A new ISO/IEC standard (27037) is in its final development stages; it aims to supply guidelines for the identification, collection, acquisition and preservation of digital evidence. It is part of the 27k series on information technology security techniques. Its publication is expected in the second half of 2012; it is now at the Draft International Standard stage.
Scope
The standard is concerned only with the specific activities of identification, collection, acquisition and preservation. It does not cover, for instance, the analysis of the evidence or its disposal, both fundamental phases of the digital forensics workflow. Future guidelines may cover these, and in fact some national bodies have already proposed work items on analysis.
This standard will not contain any “revolution” but aims to give all practitioners worldwide a common baseline for the handling of digital evidence, in every scenario (investigation, corporate audit, court of law) and in a neutral way. This is in my opinion important and something that is missing today: most, if not all, of the guidelines published until now were the product of law enforcement agencies.
As the goal is a common worldwide guideline, the standard avoids any reference to specific jurisdictions and so is applicable almost everywhere.
Some definitions
After detailing its scope, the standard gives some definitions. I would like to underline a few of them, beginning with the very definition of digital evidence: “Information or data stored or transmitted in binary form that may be relied upon as evidence”. Obviously not all data is evidence; it becomes evidence when “it can be relied upon”.
The guidelines also try to define, at least in general terms, the skills and qualifications of the personnel handling digital evidence. A DEFR (digital evidence first responder) is a person authorized and qualified to act first on the scene, performing DE collection and acquisition, while a DES (digital evidence specialist) has the specialized knowledge and skills to handle specialized tasks.
Basic principles
These are the core of the guidelines as they stand now and are intended to inform all activities. First of all, potential digital evidence should be acquired in the “least intrusive manner”, i.e. avoiding changes whenever possible and minimizing them when they cannot be avoided. Documentation and validation of the procedures followed are stressed (especially important when changes are introduced); methods should also be, as far as possible, reproducible and verifiable by a competent DEFR/DES. Tools should be validated before use, and the validation evidence should be available.
Evidence handling activity is broken down in four phases (within the scope of this standard): identification, collection, acquisition, preservation.
The identification process comprises searching for, recognizing and documenting potential DE on the scene, down to identifying the individual digital storage media and devices. Collection is the step in which physical items potentially containing DE are moved from the scene to a laboratory for later acquisition and analysis. Acquisition can follow collection and happen in the lab, or it can be performed on the scene: it is what is commonly called imaging of the evidence. Preservation is the process that assures the integrity and usefulness of the potential evidence throughout its lifetime.
Key components of all these activities are the chain of custody, safety on the scene, and the roles and responsibilities of the persons involved.
Maintaining an adequate and documented chain of custody allows DEFRs/DESs “[…] to account for all the acquired data and devices at all times during the investigation.” This is usually achieved by documenting the history of each item from the moment of identification at the scene onwards (by ID: who accessed it, who checked the evidence out, and so on).
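As an added example (not from the standard or from the original post), here is one way to keep such a per-item record in code, with the integrity check that preservation calls for. The item ID, the custodian names, the timestamps and the image bytes are all constructed for the example; the hash-chained log layout is my own assumption and not something the standard prescribes.

```python
"""Chain-of-custody record plus image integrity check (added example)."""
import hashlib
import json

GENESIS = "0" * 64  # anchor for the first entry (assumed convention)


def sha256_hex(data: bytes) -> str:
    """Hash of an acquired image: recorded at acquisition, re-checked later."""
    return hashlib.sha256(data).hexdigest()


class CustodyLog:
    """History of one item: who did what to it, and when.

    Every entry embeds the hash of the previous entry, so editing any entry
    after the fact invalidates the chain from that point on.
    """

    def __init__(self, item_id: str, description: str):
        self.item_id = item_id
        self.description = description
        self.entries = []

    @staticmethod
    def _digest(entry: dict) -> str:
        payload = {k: v for k, v in entry.items() if k != "entry_hash"}
        raw = json.dumps(payload, sort_keys=True).encode()
        return hashlib.sha256(raw).hexdigest()

    def record(self, action: str, person: str, when: str,
               image_hash: str = None, note: str = "") -> str:
        """Append an entry; 'when' is an ISO-8601 string supplied by the caller."""
        prev = self.entries[-1]["entry_hash"] if self.entries else GENESIS
        entry = {
            "item_id": self.item_id, "seq": len(self.entries), "when": when,
            "action": action, "person": person, "image_hash": image_hash,
            "note": note, "prev_hash": prev,
        }
        entry["entry_hash"] = self._digest(entry)
        self.entries.append(entry)
        return entry["entry_hash"]

    def verify_chain(self) -> bool:
        """True only if every entry is intact and correctly linked to its predecessor."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            if e["seq"] != i or e["prev_hash"] != prev:
                return False
            if self._digest(e) != e["entry_hash"]:
                return False
            prev = e["entry_hash"]
        return True

    def acquisition_hash(self):
        """Hash recorded when the image was acquired, or None if never acquired."""
        for e in self.entries:
            if e["action"] == "acquired" and e["image_hash"]:
                return e["image_hash"]
        return None

    def verify_image(self, data: bytes) -> bool:
        """Preservation check: does the image still match what was acquired?"""
        expected = self.acquisition_hash()
        return expected is not None and sha256_hex(data) == expected


def build_demo():
    """Constructed walk-through: identify, collect, acquire, hand over."""
    image = b"\x00" * 512 + b"CONSTRUCTED-SAMPLE-IMAGE" + b"\xff" * 512  # fake image
    log = CustodyLog("ITEM-0001", "2.5in SATA disk, serial S1234 (constructed)")
    log.record("identified", "A. Responder (DEFR)", "2011-11-20T09:12:00Z",
               note="found in desktop PC, office 3")
    log.record("collected", "A. Responder (DEFR)", "2011-11-20T09:40:00Z",
               note="sealed in evidence bag B-17")
    log.record("acquired", "B. Specialist (DES)", "2011-11-21T10:05:00Z",
               image_hash=sha256_hex(image), note="write blocker, tool X v1.2")
    log.record("checked out", "C. Analyst", "2011-11-22T08:30:00Z")
    return log, image


if __name__ == "__main__":
    log, image = build_demo()
    print("chain intact:", log.verify_chain())
    print("image matches acquisition hash:", log.verify_image(image))
```

The acquisition entry is the one to get right: record the hash, the tool and its version there (the standard's tool-validation requirement applies to exactly that step), and every later custodian re-runs `verify_image` before and after handling the copy.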
Scenarios
After setting out the basic principles and key components of evidence handling, the guidelines go on to detail application scenarios and procedures. Right now there are two: the first concerns what can be defined as computer forensics (desktops, laptops and their peripherals), while the second deals with “networked devices”. In the first case the procedures are quite detailed and solid; in the second, everything from legacy mainframes to tablets is lumped under networked devices, which leaves the related chapter rather confused and haphazard at the moment. It seems anyway that the guidelines will be published next year with this structure, and a major reorganization is to be postponed until the first revision.
Conclusion
This ISO/IEC guideline will be the first in the digital forensics field to be published by a neutral worldwide organization. This matters because it will supply a common baseline for all stakeholders: there is nothing revolutionary or cutting-edge about it, but it offers a common language that, if adopted, will facilitate the handling of digital evidence.