ISO/IEC 27037: The International Standard for Digital Evidence
When digital evidence is challenged in court, opposing counsel rarely attacks the content first: the first line of attack is the method used to acquire it. ISO/IEC 27037 defines how to identify, collect, acquire and preserve digital evidence so the artefacts withstand scrutiny in front of a judge or supervisory authority. Published by ISO in 2012 and adopted across the European Union as EN ISO/IEC 27037:2017, it is the operational reference for expert reports, litigation, regulatory investigations and incident response. This guide explains what ISO 27037 requires, the roles it defines, its principles and processes, the legal frameworks it intersects, and the mistakes that strip digital evidence of probative value.
What ISO/IEC 27037 Is and Why It Exists
ISO/IEC 27037 is an international guideline establishing minimum rules for handling digital evidence in the early phases. It is not certifiable like ISO 27001: it is a methodology professionals and organisations must demonstrate they have followed, with verifiable artefacts.
Operational definition
ISO/IEC 27037:2012, adopted across Europe as EN ISO/IEC 27037:2017, is the international standard that provides guidelines for the identification, collection, acquisition and preservation of digital evidence so that the resulting material is admissible in court and usable in criminal proceedings, civil and commercial litigation, administrative disputes and internal investigations. The standard defines two operational roles, the Digital Evidence First Responder (DEFR) and the Digital Evidence Specialist (DES), together with four quality principles: auditability, repeatability, reproducibility and justifiability. It applies to any medium: mobile devices, computers, video surveillance systems, network logs, web content and cloud systems reachable through a controlled endpoint. ISO 27037 sits inside a family of four standards (27037, 27041, 27042, 27043) that together cover the full lifecycle of digital evidence, from identification through to presentation, and integrates with the eIDAS framework for qualified timestamping and qualified electronic seals.
The Official Definition of the Standard
The official title, listed in the ISO catalogue, is "Information technology, Security techniques, Guidelines for identification, collection, acquisition and preservation of digital evidence". Developed by ISO/IEC JTC 1/SC 27, it covers "potential" digital evidence regardless of medium: mobile devices, laptops, hard drives, network logs, web content, cloud systems. It does not address forensic laboratory analysis, the remit of ISO/IEC 27042.
The Problem It Solves: Fragile Digital Evidence and Admissibility
Digital evidence is fragile. A timestamp can be altered, a file can be overwritten without trace, and a hurried acquisition can destroy volatile data. Without a shared protocol, every expert acts differently and the opposing party can claim contamination.
The problem the standard solves
Before ISO/IEC 27037, digital evidence acquisition in Europe followed heterogeneous methods drawn from national guidelines such as the ACPO Good Practice Guide in the United Kingdom, SWGDE recommendations in the United States, and NIST SP 800-86 for technical incident response. The consequence was frequent inadmissibility challenges for evidence acquired without a documented chain of custody, and systematic difficulty in cross-border litigation where each party invoked a different guideline. The standard resolved the problem by providing a common vocabulary, defined roles, measurable quality principles and sequential processes. For the first time, an Italian expert, a German investigator and a French consultant can declare they followed the same protocol, reducing the surface area for methodological challenges. Admissibility becomes defensible when the four principles are documented step by step with technical artefacts verifiable by a qualified third party.
Who It Targets: Professionals, Experts, Organizations
ISO 27037 addresses several audiences: forensic experts and court-appointed consultants in expert reports; incident response teams during cyber attacks and breaches; legal counsel and DPOs in supplier contracts; law enforcement during digital device seizure; regulated organisations (banks, insurance, healthcare, telecoms) embedding its principles into compliance.
Structure of the Standard and Core Principles
ISO/IEC 27037 is organised into five parts: scope, normative references, terms and definitions, overview, operational processes. The processes are the most cited section, but the conceptual engine is the set of core principles, translating admissibility into verifiable technical requirements.
History: From ISO/IEC 27037:2012 to EN ISO/IEC 27037:2017
ISO published the standard on 15 October 2012. CEN adopted it in 2016 and member states published EN ISO/IEC 27037:2017. A revision opened in 2024 has not been published. Practitioners reference the 2012 edition with the 2017 European adoption as canonical.
Scope and What the Standard Does NOT Cover
The standard covers initial handling: identification, collection, acquisition, preservation. It does not cover analysis and interpretation (ISO/IEC 27042) nor presentation in court, governed by national procedure. It also does not address local legal liability, a matter for national law and instruments such as the EU e-Evidence Regulation 2023/1543 and the Budapest Convention.
The Four Fundamental Principles
The four quality principles are the heart of the standard. They recur in every process and are what a judge or supervisory authority looks for in an expert report. An acquisition that violates any of the four is exposed.
The four principles of ISO/IEC 27037
1. Auditability: every action performed on the evidence must be reconstructible by a qualified third party, through logs, screenshots, hash values and written records. It is not enough to state what was done; it must be demonstrable with technical artefacts that can be verified at any later point in time.
2. Repeatability: the same procedure, executed by the same person on the same system with the same tools, must produce the same results. This is the laboratory criterion, essential for internal verification and quality assurance.
3. Reproducibility: the same procedure, executed by different people with equivalent tools, must produce comparable results. This is the scientific criterion, essential for external verification by a second expert or by a court-appointed technical consultant.
4. Justifiability: every technical choice, including any departure from the principles above (for example systems that cannot be powered off, or perishable evidence captured under operational constraints), must be motivated and documented in the acquisition record.
The principles reinforce each other. An auditable but non-reproducible acquisition, executed with an undocumented script, remains exposed: a second expert cannot verify the result.
The Operational Roles: DEFR and DES
ISO 27037 defines two operational roles. They are roles, not job titles: one person can occupy both, depending on training and authorisation. The distinction clarifies who does what during the first hours of an investigation, when mistakes are hardest to undo.
Who Is the Digital Evidence First Responder (DEFR)
The Digital Evidence First Responder intervenes on the scene, identifies relevant systems, and collects or acquires them safely. The DEFR does not analyse the evidence: the role puts it in a condition where it can be analysed later. Required competencies: device knowledge, data volatility assessment, write blockers, forensic imaging, scene documentation.
Who Is the Digital Evidence Specialist (DES)
The Digital Evidence Specialist operates on complex systems: RAID arrays, virtualised environments, cloud infrastructure, enterprise network devices, industrial controls. The DES is brought in when specialist intervention is needed to avoid losing volatile data or when the target architecture exceeds DEFR competencies.
DEFR vs DES: Differences, Skills, Responsibilities
In practice the distinction is less rigid: a single consultant often covers both. The standard remains useful as a responsibility grid: separating DEFR and DES forces documentation of who is authorised to do what, critical when the acquisition is challenged.
| Characteristic | DEFR | DES |
|---|---|---|
| Scope | Identification, collection and base acquisition | Acquisition on complex systems (RAID, cloud, virtualised, industrial) |
| Competencies | Devices, write blockers, imaging, scene photography, written records | Enterprise architectures, memory dump, live acquisition, distributed systems |
| Authority | Mandate from principal (organisation, magistrate, authority) | Acts under DEFR delegation or direct mandate |
| Typical output | Scene report, forensic copy, hash values, chain of custody log | Bit-stream image of complex systems, volatile memory dumps |
| Example | Seized laptop: seal photography, write blocker, imaging | Hyper-V cluster with live VMs to preserve in running state |
The Four Processes of ISO/IEC 27037
The operational core of the standard is the sequence of four processes. The sequence is not strictly linear: in real scenarios processes iterate. Each must be documented as a distinct activity.
Identification: What to Look For and Where
The first process maps relevant systems, evaluates their state (powered on or off, network-connected, encrypted) and assesses the risk of losing volatile data. In a ransomware attack, powering down destroys RAM, processes and in-memory decryption keys. The DEFR decides what to acquire first based on the "order of volatility" of RFC 3227.
Collection: Moving the Evidence Off the Scene
Collection transfers the evidence to the secure environment where acquisition takes place. It requires labelling, tamper-evident seals, photographic documentation and continuous custody. Without seals the evidence loses probative value: the opposing party can argue a chain break in transit.
Acquisition: Creating the Forensic Copy (bit-stream image)
Acquisition is the most delicate moment. The standard requires a bit-by-bit copy (the bit-stream image) with a cryptographic hash. The copy must not alter the original: hence write blockers. When the system cannot be powered off, live acquisition is performed and the deviation is documented. For web content, acquisition takes specific forms: DOM capture, MHTML, certified screenshots, network metadata.
Preservation: Long-Term Custody
Preservation accompanies the other three processes. Integrity must remain verifiable at any subsequent moment. It covers physical custody (secure storage, controlled servers), logical custody (hash values, electronic seals, qualified timestamps) and documentary custody (records, access logs).
| Process | Purpose | Output | Principle | Deliverable |
|---|---|---|---|---|
| Identification | Map digital evidence and decide order of intervention | System inventory, volatility assessment | Justifiability | Scene report |
| Collection | Transfer evidence to a controlled environment | Labelling, seals, collection record | Auditability | Collection record, custody receipt |
| Acquisition | Create a verifiable bit-stream copy | Forensic imaging, hash calculation | Repeatability + Reproducibility | Forensic copy, SHA-256 hash, report |
| Preservation | Maintain integrity over time | Physical and logical custody, access logs | Continuous auditability | Custody register, electronic seal |
The four processes explained
Digital evidence handling under ISO/IEC 27037 is structured around four processes that interleave in everyday practice. Identification maps the scene and locates the relevant evidence, assessing volatility and the order of intervention on the basis of the order of volatility described in RFC 3227 and referenced by the standard. Collection physically transfers the evidence to a controlled environment using seals, labels and written records, when the system can be powered off and removed. Acquisition creates a verifiable bit-stream copy through a cryptographic hash function (typically SHA-256) and, when necessary, hardware or software write blockers to avoid alterations of the original medium. Preservation accompanies the other processes and keeps the evidence intact over time through physical custody (secure storage, controlled servers), logical custody (qualified electronic seal, qualified timestamp, periodic hash recalculation) and documentary custody (records, access logs). Every process is subject to the four quality principles and must be documented with verifiable artefacts.
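The acquisition step above (bit-stream copy, SHA-256 computed during the copy, independent recalculation on the written image, written record of who/what/when/tool and any justified deviation) as an added example in Python. This is not code from the page or from TrueScreen: the "device" is a constructed in-memory byte stream standing in for a write-blocked block device, and the operator and tool names are hypothetical placeholders.

```python
"""Added example, not from the page or from TrueScreen: streamed bit-stream
acquisition with SHA-256 computed on the source as it is read, an independent
recalculation on the written image, and an acquisition record. The source is a
constructed in-memory stream; a real DEFR reads from a write-blocked device."""
import hashlib
import io
from datetime import datetime, timezone

CHUNK = 1 << 16  # 64 KiB per read: the image is streamed, never loaded whole


def acquire_bitstream(source, image, chunk_size=CHUNK):
    """Copy every byte from `source` to `image`, hashing the source stream as
    it is read. Returns (bytes_copied, sha256 of the bytes read)."""
    h = hashlib.sha256()
    copied = 0
    while True:
        buf = source.read(chunk_size)
        if not buf:
            break
        h.update(buf)
        image.write(buf)
        copied += len(buf)
    return copied, h.hexdigest()


def sha256_of_stream(stream, chunk_size=CHUNK):
    """Independent recalculation over a stream. Used to verify the written
    image right after acquisition and for the periodic recalculation that
    preservation calls for."""
    h = hashlib.sha256()
    for buf in iter(lambda: stream.read(chunk_size), b""):
        h.update(buf)
    return h.hexdigest()


def build_acquisition_record(source_desc, operator, tool, size,
                             source_hash, image_hash, deviations=()):
    """The written record: who, which tool, when, what was imaged, both
    hashes, whether they agree, and any justified deviation (justifiability)."""
    return {
        "acquired_at": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "operator": operator,
        "tool": tool,
        "source": source_desc,
        "bytes": size,
        "sha256_source": source_hash,
        "sha256_image": image_hash,
        "verified": source_hash == image_hash,
        "deviations": list(deviations),
    }


def demo_acquisition(device_bytes=b"constructed disk contents " * 5000):
    """Run the whole step on constructed device contents and return the record.
    Running it twice on the same bytes yields the same hashes (repeatability)."""
    source = io.BytesIO(device_bytes)          # constructed stand-in device
    image = io.BytesIO()                       # destination forensic image
    size, source_hash = acquire_bitstream(source, image)
    image.seek(0)
    image_hash = sha256_of_stream(image)       # recalculated from the copy
    return build_acquisition_record(
        "constructed test volume", "DEFR (hypothetical)",
        "example-imager 0.1 (hypothetical)", size, source_hash, image_hash)


if __name__ == "__main__":
    rec = demo_acquisition()
    print(rec["bytes"], "bytes;", "verified" if rec["verified"] else "MISMATCH")
    print("sha256:", rec["sha256_image"])
```

The record deliberately stores both the hash of the bytes read from the source and the hash recomputed over the written image; a mismatch between the two is the first sign of a faulty copy, and the stored value is what every later recalculation is compared against.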
Chain of Custody, Hash and Evidence Integrity
The chain of custody binds the four processes together. If the digital chain of custody breaks at one point, even a flawless acquisition can be challenged. It is the technical mechanism that proves the evidence presented today is the same collected on the scene.
What the Chain of Custody Documents
The chain documents four elements. Identification: who performed the action, with which tool, where and when. Preservation: SHA-256 hash, qualified timestamp, electronic seal. Transfer: a signed log of every passage between custodians. Presentation: the expert report referencing the acquisition. The certified chain of custody combines these elements into a single package verifiable by a third party.
Hash Functions for Integrity Verification (SHA-256, SHA-1, MD5)
A hash function transforms a file into a fixed-length fingerprint: one bit changed produces a different fingerprint. ISO 27037 does not impose an algorithm; forensic practice has converged on SHA-256. SHA-1 was deprecated after the SHAttered collisions of 2017, MD5 after collisions in 2004 and 2008. An expert report presenting MD5 as the sole integrity check exposes the evidence to a hard challenge.
Qualified Timestamp and Electronic Seal: The eIDAS Bridge
A hash proves a file has not changed, but not when. To fix the "when" in a way that is opposable to third parties, the community uses qualified timestamps, defined by EU Regulation 910/2014 (eIDAS) as timestamps issued by a Qualified Trust Service Provider (QTSP), with presumption of accuracy under article 41. The qualified electronic seal adds the identity of the issuing organisation, affixed through an integrated QTSP.
Chain of custody and hash: the technical formula
Under ISO/IEC 27037, a chain of custody that holds up against a third party combines four technical elements verifiable independently. The SHA-256 hash of the forensic copy, computed at acquisition and recorded in the written report, guarantees the integrity of the content bit by bit. The qualified eIDAS timestamp, which fixes the moment of acquisition verifiably by the issuing QTSP, satisfies the "when" requirement of article 41 of Regulation 910/2014 and is opposable to third parties across the European Union. The qualified electronic seal identifies the organisation responsible for the acquisition and certifies the integrity of the package. The custody register documents every subsequent access, transfer or copy with a timestamp and signature. The loss of any single element does not invalidate the evidence, but reduces its defensibility against opposing-party objections. SHA-1 is deprecated for new acquisitions; MD5 should never be used as sole verification.
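The custody register described in this section and in "What the Chain of Custody Documents" (every access, transfer or copy recorded with actor, action, time and the evidence hash), as an added Python example that is not from the page or from TrueScreen. It keeps the register as a hash chain: each entry commits to the previous entry's hash, so an entry edited or reordered after the fact no longer fits the chain, and the evidence hash carried by every entry is compared against a fresh recalculation. The qualified timestamp and qualified electronic seal a QTSP would apply are not reproduced: the timestamp strings are constructed, and the entry hash only marks the value such a seal would cover. Names and the genesis value are assumptions.

```python
"""Added example, not from the page or from TrueScreen: a custody register kept
as a SHA-256 hash chain with an independent verifier. Timestamps are constructed
strings; in practice they would come from a QTSP timestamp token."""
import hashlib
import json

GENESIS = "0" * 64  # assumed previous-hash value for the first entry


def _canonical(obj):
    # Deterministic serialisation so every verifier hashes identical bytes
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def entry_hash(body):
    """Hash of an entry's contents (everything except its own entry_hash)."""
    return hashlib.sha256(_canonical(body)).hexdigest()


def append_entry(register, actor, action, evidence_sha256, timestamp):
    """Record one custody event, linked to the previous entry."""
    prev = register[-1]["entry_hash"] if register else GENESIS
    body = {
        "seq": len(register) + 1,
        "timestamp": timestamp,
        "actor": actor,
        "action": action,
        "evidence_sha256": evidence_sha256,
        "prev_hash": prev,
    }
    body["entry_hash"] = entry_hash({k: v for k, v in body.items()})
    register.append(body)
    return body


def verify_register(register, current_evidence_sha256):
    """Walk the chain from the genesis value. Returns (ok, problems).
    Checks sequence numbers, each entry's own hash, the link to the previous
    entry, and that the evidence hash recorded at every step equals the hash
    recalculated on the evidence today (periodic recalculation)."""
    problems = []
    prev = GENESIS
    for i, e in enumerate(register, start=1):
        body = {k: v for k, v in e.items() if k != "entry_hash"}
        if e["seq"] != i:
            problems.append(f"entry {i}: sequence gap or reordering")
        if e["prev_hash"] != prev:
            problems.append(f"entry {i}: broken link to previous entry")
        if entry_hash(body) != e["entry_hash"]:
            problems.append(f"entry {i}: entry contents altered")
        if e["evidence_sha256"] != current_evidence_sha256:
            problems.append(f"entry {i}: evidence hash differs from recalculation")
        prev = e["entry_hash"]
    return (not problems), problems


def demo_register():
    """Constructed custody history for a constructed forensic image, then a
    simulated after-the-fact edit of entry 2 whose author also recomputes that
    entry's hash to hide the edit: entry 3's link still exposes it."""
    image = b"constructed forensic image"
    h = hashlib.sha256(image).hexdigest()
    reg = []
    append_entry(reg, "DEFR A. Example", "acquisition completed, image sealed",
                 h, "2025-01-10T09:15:00Z")
    append_entry(reg, "DEFR A. Example", "handover to laboratory custodian",
                 h, "2025-01-10T11:40:00Z")
    append_entry(reg, "DES B. Example", "working copy created for analysis",
                 h, "2025-01-12T08:05:00Z")
    ok_clean, _ = verify_register(reg, h)

    tampered = [dict(e) for e in reg]
    tampered[1]["actor"] = "someone else"
    body = {k: v for k, v in tampered[1].items() if k != "entry_hash"}
    tampered[1]["entry_hash"] = entry_hash(body)
    ok_tampered, problems = verify_register(tampered, h)
    return ok_clean, ok_tampered, problems


if __name__ == "__main__":
    clean, tampered, problems = demo_register()
    print("clean register ok:", clean)
    print("tampered register ok:", tampered, problems)
```

A register that is merely a table of rows can be edited silently; the chain makes every later entry depend on every earlier one, which is what lets a second expert verify the history without trusting the custodian's database.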
The ISO/IEC 27037-27041-27042-27043 Family
ISO/IEC 27037 sits inside a family of four standards covering the full lifecycle of digital evidence. Expert reports that withstand challenge reference the entire family, anchoring each phase to the governing standard.
| Standard | Year | Scope | Role in the forensic cycle |
|---|---|---|---|
| ISO/IEC 27037 | 2012 (EN 2017) | Identification, collection, acquisition, preservation | Initial handling of evidence |
| ISO/IEC 27041 | 2015 | Assurance of suitability of investigative methods | Methodological validation |
| ISO/IEC 27042 | 2015 | Analysis and interpretation of digital evidence | Laboratory examination |
| ISO/IEC 27043 | 2015 | Incident investigation principles and processes | Overall procedural framework |
The relationship across the four standards
The four standards of the ISO/IEC 27037 family are complementary and apply in sequence along the lifecycle of digital evidence. ISO 27037 provides the operational guidelines for the initial phases (identification, collection, acquisition, preservation) and is the reference for the first response on the scene. ISO 27041 sets out how to demonstrate that the investigative method is fit for purpose, through assurance, validation and verification processes, and is the reference for methodological justification. ISO 27042 governs the analysis and interpretation of evidence content after it has been acquired under ISO 27037, and is the reference for laboratory work. ISO 27043 supplies the overall procedural framework for incident investigations, integrating the other three into a single process. A well-structured expert report references all four standards, making the methodological chain transparent.
ISO/IEC 27041: Assurance of the Investigative Methodology
ISO/IEC 27041 explains how to demonstrate that the method is fit for purpose. It distinguishes assurance (correct design), validation (works as intended) and verification (result matches the objective). Without 27041, the justifiability principle of 27037 risks remaining a formal declaration.
ISO/IEC 27042: Analysis and Interpretation of Evidence
ISO/IEC 27042 governs the phase after acquisition: examination of content, interpretation of findings, documentation of analytical limits. It is the reference for the "technical reconstruction" section of expert reports.
ISO/IEC 27043: Incident Investigation Principles and Processes
ISO/IEC 27043 provides the investigative framework in seven phases, from initial detection to post-incident analysis. It applies to enterprise security incidents (coordinated with NIS2 and DORA) and criminal investigations.
Related Standards (ISO/IEC 27035, ISO/IEC 27050)
ISO/IEC 27035 governs information security incident management and provides the broader context for 27037. ISO/IEC 27050 covers electronic discovery and complements 27037 in cross-border litigation toward common-law jurisdictions.
ISO 27037 in the European and International Legal Framework
The practical strength of ISO/IEC 27037 comes from how it interlocks with positive law. When a statute or court refers to "best forensic practice", the judge looks for a reference: ISO 27037 has become that standard across most EU jurisdictions and cross-border procedures.
National Adoptions: UNI CEI EN ISO/IEC 27037:2017 and Beyond
CEN adopted ISO/IEC 27037 in 2016 and member states published national versions of EN ISO/IEC 27037:2017 thereafter. Italy adopted UNI CEI EN ISO/IEC 27037:2017; Germany, France, Spain and others followed. Referencing the national adoption signals compliance with a controlled-source standard, relevant in public tenders, contracts with compliance clauses, and proceedings requiring methodology traceable to a recognised source.
eIDAS, eIDAS 2.0 and Qualified Timestamps
EU Regulation 910/2014 (eIDAS) sets the European framework for trust services delivered by QTSPs: qualified electronic seals, qualified timestamps, qualified electronic signatures. Article 41 grants qualified timestamps a presumption of accuracy of date, time and integrity. EU Regulation 2024/1183 (eIDAS 2.0), published April 2024 with QTSP compliance deadline September 2026, extends the framework with the EUDI Wallet and qualified electronic archiving.
GDPR, NIS2 and DORA: When the Standard Becomes an Operational Requirement
Three European regulations have made ISO 27037 increasingly binding. The GDPR (EU Regulation 2016/679) requires appropriate technical measures (article 32) and breach notification within 72 hours (article 33). The NIS2 Directive (EU 2022/2555) imposes a three-stage reporting timeline (early warning 24h, notification 72h, final report one month). The DORA Regulation (EU 2022/2554), applied from January 2025, requires formalised ICT incident management. Under all three, the forensic methodology of ISO 27037 becomes a compliance requirement.
Cross-Border Procedural References (Budapest Convention, e-Evidence Regulation)
The Budapest Convention on Cybercrime (CETS 185, 2001) provides the international framework for cross-border digital evidence collection, ratified by more than 70 states. The EU e-Evidence Regulation 2023/1543 and Directive 2023/1544 introduce European Production and Preservation Orders, allowing authorities to request electronic evidence directly from service providers across the EU.
International regulatory mapping
ISO/IEC 27037 is not formally mandatory in the European Union, but it becomes binding through four converging regulatory channels worth knowing in detail. National criminal procedure codes (such as the Italian Code of Criminal Procedure, the German StPO, the French CPP) require technical measures to prevent the alteration of seized digital data: ISO 27037 supplies those measures and is the reference cited in expert reports across member states. National civil procedure rules grant probative value to electronic reproductions subject to challenge: the traceability of ISO 27037 makes the challenge harder for the opposing party. The eIDAS Regulation (EU 910/2014) and eIDAS 2.0 (EU 2024/1183) complement the standard with qualified timestamps and qualified electronic seals issued by QTSPs. The European compliance package (GDPR, NIS2, DORA) transforms the forensic methodology into an operational requirement for breach notification and management of significant incidents, including reporting obligations toward supervisory authorities and CSIRTs.
When ISO/IEC 27037 Applies in the Enterprise
ISO 27037 applies in scenarios internal teams often do not recognise as "forensic". The admissibility of digital evidence depends on whether the methodology is embedded in everyday processes before the incident. For the operational application of the standard to web pages, see our dedicated guide.
Incident Response and Data Breach Management
During an incident, the response team must (under NIS2, DORA, GDPR) document the breach. The difference between good and defensible documentation is ISO 27037: identify compromised systems, acquire logs and images with hashes, preserve volatile memory, maintain a chain of custody. Without this discipline, the notification to the supervisory authority becomes narrative rather than probative.
Civil and Commercial Litigation
In litigation, parties produce as evidence an email, a server file, online content. A printed email without seal or hash is challengeable. Acquiring it as a sealed package (original file, SHA-256 hash, qualified timestamp, network metadata) shifts the burden of proof to the opposing party.
Internal Investigations: Fraud, Misconduct, IP Theft
ISO 27037 governs internal acquisitions that, if they reach legal action, must withstand external examination. Even when the matter stays internal, the standard protects the organisation from objections in disciplinary proceedings, particularly in disputes involving public statements, online defamation or data provenance issues.
eDiscovery and Cross-Border Evidence Collection
In cross-border litigation toward common-law jurisdictions, eDiscovery requires systematic collection with full traceability. ISO 27037 combines with ISO/IEC 27050 to provide a framework holding across legal systems. The EU e-Evidence Regulation raises the bar by requiring evidence transferred between member states to comply with recognised forensic standards.
Frequent Errors That Invalidate Digital Evidence
In the most contested disputes, the same errors recur. Avoiding them requires discipline and an internal policy embedding ISO 27037 principles into daily operations.
Unauthenticated Screenshot as Sole Evidence
A screenshot saved on a desktop and produced in court is almost always vulnerable: no metadata, no hash, no qualified timestamp, no context. Public archives such as the Wayback Machine cannot substitute for a forensic acquisition: useful for context, not as sole probative source.
Missing Hash or Deprecated Algorithm
An acquisition without a hash cannot be verified over time. MD5 alone is barely better: collisions documented since 2004, practical since 2008. The rule: SHA-256 for every new acquisition, never SHA-1 or MD5 alone.
Broken or Undocumented Chain of Custody
The chain breaks at trivial points: a file copied via email without a log, a disk in a drawer without a seal, a shared laboratory machine without access control. The remedy: automated logging, verifiable seals, periodic hash recalculation, controlled-access storage.
DEFR/DES Roles Not Formally Defined
Organisations often skip a bureaucratic step: defining DEFR and DES roles in writing, with training records and authorisations. In litigation, the absence of a written mandate is the first objection raised by opposing counsel. An internal policy referencing ISO 27037 prevents the problem.
ISO 27037 and TrueScreen: The Standard's Principles Applied to the Data Authenticity Platform
TrueScreen is the Data Authenticity Platform that translates the principles of ISO/IEC 27037 into an automated, repeatable workflow for the acquisition and certification of digital evidence. Every acquisition produces a sealed evidential package containing the SHA-256 hash of the captured content, a qualified timestamp issued by a third-party QTSP integrated via API, a qualified electronic seal applied by the same QTSP, and a complete chain of custody log. The four principles of the standard (auditability, repeatability, reproducibility, justifiability) are embedded in the architecture: every action recorded in immutable logs, the same acquisition producing equivalent results across independent executions, and technical choices documented in the acquisition record. TrueScreen is used by legal counsel, court-appointed experts, compliance officers and incident response teams to produce evidence aligned with the standard and admissible across the European Union and in cross-border procedures.
Acquisition Aligned with the Standard's Principles
A TrueScreen acquisition produces a package that maps onto the four processes. Identification captures network metadata (server IP, SSL/TLS certificate, HTTP headers, redirect chain). Collection downloads content in verifiable formats (DOM, MHTML, screenshots, attachments). Acquisition produces a bit-stream copy with SHA-256 hash. Preservation is guaranteed by the sealed package and custody register.
Electronic Seal and Qualified Timestamp via Integrated QTSPs
TrueScreen is not a Qualified Trust Service Provider. The qualified electronic seal and qualified timestamp are issued by third-party QTSPs under eIDAS and integrated via API. The evidence carries the legal weight of a European qualified trust service and is admissible across the European Union.
Immutable Evidential Package and Automated Chain of Custody
The package is immutable by construction: any modification produces a different hash and invalidates the seal. Every access, download and share is recorded in a sealed log with a qualified timestamp. The result is a verifiable trail aligned with the auditability and repeatability principles.
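The sealed evidential package for a web acquisition described in this section and in "Acquisition Aligned with the Standard's Principles" (DOM, MHTML, screenshot and network metadata, each hashed, with a package hash that changes if any artefact changes), as an added Python example. This is not TrueScreen's code and says nothing about its internal format: all artefacts, the URL, the IP address and the operator name are constructed placeholders, and the qualified timestamp and seal a QTSP would apply over the package hash are not reproduced.

```python
"""Added example, not from the page or from TrueScreen: a manifest-based
evidential package. Per-artefact SHA-256 values go into a manifest; the package
hash is the SHA-256 of the canonical manifest, which is the value a QTSP
timestamp or seal would cover. An independent verifier recomputes everything."""
import hashlib
import json


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def canonical_bytes(obj) -> bytes:
    # Deterministic JSON so any verifier reproduces the same package hash
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def build_manifest(artefacts: dict, acquisition_meta: dict) -> dict:
    """artefacts: {filename: bytes}. Records size and SHA-256 per file plus
    the acquisition metadata (who, when, which tool, which URL)."""
    files = {name: {"size": len(data), "sha256": sha256_hex(data)}
             for name, data in sorted(artefacts.items())}
    return {"acquisition": acquisition_meta, "files": files}


def seal_package(manifest: dict) -> str:
    """Package hash: the single value a qualified timestamp/seal would bind."""
    return sha256_hex(canonical_bytes(manifest))


def verify_package(artefacts: dict, manifest: dict, package_sha256: str):
    """Independent check from the artefacts and manifest alone.
    Returns (ok, findings); an edited, missing or added file is reported."""
    findings = []
    if seal_package(manifest) != package_sha256:
        findings.append("manifest does not match the sealed package hash")
    listed = manifest["files"]
    for name in sorted(set(listed) | set(artefacts)):
        if name not in artefacts:
            findings.append(f"{name}: listed in manifest but missing from package")
        elif name not in listed:
            findings.append(f"{name}: present in package but not in manifest")
        elif sha256_hex(artefacts[name]) != listed[name]["sha256"]:
            findings.append(f"{name}: content differs from manifest hash")
    return (not findings), findings


def demo_web_package():
    """Constructed capture of a constructed URL, sealed, verified, then one
    artefact is altered and verification is run again."""
    artefacts = {  # constructed stand-ins for a real capture
        "page.dom.html": b"<html><body>constructed DOM snapshot</body></html>",
        "page.mhtml": b"MIME-Version: 1.0\r\nconstructed MHTML archive\r\n",
        "screenshot.png": b"\x89PNG constructed screenshot bytes",
        "network.json": canonical_bytes({
            "server_ip": "192.0.2.10",            # TEST-NET-1, constructed
            "tls_subject": "CN=example.test",
            "redirects": ["https://example.test/old", "https://example.test/new"],
            "status": 200,
        }),
    }
    meta = {"url": "https://example.test/new",
            "acquired_at": "2025-01-10T09:15:00Z",   # constructed
            "operator": "DEFR (hypothetical)",
            "tool": "example-capture 0.1 (hypothetical)"}
    manifest = build_manifest(artefacts, meta)
    package_hash = seal_package(manifest)
    ok_clean, _ = verify_package(artefacts, manifest, package_hash)

    altered = dict(artefacts)
    altered["screenshot.png"] = b"\x89PNG altered screenshot bytes"
    ok_altered, findings = verify_package(altered, manifest, package_hash)
    return ok_clean, ok_altered, findings


if __name__ == "__main__":
    clean, altered, findings = demo_web_package()
    print("clean package ok:", clean)
    print("altered package ok:", altered, findings)
```

Because the verifier needs only the artefacts, the manifest and the package hash, a second expert can re-run it without access to the platform that produced the package, which is the reproducibility property the section claims.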
TrueScreen and ISO principles: the operational model
The integration of documented forensic methodology with qualified seals issued by third-party QTSPs is the operational model TrueScreen implements to apply ISO/IEC 27037 to the acquisition of digital evidence. The platform embeds the four principles (auditability, repeatability, reproducibility, justifiability) in its workflow and produces, for every acquisition, a sealed package verifiable by an expert or judge through standard eIDAS verification tools, without requiring access to TrueScreen infrastructure. The separation of roles is explicit and traceable: TrueScreen acquires and certifies the process by applying the methodology, while the integrated QTSP issues the qualified timestamp and qualified electronic seal under eIDAS. The result is evidence usable in judicial proceedings, regulatory notifications (data protection authorities, national CSIRTs under NIS2, financial supervisory authorities under DORA), international arbitration and cross-border eDiscovery across common-law and civil-law jurisdictions, with equivalent probative value in every EU member state.