1、BS ISO/IEC 27037:2012Information technology Security techniques Guidelines for identification, collection, acquisition and preservation of digitalevidenceBS EN ISO/IEC 27037:2016(ISO/IEC 27037:2012)BSI Standards PublicationWB11885_BSI_StandardCovs_2013_AW.indd 1 15/05/2013 15:06BS EN ISO/IEC 27037:2
2、016 BRITISH STANDARDNational forewordThis British Standard is the UK implementation of EN ISO/IEC 27037:2016. It is identical to ISO/IEC 27037:2012. It supersedes BS ISO/IEC 27037:2012 which is withdrawn.The UK participation in its preparation was entrusted by Technical Committee IST/33, IT - Securi
3、ty techniques, to Subcommittee IST/33/4, Security Controls and Services.A list of organizations represented on this subcommittee can be obtained on request to its secretary.This publication does not purport to include all the necessary provisions of a contract. Users are responsible for its correct
4、application. The British Standards Institution 2016. Published by BSI Standards Limited 2016ISBN 978 0 580 92350 0ICS 35.040Compliance with a British Standard cannot confer immunity from legal obligations.This British Standard was published under the authority of the Standards Policy and Strategy Co
5、mmittee on 31 October 2012.Amendments/corrigenda issued since publicationDate Text affected31 October 2016 This corrigendum renumbers BS ISO/IEC 27037:2012 as BS EN ISO/IEC 27037:2016.EUROPEAN STANDARD NORME EUROPENNE EUROPISCHE NORM EN ISO/IEC 27037 August 2016 ICS 35.040 English Version Informatio
6、n technology - Security techniques - Guidelines for identification, collection, acquisition and preservation of digital evidence (ISO/IEC 27037:2012) Technologies de linformation - Techniques de scurit - Lignes directrices pour lidentification, la collecte, lacquisition et la prservation de preuves
7、numriques (ISO/IEC 27037:2012) Informationstechnik - IT-Sicherheitsverfahren - Leitfaden fr die Identifikation, Sammlung, Erhebung und Erhaltung der digitalen Beweissicherung (ISO/IEC 27037:2012) This European Standard was approved by CEN on 19 June 2016. CEN and CENELEC members are bound to comply
8、with the CEN/CENELEC Internal Regulations which stipulate the conditions for giving this European Standard the status of a national standard without any alteration. Up-to-date lists and bibliographical references concerning such national standards may be obtained on application to the CEN-CENELEC Ma
9、nagement Centre or to any CEN and CENELEC member. This European Standard exists in three official versions (English, French, German). A version in any other language made by translation under the responsibility of a CEN and CENELEC member into its own language and notified to the CEN-CENELEC Managem
10、ent Centre has the same status as the official versions. CEN and CENELEC members are the national standards bodies of Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, Former Yugoslav Republic of Macedonia, France, Germany, Greece, Hungary, Iceland, Ireland, Ita
11、ly, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, Switzerland, Turkey and United Kingdom. EUROPEAN COMMITTEE FOR STANDARDIZATION COMIT EUROPEN DE NORMALISATION EUROPISCHES KOMITEE FR NORMUNG CEN-CENELEC Management Centre: Ave
12、nue Marnix 17, B-1000 Brussels 2016 CEN and CENELEC All rights of exploitation in any form and by any means reserved worldwide for CEN and CENELEC national Members. Ref. No. EN ISO/IEC 27037:2016 E EN ISO/IEC 27037:2016 (E) 3 European foreword The text of ISO/IEC 27037:2012 has been prepared by Tech
13、nical Committee ISO/IEC JTC 1 “Information technology” of the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) and has been taken over as EN ISO/IEC 27037:2016. This European Standard shall be given the status of a national standard, either
14、 by publication of an identical text or by endorsement, at the latest by February 2017, and conflicting national standards shall be withdrawn at the latest by February 2017. Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. CEN and/
15、or CENELEC shall not be held responsible for identifying any or all such patent rights. According to the CEN-CENELEC Internal Regulations, the national standards organizations of the following countries are bound to implement this European Standard: Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech
16、 Republic, Denmark, Estonia, Finland, Former Yugoslav Republic of Macedonia, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, Switzerland, Turkey and the United Kingdom.
17、 Endorsement notice The text of ISO/IEC 27037:2012 has been approved by CEN as EN ISO/IEC 27037:2016 without any modification. BS EN ISO/IEC 27037:2016EN ISO/IEC 27037:2016 (E)BS ISO/IEC 27037:2012ISO/IEC 27037:2012(E) ISO/IEC 2012 All rights reserved iiiContents Page Foreword . v Introduction vi 1
18、Scope . 1 2 Normative reference 1 3 Terms and definitions . 2 4 Abbreviated terms . 4 5 Overview 6 5.1 Context for collecting digital evidence . 6 5.2 Principles of digital evidence 6 5.3 Requirements for digital evidence handling 6 5.3.1 General. 6 5.3.2 Auditability 7 5.3.3 Repeatability . 7 5.3.4
19、 Reproducibility . 7 5.3.5 Justifiability 7 5.4 Digital evidence handling processes 8 5.4.1 Overview 8 5.4.2 Identification . 8 5.4.3 Collection 9 5.4.4 Acquisition 9 5.4.5 Preservation 10 6 Key components of identification, collection, acquisition and preservation of digital evidence 10 6.1 Chain o
20、f custody 10 6.2 Precautions at the site of incident . 11 6.2.1 General. 11 6.2.2 Personnel 11 6.2.3 Potential digital evidence 12 6.3 Roles and responsibilities . 12 6.4 Competency 13 6.5 Use reasonable care . 13 6.6 Documentation . 14 6.7 Briefing 14 6.7.1 General. 14 6.7.2 Digital evidence specif
21、ic 14 6.7.3 Personnel specific . 15 6.7.4 Real-time incidents . 15 6.7.5 Other briefing information . 15 6.8 Prioritizing collection and acquisition 16 6.9 Preservation of potential digital evidence 17 6.9.1 Overview 17 6.9.2 Preserving potential digital evidence 17 6.9.3 Packaging digital devices a
22、nd potential digital evidence . 17 6.9.4 Transporting potential digital evidence 18 7 Instances of identification, collection, acquisition and preservation 19 7.1 Computers, peripheral devices and digital storage media . 19 7.1.1 Identification . 19 7.1.2 Collection 21 BS EN ISO/IEC 27037:2016ISO/IE
23、C 27037:2012(E)BS ISO/IEC 27037:2012ISO/IEC 27037:2012(E) iv ISO/IEC 2012 All rights reserved7.1.3 Acquisition 25 7.1.4 Preservation 29 7.2 Networked devices 29 7.2.1 Identification .29 7.2.2 Collection, acquisition and preservation 31 7.3 CCTV collection, acquisition and preservation .33 Annex A (i
24、nformative) DEFR core skills and competency description .35 Annex B (informative) Minimum documentation requirements for evidence transfer .37 Bibliography 38 BS EN ISO/IEC 27037:2016ISO/IEC 27037:2012(E)BS ISO/IEC 27037:2012ISO/IEC 27037:2012(E) ISO/IEC 2012 All rights reserved vForeword ISO (the I
25、nternational Organization for Standardization) and IEC (the International Electrotechnical Commission) form the specialized system for worldwide standardization. National bodies that are members of ISO or IEC participate in the development of International Standards through technical committees esta
26、blished by the respective organization to deal with particular fields of technical activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the work. In th
27、e field of information technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1. International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 2. The main task of the joint technical committee is to prepare International Standards.
28、Draft International Standards adopted by the joint technical committee are circulated to national bodies for voting. Publication as an International Standard requires approval by at least 75 % of the national bodies casting a vote. Attention is drawn to the possibility that some of the elements of t
29、his document may be the subject of patent rights. ISO and IEC shall not be held responsible for identifying any or all such patent rights. ISO/IEC 27037 was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology, Subcommittee SC 27, IT Security techniques. BS EN ISO/IEC 27037:20
30、16ISO/IEC 27037:2012(E)BS ISO/IEC 27037:2012ISO/IEC 27037:2012(E) vi ISO/IEC 2012 All rights reservedIntroduction This International Standard provides guidelines for specific activities in handling potential digital evidence; these processes are: identification, collection, acquisition and preservat
31、ion of potential digital evidence. These processes are required in an investigation that is designed to maintain the integrity of the digital evidence an acceptable methodology in obtaining digital evidence that will contribute to its admissibility in legal and disciplinary actions as well as other
32、required instances. This International Standard also provides general guidelines for the collection of non-digital evidence that may be helpful in the analysis stage of the potential digital evidence. This International Standard intends to provide guidance to those individuals responsible for the id
33、entification, collection, acquisition and preservation of potential digital evidence. These individuals include Digital Evidence First Responders (DEFRs), Digital Evidence Specialists (DESs), incident response specialists and forensic laboratory managers. This International Standard ensures that res
34、ponsible individuals manage potential digital evidence in practical ways that are acceptable worldwide, with the objective to facilitate investigation involving digital devices and digital evidence in a systematic and impartial manner while preserving its integrity and authenticity. This Internation
35、al Standard also intends to inform decision-makers who need to determine the reliability of digital evidence presented to them. It is applicable to organizations needing to protect, analyze and present potential digital evidence. It is relevant to policy-making bodies that create and evaluate proced
36、ures relating to digital evidence, often as part of a larger body of evidence. The potential digital evidence referred to in this International Standard may be sourced from different types of digital devices, networks, databases, etc. It refers to data that is already in a digital format. This Inter
37、national Standard does not attempt to cover the conversion of analog data into digital format. Due to the fragility of digital evidence, it is necessary to carry out an acceptable methodology to ensure the integrity and authenticity of the potential digital evidence. This International Standard does
38、 not mandate the use of particular tools or methods. Key components that provide credibility in the investigation are the methodology applied during the process, and individuals qualified in performing the tasks specified in the methodology. This International Standard does not address the methodolo
39、gy for legal proceedings, disciplinary procedures and other related actions in handling potential digital evidence that are outside the scope of identification, collection, acquisition and preservation. Application of this International Standard requires compliance with national laws, rules and regu
40、lations. It should not replace specific legal requirements of any jurisdiction. Instead, it may serve as a practical guideline for any DEFR or DES in investigations involving potential digital evidence. It does not extend to the analysis of digital evidence and it does not replace jurisdiction-speci
41、fic requirements that pertain to matters such as admissibility, evidential weighting, relevance and other judicially controlled limitations on the use of potential digital evidence in courts of law. This International Standard may assist in the facilitation of potential digital evidence exchange bet
42、ween jurisdictions. In order to maintain the integrity of the digital evidence, users of this International Standard are required to adapt and amend the procedures described in this International Standard in accordance with the specific jurisdictions legal requirements for evidence. Although this In
43、ternational Standard does not include forensic readiness, adequate forensic readiness can largely support the identification, collection, acquisition, and preservation process of digital evidence. Forensic readiness is the achievement of an appropriate level of capability by an organization in order
44、 for it to be able to identify, collect, acquire, preserve, protect and analyze digital evidence. Whereas the processes and activities described in this International Standard are essentially reactive measures used to investigate an incident after it occurred, forensic readiness is a proactive proce
45、ss of attempting to plan for such events. BS EN ISO/IEC 27037:2016ISO/IEC 27037:2012(E)BS ISO/IEC 27037:2012ISO/IEC 27037:2012(E) ISO/IEC 2012 All rights reserved viiThis International Standard complements ISO/IEC 27001 and ISO/IEC 27002, and in particular the control requirements concerning potenti
46、al digital evidence acquisition by providing additional implementation guidance. In addition, this International Standard will have applications in contexts independent of ISO/IEC 27001 and ISO/IEC 27002. This International Standard should be read in conjunction with other standards related to digit
47、al evidence and the investigation of information security incidents. BS EN ISO/IEC 27037:2016ISO/IEC 27037:2012(E)BS ISO/IEC 27037:2012BS EN ISO/IEC 27037:2016BS ISO/IEC 27037:2012INTERNATIONAL STANDARD ISO/IEC 27037:2012(E) ISO/IEC 2012 All rights reserved 1Information technology Security technique
48、s Guidelines for identification, collection, acquisition, and preservation of digital evidence 1 Scope This International Standard provides guidelines for specific activities in handling digital evidence, which are identification, collection, acquisition and preservation of digital evidence that may
49、 be of evidential value. This International Standard provides guidance to individuals with respect to common situations encountered throughout the digital evidence handling process and assists organizations in their disciplinary procedures and in facilitating the exchange of potential digital evidence between jurisdictions. This International Standard gives guidance for the following devices and/or functions that are used in various circumstances: Digital storage media used in standard computers like hard drives, floppy disks, optical a
