Welcome to Bucaro TecHelp!

Bucaro TecHelp
Maintain Your Computer and Use it More Effectively
to Design a Web Site and Make Money on the Web

About Bucaro TecHelp About BTH User Agreement User Agreement Privacy Policy Privacy Site Map Site Map Contact Bucaro TecHelp Contact RSS News Feeds News Feeds

Victims of Sandy Hook

Stop the Slaughter of Innocents. Congress is bought and paid for by gun lunatics and gun promotion groups. If you want to live in a safe America, help buy Congress back for America. Send a donation to Mayors Against Illegal Guns, 909 Third Avenue, 15th Floor New York, NY 10022

Beginner's Guide to Computer Forensics


Computer forensics is the practice of collecting, analysing and reporting on digital information in a way that is legally admissible. It can be used in the detection and prevention of crime and in any dispute where evidence is stored digitally. Computer forensics has comparable examination stages to other forensic disciplines and faces similar issues.

About this guide

This guide discusses computer forensics from a neutral perspective. It is not linked to particular legislation or intended to promote a particular company or product and is not written in bias of either law enforcement or commercial computer forensics. It is aimed at a non-technical audience and provides a high-level view of computer forensics.

This guide uses the term "computer", but the concepts apply to any device capable of storing digital information. Where methodologies have been mentioned they are provided as examples only and do not constitute recommendations or advice.

Uses of computer forensics

There are few areas of crime or dispute where computer forensics cannot be applied. Law enforcement agencies have been among the earliest and heaviest users of computer forensics and consequently have often been at the forefront of developments in the field. Computers may constitute a "scene of a crime", for example with hacking or denial of service attacks or they may hold evidence in the form of emails, internet history, documents or other files relevant to crimes such as murder, kidnap, fraud and drug trafficking.

It is not just the content of emails, documents and other files which may be of interest to investigators but also the "meta-data" associated with those files. A computer forensic examination may reveal when a document first appeared on a computer, when it was last edited, when it was last saved or printed and which user carried out these actions.

More recently, commercial organisations have used computer forensics to their benefit in a variety of cases such as;

Intellectual Property theft
Industrial espionage
Employment disputes
Fraud investigations
Matrimonial issues
Bankruptcy investigations
Inappropriate email and internet use in the work place
Regulatory compliance


For evidence to be admissible it must be reliable and not prejudicial, meaning that at all stages of this process admissibility should be at the forefront of a computer forensic examiner's mind. One set of guidelines which has been widely accepted to assist in this is the Association of Chief Police Officers Good Practice Guide for Computer Based Electronic Evidence or ACPO Guide for short. Although the ACPO Guide is aimed at United Kingdom law enforcement its main principles are applicable to all computer forensics in whatever legislature. The four main principles from this guide have been reproduced below.

No action should change data held on a computer or storage media which may be subsequently relied upon in court.

In circumstances where a person finds it necessary to access original data held on a computer or storage media, that person must be competent to do so and be able to give evidence explaining the relevance and the implications of their actions.

An audit trail or other record of all processes applied to computer-based electronic evidence should be created and preserved. An independent third-party should be able to examine those processes and achieve the same result.

The person in charge of the investigation has overall responsibility for ensuring that the law and these principles are adhered to.

In summary, no changes should be made to the original, however if access/changes are necessary the examiner must know what they are doing and to record their actions.

RSS Feed RSS Feed

Follow Stephen Bucaro Follow @Stephen Bucaro

Careers Sections

Fire HD
[Site User Agreement] [Advertise on This site] [Search This Site] [Contact Form]
Copyright©2001-2016 Bucaro TecHelp 13771 N Fountain Hills Blvd Suite 114-248 Fountain Hills, AZ 85268