Week-1 Lab: ACPO Principles of Digital Evidence
Learning outcome
By completing this lab, you should be able to:
- Understand the ACPO principles
- Recognise what may constitute digital evidence
- Understand that digital evidence can be fragile and easily affected
- Appreciate the importance of investigator judgement before technical analysis
- Develop foundational awareness of common digital forensics tools
- Prepare conceptually for later topics such as chain of custody and evidence acquisition
Part-1: ACPO
Step A - Read
Download and review the ACPO Good Practice Guide for Digital Evidence.
- The document is available online: Revised Good Practice Guide for Digital Evidence (NPCC, 2011, Version 5)
- Or you can download it from here too
Focus on the four main principles in Section 2.
Step B - Activity A: Match & Explain
Below are four short scenarios. For each, identify which ACPO principle applies and write 1-2 sentences explaining why.
| Scenario | ACPO Principle | Explanation |
|---|---|---|
| 1. An investigator clones a suspect’s hard drive before analysis. | ||
| 2. A junior analyst installs new software on the suspect’s laptop to recover data. | ||
| 3. Every action taken during analysis is recorded in a lab logbook. | ||
| 4. The evidence chain of custody is missing signatures from one handover. | | |
Step C - Discussion
- Why these principles are important for maintaining the admissibility of evidence in court.
- What risks arise if one principle is ignored.
Part-2: Thinking Like a Digital Forensic Investigator
Scenario: Office Workstation Incident
You are part of an internal investigation team within an organisation.
A staff member is suspected of accessing confidential client records without authorisation.
IT security reports unusual login activity outside normal working hours.
A desktop computer used by the staff member has been identified as relevant.
At this stage:
- No forensic tools have been used
- No technical examination has taken place
- You are asked to advise, not to perform actions
Your task is to think like a digital forensic investigator, focusing on evidence, risk, and integrity.
Activity 1 - What Counts as Digital Evidence?
Working in small groups (2-3 students), decide whether each item below could be considered digital evidence in this case.
Tick Yes, No, or Not sure.
| Item | Yes | No | Not sure |
|---|---|---|---|
| Login timestamps | |||
| Browser history | |||
| Printed emails found on the desk | |||
| System event logs | |||
| USB usage history | |||
| CCTV footage of the office | |||
| Staff verbal statements | | | |
No written explanations are required at this stage.
Activity 2 - Evidence Risk Assessment
Some types of digital evidence are more fragile than others.
As a group, choose three items only from the list below that you believe are most likely to change or be lost over time.
Rank them:
- 1 = highest risk
- 3 = lowest risk
Write keywords only.
- Login sessions
- Running processes
- Log files
- Browser artefacts
- USB connection records
- Emails
| Rank | Evidence Type |
|---|---|
| 1 | |
| 2 | |
| 3 | |
Activity 3 - Investigator Responsibility (Discussion)
You are asked by management:
“Can we quickly check the computer to see if the employee is guilty?”
Discuss as a group:
- Why is this request problematic from a forensic perspective?
- What risks could this create for the evidence?
- Who might later challenge the investigation and why?
This activity is discussion-based.
No written submission is required.
Activity 4 - Evidence Integrity Thought Exercise
Consider the statement:
“Digital evidence is easy to copy, but hard to trust.”
Provide one short example of:
- How digital evidence could be accidentally altered, or
- Why trust and integrity matter in an investigation
One sentence only.
Part-3: Chain of Custody (CoC)
Scenario
A desktop computer is identified as potential digital evidence during an internal investigation.
The evidence is:
- Collected from the office
- Moved to a secure room
- Later accessed by an investigator
Activity - Complete the Chain of Custody
Below is a partially completed Chain of Custody record.
Working in pairs, complete the missing fields using realistic information.
| Item | Collected By | Date & Time | Transferred To | Signature |
|---|---|---|---|---|
Use short, realistic entries only (no explanations required).
Task
After completing the table, discuss briefly:
- What information is essential to trust this evidence?
- What would happen if one row was missing?
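The integrity question in Activity 4 (evidence is easy to copy but hard to trust) and the "what if one row was missing?" question above can both be made concrete in code. The following is an added illustration, not part of the lab hand-out: it models a Chain of Custody record whose rows carry the hash of the evidence image, and checks for unsigned rows, handover gaps and an image that no longer matches the acquisition hash. The item names, handlers, timestamps and the byte string standing in for a disk image are all constructed for the example.

```python
import hashlib
from dataclasses import dataclass

def sha256_hex(data: bytes) -> str:
    """Hash of the evidence image; the value recorded at acquisition is the reference."""
    return hashlib.sha256(data).hexdigest()

@dataclass
class CustodyEntry:
    item: str            # evidence item, e.g. "Desktop PC, asset tag WS-0123 (constructed)"
    handler: str         # Collected By / custodian for this row
    timestamp: str       # Date & Time, ISO 8601
    transferred_to: str  # next custodian or storage location
    signature: str       # hand-over signature (empty string = unsigned)
    image_hash: str      # hash of the image recorded at this handover

def verify_chain(entries: list, current_image: bytes) -> list:
    """Return the problems found in the record; an empty list means the chain is intact."""
    problems = []
    if not entries:
        return ["no custody entries"]
    reference = entries[0].image_hash          # hash taken at acquisition
    for n, e in enumerate(entries, start=1):
        if not e.signature:
            problems.append(f"row {n}: missing signature")
        if e.image_hash != reference:
            problems.append(f"row {n}: recorded hash differs from acquisition hash")
        if n > 1 and entries[n - 2].transferred_to != e.handler:
            problems.append(f"row {n}: handover gap ({entries[n - 2].transferred_to} -> {e.handler})")
    if sha256_hex(current_image) != reference:
        problems.append("image in hand does not match the acquisition hash")
    return problems

# Constructed sample: a tiny stand-in for a disk image and three handovers.
IMAGE = b"constructed evidence image contents"
H = sha256_hex(IMAGE)
ITEM = "Desktop PC, asset tag WS-0123 (constructed)"
GOOD_CHAIN = [
    CustodyEntry(ITEM, "Investigator A", "2024-01-15T09:10", "Evidence store", "A. Smith", H),
    CustodyEntry(ITEM, "Evidence store", "2024-01-15T09:40", "Investigator C", "B. Jones", H),
    CustodyEntry(ITEM, "Investigator C", "2024-01-16T14:00", "Evidence store", "C. Lee", H),
]
# The same record with the middle row lost and the remaining handover unsigned.
BROKEN_CHAIN = [GOOD_CHAIN[0],
                CustodyEntry(ITEM, "Investigator C", "2024-01-16T14:00", "Evidence store", "", H)]
# The image after a single byte was written to it post-acquisition.
ALTERED_IMAGE = IMAGE + b"\x00"

if __name__ == "__main__":
    print(verify_chain(GOOD_CHAIN, IMAGE))
    print(verify_chain(BROKEN_CHAIN, IMAGE))
    print(verify_chain(GOOD_CHAIN, ALTERED_IMAGE))
```

A real record would also carry the examiner's notes and the acquisition tool's own hash log; the point here is only that a missing row or an unrecorded write is detectable when every handover re-states the hash.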
Part-4: Research the Tools
You are given the following list of tools. For each one, search online, then research and record:
- What the tool does (brief description)
- Why it is useful in digital forensics
- At what stage of a forensic investigation it can be used (e.g., collection, analysis, reporting)
| Tool | Description | Use in Digital Forensics | Investigation Stage |
|---|---|---|---|
| FTK Imager | |||
| RegRipper 3.0 | |||
| Event Log Explorer | |||
| Wireshark | |||
| Autopsy | |||
| DumpIt | |||
| Volatility 3 | |||
| RegEdit | |||
| MXToolbox | | | |
Best,
Ali