ISO/IEC INTERNATIONAL STANDARD 27037 First edition 2012-10-15 Information technology Security techniques Guidelines for identification, collection, acquisition, and preservation of digital evidence Technologies de Iinformation - Techniques de sécurite - Lignes directrices pour I'identification, la collecte, I'acquisition et la préservation depreuvesnumeriques Reference number ISO/IEC 27037:2012(E) 'so IEC @ISO/IEC2012 y IHS under ted without license from IHS Not for Resale ISO/IEC 27037:2012(E) COPYRIGHTPROTECTEDDOCUMENT ISO/IEC2012 All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized in any form or by any means, electronic or mechanical, including photocopying and microfilm, without permission in writing from either isO at the address below or IsO's memberbody in the country of the requester. ISO copyright office Case postale 56. CH-1211 Geneva 20 Tel. + 4122749 01 11 Fax + 41 22 749 09 47 E-mail [email protected] Web www.iso.org Published in Switzerland @ ISO/IEC 2012 - All rights reserved py IHS unde permitted without license from IHS Not for Resale ISO/IEC 27037:2012(E) Contents Page Foreword Introduction 1 Scope 2 Normative reference.. 3 Terms and definitions. 4 Abbreviated terms. 5 Overview..... 5.1 Context for collecting digital evidence ... 5.2 5.3 5.3.1 General.. 5.3.2 Auditability. 5.3.3 Repeatability. 5.3.4 Reproducibility 5.3.5 Justifiability 5.4 Digital evidence handling processes . 5.4.1 5.4.2 Identification.. 5.4.3 Collection. 5.4.4 Acquisition.... 5.4.5 Preservation. 6 Key components of identification, collection, acquisition and preservation of digital evidence ... ..10 6.1 Chain of custody.. 10 6.2 Precautions at the site of incident....... 11 6.2.1 General.. 11 6.2.2 Personnel 11 6.2.3 Potential digital evidence 6.3 6.4 Competency 6.5 Use reasonable care 6.6 Documentation 14 6.7 Briefing 14 6.7.1 General. 14 6.7.2 Digital evidence specific 14 6.7.3 Personnel specific...... 6.7.4 Real-timeincidents 15 6.7.5 Other briefing information .. 15 6.8 Prioritizing collection and acquisition ...... 16 6.9 Preservation of potential digital evidence.... 6.9.1 Overview... 17 6.9.2 Preserving potential digital evidence. 6.9.3 Packaging digital devices and potential digital evidence. 6.9.4 Transporting potential digital evidence... 18 7 Instances of identification, collection, acquisition and preservation ... 7.1 Computers, peripheral devices and digitai storage media ... 19 7.1.1 19 7.1.2 Collection ... ili Copyright International Organizaion for Standardization All rights reserved ted without license from IHS Not for Resale