ISO/IEC 27037:2012 — Information technology — Security techniques — Guidelines for identification, collection, acquisition, and preservation of digital evidence
This standard provides guidance on identifying, gathering/collecting/acquiring, handling and protecting/preserving digital forensic evidence i.e. “digital data that may be of evidential value” for use in court.
The fundamental purpose of the ISO27k digital forensics standards is to promote good practice methods and processes for forensic capture and investigation of digital evidence. While individual investigators, organizations and jurisdictions may well retain certain methods, processes and controls, it is hoped that standardization will (eventually) lead to the adoption of similar if not identical approaches internationally, making it easier to compare, combine and contrast the results of such investigations even when performed by different people or organizations and potentially across different jurisdictions.
One of the most critical issues in forensic investigations is the acquisition and preservation of evidence in such a way as to ensure its integrity. As with conventional physical evidence, it is crucial for the first and subsequent responders (defined as “Digital Evidence First Responders” and “Digital Evidence Specialists”) to maintain the chain of custody of all digital forensic evidence, ensuring that it is gathered and protected through structured processes that are acceptable to the courts. More than simply providing integrity, the processes must provide assurance that nothing untoward can have occurred. This requires that a defined baseline level of information security controls is met or exceeded.
Digital forensic evidence can come from any electronic storage or communications media such as cellphones, computers, iPod's, video game consoles etc. By its nature, digital forensic evidence is fragile - it can be easily damaged or altered due to improper handling, whether by accident or on purpose.
Prior to the release of ISO/IEC 27037, there were no globally-accepted standards on acquiring digital evidence, the first step in the process. Police have developed their own national guidelines and procedures for the acquisition and protection of electronic evidence. However, this creates issues when cross-border crimes are committed since digital forensic evidence acquired in one country may need to be presented in the courts of another. Tainted evidence that may have been acquired or protected without the requisite level of security may be legally inadmissible.
Scope and purpose
The standard provides detailed guidance on the identification, collection and/or acquisition, marking, storage, transport and preservation of electronic evidence, particularly to maintain its integrity. It defines and describes the processes through which evidence is recognized and identified, documentation of the crime scene, collection and preservation of the evidence, and the packaging and transportation of evidence.
The scope covers ‘traditional’ IT systems and media rather than vehicle systems, cloud computing etc. The guidance is aimed primarily at first responders.
Every country has its own unique legislative system. A crime committed in one jurisdiction may not even be regarded as a crime in another. The challenge is to harmonize processes across borders such that cybercriminals can be prosecuted accordingly. Therefore, a means to allow and facilitate the exchange and use of reliable evidence (i.e. an international standard on acquiring digital evidence) is required.
“Digital evidence”, meaning information from digital devices to be presented in court, is interpreted differently in different jurisdictions. For the widest applicability, the standard will avoid using jurisdiction-specific terminology. It will not cover analysis of digital evidence, nor its admissibility, weight, relevance etc. It also will not mandate the use of particular tools or methods.
Structure and content
2 Normative reference
3 Terms and definitions
4 Abbreviated terms
6 Key components of identification, collection, acquisition and preservation of digital evidence
7 Instances of identification, collection, acquisition and preservation
Annex A Digital Evidence First Responder core skills and competency description
Annex B Minimum documentation requirements for evidence transfer
Status of the standard
The standard was published in October 2012.
This standard concerns the initial capturing of digital evidence.
ISO/IEC 27041 offers guidance on the assurance aspects of digital forensics e.g. ensuring that the appropriate methods and tools are used properly.
ISO/IEC 27042 covers what happens after digital evidence has been collected i.e. its analysis and interpretation.
ISO/IEC 27043 covers the broader incident investigation activities, within which forensics usually occur.
ISO/IEC 27050 (in 4 parts) concerns electronic discovery which is pretty much what the other standards cover.
British Standard BS 10008:2008 “Evidential weight and legal admissibility of electronic information. Specification.” may also be of interest.
I am puzzled why SC 27 is developing several distinct forensics standards, covering different aspects of forensics, when they are in reality complementary parts of the same process. A multi-part standard would make more sense to me, with an overview part explaining how the jigsaw pieces fit together.