ISO/IEC 27037

Copyright © 2010 IsecT Ltd.

ISO/IEC 27037 -- IT Security -- Security techniques -- Guidelines for identification, collection and/or acquisition and preservation of digital evidence (DRAFT)


At this stage, the title and scope of this standard remain a little uncertain. The project team is developing guidance for gathering and protecting digital forensic evidence, particularly for cross-border crimes where evidence acquired in one country might be presented in the courts of a second; in practice, jurisdictional issues make this a difficult target to achieve except in some circumstances. The standard could, however, also prove useful within a single jurisdiction.

Background

One of the most critical issues in forensic investigations is the acquisition and preservation of evidence in such a way as to ensure its integrity. As with conventional physical evidence, it is crucial for the first and subsequent responders to maintain the chain of custody of all digital forensic evidence, ensuring that it is gathered and protected through structured processes that are acceptable to the courts.  More than simply providing integrity, the processes must provide assurance that nothing untoward can have occurred.  This requires that a defined baseline level of information security controls is met or exceeded.

Digital forensic evidence can come from any electronic storage or communications media such as cellphones, computers, iPods, video game consoles etc. By its nature, digital forensic evidence is particularly fragile: it can be easily damaged or altered through improper handling, whether by accident or on purpose.
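The two paragraphs above describe the core requirement: a chain of custody that lets a court see that the evidence could not have been altered unnoticed. The following is an added illustration of that idea, not text or code from the draft standard or from this page; the log layout, the handler names and the sample image bytes are all constructed assumptions. It records a cryptographic hash at acquisition and re-checks it at every hand-over, so a copy altered in transit is detected rather than silently accepted.

```python
import hashlib
import hmac
from datetime import datetime, timezone

# Constructed sample "image": stands in for bytes read from a seized device.
SAMPLE_IMAGE = b"\x00" * 512 + b"disk image payload (constructed sample)" + b"\xff" * 512


def fingerprint(data: bytes) -> str:
    """SHA-256 of an acquired image, taken once at acquisition and never recomputed
    from a later copy as the reference value."""
    return hashlib.sha256(data).hexdigest()


def acquire(image: bytes, source: str, handler: str) -> list:
    """Open a chain-of-custody log with the acquisition event and its hash."""
    return [{
        "event": "acquired", "source": source, "handler": handler,
        "time": datetime.now(timezone.utc).isoformat(),
        "sha256": fingerprint(image),
    }]


def hand_over(log: list, to_handler: str, copy: bytes) -> dict:
    """Record a transfer: the receiving party re-hashes the copy they were given and
    the entry states whether it still matches the acquisition hash (hypothetical layout)."""
    expected = log[0]["sha256"]
    actual = fingerprint(copy)
    entry = {
        "event": "transfer",
        "from": log[-1].get("to", log[-1].get("handler")),
        "to": to_handler,
        "time": datetime.now(timezone.utc).isoformat(),
        "sha256": actual,
        # constant-time compare is habit for hash comparisons, even on public values
        "intact": hmac.compare_digest(expected, actual),
    }
    log.append(entry)
    return entry


def chain_intact(log: list) -> bool:
    """True only if every copy handled since acquisition still carried the original hash."""
    return all(entry["intact"] for entry in log[1:])


if __name__ == "__main__":
    log = acquire(SAMPLE_IMAGE, source="laptop HDD (constructed)", handler="first responder")
    hand_over(log, "forensic lab", SAMPLE_IMAGE)               # faithful copy
    hand_over(log, "prosecutor", SAMPLE_IMAGE[:-1] + b"\x00")  # one byte changed in transit
    print("chain intact:", chain_intact(log))                  # prints False
```

In practice the log itself would also need protection (signed entries or write-once storage), since a log that anyone can rewrite proves nothing to a court.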

Currently, there are no standards available on acquiring digital evidence, the first step in the process. Law enforcement agencies in individual nations have developed their own guidelines and procedures for the acquisition and protection of electronic evidence. However, this creates issues when cross-border crimes are committed, since digital forensic evidence acquired in one country may need to be presented in the courts of another. Evidence that has potentially been acquired or protected without the requisite level of security is likely to be tainted and may be inadmissible in court.

Scope

The standard will provide detailed guidance on the identification, collection and/or acquisition, marking, storage, transport and preservation of electronic evidence, particularly to maintain its integrity. It will define and describe the process of recognition and identification of the evidence, documentation of the crime scene, collection and preservation of the evidence, and the packaging and transportation of evidence.

The New Work Item proposal described the scope as follows:

    “This International Standard will provide guidance concerning identification, collection and/or acquisition, marking, storage, transport, and preservation of digital evidence.  This standard will cover acquisition of digital evidence from various types of sources including, but not limited to:

    • static data sources
    • data in transit (e.g. over networks)
    • volatile data sources (e.g. mobile phones)”

[Note: JTC1/SC7 has a parallel project on IT forensics - coordination is necessary to ensure that the resulting standards align.]

Purpose and justification

Every country has its own unique legislative system. A crime committed in one jurisdiction may not even be regarded as a crime in another. The challenge is to harmonize processes across borders such that cybercriminals can be prosecuted accordingly. Therefore, a means to allow and facilitate the exchange and use of reliable evidence (i.e. an international standard on acquiring digital evidence) is required.

“Digital evidence”, meaning information that can be presented in court, is interpreted differently in different jurisdictions.  For the widest applicability, the standard will avoid using jurisdiction-specific terminology.  It will not cover analysis of digital evidence, nor its admissibility, weight, relevance etc. It also will not mandate the use of particular tools or methods.

The New Work Item proposal made the following justification for developing the standard:

    “Cross-border investigation is critical in this time where international boundaries have little effect on flows of digital information. Money and information are routinely and often instantaneously electronically transferred across countries and continents.

    Recent international initiatives, such as the Convention on Cybercrime, demonstrate that the international community recognizes the importance of improved and shared digital evidence best practices.

    An important need that will be met by the proposed international standard is the facilitation of inter-jurisdictional exchange of evidence.

    This proposed international standard will provide benefits by reducing the requirement for expensive and time-consuming travel by investigative agency staff and witnesses. It will provide a basis for resolving disputes concerning digital evidence in legal proceedings.”

Benefits of the standard include:

  • Maintaining an assured minimum level of integrity of digital forensic evidence required for cross-border legal actions; and
  • Assisting law enforcement and private sector organizations that gather and/or preserve and communicate digital forensic evidence for criminal investigations, to achieve and protect the quality of evidence required.

ISO/IEC 27037 is currently at WD stage.

Comments received from other ISO/IEC committees working in this area suggest some rationalization or repositioning may be needed to avoid conflicts/overlaps with other developing standards, and to ensure full coverage.  For example, the present scope covers “reactive” evidence collection as part of an incident investigation, rather than “proactive” collection of evidence as a normal part of business operations.  SC27 may in time develop additional standards in this general area but for now has resolved to focus solely on the identification, collection and acquisition of digital evidence.


[Meanwhile, if you’re interested in this area, take a look at British Standard BS 10008:2008 Evidential weight and legal admissibility of electronic information. Specification.]