June 9, 2026 · Digital Forensics
Digital Evidence Standards: ISO/IEC 27037 and NIST SP 800-86
Two frameworks define modern digital-evidence handling: ISO/IEC 27037 for identification, collection, acquisition, and preservation, and NIST SP 800-86 for the forensic process. Here is how they fit together.
Handling digital evidence well is not improvisation — it follows published standards. Two are foundational: ISO/IEC 27037 and NIST SP 800-86. They address different parts of the same problem, and together they describe what a defensible digital-evidence workflow looks like.
ISO/IEC 27037: handling evidence at the scene
ISO/IEC 27037:2012 provides guidelines for the identification, collection, acquisition, and preservation of digital evidence — the earliest and most fragile stage, where mistakes are irreversible. Its core principles:
- Identification — locating potential evidence, including volatile data that disappears when a device is powered off.
- Collection — gathering devices and media, or
- Acquisition — creating a forensic copy (image) when the original cannot be removed.
- Preservation — protecting the evidence and its integrity throughout.
27037 also defines the people who do this work: the Digital Evidence First Responder (DEFR), who handles evidence at the scene, and the Digital Evidence Specialist (DES), who has deeper technical expertise. A central theme is that every action should be documented, justified, and — where possible — reproducible, so an independent examiner could follow the same steps and reach the same result.
NIST SP 800-86: the forensic process
NIST Special Publication 800-86, Guide to Integrating Forensic Techniques into Incident Response, describes a four-phase forensic process that applies once evidence is in hand:
- Collection — identify, label, record, and acquire data from sources while preserving integrity.
- Examination — process the collected data, extracting information of interest while protecting the original.
- Analysis — draw conclusions from the examined data using justifiable methods.
- Reporting — describe the actions taken, explain the results, and document the reasoning.
The guide's throughline is integrity and repeatability: work from copies, never originals; document tools and methods; and preserve the ability for someone else to verify the findings.
For mobile devices specifically, NIST SP 800-101 Rev. 1 extends these principles to the particular challenges of phones and tablets — volatile state, proprietary formats, and rapidly changing hardware.
Where hashing fits
Both frameworks depend on being able to prove that acquired data has not changed. The mechanism is a cryptographic hash computed at acquisition: a fixed-length fingerprint of the data. Recompute the hash later and compare — if it matches, the data is bit-for-bit identical; if it differs by even one bit, the values diverge completely. This is what lets an examiner work from a copy while proving the copy faithfully represents the original.
Turning standards into a record
Standards describe what to do; a chain-of-custody record proves you did it. A record aligned with 27037 and 800-86 should capture:
- The acquisition method (imaged, logically extracted, live-acquired) and the tool used
- The acquisition hash and algorithm, recorded at the time of acquisition
- The source device and the legal authority for collection
- Each subsequent transfer and examination, documented contemporaneously
CustodyTrack captures these forensic fields directly on the form and seals them into a tamper-evident hash chain, so the record itself reflects the standards the work was supposed to follow.
Sources
- [1] SP 800-86: Guide to Integrating Forensic Techniques into Incident Response — National Institute of Standards and Technology
- [2] ISO/IEC 27037:2012 — Guidelines for identification, collection, acquisition and preservation of digital evidence — International Organization for Standardization
- [3] SP 800-101 Rev. 1: Guidelines on Mobile Device Forensics — National Institute of Standards and Technology
Every factual claim in this briefing was checked against these sources before publication. Sources are limited to courts, government and law-enforcement agencies, standards bodies, and open-access scholarship.