
World Congress on Internet Security (WorldCIS-2014)

A Review and Comparative Evaluation of Forensics Guidelines of NIST SP 800-101 Rev. 1:2014 and ISO/IEC 27037:2012

Akinola Ajijola, Pavol Zavarsky, Ron Ruhl

Information Systems Security Management
Concordia University Edmonton, Alberta
T5B 4E4 Canada
aajijola@csa.concordia.ab.ca, {pavol.zavarsky, ron.ruhl}@concordia.ab.ca

Abstract- In this paper, we present a review and comparative evaluation of forensics guidelines of NIST SP 800-101 Rev.1:2014 and ISO/IEC 27037:2012. This study proposes and analyzes an integrated implementation of these two forensic guidelines. The result will provide a forensic investigator with a good understanding of the two forensic standards, and present an opportunity to forensic investigators, organizations and jurisdictions that are compliant with one standard to realize the benefits of the other standard. As is shown, no single standard addresses all processes of digital forensic investigations. This comparison identifies the areas of forensics guidelines covered by each standard, the commonalities and differences in the two standards, and their limitations.

Keywords- digital evidence; chain of custody; digital handling process; forensic investigation; forensic tools

I. INTRODUCTION

When investigating a crime, the investigator must follow and reference guidelines on device or information technology forensics. Although countries, organizations and individual investigators may retain certain methods, processes and controls, standardization is expected to lead to the adoption of similar if not identical approaches internationally. This makes it easier to compare, combine, and contrast the results of such investigations even when they are performed by different people or organizations and possibly across different jurisdictions [1].

It is evident that not all investigations will end up in court. The SANS Digital Forensics Survey [2013] examined how and why organizations investigate cases. 62% of the respondents claimed to have used digital forensics to investigate "HR issues/employee misuse or abuse," and of those, only 57% indicated that they were looking for legal evidence that could be admissible in court [2].

Having said that, forensics examiners should follow investigative standards and treat all cases as if they will end up in court. This means applying an appropriate degree of rigor in the collection and preservation of potential digital evidence so that the reliability of the evidence can be defended [2].

Various perspectives are necessary to provide a formidable forensic investigation, and different guidelines look at investigation phases from different perspectives. Organizations already recognize the benefit of adopting two forensic standards; it is common for an organization to conform to the requirements of one standard and then make further improvements to conform to the requirements of the other. The European Commission Anti-Fraud Office created the Guidelines on Digital Forensic Procedures, on forensic investigation for OLAF staff, by taking into account both the internationally approved standard ISO/IEC 27037 on "Guidelines for identification, collection, acquisition and preservation of digital evidence," adopted in October 2012, and the "Good practice guide for digital evidence" published by the UK Association of Chief Police Officers (ACPO) in March 2012 [3].

There are a number of advantages in an integrated implementation of forensics standards, which include comprehensiveness and improvement in the quality of forensic investigations. Forensic investigators can experience the benefits of implementing one forensic standard before the other, or of both forensic standards when implemented simultaneously. Key benefits of an integrated implementation of these forensic standards include credibility, lower cost of investigation, reduction in the time taken for forensic investigation, and avoidance of unnecessary duplication.

This paper presents a comparative evaluation of forensics guidelines of NIST SP 800-101 Rev.1:2014 [4] and ISO/IEC 27037:2012 [5]. The comparative evaluation in the following sections focuses on commonalities, differences, and limitations in the two standards and provides the integrated implementation of both standards.

The result of this comparison may provide a forensic investigator with a good understanding of the two forensic standards and the opportunity for an integrated implementation of both standards. The paper reviews existing forensics investigation methodologies in Section II. The forensic investigation standards ISO/IEC 27037:2012 and NIST SP 800-101:2014 are reviewed and compared in Section III.

All readers are expected to have access to copies of both standards. For instance, forensic investigators, organizations and jurisdictions may opt for ISO/IEC 27037 as a result of the
978-1-908320-42/1/©2014 IEEE 66

trans-border nature of criminal activities and their global context. This allows for standardization across participating countries or, where needs are more country-specific, a jurisdiction such as the criminal justice system may choose NIST SP 800-101. There could also be an implementation of ISO/IEC 27037 when NIST SP 800-101 is already implemented, or vice versa; there could be an implementation of both ISO/IEC 27037 and NIST SP 800-101 together; or an integration of existing ISO/IEC 27037 and NIST SP 800-101 implementations.

An Overview of ISO/IEC 27037 and NIST SP 800-101

ISO (International Organization for Standardization) is the world's recognized authority on International Standards. International Standards give state of the art specifications for products, services and good practice, helping to make industries more efficient and effective.

The ISO/IEC 27037 [5] standard seeks to create a common reference line for the practice of digital forensics. The application of this international standard requires compliance with federal laws and regulations, with no intention of replacing them. Rather, it may serve as a practical guide for any Digital Evidence First Responders (DEFRs) and Digital Evidence Specialists (DESs) in investigations involving potential digital evidence. Moreover, it is intended to facilitate the usability of evidence obtained in one jurisdiction by a legal process operating in another jurisdiction [6].

A. Related ISO/IEC projects

Since ISO/IEC 27037 addresses only the initial handling process of digital evidence, other forensic process steps are subject to additional standards, some of which are still under development [6]. International Standards that are related to ISO/IEC 27037 are graphically illustrated below.

[Figure 1 shows ISO/IEC 27043 (Incident investigation principles and processes) above five related standards: ISO/IEC 27035 (Information security incident management), ISO/IEC 27037 (Guidelines on identification, collection, acquisition, and preservation of digital evidence), ISO/IEC 27041 (Guidance on assuring suitability and adequacy of incident investigative methods), ISO/IEC 27042 (Guidelines for analysis and interpretation of digital evidence) and ISO/IEC 27050-1 (Electronic discovery).]

Figure 1. Related ISO/IEC Standards

NIST (National Institute of Standards and Technology) is a technological, non-regulatory federal agency under the U.S. Department of Commerce. NIST works with industries to develop and apply technology, measurements, and standards. NIST SP 800-101 Rev 1, Guidelines on Mobile Device Forensics, is a publication by the United States National Institute of Standards and Technology (NIST). The guide provides an in-depth look into mobile devices and explains the technologies involved and their relationship to forensic procedure. The guide discusses the procedures for validation, preservation, acquisition, examination, analysis, and reporting of digital information [4].

II. REVIEW OF FORENSIC INVESTIGATION METHODOLOGIES

There are numerous digital forensic investigation methodologies that have been developed and adopted since 1984, when a formalized process was first presented. Different forensic investigation standards and models have been adopted in different nations for the identification, collection, acquisition and preservation of digital evidence [7], [8], [9]. While some of the forensic investigation standards are precise and detailed, some are of wider scope and general [10]. Also, some models concentrate on the technical aspect of forensic investigation, while some models emphasize the non-technical aspect of forensic investigation. This section reviews some of the related forensics investigation models.

A. Digital Forensic Research Workshop 2001 [11]

The first Digital Forensics Research Workshop (DFRWS) was held in Utica, New York (2001). DFRWS laid the foundation of the digital forensic investigation process [11]. The DFRWS investigative model consists of Identification, Preservation, Collection, Examination, Analysis and Presentation.

B. Abstract Digital Forensics Model [12]

Reith, Carr and Gunsch (2002), in their study An Abstract Digital Forensics Model, describe a model which is to some extent derived from the DFRWS model and not dependent on a particular technology or electronic crime. This model uses the protocol for an FBI physical crime scene search [12]. The model was inspired by DFRWS and is therefore thought to be its enhancement. This model has seven phases, namely Identification, Preparation, Approach Strategy, Preservation, Collection, Examination and Analysis.

C. Integrated Digital Investigation Process [13]

Carrier and Spafford (2003), in their study, mapped the digital investigative process to the physical investigative process. They came up with five phases of investigative processes, namely Readiness, Deployment, Physical Crime Scene Investigation, Digital Crime Scene Investigation and Review, and they call this model the Integrated Digital Investigation Process.

D. Digital Forensic Model Based on Malaysian Investigation Process [8]

The Digital Forensic Model Based on Malaysian Investigation Process, based on Malaysian cybercrime law [8], is an investigation model built on existing models by incorporating a live and static data acquisition process that focuses on volatile data. This model consists of seven phases: Planning, Reconnaissance, Transport & Storage, Analysis, Proof and Defence, and Archive Storage.

E. Association of Chief Police Officers (ACPO) Good Practice Guide for Digital Evidence [7]

In the United Kingdom, the Association of Chief Police Officers (ACPO) has the Good Practice Guide for Computer-Based Electronic Evidence. This high-level document covers any type of group that is actively involved in the processing of digital evidence. This model consists of Plan, Capture, Analyze, and Present. The purpose of this document is to provide guidance,

not only to assist law enforcement, but also all those who assist in investigating cyber security incidents and crime.

F. Electronic Crime Scene Investigation: A Guide for First Responders, Second Edition [9]

The United States Department of Justice (DOJ) uses Electronic Crime Scene Investigation, which is the process model guide intended to assist both State and local law enforcement and other first responders who may be responsible for preserving an electronic crime scene. Additionally, this model is used for recognizing, collecting, and safeguarding digital evidence. The U.S. Department of Justice and the U.S. Department of Commerce's National Institute of Standards and Technology (NIST) have newly created the National Commission on Forensic Science as part of a new initiative to strengthen and enhance the practice of forensic science [14].

G. Enhanced Systematic Digital Forensic Investigation Model (ESDFIM) [15]

Kwaku et al. (2012) developed the Enhanced Systematic Digital Forensic Investigation Model (ESDFIM) and posited that, since cybercrime investigation involves multiple or distributed computers, a successful investigation of such crime requires access to evidence from various sources. ESDFIM concluded that for the overall success of investigation and prosecution, the technicalities of digital forensics must be backed by forensic laws, cooperation and collaboration with law enforcement agencies from both the primary and secondary crime scenes [15].

III. REVIEW OF THE FORENSIC INVESTIGATION STANDARDS ISO/IEC 27037 AND NIST SP 800-101

In this section, descriptions of ISO/IEC 27037 and NIST SP 800-101 are provided. This will help in the identification of commonalities, differences and limitations of the two standards.

A. ISO/IEC 27037

ISO/IEC 27037, an international standard titled Information technology - Security techniques - Guidelines for identification, collection, acquisition, and preservation of digital evidence, was published in October 2012. It is a high level document that provides guidelines for specific activities in handling potential digital evidence.

ISO/IEC 27037 does not address methodology for legal proceedings, disciplinary procedures and other related actions, and is not in any way intended to replace specific legal requirements of any jurisdiction, but rather requires compliance with federal laws, rules and regulations in all phases of forensic investigation.

The standard is essentially a reactive measure used to investigate an incident after it has occurred, whereas forensic readiness is a proactive process of attempting to plan for such events [5].

The scope of ISO 27037 addresses only the initial handling process. The initial handling process is very important because of the fragility of digital evidence. This assures the integrity and reliability of potential digital evidence.

B. Evidence handling process of ISO/IEC 27037

Fig. 2 below presents a model of the digital handling process of ISO 27037.

[Figure 2: phases Identification, Collection, Preservation.]

Figure 2. Model of digital handling process of ISO/IEC 27037

It shows that the decision to collect and/or acquire the potential digital evidence is made after the identification phase, while the preservation phase is maintained throughout the digital evidence handling processes. Preservation is, therefore, an ongoing process.

Phase 1: Identification

Identification is the first phase in the process of forensic investigation of digital devices. The phase involves the search for, and recognition and documentation of, potential digital evidence. This process includes the prioritization of evidence collection based on volatility, which is crucial in ensuring the correct order of the collection and acquisition processes. This minimizes the damage to the potential evidence in order to obtain the best evidence. Digital Evidence First Responders (DEFRs), Digital Evidence Specialists (DESs), incident response specialists and forensic laboratory managers should be aware that not all digital storage media can be easily identified and located [5].

Phase 2: Collection

The second phase deals with the decision to either collect or acquire potential digital evidence. Collection is a process where devices that may contain potential digital evidence are removed from their original location to a laboratory or another controlled environment for later acquisition and analysis [5].

Phase 3: Acquisition

The acquisition process involves creating a digital evidence copy, such as a complete hard disk, partition or selected files, and documenting all actions and methods. All unavoidable alteration during acquisition should be clearly documented [5]. The integrity of the acquired data is maintained to ensure that the acquired copy has not been modified since acquisition.

Phase 4: Preservation

Preservation is the process of securely maintaining custody of property without altering or changing the content of data that resides on devices and removable media. The preservation process is critical for potential digital evidence to be useful in the investigation [5], and should be initiated and maintained throughout the digital evidence handling processes. Potential digital evidence must be preserved to maintain its integrity for its admissibility in a court of law.
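The four ISO/IEC 27037 phases above (and the verification step of the integrated model in Table VI), as an added Python illustration that is not code from the paper or from either standard; the volatility ranking, the collect-or-acquire rule, the actor labels DEFR-01/DES-07 and the sample items are assumptions:

```python
import hashlib
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional

# Assumed volatility ranking (lower = more volatile = handle first). The standard calls for
# volatility-based prioritisation; this concrete ordering is our own illustration.
VOLATILITY = {"ram": 0, "swap": 1, "disk": 2, "removable": 3}


@dataclass
class EvidenceItem:
    label: str
    media: str      # key into VOLATILITY
    location: str   # where it was found (constructed sample data)


@dataclass
class CustodyEntry:
    timestamp: str
    phase: str
    actor: str      # the DEFR or DES who performed the action
    action: str
    sha256: Optional[str] = None


@dataclass
class EvidenceRecord:
    item: EvidenceItem
    copy: Optional[bytes] = None
    acquired_sha256: Optional[str] = None
    log: list = field(default_factory=list)

    def note(self, phase: str, actor: str, action: str, sha256: Optional[str] = None) -> None:
        """Append a chain-of-custody entry; this is the documentation auditability relies on."""
        self.log.append(CustodyEntry(datetime.now(timezone.utc).isoformat(), phase, actor, action, sha256))


def identify(items: list) -> list:
    """Phase 1, Identification: order potential evidence most volatile first."""
    return sorted(items, key=lambda i: VOLATILITY[i.media])


def decide(item: EvidenceItem) -> str:
    """Phase 2, Collection: 'acquire' (copy on site) or 'collect' (remove the device to the lab).
    Assumed rule: media as volatile as swap or more are acquired in place, since removing and
    powering off the device would destroy them; everything else is collected."""
    return "acquire" if VOLATILITY[item.media] <= VOLATILITY["swap"] else "collect"


def acquire(record: EvidenceRecord, source: bytes, actor: str,
            unavoidable_alteration: Optional[str] = None) -> str:
    """Phase 3, Acquisition: create the evidence copy, hash it, and document any alteration
    the acquisition method could not avoid. Returns the acquisition hash."""
    record.copy = bytes(source)
    record.acquired_sha256 = hashlib.sha256(record.copy).hexdigest()
    if unavoidable_alteration:
        record.note("acquisition", actor, "unavoidable alteration: " + unavoidable_alteration)
    record.note("acquisition", actor, "evidence copy created", record.acquired_sha256)
    return record.acquired_sha256


def verify_preserved(record: EvidenceRecord, actor: str) -> bool:
    """Phase 4, Preservation: re-hash the copy and log the result. False means the copy no
    longer matches the acquisition hash, so its integrity can no longer be defended."""
    if record.copy is None or record.acquired_sha256 is None:
        record.note("preservation", actor, "verification failed: no acquisition on record")
        return False
    current = hashlib.sha256(record.copy).hexdigest()
    ok = current == record.acquired_sha256
    record.note("preservation", actor, "integrity verified" if ok else "INTEGRITY MISMATCH", current)
    return ok


def run_scene() -> dict:
    """Walk constructed sample items through the four phases and summarise the outcome."""
    items = [
        EvidenceItem("workstation-disk", "disk", "desk 3"),
        EvidenceItem("workstation-ram", "ram", "desk 3"),
        EvidenceItem("usb-stick", "removable", "drawer"),
    ]
    ordered = identify(items)
    records = {}
    for it in ordered:
        rec = EvidenceRecord(it)
        rec.note("identification", "DEFR-01", f"found at {it.location}; decision: {decide(it)}")
        # Constructed bytes stand in for the real image of each item.
        alteration = "memory acquisition tool loaded into RAM" if it.media == "ram" else None
        acquire(rec, f"contents-of-{it.label}".encode(), "DES-07", alteration)
        records[it.label] = rec
    # Simulate a copy being altered after acquisition; the preservation check must catch it.
    records["usb-stick"].copy = records["usb-stick"].copy + b"X"
    return {
        "order": [it.label for it in ordered],
        "decisions": {it.label: decide(it) for it in items},
        "preserved": {k: verify_preserved(r, "DES-07") for k, r in records.items()},
        "log_entries": {k: len(r.log) for k, r in records.items()},
    }
```

Each record's log is the chain of custody an independent assessor would review (Table II's auditability and justifiability), and the mismatch on the altered USB copy is exactly the preservation failure the standard says makes evidence indefensible.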


C. NIST SP 800-101 Rev.1:2014

NIST SP 800-101 Revision 1, Guidelines on Mobile Device Forensics, is a special publication by the National Institute of Standards and Technology [4]. The guide explains procedures for the preservation, acquisition, examination, analysis and reporting of digital evidence [4]. The guide provides an in-depth look into mobile devices and explains the technologies involved and their relationship to digital forensic procedures.

The objective of this guide [4] is twofold: to help organizations evolve appropriate policies and procedures for dealing with mobile devices, and to prepare forensic specialists to conduct forensically sound examinations involving mobile devices. This guide does not prescribe how law enforcement and incident response communities should handle mobile devices during their investigations or incidents.

The guide provides basic information on mobile forensics tools, preservation, acquisition, examination and analysis, and reporting of digital evidence on mobile devices. The methods and techniques of NIST SP 800-101 are presented as a compilation of best practices within the discipline and references taken from existing forensic guidelines [4]. However, no reference to ISO/IEC 27037 was made in NIST SP 800-101 to justify the claim of a compilation of best practices within the discipline and references taken from existing forensic guidelines.

D. Basic Forensic Process of NIST SP 800-101

In Fig. 3 below, digital evidence preservation is maintained in all phases of the NIST SP 800-101 forensic process, therefore making preservation a continuous process.

Figure 3. NIST SP 800-101 Forensic Process

The scope covered by the 4 phases in both standards is compared in Table III.

Phase 1: Preservation

Preservation involves the search, recognition, documentation and collection of electronically based evidence. According to NIST SP 800-101, this is the first step in digital recovery [4].

Phase 2: Acquisition

Acquisition is the process by which digital evidence is duplicated, copied, or imaged from a mobile device [4]. Performing acquisition at the scene of the crime is advantageous, as it eliminates the loss of information that results when the device is switched off for transportation.

NIST SP 800-101 acknowledges that the forensic examination begins with the identification of a mobile device. The choice of forensic tools to be employed in acquisition depends mainly on the device acquired.

Phase 3: Examination and Analysis

The examination process uncovers digital evidence, including that which may be hidden or obscured. The process begins with a copy of the evidence acquired from the device. The analysis process looks at the result of the examination for its direct significance and probative value to the case. Examination and analysis are accomplished using the right forensic tools.

Phase 4: Reporting

The reporting process prepares a detailed summary of all steps taken and the conclusions reached in the investigation of the case. This involves the forensic tools and techniques used, making sure that the final report is consistent with the data presented [16].

TABLE I. COMPARISON OF FEATURES OF NIST SP 800-101 AND ISO/IEC 27037 SUMMARY

| Features | ISO/IEC 27037 | NIST SP 800-101 |
|---|---|---|
| Audience | International, Public and Private Sector | United States Government recommendations for forensic examiners, response teams, and private organizations on a voluntary basis |
| Last Updated | October, 2012 | May, 2014 |
| Description | High Level | Mid/Low Level |
| References | The guide seeks to create a common reference guideline for identification, collection, acquisition, and preservation of digital evidence. | The guide presents procedures for the preservation, acquisition, examination, analysis and reporting of digital evidence. It gives an in-depth look into forensic analysis of mobile devices. |
| No of Phases | 4 | 4 |
| Scope | Deals with the initial stages of digital investigation. | Includes Examination and Analysis. |
| Phases | Identification, Collection, Acquisition, Preservation* | Preservation*, Acquisition, Examination & Analysis, Reporting |

IV. COMPARATIVE ANALYSIS OF ISO/IEC 27037 AND NIST SP 800-101

While ISO 27037 is a comparatively new standard, published in October 2012, it represents an international public and private sector agreement on how potential digital evidence should be handled in the critical initial stages of an investigation [6].

In addition to the phases of forensic investigation shown in Fig. 2 and Fig. 3, the following tables highlight the main features and provide a summary of the general requirements and the digital evidence handling process of both standards.


The high level requirements of Auditability, Repeatability, Reproducibility, and Justifiability are relevant in both standards and are summarized in Table II below. As shown in Fig. 2 and Fig. 3, Preservation is an ongoing process throughout the life cycle of digital evidence, and therefore is present in all phases of the digital handling processes of the two standards. The tables below show the comparison of general requirements and the summary of ISO/IEC 27037 and NIST SP 800-101.

TABLE II. GENERAL REQUIREMENTS AND SUMMARY OF ISO/IEC 27037 AND NIST SP 800-101

| General Requirements | Summary | ISO/IEC 27037 | NIST SP 800-101 |
|---|---|---|---|
| Auditability | It should be possible for an independent assessor or other authorised interested parties to evaluate the activities performed by Digital Evidence First Responders (DEFRs) or Digital Evidence Specialists (DESs). Appropriate documentation is necessary to make this possible. | ✓ | ✓ |
| Repeatability | Repeatability is established when the same test results are produced using the same measurement procedure and method, using the same instruments and under the same conditions, and can be repeated at any time after the initial test. | ✓ | ✓ |
| Reproducibility | Reproducibility is established when the same test results are produced using the same measurement method, using different instruments and under different conditions, and can be produced at any time after the original test. | ✓ | ✓ |
| Justifiability | Both the Digital Evidence First Responders (DEFRs) and the Digital Evidence Specialists (DESs) should be able to justify all actions and methods used in handling the potential digital evidence. | ✓ | ✓ |

Table III below shows the comparison of the digital handling processes of both NIST SP 800-101 Rev.1:2014 and ISO/IEC 27037:2012. The comparison highlights what is missing in one standard but available in the other.

TABLE III. SUMMARY OF THE DIGITAL EVIDENCE HANDLING PROCESS OF THE TWO STANDARDS

| Digital Evidence Handling | Summary | ISO/IEC 27037 | NIST SP 800-101 |
|---|---|---|---|
| Identification | Process involving the search for, recognition and documentation of potential digital evidence. | ✓ | * |
| Collection | Process of gathering the physical items that contain potential digital evidence. | ✓ | * |
| Acquisition | Process of creating a copy of data within the defined set. The product of an acquisition is a potential digital evidence copy. | ✓ | ✓ |
| Preservation | Process to maintain and safeguard the integrity and/or original condition of the potential digital evidence. | ✓ | ✓ |
| Examination & Analysis | Examination, the technical review that makes the evidence visible and suitably analyzed, and analysis, the examination of acquired data for its significance and probative value to the case. | * | ✓ |
| Reporting | Process of preparing a detailed summary of all the steps taken and conclusions reached in the investigation of the case. | * | ✓ |

V. CIA TRIAD

Confidentiality, Integrity and Availability are very important throughout the life cycle of potential digital evidence and are emphasized in both standards.

TABLE IV. COMPARISON AND SUMMARY OF CIA TRIAD IN THE TWO STANDARDS

| Activities | Summary | ISO/IEC 27037 | NIST SP 800-101 |
|---|---|---|---|
| Confidentiality | Protecting sensitive information from unauthorized access. The potential digital evidence should be preserved in a manner that ensures the confidentiality of the data. | ✓ | ✓ |
| Integrity | The assurance that the digital evidence is trustworthy, accurate and not inappropriately modified. | ✓ | ✓ |
| Availability | The potential digital evidence should be available when it is needed. | ✓ | ✓ |


VI. COMMONALITIES AND DIFFERENCES IN THE TWO STANDARDS AND THEIR LIMITATIONS

A. Commonalities in the two standards

• Both standards have guidelines on four (4) phases of forensic investigation.
• Preservation is an ongoing process throughout the life cycle of digital evidence, and therefore is present in all phases of the digital handling processes of both standards.
• NIST SP 800-101 provides guidelines on mobile devices; ISO/IEC 27037 also gives guidance for a wide variety of devices including mobile phones, Personal Digital Assistants (PDAs), Personal Electronic Devices (PEDs), memory cards, etc.
• Both standards have Acquisition and Preservation phases in their forensic investigation process.
• The two standards recognize that forensic examination begins with the identification of the device.
• Both standards emphasize Confidentiality, Integrity, and Availability of potential digital evidence throughout the process of forensic investigation.

B. Differences in the two standards

• ISO/IEC 27037 applies globally, and is intended for both public and private sectors; NIST SP 800-101 is the United States' recommendations for forensic examiners, response teams and private organizations on a voluntary basis.
• ISO/IEC 27037 emphasizes the non-technical processes of forensic investigation; NIST SP 800-101 dwells on both the technical and non-technical processes of forensic investigation.
• NIST SP 800-101 provides basic information on mobile forensic tools and the preservation, acquisition, examination and analysis, and reporting of digital evidence on mobile devices. ISO/IEC 27037 provides guidelines for the identification, collection, acquisition, and preservation of digital evidence.
• NIST SP 800-101 explains in detail the forensic tools used in forensic investigation, while ISO does not extend to the analysis of digital evidence.
• ISO/IEC 27037 only pertains to the initial stages of digital investigation; NIST SP 800-101 is detailed in its mobile device forensics.
• NIST SP 800-101 has an Examination and Analysis phase as well as a Reporting phase in its investigation process, while these phases are not present in ISO/IEC 27037.
• ISO/IEC 27037 has Identification and Collection phases; NIST SP 800-101 assumes that the mobile device on which the forensic investigation is to be performed has already been identified and collected.

C. Limitations of both standards

• ISO/IEC 27037 provides a general overview of forensic investigations, so it is not detailed enough on a specific device or system, while NIST SP 800-101 provides guidelines for mobile device forensics only.
• There are scope limitations in both standards regarding specific systems, devices and architectures: for example, the challenges of applying the guidelines in forensic investigations in (private, public) cloud environments.
• Both standards are limited in scope because they do not prescribe how law enforcement and incident response communities should handle digital evidence during an investigation or incident.
• Litigation can clearly be criminal or civil, but neither of the standards discusses this aspect, nor the advice the internal legal department in an organization should offer in order to minimize the costs of forensic investigation.
• Both standards essentially describe reactive measures and do not include guidance on proactive forensic investigation processes.
• ISO/IEC 27037 does not extend to the analysis of digital evidence.
• Combining the two standards still may not provide a holistic approach. For example, Planning is vital in forensic investigation and is not addressed in either standard.
• The two documents are to be read in conjunction with other standards.

VII. DISCUSSION OF RESULTS

In reviewing and undertaking a comparative evaluation of ISO/IEC 27037 and NIST SP 800-101 to examine the commonalities and differences in the two standards and their limitations, it is evident that neither of these two standards addresses all processes of digital forensic investigations. While ISO/IEC 27037 focuses on the initial handling process and addresses the non-technical aspect of digital forensic investigation of crime, NIST SP 800-101 is technical and more detailed in the selection and use of forensic tools. An integrated implementation of ISO/IEC 27037 and NIST SP 800-101 is possible and will be more comprehensive than a single standard.

Since neither of the two standards addresses the forensic investigation process comprehensively, it would be advantageous to individual investigators, organizations and jurisdictions that are compliant with one standard to realize the benefits of the other standard and integrate the two. NIST SP 800-101 is specifically a guideline for Mobile Device Forensics, while the ISO/IEC 27037 standard provides guidelines on the identification, collection, acquisition, and preservation of digital evidence for information technology in general.


Table V below shows the phases of forensics investigation processes addressed by the two standards. The integrated implementation of both standards is discussed in the following section.

TABLE V. PHASES OF FORENSIC INVESTIGATION COVERED BY ISO/IEC 27037 AND NIST SP 800-101

| ISO/IEC 27037 | NIST SP 800-101 |
|---|---|
| Identification | Preservation |
| Collection | Acquisition |
| Acquisition | Examination & Analysis |
| Preservation | Reporting |

VIII. INTEGRATED IMPLEMENTATION OF NIST SP 800-101 REV.1:2014 AND ISO/IEC 27037:2012

As discussed above, each of the two standards has its limitations. Various perspectives are necessary to provide a formidable investigation. In the proposed guideline, a single set of phases of forensic investigation is created for the integrated implementation of both standards. Both standards should be referenced and should complement each other.

TABLE VI. PHASES AND ACTIVITIES OF INTEGRATED IMPLEMENTATION OF ISO/IEC 27037 AND NIST SP 800-101

| Phase Number | Phases | Activities |
|---|---|---|
| 1. | Identification | Physical and logical forms of representation of digital evidence; search for, recognition and documentation; identification of the volatility of data. |
| 2. | Collection and/or Acquisition | Decision to collect or acquire digital evidence for acquisition and analysis. Involves the digital evidence copy, documenting the methods used and activities performed. Verification is also performed here in full or in part. |
| 3. | Preservation | Potential digital evidence is preserved to ensure its usefulness in the investigation. Preservation should be maintained throughout the digital handling processes. |
| 4. | Examination & Analysis | Examination and Analysis processes are accomplished using appropriate forensic tools. |
| 5. | Reporting | Preparation of a detailed summary of all steps taken and conclusions reached in the investigation of the case. This will involve the forensic tools and techniques used. |

IX. INTEGRATED IMPLEMENTATION OF BOTH STANDARDS

The proposed model explains the forensic investigation in five phases. Once the digital devices that may contain potential digital evidence are identified, the forensic investigator should decide whether to collect or acquire evidence in the next phase [5]. These two phases, collection and acquisition, could overlap as one phase.

As shown in Fig. 4 below, the proposed integrated implementation of both standards is not a waterfall model.

Figure 4. Phases of both standards

The preservation phase is critical in both standards to maintain the integrity of the potential digital evidence. It is therefore a continuous process and should be maintained throughout the chain of custody or life cycle of the potential digital evidence.

In this section, the proposed model is discussed. The model consists of five phases, with the structure illustrated in Fig. 4 above.

Phase 1: Identification

The identification phase involves the search for, recognition, and documentation of potential digital evidence. This identification process includes the prioritization of evidence collection based on volatility, which is crucial in ensuring the correct order of the collection and acquisition processes, to minimize the damage to the potential evidence and to obtain the best evidence [5].

The identification phase in the DFRWS Investigative model is the phase in which profile detection, system monitoring and audit analysis are performed [10].

Phase 2: Collection and/or Acquisition

The chain of custody of potential digital evidence starts in the Collection and/or Acquisition phase. This is where digital devices that may contain potential digital evidence are identified, and the decision to either collect or acquire should be made by the DEFR and DES.

Collection is a process in digital evidence handling where devices that may contain potential digital evidence are removed from their original location to a laboratory or another controlled environment for later acquisition and analysis [5]. This process involves documenting the whole approach.

The acquisition process involves creating a digital evidence copy, such as a complete hard disk, partition or selected files, and documenting all actions and methods. All unavoidable alteration during acquisition should be clearly documented [5]. In a situation where it is not feasible or permissible to create a digital evidence copy of the evidence source, such as when the source is too large, then a logical acquisition, which targets only specific data types, directories or locations, should be performed. This
process involves maintaining the integrity of data acquired to
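As an added example (not code from the paper, nor from NIST SP 800-101 or ISO/IEC 27037), the following Python sketch shows the verification step of Phase 2 and the "not modified since acquisition" check that preservation relies on, run against a constructed in-memory device: a physical acquisition verified in full against the source hash, a logical acquisition of selected directories and data types verified per file, and a later re-verification that detects a copy altered after acquisition. The device contents, file paths and examiner name are constructed, and `physical_acquisition`, `logical_acquisition`, `select_targets` and `reverify` are this example's own names, not functions of any forensic tool.

```python
"""Acquisition with integrity verification (added example, not from the paper).

The device image, its logical file view and the examiner name are constructed
so the script runs offline; a real acquisition would image a block device or
use a vendor extraction tool instead of copying an in-memory byte string.
"""
import hashlib
from datetime import datetime, timezone

# Constructed sample "device": raw storage as bytes, plus the logical view a
# file-system parser would give. None of this is real device data.
DEVICE_IMAGE = b"\x00" * 64 + b"EXAMPLE-DEVICE-CONTENT" + b"\xff" * 64
DEVICE_FILES = {
    "/data/sms.db": b"sqlite:constructed-sms-table",
    "/data/contacts.db": b"sqlite:constructed-contacts",
    "/cache/thumb.jpg": b"\xff\xd8\xff\xe0constructed-jpeg",
    "/system/build.prop": b"ro.build.id=CONSTRUCTED",
}


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def physical_acquisition(image: bytes, examiner: str, alteration: str = "none") -> dict:
    """Copy the whole evidence source and verify the copy in full.

    `alteration` records any unavoidable change made to the source during
    acquisition (e.g. powering on a handset), as ISO/IEC 27037 requires.
    """
    source_hash = sha256(image)       # hash taken from the source before copying
    copy = bytes(image)               # stands in for the imaging tool's output
    return {
        "copy": copy,
        "record": {
            "type": "physical",
            "examiner": examiner,
            "acquired_at": datetime.now(timezone.utc).isoformat(),
            "unavoidable_alteration": alteration,
            "source_hash": source_hash,
            "copy_hash": sha256(copy),
            "verified": sha256(copy) == source_hash,
        },
    }


def select_targets(files: dict, directories=(), extensions=()) -> list:
    """Paths for a logical acquisition, chosen by directory and/or data type."""
    return sorted(
        p for p in files
        if any(p.startswith(d) for d in directories)
        or any(p.endswith(e) for e in extensions)
    )


def logical_acquisition(files: dict, targets: list, examiner: str) -> dict:
    """Copy only the selected paths; verification is per file (in part)."""
    copies = {p: bytes(files[p]) for p in targets}
    manifest = {p: sha256(files[p]) for p in targets}   # hashes of the source data
    return {
        "copy": copies,
        "record": {
            "type": "logical",
            "examiner": examiner,
            "acquired_at": datetime.now(timezone.utc).isoformat(),
            "targets": targets,
            "manifest": manifest,
            "verified": all(sha256(copies[p]) == manifest[p] for p in targets),
        },
    }


def reverify(acquisition: dict) -> dict:
    """Re-check an evidence copy against the hashes recorded at acquisition.

    Returns a mapping of image/path -> True or False. Any False means the copy
    was modified after acquisition and can no longer be presented as the best
    evidence; the record shows exactly which item failed.
    """
    rec, copy = acquisition["record"], acquisition["copy"]
    if rec["type"] == "physical":
        return {"image": sha256(copy) == rec["copy_hash"]}
    return {p: sha256(copy[p]) == h for p, h in rec["manifest"].items()}


if __name__ == "__main__":
    full = physical_acquisition(DEVICE_IMAGE, "examiner-01")
    print("physical verified:", full["record"]["verified"])

    targets = select_targets(DEVICE_FILES, directories=("/data/",), extensions=(".jpg",))
    part = logical_acquisition(DEVICE_FILES, targets, "examiner-01")
    print("logical targets:", targets, "verified:", part["record"]["verified"])

    # Failure mode: a working copy is altered after acquisition.
    part["copy"]["/data/sms.db"] = part["copy"]["/data/sms.db"] + b"X"
    print("re-verification:", reverify(part))
```

The acquisition record is the artifact that goes into the chain-of-custody documentation: it names who acquired, when, what was unavoidably altered, and the hashes against which every later handling step re-verifies the copy. With a logical acquisition the per-file manifest is what makes partial verification meaningful, since a single image hash is not available.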

Phase 3: Preservation

Evidence preservation is the process of securely maintaining an acceptable chain of custody for property without altering or changing the content of the data that resides on devices and removable media [4]. Preservation covers the search for, recognition, documentation and collection of electronically based evidence, which must be preserved free from contamination.

The preservation process is critical if potential digital evidence is to be useful in the investigation, and it protects the integrity of the evidence [5]. It should be initiated and maintained throughout the digital evidence handling processes. Since potential digital evidence is intended to be admissible in a court of law, it should be preserved in a manner that ensures the integrity of the data.

Phase 4: Examination and Analysis

The examination and analysis process uncovers digital evidence, both volatile and non-volatile, including evidence that may be hidden or obscured. The process begins with a copy of the evidence acquired from the device. Analysis then looks at the results of the examination for their direct significance and probative value to the case. Examination and analysis are carried out using approved guidelines and the appropriate forensic tools.

Phase 5: Reporting

The reporting process prepares a detailed summary of all steps taken and conclusions reached in the investigation of the case. The tasks in this phase cover the forensic tools and techniques used, documentation, and forensic expert testimony. Irrespective of how the reports are generated, making sure that the final report is consistent with the data presented in the tool's user interface is vital for identifying and eliminating any inconsistencies that may surface [16]. The reporting phase of NIST SP 800-101 also helps to record anything learned during the investigation that can improve the forensic process; lessons learned should be documented as well.

X. CONCLUSION

The objective of this paper was to undertake a review and comparative evaluation of the forensics guidelines NIST SP 800-101 Revision 1, Guidelines on mobile device forensics, and ISO/IEC 27037, Guidelines for identification, collection, acquisition and preservation of digital evidence, in order to identify the commonalities and differences between the two standards and their limitations. It is evident that no single standard addresses all processes of digital forensic investigation. Scenarios have been shown to illustrate that the two standards can complement one another in a digital forensic investigation. For example, although NIST SP 800-101 was not published specifically for situations where litigation is or may be the purpose, it shares elements that make it partially suitable for them; when NIST SP 800-101 is integrated with ISO/IEC 27037, the missing areas are filled in. The integrated implementation model of ISO/IEC 27037 and NIST SP 800-101 will give individual investigators, organizations and jurisdictions the benefits of both standards. A forensics best-practice guideline or standard could also be developed, based on the concepts of the integrated implementation of ISO/IEC 27037 and NIST SP 800-101.

REFERENCES

[1] ISO/IEC 27041, Information technology - Security techniques - Guidance on assuring suitability and adequacy of incident investigative methods (FDIS). Available: http://www.iso.org
[2] P. Henry, J. Williams, and B. Wright, The SANS Survey of Digital Forensics and Incident Response, 2013. Available: https://blogs.sans.org/computer-forensics/files/2013/07/sans_dfir_survey_2013.pdf
[3] OLAF (European Commission Anti-Fraud Office), Guidelines on Digital Forensic Procedures for OLAF Staff, 2014. Available: http://ec.europa.eu/anti_fraud/documents/forensics/guidelines_en.pdf
[4] NIST SP 800-101 Revision 1, Guidelines on Mobile Device Forensics, May 2014. Available: http://www.nist.gov
[5] ISO/IEC FDIS 27037, Guidelines for identification, collection, acquisition and preservation of digital evidence, 2012. Available: http://www.iso.org
[6] Cloud Security Alliance Incident Management and Forensics Working Group, Mapping the Forensic Standard ISO/IEC 27037 to Cloud Computing, 2013. Available: https://downloads.cloudsecurityalliance.org/initiatives/imf/Mapping-the-Forensic-Standard-ISO-IEC-27037-to-Cloud-Computing.pdf
[7] ACPO Good Practice Guide for Digital Evidence, 2012. Available: http://www.acpo.police.uk/documents/crime/2011/201110-cba-digital-evidence-v5.pdf
[8] S. Perumal, Digital Forensic Model Based On Malaysian Investigation Process, IJCSNS International Journal of Computer Science and Network Security, vol. 9, no. 8, 2009. Available: http://paper.ijcsns.org/07_book/200908/20090805.pdf
[9] Electronic Crime Scene Investigation: A Guide for First Responders, 2nd ed., Washington, DC: U.S. Dept. of Justice, Office of Justice Programs, National Institute of Justice, 2008. Available: https://www.ncjrs.gov/pdffiles1/nij/219941.pdf
[10] Y. Yusoff, R. Ismail and Z. Hassan, Common Phases of Computer Forensics Investigation Models, 2011. Available: http://airccse.org/journal/jcsit/0611csit02.pdf
[11] Digital Forensic Research Workshop (DFRWS), A Road Map for Digital Forensic Research, Utica, New York, August 7-8, 2001. Available: http://www.dfrws.org/2001/dfrws-rm-final.pdf
[12] M. Reith, C. Carr and G. Gunsch, An Examination of Digital Forensic Models, International Journal of Digital Evidence, vol. 1, issue 3, Fall 2002. Available: http://www.utica.edu/academic/institutes/ecii/publications/articles/A04A40DC-A6F6-F2C1-98F94F16AF57232D.pdf
[13] B. Carrier and E. H. Spafford, Getting Physical with the Digital Investigation Process, International Journal of Digital Evidence, 2003. Available: http://www.utica.edu/academic/institutes/ecii/publications/articles/A0AC5A7A-FB6C-325D-BF515A44FDEE7459.pdf
[14] NIST, U.S. Departments of Justice and Commerce Name Experts to First-Ever National Commission on Forensic Science, Jan. 2014. Available: http://www.nist.gov/forensics/forensic-science-commission-011014.cfm
[15] K. Kwaku, P. Zavarsky, D. Lindskog and R. Ruhl, A Review and Comparative Study of Digital Forensic Investigation Models, 2012. Available: http://link.springer.com/chapter/10.1007%2F978-3-642-39891-9_20
[16] R. Ayers, Mobile Device Forensics, 2014. Available: http://www.cftt.nist.gov/presentations/RickAyers_AAFS_Mobile-2014.pdf

978-1-908320-42/1/©2014 IEEE
