BS ISO IEC 27043-2015 pdf free download – Information technology — Security techniques — Incident investigation principles and processes.
5 Digital investigations
5.1 General principles
Digital investigations are in practice applied whenever it is needed to investigate digital evidence as a result of an incident, whether an incident is of criminal nature or not. There are many kinds of digital investigations, such as on desktop computers, laptops, servers, data repositories, handheld/mobile device investigations, investigations on live data (e.g. network and volatile data investigations), and investigations on digital appliances such as DVRs, game consoles, and control systems. The digital investigation process, however, is formulated in such a way that it is applicable to any kind of digital investigation.
5.2 Legal principles
An overview is given of the legal requirements pertaining to digital investigations and especially the admissibility of digital evidence in a court of law. It should be noted that legal requirements may differ extensively in different jurisdictions across the world. The premise is not to advocate specific legal systems, but rather to note the generic requirements in terms of legal issues that can be adopted by the legal system of a specific jurisdiction. Depending on the particular laws in a particular jurisdiction, specific consideration and care should be taken when an accused is found to be innocent in a court of law. For example, due diligence and care should be taken to ensure
— safe deletion (see ISO/IEC 27040) of the evidence and case data at the end of the court case if so required,
— secure preservation of the media and devices holding the potential digital evidence as far as possible, secure preservation of the digital evidence itself and secure preservation of the investigation results for possible future reference, and
— notification to the subject of the investigation results.
In some jurisdictions it is acceptable that if scientific, technical, or other specialized knowledge will assist the court to understand the evidence or to determine a fact in issue, a witness accepted as an expert by virtue of their experience, knowledge, skill, training, or education, may testify thereto in the form of an opinion.[2] To help assure admissibility of expert opinion, the following factors should be considered (as applicable in the particular jurisdiction):
— whether the theories and techniques employed by the scientific expert have been tested;
— whether they have been subjected to peer review and publication;
— if an error rate for the technique is known it should be reported;
— whether they are subject to standards governing their application;
— whether the theories and techniques employed by the expert enjoy widespread acceptance.
NOTE The admissibility of the evidence itself and the admissibility of expert opinion about the interpretation of the evidence are two different issues to consider. For example, a technical witness may be able to testify about how evidence was acquired, preserved, etc. to address the adequacy of those processes without the necessity of qualifying as an expert. In other words, the expert may also testify to technical facts. Also see ISO/IEC 27042:—, 8.2.

Requirements for admissibility may vary considerably between jurisdictions and for that reason it is highly advisable to obtain competent legal advice regarding those specific requirements. However, many jurisdictions will include at least the following in their admissibility requirements for evidence:
— relevance — the evidence should have some relevance to the facts in dispute.