DIN EN ISO IEC 27043-2016 Information technology - Security techniques - Incident investigation principles and processes (ISO IEC 27043 2015) German version EN ISO IEC 27043 2016《信.pdf

1、December 2016 English price group 18No part of this translation may be reproduced without prior permission ofDIN Deutsches Institut fr Normung e. V., Berlin. Beuth Verlag GmbH, 10772 Berlin, Germany,has the exclusive right of sale for German Standards (DIN-Normen).ICS 35.030!%“2599157www.din.deDIN E

2、N ISO/IEC 27043Information technology Security techniques Incident investigation principles and processes (ISO/IEC 27043:2015);English version EN ISO/IEC 27043:2016,English translation of DIN EN ISO/IEC 27043:2016-12Informationstechnik ITSicherheitsverfahren Grundstze und Prozesse fr die Untersuchun

3、g von Vorfllen (ISO/IEC 27043:2015);Englische Fassung EN ISO/IEC 27043:2016,Englische bersetzung von DIN EN ISO/IEC 27043:2016-12Technologies de linformation Techniques de scurit Principes dinvestigation numrique et les processus (ISO/IEC 27043:2015);Version anglaise EN ISO/IEC 27043:2016,Traduction

4、 anglaise de DIN EN ISO/IEC 27043:2016-12www.beuth.deDocument comprises 41 pagesDTranslation by DIN-Sprachendienst.In case of doubt, the German-language original shall be considered authoritative.01.17 DIN EN ISO/IEC 27043:2016-12 2 A comma is used as the decimal marker. National foreword This docum

5、ent (EN ISO/IEC 27043:2016) has been prepared by Joint Technical Committee ISO/IEC JTC 1 “Information technology”, Subcommittee SC 27 “IT Security techniques” (Secretariat: DIN, Germany). Based on a decision of CEN/BT, ISO/IEC 27043:2015 has been submitted to the Unique Acceptance Procedure (UAP) an

6、d taken over as EN ISO/IEC 27043:2016 without any modification. The responsible German body involved in its preparation was DIN-Normenausschuss Informationstechnik und Anwendungen (DIN Standards Committee Information Technology and selected IT Applications), Working Committee NA 043-27-04 AK IT-Sich

7、erheitsmanahmen und Dienste. The DIN Standard corresponding to the International Standard referred to in this document is as follows: ISO/IEC 27000 DIN EN ISO/IEC 27000*)National Annex NA (informative) Bibliography E DIN ISO/IEC 27000, Information technology Security techniques Information security

8、management systems Overview and vocabulary (ISO/IEC DIS 27000:2015) *)Under preparation. EUROPEAN STANDARD NORME EUROPENNE EUROPISCHE NORM EN ISO/IEC 27043 August 2016 ICS 35.040 English Version Information technology - Security techniques - Incident investigation principles and processes(ISO/IEC 27

9、043:2015) Technologies de linformation - Techniques de scurit -Principes dinvestigation numrique et les processus (ISO/IEC 27043:2015) Informationstechnik - IT-Sicherheitsverfahren - Grundstze und Prozesse fr die Untersuchung von Vorfllen (ISO/IEC 27043:2015) This European Standard was approved by C

10、EN on 19 June 2016. CEN and CENELEC members are bound to comply with the CEN/CENELEC Internal Regulations which stipulate the conditions for giving this European Standard the status of a national standard without any alteration. Up-to-date lists and bibliographical references concerning such nationa

11、l standards may be obtained on application to the CEN-CENELEC Management Centre or to any CEN and CENELEC member. This European Standard exists in three official versions (English, French, German). A version in any other language made by translation under the responsibility of a CEN and CENELEC memb

12、er into its own language and notified to the CEN-CENELEC Management Centre has the same status as the official versions. CEN and CENELEC members are the national standards bodies of Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, Former Yugoslav Republic of Ma

13、cedonia, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, Switzerland, Turkey and United Kingdom. EUROPEAN COMMITTEE FOR STANDARDIZATION COMIT EUROPEN DE NORMALISATION E

14、UROPISCHES KOMITEE FR NORMUNG CEN-CENELEC Management Centre: Avenue Marnix 17, B-1000 Brussels 2016 CEN and CENELEC All rights of exploitation in any form and by any means reserved worldwide for CEN and CENELEC national Members. Ref. No. EN ISO/IEC 27043:2016 E European foreword 4Introduction 61 Sco

15、pe 102 Normative references . 103 Terms and definitions . 104 Symbols and abbreviated terms 125 Digital investigations 135.1 General principles . 135.2 Legal principles . 136 Digital investigation processes . 146.1 General overview of the processes . 146.2 Classes of digital investigation processes

16、. 147 Readiness processes 167.1 Overview of the readiness processes . 167.2 Scenario definition process . 187.3 Identification of potential digital evidence sources process 187.4 Planning pre-incident gathering, storage, and handling of data representing potential digital evidence process . 207.5 Pl

17、anning pre-incident analysis of data representing potential digital evidence process 207.6 Planning incident detection process . 207.7 Defining system architecture process 207.8 Implementing system architecture process 217.9 Implementing pre-incident gathering, storage, and handling of data represen

18、ting potential digital evidence process . 217.10 Implementing pre-incident analysis of data representing potential digital evidence process 217.11 Implementing incident detection process 217.12 Assessment of implementation process 227.13 Implementation of assessment results process 228 Initializatio

19、n processes 228.1 Overview of initialization processes . 228.2 Incident detection process . 238.3 First response process. 248.4 Planning process 248.5 Preparation process. 249 Acquisitive processes 259.1 Overview of acquisitive processes 259.2 Potential digital evidence identification process .259.3

20、 Potential digital evidence collection process .269.4 Potential digital evidence acquisition process .269.5 Potential digital evidence transportation process 269.6 Potential digital evidence storage and preservation process 2610 Investigative processes .2710.1 Overview of investigative processes . 2

21、710.2 Potential digital evidence acquisition process .2810.3 Potential digital evidence examination and analysis process .2810.4 Digital evidence interpretation process . 2810.5 Reporting process . 2810.6 Presentation process 2910.7 Investigation closure process 29Foreword 5Contents PageDIN EN ISO/I

22、EC 27043:2016-12 EN ISO/IEC 27043:2016 (E) 2 11 Concurrent processes .2911.1 Overview of the concurrent processes 2911.2 Obtaining authorization process 3011.3 Documentation process 3011.4 Managing information flow process 3011.5 Preserving chain of custody process . 3011.6 Preserving digital eviden

23、ce process 3111.7 Interaction with physical investigation process3112 Digital investigation process model schema 31Annex A (informative) Digital investigation processes: motivation for harmonization 33Bibliography .37DIN EN ISO/IEC 27043:2016-12 EN ISO/IEC 27043:2016 (E) 3 European foreword The text

24、 of ISO/IEC 27043:2015 has been prepared by Technical Committee ISO/IEC JTC 1 “Information technology” of the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) and has been taken over as EN ISO/IEC 27043:2016. This European Standard shall be

25、 given the status of a national standard, either by publication of an identical text or by endorsement, at the latest by February 2017, and conflicting national standards shall be withdrawn at the latest by February 2017. Attention is drawn to the possibility that some of the elements of this docume

26、nt may be the subject of patent rights. CEN and/or CENELEC shall not be held responsible for identifying any or all such patent rights. According to the CEN-CENELEC Internal Regulations, the national standards organizations of the following countries are bound to implement this European Standard: Au

27、stria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, Former Yugoslav Republic of Macedonia, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Swe

28、den, Switzerland, Turkey and the United Kingdom. Endorsement notice The text of ISO/IEC 27043:2015 has been approved by CEN as EN ISO/IEC 27043:2016 without any modification. DIN EN ISO/IEC 27043:2016-12 EN ISO/IEC 27043:2016 (E) 4 ForewordISO (the International Organization for Standardization) and

29、 IEC (the International Electrotechnical Commission) form the specialized system for worldwide standardization. National bodies that are members of ISO or IEC participate in the development of International Standards through technical committees established by the respective organization to deal wit

30、h particular fields of technical activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the work. In the field of information technology, ISO and IEC hav

31、e established a joint technical committee, ISO/IEC JTC 1.The procedures used to develop this document and those intended for its further maintenance are described in the ISO/IEC Directives, Part 1. In particular the different approval criteria needed for the different types of document should be not

32、ed. This document was drafted in accordance with the editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives).Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. ISO and IEC shall not be held responsible for iden

33、tifying any or all such patent rights. Details of any patent rights identified during the development of the document will be in the Introduction and/or on the ISO list of patent declarations received (see www.iso.org/patents).Any trade name used in this document is information given for the conveni

34、ence of users and does not constitute an endorsement.For an explanation on the meaning of ISO specific terms and expressions related to conformity assessment, as well as information about ISOs adherence to the WTO principles in the Technical Barriers to Trade (TBT), see the following URL: Foreword S

35、upplementary information .The committee responsible for this document is ISO/IEC JTC 1, Information technology, Subcommittee SC 27, Security techniques.DIN EN ISO/IEC 27043:2016-12 EN ISO/IEC 27043:2016 (E) 5 IntroductionAbout this International StandardThis International Standard provides guideline

36、s that encapsulate idealized models for common investigation processes across various investigation scenarios. This includes processes from pre-incident preparation up to and including returning evidence for storage or dissemination, as well as general advice and caveats on processes and appropriate

37、 identification, collection, acquisition, preservation, analysis, interpretation, and presentation of evidence. A basic principle of digital investigations is repeatability, where a suitably skilled investigator has to be able to obtain the same result as another similarly skilled investigator, work

38、ing under similar conditions. This principle is exceptionally important to any general investigation. Guidelines for many investigation processes have been provided to ensure that there is clarity and transparency in obtaining the produced result for each particular process. The motivation to provid

39、e guidelines for incident investigation principles and processes follows.Established guidelines covering incident investigation principles and processes would expedite investigations because they would provide a common order of the events that an investigation entails. Using established guidelines a

40、llows smooth transition from one event to another during an investigation. Such guidelines would also allow proper training of inexperienced investigators. The guidelines, furthermore, aim to assure flexibility within an investigation due to the fact that many different types of digital investigatio

41、ns are possible. Harmonized incident investigation principles and processes are specified and indications are provided of how the investigation processes can be customized in different investigation scenarios.A harmonized investigation process model is needed in criminal and civil prosecution settin

42、gs, as well as in other environments, such as corporate breaches of information security and recovery of digital information from a defective storage device. The provided guidelines give succinct guidance on the exact process to be followed during any kind of digital investigation in such a way that

43、, if challenged, no doubt should exist as to the adequacy of the investigation process followed during such an investigation.Any digital investigation requires a high level of expertise. Those involved in the investigation have to be competent, proficient in the processes used, and they have to use

44、validated processes (see ISO/IEC 27041) which are compatible with the relevant policies and/or laws in applicable jurisdictions.Where the need arises to assign a process to a person, that person will take the responsibility for the process. Therefore, a strong correlation between a process responsib

45、ility and a persons input will determine the exact investigation process required according to the harmonized investigation processes provided as guidelines in this International Standard.This International Standard is structured by following a top-down approach. This means that the investigation pr

46、inciples and processes are first presented on a high (abstract) level before they are refined with more details. For example, a high-level overview of the investigation principles and processes are provided and presented in figures as “black boxes” at first, where after each of the high-level proces

47、ses are divided into more fine-grained (atomic) processes. Therefore, a less abstract and more detailed view of all the investigation principles and processes are presented near the end of this International Standard as shown in Figure 8.This International Standard is intended to complement other st

48、andards and documents which provide guidance on the investigation of, and preparation to, investigate information security incidents. It is not an in-depth guide, but it is a guide that provides a rather wide overview of the entire incident investigation process. This guide also lays down certain fundamental principles which are intended to ensure that tools, techniques, and methods can be selected appropriately and shown to be fit for purpose shoul