Topic-specific policies
ISO/IEC 27042


Search this site
 

ISMS templates

< Previous standard      ^ Up a level ^      Next standard >

 

ISO/IEC 27042:2015 — Information technology — Security techniques — Guidelines for the analysis and interpretation of digital evidence

 

Abstract

“ISO/IEC 27042:2015 provides guidance on the analysis and  interpretation of digital evidence in a manner which addresses issues of continuity, validity, reproducibility, and repeatability. It  encapsulates best practice for selection, design, and implementation of  analytical processes and recording sufficient information to allow such  processes to be subjected to independent scrutiny when required. It  provides guidance on appropriate mechanisms for demonstrating  proficiency and competence of the investigative team. Analysis and interpretation of digital evidence can be a complex  process. In some circumstances, there can be several methods which could be applied and members of the investigative team will be required to  justify their selection of a particular process and show how it is  equivalent to another process used by other investigators. In other  circumstances, investigators may have to devise new methods for  examining digital evidence which has not previously been considered and  should be able to show that the method produced is “fit for purpose”. Application of a particular method can influence the interpretation  of digital evidence processed by that method. The available digital  evidence can influence the selection of methods for further analysis of  digital evidence which has already been acquired. ISO/IEC 27042:2015 provides a common framework, for the analytical  and interpretational elements of information systems security incident  handling, which can be used to assist in the implementation of new  methods and provide a minimum common standard for digital evidence  produced from such activities.”
[Source: ISO/IEC 27042:2015]
 

Introduction

The fundamental purpose of the ISO27k digital forensics standards is to promote good practice methods and processes for forensic capture and investigation of digital evidence. While individual investigators, organisations and jurisdictions may well retain certain methods, processes and controls, it is hoped that standardization will (eventually) lead to the adoption of similar if not identical approaches internationally, making it easier to compare, combine and contrast the results of such investigations even when performed by different people or organisations and potentially across different jurisdictions.

 

Scope and purpose

As the title suggests, this standard offers guidance on the process of analysing and interpreting digital evidence, which is of course just a part of the forensics process. It lays out a generic framework encapsulating good practices in this area.

Aside from the standard evidential controls (maintaining the chain of custody, scrupulous documentation etc.), the standard emphasizes the integrity of the analytical and interpretational processes such that different investigators working on the same digital evidence ought to come up with essentially the same results - or at least any differences should be traceable to choices they made along the way. Given the volume, variety and complexity of digital evidence these days, that’s quite a challenge, hence the drive for standardization, good practices, common terminology and sound, rational approaches.

The standard touches on issues such as the selection and use of forensic tools, plus proficiency and competency of the investigators.

 

Status of the standard

The standard was published in 2015.

Confirmed without change in 2021.

 

Related standards

ISO/IEC 27037 concerns the initial capturing of digital evidence.

ISO/IEC 27041 offers guidance on the assurance aspects of digital forensics e.g. ensuring that the appropriate methods and tools are used properly.

This standard covers what happens after digital evidence has been collected i.e. its analysis and interpretation.

ISO/IEC 27043 covers the broader incident investigation activities, within which forensics usually occur.

ISO/IEC 27050 (in 4 parts) concerns electronic discovery which is pretty much what the other standards cover.

British Standard BS 10008:2008 “Evidential weight and legal admissibility of electronic information. Specification.” may also be of interest.

 

Personal comments

I am puzzled why SC 27 has several distinct forensics standards, covering different aspects of forensics, when they are in reality complementary parts of the same process. I understand the decision not to integrate this content into 27037 but a multi-part standard would make more sense to me personally, with an overview part explaining how the jigsaw pieces fit together. Wouldn’t a multi-part standard be a workable compromise? The editors have rejected such a proposal, claiming that it was considered and rejected when the forensics standards development projects were launched. So, sorry valued customers, it seems you will have to buy and correlate multiple standards to accumulate the complete forensics suite in ISO27k.

 

< Previous standard      ^ Up a level ^      Next standard >

Copyright © 2022 IsecT Ltd.