BS ISO/IEC 27043:2015 pdf download-Information technology — Security techniques — Incident investigation principles and processes.
5 Digital investigations

5.1 General principles

Digital investigations are in practice applied whenever it is needed to investigate digital evidence as a result of an incident, whether an incident is of criminal nature or not. There are many kinds of digital investigations, such as on desktop computers, laptops, servers, data repositories, handheld/mobile device investigations, investigations on live data (e.g. network and volatile data investigations), and investigations on digital appliances such as DVRs, game consoles, and control systems. The digital investigation process, however, is formulated in such a way that it is applicable to any kind of digital investigation.

5.2 Legal principles

An overview is given of the legal requirements pertaining to digital investigations and especially the admissibility of digital evidence in a court of law. It should be noted that legal requirements may differ extensively in different jurisdictions across the world. The premise is not to advocate specific legal systems, but rather to note the generic requirements in terms of legal issues that can be adopted by the legal system of a specific jurisdiction.

Depending on the particular laws in a particular jurisdiction, specific consideration and care should be taken when an accused is found to be innocent in a court of law. For example, due diligence and care should be taken to ensure

— safe deletion (see ISO/IEC 27040) of the evidence and case data at the end of the court case if so required,
— secure preservation of the media and devices holding the potential digital evidence as far as possible, secure preservation of the digital evidence itself and secure preservation of the investigation results for possible future reference, and
— notification to the subject of the investigation results.
NOTE The admissibility of the evidence itself and the admissibility of expert opinion about the interpretation of the evidence are two different issues to consider. For example, a technical witness may be able to testify about how evidence was acquired, preserved, etc., to address the adequacy of those processes without the necessity of qualifying as an expert. In other words, the expert may also testify to technical facts. Also see ISO/IEC 27042:—, 8.2.