information
\n\u2022 This section details the power for requiring information held on a computer to be produced
\nin a form in which it can be taken away and in which it is visible and legible.
\nS21 Access and Copying
\n\u2022 This section details the power in relation to having items seized accessed and copied to
\nother relevant parties.
\nS22 Retention
\n\u2022 This details the circumstances in which seized property can be retained.
\nS78 Exclusion of Unfair Evidence
\n\u2022 The court can exclude evidence where, with regard to all the circumstances, it would have
\nan adverse effect on the fairness of the proceedings.
\niii. Criminal Justice & Police Act 2001 (England, Wales & NI.)
\n(http:\/\/www.legislation.gov.uk\/ukpga\/2001\/16\/contents)
\nS50 (re search and seizure \u2013 bulk items)
\n\u2022 Describes the power by which an item can be seized, if it is believed it may be something or
\nit may contain an item or items for which there is a lawful authorisation to search.
\n18 NOT PROTECTIVELY MARKED ACPO Good Practice Guide for Digital Evidence, Version 5 (October 2011)
\nAssociation of Chief Police Officers of England, Wales & Northern Ireland
\nS50 (1)
\n\u2022 Where a person is lawfully on premises carrying out a search and it is not practicable to
\ndetermine at the time if an item found is something that he is entitled to seize, or if the
\ncontents of an item are things that he is entitled to seize, the item can be taken away for
\nthis to be determined. There must be reasonable grounds for believing the item may be
\nsomething for which there was authorisation to search.
\nS50 (2)
\n\u2022 Where a person is lawfully on premises and an item for which there is a power to seize is
\nfound, but it is contained within an item for which there would ordinarily be no power to
\nseize and it is not practicable to separate them at the time, both items can be seized.
\n7.5.3 Factors to be considered prior to removing such property:
\n\u2022 How long would it take to determine what the item is or to separate the items?
\n\u2022 How many people would it take to do this within a reasonable time period?
\n\u2022 Would the action required cause damage to property?
\n\u2022 If the items were separated, would it prejudice the use of the item that is then seized?
\n\u2022 Once seized, the items must be separated or identified as soon as practicable. Any item
\nfound, which was seized with no power to do so, must be returned as soon as reasonably
\npracticable. Items of legal privilege, excluded material and special procedure material,
\nshould also be returned as soon as practicable, if there is no power to retain them.
\n7.5.4 It should be noted that the use of this act gives additional rights (such as the right to be present
\nduring examination) to the owner of the property.
\n7.5.5 Equivalent powers in Scotland are granted under:<\/p>\n
\u2022 Civic Government Scotland Act 1982;
\n\u2022 Criminal Procedure Scotland Act 1995;
\n\u2022 Common Law.
\n7.5.6 SEXUAL OFFENCES ACT 2003 (http:\/\/www.legislation.gov.uk\/ukpga\/2003\/42\/contents)
\n46 Criminal proceedings, investigations etc. E+W+N.I.
\n(1)After section 1A of the Protection of Children Act 1978 (c. 37) insert\u2014
\n\u201c1B Exception for criminal proceedings, investigations etc.
\n(1) In proceedings for an offence under section 1(1)(a) of making an indecent photograph or
\npseudo-photograph of a child, the defendant is not guilty of the offence if he proves that\u2014
\n(a) it was necessary for him to make the photograph or pseudo-photograph for the purposes of
\nthe prevention, detection or investigation of crime, or for the purposes of criminal proceedings, in
\nany part of the world,
\n(b) at the time of the offence charged he was a member of the Security Service, and it was
\nnecessary for him to make the photograph or pseudo-photograph for the exercise of any of the
\nfunctions of the Service, or
\n(c) at the time of the offence charged he was a member of GCHQ, and it was necessary for him
\nto make the photograph or pseudo-photograph for the exercise of any of the functions of GCHQ.
\n(2) In this section \u201cGCHQ\u201d has the same meaning as in the Intelligence Services Act 1994.\u201d
\n7.5.7 CORONERS AND JUSTICE ACT 2009 (Came into force on 06 April 2010)
\n(http:\/\/www.legislation.gov.uk\/ukpga\/2009\/25\/contents)
\n19 NOT PROTECTIVELY MARKED ACPO Good Practice Guide for Digital Evidence, Version 5 (October 2011)
\nAssociation of Chief Police Officers of England, Wales & Northern Ireland
\n7.5.8 CPS guidance regarding prohibited images of children can be found at:
\nhttps:\/\/www.cps.gov.uk\/legal\/p_to_r\/prohibited_images_of_children\/
\n\u2022 Sections 62-68 deal with “possession of prohibited images of children”.
\n7.5.9 The offence targets certain non-photographic images of children, possession of which is
\nnot covered by previously existing legislation.
\n7.5.10 A prohibited image is pornographic and concentrates on genitals or shows a sex act and is grossly
\noffensive, disgusting, or otherwise of an obscene character.
\n7.5.11 An image is of a child if impression conveyed is that of a child or the predominant impression is that
\nof a child despite some physical characteristics shown are not those of a child.
\n7.5.12 If the image is in a series then the context of the series can be used to determine if the individual
\nimage is prohibited or not.
\n7.5.13 Classified films are excluded (unless an individual is in possession of a still or clip that has been
\nextracted solely or principally for the purpose of sexual arousal).
\n7.5.14 There is a defence of having a legitimate reason for possession, or having not seen the image and
\nnot knowing, nor having cause to suspect, it was a prohibited image.
\n7.5.15 The maximum penalty is 3 years\u2019 imprisonment.
\n7.6 OTHER LEGISLATION
\n7.6.1 For additional guidance or information in relation to legislation not listed, investigators may wish to
\nconsult the Police National Legal Database (PNLD) or the UK Legislation website (which replaces the
\nOffice of Public Sector Information (OPSI) and Statute Law databases), available online at
\nhttp:\/\/www.legislation.gov.uk.
\n20 NOT PROTECTIVELY MARKED ACPO Good Practice Guide for Digital Evidence, Version 5 (October 2011)
\nAssociation of Chief Police Officers of England, Wales & Northern Ireland<\/p>\n
GLOSSARY OF TERMS\/ABBREVIATIONS USED IN THIS GUIDE
\nACPO: Association of Chief Police Officers
\nDFU: Digital Forensic Unit
\nNPIA: National Police Improvement Agency
\nIIOC: Indecent Images Of Children
\nSPOC: Single Point Of Contact
\nRIPA: Regulation Of Investigatory Powers Act
\nRIPSA: Regulation Of Investigatory Powers (Scotland) Act
\nDPA: Data Protection Act
\nCCTV: Closed Circuit Television
\nIP Address: Internet Protocol Address – numerical address assigned to device in a computer network that
\nuses the Internet protocol for communications.
\nPACE: Police & Criminal Evidence Act 1984
\nSIM: A subscriber identity module or subscriber identification module (SIM) on a removable SIM card
\nsecurely stores the service-subscriber key (IMSI) used to identify a subscriber on mobile telephony devices
\n(such as mobile phones and computers).
\nPUK: PIN Unlock Key (PUK)
\nCSP\/ISP: Communications Service Provider\/Internet Service Provider
\n21 NOT PROTECTIVELY MARKED ACPO Good Practice Guide for Digital Evidence, Version 5 (October 2011)
\nAssociation of Chief Police Officers of England, Wales & Northern Ireland
\nREFERENCES
\n\u2022 ACPO Good Practice and Advice Guide for Managers of e-Crime Investigations (\u2018Managers\u2019
\nGuide\u2019)
\nhttp:\/\/www.acpo.police.uk\/documents\/crime\/2011\/20110301%20CBA%20ACPO%20manag
\ners_guide_v10.1.4%20for%20ecrime%20investigations_2011.pdf
\n\u2022 Attorney General\u2019s Guidelines on Disclosure (revised April 2005)
\nhttp:\/\/www.cps.gov.uk\/legal\/a_to_c\/attorney_generals_guidelines_on_disclosure\/
\n\u2022 Crimes involving websites, forums and blogs
\n\u2022 CPS disclosure manual
\nhttp:\/\/www.cps.gov.uk\/legal\/d_to_g\/disclosure_manual\/
\n\u2022 Digital Imaging Procedure v2.1
\nhttp:\/\/tna.europarchive.org\/20100413151426\/http:\/\/scienceandresearch.homeoffice.gov.uk\/
\nhosdb\/publications\/cctv-publications\/DIP_2.1_16-Apr08_v2.3_(Web)47aa.html?view=Standard&pubID=555512
\n\u2022 First Responder\u2019s Guide
\n\u2022 Forensic Science Regulator\u2019s Codes of Practice and Conduct
\nhttp:\/\/www.homeoffice.gov.uk\/publications\/agencies-public-bodies\/fsr\/codes-conductpractice?view=Standard&pubID=868070
\n\u2022 Network forensics and volatile data collection
\n\u2022 NPIA Forensics21 HTCU Computer Examination Process, 2011
\n\u2022 NPIA mobile phone SOPs
\n\u2022 Retrieval of Video Evidence and Production of Working Copies from Digital CCTV Systems
\nv2.0
\nhttp:\/\/tna.europarchive.org\/20100413151426\/http:\/\/scienceandresearch.homeoffice.gov.uk\/
\nhosdb\/publications\/cctv-publications\/66-
\n08_Retrieval_of_Video_Ev13c4f.html?view=Standard&pubID=585513
\n\u2022 SCDEA guidance
\n22 NOT PROTECTIVELY MARKED ACPO Good Practice Guide for Digital Evidence, Version 5 (October 2011)
\nAssociation of Chief Police Officers of England, Wales & Northern Ireland
\nACKNOWLEDGEMENTS
\nReview Board members
\nPaul Birch (Serious Fraud Office)
\nLisa Burrell (Police Central e-Crime Unit)
\nRick Conway (Surrey Police)
\nSteve Edwards (Police Central e-Crime Unit)
\nDennis Edgar-Neville (Canterbury University\/British Computer Society)
\nDanny Faith (NTAC\/F3)
\nSteve Guest (IACIS)
\nDan Haagman (7-Safe)
\nSonny Hanspal (NPIA)
\nKeith McDevitt (SCDEA)
\nJelle Niemantsverdriet (VerizonBusiness)
\nBev Nutter (MPS-DEFS)
\nHarry Parsonage (Nottingham Police)
\nPeter Salter (PSNI)
\nLindy Shepherd (Cranfield University)
\nPaul Slater (PWC)
\nRob Watson (7-Safe)
\nAlastair Wilson (SCDEA)
\nMark Wilson (MPS-DOI)
\nPaul Wright (VerizonBusiness)
\nOther acknowledgments
\nEsther George (CPS)
\nJane Stevenson (Workplace Wellbeing)
\nEddie Fisher (MPS-DEFS)
\n23 NOT PROTECTIVELY MARKED ACPO Good Practice Guide for Digital Evidence, Version 5 (October 2011)
\nAssociation of Chief Police Officers of England, Wales & Northern Ireland
\nAPPENDIX A
\nNETWORK FORENSICS
\nHome and corporate network environments
\nNetworks of computers are becoming more common in the domestic environment and are well established in
\ncorporate settings. In the home, they are usually based around the broadband Internet connection, which
\noften also offers functionality to set up a small internal (and often wireless) network within the household.
\nIn corporate environments, more advanced network setups can be found, for which no generic description
\ncan be given.
\nThe use of wireless networks in both the corporate and home environment is also increasing at a
\nconsiderable rate. To the forensic investigator, this presents a number of challenges and an increased
\nnumber of potential artefacts to consider. Owing to the potential complexity of \u2018technical\u2019 crime scenes,
\nspecialist advice should be sought when planning the digital evidence aspect of the forensic strategy.
\nWireless devices
\nA whole range of wired and wireless devices may be encountered:<\/p>\n
\u25cf Network devices which connect individual systems or provide network functionality: Switches, hubs,
\nrouters, firewalls (or devices which combine all three).
\n\u25cf Devices to connect individual computers to the network, such as network cards (which can also be
\nembedded within the computer)
\n\u25cf Devices to set up a wireless network: Wireless Access Points.
\n\u25cf Printers and digital cameras.
\n\u25cf Bluetooth (small range wireless) devices \u2013 PDAs, mobile phones, dongles.
\n\u25cf Hard drives which can be connected to the network.
\nWireless networks cannot be controlled in the same way as a traditionally cabled solution and are potentially
\naccessible by anyone within radio range. The implications of this should be carefully considered when
\nplanning a search or developing the wider investigative strategy. A device, such as a computer or a hard
\ndrive, may not be located on the premises where the search and seizure is conducted.
\nHome networks and data
\nIf devices are networked, it may not be immediately obvious where the computer files and data, which are
\nbeing sought, are kept. Data could be on any one of them. Networks, both wired and wireless, also enable
\nthe users of the computers to share resources; such as printers, scanners and connections to the Internet. It
\nmay well be the case that if one of the computers is connected to the Internet, some or all of the others are
\nalso.
\nWith the widespread use of broadband type Internet subscriptions such as ADSL and cable, the Internet
\nconnection is nowadays likely to be of an \u2018always on\u2019 type connection. This implies that even if no-one is
\napparently working on a computer or using the Internet, there may be data passing to and from computers
\nor between the network and the Internet.
\nIf a wired network is present, there will usually be a small box (called a \u2018hub\u2019 or a \u2018switch\u2019) also present,
\nconnecting the computers together. Hubs, switches and routers look very much the same as one another.
\nThe network cables are usually connected at the rear.
\nThe network may also be connected to another device (called a Cable Modem or a ADSL Modem) providing
\naccess to the Internet. Sometimes, the hub\/switch\/router mentioned before are combined with these
\nmodems in one device.
\n24 NOT PROTECTIVELY MARKED ACPO Good Practice Guide for Digital Evidence, Version 5 (October 2011)
\nAssociation of Chief Police Officers of England, Wales & Northern Ireland
\nOne wire from a modem will usually be connected to the telephone or television cable system and another
\nwire will be connected either to one of the computers present or directly to the network hub, or the modem
\nitself may be incorporated within the hub in a modem\/router.
\nOperation planning in networked environments
\nWhen planning an operation involving a network, consider carefully the possibility of remote access, i.e.
\nperson(s) accessing a network with or without permissions from outside the target premises. Investigators
\nshould consider the possibility of nefarious activity being carried out through the insecure network of an
\ninnocent party. The implications of such a scenario are that search warrants could be obtained on the basis
\nof a resolved Internet Protocol address, which actually relates to an innocent party. The implications are
\npotentially unlawful searches, legal action taken against the relevant investigative agency and a waste of
\nresources.
\nConsider also the possibility of a computer\u2019s access to remote online storage, which may physically reside in
\na foreign jurisdiction. This can include web-based services for email, photo or document storage or other
\napplications offered via the Internet. There will be legal issues in relation to accessing any such material.
\nLegal advice should be sought prior to any access or retrieval and often the provider of the particular service
\nwill have to be contacted to ensure that material is preserved while the relevant mutual legal assistance
\nrequests are being arranged.
\nNetwork detection
\nNetwork detecting and monitoring is a specialist area and should not be considered without expert advice.
\nRecommendations for dealing with networks and wireless implementations involve the following steps:
\n\u25cf Identify and check network devices to see how much network or Internet activity is taking place.
\nConsider using a wireless network detector to determine whether wireless is in operation and to
\nlocate wireless devices. Consideration should also be given to mobile Internet devices such as 3G or
\nGPRS dongles or phones, which operate using the mobile phone network;
\n\u25cf As you do so, consider photographing the layout of the network and the location of the machines
\nconnected to it, so as to allow a possible future reconstruction;
\n\u25cf Once satisfied that no data will be lost as a result, you may isolate the network from the Internet.
\nThis is best done by identifying the connection to the telephone system or wireless communications
\npoint and unplugging it from the telephone point. Keep modems and routers running, as they may
\nneed to be interrogated to find out what is connected to them. Owing to their nature, it is
\nparticularly difficult to ascertain what is connected to a wireless network;
\n\u25cf Trace each wire from the network devices to discover the computer to which it is connected. This
\nmay not be possible in premises where cables may be buried in conduits or walls (advice in this case
\nshould be sought from the local IT administrator, if available, as to the set up of the system). Make
\na note of each connection. Note which computer is connected to which number \u2018port\u2019 on the network
\ndevice (hub \/ switch \/ router or multi function device). Label each connection in such a way that the
\nsystem can be rebuilt exactly as it stands, should there be any future questions as to the layout. It is
\nhighly recommended that pictures be taken of the setup;
\n\u25cf Consider making a connection to the access point\/router in order to establish the external IP
\naddress. Most modern networks use Network Address Translation (NAT) which means that they
\ncommunicate with an internal IP address and never get assigned and external IP one.
\nIn a wireless environment, remember that no cables are used between a PC and other devices. However,
\nthere will still be some physical cabling to each device (which could include a network cable to the wired
\nnetwork, power cables etc.), the configuration of which should be recorded. Please also note that Cable \/
\nADSL modems can have wireless capabilities built in.
\n\u25cf Once satisfied that the evidential impact is acceptable, you may remove each connection in turn
\nfrom the network device once it has been identified. This will isolate each computer in turn from the
\nnetwork. The same can be done with cabling into wireless devices;
\n\u25cf Seize and bag all network hardware, modems, original boxes and CDs \/ floppy disks etc. (provided
\nthey are easily removable);
\n25 NOT PROTECTIVELY MARKED ACPO Good Practice Guide for Digital Evidence, Version 5 (October 2011)
\nAssociation of Chief Police Officers of England, Wales & Northern Ireland
\n\u25cf Subsequently treat each device as you would a stand-alone device;
\n\u25cf Remember that the data which is sought may be on any one of the computers on the network.
\nOfficers should make a decision based on the reasonable assumption that relevant data may be
\nstored on a device before seizing that device;
\n\u25cf Bear in mind the possibility that the network may be a wireless network as well as a wired one, i.e.
\ncertain computers may be connected to the network via conventional network cabling. Others may
\nbe connected to that same network via the mains system, and others may be connected via a
\nwireless link;
\n\u25cf Also, bear in mind that any mobile phones and PDAs may be wireless or Bluetooth enabled and
\nconnected to a domestic network.
\nConcerns with remote wireless storage often focus around the inability to locate the device. In this instance,
\nit would be impossible to prove that an offence had been committed. Artefacts on seized computers might
\nprovide evidence that a remote storage device has been used, however the analysis of such artefacts will
\ntake time and this cannot often be done during the onsite seizure.
\nCorporate network environments
\nWhen dealing with computer systems in a corporate environment, the forensic investigator faces a number
\nof differing challenges. If the system administrator is not part of the investigation then seek their assistance.
\nThe most significant is likely to be the inability to shut down server(s) due to company operational
\nconstraints. In such cases, it is common practice that a network enabled \u2018forensic software\u2019 agent is
\ninstalled, which will give the ability to image data across the network \u2018on-the-fly\u2019, or to a network share or a
\nlocally connected removable storage medium such as a USB hard drive.
\nOther devices could be encountered which may assist the investigation. For example, routers and firewalls
\ncan give an insight into network configuration through Access Control Lists (ACLs) or security rule sets. This
\nmay be achieved by viewing the configuration screens as an administrator of the device. This will require the
\nuser names and passwords obtained at the time of seizure or from the suspect during interview.
\nBy accessing the devices, data may be added, violating Principle 1 but, if the logging mechanism is
\nresearched prior to investigation, the forensic footprints added during investigation may be taken into
\nconsideration and therefore Principle 2 can be complied with.
\nIn the case of large company networks, consider gaining the advice and assistance of the network
\nadministrator\/ support team (assuming that they are not suspects).
\nVOLATILE DATA COLLECTION
\nIn certain circumstances, it may be necessary or advisable for computer forensic investigators to gather
\nevidence from a computer whilst its running or in a \u2018live\u2019 state. This technique has become a common
\npractice as, even though some changes to the original evidence will be made, this method often allows
\naccess to evidence which would have been unavailable if the power is removed from a system. In order to
\ncapture volatile data on a device the device WILL have to be accessed. Therefore changes WILL be caused
\nby the examiner.
\nSpecial consideration should be given to Principle 2 of the guidelines, as conducting live-forensics implies
\naccess to the original evidence. Any person doing this needs to be competent and fully aware of the impact
\ntheir actions have and should be prepared to explain their reasons for taking this route.
\nLive forensics approach
\nBy profiling the footprint of trusted forensic tools used to gather volatile data, the digital forensic examiner
\ncan understand the impact of using such tools and can explain any artefacts left by the tools.
\nIn order to ensure that a consistent approach is used and the chance of errors is minimized, it is
\nrecommended to use a scripted approach using a number of basic and trusted tools. Regardless of the tools
\nused, it is advisable to start with capturing the contents of RAM, the volatile memory.
\n26 NOT PROTECTIVELY MARKED ACPO Good Practice Guide for Digital Evidence, Version 5 (October 2011)
\nAssociation of Chief Police Officers of England, Wales & Northern Ireland
\nIf other tools are used before the contents of the RAM are stored, it is very likely that running the forensic
\ntools will overwrite parts of the RAM.
\nOther examples of information, which might be available in the dump of the RAM contents, can be retrieved
\nusing different tools:
\n\u25cf listings of running processes;
\n\u25cf logged on and registered users;
\n\u25cf network information including listening, open and closing network ports;
\n\u25cf ARP (address resolution protocol) cache;
\n\u25cf Registry information.
\nThe tools used to capture this volatile information are generally run from removable media like a USB stick,
\nDVD or CD-ROM or a floppy disk. A USB stick is generally most convenient, as the output of the tools can be
\nwritten back to the stick. Writing tool output to the original drive should be avoided whenever possible, as
\nthis changes the contents of the hard drive and can destroy potential evidence. Again, principle 2 does allow
\nthe investigator to do this, but a conscious decision will have to be made and the process written down.
\nWhen inserting USB devices the examiner must ensure that they know the details of the serial numbers of
\nthe devices they are connecting so that they can be eliminated when analysing the date captured.
\nWhen in doubt as to whether or not to use live forensics, consult with the digital forensic examiner for
\nadvice. And, it should be noted that in live forensics it is not always possible to know upfront which
\napproach will yield the best results. Whichever method is chosen, remember to take meticulous notes \u2013 as
\ndictated by principle 3.
\nSummary of steps
\nA summary of the steps to be taken is shown below. Documentation of all actions, together with reasoning,
\nshould also apply when following such steps:
\n\u25cf Perform a risk assessment of the situation \u2013 Is it evidentially required and safe to perform volatile
\ndata capture?
\n\u25cf If so, install volatile data capture device to a removable data carrier (such as a USB stick) \u2013
\npreferably, this has already been done prior to starting the operation;
\n\u25cf Plug the data carrier into the machine and start the data collection script;
\n\u25cf Once complete, stop the device (particularly important for USB devices, which if removed before
\nproper shutdown can lose information);
\n\u25cf Remove the device;
\n\u25cf Verify the data output on a separate forensic investigation machine (not the suspect system);
\n\u25cf Immediately follow with standard power-off procedure.
\nThe capture and analysis of volatile data no doubt presents the investigator with technical challenges.
\nHowever, as cases become more complex and connectivity between devices and public networks proliferate,
\nwith an increase in more advanced malware, which cannot always be retrieved using more traditional disk
\nforensics, the above recommendations will need to be considered.
\nIt is vitally important that only someone with the relevant training and is competent to do so should take any
\nof these actions.
\n27 NOT PROTECTIVELY MARKED ACPO Good Practice Guide for Digital Evidence, Version 5 (October 2011)
\nAssociation of Chief Police Officers of England, Wales & Northern Ireland
\nAPPENDIX B
\nCRIMES INVOLVING WEBSITES, FORUMS, AND BLOGS
\nWhere a crime involves evidence displayed on a website the most convenient method of recovering the
\nevidence may be by engaging the assistance of suitably trained staff to visit the website and take copies of
\nthe evidential content. In order to do this the officer taking report of the matter needs to obtain the address
\nof the website, for example, http:\/\/www.acpo.police.uk, or if it is a specific page within the site.
\nhttp:\/\/www.acpo.police.uk\/about_pages\/structure.html.
\nWhen carrying out any evidence recovery it is essential that an audit trail of all activity carried out by the
\ninvestigator is recorded in a log. The recommended method for copying a website is to visit the site and
\nrecord the relevant pages using video capture software so there is a visible representation of how they look
\nwhen visited at the time. If video capture software is not available then the pages can be saved as
\nscreenshots. It is also advisable to follow this by capturing the web pages themselves either by using
\nwebsite copying software or saving the individual pages. Copying the pages themselves, as well as obtaining
\na visual record, means that the code from the web pages is also secured should that become relevant later.
\nThis work should be conducted from a computer which has been specifically set up to be non-attributable on
\nthe Internet. Failure to use an appropriate system may lead to the compromise of other police operations.
\nAnyone visiting a website generally exposes a certain amount of information to the website, for example it is
\ncommon on police systems to have a web browser which is branded with the forces name. This branding is
\nexposed to a website being visited and so may be recorded in logs on the site along with other information
\namongst which, will include the pages visited.
\nIf it appears likely that the evidence on the website might be lost by a delay in carrying out the above
\nprocedures then the person reporting may be asked to make a copy of the evidence by whatever means
\nthey are capable of (either printing, screenshot or saving pages), alternatively this could be done by the
\nperson receiving the report. Before taking these steps every effort should be made to secure the services of
\na competent person to carry out this work as failing to capture the information correctly could have a
\ndetrimental impact on the investigation.
\nWhere there is difficulty in capturing the evidence by visiting the site it might be possible to make an official
\nrequest to the owner of the site by whatever legal procedures are required within the jurisdiction. The
\nCSP\/ISP SPOC or Digital Forensic Unit can usually advise on the appropriate procedures.
\nBy making a request to the service provider hosting the site it may be possible to recover evidence of who
\nhas created the web page or posting. It is not unusual for details of the user such as name, address, phone
\nnumber, banking details, email address, and alternative email address to be recorded by a host.
\nIf there is a requirement to identify who has committed some activity on a website, for example where a
\nfraud has been committed by purchasing goods from a website or by posting a message on a website, the
\nlikelihood is that the suspect may be traceable from logs on the site. When any user accesses the Internet
\nthey are allocated a unique address known as an IP address and their Internet Service Provider (ISP) keeps
\nlogs of the times and dates and the identity of the user allocated any IP address.
\nWhen a user visits a site and conducts some activity, for example logs on, posts a message, or makes a
\npurchase, it is likely that the user\u2019s IP address has been logged by the website. It is often possible to obtain
\ncopies of logs from websites if there is a requirement to see who has been active on a website by making a
\nrequest via the force CSP\/ISP SPOC.
\nIf the evidence is no longer available to be retrieved by any of the above means, and where the use of
\nresources can be justified by the seriousness of the case, it may be possible to recover evidence of the site
\ncontents from an end user device that has been used to view the site by conducting a forensic examination
\nof the device.
\n28 NOT PROTECTIVELY MARKED ACPO Good Practice Guide for Digital Evidence, Version 5 (October 2011)
\nAssociation of Chief Police Officers of England, Wales & Northern Ireland
\nWhere investigators wish to carry out open source intelligence research on the Internet they should be
\ntrained to do so and conduct the research from a computer which cannot be attributed to the investigator\u2019s
\nagency.
\nCovert Interaction on the Internet
\nIn circumstances where investigators wish to communicate covertly with an online suspect they MUST use
\nthe services of a Nationally Accredited and Registered (CII). CIIs have received specialist training which
\naddresses the technical and legal issues relating to undercover operations on the Internet.
\nCrimes involving email communication
\nThere are generally two methods of sending and receiving email, one by using a web browser and accessing
\nemail online for example at the Hotmail, Windows Live, Yahoo or Google websites. In these circumstances
\nthe mail is stored on the webmail server and is read through the user\u2019s browser. The other method is to
\naccess email using a program such as Outlook or Windows Mail to download mail to the user\u2019s computer.
\nThe program is used to view and store the emails locally.
\nWhere the evidence in a case involves an email sent from a person who the police want to trace the key
\nevidence is usually found in what is known as the email\u2019s \u201cFull Internet Header\u201d. Each email sent over the
\nInternet contains this header which is normally not visible to the user. It contains details of the route taken
\nacross the Internet by the email and includes the IP address of the sender. Even where an email has been
\nsent with a fictitious email address which has been registered with false details, it is often possible to identify
\nthe sender from the Full Internet Header.
\nIn order to obtain the Full Internet Header the person taking the incident report needs to ascertain which of
\nthe two methods the recipient uses to access their email. Where it is web based identify the webmail host
\n(i.e. Hotmail, Yahoo etc.) or if by a program on the computer ascertain what program and version number of
\nthe program. The version number can usually be found in the program\u2019s Help on the menu bar under an
\nitem called \u201cAbout\u201d.
\nEach webmail provider and email program treat the Full Internet Header differently and if the officer or user
\ndoes not know how to display the header the details of the webmail provider or program need to be passed
\nto a specialist in the Digital Forensic Unit or CSP\/ISP SPOC who will be able to provide advice.
\nOnce the header has been exposed the relevant email should be printed together with the header, and may
\nalso be saved electronically. Depending upon the seriousness of the case and the volume of email evidence,
\nadvice may be sought from the digital forensics unit on the most appropriate method of securing and
\nretaining the email evidence.
\nOnce the full header has been obtained the force CSP\/ISP SPOC will be able to use this to conduct enquiries
\nto attempt to identify the sender from the originating IP address.
\nWhere an email address of a suspect is known but there is no email available from which a full header can
\nbe obtained, it may be possible to identify the user of the email address and their location. Depending upon
\nthe email service provider various details of the user may be recorded together with the first registration IP
\naddress and a varying period of IP address login history. These details may be obtained by making an
\nappropriate CSP\/ISP SPOC request for the email address. In conducting such enquiries it needs to be
\nrecognised that it is a trivial exercise to send an email with a false email address in the “From:” field of an
\nemail.
\nOn some occasions the investigating agency might access a user\u2019s email account with written authority from
\nthe user in order to secure evidence. Where this is the case, if third party material is exposed as a
\nconsequence of viewing the user\u2019s emails, advice should be sought as to whether a Directed Surveillance
\nAuthority should be in place in addition to the user\u2019s authority. Even if the password and log in details are
\navailable. For example as a result of the Forensic examination authority and formal authority is required to
\naccess the email account.
\n29 NOT PROTECTIVELY MARKED ACPO Good Practice Guide for Digital Evidence, Version 5 (October 2011)
\nAssociation of Chief Police Officers of England, Wales & Northern Ireland
\nWhere justified by the investigation, consideration may be given to accessing messages on an email
\nprovider\u2019s server by obtaining the appropriate RIPA authority.
\nCrimes Involving Internet Chat
\nUsers can employ a number of different devices to engage in chat on the Internet. There are three main
\nways to chat – using a website’s chat facility, for example Facebook, using an instant messenger program
\nlike Windows Live Messenger, or much less commonly, using Internet Relay Chat (IRC).
\nWhere an incident is reported which involves the use of chat the person taking the report needs to ascertain
\nwhat method of chat was being used, i.e. what is the name of the website hosting the chat and its full
\nInternet address, or what program is being used. The key evidence to be secured is
\n\u25cf any information which may identify the suspect party, and
\n\u25cf the content of any chat.
\nIf the chat is web-based the details of the website, any chat room name and the user name of the suspect
\nshould be obtained together with the times and dates of any chat activity. If the chat facility is part of a
\nsocial networking site the user will most likely have a unique ID number as well as a user name. This is
\nusually visible in the web browser’s address bar when viewing a user’s profile or when the mouse pointer is
\nmoved over the user name. The force CSP\/ISP SPOC or Digital Forensic Unit can provide help in finding this
\nID number. If the chat is by instant messenger program then the user name of the suspect should be
\nobtained together with the associated email address which is usually available from the contact list of the
\nperson reporting. Generally a user’s contact list can be accessed from any computer connected to the
\nInternet so if it is considered that the user’s computer might be retained for a forensic examination then it
\nshould not itself be used to access the contact list.
\nThere is usually an option for a user to save chat logs but more often than not the default setting is for logs
\nnot to be saved. If the user has saved chat logs that contain evidence, the logs should be saved to
\nremovable media for production as evidence, if no removable media is available they should be printed out.
\nUsers are able to engage in chat from many types of device in addition to computers. Where the
\ncircumstances of the case warrant it, an end-user device could be submitted for forensic examination in
\norder to recover evidence of the suspect’s contact details and chat content.
\nWhere a suspect’s user details are obtained it may be possible to identify the suspect by making the
\nappropriate CSP\/ISP SPOC requests.
\nIn the event that the chat has been conducted using IRC the following details should be obtained – the IRC
\nprogram used, the name of the IRC server, the channel and any usernames. Further advice should then be
\nsought from the Digital Forensic Unit.
\nCommunications in the course of a transmission
\nDigital evidence in transit may be any form of communication using the Internet or a telecommunications
\nnetwork such as email, chat, voice calls, text messages, and voice-mail. Where such evidence is sought
\nadvice should be obtained from the force Covert Authorities Bureau.
\n30 NOT PROTECTIVELY MARKED ACPO Good Practice Guide for Digital Evidence, Version 5 (October 2011)
\nAssociation of Chief Police Officers of England, Wales & Northern Ireland
\nAPPENDIX C
\nCRIME SCENES
\nThere are many different types of digital media and end-user devices, which may be encountered during a
\nsearch of a crime scene, all of which have the potential to hold data which may be of value to the
\ninvestigation. In order to preserve the data and achieve best evidence, these items must be handled and
\nseized appropriately, and should be treated with as much care as any other item that is to be forensically
\nexamined. This section is intended to assist individuals to ensure their actions in relation to seizure are
\ncorrect.
\nThe following guidance deals with the majority of scenarios that may be encountered. The general
\nprinciples, if adhered to, will ensure the best chance of evidence being recovered in an uncontaminated and,
\ntherefore, acceptable manner.
\nItems found during a search will normally fall into the broad categories of computer-based media items,
\nCCTV systems and mobile devices. These are considered separately below.
\nProportionality
\nBefore seizing an item, consider whether the item is likely to hold evidence (eg, is this a family computer or
\na computer belonging to a suspect?) Ensure that details of where the item was found are recorded. Consider
\nwhen the offence was committed; when seizing CCTV, give consideration to narrowing down what is seized,
\nby camera and\/or time period. Check whether another system may be better placed to record the evidence.
\nDifferentiate between mobile phones found on a suspect and phones found in a drawer, as different levels of
\nexamination may be possible for these. Also consider that evidence may be stored online, or on an internet
\nservice provider’s systems, and end-user devices may only be needed to obtain the details necessary to
\nrequest this evidence from the service provider. If so, it is best to seize items in current usage, i.e.
\ncomputers connected to the internet.
\nDigital devices and media should not be seized just because it is there. The person in charge of the search
\nmust have reasonable grounds to remove property and there must be justifiable reasons for doing so. The
\nsearch provisions of PACE Legislation Codes of Practice equally apply to digital devices and media in
\nEngland, Wales and Northern Ireland. In Scotland, officers should ensure they are acting within the terms of
\nthe search warrant.
\nDue regard should also be taken concerning any possible contravention of the European Convention of
\nHuman Rights.
\nWhat to take to a scene
\nThe following is a suggested list of equipment that might be of value during planned searches. This basic
\ntool-kit should be considered for use in the proper dismantling of digital systems as well as for their
\npackaging and removal:
\n\u25cf Property register;
\n\u25cf Exhibit labels (tie-on and adhesive);
\n\u25cf Labels and tape to mark and identify component parts of the system, including leads and sockets;
\n\u25cf Tools such as screw drivers (flathead and crosshead), small pliers, and wire cutters for removal of
\ncable ties;
\n\u25cf A range of packaging and evidential bags fit for the purpose of securing and sealing heavy items
\nsuch as computers and smaller items such as PDAs and mobile phone handsets;
\n\u25cf Cable ties for securing cables;
\n\u25cf Flat pack assembly boxes – consider using original packaging if available;
\n\u25cf Coloured marker pens to code and identify removed items;
\n\u25cf Camera and\/or video to photograph scene in situ and any on-screen displays;
\n\u25cf Torch;
\n\u25cf Forensically sterile storage material.
\n31 NOT PROTECTIVELY MARKED ACPO Good Practice Guide for Digital Evidence, Version 5 (October 2011)
\nAssociation of Chief Police Officers of England, Wales & Northern Ireland
\nIn addition, the following items may be useful when attending scenes to retrieve CCTV:
\n\u25cf Laptop with USB and network connectivity. A selection of proprietary replay software could be
\ninstalled, to enable the downloaded data to be checked;
\n\u25cf External CD\/DVD writer;
\n\u25cf USB hard drives.
\nRecords to be kept
\nTo comply with principle 3, records must be kept of all actions taken in relation to digital evidence, for
\nexample:
\n\u25cf Sketch map\/photographs of scene and digital equipment;
\n\u25cf Record location and contact details;
\n\u25cf If a business, record opening hours;
\n\u25cf Details of all persons present where digital equipment is located;
\n\u25cf Details of digital items – make, model, serial number;
\n\u25cf Details of connected peripherals;
\n\u25cf Remarks\/comments\/information offered by user(s) of equipment;
\n\u25cf Actions taken at scene showing exact time;
\n\u25cf Notes\/photographs showing state of system when found.
\nComputer based devices and media
\nThis includes desktop or laptop PCs and Apple Macintosh systems, digital cameras, memory cards, USB
\nsticks, external hard drives and games consoles, amongst other items. Mobile devices which have wireless
\nconnectivity\/ communications capability (such as tablet computers and satellite navigation systems) fall
\nunder the heading of ‘mobile devices’.
\nSystems which are powered on (running) need to be handled with care, as there is the potential to make
\nunwanted changes to the evidence if these are not dealt with correctly. Such systems should only be
\naccessed by appropriately trained officers In addition, volatile data of evidential value may be lost. Be aware
\nof the potential to lose other valuable data, particularly when dealing with business systems, which could
\ngive rise to a claim for damages. In these cases expert advice should be sought before seizing a business
\nsystem which is powered on.
\nDesktop and laptop computers\/games consoles
\nThe scene should be fully documented by written notes and\/or a photographic record.
\nIf a device is powered on, it needs to be handled carefully to preserve any volatile data and to avoid
\nunwanted changes to the stored data.
\nConsider removing the device from any network, as devices can be remotely accessed, causing alteration to
\nthe data – but balance this against the possibility of losing data of evidential value, such as the list of
\ncurrently open connections. If unsure, seek expert advice.
\nSeizure steps:
\n1. Secure and take control of the area containing the equipment;
\n2. Move people away from any computers and power supplies and do not allow any interaction with
\ndigital devices by suspect;
\n3. Photograph or video the scene and all the components including the leads in situ. If no camera is
\navailable, draw a sketch plan of the system and label the ports and cables so that system\/s may be
\nreconstructed at a later date;
\n4. Allow any printers to finish printing.
\n32 NOT PROTECTIVELY MARKED ACPO Good Practice Guide for Digital Evidence, Version 5 (October 2011)
\nAssociation of Chief Police Officers of England, Wales & Northern Ireland
\nIf switched off:
\n5. Do not, in any circumstance, switch the computer on;
\n6. Make sure that the computer is switched off, by moving the mouse \u2013 some screen savers may give
\nthe appearance that the computer is switched off, but hard drive and monitor activity lights may
\nindicate that the machine is switched on;
\n7. Be aware that some laptop computers may power on by opening the lid. Remove the battery from
\nthe laptop. Seize any power supply cables for future use.
\nIf switched on:
\n8. Record what is on the screen by photographing it and by making a written note of the content of
\nthe screen;
\n9. Do not touch the keyboard or click the mouse. If the screen is blank or a screen saver is present,
\nthe investigator should be asked to decide if they wish to restore the screen. If so, a short
\nmovement of the mouse should restore the screen or reveal that the screen saver is password
\nprotected. If the screen restores, photograph or video it and note its content. If password protection
\nis shown, continue as below, without any further touching of the mouse. Record the time and
\nactivity of the use of the mouse in these circumstances. (For games consoles, or tablet computers,
\nthe equivalent would be moving the controller joystick or touching the touchscreen);
\n10. If the system may contain valuable evidence in its current state (for example, if it is currently
\ndisplaying a relevant document or an instant message conversation), seizing officers should seek
\nexpert advice from their local digital forensic unit as this may be lost if the power is lost. This is
\nespecially important if the suspect is a technically knowledgeable user who may be using encryption,
\nas there may be no way to retrieve evidence stored in encrypted volumes once the power is lost;
\n11. Consider advice from the owner\/user of the computer but make sure this information is treated with
\ncaution;
\n12. Remove the main power source battery from laptop computers. However, prior to doing so, consider
\nif the machine is in standby mode. In such circumstances, battery removal could result in avoidable
\ndata loss. This is normally evident by a small LED (light) lit on the casing. In this case, officers
\nshould seek advice from their local digital forensic unit;
\n13. Unplug the power and other devices from sockets on the computer itself (i.e. not the wall socket).
\nWhen removing the power supply cable, always remove the end connected to the computer, and not
\nthat attached to the socket. This will avoid any data being written to the hard drive if an
\nuninterruptible power supply is fitted. If the equipment was switched on, do not close down any
\nprograms or shut down the computer, as this will cause changes to the stored data and may trigger
\nwiping software to run, if this is installed;
\n14. Ensure that all items have signed and completed exhibit labels attached to them. Failure to do so
\nmay create difficulties with continuity and cause the equipment to be rejected by the digital forensic
\nunit;
\n15. Search the area for diaries, notebooks or pieces of paper with passwords on them, often attached or
\nclose to the computer;
\n16. Ask the user about the setup of the system, including any passwords, if circumstances dictate. If
\nthese are given, record them accurately;
\n17. Allow the equipment to cool down before removal;
\n18. Track any cables that can be seen as they made lead you to other devices in other rooms.
\nMobile devices
\nThis includes mobile phones, smartphones, and other devices which may have wireless
\nconnectivity\/communications capability such as tablet computers, personal digital assistants (PDAs), personal
\nmedia players and satellite navigation systems.
\n1. Secure and take control of the area containing the equipment. Do not allow others to interact with
\nthe equipment;
\n2. Photograph the device in situ, or note where it was found, and record the status of the device and
\nany on-screen information;
\n33 NOT PROTECTIVELY MARKED ACPO Good Practice Guide for Digital Evidence, Version 5 (October 2011)
\nAssociation of Chief Police Officers of England, Wales & Northern Ireland
\n3. If the device is switched on, power it off. It is important to isolate the device from receiving signals
\nfrom a network to avoid changes being made to the data it contains. For example, it is possible to
\nwipe certain devices remotely and powering the device off will prevent this.
\nHowever, in exceptional circumstances the decision may be made to keep the device on. Timely access to
\nthe handset data is critical the decision may be made to leave the device switched on. Consideration may be
\ngiven to place the handset in a Faraday environment to further prevent signal reception. In such
\ncircumstances advice should be sought from the DFU.
\n4. Seize cables, chargers, packaging, manuals, phone bills etc. as these may assist the enquiry and
\nminimise the delays in any examination;
\n5. Packaging materials and associated paperwork may be a good source of PIN\/PUK details;
\n6. Be aware that some mobile phone handsets may have automatic housekeeping functions, which
\nclear data after a number of days. For example, some Symbian phones start clearing call\/event
\nlogs after 30 days, or any other user defined period. Submit items for examination as soon as
\npossible.
\nHandling and transporting digital evidence
\nDigital Devices
\nHandle with care. If placing in a car, place upright where it will not receive serious physical shocks. Keep
\naway from magnetic sources (loudspeakers, heated seats & windows and police radios).
\nHard disks
\nAs for all digital devices protect from magnetic fields. Place in anti-static bags, tough paper bags or tamperevident cardboard packaging or wrap in paper and place in aerated plastic bags.
\nRemovable storage
\nfloppy disks, memory sticks, memory cards, CDs\/DVDs) Protect from magnetic fields. Do not fold or bend.
\nDo not place labels directly onto floppy disks or CDs\/DVDs. Package in tamper-force approved packaging to
\navoid interaction with the device whilst it is sealed.
\nOther items<\/p>\n
Protect from magnetic fields. Package correctly and seal in plastic bags. Do not allow items to get wet.
\nOther Considerations<\/p>\n
1. If fingerprints or DNA evidence are likely to be required, always consult with the investigator;
\n2. Using aluminium powder on electronic devices can be dangerous and result in the loss of evidence.
\nBefore any examination using this substance, consider all options carefully.
\nThe equipment should be stored at normal room temperature, without being subject to any extremes of
\nhumidity and free from magnetic influence such as radio receivers. Dust, smoke, sand, water and oil are also
\nharmful to electronic equipment. Some devices are capable of storing internal data (such as the time and
\ndate set on the system) by use of batteries. If the battery is allowed to become flat, internal data will be
\nlost. It is not possible to determine the life expectancy of any one battery. However, this is an important
\nconsideration when storing a device for long periods before forensic examination and should be addressed in
\nlocal policy.
\n34 NOT PROTECTIVELY MARKED ACPO Good Practice Guide for Digital Evidence, Version 5 (October 2011)
\nAssociation of Chief Police Officers of England, Wales & Northern Ireland
\nAPPENDIX D
\nDEVELOPING A DIGITAL INVESTIGATION STRATEGY
\nThe investigation of crimes and incidents in which digital evidence is involved, particularly the Internet,
\npresents some unique challenges to the investigator. The explosion of the availability and use of
\ntechnology, the growth of virtual storage, development of \u2018Cloud Services\u2019 (online services) and the
\nconvergence of mobile and traditional computer technology has resulted in most investigations having a
\ndigital element of some description.
\nInvestigators need to have a greater understanding of the use of digital evidence if interviews of witnesses
\nand suspects are to be effective. This is particularly the case in serious or complex investigations where a
\nfailure to identify and secure volatile digital data could have a significant impact on the conduct of the
\ninvestigation.
\nIt is important that investigators develop appropriate strategies to identify the existence of digital evidence
\nand to secure and interpret that evidence. Irrespective of the size or complexity the investigator should
\nconsider five primary stages.
\n\u25cf Data Capture and search and seizure at crime scenes;
\n\u25cf Data Examination;
\n\u25cf Data Interpretation;
\n\u25cf Data Reporting;
\n\u25cf Interview of Witness and Suspects.
\nInvestigators should seek the advice of their force Telecoms\/ISP SPOC, Network Investigators and Digital
\nForensic Units at the earliest opportunity to formulate a written digital forensic strategy.
\nDue consideration should always be given by the investigators of the benefits to the overall investigation of
\nconducting any digital forensic work
\nDATA CAPTURE STRATEGY
\nThe investigator should develop a Data Capture Strategy to identify and secure all relevant digital evidence.
\nOther than a requirement to react to immediate events the investigator should be able to plan this strategy
\nin advance.
\nWhere a crime or incident is reported, early consideration should be given to the potential to glean evidence
\nfrom the Internet or end user devices which have a digital memory capacity and from which evidence \/
\nintelligence may be retrieved.<\/p>\n
Social Network Sites
\nPriority \u2013 Establish the use of Social Networking, Online Communities, Online Storage and other Cloud
\nServices by witnesses and suspects. Whilst this may be revealed by the examination of seized devices it may
\nbe gleaned more quickly if asked during interview.
\nMany current investigations involve Social Networking Sites. It is imperative that early consideration is made
\naround securing Social Networking Profiles that fall within the investigation. The best evidence is available
\nfrom the service provider however they are often located outside of the UK and may or may not secure the
\ncontent on the appropriate request via the force CSP\/ISP SPOC. As such the investigator should always
\nsecure a copy of what is seen by them as this may be the only opportunity to secure this evidence before it
\nchanges.
\n35 NOT PROTECTIVELY MARKED ACPO Good Practice Guide for Digital Evidence, Version 5 (October 2011)
\nAssociation of Chief Police Officers of England, Wales & Northern Ireland
\nOpen Source Research
\nThe internet is a huge repository of information much of it of value to the investigator. Research by properly
\ntrained staff, preferably with access to a stand alone computer, will enable the investigator to get the best
\nfrom the vast amount of information that is now held online. In addition to this the force CSP\/ISP SPOCs will
\nbe able to give advice on the type of data that can potentially be obtained from ISP\u2019s, web mail and web
\nbased providers.
\nCare should be taken when undertaking Internet research from any computer linked to the Police National
\nNetwork (pnn) as a digital footprint will be left and may reveal the law enforcement interest. This will not be
\nobvious to the general internet user but will most certainly be clear to the hosts or providers of the service
\nand those who are particularly technically aware and monitoring IP addresses.
\nRegistration details are often asked for and whilst in some instances they will inevitably be fictitious, on
\nmany occasions they will include the following;
\n\u2022 IP log on;
\n\u2022 Name and Address;
\n\u2022 Landline and Mobile phone Numbers;
\n\u2022 Banking data;
\n\u2022 Emails used;
\n\u2022 Username and passwords;
\n\u2022 Linked accounts.
\nWhilst law enforcement are used to working with RIPA, RIPSA and the DPA to obtain information this
\nlegislation only applies within the UK. Many services are based outside of the UK based organisations.<\/p>\n
It is essential that the CSP\/ISP SPOC is engaged at the earliest opportunity to these enquiries with the
\nobjective of preserving known time critical data.
\nNational Technical Assistance Centre (NTAC)
\nIf encrypted files are located or suspected it is important that the suspect is asked for them, failure to do so
\nmay result in an offence under sec 49 of RIPA. Encryption is difficult to break and assistance can be sought
\nvia the Digital Forensic Unit from the National Technical Assistance Centre (NTAC) in London.
\nThe National Technical Assistance Centre (NTAC) provides technical support only to public authorities,
\nparticularly law enforcement agencies and the intelligence services. It includes a facility for the complex
\nprocessing of lawfully obtained protected electronic information.
\nNTAC is the leading national authority for all matters relating to the processing of protected information into
\nan intelligible format and the disclosure of key material.
\nAll public authorities should consult with NTAC at the earliest opportunity when considering exercising the
\npowers in Part III of the Regulation of Investigatory Powers Act (RIPA).
\nA public authority cannot serve any notice under Section 49 of RIPA or, when the authority considers it
\nnecessary, seek to obtain appropriate permission, without the prior written approval of NTAC.
\nInvestigating Crimes where Digital Evidence may be present
\nThe proliferation of digital devices and the advances in digital communications mean that digital evidence is
\nnow present or potentially present in almost every crime.
\nDigital evidence can be found in a number of different locations,
\n\u25cf Locally on an end-user device – typically a users computer, mobile\/smart phone, satellite navigation
\nsystem, USB thumb drive, or digital camera;
\n36 NOT PROTECTIVELY MARKED ACPO Good Practice Guide for Digital Evidence, Version 5 (October 2011)
\nAssociation of Chief Police Officers of England, Wales & Northern Ireland
\n\u25cf On a remote resource that is public – for example websites used for social networking, discussion
\nforums, and newsgroups;
\n\u25cf On a remote resource that is private \u2013 an Internet Service Provider\u2019s logs of users\u2019 activity, a mobile
\nphone company\u2019s records of customers\u2019 billing, a user\u2019s webmail account, and increasingly common,
\na user\u2019s remote file storage;
\n\u25cf In transit \u2013 for example mobile phone text messages, or voice calls, emails, or Internet chat.
\nInvestigating Different Types of Crime and Identifying Sources of Evidence
\nIt would be quite common for evidence of a crime to be in more than one of the locations mentioned above.
\nHowever it might be much easier to obtain the evidence from one location rather than another; careful
\nconsideration should be given to the resources required to obtain the evidence.
\nFor example, if evidence is required of contact between two mobile phone numbers, the best method would
\nbe to obtain call data from the Communication Service Providers via the force SPOC, rather than to request a
\nforensic examination of the mobile phones. The call data is likely to be more comprehensive than call logs
\nfrom a mobile phone and the times and dates can be relied upon, which is not necessarily the case with logs
\nfrom a mobile phone.
\nCOVERT FORENSIC COMPUTING
\nSome investigations may require consideration of gathering digital intelligence in a covert manner. It is
\nevidently not appropriate to discuss covert tactics within this document however opportunities exist to
\ncapture digital data online and physically from devices in a covert manner where the appropriate authorities
\nare in place.
\nDATA EXAMINATION STRATEGY
\nDevices seized as part of a search will be forwarded to the force Digital Forensic Unit in accordance with
\nforce policy.
\nThe investigator needs to properly consider the nature and purpose of the digital examination.
\nThe investigator must tailor the needs of the digital examination not only based on the investigation
\nrequirements but the ability of the Digital Forensic Unit to deliver it. The better the briefing the better the
\nadvice will be.
\nThe Investigator must be clear on what priorities are placed on the examination as it may well be, as
\npreviously stated, that key information needs to be found in order to preserve evidence that may exist
\nelsewhere. This is particularly the case where it relates to the existence of additional evidence, offenders
\nand victims. A preview of content may be appropriate albeit the limitations of this approach will require to be
\nproperly understood.
\nPriorities may also be set on the type of data to be extracted and viewed by persons other than the Digital
\nForensics Unit as this may reduce the burden on the unit and increase the likelihood of the delivery of the
\ndata. This will of course depend on the nature of the examination. But could include;
\n\u2022 Internet History;
\n\u2022 Emails;
\n\u2022 Evidence of webmail;
\n\u2022 Instant Messaging Logs;
\n\u2022 Media Files (images & videos);
\n\u2022 Social Networks;
\n\u2022 Forums & Chat Rooms;
\n\u2022 Cloud Services \/ Virtual Storage;
\n\u2022 File Sharing programs;
\n\u2022 Usernames \/ Passwords;
\n\u2022 Encrypted Files;
\n\u2022 Word Documents;
\n\u2022 Spreadsheets.
\n37 NOT PROTECTIVELY MARKED ACPO Good Practice Guide for Digital Evidence, Version 5 (October 2011)
\nAssociation of Chief Police Officers of England, Wales & Northern Ireland
\nThe discussion between the investigator and digital forensic unit should result in an agreed digital extraction
\n\/ examination plan to achieve an agreed outcome. The plan may need to be reviewed as the evidential
\npicture and priorities change.
\nDATA INTERPRETATION STRATEGY
\nStaff tasked by the investigator to undertake the digital data extraction \/ examination must be competent to
\ndo so and have had sufficient training to undertake the task assigned to them. It must be borne in mind that
\nthe development of digital technology is dynamic and the examiners may well face significant challenges to
\ntheir knowledge.
\nIt is the role of the Digital Evidence Examiner to provide the investigator with a report\/statement accounting
\nfor the examination of the devices as part of the investigation. The report should account in full for the
\nparameters set for the examination, data extracted and data examined. There should also be provision to
\nprovide an interpretation of technical aspects of the examination relevant to the provision of evidence in the
\ncase.
\nThe investigator should have a full discussion with the examiner ahead of the production of any reports to
\nensure all the relevant evidence is contained in the report and that the processes used adhered to the ACPO
\nPrinciples governing handling digital based evidence. These principles are explained in the section headed
\n\u201cThe Principles of Digital Evidence\u201d in this guide.
\nDATA REPORTING
\nThe report is the ultimate product of the examination. It should outline the examination process and the
\nsignificant data recovered. Whilst an initial report may be relatively brief, the examiner should be in a
\nposition to produce a full technical report should one later be required.
\nExamination notes must be preserved for disclosure or testimony purposes and, if required, the preparation
\nof a full technical report. In Scotland, they will be preserved as productions to be used as evidence in court.
\nAn examiner may need to testify about not only the conduct of the examination, but also the validity of the
\nprocedure and their experience and qualifications to conduct the examination.
\nThe role of the examiner is to secure from any seized material true copy of any data that they may contain
\nForensic hardware should be subject to initial and periodic testing. . It is worth repeating at this point that
\nfull records should be made of all actions taken. These can be made available to the defence who may
\nsubsequently cause a further examination to be conducted. A significant part of such an examination will be
\nto validate the actions and results of the original examination. Such records are also part of the unused
\nmaterial for the case under investigation.
\nIt is important to remember that legislation continues to change to keep up with technological
\nand societal change. It is important, therefore, to consider the legal requirements and
\nrestrictions when examining digital evidence. Recent case law and precedents set at higher
\ncourts are important considerations when preparing an evidence package for an investigator
\nThis applies, in particular, to the use of the Internet and files downloaded from the Internet; or
\nmaterial accessible from foreign jurisdictions i.e. online data stores.
\nInterview of Witnesses and Suspects
\nThe interview of witnesses\/suspects is a crucial opportunity to identify key information about the nature and
\nuse of digital data relative to the investigation in hand. As such those involved must be properly briefed and
\ncompetent to undertake the interview having the necessary understanding of the areas to explore.
\nConsideration should be given to consulting with a trained Interview Advisor with a view to the compilation
\nof an appropriate interview strategy.
\nBear in mind that the digital examination of devices seized will take time and may not necessarily reveal vital
\ninformation that the witness \/ suspect may be aware of. Typically this may include;
\n38 NOT PROTECTIVELY MARKED ACPO Good Practice Guide for Digital Evidence, Version 5 (October 2011)
\nAssociation of Chief Police Officers of England, Wales & Northern Ireland
\n\u25cf Web Mail Addresses \/ Username & Passwords \/ shared or sole use;
\n\u25cf Social Network Profiles \/ Username & Passwords \/ shared or sole use;
\n\u25cf Use of Forums & Chat Rooms \/ Username & Passwords;
\n\u25cf Use of Cloud Services \/ Username & Passwords \/ shared or sole use;
\n\u25cf Use of Virtual Storage \/ Username & Passwords \/ shared or sole use;
\n\u25cf Use of Role Play Gaming Sites \/ Username & Passwords \/ shared or sole use;
\n\u25cf Use of Auction sites \/ Username & Passwords \/ shared or sole use;
\n\u25cf Use of Online Banking;
\n\u25cf List of User Names;
\n\u25cf Use of Encryption \/ Encryption Keys;
\n\u25cf User Names of contacts;
\n\u25cf Use of the devices;
\n\u25cf Websites Visited;
\n\u25cf Internet Service Provider.
\nThis list is not exhaustive
\n39 NOT PROTECTIVELY MARKED ACPO Good Practice Guide for Digital Evidence, Version 5 (October 2011)
\nAssociation of Chief Police Officers of England, Wales & Northern Ireland
\nWORKBOOK FOR THE CREATION OF ACPO GUIDANCE\/PRACTICE ADVICE
\nThis workbook, with all sections completed, must be included in the final document as an Appendix
\nand submitted, through the Head of the Business Area, to the Programme Support Office for quality
\nassurance prior to submission to Cabinet for approval as ACPO Doctrine.
\nACPO EQUALITY IMPACT ASSESSMENT TEMPLATE (DIVERSITY AUDIT) AS AGREED WITH THE
\nCRE
\n1. Identify all aims of the guidance\/advice
\n1.1 Identify the aims and projected outcomes of the guidance\/advice:
\n1.2 Which individuals and organisations are likely to have an interest in or
\nlikely to be affected by the proposal?
\n2. Consider the evidence
\n2.1 What relevant quantitative data has been considered?
\nAge
\nDisability
\nGender
\nRace
\nReligion \/ Belief
\nSexual Orientation
\n2.2 What relevant qualitative information has been considered?
\nAge
\nDisability
\nGender
\nRace
\nReligion \/ Belief
\nSexual Orientation
\n2.3 What gaps in data\/information were identified?
\nAge
\nDisability
\nGender
\nRace
\nReligion \/ Belief
\nSexual Orientation
\n2.4 What consideration has been given to commissioning research?
\nAge
\nDisability
\nGender
\nRace
\nReligion \/ Belief
\nSexual Orientation
\n40 NOT PROTECTIVELY MARKED ACPO Good Practice Guide for Digital Evidence, Version 5 (October 2011)
\nAssociation of Chief Police Officers of England, Wales & Northern Ireland
\n3. Assess likely impact
\n3.1 From the analysis of data and information has any potential for
\ndifferential\/adverse impact been identified?
\nAge
\nDisability
\nGender
\nRace
\nReligion \/ Belief
\nSexual Orientation
\n3.2 If yes explain any intentional impact:
\nAge
\nDisability
\nGender
\nRace
\nReligion \/ Belief
\nSexual Orientation
\n3.3 If yes explain what impact was discovered which you feel is justifiable in
\norder to achieve the overall proposal aims. Please provide examples:
\nAge
\nDisability
\nGender
\nRace
\nReligion \/ Belief
\nSexual Orientation
\n3.4 Are there any other factors that might help to explain differential\/adverse
\nimpact?
\nAge
\nDisability
\nGender
\nRace
\nReligion \/ Belief
\nSexual Orientation
\n4. Consider alternatives
\n4.1 Summarise what changes have been made to the proposal to remove or
\nreduce the potential for differential\/adverse impact:
\n4.2 Summarise changes to the proposal to remove or reduce the potential for
\ndifferential\/adverse impact that were considered but not implemented
\nand explain why this was the case:
\n4.3 If potential for differential\/adverse impact remains explain why
\nimplementation is justifiable in order to meet the wider proposal
\naims:
\n41 NOT PROTECTIVELY MARKED ACPO Good Practice Guide for Digital Evidence, Version 5 (October 2011)
\nAssociation of Chief Police Officers of England, Wales & Northern Ireland
\n5. Consult formally
\n5.1 Has the proposal been subject to consultation? If no, please state why not.
\nIf yes, state which individuals and organisations were consulted and
\nwhat form the consultation took:
\nAge
\nDisability
\nGender
\nRace
\nReligion \/ Belief
\nSexual Orientation
\n5.2 What was the outcome of the consultation?
\nAge
\nDisability
\nGender
\nRace
\nReligion \/ Belief
\nSexual Orientation
\n5.3 Has the proposal been reviewed and\/or amended in light of the outcomes
\nof consultation?
\n5.4 Have the results of the consultation been fed back to the consultees?
\n6. Decide whether to adopt the proposal
\n6.1 Provide a statement outlining the findings of the impact assessment
\nprocess. If the proposal has been identified as having a possibility to
\nadversely impact upon diverse communities, the statement should include
\njustification for the implementation:
\n7. Make Monitoring Arrangements
\n7.1 What consideration has been given to piloting the proposal?
\n7.2 What monitoring will be implemented at a national level by the proposal
\nowning agency and\/or other national agency?
\n7.3 Is this proposal intended to be implemented by local agencies that have a
\nstatutory duty to impact assess policies? If so, what monitoring
\nrequirements are you placing on that agency?
\n8. Publish Assessment Results
\n8.1 What form will the publication of the impact assessment take?
\nAuthor:- DAC Janet Williams QPM
\nMetropolitan Police Service
\nCrime BA
\nAny queries relating to this document should be directed to either the author detailed above or the ACPO Programme
\nSupport Office on 020 7084 8958\/8959.<\/p>\n","protected":false},"excerpt":{"rendered":"
ACPO Good Practice Guide ACPO Good Practice Guide for Digital Evidence for Digital Evidence March 2012 ACPO Good Practice Guide for Digital Evidence The Association of Chief Police Officers have agreed to this revised good practice guide being circulated to, and adopted by, Police Forces in England, Wales & Northern Ireland. It is NOT PROTECTIVELY […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"pagelayer_contact_templates":[],"_pagelayer_content":"","footnotes":""},"categories":[1],"tags":[],"class_list":["post-423","post","type-post","status-publish","format-standard","hentry","category-uncategorized"],"_links":{"self":[{"href":"https:\/\/youpple.com\/dataclergy\/wp-json\/wp\/v2\/posts\/423","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/youpple.com\/dataclergy\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/youpple.com\/dataclergy\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/youpple.com\/dataclergy\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/youpple.com\/dataclergy\/wp-json\/wp\/v2\/comments?post=423"}],"version-history":[{"count":1,"href":"https:\/\/youpple.com\/dataclergy\/wp-json\/wp\/v2\/posts\/423\/revisions"}],"predecessor-version":[{"id":424,"href":"https:\/\/youpple.com\/dataclergy\/wp-json\/wp\/v2\/posts\/423\/revisions\/424"}],"wp:attachment":[{"href":"https:\/\/youpple.com\/dataclergy\/wp-json\/wp\/v2\/media?parent=423"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/youpple.com\/dataclergy\/wp-json\/wp\/v2\/categories?post=423"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/youpple.com\/dataclergy\/wp-json\/wp\/v2\/tags?post=423"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}