EN ISO/IEC 27043:2016
Information technology - Security techniques - Incident investigation principles and processes (ISO/IEC 27043:2015)
ISO/IEC 27043:2015 provides guidelines based on idealized models for common incident investigation processes across various incident investigation scenarios involving digital evidence. This includes processes from pre-incident preparation through investigation closure, as well as any general advice and caveats on such processes. The guidelines describe processes and principles applicable to various kinds of investigations, including, but not limited to, unauthorized access, data corruption, system crashes, or corporate breaches of information security, as well as any other digital investigation.
In summary, this International Standard provides a general overview of all incident investigation principles and processes without prescribing particular details within each of the investigation principles and processes covered in this International Standard. Many other relevant International Standards, where referenced in this International Standard, provide more detailed content of specific investigation principles and processes.
Standards Content (Sample)
SLOVENIAN STANDARD
01-January-2017
Information technology - Security techniques - Incident investigation principles and processes (ISO/IEC 27043:2015)
This Slovenian standard is identical to: EN ISO/IEC 27043:2016
ICS:
35.030 IT Security
2003-01. Slovenian Institute for Standardization. Reproduction of the whole or parts of this standard is not permitted.
EN ISO/IEC 27043
EUROPEAN STANDARD
NORME EUROPÉENNE
August 2016
EUROPÄISCHE NORM
ICS 35.040
English Version
Information technology - Security techniques - Incident
investigation principles and processes (ISO/IEC
27043:2015)
This European Standard was approved by CEN on 19 June 2016.
CEN and CENELEC members are bound to comply with the CEN/CENELEC Internal Regulations which stipulate the conditions
for giving this European Standard the status of a national standard without any alteration. Up-to-date lists and bibliographical
references concerning such national standards may be obtained on application to the CEN-CENELEC Management Centre or to
any CEN and CENELEC member.
This European Standard exists in three official versions (English, French, German). A version in any other language made by
translation under the responsibility of a CEN and CENELEC member into its own language and notified to the CEN-CENELEC
Management Centre has the same status as the official versions.
CEN and CENELEC members are the national standards bodies of Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic,
Denmark, Estonia, Finland, Former Yugoslav Republic of Macedonia, France, Germany, Greece, Hungary, Iceland, Ireland, Italy,
Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden,
Switzerland, Turkey and United Kingdom.
EUROPEAN COMMITTEE FOR STANDARDIZATION
COMITÉ EUROPÉEN DE NORMALISATION
EUROPÄISCHES KOMITEE FÜR NORMUNG
CEN-CENELEC Management Centre: Avenue Marnix 17, B-1000 Brussels
© 2016 CEN and CENELEC. All rights of exploitation in any form and by any means reserved worldwide for CEN and CENELEC national Members.
Ref. No. EN ISO/IEC 27043:2016 E
Contents
European foreword ..... 3
European foreword
The text of ISO/IEC 27043:2015 has been prepared by Technical Committee ISO/IEC JTC 1 “Information
technology” of the International Organization for Standardization (ISO) and the International
Electrotechnical Commission (IEC) and has been taken over as EN ISO/IEC 27043:2016.
This European Standard shall be given the status of a national standard, either by publication of an
identical text or by endorsement, at the latest by February 2017, and conflicting national standards
shall be withdrawn at the latest by February 2017.
Attention is drawn to the possibility that some of the elements of this document may be the subject of
patent rights. CEN [and/or CENELEC] shall not be held responsible for identifying any or all such patent
rights.
According to the CEN-CENELEC Internal Regulations, the national standards organizations of the
following countries are bound to implement this European Standard: Austria, Belgium, Bulgaria,
Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, Former Yugoslav Republic of Macedonia,
France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta,
Netherlands, Norway, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, Switzerland,
Turkey and the United Kingdom.
Endorsement notice
The text of ISO/IEC 27043:2015 has been approved by CEN as EN ISO/IEC 27043:2016 without any
modification.
INTERNATIONAL STANDARD ISO/IEC 27043
First edition
2015-03-01
Information technology — Security techniques — Incident investigation principles and processes
Reference number
ISO/IEC 27043:2015(E)
© ISO/IEC 2015
ISO/IEC 27043:2015(E)
© ISO/IEC 2015
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized otherwise in any form
or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior
written permission. Permission can be requested from either ISO at the address below or ISO’s member body in the country of
the requester.
ISO copyright office
Case postale 56 • CH-1211 Geneva 20
Tel. + 41 22 749 01 11
Fax + 41 22 749 09 47
E-mail copyright@iso.org
Web www.iso.org
Published in Switzerland
ii © ISO/IEC 2015 – All rights reserved
Foreword ..... v
Introduction ..... vi
1 Scope ..... 1
2 Normative references ..... 1
3 Terms and definitions ..... 1
4 Symbols and abbreviated terms ..... 3
5 Digital investigations ..... 4
5.1 General principles ..... 4
5.2 Legal principles ..... 4
6 Digital investigation processes ..... 5
6.1 General overview of the processes ..... 5
6.2 Classes of digital investigation processes ..... 5
7 Readiness processes ..... 7
7.1 Overview of the readiness processes ..... 7
7.2 Scenario definition process ..... 9
7.3 Identification of potential digital evidence sources process ..... 9
7.4 Planning pre-incident gathering, storage, and handling of data representing potential digital evidence process ..... 11
7.5 Planning pre-incident analysis of data representing potential digital evidence process ..... 11
7.6 Planning incident detection process ..... 11
7.7 Defining system architecture process ..... 11
7.8 Implementing system architecture process ..... 12
7.9 Implementing pre-incident gathering, storage, and handling of data representing potential digital evidence process ..... 12
7.10 Implementing pre-incident analysis of data representing potential digital evidence process ..... 12
7.11 Implementing incident detection process ..... 12
7.12 Assessment of implementation process ..... 13
7.13 Implementation of assessment results process ..... 13
8 Initialization processes ..... 13
8.1 Overview of initialization processes ..... 13
8.2 Incident detection process ..... 14
8.3 First response process ..... 15
8.4 Planning process ..... 15
8.5 Preparation process ..... 15
9 Acquisitive processes ..... 16
9.1 Overview of acquisitive processes ..... 16
9.2 Potential digital evidence identification process ..... 16
9.3 Potential digital evidence collection process ..... 17
9.4 Potential digital evidence acquisition process ..... 17
9.5 Potential digital evidence transportation process ..... 17
9.6 Potential digital evidence storage and preservation process ..... 17
10 Investigative processes ..... 18
10.1 Overview of investigative processes ..... 18
10.2 Potential digital evidence acquisition process ..... 19
10.3 Potential digital evidence examination and analysis process ..... 19
10.4 Digital evidence interpretation process ..... 19
10.5 Reporting process ..... 19
10.6 Presentation process ..... 20
10.7 Investigation closure process ..... 20
11 Concurrent processes ..... 20
11.1 Overview of the concurrent processes ..... 20
11.2 Obtaining authorization process ..... 21
11.3 Documentation process ..... 21
11.4 Managing information flow process ..... 21
11.5 Preserving chain of custody process ..... 21
11.6 Preserving digital evidence process ..... 22
11.7 Interaction with physical investigation process ..... 22
12 Digital investigation process model schema ..... 22
Annex A (informative) Digital investigation processes: motivation for harmonization ..... 24
Bibliography ..... 28
Foreword
ISO (the International Organization for Standardization) and IEC (the International Electrotechnical
Commission) form the specialized system for worldwide standardization. National bodies that are
members of ISO or IEC participate in the development of International Standards through technical
committees established by the respective organization to deal with particular fields of technical
activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international
organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the
work. In the field of information technology, ISO and IEC have established a joint technical committee,
ISO/IEC JTC 1.
The procedures used to develop this document and those intended for its further maintenance are
described in the ISO/IEC Directives, Part 1. In particular the different approval criteria needed for
the different types of document should be noted. This document was drafted in accordance with the
editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives).
Attention is drawn to the possibility that some of the elements of this document may be the subject
of patent rights. ISO and IEC shall not be held responsible for identifying any or all such patent rights.
Details of any patent rights identified during the development of the document will be in the Introduction
and/or on the ISO list of patent declarations received (see www.iso.org/patents).
Any trade name used in this document is information given for the convenience of users and does not
constitute an endorsement.
For an explanation on the meaning of ISO specific terms and expressions related to conformity
assessment, as well as information about ISO’s adherence to the WTO principles in the Technical Barriers
to Trade (TBT), see the following URL: Foreword — Supplementary information.
The committee responsible for this document is ISO/IEC JTC 1, Information technology, Subcommittee
SC 27, Security techniques.
Introduction
About this International Standard
This International Standard provides guidelines that encapsulate idealized models for common
investigation processes across various investigation scenarios. This includes processes from pre-incident
preparation up to and including returning evidence for storage or dissemination, as well as general advice
and caveats on processes and appropriate identification, collection, acquisition, preservation, analysis,
interpretation, and presentation of evidence. A basic principle of digital investigations is repeatability,
where a suitably skilled investigator has to be able to obtain the same result as another similarly skilled
investigator, working under similar conditions. This principle is exceptionally important to any general
investigation. Guidelines for many investigation processes have been provided to ensure that there is
clarity and transparency in obtaining the produced result for each particular process. The motivation
to provide guidelines for incident investigation principles and processes follows.
Established guidelines covering incident investigation principles and processes would expedite
investigations because they would provide a common order of the events that an investigation entails.
Using established guidelines allows smooth transition from one event to another during an investigation.
Such guidelines would also allow proper training of inexperienced investigators. The guidelines,
furthermore, aim to assure flexibility within an investigation due to the fact that many different types
of digital investigations are possible. Harmonized incident investigation principles and processes are
specified and indications are provided of how the investigation processes can be customized in different
investigation scenarios.
A harmonized investigation process model is needed in criminal and civil prosecution settings, as well
as in other environments, such as corporate breaches of information security and recovery of digital
information from a defective storage device. The provided guidelines give succinct guidance on the
exact process to be followed during any kind of digital investigation in such a way that, if challenged, no
doubt should exist as to the adequacy of the investigation process followed during such an investigation.
Any digital investigation requires a high level of expertise. Those involved in the investigation have to be
competent, proficient in the processes used, and they have to use validated processes (see ISO/IEC 27041)
which are compatible with the relevant policies and/or laws in applicable jurisdictions.
Where the need arises to assign a process to a person, that person will take the responsibility for the
process. Therefore, a strong correlation between a process responsibility and a person’s input will
determine the exact investigation process required according to the harmonized investigation processes
provided as guidelines in this International Standard.
This International Standard is structured by following a top-down approach. This means that the
investigation principles and processes are first presented on a high (abstract) level before they are
refined with more details. For example, a high-level overview of the investigation principles and
processes is first provided and presented in figures as “black boxes”, after which each of the high-
level processes is divided into more fine-grained (atomic) processes. Therefore, a less abstract and
more detailed view of all the investigation principles and processes is presented near the end of this
International Standard, as shown in Figure 8.
This International Standard is intended to complement other standards and documents which provide
guidance on the investigation of, and preparation to, investigate information security incidents. It
is not an in-depth guide, but it is a guide that provides a rather wide overview of the entire incident
investigation process. This guide also lays down certain fundamental principles which are intended
to ensure that tools, techniques, and methods can be selected appropriately and shown to be fit for
purpose should the need arise.
Relationship to other standards
This International Standard is intended to complement other standards and documents which give
guidance on the investigation of, and preparation to investigate, information security incidents. It is not a
comprehensive guide, but lays down certain fundamental principles which are intended to ensure that tools,
techniques, and methods can be selected appropriately and shown to be fit for purpose should the need arise.
This International Standard also intends to inform decision-makers that need to determine the
reliability of digital evidence presented to them. It is applicable to organizations needing to protect,
analyse, and present potential digital evidence. It is relevant to policy-making bodies that create and
evaluate procedures relating to digital evidence, often as part of a larger body of evidence.
This International Standard describes part of a comprehensive investigative process which includes, but
is not limited to, the following topic areas:
— incident management, including preparation and planning for investigations;
— handling of digital evidence;
— use of, and issues caused by, redaction;
— intrusion prevention and detection systems, including information which can be obtained from
these systems;
— security of storage, including sanitization of storage;
— ensuring that investigative methods are fit for purpose;
— carrying out analysis and interpretation of digital evidence;
— understanding principles and processes of digital evidence investigations;
— security incident event management, including derivation of evidence from systems involved in
security incident event management;
— relationship between electronic discovery and other investigative methods, as well as the use of
electronic discovery techniques in other investigations;
— governance of investigations, including forensic investigations.
These topic areas are addressed, in part, by the following ISO/IEC standards.
— ISO/IEC 27037
This International Standard describes the means by which those involved in the early stages of
an investigation, including initial response, can assure that sufficient potential digital evidence is
captured to allow the investigation to proceed appropriately.
— ISO/IEC 27038
Some documents can contain information that must not be disclosed to some communities. Modified
documents can be released to these communities after an appropriate processing of the original
document. The process of removing information that is not to be disclosed is called “redaction”.
The digital redaction of documents is a relatively new area of document management practice,
raising unique issues and potential risks. Where digital documents are redacted, removed
information must not be recoverable. Hence, care needs to be taken so that redacted information
is permanently removed from the digital document (e.g. it must not be simply hidden within non-
displayable portions of the document).
ISO/IEC 27038 specifies methods for digital redaction of digital documents. It also specifies
requirements for software that can be used for redaction.
— ISO/IEC 27040
This International Standard provides detailed technical guidance on how organizations may define
an appropriate level of risk mitigation by employing a well-proven and consistent approach to the
planning, design, documentation, and implementation of data storage security. Storage security
applies to the protection (security) of information where it is stored and to the security of the
information being transferred across the communication links associated with storage. Storage
security includes the security of devices and media, the security of management activities related to
the devices and media, the security of applications and services, and security relevant to end-users
during the lifetime of devices and media and after end of use.
Security mechanisms like encryption and sanitization can affect one’s ability to investigate by
introducing obfuscation mechanisms. They have to be considered prior to and during the conduct of
an investigation. They can also be important in ensuring that storage of evidential material during
and after an investigation is adequately prepared and secured.
— ISO/IEC 27041
It is important that methods and processes deployed during an investigation can be shown to be
appropriate. This document provides guidance on how to provide assurance that methods and
processes meet the requirements of the investigation and have been appropriately tested.
— ISO/IEC 27042
This International Standard describes how methods and processes to be used during an investigation
can be designed and implemented in order to allow correct evaluation of potential digital evidence,
interpretation of digital evidence, and effective reporting of findings.
The following ISO/IEC projects also address, in part, the topic areas identified above and can lead to the
publication of relevant standards at some time after the publications of this International Standard.
— ISO/IEC 27035 (all parts)
This is a three-part standard that provides organizations with a structured and planned approach
to the management of security incidents. It is composed of
— ISO/IEC 27035-1
— ISO/IEC 27035-2
— ISO/IEC 27035-3
— ISO/IEC 27044
— ISO/IEC 27050 (all parts)
— ISO/IEC 30121
This International Standard provides a framework for governing bodies of organizations (including
owners, board members, directors, partners, senior executives, or similar) on the best way to
prepare an organization for digital investigations before they occur. This International Standard
applies to the development of strategic processes (and decisions) relating to the retention,
availability, access, and cost effectiveness of digital evidence disclosure. This International Standard
is applicable to all types and sizes of organizations. The International Standard is about the prudent
strategic preparation for digital investigation of an organization. Forensic readiness assures that an
organization has made the appropriate and relevant strategic preparation for accepting potential
events of an evidential nature. Actions may occur as the result of inevitable security breaches, fraud,
and reputation assertion. In every situation, information technology (IT) has to be strategically
deployed to maximize the effectiveness of evidential availability, accessibility, and cost efficiency.
Figure 1 shows typical activities surrounding an incident and its investigation. The numbers shown in
this diagram (e.g. 27037) indicate the International Standards listed above and the shaded bars show
where each is most likely to be directly applicable or has some influence over the investigative process
(e.g. by setting policy or creating constraints). It is recommended, however, that all should be consulted
prior to, and during, the planning and preparation phases. The process classes shown are defined fully
in this International Standard and the activities identified match those discussed in more detail in
ISO/IEC 27035-2, ISO/IEC 27037, and ISO/IEC 27042.
Figure 1 — Applicability of standards to investigation process classes and activities
INTERNATIONAL STANDARD ISO/IEC 27043:2015(E)
Information technology — Security techniques — Incident
investigation principles and processes
1 Scope
This International Standard provides guidelines based on idealized models for common incident
investigation processes across various incident investigation scenarios involving digital evidence. This
includes processes from pre-incident preparation through investigation closure, as well as any general
advice and caveats on such processes. The guidelines describe processes and principles applicable to
various kinds of investigations, including, but not limited to, unauthorized access, data corruption,
system crashes, or corporate breaches of information security, as well as any other digital investigation.
In summary, this International Standard provides a general overview of all incident investigation
principles and processes without prescribing particular details within each of the investigation
principles and processes covered in this International Standard. Many other relevant International
Standards, where referenced in this International Standard, provide more detailed content of specific
investigation principles and processes.
2 Normative references
The following documents, in whole or in part, are normatively referenced in this document and are
indispensable for its application. For dated references, only the edition cited applies. For undated
references, the latest edition of the referenced document (including any amendments) applies.
ISO/IEC 27000, Information technology — Security techniques — Information security management
systems — Overview and vocabulary
3 Terms and definitions
For the purposes of this document, the terms and definitions given in ISO/IEC 27000 and the following apply.
3.1
acquisition
process of creating a copy of data within a defined set
Note 1 to entry: The product of an acquisition is a potential digital evidence copy.
[SOURCE: ISO/IEC 27037:2012, 3.1]
3.2
activity
set of cohesive tasks of a process
[SOURCE: ISO/IEC 12207:2008, 4.3]
3.3
analysis
process of evaluating potential digital evidence in order to assess its relevance to the investigation
Note 1 to entry: Potential digital evidence, which is determined to be relevant, becomes digital evidence.
[SOURCE: ISO/IEC 27042:—, 3.1]
3.4
collection
process of gathering the physical items that contain potential digital evidence
[SOURCE: ISO/IEC 27037:2012, 3.3]
3.5
digital evidence
information or data, stored or transmitted in binary form, that may be relied on as evidence
[SOURCE: ISO/IEC 27037:2012, 3.5]
3.6
digital investigation
use of scientifically derived and proven methods towards the identification, collection, transportation,
storage, analysis, interpretation, presentation, distribution, return, and/or destruction of digital
evidence derived from digital sources, while obtaining proper authorizations for all activities, properly
documenting all activities, interacting with the physical investigation, preserving digital evidence, and
maintaining the chain of custody, for the purpose of facilitating or furthering the reconstruction of
events found to be incidents requiring a digital investigation, whether of criminal nature or not
3.7
identification
process involving the search for, recognition, and documentation of potential digital evidence
[SOURCE: ISO/IEC 27037:2012, 3.12]
3.8
incident
single or a series of unwanted or unexpected information security breaches or events, whether of
criminal nature or not, that have a significant probability of compromising business operations or
threatening information security
3.9
interpretation
synthesis of an explanation, within agreed limits, for the factual information about evidence resulting
from the set of examinations and analysis making up the investigation
[SOURCE: ISO/IEC 27042:—, 3.9]
3.10
investigation
application of examinations, analysis, and interpretation to aid understanding of an incident
[SOURCE: ISO/IEC 27042:—, 3.10]
3.11
method
definition of an operation which can be used to produce data or derive information as an output from
specified inputs
Note 1 to entry: Ideally, a method should be atomic (i.e. it should not perform more than one function) in order to
promote re-use of methods and the processes derived from them and to reduce the amount of work required to
validate processes.
[SOURCE: ISO/IEC 27041:—, 3.11]
3.12
potential digital evidence
information or data, stored or transmitted in binary form, which has not yet been determined, through
the process of examination and analysis, to be relevant to the investigation
[SOURCE: ISO/IEC 27042:—, 3.15, modified — Definition adapted to refer to the abstract process
“examination and analysis” rather than analysis only; note 1 and note 2 to entry not included.]
3.13
preservation
process to maintain and safeguard the integrity and/or original condition of the potential digital
evidence and digital evidence
[SOURCE: ISO/IEC 27037:2012, 3.15, modified — Added “and digital evidence”.]
3.14
process
set of activities that have a common goal and last for a limited period of time
Note 1 to entry: Also see ISO/IEC 27000 and ISO 9000 for similar definitions of a process.
Note 2 to entry: The meaning of “process” in this International Standard refers to a higher level of abstraction
than the definition of “process” in ISO/IEC 27041.
3.15
readiness
process of being prepared for a digital investigation before an incident has occurred
3.16
validation
confirmation, through the provision of objective evidence, that the requirements for a specific intended
use or application have been fulfilled
[SOURCE: ISO/IEC 27004:2009, 3.17]
3.17
verification
confirmation, through the provision of objective evidence, that specified requirements have been fulfilled
Note 1 to entry: Verification only provides assurance that a product conforms to its specification.
[SOURCE: ISO/IEC 27041:—, 3.20]
3.18
volatile data
caused by data that is especially prone to change and can be easily modified
Note 1 to entry: Change can be switching off the power or passing through a magnetic field. Volatile data also includes
data that changes as the system state changes. Examples include data stored in RAM and dynamic IP addresses.
[SOURCE: ISO/IEC 27037:2012, 3.26, modified — Inserted “caused by” at the beginning of the
original definition.]
4 Symbols and abbreviated terms
DVR digital video recorder
IP Internet Protocol
JPEG Joint Photographic Experts Group
© ISO/IEC 2015 – All rights reserved 3
RAM random access memory
PKI public key infrastructure
5 Digital investigations
5.1 General principles
In practice, a digital investigation is undertaken whenever digital evidence has to be investigated as a
result of an incident, whether or not that incident is of a criminal nature. There are many kinds of digital
investigations, such as on desktop computers, laptops, servers, data repositories, handheld/mobile
device investigations, investigations on live data (e.g. network and volatile data investigations), and
investigations on digital appliances such as DVRs, game consoles, and control systems. The digital
investigation process, however, is formulated in such a way that it is applicable to any kind of digital
investigation.
5.2 Legal principles
An overview is given of the legal requirements pertaining to digital investigations and especially the
admissibility of digital evidence in a court of law. It should be noted that legal requirements may differ
extensively in different jurisdictions across the world. The premise is not to advocate specific legal
systems, but rather to note the generic requirements in terms of legal issues that can be adopted by
the legal system of a specific jurisdiction. Depending on the particular laws in a particular jurisdiction,
specific consideration and care should be taken when an accused is found to be innocent in a court of
law. For example, due diligence and care should be taken to ensure
— safe deletion (see ISO/IEC 27040) of the evidence and case data at the end of the court case if so required,
— secure preservation of the media and devices holding the potential digital evidence as far as possible,
secure preservation of the digital evidence itself and secure preservation of the investigation results
for possible future reference, and
— notification to the subject of the investigation results.
In some jurisdictions it is acceptable that if scientific, technical, or other specialized knowledge will
assist the court to understand the evidence or to determine a fact in issue, a witness accepted as an
expert by virtue of their experience, knowledge, skill, training, or education, may testify thereto in the
form of an opinion.[2] To help assure admissibility of expert opinion, the following factors should be
considered (as applicable in the particular jurisdiction):
— whether the theories and techniques employed by the scientific expert have been tested;
— whether they have been subjected to peer review and publication;
— whether an error rate for the technique is known and, if so, whether it has been reported;
— whether they are subject to standards governing their application;
— whether the theories and techniques employed by the expert enjoy widespread acceptance.
NOTE The admissibility of the evidence itself and the admissibility of expert opinion about the interpretation
of the evidence are two different issues to consider. For example, a technical witness may be able to testify about
how evidence was acquired, preserved, etc., to address the adequacy of those processes without the necessity of
qualifying as an expert. In other words, the expert may also testify to technical facts. Also see ISO/IEC 27042:—, 8.2.
Requirements for admissibility may vary considerably between jurisdictions and for that reason it is
highly advisable to obtain competent legal advice regarding those specific requirements. However,
many jurisdictions will include at least the following in their admissibility requirements for evidence:
— relevance — the evidence should have some relevance to the facts in dispute.
— authenticity — the evidence should be shown to be what it purports to be. For example, if a particular
JPEG image extracted from the hard drive of a particular server is relevant to a question of fact
under dispute, the trier of fact will demand demonstrable assurance that the drive is in fact from
that particular server, that it has not been modified in any way since its collection, that the process
used to extract the JPEG image is trustworthy, etc.
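The authenticity requirement above rests on two technical facts an examiner must be able to demonstrate later: that the acquired image is bit-for-bit what was collected, and that the extraction of the artifact from it is reproducible. The following is an added example, not text or code from ISO/IEC 27043, showing one way to back both claims: hash the image at acquisition into a custody record, refuse to examine an image whose hash no longer matches, and carve a JPEG by its SOI/EOI markers while recording offset, length and hash so a second examiner can repeat the extraction. The drive image, the source label and the operator name are constructed stand-ins.

```python
"""Added example (not from ISO/IEC 27043): integrity and chain-of-custody
checks behind an authenticity claim for a drive image and a carved JPEG.
The image bytes and custody fields below are constructed, not a real acquisition."""
import hashlib
import json
from datetime import datetime, timezone

JPEG_SOI = b"\xff\xd8\xff"   # JPEG start-of-image marker
JPEG_EOI = b"\xff\xd9"       # JPEG end-of-image marker


def build_sample_image() -> bytes:
    """Constructed stand-in for a raw drive image: filler bytes around one
    minimal JPEG-like blob (assumption: a real image would be read from disk)."""
    jpeg = JPEG_SOI + b"\xe0\x00\x10JFIF\x00" + b"\x00" * 32 + JPEG_EOI
    return b"\x00" * 512 + jpeg + b"\xff" * 256


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def record_acquisition(image: bytes, source_label: str, operator: str) -> dict:
    """Custody record written at collection time: what was imaged, by whom,
    when, and the hash that every later step is checked against."""
    return {
        "source": source_label,
        "operator": operator,
        "acquired_at": datetime.now(timezone.utc).isoformat(),
        "size": len(image),
        "sha256": sha256_hex(image),
    }


def verify_image(image: bytes, record: dict) -> bool:
    """Re-hash the image and compare with the custody record; any change
    since collection, even a single bit, makes this return False."""
    return len(image) == record["size"] and sha256_hex(image) == record["sha256"]


def carve_jpegs(image: bytes) -> list[dict]:
    """Deterministic extraction of JPEG-like blobs by SOI/EOI markers.
    Each hit records offset, length and hash so another examiner can
    reproduce the extraction from the same image and get the same hash."""
    found = []
    pos = 0
    while True:
        start = image.find(JPEG_SOI, pos)
        if start < 0:
            break
        end = image.find(JPEG_EOI, start + len(JPEG_SOI))
        if end < 0:
            break
        blob = image[start:end + len(JPEG_EOI)]
        found.append({"offset": start, "length": len(blob), "sha256": sha256_hex(blob)})
        pos = end + len(JPEG_EOI)
    return found


def examine(image: bytes, record: dict) -> dict:
    """Examination step: refuse to work on an image whose hash no longer
    matches the custody record, otherwise return the carved artifacts."""
    if not verify_image(image, record):
        raise ValueError("image hash mismatch: integrity since collection cannot be shown")
    return {"image_sha256": record["sha256"], "artifacts": carve_jpegs(image)}


if __name__ == "__main__":
    img = build_sample_image()
    rec = record_acquisition(img, "server-01 /dev/sda (constructed label)", "examiner A")
    print(json.dumps(examine(img, rec), indent=2))
    # Flip one bit in the filler region: the image must now fail verification.
    tampered = bytearray(img)
    tampered[600] ^= 0x01
    print("tampered image verifies:", verify_image(bytes(tampered), rec))
```

The custody record and the carved-artifact hashes are what a technical witness would point to when asked how the image was acquired and how the JPEG was obtained from it; the raise in examine() is the practical consequence of the authenticity requirement, since an image that cannot be matched to its acquisition hash has no demonstrable provenance.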
Legal issues should be considered throughout the entire investigation process. For each and every
sub-process, a legal check should be conducted in order to determine whether the laws and regulations
of the particular jurisdiction are adhered to. It is recommended to seek legal advice within the particular
jurisdiction in case of uncertainty.
6 Digital investigation processes
6.1 General overview of the processes
The digital investigation processes described in this International Standard are purposely designed
at an abstract level so that they can be used for different digital investigations and different types of
digital evidence. The use of this methodology is intended to aid the design and development of high-level
processes with the intent to subsequently decompose them into atomic processes (see ISO/IEC 27041).
Also, the processes aim to be comprehensive in that they represent a harmonization of all digital
investigation processes published by the time of writing this International Standard. The investigation
processes are organized in a succinct fashion, and this International Standard describes how to follow them.
6.2 Classes of digital investigation processes
The digital investigation processes constitute a long list. In order to abstract digital investigation
processes at a higher level, they can be categorized into the following digital investigation process classes:
— readiness processes: That class of processes dealing with pre-incident investigation processes. This
class deals with defining strategies which can be employed to ensure systems are in place, and that
the staff involved in the investigative process are proficiently trained prior to dealing with an incident
occurring. The readiness processes are optional to the rest of the digital investigation processes. The
reason for this is explained in more detail in 7.1. Readiness processes include the following:
— scenario definition;
— identification of potential digital evidence sources;
— planning pre-incident gathering;
— storage and handling of data representing potential digital evidence;
— planning pre-incident analysis of data representing potential digital evidence;
— planning incident detection;
...