Beginner's Guide to Computer Forensics
Computer forensics is the practice of collecting, analysing and reporting on digital
information in a way that is legally admissible. It can be used in the detection and prevention
of crime and in any dispute where evidence is stored digitally. Computer forensics has comparable
examination stages to other forensic disciplines and faces similar issues.
About this guide
This guide discusses computer forensics from a neutral perspective. It is not linked
to particular legislation or intended to promote a particular company or product, and it is not
biased towards either law enforcement or commercial computer forensics. It is aimed at
a non-technical audience and provides a high-level view of computer forensics.
This guide uses the term "computer", but the concepts apply to any device capable of
storing digital information. Where methodologies have been mentioned they are provided as
examples only and do not constitute recommendations or advice.
Uses of computer forensics
There are few areas of crime or dispute where computer forensics cannot be applied. Law
enforcement agencies have been among the earliest and heaviest users of computer forensics
and consequently have often been at the forefront of developments in the field. Computers may
constitute a "scene of a crime", for example with hacking or denial of service attacks, or
they may hold evidence in the form of emails, internet history, documents or other files
relevant to crimes such as murder, kidnap, fraud and drug trafficking.
It is not just the content of emails, documents and other files which may be of interest
to investigators but also the "meta-data" associated with those files. A computer forensic
examination may reveal when a document first appeared on a computer, when it was last edited,
when it was last saved or printed and which user carried out these actions.
More recently, commercial organisations have used computer forensics to their benefit
in a variety of cases such as:
• Intellectual Property theft
• Industrial espionage
• Employment disputes
• Fraud investigations
• Matrimonial issues
• Bankruptcy investigations
• Inappropriate email and internet use in the workplace
• Regulatory compliance
For evidence to be admissible it must be reliable and not prejudicial, meaning that at
all stages of this process admissibility should be at the forefront of a computer forensic
examiner's mind. One set of guidelines which has been widely accepted to assist in this is
the Association of Chief Police Officers Good Practice Guide for Computer Based Electronic
Evidence, or ACPO Guide for short. Although the ACPO Guide is aimed at United Kingdom law enforcement,
its main principles are applicable to all computer forensics in whatever jurisdiction. The four
main principles from this guide have been reproduced below (with references to law enforcement
• No action should change data held on a computer or storage media which
may be subsequently relied upon in court.
• In circumstances where a person finds it necessary to access original data
held on a computer or storage media, that person must be competent to do so and be able to
give evidence explaining the relevance and the implications of their actions.
• An audit trail or other record of all processes applied to computer-based
electronic evidence should be created and preserved. An independent third-party should be able
to examine those processes and achieve the same result.
• The person in charge of the investigation has overall responsibility for
ensuring that the law and these principles are adhered to.
In summary, no changes should be made to the original; however, if access/changes are
necessary, the examiner must know what they are doing and record their actions.