The basic investigative model in ISO/IEC 27037 and 27042
ISO/IEC 27037 and ISO/IEC 27042 provide a model of investigation which covers the complete process from detection of an incident through to production of a final report to aid understanding of how the incident occurred.
ISO/IEC 27041 deals with ways to ensure that the methods used in investigation are fit for purpose.
In this introductory guide, we'll deal with the major elements of the investigative model used in ISO/IEC 27037 and ISO/IEC 27042.
Stages of investigation
Once an incident has been detected, the goal is to collect and secure as much potential evidence as possible and then to analyse it for relevance and interpret its meaning and significance in order to produce a final report which explain what happened, how it happened and give some insights into how it might be prevented from happening again. The model used in the standards can be summarised as the acronym ICAPAIR
- I - Identify the sources of potential digital evidence - i.e. the devices and stores, including remote stores out in the cloud or elsewhere, which might contain data which could be relevant.
- C - Collect the sources, as many as possible. Often it will be possible to physically remove the sources from the site so the next stage can be carried out under controlled lab. conditions, but it is sometimes necessary to combine this stage with the next one in order to avoid disrupting operations. In essence, the collection stage requires that the investigator controls access to the source until the next stage is complete.
- A - Acquire the potential digital evidence by extracting it from the sources, ideally using a system which allows for verification that the extracted data is identical to that on the source. In cases where verification is not possible, the method should be provably appropriate using the techniques described in ISO/IEC 27041 (as should every other method used).
- P - Preserve the extracted data in a way which prevents or avoids modification and ensures that it can be reliably and repeatably used as if it was the original.
- A - Analyse the preserved data to determine if it has relevance. This is the stage at which the totality of potential digital evidence starts to be reduced and only the relevant digital evidence is passed on.
- I - Interpet the digital evidence to build up a picture of what happened and how it happened, and to determine which of the remaining potential digital evidence needs to be considered next. (This stage and the preceding ones form an interative process and there may be several loops around them until sufficient evidence has been processed to allow proper understanding to be achieved).
- R - Report, in a form which is appropriate for the "customer" or target audience, the findings of the investigation, remember to list any constraints on the investigation and to make clear what are facts and what are opinions.
Throughout the process, detailed contemporaneous notes (see our guides for more information) MUST be taken to avoid possible problems surrounding continuity of evidence - i.e. to establish who had custody of the evidence at all times after the investigation commenced. If there is any break in the chain of custody (i.e. a time when it is not clear where the evidence was or who had control of it), then its authenticity can be called in to question, rendering it useless.
Although the model described will allow a good investigation to be carried out, it's a bit like going into a kitchen and starting to cook without doing any preparation - opening cupboards at random to see what ingredients are available. Something will come out of it, eventually, but it won't necessarily be the best dish possible and it will take much longer and cost more than it should. Ideally, therefore, a form of "mise en place" or advance preparation should be carried out as early as possible - preferably before the need for investigation appears.
This will involve auditing systems to identify where key business functions are being carried out, which data is being held where, and how systems interact with one another, to produce a comprehensive log of all sources of potential digital evidence. Furthermore, wherever possible, systems should be tuned to ensure that they collect data which has the potential to be digital evidence, or at least keep it available for long enough for it to be useful. Of course, there is a cost associated with this in the form of extra storage requirements, but the absence of data is likely to mean an absence of evidence and thus make an investigation inompleted or impossible.
If you have any thoughts on this process, or would like help with preparing for or conducting investigations, please contact n-gate ltd. now.