Cyber cops get forensics code

Police have been issued new guidelines for gathering computer crime and electronic forensic evidence that deals with handling PDAs and mobile phones and the use of outside expert witnesses in investigations.

The revised Good Practice Guide for Computer-based Electronic Evidence has been compiled by the National Hi-Tech Crime Unit and the Association of Chief Police Officers with the aim of assisting the seizure of equipment and data and preventing its corruption.

The guide said: "Computer-based electronic evidence is, by its very nature, fragile. It can be altered, damaged or destroyed by improper handling or improper examination. Operating systems and other programs frequently alter and add to the contents of electronic storage."

A section of the booklet refers to the use of external expert investigators and witnesses in sensitive cases such as those involving images of paedophilia.

Just last month the Soham family police liaison officer Detective Constable Brian Stevens was cleared of 11 charges of possession and distribution of indecent photographs of children after the prosecution admitted a computer expert had made mistakes in assessing the evidence on Stevens' computer.

The guide acknowledges the difficulty police have in selecting external consulting witnesses but says "wherever practicable" all sensitive investigations should be conducted by law enforcement personnel.

General advice at crime scenes is for police to isolate and switch off machines that may contain electronic evidence but new guidance includes the handling of PDAs, organisers and mobile phones.

"With an organiser/PDA there is no hard disk and the concern has to be to change the evidence in the main memory as little as possible," it said. "[For mobile phones] the general advice is to switch the handset off due to the potential for loss of data if the battery fails or new network traffic overwrites call logs or recoverable deleted areas (eg SMS); there is also the potential for sabotage."

Commenting on the new guidelines, Mark Morris, head of forensics intelligence and security at LogicaCMG and former Scotland Yard Computer Crime Squad officer, said it is very easy for officers to unwittingly corrupt data and weaken any case where there is a prosecution.

"The evidence is volatile. It disappears very quickly. It is very easily destroyed and very quickly destroyed. Seize it, quarantine it and take a forensically sound image. Turn the computer off and leave it. [Any accessing of data] can alter the time and date stamp and that is the first hole any defence expert will go for," he said.

The guidelines are available here.