BS ISO IEC 27042 pdf download

Information technology — Security techniques — Guidelines for the analysis and interpretation of digital evidence

1 Scope
This International Standard provides guidance on the analysis and interpretation of digital evidence in a manner which addresses issues of continuity, validity, reproducibility, and repeatability. It encapsulates best practice for selection, design, and implementation of analytical processes and recording sufficient information to allow such processes to be subjected to independent scrutiny when required. It provides guidance on appropriate mechanisms for demonstrating proficiency and competence of the investigative team.

Analysis and interpretation of digital evidence can be a complex process. In some circumstances, there can be several methods which could be applied and members of the investigative team will be required to justify their selection of a particular process and show how it is equivalent to another process used by other investigators. In other circumstances, investigators may have to devise new methods for examining digital evidence which has not previously been considered and should be able to show that the method produced is “fit for purpose”.

Application of a particular method can influence the interpretation of digital evidence processed by that method. The available digital evidence can influence the selection of methods for further analysis of digital evidence which has already been acquired.

This International Standard provides a common framework, for the analytical and interpretational elements of information systems security incident handling, which can be used to assist in the implementation of new methods and provide a minimum common standard for digital evidence produced from such activities.

3 Terms and definitions
For the purposes of this document, the terms and definitions in ISO/IEC 27000:2013 and the following apply.

3.1 analysis
evaluation of potential digital evidence (3.15) in order to assess its relevance to the investigation
Note 1 to entry: Potential digital evidence (3.15), which is determined as having relevance, becomes digital evidence (3.5).
Note 2 to entry: See also Figure 2.

3.2 client
person or organization on whose behalf the investigation is to be undertaken

3.3 competence
ability to apply knowledge and skills to achieve intended results
[SOURCE: ISO/IEC 17021:2011, 3.7]

3.4 contemporaneous notes
contemporaneous record
written record of actions taken and decisions made, produced at the same time or as soon afterwards as is practically possible, as the actions and decisions it records
Note 1 to entry: In many jurisdictions, it is necessary for contemporaneous notes to be handwritten in non-erasable ink in a tamper-evident notebook to assist with issues of non-repudiation and admissibility.

3.5 digital evidence
information or data, stored or transmitted in binary form which has been determined, through the process of analysis, to be relevant to the investigation
Note 1 to entry: This should not be confused with legal digital evidence (3.14) or potential digital evidence (3.15).
Note 2 to entry: See also Figure 2.
[SOURCE: ISO/IEC 27037:2012, 3.5, modified – Note 1 and Note 2 to entry added, definition adapted to distinguish between evidence relating to the incident under investigation and other non-relevant information or data.]

3.6 emulate
accurately imitate, or perform in the same way as, another application or environment

3.7 examination
set of processes applied to identify and retrieve relevant potential digital evidence from one or more sources

3.8 evidence obfuscation
effect of an operation performed on potential digital evidence which results in the digital evidence being hidden or obscured in some way
Note 1 to entry: This can be the result of a deliberate or coincidental action and can or cannot result in spoliation of the digital evidence.

3.9 interpretation
synthesis of an explanation, within agreed limits, for the factual information about evidence resulting from the set of examinations and analyses making up the investigation

3.10 investigation
application of examinations, analyses, and interpretation to aid understanding of an incident

3.11 investigative lead
person leading the investigation at a strategic level

3.12 investigative team
all persons involved directly in the conduct of the investigation

3.13 investigator
member of the investigative team, including the investigative lead (3.11)

3.14 legal digital evidence
digital evidence (3.5) which has been accepted into a judicial process
Note 1 to entry: See also Figure 2.