This guide talks about computer forensics from a neutral mindset. It’s not linked to particular legislation or intended to promote an individual company or product, and it’s not biased on the way to either law enforcement or commercial digital forensics investigation.

Rather, them aims to give the nontechnical reader a high-level view with computer forensics. We use the term ‘computer’, but the styles apply to any device capable of storing digital information. Wheresoever we mention particular methods, they are intended only like examples, not recommendations or advice.

When and how is computer forensics utilised?

There are few areas of crime or dispute where laptop forensics cannot be applied. Law enforcement agencies were among the initially and heaviest users of computer forensics – due to this fact they’ve often been at the forefront of developments during the field.

Computers can be considered a ‘scene of a crime’ : for example with hacking or denial of service disorders. They may hold evidence of crimes that happened elsewhere, by using emails, internet history, documents or other files strongly related to crimes such as murder, kidnap, fraud or drug trafficking.

A forensic computer exam can reveal more than envisioned

Investigators are not only interested in the content of emails, documents and various files, but also in the metadata associated with those files. Reports of a user’s actions may also be stored in log files and other computer software on a computer, such as internet browsers.

So a computer forensic examination might reveal when a document first appeared using a computer, when it was last edited, when it was past saved or printed and which user carried out most of these actions.

Commercial organisations have used computer forensics to help all kinds of cases, including:

Intellectual Property theft

Employment controversies

Invoice fraud, often enabled by phishing emails


Inappropriate email and internet use in the workplace

Regulatory compliance

Instructions for successful computer forensics

If evidence found in a computer forensic investigation is to be admissible, it must be reliable plus ‘not prejudicial’. This means the examiner needs to keep soundness at the front of his mind at every stage of an shop.

The U. K. ‘s Association of Chief Law Officers’ Good Practice Guide for Digital Evidence – or simply ACPO Guide – is a widely used and respected set of instructions for investigators. ACPO has now become the National Police Chief’s Council. The guide has not been updated for several years but its material remains relevant; the technologies change but the principals keep constant.

  • The four main principles from the APCO Tutorial
  • Please note references to law enforcement have been removed.

No measures should change data held on a computer or storeroom media which may be subsequently relied upon in court.

In occasions where a person finds it necessary to access original data performed on a computer or storage media, that person must be skilled to do so and be able to give evidence explaining the relevance as well as implications of their actions.

An audit trail or many other record of all processes applied to computer-based electronic evidence need to be created and preserved. An independent third-party should be able to examine those people processes and achieve the same result.

The person in charge of the exact investigation has overall responsibility for ensuring that the law along with these principles are adhered to.