1、BS EN ISO/IEC 27043:2016Information technology Security techniques Incidentinvestigation principles andprocesses (ISO/IEC 27043:2015)BSI Standards PublicationWB11885_BSI_StandardCovs_2013_AW.indd 1 15/05/2013 15:06BS EN ISO/IEC 27043:2016 BRITISH STANDARDNational forewordThis British Standard is the
2、 UK implementation of The UK participation in its preparation was entrusted by TechnicalCommittee IST/33, IT - Security techniques, to SubcommitteeA list of organizations represented on this subcommittee can beobtained on request to its secretary.This publication does not purport to include all the
3、necessaryprovisions of a contract. Users are responsible for its correctapplication. The British Standards Institution 2016. Published by BSI StandardsLimited 2016ISBN 978 0 580 92355 5ICS 35.040Compliance with a British Standard cannot confer immunity fromlegal obligations.This British Standard was
4、 published under the authority of theStandards Policy and Strategy Committee on 31 March 2015.Amendments/corrigenda issued since publicationDate Text affected30 September 2016 This corrigendum renumbersBS EN ISO/IEC 27043:2016BS ISO/IEC 27043:2015 asIST/33/4, Security Controls and Services.EN ISO/IE
5、C 27043:2016. It is identical to ISO/IEC 27043:2015.It supersedes BS ISO/IEC 27043:2015 which is withdrawn.EUROPEAN STANDARD NORME EUROPENNE EUROPISCHE NORM EN ISO/IEC 27043 August 2016 ICS 35.040 English Version Information technology - Security techniques - Incident investigation principles and pr
6、ocesses (ISO/IEC 27043:2015) Technologies de linformation - Techniques de scurit - Principes dinvestigation numrique et les processus (ISO/IEC 27043:2015) Informationstechnik - IT-Sicherheitsverfahren - Grundstze und Prozesse fr die Untersuchung von Vorfllen (ISO/IEC 27043:2015) This European Standa
7、rd was approved by CEN on 19 June 2016. CEN and CENELEC members are bound to comply with the CEN/CENELEC Internal Regulations which stipulate the conditions for giving this European Standard the status of a national standard without any alteration. Up-to-date lists and bibliographical references con
8、cerning such national standards may be obtained on application to the CEN-CENELEC Management Centre or to any CEN and CENELEC member. This European Standard exists in three official versions (English, French, German). A version in any other language made by translation under the responsibility of a
9、CEN and CENELEC member into its own language and notified to the CEN-CENELEC Management Centre has the same status as the official versions. CEN and CENELEC members are the national standards bodies of Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, Former Yug
10、oslav Republic of Macedonia, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, Switzerland, Turkey and United Kingdom. EUROPEAN COMMITTEE FOR STANDARDIZATION COMIT EUROPE
11、N DE NORMALISATION EUROPISCHES KOMITEE FR NORMUNG CEN-CENELEC Management Centre: Avenue Marnix 17, B-1000 Brussels 2016 CEN and CENELEC All rights of exploitation in any form and by any means reserved worldwide for CEN and CENELEC national Members. Ref. No. EN ISO/IEC 27043:2016 E EN ISO/IEC 27043:2
12、016 (E) European foreword The text of ISO/IEC 27043:2015 has been prepared by Technical Committee ISO/IEC JTC 1 “Information technology” of the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) and has been taken over as EN ISO/IEC 27043:201
13、6. This European Standard shall be given the status of a national standard, either by publication of an identical text or by endorsement, at the latest by February 2017, and conflicting national standards shall be withdrawn at the latest by February 2017. Attention is drawn to the possibility that s
14、ome of the elements of this document may be the subject of patent rights. CEN and/or CENELEC shall not be held responsible for identifying any or all such patent rights. According to the CEN-CENELEC Internal Regulations, the national standards organizations of the following countries are bound to im
15、plement this European Standard: Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, Former Yugoslav Republic of Macedonia, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Roman
16、ia, Slovakia, Slovenia, Spain, Sweden, Switzerland, Turkey and the United Kingdom. Endorsement notice The text of ISO/IEC 27043:2015 has been approved by CEN as EN ISO/IEC 27043:2016 without any modification. BS EN ISO/IEC 27043:2016ISO/IEC 27043:2015(E)Foreword vIntroduction vi1 Scope . 12 Normativ
17、e references 13 Terms and definitions . 14 Symbols and abbreviated terms . 35 Digital investigations . 45.1 General principles 45.2 Legal principles 46 Digital investigation processes 56.1 General overview of the processes 56.2 Classes of digital investigation processes 57 Readiness processes . 77.1
18、 Overview of the readiness processes 77.2 Scenario definition process 97.3 Identification of potential digital evidence sources process . 97.4 Planning pre-incident gathering, storage, and handling of data representing potential digital evidence process . 117.5 Planning pre-incident analysis of data
19、 representing potential digital evidence process 117.6 Planning incident detection process . 117.7 Defining system architecture process 117.8 Implementing system architecture process 127.9 Implementing pre-incident gathering, storage, and handling of data representing potential digital evidence proc
20、ess . 127.10 Implementing pre-incident analysis of data representing potential digital evidence process 127.11 Implementing incident detection process 127.12 Assessment of implementation process 137.13 Implementation of assessment results process 138 Initialization processes 138.1 Overview of initia
21、lization processes . 138.2 Incident detection process . 148.3 First response process. 158.4 Planning process 158.5 Preparation process. 159 Acquisitive processes 169.1 Overview of acquisitive processes 169.2 Potential digital evidence identification process .169.3 Potential digital evidence collecti
22、on process .179.4 Potential digital evidence acquisition process .179.5 Potential digital evidence transportation process 179.6 Potential digital evidence storage and preservation process 1710 Investigative processes .1810.1 Overview of investigative processes . 1810.2 Potential digital evidence acq
23、uisition process .1910.3 Potential digital evidence examination and analysis process .1910.4 Digital evidence interpretation process . 1910.5 Reporting process . 1910.6 Presentation process 2010.7 Investigation closure process 20 ISO/IEC 2015 All rights reserved iiiBS EN ISO/IEC 27043:2016ISO/IEC 27
24、043:2015(E)11 Concurrent processes .2011.1 Overview of the concurrent processes 2011.2 Obtaining authorization process 2111.3 Documentation process 2111.4 Managing information flow process 2111.5 Preserving chain of custody process . 2111.6 Preserving digital evidence process 2211.7 Interaction with
25、 physical investigation process2212 Digital investigation process model schema 22Annex A (informative) Digital investigation processes: motivation for harmonization 24Bibliography .28iv ISO/IEC 2015 All rights reservedBS EN ISO/IEC 27043:2016ISO/IEC 27043:2015(E)ForewordISO (the International Organi
26、zation for Standardization) and IEC (the International Electrotechnical Commission) form the specialized system for worldwide standardization. National bodies that are members of ISO or IEC participate in the development of International Standards through technical committees established by the resp
27、ective organization to deal with particular fields of technical activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the work. In the field of informat
28、ion technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1.The procedures used to develop this document and those intended for its further maintenance are described in the ISO/IEC Directives, Part 1. In particular the different approval criteria needed for the different
29、types of document should be noted. This document was drafted in accordance with the editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives).Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. ISO and IEC shall n
30、ot be held responsible for identifying any or all such patent rights. Details of any patent rights identified during the development of the document will be in the Introduction and/or on the ISO list of patent declarations received (see www.iso.org/patents).Any trade name used in this document is in
31、formation given for the convenience of users and does not constitute an endorsement.For an explanation on the meaning of ISO specific terms and expressions related to conformity assessment, as well as information about ISOs adherence to the WTO principles in the Technical Barriers to Trade (TBT), se
32、e the following URL: Foreword Supplementary information.The committee responsible for this document is ISO/IEC JTC 1, Information technology, Subcommittee SC 27, Security techniques. ISO/IEC 2015 All rights reserved vBS EN ISO/IEC 27043:2016ISO/IEC 27043:2015(E)IntroductionAbout this International S
33、tandardThis International Standard provides guidelines that encapsulate idealized models for common investigation processes across various investigation scenarios. This includes processes from pre-incident preparation up to and including returning evidence for storage or dissemination, as well as ge
34、neral advice and caveats on processes and appropriate identification, collection, acquisition, preservation, analysis, interpretation, and presentation of evidence. A basic principle of digital investigations is repeatability, where a suitably skilled investigator has to be able to obtain the same r
35、esult as another similarly skilled investigator, working under similar conditions. This principle is exceptionally important to any general investigation. Guidelines for many investigation processes have been provided to ensure that there is clarity and transparency in obtaining the produced result
36、for each particular process. The motivation to provide guidelines for incident investigation principles and processes follows.Established guidelines covering incident investigation principles and processes would expedite investigations because they would provide a common order of the events that an
37、investigation entails. Using established guidelines allows smooth transition from one event to another during an investigation. Such guidelines would also allow proper training of inexperienced investigators. The guidelines, furthermore, aim to assure flexibility within an investigation due to the f
38、act that many different types of digital investigations are possible. Harmonized incident investigation principles and processes are specified and indications are provided of how the investigation processes can be customized in different investigation scenarios.A harmonized investigation process mod
39、el is needed in criminal and civil prosecution settings, as well as in other environments, such as corporate breaches of information security and recovery of digital information from a defective storage device. The provided guidelines give succinct guidance on the exact process to be followed during
40、 any kind of digital investigation in such a way that, if challenged, no doubt should exist as to the adequacy of the investigation process followed during such an investigation.Any digital investigation requires a high level of expertise. Those involved in the investigation have to be competent, pr
41、oficient in the processes used, and they have to use validated processes (see ISO/IEC 27041) which are compatible with the relevant policies and/or laws in applicable jurisdictions.Where the need arises to assign a process to a person, that person will take the responsibility for the process. Theref
42、ore, a strong correlation between a process responsibility and a persons input will determine the exact investigation process required according to the harmonized investigation processes provided as guidelines in this International Standard.This International Standard is structured by following a to
43、p-down approach. This means that the investigation principles and processes are first presented on a high (abstract) level before they are refined with more details. For example, a high-level overview of the investigation principles and processes are provided and presented in figures as “black boxes
44、” at first, where after each of the high-level processes are divided into more fine-grained (atomic) processes. Therefore, a less abstract and more detailed view of all the investigation principles and processes are presented near the end of this International Standard as shown in Figure 8.This Inte
45、rnational Standard is intended to complement other standards and documents which provide guidance on the investigation of, and preparation to, investigate information security incidents. It is not an in-depth guide, but it is a guide that provides a rather wide overview of the entire incident invest
46、igation process. This guide also lays down certain fundamental principles which are intended to ensure that tools, techniques, and methods can be selected appropriately and shown to be fit for purpose should the need arise.Relationship to other standardsThis International Standard is intended to com
47、plement other standards and documents which give guidance on the investigation of, and preparation to investigate, information security incidents. It is not a vi ISO/IEC 2015 All rights reservedBS EN ISO/IEC 27043:2016ISO/IEC 27043:2015(E)comprehensive guide, but lays down certain fundamental princi
48、ples which are intended to ensure that tools, techniques, and methods can be selected appropriately and shown to be fit for purpose should the need arise.This International Standard also intends to inform decision-makers that need to determine the reliability of digital evidence presented to them. I
49、t is applicable to organizations needing to protect, analyse, and present potential digital evidence. It is relevant to policy-making bodies that create and evaluate procedures relating to digital evidence, often as part of a larger body of evidence.This International Standard describes part of a comprehensive investigative process which includes, but is not limited to, the following topic areas: incident management, including preparation and planning for investigations; handling of digital evidence; use of, and issues caused by, redaction; intrus
