Central to the process of presenting computer based evidence is the need to capture the data in the correct manner in the first instance. Without this first step being completed to an accepted standard, any information subsequently discovered is likely to be valueless if presented as evidence. It has become an established and documented principle that in any instance where computer based evidence is produced, a copy should be made of the entire target device. Partial or selective file copying should not be readily considered as an alternative.

In addition, there are several documented central principles for the handling of computer media in an evidentially sound manner. Two of the most important are:

• No action taken by Police or their agents should change data held on a computer or other media which may subsequently be relied upon in Court. 
• An audit trail or other record of all processes applied to computer based evidence should be created and preserved. An independent third party should be able to repeat those processes and achieve the same result.

In some criminal cases, for example, the following legislation may have relevance during investigations involving computer based evidence. This list is by no means exhaustive, and the implications of this type of legislation should be considered when carrying out work involving computer based evidence:

• The Police and Criminal Evidence Act 1984 – Section 19, 20, 21, 22 and 78 
• Computer Misuse Act 1990 – Section 1, 2, 3, 10 and 17 
• Copyright Designs and Patents Act 1988 – Section 107,108 and 109 
• Telecommunications Act 1984 – Section 42, 42A, 43, 44 and 45 
• Post Office Act 1953 – Section 11 
• Data Protection Act 1984 
• Interception of Communications Act 1985 
• Health and Safety Act 1986