Computer Forensics project

(@gumstickstorage)
Posts: 14
Active Member
Topic starter
 

Thanks for all your responses, opinions, corrections, and suggestions. This is some pretty overwhelming, yet very valuable information I'm getting.

This forum post will (if allowed) definitely be part of my literature review and other pieces of literature to go with it. The suggestions and methodologies I've been reading will be stored and used if appropriate. It would be nice if I could attempt to even visit a digital forensics lab in action but I think I'd be pushing it by attempting to get that.

Either way, this thread is still being actively read (until January when I will most likely start the main bulk of the report) so any other comments will be greatly valued.

 
Posted : 03/11/2019 4:03 pm
(@gumstickstorage)
Posts: 14
Active Member
Topic starter
 

The ACPO points are interesting and whilst there might be 'guidance' provided, often it's the 4 principles that stand out. I feel like these could be revisited.

Thanks for your response tootypeg.

Just by looking at this thread, the ACPO guidelines seem to be popular, and people seem happy with them the way they are. Do you have any reasons why you think they should be revisited?

 
Posted : 04/11/2019 10:25 pm
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

Just by looking at this thread, the ACPO guidelines seem to be popular, and people seem happy with them the way they are. Do you have any reasons why you think they should be revisited?

IMHO, being "principles" they are very good (please read as making a lot of sense) and "universal":

ACPO Principle 1 That no action is taken that should change data held on a digital device including a computer or mobile phone that may subsequently be relied upon as evidence in court.

ACPO Principle 2 Where a person finds it necessary to access original data held on a digital device that the person must be competent to do so and able to explain their actions and the implications of those actions on the digital evidence to a Court.

ACPO Principle 3 That an audit trail or record of all actions taken that have been applied to the digital evidence should be created and preserved. An independent third party forensic expert should be able to examine those processes and reach the same conclusion.

ACPO Principle 4 That the individual in charge of the investigation has overall responsibility to ensure that these principles are followed.

The issues are (still IMHO):
ACPO principle #1 is not (anymore) applicable in all cases (when it comes to phones or encrypted devices) because on some occasions data is actually modified by the method used to access the data, and on this there are different points of view (personally I believe that documented, motivated and *needed* changes to data are not an issue).

ACPO principle #2 is not (anymore) applied in a number of cases (search for "push button forensics" for some takes on the matter).

ACPO principle #3 is not anymore applicable due (mainly) to the issues seen above, and this is also intertwined with the validation (or actually utter lack of it) of tools mandated by - besides "common sense" - ISO 17025.

ACPO principle #4 remains applicable, but is undermined by the (IMHO common) violations of principles #2 and #3.

jaclaz

 
Posted : 05/11/2019 12:29 pm
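An added example (not from this thread, ACPO or any named project): a minimal audit trail in Python that hashes the evidence before and after each recorded action, refuses an undocumented change in line with the "documented, motivated and needed" reading of principle #1 above, and lets an independent party re-check the chain as principle #3 asks. Names, the `AuditTrail` API and the sample bytes are assumptions.

```python
import hashlib
import json
from dataclasses import dataclass, asdict


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass
class AuditEntry:
    examiner: str
    action: str
    hash_before: str
    hash_after: str
    justification: str  # mandatory whenever the action altered the evidence


class AuditTrail:
    """Principle #3: every action applied to the evidence is recorded (hypothetical API)."""

    def __init__(self) -> None:
        self.entries = []

    def record(self, examiner: str, action: str, before: bytes, after: bytes,
               justification: str = "") -> AuditEntry:
        hash_before, hash_after = sha256(before), sha256(after)
        # Principle #1 exception as argued in the thread: a change is acceptable
        # only when it is documented and motivated, so a silent one is refused.
        if hash_before != hash_after and not justification:
            raise ValueError("evidence changed without a documented justification")
        entry = AuditEntry(examiner, action, hash_before, hash_after, justification)
        self.entries.append(entry)
        return entry

    def to_json(self) -> str:
        return json.dumps([asdict(e) for e in self.entries], indent=2)


def verify_trail(trail_json: str, original: bytes, final: bytes) -> bool:
    """Independent third-party check: the hash chain must run unbroken from
    the original evidence to its final state, with every change justified."""
    expected = sha256(original)
    for entry in json.loads(trail_json):
        if entry["hash_before"] != expected:
            return False  # an action was applied that is not on record
        if entry["hash_before"] != entry["hash_after"] and not entry["justification"]:
            return False  # undocumented modification
        expected = entry["hash_after"]
    return expected == sha256(final)
```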
(@rich2005)
Posts: 536
Honorable Member
 

I think it depends on your point of view of the term "principle".

If we think about the common usage of the word principle then I think it helps.

So point one is essentially saying "In principle we should not modify the original data". Nothing wrong with that in my mind.

The second principle goes on to say that "In circumstances where a person finds it necessary to access original data, that person must be competent to do so and be able to give evidence explaining the relevance and the implications of their actions." Again that's perfectly sensible in my view and is really dealing with your concern over principle one. In that, generally speaking, you should seek to avoid accessing/modifying original data, but if it's necessary, the person should be competent enough to know and explain what they did, and why it was necessary. I think this would cover lots of things - mobile extractions probably being the most common example.

Principle three is still applicable in my view (in the broadest sense). However, I would remove the final sentence, especially with respect to collection of data that cannot be repeated at a later stage; this was probably written mostly with something like disk-based evidence in mind, rather than a collection of data that may not be repeatable later. I'd also focus this principle more on documentation of interaction with the source evidence and properly documenting findings. I.e. there could be circumstances where, as an example, someone could use a proprietary "black box" piece of software to locate data, and justifiably not reveal the method, or not know it, but be able to point to the raw data on the disk, its location/details, etc.

Principle 4 - I understand why it was written, and it is generally little more than a heads-up that the "officer in the case" is essentially in charge of what happens, in law enforcement matters. However, in practice they're not going to be sat on the shoulder of an examiner directing them, or in a position to ensure "the law and these principles are adhered to". This could be rewritten to reflect more that an examiner should consider all legal and evidentiary implications of actions they intend to take and, where necessary, consult the person in charge of the investigation for authorisation to proceed with a course of action, particularly in circumstances where data may be being modified or accessed outside the scope of a physically seized item. Or something like that 😉

 
Posted : 05/11/2019 1:41 pm
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

In that, generally speaking, you should seek to avoid accessing/modifying original data, but if it's necessary, the person should be competent enough to know and explain what they did, and why it was necessary. I think this would cover lots of things - mobile extractions probably being the most common example.

Yep :), but in this I am seemingly a little stricter in my interpretation, in the sense that even if no data is actually modified, the person should be competent enough anyway, i.e. not a "button pusher".

Anyway, the whole point I was trying to make still revolves not around the (undoubtable) validity of "principles"; I don't think anyone can seriously be against any of them in theory. The issues are only about how they are put (or often actually not put) into practice.

Which is not entirely unlike the majority of critiques of ISO 17025: there is nothing actually "wrong" in its provisions; the issue comes when/where the norm is applied to digital forensics, and with the actual ways it is put into practice by real-world labs/investigators on real-world cases.

jaclaz

 
Posted : 05/11/2019 2:55 pm