What is a forensic image
a bit by bit exact copy of the original data drive (could be a hard disk drive or a USB drive or a mobile phone)
ACPO
- document drawn up for UK law enforcement
- aimed at being useful for all involved in helping to investigate ‘cyber’ incidents.
- It has subsequently been adopted by not only cyber professionals through the uk but also in some other countries too.
- 4 common sense principles to ensure all evidence collected is admissible in a court case.
- Not a set of UK laws but guiding principles to ensure digital evidence is collected and preserved ethically, legally and securely.
Principle 1
No action taken by law enforcement agencies, persons employed within those agencies or their agents should change data which may subsequently be relied upon in court
- Basically means that no one should change any date on a digital evidence
- Even powering on a device or powering off a device changes data on a device
Principle 2
In circumstances where a person finds it necessary to access original data, that person must be competent to do so and be able to give evidence explaining the relevance and the implications of their actions
- No one should do anything with a device in its original state that changes the original data but if they really need to then must know what they are doing and be able to explain to a judge what and why.
- E.g going ‘in the cloud’
Principle 3
An audit trail or other record of all processes applied to digital evidence should be created and preserved. An independent third party should be able to examine those processes and achieve the same result.
- Paperwork- document as part of your collection/preserve/analysis of evidence
- Someone should be able to follow your steps from the report
Principle 4
The person in charge of the investigation has overall responsibilit for ensuring that the law and these principles are adhered to
- The person in charge must ensure all the team are following the law and ACPO principles
Summary of principles
- Don’t change data
- If you have access original data- you have to be able to explain in detail exactly what effects your actions have had on the data
- Chain of evidence- who had it when why what did they do with it?
- The person in charge ensures the law and ACPI are followed to the letter
ACPO guidelines
Plan Capture Analyse Present Training and education
ACPO guidelines- legislation
Section 7.5 16-19
- Computer misuse act 19990
- The police and criminal evidence act 1984
- Criminal justice and police act 2001
- Sexual offences act 2003
- Coroners and justice act 2009
- Guidance on prohibited images of children
- Gives simple overview of some relevant legislation to a digital investigation
- Directs readers to full legislation
Computer misuse act 1990
- S1 unauthorised access to computer material (deals with hacking into a computer)
- S2 unauthorised access with intent to commit or facilitate commission of further offences (extends s1 and deals with suspect planning on doing other offences once they have gained unauthorised access)
- S3 unauthorised acts with intent to impair or with recklessness as to impairing operation of computer etc (Deals with unauthorised modification, preventing or obstructing access to data, or the operation or reliability of a computer program)
- S3ZA unauthorised acts causing or creating risk of serious damage (covers the use of malware and viruses)
- S3A making supplying or obtain articles for use in offence under section 1, 3 or 3ZA (covers the creation, supply and obtaining malware and similar items for use in an offence in other sections)
Copyright designs and patents act 1988
Copyright protects intellectual property
- Computer programs preparatory design material for computer programs and databases are literary works
- Almost any form of work in digital form is covered
- Duration =70 yrs after death some cases 50 years from specific event
- Copyright is automatic
designs- for a product or part of a product
- New original designs. Registered designs or unregistered designs- you can pay to have a design registered but any unregistered design automatically covered like with copyright.
Patents- new inventions including products and industrial processes
- You might design a new type of mobile phone that you can wear on your forearm, or a new process for making a mobile phone screen from glass that doesn’t break
- You have to apply for patent
- It is a lengthy process and your invention is investigated to make sure it is new
- You can renew a patent for up to 20 years
GDPR - general data protection regulation
- Tells anyone using data of EU people how to look after it
- European regulation that is a compulsory law
- Sets a goal for all EU countries to achieve but each country can choose their own law on how they will reach that goal
DPA 2018- data protection act 2018
- UK already had DPA 1998
- GDPR updates and improves DPA 19990= DPA 2018
- Tells us how we are to look after data
- GDPR us written into the UK legislation
- GDPR will affect the UK even if we do leave europe
