BS ISO IEC 27043:2015 pdf free download – Information technology – Security techniques – Incident investigation principles and processes
3.6 digital investigation
use of scientifically derived and proven methods towards the identification, collection, transportation, storage, analysis, interpretation, presentation, distribution, return, and/or destruction of digital evidence derived from digital sources, while obtaining proper authorizations for all activities, properly documenting all activities, interacting with the physical investigation, preserving digital evidence, and maintaining the chain of custody, for the purpose of facilitating or furthering the reconstruction of events found to be incidents requiring a digital investigation, whether of criminal nature or not
5.1 General principles
Digital investigations are in practice applied whenever it is needed to investigate digital evidence as a result of an incident, whether an incident is of criminal nature or not. There are many kinds of digital investigations, such as on desktop computers, laptops, servers, data repositories, handheld/mobile device investigations, investigations on live data (e.g. network and volatile data investigations), and investigations on digital appliances such as DVRs, game consoles, and control systems. The digital investigation process, however, is formulated in such a way that it is applicable to any kind of digital investigation.
5.2 Legal principles
An overview is given of the legal requirements pertaining to digital investigations and especially the admissibility of digital evidence in a court of law. It should be noted that legal requirements may differ extensively in different jurisdictions across the world. The premise is not to advocate specific legal systems, but rather to note the generic requirements in terms of legal issues that can be adopted by the legal system of a specific jurisdiction. Depending on the particular laws in a particular jurisdiction, specific consideration and care should be taken when an accused is found to be innocent in a court of law. For example, due diligence and care should be taken to ensure
6.1 General overview of the processes
The digital investigation processes described in this International Standard are purposely designed at an abstract level so that they can be used for different digital investigations and different types of digital evidence. The use of this methodology is intended to aid the design and development of high-level processes with the intent to subsequently decompose them into atomic processes (see ISO/IEC 27041). Also, the processes aim to be comprehensive in that they represent a harmonization of all published digital processes by the time of writing this International Standard. The investigation processes are organized in a succinct fashion and describe how to follow these processes.
The six concurrent processes are aimed at allowing the said processes to be executed as on-going processes. The reason for having the concurrent processes is mainly to assure admissibility of digital evidence into a legal system, since, in the case of not having such processes, any investigation may run the risk that the admitted potential evidence might not be suitable for litigation due to improper handling and documentation of potential digital evidence. These concurrent processes are, thus, based on principles that need to be followed throughout a digital investigation, alongside with the other classes of processes.
The digital investigation processes are multi-tiered, where each process would contain a set of sub-processes. Sub-processes can only be fully defined for a specific type of incident and investigation. Legal rules will also likely have a high impact on the definition of sub-processes. These various classes of digital investigation processes are described in more detail in the clauses to follow, i.e. Clauses 7 to 11.
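The definition in 3.6 and the concurrent processes in 6.1 both hinge on the same practical requirements: preserving digital evidence, documenting every handling step, recording the authorization it was done under, and keeping an unbroken chain of custody so the evidence stays admissible. The following Python script is an added illustration of how those requirements translate into a record an examiner could actually keep; it is not code from the standard or from any tool the standard references. It is a hypothetical, constructed ledger: the case id, handler names, the authorization reference and the evidence bytes are all placeholders, and the hashing, the per-entry hash chain and the integrity check before each handling action are this example's own design choices.

```python
"""Hypothetical chain-of-custody ledger for a digital investigation.

Every handling action on an evidence item is appended as an entry that records
who did it, when, under which authorization, and the SHA-256 of the evidence as
observed at that moment. Entries are hash-chained so that editing or deleting an
earlier entry is detectable, and the evidence hash is re-checked before every
action so that a mismatch is recorded rather than silently carried forward.
"""
import hashlib
import json
from datetime import datetime, timezone


def sha256_bytes(data: bytes) -> str:
    """Hex SHA-256 of an evidence item (or of a serialized ledger entry)."""
    return hashlib.sha256(data).hexdigest()


class ChainOfCustody:
    """Append-only custody ledger for a single evidence item in one case."""

    def __init__(self, case_id: str):
        self.case_id = case_id  # constructed placeholder, e.g. "CASE-0001"
        self.entries: list = []

    def _record(self, handler, action, evidence_hash, note="", authorization=""):
        # Each entry links to the previous one by hash; the first links to zeros.
        prev = self.entries[-1]["entry_hash"] if self.entries else "0" * 64
        entry = {
            "case_id": self.case_id,
            "seq": len(self.entries),
            "timestamp": datetime.now(timezone.utc).isoformat(),
            "handler": handler,
            "action": action,
            "evidence_sha256": evidence_hash,
            "authorization": authorization,
            "note": note,
            "prev_entry_hash": prev,
        }
        canonical = json.dumps(entry, sort_keys=True).encode()
        entry["entry_hash"] = sha256_bytes(canonical)
        self.entries.append(entry)
        return entry

    def acquire(self, handler, data: bytes, authorization: str, note=""):
        """First entry: acquisition, with the authorization it was done under."""
        return self._record(handler, "acquire", sha256_bytes(data), note, authorization)

    def handle(self, handler, action, data: bytes, note=""):
        """Any later action (transfer, analysis, return). Verifies the item first;
        a mismatch is logged as its own entry and then raised, never hidden."""
        expected = self.entries[0]["evidence_sha256"]
        observed = sha256_bytes(data)
        if observed != expected:
            self._record(handler, "integrity_failure", observed, f"expected {expected}")
            raise ValueError("evidence hash mismatch: chain of custody broken")
        return self._record(handler, action, observed, note)

    def verify_ledger(self) -> bool:
        """Re-derive every entry hash and link; False if any entry was altered,
        reordered or removed after it was written."""
        prev = "0" * 64
        for i, entry in enumerate(self.entries):
            if entry["seq"] != i or entry["prev_entry_hash"] != prev:
                return False
            body = {k: v for k, v in entry.items() if k != "entry_hash"}
            if sha256_bytes(json.dumps(body, sort_keys=True).encode()) != entry["entry_hash"]:
                return False
            prev = entry["entry_hash"]
        return True


if __name__ == "__main__":
    # Constructed sample: a tiny stand-in for a disk image.
    image = b"constructed disk image bytes"
    ledger = ChainOfCustody("CASE-0001")
    ledger.acquire("examiner A", image, authorization="AUTH-REF-PLACEHOLDER")
    ledger.handle("examiner B", "transfer_to_lab", image)
    print(json.dumps(ledger.entries, indent=2))
    print("ledger intact:", ledger.verify_ledger())
```

The two checks do different jobs: the evidence hash protects the item, the entry hash chain protects the record of how the item was handled. Both are needed for the documentation to support admissibility, because a ledger that can be quietly rewritten after the fact proves nothing about what actually happened to the evidence.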