CISO2CISO.COM & CYBER SECURITY GROUP

GUIDELINES FOR DIGITAL FORENSICS FIRST RESPONDERS BY INTERPOL

Foreword
In pursuit of providing guidance and support to law enforcement agencies across the globe, the
INTERPOL Innovation Centre (IC) developed the INTERPOL Guidelines for Digital Forensics First
Responders: Best Practices for Search and Seizure of Electronic and Digital Evidence. I am pleased to
present these Guidelines which aim to establish best practices for handling and using digital evidence
during search and seizure preparatory and execution stages. Key technical considerations are also
identified on the effective preservation of data to ensure that it can support law enforcement in
criminal investigations and it can be admissible in court. This guide is intended to assist law
enforcement officers from different crime areas who may attend to a crime scene, being responsible
for collecting, securing, and transporting electronic and digital evidence. It will also be helpful for
supervisors of aforementioned officers in guiding and supporting them. Moreover, it can be useful for
prosecutors to get a better understanding of collection and handling of evidence.
As our society becomes increasingly integrated with digital technology encompassing every facet of
our daily lives and law enforcement work, it may be difficult to remember an occasion where you had
limited interaction with a digital device. For today’s law enforcement community, there is a
continuous trend towards investigations relying on some form of digital evidence. While we would
consider that digital evidence indeed shares similar aspects when compared to traditional forms of
evidence, there are also unique considerations to be taken into account.
The intangible nature of data obtained in electronic form, its volatility, and the ease with which it can be
altered, all pose challenges to the integrity of digital evidence. Thus, it is vital that first responders and
law enforcement practitioners are able to properly identify and handle digital evidence ensuring that
the latter stages of the digital forensic process can be performed on the basis of sound judgement.
I am grateful for the contribution of the IC team, particularly its Digital Forensics Laboratory (DFL) for
sharing their knowledge and subject matter expertise. I also extend my thanks to our colleagues from
the INTERPOL Capacity Building and Training Directorate (CBT) who have supported this initiative and
will utilize the Guidelines in the context of projects focused on enhancing digital forensic capabilities.
Finally, I would like to thank the Norwegian Ministry of Foreign Affairs for its generous support.
The Guidelines are a reflection of INTERPOL’s sustained efforts in fostering international police
cooperation and our commitment to assist our member countries in response to the complex global
security challenges in the digital domain.
Director Anita Hazenberg
INTERPOL Innovation Centre Directora

INTRODUCTION
This guide aims to offer support and advice to digital forensic practitioners in law enforcement
during search and seizure activities, covering the identification and handling of electronic evidence
through methods that guarantee its integrity.
An electronic device should not be seized without due preconditions. The investigation team,
together with the digital forensic experts who will assist in the collection and processing of
electronic evidence, will determine whether it is relevant to obtain and process those electronic
devices.
Electronic evidence, like all other traditional evidence, must be handled carefully so that it can be
incorporated as evidence in the judicial process. This affects both the physical integrity of the
devices and the information or data contained therein. Some electronic devices require specific
procedures for collecting, packing and transporting, either because they are susceptible to damage
by electromagnetic fields or because their contents may change during handling and preservation.
The possibility of obtaining traditional (non-electronic) evidence from the scene under investigation
should not be excluded, as it could be relevant both for the investigation and for the subsequent
treatment of electronic evidence. This is the case for any annotation related to the use of
passwords, settings, email accounts, etc. These pieces of evidence must be handled according to the
established procedures to preserve and assure their probative value.
