Collecting evidence is not easy...

Incident management is becoming increasingly important within information security as the realization grows that even the most effective defense in depth doesn’t always prevent a breach from happening. The ISO27001 standard dedicates section A.16 of Annex A to a selection of seven controls designed to make incident management as good as it can be in the circumstances. One of these controls, A.16.1.7, deals with the collection of evidence, stating that “The organization shall define and apply procedures for the identification, collection, acquisition and preservation of information, which can serve as evidence.”

An excellent demonstration of the principles and tools involved in such digital forensics was given recently by Russ May, Visiting Professor at Sunderland University in the UK, at a meeting of the information security group ISACA, and I will attempt to pass on some of the main points here.

A specialist area

The first thing to say is that this is a very specialist area and things have to be done in a certain way, otherwise the evidence will be inadmissible in court. In ISO27001 terms this means that your procedures need to acknowledge that and take the initial steps to secure the scene and avoid making any basic errors. As far as the control goes, it is perfectly acceptable within ISO27001 to then call in a specialist organization who will take over from there. The investigation of the evidence should then take place under the control of your incident management procedures (Annex A – A.16.1.1 Responsibility and procedures), often led by your legal team.

So what should the first responders know about securing the scene before the specialists arrive? Well, there are four principles that are generally accepted as good practice to ensure that evidence stays admissible.

Principle 1

Don’t change any data. If anyone does anything that results in the data on the relevant system being altered in any way then this will affect any subsequent court case. Examples could be as simple as waking up a laptop or logging on. So think before you touch anything.

Principle 2

(Really one for the specialists, this) Only access the original data in exceptional circumstances. The first thing a specialist will do is use some tools to take a bit copy of any data held in memory, whether it’s on a hard disk, flash memory or maybe a SIM card on a phone. All analysis then takes place on the copy and the original is never touched unless maybe time is of the essence and gaining information to prevent a further crime is more important than keeping the evidence admissible (this is rare).

Principle 3

Always keep an audit trail of what has been done. Forensic tools will do this automatically but this also applies to the first people on the scene. Taking photographs and videos is encouraged as long as you don’t touch anything to do it.
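Principles 2 and 3 in practice: the helper below (an added example, not part of Professor May's talk or the article) takes a bit copy of a source, hashes the original and the copy, and records who did what and when in a custody log, so the copy can later be proven unaltered. It assumes GNU coreutils (dd, sha256sum, date) on Linux; the "device" is a constructed file so it runs offline, where on real media it would be a block device behind a hardware write blocker.

```shell
#!/bin/sh
# Added example: minimal forensic acquisition with integrity hashes and an
# audit trail. Assumes GNU coreutils on Linux. Not the article's own code.

# acquire_image SOURCE IMAGE LOG OPERATOR
#   Copies SOURCE bit-for-bit to IMAGE, hashes both, appends a timestamped
#   audit entry to LOG, and returns 0 only if the two hashes match.
acquire_image() {
    src="$1"; img="$2"; log="$3"; operator="$4"

    # Hash the original first so any later change to it is detectable.
    src_hash=$(sha256sum "$src" | cut -d' ' -f1)

    # Bit copy of the source. (On damaged media, conv=noerror,sync would keep
    # going past bad sectors, but it pads partial blocks, so the image hash
    # would then legitimately differ from the source hash.)
    dd if="$src" of="$img" bs=4096 2>/dev/null || return 1

    img_hash=$(sha256sum "$img" | cut -d' ' -f1)
    ts=$(date -u +%Y-%m-%dT%H:%M:%SZ)

    # Audit trail: when, who, which tool, and the hashes that prove integrity.
    printf '%s\t%s\tdd bs=4096\t%s\t%s\t%s\t%s\n' \
        "$ts" "$operator" "$src" "$src_hash" "$img" "$img_hash" >> "$log"

    # Verification: the working copy must hash identically to the original.
    [ "$src_hash" = "$img_hash" ]
}

# verify_image IMAGE LOG
#   Re-hashes IMAGE and compares it with the hash recorded in LOG at
#   acquisition time, showing the copy was not altered during analysis.
verify_image() {
    img="$1"; log="$2"
    recorded=$(awk -F'\t' -v i="$img" '$6 == i { h = $7 } END { print h }' "$log")
    current=$(sha256sum "$img" | cut -d' ' -f1)
    [ -n "$recorded" ] && [ "$recorded" = "$current" ]
}

# Constructed sample "evidence" so the example runs without real hardware.
workdir=$(mktemp -d)
printf 'constructed sample evidence: contact list, last GPS fix\n' > "$workdir/device.bin"
chmod 0444 "$workdir/device.bin"   # treat the original as read-only from now on

acquire_image "$workdir/device.bin" "$workdir/device.dd" "$workdir/custody.log" "first-responder" \
    && echo "image verified; custody log at $workdir/custody.log"
```

Every entry in the custody log is a line the specialist can later re-check against the image, which is what makes the working copy, rather than the untouched original, usable in the analysis.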

Principle 4

The person in charge must ensure that the guidelines are followed. Few excuses are accepted in court so training staff to respond appropriately is a must.

Data is very persistent

Obviously digital evidence comes in an increasing variety of forms, with mobile phones and tablets now taking over from laptops as the major focus of investigations in criminal cases. The sheer volume and level of detail that can be extracted from many of these devices is remarkable, even after they have theoretically been wiped by reset routines. Professor May gave an example of a wiped Blackberry purchased second-hand on eBay which gave up a treasure trove of information about who the previous owner was, where he lived and, through GPS records stored on the phone, even where he had been. The moral is that wiping doesn’t get rid of the data.

The main point of this from an ISO27001 angle is to ensure that your procedures for the disposal of mobile devices and removable media (Annex A.6.2.1 Mobile device policy and A.8.3.2 Disposal of media) are effective enough to ensure that this type of data doesn’t end up in the wrong hands. Unfortunately, the only way to ensure this is complete destruction, but given the relative cost of modern devices against the value of your organization’s data and reputation, this has to be the way to go.

Our thanks to Professor May and ISACA for this valuable update.
