Digital Forensics
Guidelines
Guidelines to good practice
The purpose of applying known guidelines to the forensic process is to bring a collection of forensically sound practices into the work being undertaken. Different guidelines and standard practices offer widely acknowledged principles for maintaining evidential integrity and for properly seizing and collecting electronic evidence. In addition, simply stating which known guidelines your forensic process follows assures external parties who have limited knowledge of your work that you are following a sound practice, and removes doubt they may otherwise have had about your forensic approach and findings.
Selection of guidelines and standards
The existence of multiple guidelines makes it important for digital investigators to choose their approach wisely. Even though most of the guidelines overlap in several areas, the investigator must be careful not to overlook methodologies that are crucial to the proper and lawful handling of potential electronic evidence.
This section will cover the basics of some of the internationally known guidelines used by both law enforcement in the public sector as well as digital forensics investigators in the private sector.
Association of Chief Police Officers (UK)
The Association of Chief Police Officers of England, Wales and Northern Ireland (ACPO) "Good Practice Guide for Digital Evidence" is a collection of best practices written primarily to guide UK law enforcement personnel who deal with digital evidence. The latest version at the time of writing (Q2 2020) is the fifth, dated March 2012. The guide sets out four principles for the handling of digital evidence:
- No action taken by law enforcement agencies, persons employed within those agencies or their agents should change data which may subsequently be relied upon in court
- In circumstances where a person finds it necessary to access original data, that person must be competent to do so and be able to give evidence explaining the relevance and the implications of their actions
- An audit trail or other record of all processes applied to digital evidence should be created and preserved. An independent third party should be able to examine those processes and achieve the same result
- The person in charge of the investigation has overall responsibility for ensuring that the law and these principles are adhered to
It is important to note that this practical guide is intended for use in recovering electronic evidence and is not meant as a guide to the examination or analysis of digital evidence. In addition to the four principles, the ACPO guide covers several other sections and topics relating to digital evidence, ranging from planning and attending a crime scene to disclosure and legislation.
Source: https://www.digital-detective.net/acpo-good-practice-guide-for-digital-evidence/
Document: PDF
Scientific Working Group on Digital Evidence (US)
The Scientific Working Group on Digital Evidence (SWGDE) was formed by The Federal Crime Laboratory Directors group in 1998 to explore digital evidence as a forensic discipline. The initial participants of the group included the forensic laboratories of several US public bodies such as the FBI, DEA, US Customs, US Secret Service and NASA. The SWGDE offers a wide array of documentation and best practices for multiple areas within the digital forensics arena.
The following is a short sample list of best practice documentation available on their domain:
- SWGDE Best Practices for Digital Evidence Collection
- SWGDE Best Practices for Computer Forensic Acquisitions
- SWGDE Best Practices for Maintaining the Integrity of Imagery
- SWGDE Best Practices for Computer Forensic Examination
- SWGDE Best Practices for Chip-Off
Source: https://www.swgde.org/
Department of Justice (US)
The Department of Justice (DOJ) published their own guide intended to assist State and local law enforcement, including first responders, who may be responsible for preserving electronic material at a crime scene. The guide offers several chapters introducing the reader to digital evidence and investigation tools. Throughout the guide, the readers learn how to secure and document the crime scene as well as how to collect, handle and evaluate potential electronic evidence.
Source: https://www.ncjrs.gov/
Document: PDF
International Organization on Computer Evidence
The International Organization on Computer Evidence (IOCE) was established in 1995 to form an international platform for law enforcement to discuss and share information and issues relating to computer crime and computer forensics. In 1997, the IOCE was tasked with the development of international standards for the exchange and recovery of electronic evidence. Based on the material contained in the UK's Association of Chief Police Officers (ACPO) Best Practice Guide and the SWGDE Draft Standards, a proposed set of principles was presented to and approved by the International Organization on Computer Evidence (IOCE) at the International Hi-Tech Crime and Forensics Conference in October 1999.
The IOCE principles are as follows:
- Upon seizing digital evidence, actions taken should not change that evidence
- When it is necessary for a person to access original digital evidence, that person must be forensically competent
- All activity relating to the seizure, access, storage, or transfer of digital evidence must be fully documented, preserved, and available for review
- An individual is responsible for all actions taken with respect to digital evidence while the digital evidence is in their possession
- Any agency that is responsible for seizing, accessing, storing, or transferring digital evidence is responsible for compliance with these principles
Source: https://archives.fbi.gov/archives/about-us/lab/forensic-science-communications/fsc/april2000/swgde.htm#IOCEInternationalPrinciples
Interpol
The Interpol Guidelines for Digital Forensics Laboratories is intended as a template document for countries to use when considering developing their digital forensics capability. The advice given should be applied in accordance with national legislation, practice and procedures. The document is intended for use by Interpol member countries, with the objective of ensuring that the electronic evidence produced is admissible in a court of law in other member countries as well as in international criminal justice systems. The guidelines refer to both the Association of Chief Police Officers (ACPO) and the Scientific Working Group on Digital Evidence (SWGDE).
The guidelines include detailed information on the setup of digital forensic laboratories, and cover how to set up and manage a digital forensic case, including the laboratory analysis procedure. Similar to the ACPO Good Practice Guide for Digital Evidence, the Interpol guidelines also include a list of principles to follow when dealing with electronic evidence.
The principles presented in the guidelines read as follows:
- Electronic evidence must be obtained in a legal manner
- The staff involved must complete the appropriate training program prior to handling electronic evidence
- Any actions taken on the electronic evidence must not change its data. If it is necessary to access the original data or change the system setting, it is recommended that only competent staff be able to do so, and that staff must be able to justify those actions
- Any action that requires the original data to be accessed or changed should be recorded and witnessed by a fellow practitioner if possible
- A record of all actions taken when handling electronic evidence must be created and preserved so that they can be audited. An independent third party should be able to repeat those actions and achieve the same results
Source: https://www.interpol.int/
Document: PDF
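The ACPO, IOCE and Interpol principles above all require that no action changes the evidence, that every process applied to it is recorded, and that an independent third party can repeat those processes and obtain the same result. The following is an added illustration of those requirements (it is not code from ACPO, IOCE or Interpol, and the exhibit bytes, examiner names and tool labels are constructed): a hash-chained audit trail for an exhibit, plus the check an independent reviewer can run with nothing but the log and the exhibit.

```python
import hashlib
import json

# Constructed stand-in for an exhibit (e.g. the bytes of a disk image); not real evidence.
EXHIBIT = b"constructed sample exhibit bytes, standing in for a disk image"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class AuditTrail:
    """Append-only record of every process applied to an exhibit. Each entry commits to
    the hash of the previous entry, so later editing or removal of an entry is detectable."""

    def __init__(self):
        self.entries = []

    def record(self, when, who, action, tool, exhibit_bytes):
        prev = self.entries[-1]["entry_hash"] if self.entries else "0" * 64
        entry = {"seq": len(self.entries) + 1, "when": when, "who": who,
                 "action": action, "tool": tool,
                 "exhibit_sha256": sha256_hex(exhibit_bytes), "prev_entry_hash": prev}
        # The entry hash covers every field above, including the link to the previous entry.
        entry["entry_hash"] = sha256_hex(json.dumps(entry, sort_keys=True).encode())
        self.entries.append(entry)
        return entry


def independent_review(entries, exhibit_now):
    """What a third party can do with only the log and the exhibit: recompute the chain,
    check that no recorded action changed the exhibit, and re-hash the exhibit today.
    Returns a list of findings; an empty list means log and exhibit are consistent."""
    findings = []
    prev = "0" * 64
    for e in entries:
        body = {k: v for k, v in e.items() if k != "entry_hash"}
        if body["prev_entry_hash"] != prev:
            findings.append(f"entry {e['seq']}: chain broken")
        if sha256_hex(json.dumps(body, sort_keys=True).encode()) != e["entry_hash"]:
            findings.append(f"entry {e['seq']}: entry altered after recording")
        prev = e["entry_hash"]
    if len({e["exhibit_sha256"] for e in entries}) > 1:
        findings.append("exhibit hash differs between entries: data was changed")
    if entries and sha256_hex(exhibit_now) != entries[-1]["exhibit_sha256"]:
        findings.append("exhibit no longer matches last recorded hash")
    return findings


def demo(tamper_log=False):
    """Record three actions (constructed); optionally edit entry 2 after the fact."""
    trail = AuditTrail()
    trail.record("2020-06-01T09:00Z", "examiner A", "seize and hash", "hashing tool (placeholder)", EXHIBIT)
    trail.record("2020-06-01T10:30Z", "examiner A", "image via write blocker", "imaging tool (placeholder)", EXHIBIT)
    trail.record("2020-06-02T14:00Z", "examiner B", "keyword search on working copy", "analysis tool (placeholder)", EXHIBIT)
    if tamper_log:
        trail.entries[1]["who"] = "examiner C"  # post-hoc edit of the record
    return independent_review(trail.entries, EXHIBIT)
```

A real trail would also carry the acquisition details the guides ask for (device identifiers, write-blocker model, tool version), but the verification logic stays the same.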