
COMMITTEE DRAFT                                   Reference number: ISO/IEC JTC 1/SC 27 N11983
ISO/IEC 1st CD 27042
Date: 2012-12-19                                  Supersedes document SC 27 N11028

THIS DOCUMENT IS STILL UNDER STUDY AND SUBJECT TO CHANGE. IT SHOULD NOT BE USED FOR REFERENCE PURPOSES.

ISO/IEC JTC 1/SC 27 Information technology - Security techniques
Secretariat: Germany (DIN)

Circulated to P- and O-members, and to technical committees and organizations in liaison for comments by: 2013-03-20. Please submit your comments via the online balloting application by the due date indicated.
ISO/IEC CD 27042
Title: Information technology -- Security techniques -- Guidelines for the analysis and interpretation of digital evidence

Project: 1.27.93 (27042)


Explanatory Report

Status: WG 4 Study period on Digital evidence readiness and analysis
SC 27 Decision: 9th WG 4 meeting, Oct. 2010, resolution 13 (N9084).
Reference documents: Call f. contr. (N9448).

Status: NWIP; Prelim. draft
SC 27 Decision: 10th WG 4 meeting, April 2011, WG 4 meeting report (N9943).
Reference documents, Input: UK contr. (N9674).
Reference documents, Output: Meeting Report (N9979); Prelim draft (N9998); ZA NB NWIP (N9935 = JTC 1 N10649).

Status: 1st WD 27042
SC 27 Decision: 11th WG 4 meeting, Oct. 2011, resolutions 1, 9, 5 (N10152).
Reference documents, Input: SoV (N10632).
Reference documents, Output: Call f. contr. (N10651); DoC (N10184); Text f. 1st WD (N10185).

Status: 2nd WD 27042
SC 27 Decision: 12th WG 4 meeting, May 2012, resolutions 1, 5, P5, P9 (N9402) and 24th SC 27 Plenary, May 2012, resolution 11 Deleg. of Auth. f. CD (N11330).
Reference documents, Input: SoCom (N10883).
Reference documents, Output: Liaisons to: European Commission (N1048); CDFS (N11047); DoC (N11027); Text f. 2nd WD (N11028).

Status: 1st CD 27042
SC 27 Decision: 13th WG 4 meeting, Oct 2012, resolution 33 (N11941).
Reference documents, Input: SoCom (N11534); DE com. (N11652); Draft DoC (N11664).
Reference documents, Output: DoC (N11982); Text f. 1st CD (N11983).
CD Registration and Consideration

In accordance with resolution 33 (contained in SC 27 N11941) of the 13th SC 27/WG 4 Plenary meeting held in Rome, Italy, October 2012 the attached document has been registered with the ISO Central Secretariat (ITTF) as a 1st Committee Draft (CD) and is hereby circulated for a 1st CD 3-month letter ballot closing by 2013-03-20.

MEDIUM: http://isotc.iso.org/livelink/livelink/open/jtc1sc27
NO. OF PAGES: 1 + 20

Secretariat, ISO/IEC JTC 1/SC27 - DIN Deutsches Institut fuer Normung e.V., Am DIN-Platz, Burggrafenstr. 6, D-10787 [D-10772 postal] Berlin, Germany
Telephone: + 49 2601-2652; Facsimile: + 49 2601-1723; E-Mail: krystyna.passia@din.de, http://www.jtc1sc27.din.de/en
© ISO/IEC 2012 – All rights reserved

ISO/IEC JTC 1/SC 27 N 11983
Date: 2012-12-08
ISO/IEC CD 27042
ISO/IEC JTC 1/SC 27/WG 4
Secretariat: DIN

Information technology — Security techniques — Guidelines for the analysis and interpretation of digital evidence

Warning

This document is not an ISO International Standard. It is distributed for review and comment. It is subject to change without notice and may not be referred to as an International Standard.

Recipients of this draft are invited to submit, with their comments, notification of any relevant patent rights of which they are aware and to provide supporting documentation.

Document type: International Standard
Document subtype:
Document stage: (30) Committee
Document language: E


Copyright notice

This ISO document is a working draft or committee draft and is copyright-protected by ISO. While the reproduction of working drafts or committee drafts in any form for use by participants in the ISO standards development process is permitted without prior permission from ISO, neither this document nor any extract from it may be reproduced, stored or transmitted in any form for any other purpose without prior written permission from ISO.

Requests for permission to reproduce this document for the purpose of selling it should be addressed as shown below or to ISO's member body in the country of the requester:

Secretariat of ISO/IEC JTC 1/SC 27
DIN German Institute for Standardization
DE-10772 Berlin
Tel. + 49 30 2601 2652
Fax + 49 30 2601 4 2652
E-mail krystyna.passia@din.de
Web http://www.jtc1sc27.din.de/en (public web site)
http://isotc.iso.org/isotcportal/index.html (SC27 documents)

Reproduction for sales purposes may be subject to royalty payments or a licensing agreement.

Violators may be prosecuted.



Contents

Foreword
Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 Analysis
4.1 Introduction
4.2 General principles
4.3 Analytical models
4.3.1 Static analysis
4.3.2 Live analysis
4.4 Use of tools
4.5 Record keeping
5 Interpretation
5.1 General
5.2 Accreditation of Fact
5.3 Factors affecting interpretation
6 Reporting
6.1 Preparation
6.2 Suggested report content
7 Competence
7.1 Introduction
7.2 Certification of competence
7.3 Maintenance of competence
7.4 Example competence definition
8 Proficiency
8.1 Introduction
8.2 Mechanisms for demonstration of proficiency
8.3 Example proficiency definition
Bibliography


Foreword

ISO (the International Organization for Standardization) and IEC (the International Electrotechnical Commission) form the specialized system for worldwide standardization. National bodies that are members of ISO or IEC participate in the development of International Standards through technical committees established by the respective organization to deal with particular fields of technical activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the work. In the field of information technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1.

International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 2.

The main task of the joint technical committee is to prepare International Standards. Draft International Standards adopted by the joint technical committee are circulated to national bodies for voting. Publication as an International Standard requires approval by at least 75 % of the national bodies casting a vote.

Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. ISO and IEC shall not be held responsible for identifying any or all such patent rights.

ISO/IEC 27042 was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology, Subcommittee SC 27, Security techniques.


Introduction

This International Standard is intended to complement other standards and documents which give guidance on the investigation of, and preparation to investigate, Information Security Incidents. It is not a comprehensive guide, but lays down certain fundamental principles which are intended to ensure that tools, techniques and methods can be selected appropriately and shown to be fit for purpose should the need arise.

This International Standard also intends to inform decision-makers that need to determine the reliability of digital evidence presented to them. It is applicable to organizations needing to protect, analyze and present potential digital evidence. It is relevant to policy-making bodies that create and evaluate procedures relating to digital evidence, often as part of a larger body of evidence.

This International Standard describes part of a comprehensive investigative process (See Figure 1).

Figure 1 — Relationships between International Standards which affect investigations

It should be used in conjunction with the following International Standards:

- ISO/IEC 27043: Guidance on Investigation Principles and Processes, which defines the basic principles and processes underlying the investigation of incidents.

- ISO/IEC 27035: Guidelines on Incident Management: Part 2 of International Standard deals with Investigative readiness - i.e. steps which should be taken prior to an incident occurring in order to ensure that investigations can be conducted appropriately.

- ISO/IEC 27037: Guidelines for the Identification, Collection, Acquisition and Preservation of Digital Evidence - i.e. the means by which those involved in the early stages of the investigation can ensure that sufficient potential digital evidence is captured to allow the investigation to proceed appropriately.


- ISO/IEC 27041: Guidance on Assuring the Suitability and Adequacy of Investigative Methods - i.e. methods by which the processes adopted at all stages of the investigation can be shown to be appropriate.

This International Standard provides guidance on the conduct of the analysis and interpretation of potential digital evidence in order to identify and evaluate digital evidence which can be used to aid understanding of an incident. It assumes that the guidance given in ISO/IEC 27035-2 and ISO/IEC 27037 has been followed and that all processes used are compatible with the guidance given in ISO/IEC 27043 and ISO/IEC 27041.


Information technology — Security techniques — Guidelines for the analysis and interpretation of digital evidence

1 Scope

This International Standard provides guidance on the analysis and interpretation of digital evidence in a manner which addresses issues of continuity, validity, reproducibility and repeatability. It encapsulates best practice for selection, design and implementation of analytical processes and recording sufficient information to allow such processes to be subjected to independent scrutiny when required. It provides guidance on appropriate mechanisms for demonstrating proficiency and competence of the investigative team.

Analysis and Interpretation of digital evidence can be a complex process. In some circumstances there may be several methods which could be applied and members of the investigative team will be required to justify their selection of a particular process and show how it is equivalent to another process used by other investigators. In other circumstances, investigators may have to devise new methods for examining digital evidence which has not previously been considered and should be able to show that the method produced is “fit for purpose”.

Application of a particular method may influence the interpretation of digital evidence processed by that method. The available digital evidence may influence the selection of methods for further analysis of digital evidence which has already been acquired.

This International Standard provides a common framework, for the analytical and interpretational elements of information systems security incident handling, which can be used to assist in the implementation of new methods and provide a minimum common standard for digital evidence produced from such activities.

2 Normative references

The following documents, in whole or in part, are normatively referenced in this document and are indispensable for its application. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.

ISO/IEC 27000:2009, Information technology — Security techniques — Information security management systems – Overview and vocabulary

ISO/IEC 27037, Information technology — Security techniques — Guidance on the identification, collection, acquisition and preservation of digital evidence

ISO/IEC 27041, Information technology — Security techniques — Guidance on assuring suitability and adequacy of investigation methods

3 Terms and definitions

For the purposes of this document, the terms and definitions in ISO/IEC 27000 and the following apply.

3.1
analysis
evaluation of potential digital evidence in order to assess its relevance to the investigation



Note 1 to entry: Potential digital evidence, which is determined as having relevance, becomes digital evidence.

3.2
competence
a person's ability to apply their current skills and knowledge in order to allow them to carry out a task successfully

3.3
customer
person or organisation on whose behalf the investigation is to be undertaken

3.4
digital evidence
information or data, stored or transmitted in binary form which has been determined, through the process of analysis, to be relevant to the investigation

Note 1 to entry: This should not be confused with legal digital evidence.

[SOURCE: ISO/IEC 27037:2012, 3.5, modified – Note 1 to entry added, definition adapted to focus on the investigation]

3.5
examination
set of processes applied to identify and retrieve relevant potential digital evidence from one or more sources

3.6
evidence obfuscation
effect of an operation performed on potential digital evidence which results in the digital evidence being hidden or obscured in some way

Note 1 to entry: This may be the result of a deliberate or coincidental action and may or may not result in spoliation of the digital evidence.

3.7
interpretation
synthesis of an explanation, within agreed limits, for the factual information about evidence resulting from the set of examinations and analyses making up the investigation

3.8
investigation
application of examinations, analyses and interpretation to aid understanding of an incident

3.9
investigative lead
person leading the investigation at a strategic level

3.10
investigative team
all persons involved directly in the conduct of the investigation

3.11
investigator
member of the investigative team, including the investigative lead

3.12
legal digital evidence
digital evidence which has been accepted into a judicial process


3.13
proficiency
ability of an investigative team to produce results equivalent to those of a different investigative team given the same sources of potential digital evidence



3.14
repeatability
property of a process conducted to get the same test results on the same testing environment

Note 1 to entry: Same testing environment means the same computer, hard drive, mode of operation, etc.

3.15
reproducibility
property of a process to get the same test results on a different testing environment

Note 1 to entry: Different testing environment means different computer, hard drive, operator, etc.

3.16
spoliation
act of making or allowing change(s) to the potential digital evidence that diminishes its evidential value

3.17
validation
confirmation, through the provision of objective evidence, that the requirements for a specific intended use or application have been fulfilled

[SOURCE: ISO/IEC 27004:2009, 3.17]

3.18
verification
confirmation, through the provision of objective evidence, that specified requirements have been fulfilled

Note 1 to entry: Verification only provides assurance that a product conforms to its specification.

[SOURCE: ISO/IEC 27004:2009, 3.18, Modified – Original note was removed, Note 1 to entry has been added]

3.19
verification function
function which is used to verify that two sets of data are identical

[SOURCE: ISO/IEC 27037:2012, 3.25, Modified – Notes were removed]

4 Analysis

4.1 Introduction

Analysis is required as many of the meaningful digital artefacts are latent in their native form (e.g. the remnants of a deleted file that must be carved out of free space and reconstructed). As noted below, analysis must make use of validated processes (as defined by ISO/IEC 27041), be performed by competent personnel and be scrupulously documented to establish traceable and defensible provenance for information.

4.2 General principles

Analysis relates to the identification and evaluation of digital evidence from sources of potential digital evidence. It is likely to be an iterative process (see Figure 2) as each item of digital evidence identified may lead to the re-consideration of other digital evidence. Identification and evaluation can only be carried out in the presence of sufficient contextual information to allow the analyst to make informed decisions about each item under consideration (e.g. information about the suspected incident, the system under consideration and the nature of the sources of potential digital evidence being examined).

Analysts and their support staff must, therefore, be competent to carry out their roles in the analysis. Competence may be defined in terms of the individual processes they will carry out, or as a set of well-defined competencies against which they can be assessed.

Processes used to carry out the examination of items of potential digital evidence should be fully validated (see ISO/IEC 27041) for their role(s) in the investigation.

Processes used should not change the contents of any sources of potential digital evidence under examination. Where there is a risk of damage to potential digital evidence, the risk should be managed to avoid the possible damage. However, if the occurrence of such damage is inevitable and/or strictly necessary, the investigative team should be competent to explain the effects of any actions taken which may have resulted in damage, as well as the reasons for such actions and damage.

If a member of the investigative team believes that he/she has found evidence of another incident, he/she should inform the investigative lead of this fact and await further instructions. Investigative leads informed of such evidence should consult with appropriate authorities before allowing the investigation to proceed.

NOTE 1 In many jurisdictions, exceeding the authority of one's investigative mandate may render all results (not just those relevant to the newly discovered incident) unusable in legal administrative proceedings.

At all times, members of the investigative team should be aware of their duty to be strictly impartial. If, during the course of investigating a premise, the investigative team finds evidence disproving the premise, or which supports or suggests a counter-premise, this shall be reported together with the supporting evidence.

An independent investigator, unconnected with the analysis and interpretation, should be able to examine the processes and decisions made by the original investigative team and achieve the same results. For this to happen, a proper documented process should have been followed with appropriately detailed records kept.

NOTE 2 This International Standard assumes that potential digital evidence has been gathered in accordance with the recommendations of ISO/IEC 27037, Guidelines for the identification, collection, acquisition and preservation of digital evidence, and that steps similar to those described in ISO/IEC 27037 will be used to preserve potential digital evidence during analysis.

Figure 2 — Typical analysis & reporting process

4.3 Analytical models

4.3.1 Static analysis

Static analysis is the examination of potential digital evidence, by inspection only, in order to determine its value as digital evidence (e.g. by identifying artefacts, constructing event timelines, examining file contents and deleted data, etc.). Potential digital evidence will be inspected in raw form and interpreted through the use of appropriate processes (e.g. by loading into appropriate viewers) but executable code will not be executed.

This method of analysis is particularly appropriate for the analysis of consequential data (e.g. contents of log files, contents of network packets, contents of memory dumps) and meta-data (e.g. file permissions and timestamps). In some cases, however, it may not be possible for analysts to gain a full understanding of the significance of potential digital evidence from static analysis alone (e.g. intrusion or data exfiltration by means of malware).

Static analysis should normally be carried out on a copy of the original potential digital evidence (as described in ISO/IEC 27037) to avoid accidental digital evidence spoliation or obfuscation.
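The timeline construction over consequential data and meta-data described in 4.3.1, as an added example that is not part of ISO/IEC 27042 or of any tool it references: a Python script that parses constructed syslog-style log lines and constructed file-system metadata records, normalises both to UTC and merges them into one ordered timeline. Nothing from the evidence is executed; the sources are only read. The host time-zone offset, the year supplied for the syslog lines (which carry none), the log lines and the metadata records are all assumptions made for this example.

```python
"""Added example, not part of ISO/IEC 27042: a read-only static-analysis step that
merges constructed log lines (consequential data) and constructed file-system
metadata into one UTC-ordered timeline. Nothing from the evidence is executed."""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Constructed inputs. The logging host wrote local time (UTC+02:00) with no zone
# marker and, as syslog does, no year; both values are assumptions taken from the
# case context for this example.
LOG_LINES = [
    "Mar 14 09:12:03 host1 sshd[2201]: Accepted password for alice from 192.0.2.10 port 51022",
    "Mar 14 09:15:47 host1 sudo:    alice : TTY=pts/0 ; COMMAND=/bin/rm /srv/share/report_final.docx",
    "this line is corrupt and must be reported, not silently dropped",
]
LOG_HOST_OFFSET = timedelta(hours=2)
LOG_YEAR = 2012

# (path, mtime as UTC epoch seconds, mode) as a file-system listing would record them.
FILE_METADATA = [
    ("/srv/share/report_final.docx", 1331709270, "-rw-r-----"),  # 2012-03-14T07:14:30Z
    ("/home/alice/.bash_history", 1331709360, "-rw-------"),      # 2012-03-14T07:16:00Z
]

SYSLOG_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) (?P<host>\S+) (?P<msg>.*)$"
)


@dataclass(frozen=True)
class Event:
    when: datetime   # always timezone-aware UTC
    source: str
    detail: str


def parse_syslog(line: str, year: int, host_offset: timedelta) -> Optional[Event]:
    """Parse one syslog-style line; return None if it does not match the format."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    local = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
    when = (local - host_offset).replace(tzinfo=timezone.utc)  # local wall time -> UTC
    return Event(when, f"syslog:{m['host']}", m["msg"])


def metadata_events(records) -> list:
    """Turn (path, mtime, mode) records into timeline events."""
    return [
        Event(datetime.fromtimestamp(epoch, tz=timezone.utc), "fs-meta", f"mtime {path} ({mode})")
        for path, epoch, mode in records
    ]


def build_timeline(log_lines, metadata, year, host_offset):
    """Merge both sources into a sorted timeline; unparsed lines are returned, not hidden."""
    events, unparsed = [], []
    for line in log_lines:
        ev = parse_syslog(line, year, host_offset)
        if ev is None:
            unparsed.append(line)
        else:
            events.append(ev)
    events.extend(metadata_events(metadata))
    return sorted(events, key=lambda e: e.when), unparsed


if __name__ == "__main__":
    timeline, bad = build_timeline(LOG_LINES, FILE_METADATA, LOG_YEAR, LOG_HOST_OFFSET)
    for ev in timeline:
        print(ev.when.isoformat(), ev.source, ev.detail)
    print("unparsed lines:", bad)
```

With the offset applied, the login and the `rm` command sit either side of the document's last modification time; had the log's local wall time been taken as UTC, both log events would have sorted after the metadata events and the order of the incident would have been reversed. Lines that fail to parse are returned to the analyst rather than dropped, so the record of what the timeline omits is kept.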

4.3.2 Live analysis

In some circumstances it may be necessary or desirable to examine a live version of the systems under analysis in order to gain proper understanding. This may be particularly useful when dealing with complex networks, encrypted storage devices or suspected polymorphic code.

Two distinct forms of live analysis exist:

a) live analysis of systems which cannot be imaged or copied; and

b) live analysis of systems which can be imaged or copied.

4.3.2.1 Live analysis of non-copyable systems

Where it is not possible, for technical or operational reasons (e.g. unique hardware, adverse effect on business), or where there may be a significant risk of loss of potential digital evidence when imaging or copying is attempted (e.g. strongly encrypted file systems) it may be necessary to carry out a live analysis on a system without first following the steps recommended in ISO/IEC 27037.

In these circumstances, the analyst(s) should take great care to minimise the risk of damage to potential digital evidence and should ensure that they have a full and detailed record of all processes performed. Investigative leads should ensure that any person required to carry out a live analysis is fully competent to do so and able to explain their processes and any alterations to data, potential digital evidence or systems which may have occurred as a result of their actions.

4.3.2.2 Live analysis of imageable or copyable systems

Analysts should take care to emulate the original environment as closely as possible by using verified virtual machines, copies of original hardware or even the real original hardware in order to allow live analysis. Where emulation is to be used, care should be taken to ensure that the emulation is as close as possible to the original system. Steps should be taken to ensure that any changes required to allow the copy to run in the emulator do not materially change the operation of the system and the potential digital evidence under analysis.

NOTE Care in using emulation is also required when dealing with suspected malware infection as some malware variants can detect that they are being executed in a virtual environment and modify their behaviour or refuse to run.

4.4 Use of tools

Tools (combinations of software, hardware and firmware) can be of great help in the analysis process. Selection of tools should be based on the agreed requirements and the processes which make up the analysis. The user should be competent to use the tools in the context of the relevant process. New tools should be considered carefully prior to adoption and processes involving them should be capable of passing validation and confirmation prior to deployment. For the selection of tools for use in validated processes, the procedure specified in ISO/IEC 27041, Guidance on assuring the suitability and adequacy of incident investigation methods, should be followed.

NOTE The concept of validation requires consideration of the intended use of the tool. Hence the requirement is solely to validate the process in the context of the investigation. A tool which is known to be flawed may still be used, providing the process in which the tool participates can be shown to be fit for its intended use.

4.5 Record keeping

Throughout the analysis, each person carrying out any process should keep accurate and detailed contemporaneous notes of their actions and the results of those actions, in addition to the chain of custody record described in ISO/IEC 27037:2012. These should be sufficiently detailed to allow another similarly competent person to repeat those actions and achieve the same results. The notes should include details of relevant information received and decisions taken, including reasons for the decision.
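The verification function of 3.19, the principle in 4.2 that processes should not change the contents of a source, and the contemporaneous notes of 4.5, as one added example that is not part of ISO/IEC 27042 or of any tool it references: a Python script that writes a constructed working copy to a temporary file, records a SHA-256 digest of the copy before and after each process, and appends a timestamped note naming the examiner, the process, both digests and a digest of the result. The second process deliberately rewrites the file so that the record shows how the digest comparison exposes spoliation (3.16). The evidence bytes, the examiner name and both process names are constructed for this example.

```python
"""Added example, not part of ISO/IEC 27042: digest-based verification (3.19)
around each analysis process, with contemporaneous notes (4.5). All inputs
below are constructed for the example."""
import hashlib
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path
from typing import Callable

# Constructed stand-in for a working copy of an evidence image.
EVIDENCE_BYTES = (
    b"\x00" * 16
    + b"LOGIN user=alice src=192.0.2.10\n"
    + b"\xff" * 8
    + b"DELETED: report_final.docx\n"
)


def digest_bytes(data: bytes) -> str:
    """SHA-256 hex digest of an in-memory byte string."""
    return hashlib.sha256(data).hexdigest()


def verification_function(path: Path) -> str:
    """Verification function (3.19): two files are identical iff their digests match.
    Reads in chunks so that large images need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def carve_printable_strings(path: Path, min_len: int = 6) -> list:
    """Read-only static-analysis step: extract printable ASCII runs from the copy."""
    runs, cur = [], bytearray()
    for b in path.read_bytes() + b"\x00":  # trailing sentinel flushes a final run
        if 32 <= b < 127:
            cur.append(b)
        else:
            if len(cur) >= min_len:
                runs.append(cur.decode("ascii"))
            cur = bytearray()
    return runs


def careless_normalise(path: Path) -> list:
    """Constructed example of a process that DOES alter its source: it rewrites the
    file with CRLF line endings before reading it. Included only so the record
    shows how the digest comparison exposes spoliation (3.16)."""
    path.write_bytes(path.read_bytes().replace(b"\n", b"\r\n"))
    return carve_printable_strings(path)


def run_recorded_process(path: Path, process: Callable, examiner: str, notes: list) -> dict:
    """Run one process on the working copy and append a contemporaneous note recording
    who, what, when, the digests before and after, and a digest of the result."""
    before = verification_function(path)
    result = process(path)
    after = verification_function(path)
    entry = {
        "timestamp": datetime.now(timezone.utc).isoformat(),
        "examiner": examiner,
        "process": process.__name__,
        "digest_before": before,
        "digest_after": after,
        "unchanged": before == after,
        "result": result,
        "result_digest": digest_bytes("\n".join(result).encode("ascii")),
    }
    notes.append(entry)
    return entry


def demo() -> list:
    """Apply the sound process and then the careless one to the same working copy."""
    notes = []
    with tempfile.TemporaryDirectory() as tmp:
        copy = Path(tmp) / "working_copy.bin"
        copy.write_bytes(EVIDENCE_BYTES)
        run_recorded_process(copy, carve_printable_strings, "examiner-01 (constructed)", notes)
        run_recorded_process(copy, careless_normalise, "examiner-01 (constructed)", notes)
    return notes


if __name__ == "__main__":
    for note in demo():
        print(json.dumps(note, indent=2))
```

The first note shows equal digests before and after; the second shows them differing, which is the signal that the process altered its source and that the explanation required by 4.2 is now owed. Recording a digest of each result, not only of the source, is what lets a second examiner demonstrate repeatability (3.14) by re-running the process and comparing one value.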



5 Interpretation

5.1 General

The objective of Interpretation is to evaluate digital evidence produced from analysis based on its contents and context including key patterns, topics, relevant people, etc., in order to derive meaning. Interpretation involves fact finding, impact analysis and validation/verification of results. It may require repetition of analysis and/or potential digital evidence collection depending on the results of interpretation.

5.2 Accreditation of Fact

When assessing evidence care must be taken to distinguish between facts that have been found and facts that have been inferred from the following:

- facts that were found;

- additional data provided;

- experience of the investigator;

- other inferred facts; or

- any combination of the above.

For example, the presence of an extant file on a device is a Fact. If that file was an attachment to an email in an inbox, it can be inferred that the file was created on the device due to being received in an email; hence this is an Inferred Fact.

Distinctions between these two types of facts need to be kept in mind and care taken that all the facts required to support any inference are in place and themselves verified. When reporting these facts the distinction between the two needs to be stated and the logical process that has occurred in any inference be clear and repeatable.
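The found/inferred distinction of 5.2, as an added example that is not part of ISO/IEC 27042: a small Python ledger, of this example's own design, that keeps found facts and inferred facts apart, records the basis and the reasoning of each inference, and refuses to accredit an inference that rests on an unverified found fact, on something not in the ledger, or on circular reasoning. The case (an extant file and a matching e-mail attachment, following the document's own illustration, plus an uncorroborated administrator statement) is constructed.

```python
"""Added example, not part of ISO/IEC 27042: a ledger of this example's own design
that keeps found facts and inferred facts apart and checks, before reporting, that
every inference rests only on verified found facts. Case data is constructed."""
from dataclasses import dataclass, field


@dataclass
class Fact:
    fact_id: str
    statement: str
    verified: bool   # confirmed by a recorded, repeatable examination
    source: str      # where it was found, or who provided it


@dataclass
class InferredFact:
    fact_id: str
    statement: str
    basis: list      # ids of the facts or inferences it relies on
    reasoning: str   # the logical step, stated so another investigator can repeat it


@dataclass
class FactLedger:
    found: dict = field(default_factory=dict)
    inferred: dict = field(default_factory=dict)

    def add_found(self, f: Fact) -> None:
        self.found[f.fact_id] = f

    def add_inferred(self, inf: InferredFact) -> None:
        self.inferred[inf.fact_id] = inf

    def problems(self) -> list:
        """(inference id, reason) for every inference that cannot yet be accredited."""
        out = []
        for inf_id in self.inferred:
            out.extend(self._walk(inf_id, inf_id, ()))
        return out

    def _walk(self, root: str, node: str, path: tuple) -> list:
        """Follow the basis chain of `root` down to found facts, reporting every weak link."""
        if node in path:
            return [(root, "circular reasoning: " + " -> ".join(path + (node,)))]
        if node in self.found:
            f = self.found[node]
            return [] if f.verified else [(root, f"rests on unverified found fact {node}: {f.statement}")]
        if node not in self.inferred:
            return [(root, f"basis {node} is not in the ledger")]
        out = []
        for b in self.inferred[node].basis:
            out.extend(self._walk(root, b, path + (node,)))
        return out

    def report_lines(self) -> list:
        """One line per fact with its kind stated, as 5.2 asks."""
        lines = [
            f"Found fact {f.fact_id} [{'verified' if f.verified else 'UNVERIFIED'}; source: {f.source}]: {f.statement}"
            for f in self.found.values()
        ]
        lines += [
            f"Inferred fact {i.fact_id} [from {', '.join(i.basis)}]: {i.statement} (reasoning: {i.reasoning})"
            for i in self.inferred.values()
        ]
        return lines


def build_case() -> FactLedger:
    """Constructed case following the document's own file/attachment illustration."""
    ledger = FactLedger()
    ledger.add_found(Fact("F1", "invoice_2012-03.pdf is extant at /home/alice/Downloads on device D1", True,
                          "D1 image, file-system listing, digest recorded"))
    ledger.add_found(Fact("F2", "a message in alice's mailbox on D1 carries an attachment with the same digest", True,
                          "D1 image, mailbox export"))
    ledger.add_found(Fact("F3", "invoices are only ever delivered by e-mail", False,
                          "administrator interview (additional data provided, not corroborated)"))
    ledger.add_inferred(InferredFact("I1", "the file was created on D1 by receipt of the e-mail attachment",
                                     ["F1", "F2"], "identical content; no other copy source found on D1"))
    ledger.add_inferred(InferredFact("I2", "the file cannot have reached D1 by any other route",
                                     ["I1", "F3"], "administrator's statement excludes other channels"))
    ledger.add_inferred(InferredFact("I3", "alice read the invoice", ["I4"], "the viewer was opened by alice"))
    ledger.add_inferred(InferredFact("I4", "the viewer was opened by alice", ["I3"], "alice read the invoice"))
    return ledger


if __name__ == "__main__":
    ledger = build_case()
    print("\n".join(ledger.report_lines()))
    for inf_id, reason in ledger.problems():
        print(f"NOT ACCREDITED {inf_id}: {reason}")
```

In the constructed case I1 is accredited because both of its supports are verified found facts, I2 is held back because it leans on the uncorroborated administrator statement F3, and I3/I4 are rejected as circular; the report lines state the kind of every fact and the basis of every inference, which is the distinction 5.2 asks to be stated.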

5.3 Factors affecting interpretation

Interpretation of any digital evidence is dependent on the information available about the context of creation of that item of digital evidence. To be able to carry out a proper interpretation, the investigative team may require information from persons involved in the day to day running of the system(s) which are being investigated. Care should be taken, however, to test the reliability of any such information provided and to ensure that potentially unreliable information does not unduly influence the investigation.

They will also require information about the purpose of the investigation and a definition of the scope of their work, including the purpose and target audience of the final report.

During analysis and interpretation, the investigative team should take account of the quality of potential digital evidence available (e.g. completeness, source and original purpose, possibility of evidence obfuscation measures being deployed).

The goal of the interpretation stage is to produce an explanation of the facts found during the analysis, within the context provided to the investigative team. If the contextual information changes, the interpretation may also have to change to reflect this. If facts lend themselves to more than one interpretation, all of them - or at least the more plausible - should be presented as a result of the analysis stating, if possible, their respective likelihoods.

The investigative team should remember that their primary responsibility is to provide a fair and accurate interpretation of the facts as they determine them.

6 Reporting

6.1 Preparation

Prior to commencing the investigation, the nature and purpose of the final report should be ascertained by the investigative lead. This should be used to guide the investigative process and may consist of a set of questions to be answered, an indication of the likely readers of the report, and details of any constraints and limitations which apply to the investigation. The investigative lead should prepare a documented investigative strategy or plan in order to assist in the determination of resources and the selection of processes and tools, and to give guidance to the investigative team.

Reports should contain all information required by applicable local policy and/or legislation.

6.2 Suggested report content

If local policy and/or legislation do not define the report contents, it is suggested that reports should contain, at a minimum:

• a clear statement of the writer's qualifications and/or competence to participate in the investigation and produce the report;

• a clear statement of the information provided to the investigative team prior to the investigation commencing (including the nature of the report to be produced);

• the nature of the incident under investigation;

• the time and duration of the incident;

• the location of the incident;

• the objective of the investigation;

• the members of the investigative team;

• the time and duration of the investigation;

• the location of the investigation;

• factual details of the digital evidence found during the investigation;

• limitations of any analysis undertaken (e.g. incomplete data sets, operational/time constraints); and

• a list of processes used including, where appropriate, any tools used.

Some reports may also contain:


• an interpretation of the digital evidence as it is understood by the investigator (e.g. an account of how an external attack may have proceeded and led to the deposition of the digital evidence found). If more than one interpretation is possible, all plausible and likely interpretations should be included with an indication of their relative likelihoods. The interpretation may be given as an opinion if necessary;

• conclusions;

• recommendations for further investigative and/or remedial work.

When a report contains opinion, the writer should clearly distinguish between facts and opinions, and give a justification for any opinions stated.

The use of pre-prepared report templates, with a standardised format, drop-down selection lists and placeholders for common text with associated descriptions of the text which is likely to appear, may assist in ensuring that sufficient information is included in reports.

7 Competence

7.1 Introduction

All steps involved in the investigation of an incident should be carried out by persons who are demonstrably competent to complete the tasks assigned to them. They should be sufficiently familiar with, and experienced in, the tools, methods and techniques which they will use to be able to carry them out with minimal supervision, and should also be able to recognise the limits of their own abilities.

A non-competent person's involvement in an investigation may adversely affect the results of that investigation, resulting in delays in completion and/or incorrect conclusions being reached.

7.2 Certification of competence

Competence should be measured against a set of core skills identified for the processes involved in the investigation, as those processes are assigned to each person conducting a part of the investigation. Objective evidence of the person's qualifications and experience should be sought. This may take the form of formal competence tests, academic qualifications, job history, or evidence of active participation in continuing professional development (CPD) events such as conferences, training courses, or the development of new tools, methods, techniques, processes or standards.

7.3 Maintenance of competence

A person's competence should be reviewed at regular intervals in order to ensure that the person's record of competence is accurate. The review should take account of new areas and levels of competence which have been achieved and should also "retire" those competences which are no longer relevant for the person in question, either because the skills and knowledge involved are no longer relevant or because the person has not had the opportunity to practise them sufficiently since the last review was conducted.

If a person's competence in a particular area is not sufficient for their role in an investigation, steps should be taken to increase that level of competence through appropriate CPD activity as soon as possible.

7.4 Example competence definition

General Competence: Analysis of sendmail server incidents

Specific competencies: Able to
• locate, parse and interpret sendmail log files
• locate, parse and interpret user mailboxes
• locate, parse and interpret SMTP headers found in mail messages
• locate, parse and interpret sendmail configuration files
• describe common sendmail failure modes and common exploits in relevant versions of sendmail

8 Proficiency

8.1 Introduction

A competent investigative team may be considered proficient when, given a sample of potential digital evidence, its analysis produces results equivalent to those produced by another competent investigative team using a similar analysis.

Records which demonstrate the proficiency of an investigative team assist in showing that the analyses used are accurate, reliable, reproducible and appropriate.

8.2 Mechanisms for demonstration of proficiency

Proficiency should be demonstrated through participation in an appropriate proficiency testing process (ISO/IEC 17043:2010), overseen by an independent third party (ITP). In such a process all investigative teams will be supplied with the same samples for analysis. The expected results of the analyses will be predicted by the ITP, and the ITP will be responsible for comparing the results from all participating investigative teams against the predicted results and against the results produced by all other investigative teams in the test group.

Investigative teams which produce equivalent results for the given samples will be considered proficient in the analysis used to produce those results.

NOTE Among proficient investigative teams which produce equivalent results, the conclusions issued in the report may not always be equivalent.

Proficiency tests should be repeated at regular intervals in order to show that proficiency is maintained.



If no suitable ITP test is available, an investigative team may approach other investigative teams directly to establish a testing scheme suitable for their own needs. Such a scheme should, ideally, be subjected to independent scrutiny to ensure it is appropriate.

8.3 Example proficiency definition

General proficiency: Analysis of sendmail incidents

Specific proficiencies:
• Identify and extract relevant records from
  ◦ logfiles
  ◦ user mailboxes
  ◦ mail messages
  ◦ configuration files
  ◦ core files
• Identify interactions with other software, systems and users
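As an added example, not part of the draft and not sendmail's own code, the following Python covers the first item of both the competence definition in 7.4 and the proficiency definition in 8.3 (locating, parsing and extracting relevant records from sendmail log files) and applies the Fact / Inferred Fact distinction of 5.2: each parsed from= or to= record is a Fact, and a delivery is reported as an Inferred Fact only when both supporting records for the same queue identifier are present. The log lines are constructed sample input in the syslog format sendmail writes; the hostnames, addresses and queue identifiers are placeholders.

```python
import re
from collections import defaultdict
# Constructed sample input in the syslog format sendmail writes (not taken from the draft).
# Only queue id qBJAFWxx012345 has both a from= and a to= record.
SAMPLE_LOG = """\
Dec 19 10:15:32 mailhost sendmail[12345]: qBJAFWxx012345: from=<alice@example.com>, size=1234, class=0, nrcpts=1, msgid=<a1@example.com>, proto=ESMTP, daemon=MTA, relay=mta.example.com [192.0.2.10]
Dec 19 10:15:33 mailhost sendmail[12346]: qBJAFWxx012345: to=<bob@example.org>, delay=00:00:01, xdelay=00:00:01, mailer=local, pri=31234, dsn=2.0.0, stat=Sent
Dec 19 10:16:01 mailhost sendmail[12350]: qBJAG1yy012350: to=<carol@example.org>, delay=00:00:00, mailer=local, pri=30000, dsn=2.0.0, stat=Sent
Dec 19 10:17:45 mailhost sendmail[12360]: qBJAHjzz012360: from=<eve@example.net>, size=99, class=0, nrcpts=1, proto=SMTP, daemon=MTA, relay=[203.0.113.7]
"""

# One record: timestamp, host, "sendmail[pid]:", queue id, then "key=value, key=value, ..."
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"sendmail\[(?P<pid>\d+)\]: (?P<qid>[A-Za-z0-9]+): (?P<fields>.*)$")

def parse_fields(text):
    """Split the key=value tail only before the next key, so relay=host [addr] stays whole."""
    fields = {}
    for part in re.split(r", (?=[A-Za-z]+=)", text):
        key, _, value = part.partition("=")
        fields[key] = value
    return fields

def parse_log(text):
    """Facts: every parsable sendmail record, grouped by queue id; other lines are skipped."""
    facts = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m is None:
            continue  # not a sendmail record: record nothing rather than guess
        record = {"ts": m["ts"], "host": m["host"]}
        record.update(parse_fields(m["fields"]))
        facts[m["qid"]].append(record)
    return dict(facts)

def infer_deliveries(facts):
    """Inferred Facts: a delivery is reported only when a from= and a to= record for the same queue id both exist."""
    deliveries = []
    for qid, records in facts.items():
        senders = [r for r in records if "from" in r]
        recipients = [r for r in records if "to" in r]
        for s in senders:          # empty senders or recipients -> no inference for this qid
            for t in recipients:   # each inference lists the records it rests on (repeatable)
                deliveries.append({
                    "qid": qid, "from": s["from"].strip("<>"), "to": t["to"].strip("<>"),
                    "relay": s.get("relay"), "stat": t.get("stat"),
                    "supported_by": [(s["ts"], "from"), (t["ts"], "to")]})
    return deliveries
```

Queue ids with only one half of the pair (a recipient record whose sender record is on another host, or a message still queued) yield no delivery record; they remain available as Facts for the report.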

Bibliography

[1] ISO/IEC 17024:2003, Conformity assessment – General requirements for bodies operating certification of persons

[2] ISO/IEC 17025:2005, Conformity assessment – General requirements for the competence of testing and calibration laboratories

[3] ISO/IEC 17043:2010, Conformity assessment – General requirements for proficiency testing

[4] ISO/IEC 27004:2009, Information technology – Security techniques – Information security management – Measurement

[5] ISO/IEC 27035:2011, Information technology – Security techniques – Security incident management

[6] Casey, E. (2011) Digital Evidence and Computer Crime: Forensic Science, Computers and the Internet, 3rd ed. New York: Academic Press.
