The fundamental principles of computer forensics can be thought of as the rules governing how digital evidence is handled, so that the evidence remains admissible in court.
Immediately we can see that any attempt to define these principles is made difficult by the fact that legislation concerning digital evidence differs from country to country. Nevertheless, attempts have been made to standardise principles on an international basis and the following are commonly agreed upon:
- The act of collecting digital evidence should not alter the data in question, wherever this is possible
- All handling of digital evidence (from collection through to preservation and analysis) must be fully documented
- Access to original digital evidence should be restricted to those deemed "forensically competent"
Each of the above principles requires more detailed explanation to be properly appreciated and understood, and debate continues over how they should be implemented. For example, how should situations be handled in which some alteration of data during evidence collection is unavoidable (e.g. during live analysis)? What does "fully documented" mean, and how should the details of an investigation be recorded? How do you determine whether someone is "forensically competent"?
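The first two principles above (no alteration of the data, and full documentation of every handling step) are usually demonstrated in practice by hashing the evidence at acquisition and recording each subsequent action together with a fresh hash. The following is an added example, not code from the original page; the evidence bytes, evidence ID and examiner names are constructed placeholders, and the JSON custody log is one illustrative format rather than a standard.

```python
import hashlib
import json
from datetime import datetime, timezone


def sha256_hex(data: bytes) -> str:
    """Return the SHA-256 digest of the evidence bytes as a hex string."""
    return hashlib.sha256(data).hexdigest()


class CustodyLog:
    """Append-only chain-of-custody record: one entry per handling action."""

    def __init__(self, evidence_id: str, acquired: bytes, handler: str):
        self.evidence_id = evidence_id
        # The hash taken at acquisition is the reference every later step is checked against.
        self.reference_hash = sha256_hex(acquired)
        self.entries = []
        self.record(handler, "acquisition", acquired)

    def record(self, handler: str, action: str, current: bytes) -> bool:
        """Log who did what and when, and whether the data still matches the acquisition hash."""
        current_hash = sha256_hex(current)
        intact = current_hash == self.reference_hash
        self.entries.append({
            "evidence_id": self.evidence_id,
            "timestamp": datetime.now(timezone.utc).isoformat(),
            "handler": handler,
            "action": action,
            "sha256": current_hash,
            "matches_acquisition_hash": intact,
        })
        return intact

    def to_json(self) -> str:
        """Serialise the log for inclusion in the investigation record."""
        return json.dumps(self.entries, indent=2)


# Constructed sample evidence standing in for a disk image.
EVIDENCE = b"constructed sample disk image contents\x00\x01\x02"


def demo() -> tuple:
    """Verify an unchanged copy, then detect a single-byte alteration of the original."""
    log = CustodyLog("EX-0001", EVIDENCE, "examiner A")          # placeholder ID and names
    ok_after_transfer = log.record("examiner B", "verification after transfer", EVIDENCE)
    altered = EVIDENCE[:-1] + b"\xff"                             # one byte changed during analysis
    ok_after_analysis = log.record("examiner C", "verification after analysis", altered)
    return ok_after_transfer, ok_after_analysis


if __name__ == "__main__":
    print(demo())
```

A mismatch flags the step at which the data diverged from what was acquired, which is exactly what the documentation principle exists to make visible.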