ISO/IEC 27037 and ISO/IEC 27042 provide a model of investigation which covers the complete process from detection of an incident through to production of a final report to aid understanding of how the incident occurred.

ISO/IEC 27041 deals with ways to ensure that the methods used in investigation are fit for purpose.

In this introductory guide, we'll deal with the major elements of the investigative model used in ISO/IEC 27037 and ISO/IEC 27042.

Stages of investigation

Once an incident has been detected, the goal is to collect and secure as much potential evidence as possible and then to analyse it for relevance and interpret its meaning and significance in order to produce a final report which explain what happened, how it happened and give some insights into how it might be prevented from happening again. The model used in the standards can be summarised as the acronym ICAPAIR

Contemporaneous notes

Throughout the process, detailed contemporaneous notes (see our guides for more information) MUST be taken to avoid possible problems surrounding continuity of evidence - i.e. to establish who had custody of the evidence at all times after the investigation commenced. If there is any break in the chain of custody (i.e. a time when it is not clear where the evidence was or who had control of it), then its authenticity can be called in to question, rendering it useless.


Although the model described will allow a good investigation to be carried out, it's a bit like going into a kitchen and starting to cook without doing any preparation - opening cupboards at random to see what ingredients are available. Something will come out of it, eventually, but it won't necessarily be the best dish possible and it will take much longer and cost more than it should. Ideally, therefore, a form of "mise en place" or advance preparation should be carried out as early as possible - preferably before the need for investigation appears.

This will involve auditing systems to identify where key business functions are being carried out, which data is being held where, and how systems interact with one another, to produce a comprehensive log of all sources of potential digital evidence. Furthermore, wherever possible, systems should be tuned to ensure that they collect data which has the potential to be digital evidence, or at least keep it available for long enough for it to be useful. Of course, there is a cost associated with this in the form of extra storage requirements, but the absence of data is likely to mean an absence of evidence and thus make an investigation inompleted or impossible.

If you have any thoughts on this process, or would like help with preparing for or conducting investigations, please contact ngate ltd. now.