ISO/IEC 27037

ISO/IEC 27037 — IT Security — Security techniques — Guidelines for identification, collection, acquisition, and preservation of digital evidence (DIS)

 

At this stage, the title and scope of this standard remain uncertain but the project team is developing guidance for identifying, gathering/collecting/acquiring, handling and protecting/preserving digital forensic evidence, that being “digital data that may be of evidential value”.  [The terms may be evolving, but the meaning is pretty obvious.]

Background

One of the most critical issues in forensic investigations is the acquisition and preservation of evidence in such a way as to ensure its integrity.  As with conventional physical evidence, it is crucial for the first and subsequent responders (defined as “Digital Evidence First Responders” and “Digital Evidence Specialists”) to maintain the chain of custody of all digital forensic evidence, ensuring that it is gathered and protected through structured processes that are acceptable to the courts.  More than simply providing integrity, the processes must provide assurance that nothing untoward can have occurred.  This requires that a defined baseline level of information security controls is met or exceeded.
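The integrity and chain-of-custody requirements described above are usually met in practice by hashing a working copy at the moment of acquisition and by keeping a custody record that cannot be silently edited later. The following Python example is added here to illustrate that pattern; it is not part of ISO/IEC 27037 and not code from IsecT. The evidence identifier, handler names, timestamps and the disk contents are constructed sample values, and the record layout (a JSON entry per custody event, each committing to the hash of the previous entry) is an assumption for illustration, not a layout the standard prescribes.

```python
"""Added example: evidence-copy verification and a tamper-evident custody log.
Not part of ISO/IEC 27037; field names and sample values are constructed."""
from __future__ import annotations

import hashlib
import json

GENESIS = "0" * 64  # constructed sentinel standing in for "no previous entry"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def acquire(source: bytes) -> tuple[bytes, str]:
    """Simulate a bit-for-bit acquisition from read-only source media.
    Returns the working copy and the hash taken at acquisition time."""
    image = bytes(source)  # copy the bytes; the original is never written to
    return image, sha256_hex(image)


def verify(image: bytes, acquisition_hash: str) -> bool:
    """Re-hash the working copy and compare with the value recorded at acquisition."""
    return sha256_hex(image) == acquisition_hash


class CustodyLog:
    """Append-only custody record: each entry commits to the previous entry's hash,
    so altering or deleting an earlier entry breaks every hash that follows."""

    def __init__(self, evidence_id: str, acquisition_hash: str, handler: str, when: str):
        self.entries: list[dict] = []
        self.append(event="acquired", evidence_id=evidence_id,
                    evidence_sha256=acquisition_hash, handler=handler, when=when)

    def append(self, **fields: str) -> dict:
        prev = self.entries[-1]["entry_hash"] if self.entries else GENESIS
        entry = dict(fields, prev_hash=prev)
        entry["entry_hash"] = sha256_hex(json.dumps(entry, sort_keys=True).encode())
        self.entries.append(entry)
        return entry

    def is_consistent(self) -> bool:
        """Recompute the chain from the first entry; False on any edit or gap."""
        prev = GENESIS
        for entry in self.entries:
            body = {k: v for k, v in entry.items() if k != "entry_hash"}
            if body.get("prev_hash") != prev:
                return False
            if sha256_hex(json.dumps(body, sort_keys=True).encode()) != entry["entry_hash"]:
                return False
            prev = entry["entry_hash"]
        return True


def demo() -> dict:
    """Walk through acquisition, hand-over, and detection of two kinds of tampering."""
    # Constructed stand-in for the contents of seized media.
    source = b"constructed sample media contents: boot sector, file table, user files"
    image, acquisition_hash = acquire(source)

    # First responder acquires; specialist later takes custody (constructed names/times).
    log = CustodyLog("EX-0001", acquisition_hash,
                     handler="Digital Evidence First Responder (constructed)",
                     when="2012-01-01T09:00:00Z")
    log.append(event="transferred", evidence_id="EX-0001",
               handler="Digital Evidence Specialist (constructed)",
               when="2012-01-02T10:00:00Z")

    image_verified = verify(image, acquisition_hash)
    log_consistent = log.is_consistent()

    # A single flipped bit in the working copy is caught by re-verification.
    altered = bytearray(image)
    altered[0] ^= 0x01
    alteration_detected = not verify(bytes(altered), acquisition_hash)

    # Rewriting who handled the evidence breaks the hash chain.
    log.entries[0]["handler"] = "someone else"
    log_tampering_detected = not log.is_consistent()

    return {
        "image_verified": image_verified,
        "log_consistent": log_consistent,
        "alteration_detected": alteration_detected,
        "log_tampering_detected": log_tampering_detected,
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The acquisition hash is what gets written onto the evidence label and into the first custody entry; every later handler re-runs `verify` on receipt and appends their own entry. Note that the chain only makes tampering detectable, not impossible: the log itself still needs to be stored where handlers cannot rewrite the whole chain, for example by lodging each new entry hash with a second party.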

Digital forensic evidence can come from any electronic storage or communications media such as cellphones, computers, iPods, video game consoles etc.  By its nature, digital forensic evidence is fragile: it can be easily damaged or altered through improper handling, whether by accident or on purpose.

Currently, there are no globally-accepted standards on acquiring digital evidence, the first step in the process.  Police have developed their own national guidelines and procedures for the acquisition and protection of electronic evidence.  However, this creates issues when cross-border crimes are committed since digital forensic evidence acquired in one country may need to be presented in the courts of another.  Tainted evidence that may have been acquired or protected without the requisite level of security may be legally inadmissible.

Scope

The standard will provide detailed guidance on the identification, collection and/or acquisition, marking, storage, transport and preservation of electronic evidence, particularly to maintain its integrity.  It will define and describe the process of recognition and identification of the evidence, documentation of the crime scene, collection and preservation of the evidence, and the packaging and transportation of evidence.

The scope has been refined slightly to cover ‘traditional’ IT systems and media rather than vehicle systems, cloud computing etc., at this time anyway.  New technologies inevitably present new challenges and the field is continually evolving, but the project team wants to complete and release the initial guidance as soon as practicable, which means concentrating on current, stable technologies.  The guidance is aimed primarily at first responders.

Purpose and justification

Every country has its own unique legislative system.  A crime committed in one jurisdiction may not even be regarded as a crime in another.  The challenge is to harmonize processes across borders such that cybercriminals can be prosecuted accordingly.  Therefore, a means to allow and facilitate the exchange and use of reliable evidence (i.e. an international standard on acquiring digital evidence) is required.

“Digital evidence”, meaning information from digital devices to be presented in court, is interpreted differently in different jurisdictions.  For the widest applicability, the standard will avoid using jurisdiction-specific terminology.  It will not cover analysis of digital evidence, nor its admissibility, weight, relevance etc.  It also will not mandate the use of particular tools or methods.

The New Work Item proposal made the following justification for developing the standard:

    “Cross-border investigation is critical in this time where international boundaries have little effect on flows of digital information.  Money and information are routinely and often instantaneously electronically transferred across countries and continents.   Recent international initiatives, such as the Convention on Cybercrime, demonstrate that the international community recognizes the importance of improved and shared digital evidence best practices.  An important need that will be met by the proposed international standard is the facilitation of inter-jurisdictional exchange of evidence.  This proposed international standard will provide benefits by reducing the requirement for expensive and time-consuming travel by investigative agency staff and witnesses.  It will provide a basis for resolving disputes concerning digital evidence in legal proceedings.”

Claimed benefits of the standard include:

  • Maintaining an assured minimum level of integrity of digital forensic evidence required for cross-border legal actions; and
  • Assisting law enforcement and private sector organizations that gather and/or preserve and communicate digital forensic evidence for criminal investigations, to achieve and protect the quality of evidence required.

Latest available status info

The project is coming along nicely.  The standard is expected to be published during 2012.

[Meanwhile, if you’re interested in this area, take a look at British Standard BS 10008:2008 Evidential weight and legal admissibility of electronic information.  Specification.]

Copyright © 2012 IsecT Ltd.