The latest industry news, articles and events
With the prolific usage of electronic devices such as smartphones and computers, the amount of data generated from these devices is vast. As such, there can be an expectation within almost any investigation for the need to identify digital evidence. If identified, collected and analysed in a forensically sound manner, electronic evidence can prove crucial to the outcome of criminal, civil and corporate investigations.
Electronic evidence, also commonly known as digital evidence, is data stored within electronic devices or systems that can be recovered by forensic experts and used as admissible evidence in court.
Data recovered from the following devices and applications are considered as evidence. However, this is only admissible if recovered using a forensic methodology by a certified expert.
The Association of Chief Police Officers (ACPO) guidelines are a set of principles for handling electronic evidence. It is critical that these are strictly adhered to when investigating computers or digital media as it ensures evidence continuity and admissibility of digital evidence in court.
The main principles of the ACPO Good Practice Guide for Computer Based Electronic Evidence are:
No action taken by law enforcement agencies or their agents should change data held on a computer or storage media, which may subsequently be relied upon in court.
In exceptional circumstances, where a person finds it necessary to access original data held on a computer or on storage media, that person must be competent to do so and be able to give evidence explaining the relevance and the implications of their actions.
An audit trail or other record of all processes applied to computer-based electronic evidence should be created and preserved. An independent third party should be able to examine those processes and achieve the same result.
The person in charge of the investigation has overall responsibility for ensuring that the law and these principles are adhered to.
Applying the ACPO Guidelines in practice means that a chain of custody should be established. This ensures that no unauthorised access to digital media can occur. When the digital evidence is forensically interrogated a write-blocker is required, so that data cannot be overwritten or altered from its original format, preserving the evidence. Specialist forensic tools should be used, and all interrogations completed on a forensic image (or clone), not on the original media device.
London: 0207 438 2045
Manchester: 0161 797 8123