SIST EN ISO/IEC 27041:2017

SLOVENSKI STANDARD
01-januar-2017
Informacijska tehnologija - Varnostne tehnike - Smernice za zagotavljanje
primernosti in ustreznosti metod za preiskovanje incidentov (ISO/IEC 27041:2015)
Information technology - Security techniques - Guidance on assuring suitability and
adequacy of incident investigative method (ISO/IEC 27041:2015)
Informationstechnik - IT-Sicherheitsverfahren - Leitfaden zur Sicherung der Tauglichkeit
und Eignung von Vorfall-Untersuchungsmethoden (ISO/IEC 27041:2015)
Technologies de l'information - Techniques de sécurité - Directives sur la façon d'assurer
l'aptitude à l'emploi et l'adéquation d'une méthode d'investigation d'incident (ISO/IEC
27041:2015)
Ta slovenski standard je istoveten z: EN ISO/IEC 27041:2016
ICS:
35.030 Informacijska varnost IT Security
2003-01.Slovenski inštitut za standardizacijo. Razmnoževanje celote ali delov tega standarda ni dovoljeno.

EN ISO/IEC 27041
EUROPEAN STANDARD
NORME EUROPÉENNE
August 2016
EUROPÄISCHE NORM
ICS 35.040
English Version
Information technology - Security techniques - Guidance
on assuring suitability and adequacy of incident
investigative method (ISO/IEC 27041:2015)
Technologies de l'information - Techniques de sécurité Informationstechnik - IT-Sicherheitsverfahren -
- Directives sur la façon d'assurer l'aptitude à l'emploi Leitfaden zur Sicherung der Tauglichkeit und Eignung
et l'adéquation d'une méthode d'investigation von Vorfall-Untersuchungsmethoden (ISO/IEC
d'incident (ISO/IEC 27041:2015) 27041:2015)
This European Standard was approved by CEN on 19 June 2016.

CEN and CENELEC members are bound to comply with the CEN/CENELEC Internal Regulations which stipulate the conditions
for giving this European Standard the status of a national standard without any alteration. Up-to-date lists and bibliographical
references concerning such national standards may be obtained on application to the CEN-CENELEC Management Centre or to
any CEN and CENELEC member.
This European Standard exists in three official versions (English, French, German). A version in any other language made by
translation under the responsibility of a CEN and CENELEC member into its own language and notified to the CEN-CENELEC
Management Centre has the same status as the official versions.

CEN and CENELEC members are the national standards bodies of Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic,
Denmark, Estonia, Finland, Former Yugoslav Republic of Macedonia, France, Germany, Greece, Hungary, Iceland, Ireland, Italy,
Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden,
Switzerland, Turkey and United Kingdom.

EUROPEAN COMMITTEE FOR STANDARDIZATION
COMITÉ EUROPÉEN DE NORMALISATIO N

EUROPÄISCHES KOMITEE FÜR NORMUN G

CEN-CENELEC Management Centre: Avenue Marnix 17, B-1000 Brussels
© 2016 CEN and CENELEC All rights of exploitation in any form and by any means Ref. No. EN ISO/IEC 27041:2016 E
reserved worldwide for CEN and CENELEC national
Members.
Contents Page
European foreword . 3

European foreword
The text of ISO/IEC 27041:2015 has been prepared by Technical Committee Committee ISO/IEC JTC 1
“Information technology” of the International Organization for Standardization (ISO) and the
International Electrotechnical Commission (IEC) and has been taken over as EN ISO/IEC 27041:2016.
This European Standard shall be given the status of a national standard, either by publication of an
identical text or by endorsement, at the latest by February 2017, and conflicting national standards
shall be withdrawn at the latest by February 2017.
Attention is drawn to the possibility that some of the elements of this document may be the subject of
patent rights. CEN [and/or CENELEC] shall not be held responsible for identifying any or all such patent
rights.
According to the CEN-CENELEC Internal Regulations, the national standards organizations of the
following countries are bound to implement this European Standard: Austria, Belgium, Bulgaria,
Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, Former Yugoslav Republic of Macedonia,
France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta,
Netherlands, Norway, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, Switzerland,
Turkey and the United Kingdom.
Endorsement notice
The text of ISO/IEC 27041:2015 has been approved by CEN as EN ISO/IEC 27041:2016 without any
modification.
INTERNATIONAL ISO/IEC
STANDARD 27041
First edition
2015-06-15
Information technology — Security
techniques — Guidance on assuring
suitability and adequacy of incident
investigative method
Technologies de l’information — Techniques de sécurité — Directives
sur la façon d’assurer l’aptitude à l’emploi et l’adéquation d’une
méthode d’investigation d’incident
Reference number
ISO/IEC 27041:2015(E)
©
ISO/IEC 2015
ISO/IEC 27041:2015(E)
© ISO/IEC 2015
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized otherwise in any form
or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior
written permission. Permission can be requested from either ISO at the address below or ISO’s member body in the country of
the requester.
ISO copyright office
Case postale 56 • CH-1211 Geneva 20
Tel. + 41 22 749 01 11
Fax + 41 22 749 09 47
E-mail copyright@iso.org
Web www.iso.org
Published in Switzerland
ii © ISO/IEC 2015 – All rights reserved

ISO/IEC 27041:2015(E)
Contents Page
Foreword .iv
Introduction .v
1 Scope . 1
2 Normative references . 1
3 Terms and definitions . 1
4 Symbols and abbreviated terms . 4
5 Method development and assurance . 4
5.1 Overview . 4
5.2 General principles . 4
5.3 General development and deployment model . 4
5.4 Assurance stages . 5
5.5 Requirements capture and analysis . 6
5.5.1 General principles of requirements . 6
5.5.2 Functional Requirements . 7
5.5.3 Verification of requirements . 7
5.6 Process Design . 7
5.6.1 Overview . 7
5.6.2 Tool Selection . 7
5.6.3 Uncertainty and risk evaluation . 7
5.7 Process Implementation . 8
5.7.1 Overview . 8
5.7.2 Tool choice — guidance for deployment . 8
5.8 Process Verification . 8
5.8.1 General principles of verification . 8
5.8.2 Verification of processes . 9
5.8.3 Verification of tools . 9
5.9 Process Validation . 9
5.9.1 General principles of validation . 9
5.9.2 Comprehensive validation . 9
5.9.3 Sufficient validation . 9
5.9.4 Fully validated processes .10
5.9.5 Failed validation .10
5.10 Confirmation .10
5.11 Deployment .10
5.11.1 Tool choice .10
5.12 Review and Maintenance .10
6 Assurance Models .11
6.1 Overview .11
6.2 In-house assurance .11
6.3 External assurance .11
6.4 Mixed assurance .11
7 Production of evidence for assurance .11
7.1 Overview .11
7.2 Pre-validation preparation .12
7.3 Producing Evidence of Validation .12
7.4 Maintenance of Validation .12
7.5 Validation of Examinations .12
7.6 Validation of Investigations .13
Annex A (informative) Examples .14
Bibliography .18
© ISO/IEC 2015 – All rights reserved iii

ISO/IEC 27041:2015(E)
Foreword
ISO (the International Organization for Standardization) and IEC (the International Electrotechnical
Commission) form the specialized system for worldwide standardization. National bodies that are
members of ISO or IEC participate in the development of International Standards through technical
committees established by the respective organization to deal with particular fields of technical
activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international
organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the
work. In the field of information technology, ISO and IEC have established a joint technical committee,
ISO/IEC JTC 1.
The procedures used to develop this document and those intended for its further maintenance are
described in the ISO/IEC Directives, Part 1. In particular the different approval criteria needed for
the different types of document should be noted. This document was drafted in accordance with the
editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives).
Attention is drawn to the possibility that some of the elements of this document may be the subject
of patent rights. ISO and IEC shall not be held responsible for identifying any or all such patent rights.
Details of any patent rights identified during the development of the document will be in the Introduction
and/or on the ISO list of patent declarations received (see www.iso.org/patents).
Any trade name used in this document is information given for the convenience of users and does not
constitute an endorsement.
For an explanation on the meaning of ISO specific terms and expressions related to conformity
assessment, as well as information about ISO’s adherence to the WTO principles in the Technical Barriers
to Trade (TBT) see the following URL: Foreword - Supplementary information
The committee responsible for this document is ISO/IEC JTC 1, Information technology, SC 27, IT Security
techniques.
iv © ISO/IEC 2015 – All rights reserved

ISO/IEC 27041:2015(E)
Introduction
About this International Standard
This International Standard is concerned with providing assurance that the investigative process used
is appropriate for the incident under investigation and the results which are required. It also describes,
at an abstract level, the concept of breaking seemingly complex processes into a series of smaller atomic
parts, which should aid in the development of simple, yet robust, investigation methods. It should be
considered by any person authorising, giving instruction for, managing, or conducting an investigation.
It should be applied prior to any investigation, in the context of principles and processes (defined in
1)
ISO/IEC 27043:2015) and sound preparation and planning (defined in ISO/IEC 27035-2 ) to ensure the
suitability of methods to be applied in the investigative processes described in ISO/IEC 27037:2012 and
ISO/IEC 27042:2015.
Relationship to other standards
This International Standard is intended to complement other standards and documents which give
guidance on the investigation of, and preparation to investigate, information security incidents. It is not
a comprehensive guide, but lays down certain fundamental principles which are intended to ensure that
tools, techniques, and methods can be selected appropriately and shown to be fit for purpose should the
need arise.
This International Standard also intends to inform decision-makers that need to determine the
reliability of digital evidence presented to them. It is applicable to organizations needing to protect,
analyse, and present potential digital evidence. It is relevant to policy-making bodies that create and
evaluate procedures relating to digital evidence, often as part of a larger body of evidence.
This International Standard describes part of a comprehensive investigative process which includes, but
is not limited to, the following topic areas:
— incident management, including preparation and planning for investigations;
— handling of digital evidence;
— use of, and issues caused by, redaction;
— intrusion prevention and detection systems, including information which can be obtained from
these systems;
— security of storage, including sanitization of storage;
— ensuring that investigative methods are fit for purpose;
— carrying out analysis and interpretation of digital evidence;
— understanding principles and processes of digital evidence investigations;
— security incident event management, including derivation of evidence from systems involved in
security incident event management;
— relationship between electronic discovery and other investigative methods, as well as the use of
electronic discovery techniques in other investigations;
— governance of investigations, including forensic investigations.
These topic areas are addressed, in part, by the following ISO/IEC standards:
— ISO/IEC 27037:2012
1) To be published.
© ISO/IEC 2015 – All rights reserved v

ISO/IEC 27041:2015(E)
This International Standard describes the means by which those involved in the early stages of an
investigation, including initial response, can ensure that sufficient potential digital evidence is captured
to allow the investigation to proceed appropriately.
— ISO/IEC 27038:2014
Some documents can contain information that must not be disclosed to some communities. Modified
documents can be released to these communities after an appropriate processing of the original
document. The process of removing information that is not to be disclosed is called “redaction”.
The digital redaction of documents is a relatively new area of document management practice, raising
unique issues and potential risks. Where digital documents are redacted, removed information must
not be recoverable. Hence, care needs to be taken so that redacted information is permanently removed
from the digital document (e.g. it must not be simply hidden within non-displayable portions of the
document).
ISO/IEC 27038:2014 specifies methods for digital redaction of digital documents. It also specifies
requirements for software that can be used for redaction.
— ISO/IEC 27040:2015
This International Standard provides detailed technical guidance on how organizations can define
an appropriate level of risk mitigation by employing a well-proven and consistent approach to the
planning, design, documentation, and implementation of data storage security. Storage security applies
to the protection (security) of information where it is stored and to the security of the information
being transferred across the communication links associated with storage. Storage security includes
the security of devices and media, the security of management activities related to the devices and
media, the security of applications and services, and security relevant to end-users during the lifetime
of devices and media and after end of use.
Security mechanisms like encryption and sanitization can affect one’s ability to investigate by
introducing obfuscation mechanisms. They have to be considered prior to and during the conduct of
an investigation. They can also be important in ensuring that storage of evidential material during and
after an investigation is adequately prepared and secured.
— ISO/IEC 27042:2015
This International Standard describes how methods and processes to be used during an investigation
can be designed and implemented in order to allow correct evaluation of potential digital evidence,
interpretation of digital evidence, and effective reporting of findings.
— ISO/IEC 27043:2015
This International Standard defines the key common principles and processes underlying the
investigation of incidents and provides a framework model for all stages of investigations.
The following ISO/IEC projects also address, in part, the topic areas identified above and can lead to the
publication of relevant standards at some time after the publications of this International Standard.
2)
— ISO/IEC 27035 (all parts)
This is a three-part standard that provides organizations with a structured and planned approach to
the management of security incident management. It is composed of
3)
— ISO/IEC 27035-1
2) To be published.
3) To be published.
vi © ISO/IEC 2015 – All rights reserved

ISO/IEC 27041:2015(E)
This part presents basic concepts and phases of information security incident management. It combines
these concepts with principles in a structured approach to detecting, reporting, assessing, responding,
and applying lessons learned.
4)
— ISO/IEC 27035-2
This part presents the concepts to plan and prepare for incident response. The concepts, including
incident management policy and plan, incident response team establishment, and awareness briefing
5)
and training, are based on the plan and prepare phase of the model presented in ISO/IEC 27035-1 . This
part also covers the “Lessons Learned” phase of the model.
6)
— ISO/IEC 27035-3
This part includes staff responsibilities and practical incident response activities across the organization.
Particular focus is given to the incident response team activities such including monitoring, detection,
analysis, and response activities for the collected data or security events.
7)
— ISO/IEC 27050 (all parts)
This addresses activities in electronic discovery, including, but not limited to identification, preservation,
collection, processing, review, analysis, and production of electronically stored information (ESI).
In addition, it provides guidance on measures, spanning from initial creation of ESI through its final
disposition, which an organization can undertake to mitigate risk and expense should electronic
discovery become an issue. It is relevant to both non-technical and technical personnel involved in some
or all of the electronic discovery activities. It is important to note that this guidance is not intended to
contradict or supersede local jurisdictional laws and regulations.
Electronic discovery often serves as a driver for investigations, as well as evidence acquisition and
handling activities. In addition, the sensitivity and criticality of the data sometimes necessitate
protections like storage security to guard against data breaches.
— ISO/IEC 30121:2015
This International Standard provides a framework for governing bodies of organizations (including
owners, board members, directors, partners, senior executives, or similar) on the best way to prepare
an organization for digital investigations before they occur. This International Standard applies to the
development of strategic processes (and decisions) relating to the retention, availability, access, and
cost effectiveness of digital evidence disclosure. This International Standard is applicable to all types
and sizes of organizations. The International Standard is about the prudent strategic preparation for
digital investigation of an organization. Forensic readiness ensures that an organization has made the
appropriate and relevant strategic preparation for accepting potential events of an evidential nature.
Actions may occur as the result of inevitable security breaches, fraud, and reputation assertion. In every
situation, information technology (IT) has to be strategically deployed to maximize the effectiveness of
evidential availability, accessibility, and cost efficiency
Figure 1 shows typical activities surrounding an incident and its investigation. The numbers shown in
this diagram (e.g. 27037) indicate the International Standards listed above and the shaded bars show
where each is most likely to be directly applicable or has some influence over the investigative process
(e.g. by setting policy or creating constraints). It is recommended, however, that all should be consulted
prior to, and during, the planning and preparation phases. The process classes shown are defined fully
in this International Standard and the activities identified match those discussed in more detail in
ISO/IEC 27035-2, ISO/IEC 27037:2012, and ISO/IEC 27042:2015.
4) To be published.
5) To be published.
6) To be published.
7) New project.
© ISO/IEC 2015 – All rights reserved vii

ISO/IEC 27041:2015(E)
Figure 1 — Applicability of standards to investigation process classes and activities
viii © ISO/IEC 2015 – All rights reserved

INTERNATIONAL STANDARD ISO/IEC 27041:2015(E)
Information technology — Security techniques —
Guidance on assuring suitability and adequacy of incident
investigative method
1 Scope
This International Standard provides guidance on mechanisms for ensuring that methods and processes
used in the investigation of information security incidents are “fit for purpose”. It encapsulates best
practice on defining requirements, describing methods, and providing evidence that implementations of
methods can be shown to satisfy requirements. It includes consideration of how vendor and third-party
testing can be used to assist this assurance process.
This document aims to
— provide guidance on the capture and analysis of functional and non-functional requirements
relating to an Information Security (IS) incident investigation,
— give guidance on the use of validation as a means of assuring suitability of processes involved in the
investigation,
— provide guidance on assessing the levels of validation required and the evidence required from a
validation exercise,
— give guidance on how external testing and documentation can be incorporated in the validation
process.
2 Normative references
The following documents, in whole or in part, are normatively referenced in this document and are
indispensable for its application. For dated references, only the edition cited applies. For undated
references, the latest edition of the referenced document (including any amendments) applies.
ISO/IEC 27000:2013, Information technology — Security techniques — Information security management
systems — Overview and vocabulary
3 Terms and definitions
For the purposes of this document, the terms and definitions in ISO/IEC 27000:2013 and the following
apply.
3.1
atomic
performing a single function only
Note 1 to entry: A method (3.11) for recovery of all live files from a device can be atomic if it relies solely on the
use of filesystem meta-data. A method for recovery of all deleted files is unlikely to be atomic as it will require
sub-methods which identify and extract particular file structures from the data on the storage device based on
knowledge of file contents (e.g. .jpg, .png, .odt, XML, etc.).
3.2
black box testing
examining a process by using it to process known inputs and comparing the results against predicted
outputs which reflect the requirements for the process
© ISO/IEC 2015 – All rights reserved 1

ISO/IEC 27041:2015(E)
3.3
client
person or organisation on whose behalf the investigation is to be undertaken
[SOURCE: ISO/IEC 27042:2015, 3.2]
3.4
confirmation
formal assessment of existing objective evidence that a process is fit (or remains fit) for a specified
purpose
3.5
contemporaneous notes
contemporaneous record
written record of actions taken and decisions made, produced at the same time or as soon afterwards as
is practically possible, as the actions and decisions it records
Note 1 to entry: In many jurisdictions, it is necessary for contemporaneous notes to be handwritten in non-
erasable ink in a tamper-evident notebook to assist with issues of authenticity and admissibility.
[SOURCE: ISO/IEC 27042:2015, 3.4]
3.6
examination
set of processes applied to identify and retrieve relevant potential digital evidence from one or more
sources
[SOURCE: ISO/IEC 27042:2015, 3.7]
3.7
investigation
application of examinations (3.6), analyses, and interpretation to aid understanding of an incident
[SOURCE: ISO/IEC 27042:2015, 3.10]
3.8
investigative lead
person leading the investigation at a strategic level
[SOURCE: ISO/IEC 27042:2015, 3.11]
3.9
investigative team
all persons involved directly in the conduct of the investigation
[SOURCE: ISO/IEC 27042:2015, 3.12]
3.10
investigator
member of the investigative team (3.9), including the investigative lead (3.8)
[SOURCE: ISO/IEC 27042:2015, 3.13]
3.11
method
definition of an operation which can be used to produce data or derive information as an output from
specified inputs
Note 1 to entry: Ideally, a method (3.11) should be atomic (3.1) (i.e. it should not perform more than one function)
in order to enable re-use of methods and the processes (3.12) derived from them and to reduce the amount of work
required to validate processes.
2 © ISO/IEC 2015 – All rights reserved

ISO/IEC 27041:2015(E)
3.12
process
operational implementation of a method (3.11)
3.13
producer
creator or provider of a tool (3.17), including anyone who modifies or customises a tool
Note 1 to entry: The person(s) or organization(s) responsible for the creation or maintenance of a tool or
customisation of a tool is the producer.
Note 2 to entry: Providing scripts to automate common functions modifies or customises a tool.
3.14
requirements
statement which translates or expresses a need and its associated constraints and conditions
Note 1 to entry: Requirements exist at different tiers and express the need in high-level form (e.g. software
component requirement).
[SOURCE: ISO/IEC IEEE 29148:2011, 4.1.17]
3.15
requirements analysis
process (3.12) through which understanding and prioritisation of the requirements (3.14) is achieved
3.16
requirements capture
process (3.12) through which the requirements (3.14) for a process are discovered, reviewed, articulated,
and documented
3.17
tool
software, hardware, or firmware used in a process (3.12)
3.18
validation
confirmation (3.4), through the provision of objective evidence, that the requirements (3.14) for a specific
intended use or application have been fulfilled
Note 1 to entry: Validation is carried out on a process (3.12) to ensure that it is fit for purpose, i.e. to ensure that
the process, as implemented, produces expected results in a consistent, repeatable, and reproducible manner.
[SOURCE: ISO/IEC 27004:2009, 3.17, Modified – Note 1 to entry has been added]
3.19
validation set
series of objective tests with clearly defined goals, inputs, and outputs, directly related to the agreed
requirements (3.14) for the process (3.12) under validation (3.18)
3.20
verification
confirmation (3.4), through the provision of objective evidence, that specified requirements have been
fulfilled
Note 1 to entry: Verification only provides assurance that a product conforms to its specification.
[SOURCE: ISO/IEC 27004:2009, 3.18, Modified – Original note was removed, Note 1 to entry has been
added]
© ISO/IEC 2015 – All rights reserved 3

ISO/IEC 27041:2015(E)
3.21
verification function
function which is used to verify that two sets of data are identical
[SOURCE: ISO/IEC 27037:2012, 3.25, Modified – Notes were removed]
3.22
white box testing
testing which includes inspection of the implementation detail
3.23
work instruction
detailed description of how to perform and record a process (3.12)
[SOURCE: ISO/TR 10013:2001, 3.1, Modified - changed from plural to singular, task changed to process]
4 Symbols and abbreviated terms
ATA AT Attachment
SATA Serial ATA
USB Universal Serial Bus
5 Method development and assurance
5.1 Overview
Assurance of suitability and adequacy of incident investigation methods can be required in order
to demonstrate clearly that the investigator used methods which were fit for the purpose(s) of the
investigation and used methods which were not subject to unacceptable errors or uncertainty. Digital
evidence resulting from the application of unassured methods can be considered inherently flawed and
subject to challenge which can result in it being rendered useless for the purposes of the investigation.
This standard presents an assurance model which includes all stages of development of the activities
which make up an investigation, as described in ISO/IEC 27042:2015, from initial specification through
to deployment and maintenance.
5.2 General principles
Assuring suitability and adequacy of incident investigation methods should follow a suitable model,
such as the Plan-Do-Check-Act model used in ISO/IEC 9001:2000, in order to ensure that all processes
are subject to review at least as often as they are used.
5.3 General development and deployment model
Prior to a process being deployed for use in investigations, it should undergo a proper development
process in order to ensure that it is fit for purpose. Figure 2 shows typical stages in this process, which
are:
— Requirements capture and analysis
— Process design
— Process implementation
— Process verification (optional and non-essential)
— Process validation
4 © ISO/IEC 2015 – All rights reserved

ISO/IEC 27041:2015(E)
— Confirmation
— Deployment
— Review and maintenance
Each of these stages is discussed in more detail below.
5.5
5.12
5.11
5.6
5.10
5.7
5.9
5.8
Figure 2 — Development and deployment process, including assurance stages
5.4 Assurance stages
Assurance should be included in the development model, above, in the following key assurance stages:
— Requirements capture and analysis
— Process validation
— Confirmation
— Review and maintenance
NOTE Further guidance on the conduct of these stages is given in the description of assurance models in
Clause 5.
© ISO/IEC 2015 – All rights reserved 5

ISO/IEC 27041:2015(E)
5.5 Requirements capture and analysis
5.5.1 General principles of requirements
Prior to designing a process for use in an examination, a proper set of requirements should be produced,
accepted by the client and recorded in accordance with good practice. This set of requirements should be
derived from the requirements identified for the complete investigation and may include both functional
and non-functional requirements.
Each requirement defines an essential capability, characteristic or quality factor. Each individual
requirement statement should be necessary, implementation-free (i.e. it states only what is required,
not how the requirement should be met), unambiguous, complete, singular and consistent with the
remainder of the requirements in the set.
Requirements vary in intent and in the kinds of properties they represent. They can be grouped together
into similar types to aid in analysis and verification. Examples of types of requirements include:
— Functional – describe the functions or tasks to be performed and will include such considerations
as expected inputs and outputs;
— Performance – defines the extent, how well, and under what conditions a function or task is to be
performed;
— Interface – defines how the solution interacts with external systems, or how elements within the
solution (including human elements) interact with each other;
— Process – include compliance with local laws and processes or administrative requirements;
— Non-functional – define how a solution is supposed to be, including quality requirements such as
portability, reliability, maintainability and security, or human factors requirements such as safety,
efficiency or health and wellbeing.
In addition to all essential requirements, the lists of requirements produced should also include clear
definitions of the boundaries of operation associated with the anticipated potential digital evidence
and related investigative processes (e.g. maximum file sizes, maximum and minimum number of input
values).
A new list of requirements may need to be formulated for each investigation undertaken to ensure the
examination correctly fulfils the specific case requirements. Using a monolithic approach to the design
would require a significant validation overhead and so the user should where practically possible select
predefined atomic stages which are compatible with dynamic user definable input parameters.
In that way the unique changes to the requirements will typically be limited to the specific case
input parameters, and so the case specific validation would predominantly be limited to the specific
parameters supplied to the case under investigation, and not the underlying function or process which
should have been designed at the readiness phase.
EXAMPLE While specific keyword searches will be directly dependent on the case being investigated the
keyword filter process should, if designed correctly, be an atomic process which is independent of the keywords
used. The area which requires unique case specific validation be the definition of the correctness of the keyword[s]
applied (i.e. the undefined uncertainty error will be in the user’s design of the specific search terms used, for
instance only searching for “Joe Blogs” would miss references to “Joe Bloggs”, “Mr Blogs”, “J. Blogs”, “Joe”, “Joey”,
etc.).
The incident under investigation should be clearly identified and defined, including limitations to the
scope of the investigation. Sources of potential digital evidence and questions to be answered should be
identified. Sources of risk and their potential effects on the investigation, personnel and systems should
also be identified.
6 © ISO/IEC 2015 – All rights reserved

ISO/IEC 27041:2015(E)
Once the requirements for the investigation have been identified, the investigative team should then
develop requirements for the examinations, analyses and processes which will make up the investigation
(see ISO/IEC 27042:2015).
5.5.2 Functional Requirements
Functional requirements are those stemming directly from investigative needs and which are expected
by the users of the process. They do not define how the process should operate but will include such
considerations as expected inputs and outputs. All functional requirements should be satisfied by the
investigation.
EXAMPLE The need to process a particular type of filesystem is a functional requirement as it is derived
directly from a source of potential digital evidence.
5.5.3 Verification of requirements
Undertaking an exercise to verify the requirements will ensure that the specified requirements are well
formed and that the needs of the investigative method have been adequately expressed. It involves an
analysis of the recorded requirements to identify problems such as conflicting, missing, incomplete,
ambiguous, inconsistent or incongruous requirements. Any identified problems should be resolved
before moving on to subsequent assurance stages.
5.6 Process Design
5.6.1 Overview
The design of a process should take account of all requirements identified as a result of the requirement
capture and analysis stages. It should give detail of how the method will be implemented, taking account
of accepted non-functional requirements and is the point at which tool selection should be carried out.
Design need not specify the exact detail of each element of the process, but should clearly identify the
flow of activity and evidential material from one step to the next.
5.6.2 Tool Selection
During the design phase, any tools which may participate in the process should be identified and their
role(s) in the resulting process identified. Where several tools can perform the same function in the
process, it may be useful to identify some or all of these tools in order to cope with variation in operating
environments (e.g. write blockers may offer different interfaces such as ATA, SATA, USB etc.) Care should
be taken, however, to ensure that allowing for variable requirements in this way does not advers
...