ISO/IEC INTERNATIONAL STANDARD 27043 Firstedition 2015-03-01 Information technology Security techniques Incident investigation principles and processes Technologies de I'information - Techniques de securite - Principes d'investigation numerique et les processus Reference number IS0/IEC27043:2015(E) IEC . Intermational Organization for Standardization lardization5956617 @IS0/IEC2015 ed without license from IHS IS0/IEC27043:2015(E) COPYRIGHTPROTECTEDDOCUMENT IS0/IEC2015 All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below or ISO's member body in the country of the requester. ISOcopyrightoffice Casepostale 56.CH-1211Geneva20 Tel. +4122 749 0111 Fax +41 22 749 09 47 E-mail copyright@iso.org Web www.iso.org Published in Switzerland PrganizationforStandardization networking permited withoutlicense from IHS Not for Resale, 2015/6/2 07:07:0 IS0/IEC27043:2015(E) Foreword Introduction. ..vi 1 Scope. ..1 2 Normativereferences .1 3 Terms and definitions ..1 4 Symbols and abbreviated terms ..3 5 Digital investigations 5.1 General principles ..4 5.2 Legal principles.. .4 6 Digitalinvestigation processes .5 6.1 General overviewoftheprocesses .5 6.2 Classes of digital investigation processes .5 7 Readiness processes. .7 7.1 Overview of thereadinessprocesses .1 7.2 Scenario definition process. .9 7.3 Identificationofpotentialdigitalevidencesourcesprocess 7.4 Planning pre-incident gathering, storage, and handling of data representing potential digital evidence process. ..11 7.5 Planning pre-incident analysis of data representing potential digital evidence process...11 7.6 Planning incident detection process. 11 7.7 Definingsystemarchitectureproces.. ..11 7.8 Implementing systemarchitectureprocess. ..12 7.9 Implementing pre-incident gathering, storage, and handling of data representing potential digitalevidenceprocess ..12 7.10 Implementing pre-incident analysis of data representing potential digital ..12 evidenceprocess 7.11 Implementing incident detection process ..12 7.12 Assessmentofimplementationprocess ..13 7.13 Implementation of assessment results process ..13 8 Initializationprocesses ..13 8.1 Overviewofinitializationprocesses ..13 8.2 Incidentdetectionprocess ..14 8.3 First response process. .15 8.4 Planning process ..15 8.5 Preparation proces.. ..15 9 Acquisitiveprocesses. .16 9.1 Overview ofacquisitiveprocesses ..16 9.2 Potential digital evidence identification process ..16 9.3 Potential digital evidence collection process. .17 9.4 Potential digital evidenceacquisition process ..17 9.5 Potentialdigitalevidencetransportationprocess ..17 9.6 Potential digitalevidencestorageand preservationprocess .17 10 Investigativeprocesses .18 10.1 Overviewof investigativeprocesses ..18 10.2 Potential digital evidenceacquisition process ..19 10.3 Potential digital evidenceexamination and analysisprocess .19 10.4 Digital evidence interpretation process.. .19 10.5 Reportingprocess ..19 10.6 Presentation process .20 10.7 Investigation closure process. .20 ntemainal oganzation @SEG2015-Allrights reserved iii Licensee=Zhejiang Institute of Standardization 5956617 ithout license from IHS Not for Resale, 2015/6/2 07:07:0 No reproduction or rietworking permi