ISO/IEC 27042

ISO/IEC 27042:2015 – Information technology — Security techniques — Guidelines for the analysis and interpretation of digital evidence

Introduction

It is the primary purpose of ISO27k digital forensics standards to facilitate best practices and processes for forensically capturing and analyzing digital evidence. There may well be differences in individual approaches, processes, and controls among investigators, organizations, and jurisdictions, but standardization (in time) will lead to comparable, if not identical approaches involving international organizations, thereby making it easier for investigators and organizations to compare, combine, and contrast their results when performing similar investigations.

Scope and objectives

In addition to guiding analysis and interpretation of digital evidence, which is a part of forensic investigations, this standard also offers guidance on the handling of electronic evidence. Among the topics covered is a generic framework encapsulating good practices in the area.

In addition to the usual evidentiary controls (keeping the chain of custody, properly documenting the evidence, etc.), the standard focuses on maintaining the integrity of the analytical and interpretation processes, in the sense that different investigators examining the same digital evidence should come to the same conclusions – or at least their conclusions should be explained by choices they made. Today, digital evidence is quite varied and complex, which is why it is so crucial to have standardization, best practices, standardized terms, and rational approaches.

The standard outlines the selection and use of forensic tools, as well as the proficiency and competency of investigators.

The standard’s status

In 2015, the standard was published.

Standards relevant to this topic

The ISO/IEC 27037 standard deals with capturing digital evidence at an initial stage.

According to ISO/IEC 27041, assurance of the proper use of methods and tools is an important component of digital forensics. The standard addresses what happens after the digital evidence is collected, namely its analysis and interpretation.

In general, ISO/IEC 27043 encompasses incident investigation activities, within which forensic analysis is usually carried out.

Electronic discovery is the subject of ISO/IEC 27050, which is divided into four parts. The British Standard BS 10008:2008 provides a standard for the evidence weight and legal admissibility of electronic information.

Commentary

SC 27 is developing several different forensics standards, each covering a different aspect of forensics when they are quite complementary to each other. Although I understand why this content was not integrated into 27037, a multi-part standard makes more sense to me, with an overview section explaining how the bits and pieces fit together. Can’t we agree on a multi-part standard? In response, the editors claim that this proposal was previously discussed and rejected in conjunction with the forensics standards development project. Therefore, it appears ISO27k customers will have to obtain additional standards to offer a complete forensics suite.