ISO/IEC 27050-1
ISO/IEC 27050-1:2019 — Information technology — Security techniques — Electronic discovery — Part 1: Overview and concepts
(second edition)
Abstract
“Electronic discovery is the process of discovering pertinent Electronically Stored Information (ESI) or data by one or more parties involved in an investigation or litigation, or similar proceeding. [ISO/IEC 27050-1] provides an overview of electronic discovery ...”
[Source: ISO/IEC 27050-1:2019]
Introduction
The fundamental purpose of the ISO27k digital forensics standards is to promote good practice methods and processes for forensic capture and investigation of digital evidence. While individual investigators, organisations and jurisdictions may well retain certain methods, processes and controls in compliance with local laws, regulations and established practices, it is hoped that standardization will (eventually) lead to the adoption of similar if not identical approaches internationally, making it easier to compare, combine and contrast the results of such investigations even when performed by different people or organisations and potentially across different jurisdictions.
Scope
Part 1 gives an overview of eDiscovery, defines the terms, concepts, processes etc. (e.g. Electronically Stored Information), and introduces this multi-part standard.
Structure
Main sections:
5: Overall structure and overview of the ISO/IEC 27050 series
6: Overview of electronic discovery
7: Electronically Stored Information (ESI)
8: Electronic discovery process
9: Additional considerations
Status
The first edition of part 1 was published in 2016.
The second edition was published in 2019.
Commentary
This multi-part standard concerns the discovery phase, specifically the discovery of Electronically Stored Information, a legal term of art meaning (in essence) forensic evidence in the form of digital data. Electronic discovery (eDiscovery) involves the following main steps:
Identification: ESI that is potentially relevant to a case is identified, along with its locations, custodians, sizes/volumes etc. This can be more complex than it may appear, for instance involving information assets belonging not just to the individual suspects but also their employers, friends and other organisations such as phone companies and the suppliers of services such as email and Internet access (ISPs), even social media. Operational/online data, backups and archives may all contain relevant data. Often, this phase is time-critical since potential evidence (especially ephemeral operational data) may be spoiled or destroyed before it has been captured and preserved;
Preservation: the identified, potentially relevant ESI is placed under a legal hold, starting the formalized forensic process designed to ensure, beyond doubt, that it is protected through the remaining steps against threats such as loss/theft, accidental damage, deliberate interference/manipulation and replacement/substitution, any of which might spoil, discredit and devalue the data, perhaps resulting in the ESI being ruled inadmissible or simply becoming unusable. The legal hold is essentially a formal obligation on the custodian not to interfere with or delete the ESI. Note: this may have implications for live systems since their continued operation may spoil the ESI;
Collection: the ESI is collected from the original custodian, typically by physically removing the original digital storage media (hard drives, memory sticks and cards, CDs, DVDs, whatever) and perhaps associated physical evidence (such as devices, media storage cases, envelopes etc. that might have fingerprints or DNA evidence linking a suspect to the crime) into safe custody. In the case of Internet, cloud or other dispersed and ephemeral data including RAM on a running system, it may be impracticable or impossible to secure the data by capturing physical media, hence the data rather than the media may need to be captured directly in a forensically sound manner. Note: the original evidence may later be produced in court hence all subsequent forensic analysis must be performed in such a way that there is no credible possibility that it might have been spoiled e.g. by analysing bit-copies made with suitable forensic tools and methods rather than the original evidence itself. Note also that physically removing systems and media into the custody of a third party could itself be classed as an information security incident with clear implications on the confidentiality, integrity and availability of the information, particularly since, at this stage, the case is not proven: in other words, liabilities may be accumulating;
Processing: forensic bit-copies are stored in a form that allows them to be searched or analysed for information that is relevant to the case, using suitable forensic tools and platforms. Sifting out the few vital bits of data from a much larger volume typically collected is the crux of this step;
Review: forensic bit-copies are searched or analysed for information that is relevant to the case;
Analysis: the information is further analysed and assessed as to its relevance, suitability, weight, meaning, implications etc. Useful information is gleaned from the selected data;
Production: relevant information from the analysis, plus the original storage media etc., is formally presented to the court as evidence. This inevitably involves demonstrating and explaining the meaning of the evidence in terms that make sense to the court. Hopefully, something along the lines of “I state, under oath, that we complied fully with ISO/IEC 27050” will, in future, side-step a raft of challenges concerning the eDiscovery processes!
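The Preservation, Collection and Processing steps above rest on one technical idea: the original media is hashed, imaged bit-for-bit, hashed again, and every later step works on a verified copy of that image rather than on the original, with a chain-of-custody record that lets anyone re-check the copy has not been spoiled. The following Python script is an added illustration of that idea and is not part of ISO/IEC 27050 or of this page; the "seized media" is a constructed deterministic byte pattern in a temporary directory, the custodian and examiner names are placeholders, and SHA-256 stands in for whatever hash algorithm a given tool or jurisdiction prescribes.

```python
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # read 1 MiB at a time so large images do not need to fit in memory


def sha256_of_file(path):
    """Hex SHA-256 of a file, streamed in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def acquire_image(source_path, image_path, custodian, examiner):
    """Bit-for-bit copy of the source into an image file.

    The source is hashed before and after imaging and the image is hashed
    once written; all three digests go into the chain-of-custody record so
    that any later change to the image (or to the source during imaging)
    is detectable. In real acquisitions the source sits behind a hardware
    write-blocker or a read-only mount; this demo only copies a file.
    """
    source_hash_before = sha256_of_file(source_path)
    with open(source_path, "rb") as src, open(image_path, "wb") as dst:
        shutil.copyfileobj(src, dst, CHUNK)
    image_hash = sha256_of_file(image_path)
    source_hash_after = sha256_of_file(source_path)
    return {
        "source": os.path.basename(source_path),
        "image": os.path.basename(image_path),
        "size_bytes": os.path.getsize(source_path),
        "sha256_source_before": source_hash_before,
        "sha256_image": image_hash,
        "sha256_source_after": source_hash_after,
        "custodian": custodian,
        "examiner": examiner,
        "acquired_at": datetime.now(timezone.utc).isoformat(),
        # True only if the source was unchanged during imaging and the image matches it
        "verified": source_hash_before == image_hash == source_hash_after,
    }


def verify_image(path, record):
    """Re-hash an image or working copy against the acquisition record."""
    return sha256_of_file(path) == record["sha256_image"]


def write_custody_record(record, path):
    with open(path, "w", encoding="utf-8") as f:
        json.dump(record, f, indent=2)


def run_demo():
    workdir = tempfile.mkdtemp(prefix="iso27050_demo_")
    source = os.path.join(workdir, "seized_media.bin")
    # Constructed sample "media": a deterministic 1 MiB pattern standing in for a seized drive.
    with open(source, "wb") as f:
        f.write(bytes(range(256)) * 4096)

    image = os.path.join(workdir, "seized_media.img")
    record = acquire_image(source, image,
                           custodian="J. Doe, IT manager (placeholder)",
                           examiner="examiner-01 (placeholder)")
    write_custody_record(record, os.path.join(workdir, "custody.json"))

    # Processing/Review work on a working copy of the image, never on the original
    # media; the copy is verified against the record before any analysis starts.
    working = os.path.join(workdir, "working_copy.img")
    shutil.copyfile(image, working)
    recheck_ok = verify_image(working, record)

    # Simulate a spoiled working copy (one byte flipped) and confirm the record catches it.
    with open(working, "r+b") as f:
        f.seek(12345)
        original = f.read(1)
        f.seek(12345)
        f.write(bytes([original[0] ^ 0xFF]))
    tamper_detected = not verify_image(working, record)

    shutil.rmtree(workdir)
    return {
        "verified": record["verified"],
        "recheck_ok": recheck_ok,
        "tamper_detected": tamper_detected,
        "size_bytes": record["size_bytes"],
        "image_sha256": record["sha256_image"],
    }


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

The three digests in the record are the point: a single hash of the image proves nothing about whether the original changed while it was being read, whereas source-before, image and source-after agreeing shows the acquisition was sound at the time it was made. Each subsequent working copy is re-verified against `sha256_image` before use, which is what lets an examiner later state that the analysed data is the data that was seized.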
