ACPO Good Practice Guidefor Digital EvidenceMarch 2012

ACPO Good Practice Guidefor Digital EvidenceThe Association of Chief Police Officers have agreed to this revisedgood practice guide being circulated to, and adopted by, Police Forcesin England, Wales & Northern Ireland.It is NOT PROTECTIVELY MARKED under the Government ProtectiveMarking Scheme and it is disclosable under the Freedom ofInformation Act 2000.ACPO 2012

2 NOT PROTECTIVELY MARKED ACPO Good Practice Guide for Digital Evidence, Version 5 (October 2011)Document informationProtective markingNOT PROTECTIVELY MARKEDAuthorDAC Janet Williams QPMForce/OrganisationMetropolitan Police ServiceACPO Business AreaCrime BAContact details020 7230 6800Review dateAs requiredVersion5.0This best practice guide has been produced by the ACPO CrimeBusiness Area and was originally approved by ACPO Cabinet inDecember 2007. The purpose of this document is to provideguidance not only to assist law enforcement but for all thatassists in investigating cyber security incidents and crime. It willbe updated according to legislative and policy changes and republished as required.Any queries relating to this document should be directed to eitherthe author detailed above or the ACPO Programme Support Officeon 020 7084 8958/8959.Association of Chief Police Officers of England, Wales & Northern Ireland

3 NOT PROTECTIVELY MARKED ACPO Good Practice Guide for Digital Evidence, Version 5 (October 2011)ContentsSectionPageIntroduction to the Guide4Foreword51Application of Guide62The Principles of Digital al13Appendix ANetwork Forensic and Volatile Data CollectionAppendix BCrimes involving Websites, Forums and BlogsAppendix CCrime ScenesAppendix DDeveloping a Digital Investigation StrategyAppendix EACPO WorkbookAssociation of Chief Police Officers of England, Wales & Northern Ireland

4 NOT PROTECTIVELY MARKED ACPO Good Practice Guide for Digital Evidence, Version 5 (October 2011)INTRODUCTION TO THE GUIDE FOR DIGITAL EVIDENCEIt gives me great pleasure to introduce the 5th version of the ACPO Good Practice Guide for DigitalEvidence. Much effort has been put in to ensure that the right information is available to practitioners andmanagers in the fight against cyber crime. I would like to thank all those who contributed to its creation fortheir efforts in drawing together their expert knowledge in tackling the criminal misuse of current andemerging technologies. The review board drew together people from academia, private and the publicsector and has been an excellent example of collaborative working.Since taking the UK policing lead for e-Crime in April 2008, I have overseen the creation of the Police Centrale-Crime Unit. The team has grown from strength to strength through partnership working leading to theformation of a centre of excellence for cyber crime and the successful prosecution of cyber criminals. It isonly through bringing together the expertise in policing across the UK, the capability and best practice withinindustry, support of Government and the Criminal Justice System that we will combat those responsible forcyber crime.I am pleased that there has been recognition of a need to co-ordinate the UK response to cyber securityissues through the establishment of the Office of Cyber Security and the Cyber Security Operations Centre.This approach will combine the various industries, law enforcement and agencies’ hard work to corral theminto a single effort to gather intelligence, enforcement capability and create the right framework of policyand doctrine to better enable us all to tackle the major issues identified.This guide has changed from version 4, where it centred on computer based evidence; the new revisionreflects digital based evidence and attempts to encompass the diversity of the digital world. As such thisguide would not only assist law enforcement but the wider family that assists in investigating cyber securityincidents. I commend all to read and make use of the knowledge and learning contained in this guide toprovide us with the right tools to carry out our role.Janet Williams QPMDeputy Assistant CommissionerMetropolitan Police ServiceACPO lead for the e-Crime Portfolio.Association of Chief Police Officers of England, Wales & Northern Ireland

5 NOT PROTECTIVELY MARKED ACPO Good Practice Guide for Digital Evidence, Version 5 (October 2011)FOREWORDIt seems that whenever a review of ACPO guidance is carried out we are in the middle of technologicalchanges that have vast impact on the work that is done within digital forensic units. It is a testament to theauthors of the original four guiding principles for digital forensics that they still hold today, and one of thekey early decisions of the review board was to keep those four principles, with only a slight change ofwording to principle four.We work in an area of constant change. There is a continuing need to re-evaluate and revise our capacitiesto perform our duties. There is a need to recover and analyse digital data that can now be found within themany devices that are within day to day use, and can supply vital evidence in all our investigations.Hence a second key early decision was to change the title of the document to ACPO Good Practice Guide forDigital Evidence. This would hopefully encompass all aspects of digital evidence and remove the difficultyabout trying to draw the line to what is or isn’t a computer and thus falling within the remit of this guide.It is important that people who work within the arena of digital forensics do not just concentrate on thetechnology, as essential as that is, but that the processes we use are fit for the purpose, and that skills andcapacities within units reflect the demands that are made on them.A prime example of this is the use of the word ’triage’. It has been a subject of much discussion within theforensic community. It should be noted that it does not mean a single triage tool rather it is a completeprocess where certain tools will play a part but are not the whole solution.This guide is not intended to be an A-Z of digital forensics, or a specific “how to do” instruction manual. Itshould paint an overall picture and provides an underlying structure to what is required within DigitalForensic Units (DFUs). Therefore, the guide has been produced as a high-level document without thespecific guidance included in previous versions, as this guidance is now available elsewhere. Whererelevant, links to other guidance documents will be given.In this document Digital Forensic Unit is used to cover any type of group that is actively involved in theprocessing of digital evidence.Association of Chief Police Officers of England, Wales & Northern Ireland

6 NOT PROTECTIVELY MARKED ACPO Good Practice Guide for Digital Evidence, Version 5 (October 2011)1.SECTION 1 – APPLICATION OF GUIDE1.1When reading and applying the principles of this guide, any reference made to the police servicealso includes the Scottish Crime and Drugs Enforcement Agency (SCDEA) and the Police Service forNorthern Ireland (PSNI) unless otherwise indicated.1.2This guide is primarily written for the guidance of UK law enforcement personnel who may deal withdigital evidence. This will include: Persons who are involved in the securing, seizing and transporting of equipment fromsearch scenes with a view to recovering digital evidence, as well as in the identification ofthe digital information needed to investigate crime;Investigators who plan and manage the identification, presentation and storage of digitalevidence, and the use of that evidence;Persons who recover and reproduce seized digital evidence and are trained to carry out thefunction and have relevant training to give evidence in court of their actions. Persons whohave not received appropriate training and are unable to comply with theprinciples should not carry out this category of activity;Persons who are involved in the selection and management of persons who may be requiredto assist in the recovery, identification and interpretation of digital evidence.1.3Since the previous version of the guide was published, the Forensic Science Regulator has publishednew draft Codes of Conduct and Practice covering forensic science throughout the UK. Allpractitioners working in the field of digital forensics must abide by these codes.2.SECTION 2 – THE PRINCIPLES OF DIGITAL EVIDENCE2.1PRINCIPLES2.1.1Principle 1: No action taken by law enforcement agencies, persons employed within those agenciesor their agents should change data which may subsequently be relied upon in court.2.1.2Principle 2: In circumstances where a person finds it necessary to access original data, that personmust be competent to do so and be able to give evidence explaining the relevance and theimplications of their actions.2.1.3Principle 3: An audit trail or other record of all processes applied to digital evidence should becreated and preserved. An independent third party should be able to examine those processes andachieve the same result.2.1.4Principle 4: The person in charge of the investigation has overall responsibility for ensuring thatthe law and these principles are adhered to.2.2EXPLANATION OF THE PRINCIPLES2.2.1All digital evidence is subject to the same rules and laws that apply to documentary evidence.2.2.2The doctrine of documentary evidence may be explained thus: the onus is on the prosecution toshow to the court that the evidence produced is no more and no less now than when it was firsttaken into the possession of law enforcement.2.2.3Operating systems and other programs frequently alter, add and delete the contents of electronicstorage. This may happen automatically without the user necessarily being aware that the data hasbeen changed.Association of Chief Police Officers of England, Wales & Northern Ireland

7 NOT PROTECTIVELY MARKED ACPO Good Practice Guide for Digital Evidence, Version 5 (October 2011)2.2.4In order to comply with the principles of digital evidence, wherever practicable, proportionate andrelevant an image should be made of the device. This will ensure that the original data is preserved,enabling an independent third party to re-examine it and achieve the same result, as required byprinciple may be a physical / logical block image of the entire device, or a logical file image containingpartial or selective data (which may be captured as a result of a triage process). Investigators shoulduse their professional judgement to endeavour to capture all relevant evidence if this approach isadopted.2.2.6In cases dealing with data which is not stored locally but is stored at a remote, possibly inaccessiblelocation it may not be possible to obtain an image. It may become necessary for the original data tobe directly accessed to recover the data. With this in mind, it is essential that a person who iscompetent to retrieve the data and then able to give evidence to a court of law makes any suchaccess. Due consideration must also be given to applicable legislation if data is retrieved whichresides in another jurisdiction.2.2.7It is essential to display objectivity in a court of law, as well as the continuity and integrity ofevidence. It is also necessary to demonstrate how evidence has been recovered, showing eachprocess through which the evidence was obtained. Evidence should be preserved to such an extentthat a third party is able to repeat the same process and arrive at the same result as that presentedto a court.2.2.8It should be noted that the application of the principles does not preclude a proportionate approachto the examination of digital evidence. Those making decisions about the conduct of a digitalinvestigation must often make judgements about the focus and scope of an investigation, taking intoaccount available intelligence and investigative resources. This will often include a risk assessmentbased on technical and non-technical factors, for example the potential evidence which may be heldby a particular type of device or the previous offending history of the suspect. Where this is done itshould be transparent, decisions should be justifiable and the rationale recorded.2.2.9Application of the four principles will also be informed by: The Forensic Science Regulator’s forthcoming Codes of Practice and Conduct;The guidance around digital forensic process improvements developed by the NationalPolicing Improvement Agency’s Forensic 21 programme and those engaged in the collection,examination or reporting of digital evidence should also refer to that guidance.3.SECTION 3 – PLAN3.1This also refers to the: The NPIA Forensic21 HTCU Computer Examination Process, 2011The SCDEA HTCU Guidance.3.2The proliferation of digital devices and the advances in digital communications mean that digitalevidence is now present or potentially present in almost every crime.3.3Digital evidence can be found in a number of different locations: Locally on an end-user device – typically a user’s computer, mobile/smart phone, satellitenavigation system, USB thumb drive, or digital camera;On a remote resource that is public – for example websites used for social networking,discussion forums, and newsgroups;On a remote resource that is private – an internet Service Provider’s logs of users’ activity, amobile phone company’s records of customers’ billing, a user’s webmail account, andincreasingly common, a user’s remote file storage;Association of Chief Police Officers of England, Wales & Northern Ireland

8 NOT PROTECTIVELY MARKED ACPO Good Practice Guide for Digital Evidence, Version 5 (October 2011) In transit – for example mobile phone text messages, or voice calls, emails, or internet chat.3.4It would be quite common for evidence of a crime to be in more than one of the locationsmentioned above. However it might be much easier to obtain the evidence from one location ratherthan another; careful consideration should be given to the resources required to obtain theevidence.3.5For example, if evidence is required of contact between two mobile phone numbers, the bestmethod would be to obtain call data from the Communication Service Providers via the force SPOC,rather than to request a forensic examination of the mobile phones. The call data is likely to bemore comprehensive than call logs from a mobile phone and the times and dates can be reliedupon, which is not necessarily the case with logs from a mobile phone.3.6In addition, investigators seeking to capture ‘in transit’ evidence must be aware of the implicationsunder the Regulation of Investigatory Powers Act (RIPA) and the need to seek appropriateauthorities for doing so. Further information is available from force SPOCs.3.7With the above in mind, it is important that investigators develop appropriate strategies to identifythe existence of digital evidence and to secure and interpret that evidence throughout theirinvestigation.3.8Due consideration should always be given by the investigators of the benefits to the overallinvestigation of conducting any digital forensic work. Proportionality should be assessed when adigital forensic strategy is being considered to ensure that limited resources for digital forensicinvestigation are directed appropriately.4.SECTION 4 – CAPTURE4.1This also refers to: Retrieval of Video Evidence and Production of Working Copies from Digital CCTV Systemsv2.0;Network forensics and volatile data collection – Appendix A;Crimes involving websites, forums and blogs – Appendix B.4.2PHYSICAL CRIME SCENES4.2.1There are many different types of digital media and end-user devices, which may be encounteredduring a search of a crime scene, all of which have the potential to hold data which may be of valueto the investigation. In order to preserve the data and achieve best evidence, these items must behandled and seized appropriately, and should be treated with as much care as any other item that isto be forensically examined. This section is intended to assist individuals to ensure their actions inrelation to seizure are correct.4.3PROPORTIONALITY ISSUES RELATING TO SEIZURE4.3.1Proportionality issues relating to seizure are: Before seizing an item, consider whether the item is likely to hold evidence. For example, isthis a family computer or a computer belonging to a suspect?Ensure that details of where the item was found are recorded, which could assist inprioritising items for examination at a later stage;Consider when the offence was committed; when seizing CCTV, give consideration tonarrowing down what is seized, by camera and/or time period. Check whether anothersystem may be better placed to record the evidence;Association of Chief Police Officers of England, Wales & Northern Ireland

9 NOT PROTECTIVELY MARKED ACPO Good Practice Guide for Digital Evidence, Version 5 (October 2011) Differentiate between mobile phones found on a suspect (likely to be in current use) andphones found in a drawer (may not be in current use), as different levels of examinationmay be possible for these;Also consider that evidence may be stored online, or on an internet service provider’ssystems, and end-user devices may only be needed to obtain the details necessary torequest this evidence from the service provider. If so, it is best to seize items in currentusage, i.e. computers connected to the internet.4.3.2Digital devices and media should not be seized just because they are there. The person in charge ofthe search must have reasonable grounds to remove property and there must be justifiable reasonsfor doing so. The search provisions of PACE Legislation Codes of Practice equally apply to digitaldevices and media in England, Wales and Northern Ireland. In Scotland, officers should ensure theyare acting within the terms of the search warrant.4.3.3Due regard should also be given to the application of the European Convention of Human Rights.4.4BEFORE ATTENDING A SCENE TO CAPTURE DIGITAL EVIDENCE4.4.1Persons responsible for the seizure of digital devices, or for on-scene capture of data, should ensure: They have the necessary equipment. (Refer to the First Responder’s Guide for a detailedbreakdown);They have considered potential sources of evidence and know what is likely to be relevant,where possible.4.4.2Where an investigation is likely to involve the examination of user-created digital images,consideration should be given to the question of seizing of cameras and other devices capable oftaking digital photographs. For example, in cases where a suspect is believed to have taken indecentphotographs of children, seizure of devices capable of taking digital photos could be useful not onlyfor the data they store, but also to link these devices to previously identified indecent photographsby the examination of digital metadata (EXIF data).4.4.3Where necessary, specialist advice from a force’s Digital Forensic Unit should be sought in advance.If given sufficient information about the investigation, DFUs will be able to advise on which items aremost likely to provide the evidence sought.4.5WHEN ATTENDING A SCENE4.5.1To comply with principle 3, records must be kept of all actions taken in relation to digital evidence,which could include photographs/diagrams of equipment locations, details of any informationprovided by persons present, and records of any actions taken at the scene.4.5.2Refer to the First Responder’s Guide for detailed guidance on seizure for individual items. However,persons attending a scene should be especially aware that systems which are powered on(running) need to be handled with care, as there is the potential to make unwanted changes tothe evidence if these are not dealt with correctly. Such systems should only be accessed byappropriately trained personnel. In addition, volatile data of evidential value may be lost.4.6CAPTURING ONLINE EVIDENCE4.6.1In some investigations the capture of digital evidence may be from an online rather than a physicallocation. Detailed guidance on securing this evidence can be found in ‘Crimes involving websites,forums and blogs’ and ‘Network forensics and volatile data’.4.6.2Online evidence can roughly be split into that which is publicly available (e.g. forum postings, wherethe forum does not require a login to view) and that which is private (e.g. Facebook accountinformation). There may be scope to obtain both (e.g. by capturing the text of a forum posting andthen requesting the account details of the user who made the posting from the forum owner).Association of Chief Police Officers of England, Wales & Northern Ireland

10 NOT PROTECTIVELY MARKED ACPO Good Practice Guide for Digital Evidence, Version 5 (October 2011)Investigators should be aware of the potential issues when capturing publicly available data,Including the ‘footprints’ which are left when accessing a site, which can alert a website owner tolaw enforcement interest.4.6.3Records should be kept of all actions taken when capturing online evidence in order to comply withprinciple 3.5.SECTION 5 – ANALYSE5.1This also refers to: The NPIA Forensics21 HTCU Computer Examination Process, 2011;Forensic Science Regulator’s Codes of Practice and Conduct;Digital Imaging Procedure v2.1.5.2Devices seized as part of a search will typically be submitted to the force Digital Forensic Unit inaccordance with force policy. Due to the volume and complexity of data stored on digital devices, itis not possible or desirable to extract all data held on a device for review by investigators. Instead, aforensic strategy needs to be formulated to enable the examination to be focused on the relevantdata.5.3The National Policing Improvement Agency is currently formulating suggested processes for digitalexaminations involving computer and phone devices. Readers should refer to these processes formore specific detail of best practice digital examination processes. Other types of digitalexaminations should follow the same principles, briefly summarised below.5.4The investigator needs to properly consider the nature and purpose of the digital examination. Theinvestigator must be clear on what priorities are placed on the examination as it may well be thatkey information needs to be found in order to preserve evidence that may exist elsewhere. This isparticularly the case where it relates to the existence of additional evidence, offenders and victims.5.5When submitting evidence to Digital Forensic Units, investigators must supply specific requirements.It is not practically possible to examine every item of digital data and clear tasking is needed toensure that the digital forensic practitioner has the best chance of finding any evidence which isrelevant to the investigation.5.6For more complex or lengthy investigations, an initial triage/review of the digital evidence (whetheror not this is done using a specific triage tool) will give investigators and practitioners a betterunderstanding of the nature of the digital evidence held. The forensic strategy should be regularlyreviewed to take account of any changes in the direction of the investigation, which may occur as aresult of digital forensic examination (for example, finding emails identifying a co-conspirator) orinvestigations elsewhere (a witness identifying another person as being of interest to theinvestigation). For this reason it is vital that the investigator and the digital forensic practitionercommunicate regularly regarding the progress of the investigation.5.7If initial examination results in a large amount of data to be reviewed, consideration must be givento who is best placed to review that data. Often this will be the investigator, due to their greaterknowledge of the case. Dependent on the source, this data may include: Internet history records;E-mails;Instant Messaging Logs;Media files (images and videos);Text documents;Spreadsheets;CCTV;Text Messages.Association of Chief Police Officers of England, Wales & Northern Ireland

11 NOT PROTECTIVELY MARKED ACPO Good Practice Guide for Digital Evidence, Version 5 (October 2011)5.8Collaboration with the Digital Forensic Unit will ensure that the significance of any reviewed data isnot misunderstood. For example, when reviewing keyword hits which exist in deleted files, thesignificance of a hit’s location may need explanation from a digital forensic practitioner.5.9For mobile phone examinations, different levels of examination may be appropriate depending onthe intelligence relating to the device and the requirements of the investigation. For example, aphone which has been found in a drawer may be examined only to retrieve the necessaryinformation to request billing details and to establish whether it is owned by the suspect (level 1). Aphone which is known to be in regular use by a suspect in a high profile investigation may besubject to a much more in-depth examination involving the retrieval of deleted data and potentiallythe physical removal and examination of memory chips (level 4). These examination levels areoutlined in the NPIA mobile phone SOPs.5.10INTERPRETATION OF DIGITAL DATA5.10.1 As with other forensic evidence, interpretation is often required to ensure the evidential weight ofrecovered digital evidence is clear. Practitioners who undertake the interpretation of digital datamust be competent to do so and have had sufficient training to undertake the task assigned tothem.5.10.2 As an example, the presence of indecent images of children on a computer would not in itself besufficient evidence of possession, as the possessor must be aware of the existence of the images. Adigital forensic practitioner may interpret the presence of other digital evidence (such as a list ofrecently opened files, recent search terms, the name and location of folders/files containing thematerial, or whether or not the computer is password protected) to establish the likelihood of theuser being aware of the existence of these images.5.10.3 Establishing the provenance of digital evidence is another key task of the forensic practitioner, whomust use their knowledge and skills to identify not just that the evidence exists but also how it cameto be there. This is common to all forensic disciplines; for example, the presence of a defendant’sfingerprint on a bottle at the crime scene may not have any bearing on whether the defendantcommitted the crime if the bottle may have been carried there by someone else. It is theresponsibility of the practitioner to carry out analysis to identify provenance where necessary, tomitigate the risk of their findings being misinterpreted.5.10.4 Often the role of the digital forensic practitioner will be to make investigators and prosecutors awareof the limitations of the digital evidence as well as its strengths.5.10.5 It must also be borne in mind that the development of digital technology is dynamic and thepractitioners may well face significant challenges to their knowledge. It is not possible to be anexpert in all aspects of digital forensic examination, but a practitioner should be aware of the limitsof their knowledge and where further research or additional specialist knowledge is required.6.SECTION 6 – PRESENT6.1This also refers to: 6.2NPIA Forensics21 process maps;CPS disclosure manual, annex K.Communication of the results of a digital forensic examination may be through a number of means: Verbally to an investigator/officer throughout a case;By a statement or report on conclusion of the case;In court if witness evidence is required.Association of Chief Police Officers of England, Wales & Northern Ireland

12 NOT PROTECTIVELY MARKED ACPO Good Practice Guide for Digital Evidence, Version 5 (October 2011)6.3In all cases a digital forensic practitioner must be aware of their duty of impartiality and that theymust communicate both the extent and the limitations of the digital forensic evidence. This isespecially important as, due to the nature of digital forensic evidence, it is not always immediatelyunderstandable by the layman.6.4VERBAL FEEDBACK6.4.1This should be given regularly throughout the progress of an examination. In this way it will enablethe investigator to pursue relevant lines of enquiry as these become evident, and will ensure thatthe practitioner is up-to-date with any information required to better target their investigation.6.4.2It is important that this communication be recorded for potential disclosure at a later date. Goodpractice would be for a verbal conversation to be followed up via email, or to be recorded incontemporaneous notes.6.5STATEMENTS OR REPORTS6.5.1The statement or report is the ultimate product of the examination. It should outline theexamination process and the significant data recovered. Whilst an initial report may be relativelybrief, the practitioner should be in a position to produce a full technical report should one later berequired.6.5.2The report should be written to be understandable to the reader; this may include the use of aglossary, diagrams/screenshots to illustrate points, the use of examples and avoidance of technicaljargon.6.5.3When particular items are reproduced in a report, care should be taken to ensure that therepresentation is accurate. For example, pictures should not be reproduced at a larger size withoutthis being made clear in the report. If a report is produced digitally, items should be reproducedwhere possible in their original file formats, to ensure that those viewing will see the item as close aspossible to its original appearance. If this is not appropriate (for example, if a file needs to beconverted to a more common format for reviewing) then the fact that it has been converted must bestated in the report. Where it is not possible to reproduce the item as it would have originally beenviewed, for example, when a webpage is retrieved some time after the original page was accessed,this must also be clearly stated in the report.6.5.4The report shou

authors of the original four guiding principles for digital forensics that they still hold today, and one of the key early decisions of the review board was to keep those four principles, with only a slight change of wording to principle four. We work in an area of constant change. There is a continuing need to re-evaluate and revise our capacities