Skip to content

Evidence

ISO/IEC 27037: the standard behind defensible digital evidence

Zvonimir Cvetko Damnjanović6 min read

When digital evidence collapses in court, the cause is rarely the forensic science. It is the handling. Nobody can say from records who touched the device first, why a server was imaged rather than seized, or whether today's copy still matches what was captured. ISO/IEC 27037:2012 exists to close those gaps. Published in 2012 and still the reference for evidence handling, it offers guidelines, not mandates, for the earliest and most fragile phase of an investigation: recognising potential digital evidence and getting it under control without damaging what makes it valuable.

Four processes, two of them alternatives

Its full title promises guidelines for identification, collection, acquisition and preservation of digital evidence, and those four processes are the whole architecture. Identification means recognising which devices and data might hold evidence at all, harder than it sounds in a room containing routers, wearables and somebody's signed-in cloud session. Collection means taking the device or medium itself. Acquisition means producing a copy of the data with verification, in practice hash values computed at capture. Preservation means protecting integrity over time, through storage, transport and every handover.

ISO/IEC 27037 evidence handling processesIdentification, collection, acquisition and preservation shown as a flow, with a chain of custody record underneath receiving entries from every step, and the four verifiability principles listed at the bottom.Identificationrecognise potentialdigital evidenceCollectiontake the device ormedium itselfAcquisitionproduce a verifiablecopy (hash at capture)Preservationprotect integrityover timecollection and acquisition are alternatives — one, the other, or bothCHAIN OF CUSTODY RECORDwho · what · when (UTC) · where · how · hash valuesAuditabilityRepeatabilityReproducibilityJustifiabilitythe four properties every 27037 process must preserve
Fig. 1 — The four ISO/IEC 27037 processes. Every handover lands in the custody record.

Collection and acquisition are alternatives, not consecutive steps. Teams do one, the other, or both, and the standard expects the choice to be reasoned. A production system that can't be powered down gets acquired live. Volatile memory disappears at shutdown, so it is captured first or not at all. Proportionality counts too: seizing a hospital's storage array to obtain one mailbox helps nobody.

Two roles, four properties

The standard names two roles. The Digital Evidence First Responder, DEFR, arrives first and performs the initial handling. The Digital Evidence Specialist, DES, brings deeper technical capability and takes over where a situation exceeds first-response competence, an unfamiliar operating system, say, or a live acquisition that cannot be repeated. The split is practical. The person securing a scene at three in the morning is rarely the right person to image a running database, and 27037 doesn't pretend otherwise.

Whatever the process and whoever performs it, four properties have to survive:

  • Auditability. A third party can examine the record of what was done and form a view on it.
  • Repeatability. The same procedure under the same conditions produces the same result.
  • Reproducibility. Where applicable, a different tool or environment still produces the same result.
  • Justifiability. The practitioner can defend why each choice was made, including the options rejected.

The weight evidence eventually carries rests on relevance, reliability and sufficiency: it bears on the question, it can be trusted, and there is enough of it. Companion standards continue the process, with ISO/IEC 27041 covering assurance of investigation methods, 27042 analysis and interpretation, and 27043 the wider investigation principles.

What it looks like online

27037 was written with devices and storage media in mind. Online investigation stretches it, but the mapping holds. Acquisition becomes capturing content together with cryptographic hashes and UTC timestamps recorded at the moment of capture, plus the URL, the method and the environment used. Preservation means originals stay unaltered and analysis happens on working copies. And because a page or a hidden service can vanish overnight, the first capture is often the only one anyone will ever get.

For the online-specific craft, the Berkeley Protocol on Digital Open Source Investigations, published by the UN Human Rights Office with the Human Rights Center at UC Berkeley, is the companion text; 27037 supplies the handling backbone underneath it. That pairing is how we work. Next Sight aligns its evidence handling with ISO/IEC 27037 across engagements, documented on our compliance page, and Nexus writes hashes, timestamps and custody entries as collection happens rather than leaving them for a tired analyst to reconstruct at reporting time.

Frequently asked questions

What is ISO/IEC 27037?

ISO/IEC 27037:2012 is the international standard giving guidelines for the identification, collection, acquisition and preservation of potential digital evidence. It defines the DEFR and DES roles and expects handling to remain auditable, repeatable, reproducible and justifiable, whatever tools a team uses.

What is the difference between collection and acquisition?

Collection takes the physical device or medium itself. Acquisition produces a verified copy of the data, fixed with hash values, while the source may stay where it is. They are alternatives rather than sequential steps: live systems, volatile data and proportionality decide whether a team collects, acquires, or does both.

Does ISO/IEC 27037 apply to online evidence?

It transfers well. Applied to online material, acquisition means capturing content with cryptographic hashes and UTC timestamps, recording the URL, method and environment, and preserving originals unaltered. The Berkeley Protocol covers the online-specific craft; ISO/IEC 27037 provides the handling discipline underneath it.

Put this into practice

Next Sight delivers these workflows as services, platforms, and training — lawful, documented, and built for teams who carry consequences.