Nội dung text Pautas para identificación, recolección, adquisición y preservación de pruebas digitales - ISO-IEC 27037-2012.pdf
Reference number ISO/IEC 27037:2012(E) © ISO/IEC 2012 INTERNATIONAL STANDARD ISO/IEC 27037 First edition 2012-10-15 Information technology — Security techniques — Guidelines for identification, collection, acquisition, and preservation of digital evidence Technologies de l'information — Techniques de sécurité — Lignes directrices pour l'identification, la collecte, l'acquisition et la préservation de preuves numériques
ISO/IEC 27037:2012(E) © ISO/IEC 2012 – All rights reserved iii Contents Page Foreword ............................................................................................................................................................. v Introduction ...................................................................................................................................................... vi 1 Scope ..................................................................................................................................................... 1 2 Normative reference ............................................................................................................................ 1 3 Terms and definitions ......................................................................................................................... 2 4 Abbreviated terms ............................................................................................................................... 4 5 Overview ................................................................................................................................................ 6 5.1 Context for collecting digital evidence ........................................................................................... 6 5.2 Principles of digital evidence ............................................................................................................ 6 5.3 Requirements for digital evidence handling .................................................................................. 6 5.3.1 General................................................................................................................................................... 6 5.3.2 Auditability ............................................................................................................................................ 7 5.3.3 Repeatability ......................................................................................................................................... 7 5.3.4 Reproducibility ..................................................................................................................................... 7 5.3.5 Justifiability .......................................................................................................................................... 7 5.4 Digital evidence handling processes .............................................................................................. 8 5.4.1 Overview ................................................................................................................................................ 8 5.4.2 Identification ......................................................................................................................................... 8 5.4.3 Collection .............................................................................................................................................. 9 5.4.4 Acquisition ............................................................................................................................................ 9 5.4.5 Preservation........................................................................................................................................ 10 6 Key components of identification, collection, acquisition and preservation of digital evidence .............................................................................................................................................. 10 6.1 Chain of custody ................................................................................................................................ 10 6.2 Precautions at the site of incident ................................................................................................. 11 6.2.1 General................................................................................................................................................. 11 6.2.2 Personnel ............................................................................................................................................ 11 6.2.3 Potential digital evidence ................................................................................................................ 12 6.3 Roles and responsibilities ............................................................................................................... 12 6.4 Competency ........................................................................................................................................ 13 6.5 Use reasonable care ......................................................................................................................... 13 6.6 Documentation ................................................................................................................................... 14 6.7 Briefing ................................................................................................................................................ 14 6.7.1 General................................................................................................................................................. 14 6.7.2 Digital evidence specific .................................................................................................................. 14 6.7.3 Personnel specific ............................................................................................................................. 15 6.7.4 Real-time incidents ........................................................................................................................... 15 6.7.5 Other briefing information ............................................................................................................... 15 6.8 Prioritizing collection and acquisition .......................................................................................... 16 6.9 Preservation of potential digital evidence .................................................................................... 17 6.9.1 Overview .............................................................................................................................................. 17 6.9.2 Preserving potential digital evidence ............................................................................................ 17 6.9.3 Packaging digital devices and potential digital evidence ......................................................... 17 6.9.4 Transporting potential digital evidence ........................................................................................ 18 7 Instances of identification, collection, acquisition and preservation .................................... 19 7.1 Computers, peripheral devices and digital storage media ....................................................... 19 7.1.1 Identification ....................................................................................................................................... 19 7.1.2 Collection ............................................................................................................................................ 21
ISO/IEC 27037:2012(E) iv © ISO/IEC 2012 – All rights reserved 7.1.3 Acquisition ..........................................................................................................................................25 7.1.4 Preservation ........................................................................................................................................29 7.2 Networked devices ............................................................................................................................29 7.2.1 Identification .......................................................................................................................................29 7.2.2 Collection, acquisition and preservation ......................................................................................31 7.3 CCTV collection, acquisition and preservation ...........................................................................33 Annex A (informative) DEFR core skills and competency description ...................................................35 Annex B (informative) Minimum documentation requirements for evidence transfer .....................37 Bibliography ....................................................................................................................................................38
English