Why Digital Forensics Still Clings to ACPO Guidelines from 2012?

The Coalition of Cyber Investigators discuss the relevance of digital forensic guidelines that were last updated in 2012

Paul Wright & Neal Ysart

9/10/2025, 9 min read

The question haunts digital forensics training rooms across the UK like a ghost that refuses to leave - why are we still relying on guidance that's older than some of the smartphones we're trying to crack? The guidance in question is the Association of Chief Police Officers' Good Practice Guide for Digital Evidence (the "ACPO guidelines"), whose four simple principles shaped an entire generation of digital investigators. The guide has not been updated since its last issue in March 2012. That's practically the Stone Age in tech years.

ACPO disappeared in 2015, replaced by the National Police Chiefs' Council (NPCC), yet here we are in 2025, still referring to those familiar principles like a security blanket. It's a bit like using a Nokia X21 manual to fix an iPhone 16 - perhaps some basics may apply, but you're missing about 90% of what you really need to know.

THE STUBBORN APPEAL OF SIMPLE RULES

But here's the thing (and this might sound contradictory) - there's a reason ACPO guidelines refuse to die. It is generally accepted that the conceptual basis remains "more than relevant." Those four core principles aren't just guidelines; they've become ritualistic mantras, repeated so often that they are embedded in the mindset of experienced digital investigators.

  1. No data alteration: No action should be taken that changes the data on a computer or storage media that could be used as evidence in formal proceedings. The integrity of the original data must be preserved.

  2. Competence and explanation: Any person who accesses original data must be competent to do so and be able to explain their actions and their implications for the digital evidence in formal proceedings.

  3. Audit trail: A detailed record, or audit trail, of all processes applied to digital evidence must be created and preserved. This trail should allow an independent third party to examine the processes and reproduce the same results.

  4. Accountability: The person in charge of the investigation is ultimately responsible for ensuring that the law and these principles are followed.

Simple. Memorable. Almost annoyingly catchy - like that song you can't get out of your head, except this one might save a reputation or even your career during formal proceedings.

The appeal of the ACPO guidelines lies in their simplicity. When you're a nervous beginner handling your first seized device, sweating over the risk of contaminating evidence, these principles cut through the clutter. They are memorable enough to be recalled under pressure by even the most inexperienced individual; the irony is that, as cases grow more complex, experienced investigators and analysts are the ones who sometimes overlook the power of that simplicity.
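The first and third principles are the two a tool can actually enforce: never touch the original, and leave a record that a third party can reproduce. The Python below is an added example, not code from the article or from the ACPO guide. It hashes an acquired image in streaming fashion (so a multi-terabyte image never has to fit in RAM), appends each action on the exhibit to a JSON Lines audit log, and re-verifies the item later so that any alteration, including the "quick look" that quietly writes to the exhibit, surfaces as a hash mismatch. The log format, the exhibit name EXHIBIT-001.raw, the operator name and the tool string are assumptions for illustration, and the "image" is a constructed file, not a real acquisition.

```python
"""Integrity record and re-verification for an acquired evidence image.

Illustrates ACPO principles 1 (no alteration of original data) and 3
(an audit trail a third party can reproduce). Added example, not part of
the original article; log format, names and the sample file are assumptions.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1024 * 1024  # hash 1 MiB at a time so large images are streamed, not loaded


def hash_file(path, algorithms=("sha256", "md5")):
    """Return {algorithm: hexdigest} for the file, reading it exactly once."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def record_action(log_path, operator, action, tool, evidence_path, hashes):
    """Append one audit-trail entry (JSON Lines) for an action on the exhibit."""
    entry = {
        "time_utc": datetime.now(timezone.utc).isoformat(),
        "operator": operator,
        "action": action,
        "tool": tool,
        "evidence": os.path.basename(evidence_path),
        "size_bytes": os.path.getsize(evidence_path),
        "hashes": hashes,
    }
    with open(log_path, "a", encoding="utf-8") as log:
        log.write(json.dumps(entry) + "\n")
    return entry


def verify_against_log(log_path, evidence_path):
    """Re-hash the exhibit and compare with the most recent logged hashes.

    Returns (ok, details). ok is False when any algorithm disagrees, which is
    exactly the point a defence expert would raise under principle 1.
    """
    with open(log_path, encoding="utf-8") as log:
        entries = [json.loads(line) for line in log if line.strip()]
    name = os.path.basename(evidence_path)
    prior = [e for e in entries if e["evidence"] == name]
    if not prior:
        return False, {"reason": "no prior record for this item"}
    expected = prior[-1]["hashes"]
    actual = hash_file(evidence_path, tuple(expected))
    mismatches = {a: (expected[a], actual[a]) for a in expected if expected[a] != actual[a]}
    return not mismatches, {"expected": expected, "actual": actual, "mismatches": mismatches}


def demo():
    """Constructed scenario: acquire an exhibit, verify it, then show that a
    'quick look' which writes to the item is caught on re-verification."""
    with tempfile.TemporaryDirectory() as work:
        image = os.path.join(work, "EXHIBIT-001.raw")  # constructed sample, not a real image
        log = os.path.join(work, "audit.jsonl")
        with open(image, "wb") as f:
            f.write(b"\x00" * 4096 + b"sample evidence bytes")

        # "example-imager 1.0" is a hypothetical tool name for the log entry.
        record_action(log, "analyst-1", "acquire", "example-imager 1.0", image, hash_file(image))
        ok_before, _ = verify_against_log(log, image)

        # Someone opens the exhibit read-write and touches a single byte.
        with open(image, "r+b") as f:
            f.seek(0)
            f.write(b"\x01")
        ok_after, details = verify_against_log(log, image)
        return ok_before, ok_after, sorted(details["mismatches"])


if __name__ == "__main__":
    print(demo())
```

In practice the same record_action call would wrap every acquisition, export and analysis step, and the acquisition hashes would come from the imaging tool's own report and be cross-checked here rather than trusted from a single source; two algorithms are recorded because older case files and some tools still report only MD5.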

THE TECHNOLOGY TIME WARP

Here's where things get really messy, though.

Transistor counts have roughly doubled every two years, as Moore's Law predicts, and storage, network and device capabilities have grown with them. Meanwhile, the guidance remains stuck in 2012, treating Random Access Memory (RAM) "like it's a floppy disk" while the smartphones we seize outpace the forensic tools used to examine them.

Reflecting on what has changed since 2012

Cloud storage was not widespread. Internet of Things (IoT) devices seemed like science fiction to most. Cryptocurrency was considered a niche experiment. Full disk encryption was rare. Now? We are overwhelmed with data volumes that would have been unthinkable then, managing devices that destroy evidence faster than we can say "write-blocker."

The sheer volume is astonishing - it wasn't that long ago that a 1TB drive seemed huge. Now, we're dealing with multi-terabyte cloud accounts, petabyte-scale corporate tenancies, and devices with security features that make Fort Knox look like a garden gate. Yet our fundamental guidance predates most of these challenges entirely.

THE INTERNATIONAL PERSPECTIVE: WE'RE NOT ALONE

It's not just a problem in the United Kingdom (UK). The global forensics community faces similar issues, though some are adapting more quickly. The Scientific Working Group on Digital Evidence (SWGDE) has been consistently publishing excellent best practices with regular updates - their mobile acquisition guidelines were refreshed this year, specifically addressing modern challenges rather than ignoring them.

Interpol's Guidelines for Digital Forensics First Responders (March 2021) set out comprehensive guidance for handling digital evidence that recognises modern realities: encrypted communications, cloud storage, and cross-border data flows. The framework keeps the fundamental principles but adapts them to today's technological reality.

Europol's guidance (2024) continually adapts to the evolving threat landscape, recognising that digital evidence increasingly spans multiple jurisdictions, involves advanced encryption, and includes AI-generated content. These international standards offer roadmaps that ACPO's static framework cannot effectively match.

The National Institute of Standards and Technology (NIST) guidelines provide another perspective, emphasising risk-based approaches to handling evidence. Their frameworks recognise that "one size fits all" approaches struggle with the diversity of modern digital environments - from IoT networks to blockchain transactions to Artificial Intelligence (AI)-generated media. One caveat is worth stating: NIST's core forensic process guide, SP 800-86, dates from 2006, so its advantage over ACPO lies in the breadth of the surrounding risk-management guidance rather than in the currency of the forensic document itself.

THE REAL-WORLD CONSEQUENCES

Here's where theory clashes with harsh reality - and it's not pretty. Digital triage, that supposedly efficient practice of preliminary analysis, is often handed to untrained staff who are asked to use tools they don't fully understand. While new frameworks deliver structure, they lack "the same day-to-day principles ACPO provided."

This creates a dangerous gap that could lead to inconsistent practices, compromised evidence, and unclear accountability when cases go to formal proceedings. There is a "real risk" that shortcuts start to undermine the very evidence we're trying to preserve.

Unfortunately, at The Coalition of Cyber Investigators, we have seen this happen many times. One recent example was during a training session, when a junior analyst confidently explained how they'd "quickly checked" a suspect's phone using commercial software and bypassed proper imaging procedures because "it was just a quick look." The shocked looks on the faces of some of the more experienced attendees said it all.

That's ACPO's legacy right there - not the guidance itself, but the risks that surface when convenience is prioritised over principles.

COURTS STILL ACCEPT ACPO... FOR NOW

Although they are old, the ACPO guidelines still carry weight in court. Evidence handled under them continues to be accepted, largely because the principles set the essential standards for chain of custody and evidence integrity, and because judges know them: they have been tested, challenged and confirmed in numerous cases over the years. Strictly speaking, the guidelines were never law, only good practice, and in England and Wales the quality framework has moved on around them: the Forensic Science Regulator's Code of Practice, statutory since October 2023, and ISO/IEC 17025 accreditation now govern digital forensic work, and both assume the same integrity and audit-trail discipline that ACPO described.

This creates an intriguing paradox: while newer, more comprehensive guidelines exist, ACPO's legal precedent makes practitioners hesitant to discard it altogether. Why take the risk of a defence solicitor challenging your approach when ACPO offers established legal protection?

However - and this is crucial - legal acceptance does not equal technical adequacy. Courts and formal proceedings might accept ACPO-compliant evidence, but that does not mean ACPO effectively addresses modern forensic challenges.

THE STEPPING STONE EFFECT

Perhaps ACPO's persistence reflects its role as an educational bridge rather than a final goal. Several practitioners mentioned learning ACPO first and then progressing to other frameworks. They found ACPO's straightforward principles easy to absorb, and that foundation made the more complex standards easier to take on.

This progression makes sense as ACPO guidelines offer foundational concepts while specialised standards address specific contexts. Just like learning basic cooking principles before attempting molecular gastronomy, the ACPO guidelines establish core competencies that can be built upon when embracing more advanced frameworks.

But here's the catch: if ACPO guidelines are merely a stepping stone, shouldn't we clearly label them as such? Confusing situations occur when introductory guidance is mistaken for comprehensive instruction, leading to the Nokia X21/iPhone 16 dilemma mentioned earlier.

WHAT ACTUALLY NEEDS UPDATING?

The core ACPO principles themselves aren't flawed, as evidence integrity, documentation, explainability, and legal compliance remain essential requirements. What is flawed is the context, the examples, and the practical guidance for applying these principles in 2025.

Modern digital forensics needs updated guidance addressing:

  • Cloud Evidence Handling: ACPO guidelines predate widespread cloud adoption. How do you "not alter original evidence" when it's distributed across multiple servers in different jurisdictions? You cannot take a bit-for-bit image of a provider's infrastructure; the practical answer is to preserve a provider export or API response, hash it at the moment of receipt, and log the request, the account, the time and the tool, so that what you hold can at least be shown to be what you received. Current guidance says none of this, and feels woefully inadequate when dealing with Google Workspace accounts or Microsoft 365 environments.

  • Encrypted Device Procedures: Full disk encryption is now standard, not exceptional. A physical image of an encrypted volume is still a faithful copy of the original, but it is useless without the key, so the decision to capture a live system (with keys still in RAM) rather than pull the plug has to be made and documented on the spot. ACPO's traditional imaging-first approach gives no help with that decision. We need clear protocols for handling encrypted evidence that maintain the chain of custody while acknowledging technical limitations.

  • IoT and Smart Home Evidence: Ring doorbells, Alexa devices, and smart thermostats were niche or non-existent when the ACPO guidelines were written (the Ring doorbell and the Amazon Echo launched in 2013 and 2014 respectively). Yet today, they're increasingly central to investigations. How do you apply ACPO principles to devices that constantly communicate with cloud services and hold most of their data off the device?

  • AI and Machine Learning: Deepfakes, AI-generated content, and algorithmic evidence interpretation create entirely new categories of digital evidence. ACPO's framework simply doesn't address these challenges.

  • Cross-Border Digital Evidence: Modern investigations routinely involve evidence spanning multiple countries with different legal frameworks. ACPO's UK-centric approach needs greater international compatibility.

THE PATH FORWARD: EVOLUTION, NOT REVOLUTION

The solution isn't discarding ACPO - it's building on its key principles and evolving the procedures to take account of today's and tomorrow's challenges. The four ACPO principles offer strong foundations, but we need modern frameworks that tackle current realities while upholding legal strength.

Several practitioners suggested that ACPO should be updated so that the principles and their modern application are captured in a single, straightforward official document that can be cited in 2025. This makes sense - preserve the conceptual strength while updating the practical application.

We already have frameworks that provide more comprehensive and current procedures, processes, and best practices. What is needed is a practical, memorable link between ACPO's simplicity and the complexity of these new standards - something that maintains ACPO's educational effectiveness while tackling modern challenges.

International cooperation provides an alternative way forward. Interpol and Europol guidelines illustrate how fundamental principles can adjust to modern circumstances. NIST frameworks demonstrate how risk-based methods can support various technological environments while preserving evidential integrity.

CONCLUSION: TIME FOR THOUGHTFUL EVOLUTION

So, do ACPO guidelines require updating? Absolutely. The technology landscape has changed dramatically since 2012, and our guidance should reflect these realities. Moore's Law doesn't pause for policy updates.

But - and this is important - the newer guidelines rest on the same core principles. Whether it's NIST, Interpol, Europol, or domestic frameworks, they all emphasise evidence integrity, documentation, explainability, and legal compliance. ACPO got the basics right, and those basics are likely to continue to stand the test of time.

Courts continue accepting ACPO-compliant evidence because these principles remain sound. The problem isn't the principles themselves - it's applying 2012 practical guidance to 2025 technological realities.

The forensics community requires updated guidance that maintains ACPO's clarity and legal strength while addressing modern challenges: cloud evidence, encryption, IoT devices, AI-generated content, and cross-border investigations. We seek evolution, not revolution.

Until that occurs, ACPO will continue - not because it's perfect, but because it's familiar, legally tested, and much better than nothing. However, "better than nothing" shouldn't be our standard in a field where evidence integrity can determine someone's guilt or innocence.

It's time for new ACPO-style guidance that honours the past while embracing the future, maintaining those memorable principles while recognising that modern digital forensics operates in a world ACPO's authors couldn't have imagined. The question isn't whether we should abandon ACPO - it's whether we're brave enough to build something better while preserving what made it valuable in the first place.

Ultimately, whether we follow guidelines from 2012 or 2025, the aim stays the same: to preserve the integrity of digital evidence from seizure to courtroom. That principle goes beyond any specific guidance document - it's what differentiates professional forensics from mere data recovery.

Technology will continue to evolve, Moore's Law will continue progressing, and our guidance must adapt accordingly. ACPO served us well, but it's time to recognise that what worked in 2012 doesn't necessarily work as well today.

Authored by: The Coalition of Cyber Investigators

Paul Wright (United Kingdom) & Neal Ysart (Philippines)

©2025 The Coalition of Cyber Investigators. All rights reserved.

The Coalition of Cyber Investigators is a collaboration between

Paul Wright (United Kingdom) - Experienced Cybercrime, Intelligence (OSINT & HUMINT) and Digital Forensics Investigator;

Neal Ysart (Philippines) - Elite Investigator & Strategic Risk Advisor, Ex-Big 4 Forensic Leader; and

Lajos Antal (Hungary) - Highly Experienced Cyber Forensics, Investigations and Cybercrime Expert.

The Coalition unites leading experts to deliver cutting edge research, OSINT, Investigations & Cybercrime Advisory Services worldwide.

Our two co-founders, Paul Wright and Neal Ysart, offer over 80 years of combined professional experience. Their careers span law enforcement, cyber investigations, open source intelligence, risk management, and strategic advisory roles across multiple continents.

They have been instrumental in setting formative legal precedents and stated cases in cybercrime investigations, as well as contributing to the development of globally accepted guidance and standards for handling digital evidence.

Their leadership and expertise form the foundation of the Coalition’s commitment to excellence and ethical practice.

Alongside them, Lajos Antal, a founding member of our Boiler Room Investment Fraud Practice, brings deep expertise in cybercrime investigations, digital forensics and cyber response, further strengthening our team’s capabilities and reach.

If you've been affected by an investment fraud scheme and need assistance, The Coalition of Cyber Investigators specialise in investigating boiler room investment fraud. With decades of hands-on experience in investigations and OSINT, we are uniquely positioned to help.

We offer investigations, preparation of investigative reports for law enforcement, regulators and insurers, and pre-investment validation services to help you avoid scams in the first place.
