ISO/IEC 27042:2015 — Information technology — Security techniques — Guidelines for the analysis and interpretation of digital evidence
The fundamental purpose of the ISO27k digital forensics standards is to promote good practice methods and processes for forensic capture and investigation of digital evidence. While individual investigators, organizations and jurisdictions may well retain certain methods, processes and controls, it is hoped that standardization will (eventually) lead to the adoption of similar if not identical approaches internationally, making it easier to compare, combine and contrast the results of such investigations even when performed by different people or organizations and potentially across different jurisdictions.
Scope and purpose
As the title suggests, this standard offers guidance on the process of analysing and interpreting digital evidence, which is of course just a part of the forensics process. It lays out a generic framework encapsulating good practices in this area.
Aside from the standard evidential controls (maintaining the chain of custody, scrupulous documentation etc.), the standard emphasizes the integrity of the analytical and interpretational processes: different investigators working on the same digital evidence, using the same methods, ought to come up with essentially the same results (the standard's notions of repeatability and reproducibility), or at least any differences should be traceable to documented choices they made along the way. Given the volume, variety and complexity of digital evidence these days, that's quite a challenge, hence the drive for standardization, good practices, common terminology and sound, rational approaches.
The standard also touches on issues such as the selection and use of forensic tools, and the proficiency and competence of the investigators.
Status of the standard
The standard was published in 2015.
ISO/IEC 27037 concerns the front end of the process: the identification, collection, acquisition and preservation of digital evidence.
ISO/IEC 27041 offers guidance on the assurance aspects of digital forensics, e.g. demonstrating that the investigative methods and tools used were suitable and adequate and were applied properly.
This standard covers what happens after digital evidence has been collected, i.e. its analysis and interpretation.
ISO/IEC 27043 covers the principles and processes of the broader incident investigation, within which forensics usually takes place.
ISO/IEC 27050 (in 4 parts) concerns electronic discovery, i.e. the identification, preservation, collection, processing, review and production of electronically stored information for legal proceedings, which overlaps substantially with what the other standards cover.
British Standard BS 10008:2008 “Evidential weight and legal admissibility of electronic information. Specification.” may also be of interest.
I am puzzled why SC 27 is developing several distinct forensics standards, covering different aspects of forensics, when they are in reality complementary parts of the same process. I understand the decision not to integrate this content into 27037 but a multi-part standard would make more sense to me personally, with an overview part explaining how the jigsaw pieces fit together. Wouldn’t a multi-part standard be a workable compromise? The editors have rejected such a proposal, claiming that it was considered and rejected when the forensics standards development projects were launched. So, sorry customers, it seems you will have to buy and correlate multiple standards to accumulate the complete forensics suite in ISO27k.