BS EN ISO/IEC 27042:2016

BSI Standards Publication

Information technology - Security techniques - Guidelines for the analysis and interpretation of digital evidence (ISO/IEC 27042:2015)

BRITISH STANDARD

National foreword

This British Standard is the UK implementation of EN ISO/IEC 27042:2016. It is identical to ISO/IEC 27042:2015. It supersedes BS ISO/IEC 27042:2015, which is withdrawn.

The UK participation in its preparation was entrusted by Technical Committee IST/33, IT - Security techniques, to Subcommittee IST/33/4, Security Controls and Services.

A list of organizations represented on this subcommittee can be obtained on request to its secretary.

This publication does not purport to include all the necessary provisions of a contract. Users are responsible for its correct application.

© The British Standards Institution 2016. Published by BSI Standards Limited 2016

ISBN 978 0 580 92354 8

ICS 35.040

Compliance with a British Standard cannot confer immunity from legal obligations.

This British Standard was published under the authority of the Standards Policy and Strategy Committee on 30 June 2015.

Amendments/corrigenda issued since publication

Date              Text affected
31 October 2016   This corrigendum renumbers BS ISO/IEC 27042:2015 as BS EN ISO/IEC 27042:2016

EUROPEAN STANDARD
NORME EUROPÉENNE
EUROPÄISCHE NORM

EN ISO/IEC 27042

August 2016

ICS 35.040

English Version

Information technology - Security techniques - Guidelines for the analysis and interpretation of digital evidence (ISO/IEC 27042:2015)

Technologies de l'information - Techniques de sécurité - Lignes directrices pour l'analyse et l'interprétation de preuves numériques (ISO/IEC 27042:2015)

Informationstechnik - IT-Sicherheitsverfahren - Leitfaden für die Analyse und Interpretation digitaler Beweismittel (ISO/IEC 27042:2015)

This European Standard was approved by CEN on 19 June 2016.

CEN and CENELEC members are bound to comply with the CEN/CENELEC Internal Regulations which stipulate the conditions for giving this European Standard the status of a national standard without any alteration. Up-to-date lists and bibliographical references concerning such national standards may be obtained on application to the CEN-CENELEC Management Centre or to any CEN and CENELEC member.

This European Standard exists in three official versions (English, French, German). A version in any other language made by translation under the responsibility of a CEN and CENELEC member into its own language and notified to the CEN-CENELEC Management Centre has the same status as the official versions.

CEN and CENELEC members are the national standards bodies of Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, Former Yugoslav Republic of Macedonia, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, Switzerland, Turkey and United Kingdom.

EUROPEAN COMMITTEE FOR STANDARDIZATION
COMITÉ EUROPÉEN DE NORMALISATION
EUROPÄISCHES KOMITEE FÜR NORMUNG

CEN-CENELEC Management Centre: Avenue Marnix 17, B-1000 Brussels

© 2016 CEN and CENELEC. All rights of exploitation in any form and by any means reserved worldwide for CEN and CENELEC national Members.

Ref. No. EN ISO/IEC 27042:2016 E

EN ISO/IEC 27042:2016 (E)

European foreword

The text of ISO/IEC 27042:2015 has been prepared by Technical Committee ISO/IEC JTC 1 "Information technology" of the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) and has been taken over as EN ISO/IEC 27042:2016.

This European Standard shall be given the status of a national standard, either by publication of an identical text or by endorsement, at the latest by February 2017, and conflicting national standards shall be withdrawn at the latest by February 2017.

Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. CEN and/or CENELEC shall not be held responsible for identifying any or all such patent rights.

According to the CEN-CENELEC Internal Regulations, the national standards organizations of the following countries are bound to implement this European Standard: Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, Former Yugoslav Republic of Macedonia, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, Switzerland, Turkey and the United Kingdom.

Endorsement notice

The text of ISO/IEC 27042:2015 has been approved by CEN as EN ISO/IEC 27042:2016 without any modification.

ISO/IEC 27042:2015(E)

Contents

Foreword
Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 Symbols and abbreviated terms
5 Investigation
  5.1 Overview
  5.2 Continuity
  5.3 Repeatability and reproducibility
  5.4 Structured approach
  5.5 Uncertainty
6 Analysis
  6.1 Overview
  6.2 General principles
  6.3 Use of tools
  6.4 Record keeping
7 Analytical models
  7.1 Static analysis
  7.2 Live analysis
    7.2.1 Overview
    7.2.2 Live analysis of non-imageable and non-copyable systems
    7.2.3 Live analysis of imageable or copyable systems
8 Interpretation
  8.1 General
  8.2 Accreditation of fact
  8.3 Factors affecting interpretation
9 Reporting
  9.1 Preparation
  9.2 Suggested report content
10 Competence
  10.1 Overview
  10.2 Demonstration of competence
  10.3 Recording competence
11 Proficiency
  11.1 Overview
  11.2 Mechanisms for demonstration of proficiency
Annex A (informative) Examples of Competence and Proficiency Specifications
Bibliography

© ISO/IEC 2015 All rights reserved

Foreword

ISO (the International Organization for Standardization) and IEC (the International Electrotechnical Commission) form the specialized system for worldwide standardization. National bodies that are members of ISO or IEC participate in the development of International Standards through technical committees established by the respective organization to deal with particular fields of technical activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the work. In the field of information technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1.

The procedures used to develop this document and those intended for its further maintenance are described in the ISO/IEC Directives, Part 1. In particular the different approval criteria needed for the different types of document should be noted. This document was drafted in accordance with the editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives).

Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. ISO and IEC shall not be held responsible for identifying any or all such patent rights. Details of any patent rights identified during the development of the document will be in the Introduction and/or on the ISO list of patent declarations received (see www.iso.org/patents).

Any trade name used in this document is information given for the convenience of users and does not constitute an endorsement.

For an explanation on the meaning of ISO specific terms and expressions related to conformity assessment, as well as information about ISO's adherence to the WTO principles in the Technical Barriers to Trade (TBT), see the following URL: Foreword - Supplementary information

The committee responsible for this document is ISO/IEC JTC 1, Information technology, SC 27, IT Security techniques.

Introduction

General

This International Standard provides guidance on the conduct of the analysis and interpretation of potential digital evidence in order to identify and evaluate digital evidence which can be used to aid understanding of an incident. The exact nature of the data and information making up the potential digital evidence will depend on the nature of the incident and the digital evidence sources involved in that incident.

When using this International Standard, the user assumes that the guidance given in ISO/IEC 27035-2 and ISO/IEC 27037:2012 has been followed and that all processes used are compatible with the guidance given in ISO/IEC 27043:2015 and ISO/IEC 27041 1).

1) To be published.

Relationship to other standards

This International Standard is intended to complement other standards and documents which give guidance on the investigation of, and preparation to investigate, information security incidents. It is not a comprehensive guide, but lays down certain fundamental principles which are intended to ensure that tools, techniques, and methods can be selected appropriately and shown to be fit for purpose should the need arise.

This International Standard also intends to inform decision-makers that need to determine the reliability of digital evidence presented to them. It is applicable to organizations needing to protect, analyse, and present potential digital evidence. It is relevant to policy-making bodies that create and evaluate procedures relating to digital evidence, often as part of a larger body of evidence.

This International Standard describes part of a comprehensive investigative process which includes, but is not limited to, the following topic areas:

- incident management, including preparation, and planning for investigations;
- handling of digital evidence;
- use of, and issues caused by, redaction;
- intrusion prevention and detection systems, including information which can be obtained from these systems;
- security of storage, including sanitization of storage;
- ensuring that investigative methods are fit for purpose;
- carrying out analysis and interpretation of digital evidence;
- understanding principles and processes of digital evidence investigations;
- security incident event management, including derivation of evidence from systems involved in security incident event management;
- relationship between electronic discovery and other investigative methods, as well as the use of electronic discovery techniques in other investigations;
- governance of investigations, including forensic investigations.

These topic areas are addressed, in part, by the following ISO/IEC standards.

ISO/IEC 27037

This International Standard describes the means by which those involved in the early stages of an investigation, including initial response, can assure that sufficient potential digital evidence is captured to allow the investigation to proceed appropriately.

ISO/IEC 27038

Some documents can contain information that must not be disclosed to some communities. Modified documents can be released to these communities after an appropriate processing of the original document. The process of removing information that is not to be disclosed is called "redaction".

The digital redaction of documents is a relatively new area of document management practice, raising unique issues and potential risks. Where digital documents are redacted, removed information must not be recoverable. Hence, care needs to be taken so that redacted information is permanently removed from the digital document (e.g. it must not be simply hidden within non-displayable portions of the document).

ISO/IEC 27038 specifies methods for digital redaction of digital documents. It also specifies requirements for software that can be used for redaction.

ISO/IEC 27040:2015

This International Standard provides detailed technical guidance on how organizations can define an appropriate level of risk mitigation by employing a well-proven and consistent approach to the planning, design, documentation, and implementation of data storage security. Storage security applies to the protection (security) of information where it is stored and to the security of the information being transferred across the communication links associated with storage. Storage security includes the security of devices and media, the security of management activities related to the devices and media, the security of applications and services, and security relevant to end-users during the lifetime of devices and media and after end of use.

Security mechanisms like encryption and sanitization can affect one's ability to investigate by introducing obfuscation mechanisms. They have to be considered prior to and during the conduct of an investigation. They can also be important in ensuring that storage of evidential material during and after an investigation is adequately prepared and secured.

ISO/IEC 27041

It is important that methods and processes deployed during an investigation can be shown to be appropriate. This International Standard provides guidance on how to provide assurance that methods and processes meet the requirements of the investigation and have been appropriately tested.

ISO/IEC 27043:2015

This International Standard defines the key common principles and processes underlying the investigation of incidents and provides a framework model for all stages of investigations.

The following ISO/IEC projects also address, in part, the topic areas identified above and can lead to the publication of relevant standards at some time after the publication of this International Standard.

ISO/IEC 27035 (all parts)

This is a three-part standard that provides organizations with a structured and planned approach to information security incident management. It is composed of:

ISO/IEC 27035-1
This part presents basic concepts and phases of information security incident management. It combines these concepts with principles in a structured approach to detecting, reporting, assessing, responding, and applying lessons learned.

ISO/IEC 27035-2
This part presents the concepts to plan and prepare for incident response. The concepts, including incident management policy and plan, incident response team establishment, and awareness briefing and training, are based on the plan and prepare phase of the model presented in ISO/IEC 27035-1. This part also covers the "Lessons Learned" phase of the model.

ISO/IEC 27035-3
This part includes staff responsibilities and practical incident response activities across the organization. Particular focus is given to the incident response team activities, such as monitoring, detection, analysis, and response activities for the collected data or security events.

ISO/IEC 27044 2)

This provides guidelines to organiz