Thursday, 25 January 2018

The ACPO principles

Good day everyone. As promised in my previous blog post, here are some of the principles that computer forensics professionals need to adhere to. Without wasting much time, let's dive right into it.

PRINCIPLE 1 - ACPO PRINCIPLES
ACPO stands for the Association of Chief Police Officers. The ACPO principles are guidelines for handling digital evidence in the UK, and it is essential that they are strictly adhered to when investigating computers. There are four ACPO principles.

The principles are:
Principle 1: An officer must never change data held on a device.

Principle 2: In a situation where an officer has to change data held on a device, the officer must be competent to do so and must also give evidence explaining the relevance and implications of his/her actions.

Principle 3: An audit trail of all the processes followed must be recorded, such that a third party who follows it arrives at the same results.

Principle 4: The case officer must make sure that all laws are adhered to.
Explanation of these principles
Put simply, this means that before an investigation is conducted on a media device, it is very important that a chain of custody is created for the digital evidence. I have explained what a chain of custody is and why it is important in a previous post; you can find more about the chain of custody (CoC) here.

While investigating, it is also important to use a write blocker. A write blocker is a device that allows acquisition of the information on a drive without creating the possibility of accidentally damaging the drive contents.

Image source: https://bounga.id/content/tableau-t8u-usb30-forensic-bridge-write-blocker

During investigations, globally approved forensic tools should be used, and all investigations are to be completed on a cloned copy of the media rather than the original, to avoid contamination such as changing of timestamps.
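As an added example (not code from the original post), here is one way the "work on a cloned copy" rule and Principle 3's audit trail fit together in practice: the source is opened read-only, copied to an image, both are hashed with SHA-256, a mismatch stops the work, and each step is appended as a JSON line that a third party can use to re-verify the image. The sample "drive" is a constructed file of random bytes and the examiner name is a placeholder.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1024 * 1024  # stream in 1 MiB chunks so large images never sit in memory

def sha256_of(path):
    """SHA-256 of a file, opened read-only and read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()

def acquire_image(source, image, audit_log, examiner):
    """Copy source to image, hash both, append an audit record; raise on mismatch."""
    with open(source, "rb") as src, open(image, "wb") as dst:
        for chunk in iter(lambda: src.read(CHUNK), b""):
            dst.write(chunk)
    record = {
        "timestamp": datetime.now(timezone.utc).isoformat(),
        "examiner": examiner,  # placeholder name supplied by the caller
        "action": "acquire",
        "source": source,
        "image": image,
        "source_sha256": sha256_of(source),
        "image_sha256": sha256_of(image),
    }
    if record["source_sha256"] != record["image_sha256"]:
        raise RuntimeError("image does not match source; stop and re-acquire")
    with open(audit_log, "a") as log:  # one JSON line per step (JSONL)
        log.write(json.dumps(record) + "\n")
    return record

def verify_image(image, audit_log):
    """Third-party check: rehash the image and compare with the logged value."""
    with open(audit_log) as log:
        logged = {json.loads(line)["image_sha256"] for line in log if line.strip()}
    return sha256_of(image) in logged

def demo():
    """Constructed sample 'drive' of random bytes in a temporary directory."""
    d = tempfile.mkdtemp()
    src, img, log = (os.path.join(d, n) for n in ("drive.bin", "drive.dd", "audit.jsonl"))
    with open(src, "wb") as f:
        f.write(os.urandom(2 * CHUNK + 17))  # deliberately not a whole number of chunks
    rec = acquire_image(src, img, log, examiner="EXAMINER-PLACEHOLDER")
    return rec["source_sha256"] == rec["image_sha256"] and verify_image(img, log)
```

On a real acquisition the source would be the block device behind a hardware write blocker and the tool name and version would be recorded in the same log line.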

In a minority of cases, it may not be possible to obtain an image using a recognised imaging device. In these circumstances, it may become necessary for the original machine to be accessed to recover the evidence. With this in mind, it is essential that a witness, who is competent to give evidence to a court of law, makes any such access.

There are many other guidelines out there, and the ones listed above are generally accepted in the UK.
Many thanks for reading.
