DIN EN ISO IEC 27037-2016 Information technology - Security techniques - Guidelines for identification collection acquisition and preservation of digital evidence (ISO IEC 27037 20.pdf

1、December 2016 English price group 20No part of this translation may be reproduced without prior permission ofDIN Deutsches Institut fr Normung e. V., Berlin. Beuth Verlag GmbH, 10772 Berlin, Germany,has the exclusive right of sale for German Standards (DIN-Normen).ICS 35.030!%X“2599153www.din.deDIN

2、EN ISO/IEC 27037Information technology Security techniques Guidelines for identification, collection, acquisition and preservation of digital evidence (ISO/IEC 27037:2012);English version EN ISO/IEC 27037:2016,English translation of DIN EN ISO/IEC 27037:2016-12Informationstechnik ITSicherheitsverfah

3、ren Leitfaden fr die Identifikation, Mitnahme, Sicherung und Erhaltung digitaler Beweismittel (ISO/IEC 27037:2012);Englische Fassung EN ISO/IEC 27037:2016,Englische bersetzung von DIN EN ISO/IEC 27037:2016-12Technologies de linformation Techniques de scurit Lignes directrices pour lidentification, l

4、a collecte, lacquisition et la prservation de preuves numriques (ISO/IEC 27037:2012);Version anglaise EN ISO/IEC 27037:2016,Traduction anglaise de DIN EN ISO/IEC 27037:2016-12www.beuth.deDocument comprises 47 pagesDTranslation by DIN-Sprachendienst.In case of doubt, the German-language original shal

5、l be considered authoritative.01.17 DIN EN ISO/IEC 27037:2016-12 2 A comma is used as the decimal marker. National foreword This document (EN ISO/IEC 27037:2016) has been prepared by Joint Technical Committee ISO/IEC JTC 1 “Information technology”, Subcommittee SC 27 “IT Security techniques” (Secret

6、ariat: DIN, Germany). Based on a decision of CEN/BT, ISO/IEC 27037:2012 has been submitted to the Unique Acceptance Procedure (UAP) and taken over as EN ISO/IEC 27037:2016 without any modification. The responsible German body involved in its preparation was DIN-Normenausschuss Informationstechnik un

7、d Anwendungen (DIN Standards Committee Information Technology and selected IT Applications), Working Committee NA 043-01-27-04 AK IT-Sicherheitsmanahmen und Dienste. The DIN Standard corresponding to the International Standard referred to in this document is as follows: ISO/IEC 27000 E DIN ISO/IEC 2

8、7000*)National Annex NA (informative) Bibliography E DIN ISO/IEC 27000, Information technology Security techniques Information security management systems Overview and vocabulary *)Under preparation. EUROPEAN STANDARD NORME EUROPENNE EUROPISCHE NORM EN ISO/IEC 27037 August 2016 ICS 35.040 English Ve

9、rsion Information technology - Security techniques - Guidelines for identification, collection, acquisition and preservation of digital evidence (ISO/IEC 27037:2012) Technologies de linformation - Techniques de scurit - Lignes directrices pour lidentification, la collecte, lacquisition et la prserva

10、tion de preuves numriques (ISO/IEC 27037:2012) Informationstechnik - IT-Sicherheitsverfahren - Leitfaden fr die Identifikation, Mitnahme, Sicherung und Erhaltung digitaler Beweismittel(ISO/IEC27037:2012) This European Standard was approved by CEN on 19 June 2016. CEN and CENELEC members are bound to

11、 comply with the CEN/CENELEC Internal Regulations which stipulate the conditions for giving this European Standard the status of a national standard without any alteration. Up-to-date lists and bibliographical references concerning such national standards may be obtained on application to the CEN-CE

12、NELEC Management Centre or to any CEN and CENELEC member. This European Standard exists in three official versions (English, French, German). A version in any other language made by translation under the responsibility of a CEN and CENELEC member into its own language and notified to the CEN-CENELEC

13、 Management Centre has the same status as the official versions. CEN and CENELEC members are the national standards bodies of Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, Former Yugoslav Republic of Macedonia, France, Germany, Greece, Hungary, Iceland, Irel

14、and, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, Switzerland, Turkey and United Kingdom. EUROPEAN COMMITTEE FOR STANDARDIZATION COMIT EUROPEN DE NORMALISATION EUROPISCHES KOMITEE FR NORMUNG CEN-CENELEC Management Cen

15、tre: Avenue Marnix 17, B-1000 Brussels 2016 CEN and CENELEC All rights of exploitation in any form and by any means reserved worldwide for CEN and CENELEC national Members. Ref. No. EN ISO/IEC 27037:2016 E Contents Page European foreword . 4 Introduction . 6 1 Scope . 8 2 Normative reference 8 3 Ter

16、ms and definitions . 9 4 Abbreviated terms . 11 5 Overview 13 5.1 Context for collecting digital evidence . 13 5.2 Principles of digital evidence 13 5.3 Requirements for digital evidence handling 13 5.3.1 General. 13 5.3.2 Auditability 14 5.3.3 Repeatability . 14 5.3.4 Reproducibility . 14 5.3.5 Jus

17、tifiability 14 5.4 Digital evidence handling processes 15 5.4.1 Overview 15 5.4.2 Identification . 15 5.4.3 Collection 16 5.4.4 Acquisition 16 5.4.5 Preservation 17 6 Key components of identification, collection, acquisition and preservation of digital evidence 17 6.1 Chain of custody 17 6.2 Precaut

18、ions at the site of incident . 18 6.2.1 General. 18 6.2.2 Personnel 18 6.2.3 Potential digital evidence 19 6.3 Roles and responsibilities . 19 6.4 Competency 20 6.5 Use reasonable care . 20 6.6 Documentation . 21 6.7 Briefing 21 6.7.1 General. 21 6.7.2 Digital evidence specific 21 6.7.3 Personnel sp

19、ecific . 22 6.7.4 Real-time incidents . 22 6.7.5 Other briefing information . 22 6.8 Prioritizing collection and acquisition 23 6.9 Preservation of potential digital evidence 24 6.9.1 Overview 24 6.9.2 Preserving potential digital evidence 24 6.9.3 Packaging digital devices and potential digital evi

20、dence . 24 6.9.4 Transporting potential digital evidence 25 DIN EN ISO/IEC 27037:2016-12 EN ISO/IEC 27037:2016 (E)2Foreword . 5 7.1.3 Acquisition 32 7.1.4 Preservation 36 7.2 Networked devices 36 7.2.1 Identification .36 7.2.2 Collection, acquisition and preservation 38 7.3 CCTV collection, acquisit

21、ion and preservation .40 Annex A (informative) DEFR core skills and competency description .42 Annex B (informative) Minimum documentation requirements for evidence transfer .44 Bibliography 45 DIN EN ISO/IEC 27037:2016-12 EN ISO/IEC 27037:2016 (E) 37 Instances of identification, collection, acquisi

22、tion and preservation 26 7.1 Computers, peripheral devices and digital storage media . 26 7.1.1 Identification . 26 7.1.2 Collection 28 European foreword The text of ISO/IEC 27037:2012 has been prepared by Technical Committee ISO/IEC JTC 1 “Information technology” of the International Organization f

23、or Standardization (ISO) and the International Electrotechnical Commission (IEC) and has been taken over as EN ISO/IEC 27037:2016. This European Standard shall be given the status of a national standard, either by publication of an identical text or by endorsement, at the latest by February 2017, an

24、d conflicting national standards shall be withdrawn at the latest by February 2017. Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. CEN and/or CENELEC shall not be held responsible for identifying any or all such patent rights. Ac

25、cording to the CEN-CENELEC Internal Regulations, the national standards organizations of the following countries are bound to implement this European Standard: Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, Former Yugoslav Republic of Macedonia, France, Germa

26、ny, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, Switzerland, Turkey and the United Kingdom. Endorsement notice The text of ISO/IEC 27037:2012 has been approved by CEN as EN ISO/IEC

27、27037:2016 without any modification. DIN EN ISO/IEC 27037:2016-12 EN ISO/IEC 27037:2016 (E)4 Foreword ISO (the International Organization for Standardization) and IEC (the International Electrotechnical Commission) form the specialized system for worldwide standardization. National bodies that are m

28、embers of ISO or IEC participate in the development of International Standards through technical committees established by the respective organization to deal with particular fields of technical activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international

29、organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the work. In the field of information technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1. International Standards are drafted in accordance with the rules given in the IS

30、O/IEC Directives, Part 2. The main task of the joint technical committee is to prepare International Standards. Draft International Standards adopted by the joint technical committee are circulated to national bodies for voting. Publication as an International Standard requires approval by at least

31、75 % of the national bodies casting a vote. Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. ISO and IEC shall not be held responsible for identifying any or all such patent rights. ISO/IEC 27037 was prepared by Joint Technical Com

32、mittee ISO/IEC JTC 1, Information technology, Subcommittee SC 27, IT Security techniques. DIN EN ISO/IEC 27037:2016-12 EN ISO/IEC 27037:2016 (E) 5 Introduction This International Standard provides guidelines for specific activities in handling potential digital evidence; these processes are: identif

33、ication, collection, acquisition and preservation of potential digital evidence. These processes are required in an investigation that is designed to maintain the integrity of the digital evidence an acceptable methodology in obtaining digital evidence that will contribute to its admissibility in le

34、gal and disciplinary actions as well as other required instances. This International Standard also provides general guidelines for the collection of non-digital evidence that may be helpful in the analysis stage of the potential digital evidence. This International Standard intends to provide guidan

35、ce to those individuals responsible for the identification, collection, acquisition and preservation of potential digital evidence. These individuals include Digital Evidence First Responders (DEFRs), Digital Evidence Specialists (DESs), incident response specialists and forensic laboratory managers

36、. This International Standard ensures that responsible individuals manage potential digital evidence in practical ways that are acceptable worldwide, with the objective to facilitate investigation involving digital devices and digital evidence in a systematic and impartial manner while preserving it

37、s integrity and authenticity. This International Standard also intends to inform decision-makers who need to determine the reliability of digital evidence presented to them. It is applicable to organizations needing to protect, analyze and present potential digital evidence. It is relevant to policy

38、-making bodies that create and evaluate procedures relating to digital evidence, often as part of a larger body of evidence. The potential digital evidence referred to in this International Standard may be sourced from different types of digital devices, networks, databases, etc. It refers to data t

39、hat is already in a digital format. This International Standard does not attempt to cover the conversion of analog data into digital format. Due to the fragility of digital evidence, it is necessary to carry out an acceptable methodology to ensure the integrity and authenticity of the potential digi

40、tal evidence. This International Standard does not mandate the use of particular tools or methods. Key components that provide credibility in the investigation are the methodology applied during the process, and individuals qualified in performing the tasks specified in the methodology. This Interna

41、tional Standard does not address the methodology for legal proceedings, disciplinary procedures and other related actions in handling potential digital evidence that are outside the scope of identification, collection, acquisition and preservation. Application of this International Standard requires

42、 compliance with national laws, rules and regulations. It should not replace specific legal requirements of any jurisdiction. Instead, it may serve as a practical guideline for any DEFR or DES in investigations involving potential digital evidence. It does not extend to the analysis of digital evide

43、nce and it does not replace jurisdiction-specific requirements that pertain to matters such as admissibility, evidential weighting, relevance and other judicially controlled limitations on the use of potential digital evidence in courts of law. This International Standard may assist in the facilitat

44、ion of potential digital evidence exchange between jurisdictions. In order to maintain the integrity of the digital evidence, users of this International Standard are required to adapt and amend the procedures described in this International Standard in accordance with the specific jurisdictions leg

45、al requirements for evidence. Although this International Standard does not include forensic readiness, adequate forensic readiness can largely support the identification, collection, acquisition, and preservation process of digital evidence. Forensic readiness is the achievement of an appropriate l

46、evel of capability by an organization in order for it to be able to identify, collect, acquire, preserve, protect and analyze digital evidence. Whereas the processes and activities described in this International Standard are essentially reactive measures used to investigate an incident after it occ

47、urred, forensic readiness is a proactive process of attempting to plan for such events. DIN EN ISO/IEC 27037:2016-12 EN ISO/IEC 27037:2016 (E)6 This International Standard complements ISO/IEC 27001 and ISO/IEC 27002, and in particular the control requirements concerning potential digital evidence ac

48、quisition by providing additional implementation guidance. In addition, this International Standard will have applications in contexts independent of ISO/IEC 27001 and ISO/IEC 27002. This International Standard should be read in conjunction with other standards related to digital evidence and the investigation of information security incidents. DIN EN ISO/IEC 27037:2016-12 EN ISO/IEC 27037:2016 (E) 7 1 Scope This International Standard provides guidel