Tuesday, July 10, 2007

New ACPO guidelines

The ACPO released their new guidelines recently. I really have to hand it to the ACPO for reviewing their own guidelines on a regular basis and keeping up with new techniques and technology.

Of particular interest in the document is the Network Forensics and Volatile data section.

"By profiling the forensic footprint of
trusted volatile data forensic tools, an investigator will be
in a position to understand the impact of using such tools
and will therefore consider this during the investigation
and when presenting evidence."


It's about time that this statement was made in an official manner. While I'm in the process of actually defining a methodology to run these tests, it's really nice to see this.

It was also important for the ACPO to include the note about the Trojan Defense.

"Considering a potential Trojan defence, investigators
should consider collecting volatile evidence. Very often,
this volatile data can be used to help an investigator
support or refute the presence of an active backdoor."


Great inclusion!

The ACPO seems to hint at the requirement to add network forensics procedures due to trojan defense claims and the apparently large amount of claims that "the trojan did it".

Any of you fine folks across the pond have a metric for the number of claims?
It would also seem as if Network Forensics will be a major focal point in the upcoming months for many investigators.

I have to commend the ACPO for releasing these guidelines, it's a great resource.

1 comments:

Anonymous said...

Interestingly, the document is not yet available from ACPO directly.

The URL has changed slightly:
http://www.7safe.com/electronic_evidence/ACPO_guidelines_computer_evidence.pdf