Skip to content

June 9, 2026 · Digital Forensics

Digital Evidence Standards: ISO/IEC 27037 and NIST SP 800-86

Two frameworks define modern digital-evidence handling: ISO/IEC 27037 for identification, collection, acquisition, and preservation, and NIST SP 800-86 for the forensic process. Here is how they fit together.

Handling digital evidence well is not improvisation — it follows published standards. Two are foundational: ISO/IEC 27037 and NIST SP 800-86. They address different parts of the same problem, and together they describe what a defensible digital-evidence workflow looks like.

ISO/IEC 27037: handling evidence at the scene

ISO/IEC 27037:2012 provides guidelines for the identification, collection, acquisition, and preservation of digital evidence — the earliest and most fragile stage, where mistakes are irreversible. Its core principles:

  • Identification — locating potential evidence, including volatile data that disappears when a device is powered off.
  • Collection — gathering devices and media, or
  • Acquisition — creating a forensic copy (image) when the original cannot be removed.
  • Preservation — protecting the evidence and its integrity throughout.

27037 also defines the people who do this work: the Digital Evidence First Responder (DEFR), who handles evidence at the scene, and the Digital Evidence Specialist (DES), who has deeper technical expertise. A central theme is that every action should be documented, justified, and — where possible — reproducible, so an independent examiner could follow the same steps and reach the same result.

NIST SP 800-86: the forensic process

NIST Special Publication 800-86, Guide to Integrating Forensic Techniques into Incident Response, describes a four-phase forensic process that applies once evidence is in hand:

  1. Collection — identify, label, record, and acquire data from sources while preserving integrity.
  2. Examination — process the collected data, extracting information of interest while protecting the original.
  3. Analysis — draw conclusions from the examined data using justifiable methods.
  4. Reporting — describe the actions taken, explain the results, and document the reasoning.

The guide's throughline is integrity and repeatability: work from copies, never originals; document tools and methods; and preserve the ability for someone else to verify the findings.

For mobile devices specifically, NIST SP 800-101 Rev. 1 extends these principles to the particular challenges of phones and tablets — volatile state, proprietary formats, and rapidly changing hardware.

Where hashing fits

Both frameworks depend on being able to prove that acquired data has not changed. The mechanism is a cryptographic hash computed at acquisition: a fixed-length fingerprint of the data. Recompute the hash later and compare — if it matches, the data is bit-for-bit identical; if it differs by even one bit, the values diverge completely. This is what lets an examiner work from a copy while proving the copy faithfully represents the original.

Turning standards into a record

Standards describe what to do; a chain-of-custody record proves you did it. A record aligned with 27037 and 800-86 should capture:

  • The acquisition method (imaged, logically extracted, live-acquired) and the tool used
  • The acquisition hash and algorithm, recorded at the time of acquisition
  • The source device and the legal authority for collection
  • Each subsequent transfer and examination, documented contemporaneously

CustodyTrack captures these forensic fields directly on the form and seals them into a tamper-evident hash chain, so the record itself reflects the standards the work was supposed to follow.

Sources

  1. [1] SP 800-86: Guide to Integrating Forensic Techniques into Incident Response National Institute of Standards and Technology
  2. [2] ISO/IEC 27037:2012 — Guidelines for identification, collection, acquisition and preservation of digital evidence International Organization for Standardization
  3. [3] SP 800-101 Rev. 1: Guidelines on Mobile Device Forensics National Institute of Standards and Technology

Every factual claim in this briefing was checked against these sources before publication. Sources are limited to courts, government and law-enforcement agencies, standards bodies, and open-access scholarship.