ISO/IEC 27037:2012
Information technology — Security techniques — Guidelines for identification, collection, acquisition and preservation of digital evidence
ISO/IEC 27037:2012 provides guidelines for specific activities in the handling of digital evidence, which are identification, collection, acquisition and preservation of potential digital evidence that can be of evidential value.
It provides guidance to individuals with respect to common situations encountered throughout the digital evidence handling process and assists organizations in their disciplinary procedures and in facilitating the exchange of potential digital evidence between jurisdictions.
ISO/IEC 27037:2012 gives guidance for the following devices and circumstances:
- Digital storage media used in standard computers like hard drives, floppy disks, optical and magneto optical disks, data devices with similar functions,
- Mobile phones, Personal Digital Assistants (PDAs), Personal Electronic Devices (PEDs), memory cards,
- Mobile navigation systems,
- Digital still and video cameras (including CCTV),
- Standard computer with network connections,
- Networks based on TCP/IP and other digital protocols, and
- Devices with similar functions as above.
The above list of devices is an indicative list and not exhaustive.
| Get this standard | Prices exclude GST | |
|---|---|---|
| PDF ( Single user document) |
$343.00 NZD
|
|
| HardCopy |
$389.00 NZD
|
|
| Networkable PDF |
Price varies
|
1 Scope
2 Normative reference
3 Terms and definitions
4 Abbreviated terms
5 Overview
5.1 Context for collecting digital evidence
5.2 Principles of digital evidence
5.3 Requirements for digital evidence handling
5.3.1 General
5.3.2 Auditability
5.3.3 Repeatability
5.3.4 Reproducibility
5.3.5 Justifiability
5.4 Digital evidence handling processes
5.4.1 Overview
5.4.2 Identification
5.4.3 Collection
5.4.4 Acquisition
5.4.5 Preservation
6 Key components of identification, collection, acquisition and preservation of digital evidence
6.1 Chain of custody
6.2 Precautions at the site of incident
6.2.1 General
6.2.2 Personnel
6.2.3 Potential digital evidence
6.3 Roles and responsibilities
6.4 Competency
6.5 Use reasonable care
6.6 Documentation
6.7 Briefing
6.7.1 General
6.7.2 Digital evidence specific
6.7.3 Personnel specific
6.7.4 Real-time incidents
6.7.5 Other briefing information
6.8 Prioritizing collection and acquisition
6.9 Preservation of potential digital evidence
6.9.1 Overview
6.9.2 Preserving potential digital evidence
6.9.3 Packaging digital devices and potential digital evidence
6.9.3.1 Baseline activities: packaging of potential digital evidence
6.9.3.2 Additional activities: packaging of potential digital evidence
6.9.4 Transporting potential digital evidence
7 Instances of identification, collection, acquisition and preservation
7.1 Computers, peripheral devices and digital storage media
7.1.1 Identification
7.1.1.1 Physical incident scene search and documentation
7.1.1.2 Non-digital evidence collection
7.1.1.3 Decision-making process for collection or acquisition
7.1.2 Collection
7.1.2.1 Powered on digital devices
7.1.2.1.1 Overview
7.1.2.1.2 Baseline activities: powered on digital device collection
7.1.2.1.3 Additional activities: powered on digital device collection
7.1.2.2 Powered off digital devices
7.1.2.2.1 Overview
7.1.2.2.2 Baseline activities: powered off digital device collection
7.1.2.2.3 Additional activities: powered off digital device collection
7.1.3 Acquisition
7.1.3.1 Powered on digital devices
7.1.3.1.1 Overview
7.1.3.1.2 Baseline activities: powered on digital device acquisition
7.1.3.1.3 Additional activities: powered on digital device acquisition
7.1.3.2 Powered off digital devices
7.1.3.2.1 Overview
7.1.3.2.2 Acquisition of powered off digital device
7.1.3.3 Mission-critical digital devices
7.1.3.4 Partial acquisition
7.1.3.5 Digital storage media
7.1.4 Preservation
7.2 Networked devices
7.2.1 Identification
7.2.1.1 Overview
7.2.1.2 Physical incident scene search and documentation
7.2.2 Collection, acquisition and preservation
7.2.2.1 Overview
7.2.2.2 Guidelines for networked device collection
7.2.2.3 Guidelines for networked device acquisition
7.2.2.4 Guidelines for networked device preservation
7.3 CCTV collection, acquisition and preservation
Keep me up-to-date
Sign up to receive updates when there are changes to this standard
Related Information
Similar Standards
-
AS/NZS ISO/IEC 27001:2023
Information security, cybersecurity and privacy protection – Information security management systems – Requirements
-
AS/NZS ISO/IEC 27001:2023 A1
Information security, cybersecurity and privacy protection - Privacy enhancing data de-identification framework
-
AS/NZS ISO/IEC 27002:2022
Information security, cybersecurity and privacy protection — Information security controls
-
AS/NZS ISO/IEC 27011:2025
Information security, cybersecurity and privacy protection – Information security controls based on ISO/IEC 27002 for telecommunications organizations
1 Scope
2 Normative reference
3 Terms and definitions
4 Abbreviated terms
5 Overview
5.1 Context for collecting digital evidence
5.2 Principles of digital evidence
5.3 Requirements for digital evidence handling
5.3.1 General
5.3.2 Auditability
5.3.3 Repeatability
5.3.4 Reproducibility
5.3.5 Justifiability
5.4 Digital evidence handling processes
5.4.1 Overview
5.4.2 Identification
5.4.3 Collection
5.4.4 Acquisition
5.4.5 Preservation
6 Key components of identification, collection, acquisition and preservation of digital evidence
6.1 Chain of custody
6.2 Precautions at the site of incident
6.2.1 General
6.2.2 Personnel
6.2.3 Potential digital evidence
6.3 Roles and responsibilities
6.4 Competency
6.5 Use reasonable care
6.6 Documentation
6.7 Briefing
6.7.1 General
6.7.2 Digital evidence specific
6.7.3 Personnel specific
6.7.4 Real-time incidents
6.7.5 Other briefing information
6.8 Prioritizing collection and acquisition
6.9 Preservation of potential digital evidence
6.9.1 Overview
6.9.2 Preserving potential digital evidence
6.9.3 Packaging digital devices and potential digital evidence
6.9.3.1 Baseline activities: packaging of potential digital evidence
6.9.3.2 Additional activities: packaging of potential digital evidence
6.9.4 Transporting potential digital evidence
7 Instances of identification, collection, acquisition and preservation
7.1 Computers, peripheral devices and digital storage media
7.1.1 Identification
7.1.1.1 Physical incident scene search and documentation
7.1.1.2 Non-digital evidence collection
7.1.1.3 Decision-making process for collection or acquisition
7.1.2 Collection
7.1.2.1 Powered on digital devices
7.1.2.1.1 Overview
7.1.2.1.2 Baseline activities: powered on digital device collection
7.1.2.1.3 Additional activities: powered on digital device collection
7.1.2.2 Powered off digital devices
7.1.2.2.1 Overview
7.1.2.2.2 Baseline activities: powered off digital device collection
7.1.2.2.3 Additional activities: powered off digital device collection
7.1.3 Acquisition
7.1.3.1 Powered on digital devices
7.1.3.1.1 Overview
7.1.3.1.2 Baseline activities: powered on digital device acquisition
7.1.3.1.3 Additional activities: powered on digital device acquisition
7.1.3.2 Powered off digital devices
7.1.3.2.1 Overview
7.1.3.2.2 Acquisition of powered off digital device
7.1.3.3 Mission-critical digital devices
7.1.3.4 Partial acquisition
7.1.3.5 Digital storage media
7.1.4 Preservation
7.2 Networked devices
7.2.1 Identification
7.2.1.1 Overview
7.2.1.2 Physical incident scene search and documentation
7.2.2 Collection, acquisition and preservation
7.2.2.1 Overview
7.2.2.2 Guidelines for networked device collection
7.2.2.3 Guidelines for networked device acquisition
7.2.2.4 Guidelines for networked device preservation
7.3 CCTV collection, acquisition and preservation