DIN EN ISO IEC 27042-2016 Information technology - Security techniques - Guidelines for the analysis and interpretation of digital evidence (ISO IEC 27042 2015) German version EN I.pdf

1、December 2016 English price group 14No part of this translation may be reproduced without prior permission ofDIN Deutsches Institut fr Normung e. V., Berlin. Beuth Verlag GmbH, 10772 Berlin, Germany,has the exclusive right of sale for German Standards (DIN-Normen).ICS 35.030!%“2599156www.din.deDIN E

2、N ISO/IEC 27042Information technology Security techniques Guidelines for the analysis and interpretation of digital evidence (ISO/IEC 27042:2015);English version EN ISO/IEC 27042:2016,English translation of DIN EN ISO/IEC 27042:2016-12Informationstechnik ITSicherheitsverfahren Leitfaden fr die Analy

3、se und Interpretation digitaler Beweismittel (ISO/IEC 27042:2015);Englische Fassung EN ISO/IEC 27042:2016,Englische bersetzung von DIN EN ISO/IEC 27042:2016-12Technologies de linformation Techniques de scurit Lignes directrices pour lanalyse et linterprtation de preuves numriques (ISO/IEC 27042:2015

4、);Version anglaise EN ISO/IEC 27042:2016,Traduction anglaise de DIN EN ISO/IEC 27042:2016-12www.beuth.deDocument comprises 26 pagesDTranslation by DIN-Sprachendienst.In case of doubt, the German-language original shall be considered authoritative.02.17 DIN EN ISO/IEC 27042:2016-12 2 A comma is used

5、as the decimal marker. National foreword This document (EN ISO/IEC 27042:2016) has been prepared by Technical Committee ISO/IEC JTC 1, Subcommittee SC 27 “IT Security techniques (Secretariat: DIN, Germany). Based on a decision of CEN/BT, ISO/IEC 27042:2015 has been submitted to the Unique Acceptance

6、 Procedure (UAP) and taken over as EN ISO/IEC 27042:2016 without any modification. The responsible German body involved in its preparation was DIN-Normenausschuss Informationstechnik und Anwendungen (DIN Standards Committee Information Technology and selected IT Applications), Working Committee NA 0

7、43-27-04 AK IT-Sicherheitsmanahmen und Dienste. For some relevant terms, there are only vague German translations. To avoid misunderstanding, in case of such terms, the respective English term is given in brackets. In addition, the following English terms need to be explained more precisely: Electro

8、nic Discovery, e-discovery The term “electronic discovery (there are different ways of spelling) in its original meaning refers to the electronic information interchange in legal proceedings and is an important component of Anglo-American legal systems. Meanwhile, however, there are a multitude of d

9、ifferent interpretations and variations of this term and respective translations (e. g. “elektronische Beweissicherung “electronic preservation of evidence, “elektronische Recherche “electronic research etc.). Thus, it has been decided to retain the term “E-Discovery in the German translation of thi

10、s standard. Investigation This term has generally been translated as “Untersuchung in German. The German term “Ermittlung is misleading in most cases as in the context of prosecution, it comprises a number of further measures. The translation “Ermittlung is only applied here if superordinate investi

11、gation measures are actually meant. Proficiency This English term (a German translation would be “Leistungsfhigkeit or “Knnen) is explained in the definition under 3.16 and 11.1 as the “ability of an investigative team to produce results equivalent to those of a different investigative team given th

12、e same sources of potential digital evidence. This definition is deemed insufficient to adequately explain the German term “Leistungsfhigkeit. The DIN Standards corresponding to the International Standards referred to in this document are as follows: ISO/IEC 27037:2012 DIN EN ISO/IEC 27037 ISO/IEC 2

13、7041:2015 DIN EN ISO/IEC 27041 DIN EN ISO/IEC 27042:2016-12 3 National Annex NA (informative) Bibliography DIN EN ISO/IEC 27037, Information technology Security techniques Guidelines for identification, collection, acquisition and preservation of digital evidence DIN EN ISO/IEC 27041, Information te

14、chnology Security techniques Guidance on assuring suitability and adequacy of incident investigative method DIN EN ISO/IEC 27042:2016-12 4 This page is intentionally blank EUROPEAN STANDARD NORME EUROPENNE EUROPISCHE NORM EN ISO/IEC 27042 August 2016 ICS 35.040 English Version Information technology

15、 - Security techniques - Guidelines for the analysis and interpretation of digital evidence (ISO/IEC 27042:2015) Technologies de linformation - Techniques de scurit Lignes directrices pour lanalyse et linterprtation de preuves numriques (ISO/IEC 27042:2015) Informationstechnik - IT-Sicherheitsverfah

16、ren - Leitfaden fr die Analyse und Interpretation digitaler Beweismittel (ISO/IEC 27042:2015) This European Standard was approved by CEN on 19 June 2016. CEN and CENELEC members are bound to comply with the CEN/CENELEC Internal Regulations which stipulate the conditions for giving this European Stan

17、dard the status of a national standard without any alteration. Up-to-date lists and bibliographical references concerning such national standards may be obtained on application to the CEN-CENELEC Management Centre or to any CEN and CENELEC member. This European Standard exists in three official vers

18、ions (English, French, German). A version in any other language made by translation under the responsibility of a CEN and CENELEC member into its own language and notified to the CEN-CENELEC Management Centre has the same status as the official versions. CEN and CENELEC members are the national stan

19、dards bodies of Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, Former Yugoslav Republic of Macedonia, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Romania, Slovakia, Sl

20、ovenia, Spain, Sweden, Switzerland, Turkey and United Kingdom. EUROPEAN COMMITTEE FOR STANDARDIZATION COMIT EUROPEN DE NORMALISATION EUROPISCHES KOMITEE FR NORMUNG CEN-CENELEC Management Centre: Avenue Marnix 17, B-1000 Brussels 2016 CEN and CENELEC All rights of exploitation in any form and by any

21、means reserved worldwide for CEN and CENELEC national Members. Ref. No. EN ISO/IEC 27042:2016 E -Foreword .4Introduction .51 Scope . 92 Normative references 93 Terms and definitions . 94 Symbols and abbreviated terms 125 Investigation 125.1 Overview .125.2 Continuity .135.3 Repeatability and reprodu

22、cibility135.4 Structured approach .135.5 Uncertainty 146 Analysis .156.1 Overview .156.2 General principles .156.3 Use of tools 166.4 Record keeping 167 Analytical models .167.1 Static analysis 167.2 Live analysis .167.2.1 Overview 167.2.2 Live analysis of non-imageable and non-copyable systems 177.

23、2.3 Live analysis of imageable or copyable systems 178 Interpretation .178.1 General 178.2 Accreditation of fact .178.3 Factors affecting interpretation 189 Reporting .189.1 Preparation . 189.2 Suggested report content 1810 Competence.1910.1 Overview . 1910.2 Demonstration of competence . 1910.3 Rec

24、ording competence 1911 Proficiency .2011.1 Overview . 2011.2 Mechanisms for demonstration of proficiency 20Annex A (informative) Examples of Competence and Proficiency Specifications 21Bibliography .22Contents PageEuropean foreword .3EN ISO/IEC 27042:2016 (E) DIN EN ISO/IEC 27042:2016-12 2 European

25、foreword The text of ISO/IEC 27042:2015 has been prepared by Technical Committee ISO/IEC JTC 1 “Information technology” of the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) and has been taken over as EN ISO/IEC 27042:2016. This European

26、Standard shall be given the status of a national standard, either by publication of an identical text or by endorsement, at the latest by February 2017, and conflicting national standards shall be withdrawn at the latest by February 2017. Attention is drawn to the possibility that some of the elemen

27、ts of this document may be the subject of patent rights. CEN and/or CENELEC shall not be held responsible for identifying any or all such patent rights. According to the CEN-CENELEC Internal Regulations, the national standards organizations of the following countries are bound to implement this Euro

28、pean Standard: Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, Former Yugoslav Republic of Macedonia, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Romania, Slovakia, Slo

29、venia, Spain, Sweden, Switzerland, Turkey and the United Kingdom. Endorsement notice The text of ISO/IEC 27042:2015 has been approved by CEN as EN ISO/IEC 27042:2016 without any modification. EN ISO/IEC 27042:2016 (E) DIN EN ISO/IEC 27042:2016-12 3 ForewordISO (the International Organization for Sta

30、ndardization) and IEC (the International Electrotechnical Commission) form the specialized system for worldwide standardization. National bodies that are members of ISO or IEC participate in the development of International Standards through technical committees established by the respective organiz

31、ation to deal with particular fields of technical activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the work. In the field of information technology

32、, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1.The procedures used to develop this document and those intended for its further maintenance are described in the ISO/IEC Directives, Part 1. In particular the different approval criteria needed for the different types of docum

33、ent should be noted. This document was drafted in accordance with the editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives). Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. ISO and IEC shall not be held re

34、sponsible for identifying any or all such patent rights. Details of any patent rights identified during the development of the document will be in the Introduction and/or on the ISO list of patent declarations received (see www.iso.org/patents). Any trade name used in this document is information gi

35、ven for the convenience of users and does not constitute an endorsement.For an explanation on the meaning of ISO specific terms and expressions related to conformity assessment, as well as information about ISOs adherence to the WTO principles in the Technical Barriers to Trade (TBT) see the followi

36、ng URL: Foreword - Supplementary informationThe committee responsible for this document is ISO/IEC JTC 1, Information technology, SC 27, IT Security techniques.EN ISO/IEC 27042:2016 (E) DIN EN ISO/IEC 27042:2016-12 4 IntroductionGeneralThis International Standard provides guidance on the conduct of

37、the analysis and interpretation of potential digital evidence in order to identify and evaluate digital evidence which can be used to aid understanding of an incident. The exact nature of the data and information making up the potential digital evidence will depend on the nature of the incident and

38、the digital evidence sources involved in that incident.When using this International Standard, the user assumes that the guidance given in ISO/IEC 27035-2 and ISO/IEC 27037:2012 has been followed and that all processes used are compatible with the guidance given in ISO/IEC 27043:2015 and ISO/IEC 270

39、411).Relationship to other standardsThis International Standard is intended to complement other standards and documents which give guidance on the investigation of, and preparation to investigate, information security incidents. It is not a comprehensive guide, but lays down certain fundamental prin

40、ciples which are intended to ensure that tools, techniques, and methods can be selected appropriately and shown to be fit for purpose should the need arise.This International Standard also intends to inform decision-makers that need to determine the reliability of digital evidence presented to them.

41、 It is applicable to organizations needing to protect, analyse, and present potential digital evidence. It is relevant to policy-making bodies that create and evaluate procedures relating to digital evidence, often as part of a larger body of evidence.This International Standard describes part of a

42、comprehensive investigative process which includes, but is not limited to, the following topic areas: incident management, including preparation, and planning for investigations; handling of digital evidence; use of, and issues caused by, redaction; intrusion prevention and detection systems, includ

43、ing information which can be obtained from these systems; security of storage, including sanitization of storage; ensuring that investigative methods are fit for purpose; carrying out analysis and interpretation of digital evidence; understanding principles and processes of digital evidence investig

44、ations; security incident event management, including derivation of evidence from systems involved in security incident event management; relationship between electronic discovery and other investigative methods, as well as the use of electronic discovery techniques in other investigations; governan

45、ce of investigations, including forensic investigations.These topic areas are addressed, in part, by the following ISO/IEC standards. ISO/IEC 270371) To be published.EN ISO/IEC 27042:2016 (E) DIN EN ISO/IEC 27042:2016-12 5 This International Standard describes the means by which those involved in th

46、e early stages of an investigation, including initial response, can assure that sufficient potential digital evidence is captured to allow the investigation to proceed appropriately. ISO/IEC 27038Some documents can contain information that must not be disclosed to some communities. Modified document

47、s can be released to these communities after an appropriate processing of the original document. The process of removing information that is not to be disclosed is called “redaction”.The digital redaction of documents is a relatively new area of document management practice, raising unique issues an

48、d potential risks. Where digital documents are redacted, removed information must not be recoverable. Hence, care needs to be taken so that redacted information is permanently removed from the digital document (e.g. it must not be simply hidden within non-displayable portions of the document).ISO/IEC 27038 specifies methods for digital redaction of digital documents. It also specifies requirements for software th