Digital Data Forensic Analysis Procedure for IT Security Management and Lawful Interception

Network Forensic System from Decision Group by ISO/IEC27037 Guidelines


Lots of law enforcement staff and corporate IT security officers fail to present acceptable digital evidence of cyber criminals, which is collected from the field diligently, in the court, because those presented lack of compliance with standard procedure of digital evidence identification, collection, acquisition, and preservation. Without the standard of network forensic procedure, all collected digital evidence are unauthenticated and less admissible during verdict process in the court.

Digital data, like other written and graphic data, by nature is one type of information mankind uses for communication. All criminal evidence must be first identified whether it has something to do with crime or criminal suspects related. Once it is identified and confirmed with criminal facts, it should be collected from criminal place, tool, witness or victims…etc. For digital evidence, it is usually collected from the media, which digital data passes through or is saved inside. All these media must be kept “clean” from contamination after confiscated if data is of non-volatile type or all these media should be capable of target provision transaction and content provided by proven intact fidelity if data is of volatile type. Of course, if digital data is in the form of machine format, it should be translated into human recognizable format word by word with alignment of original source. All data, whatever machine or human-recognized type, should be preserved safely and used authentically. All the above digital data processing by digital forensic way is now well defined by Guidelines of ISO/IEC27037 standard.

All people among law enforcement staff, corporate auditor, enterprise IT security officer, prosecutor and barrister, jury staff and judge in the court have the common guideline to verify and assess all digital data for cybercriminal cases and IT security risk assessment.

“When Decision Group digital forensic systems were launched in the first day, we were questioned by clients how you prove the data available by your system is authenticated.” Said by Casper Kan Chang, CEO of Decision Group “That’s why we pay much more attention on the digital data analysis processing in our network forensic system during system development stage in order to fulfill the requirement of ISO/IEC27037 Guidelines.”
For all Decision Group network forensic systems, data management processing starting from collection stage must keep up with those in ISO/IEC27037 guidelines. All digital data collected from network must be kept bit by bit in the original PCAP format, an industrial standard raw data form. During content reconstruction processing, all transaction data by timestamps, IP addresses, network account IDs, online application IDs, and message titles, if available, will be retained by each transaction session in the database. In the meantime, content information will also be retained in the file of its original format as possible as it could. Both raw data and reconstructed information are kept side by side for cross reference by user in order to validate the authentication of reconstructed content with raw data.

For data identification, the most important procedure is the data scoping processing, which is to locate the scope of criminal evidence by the available clues, which may be keywords, account ID, telephone number…etc. during a certain period of time. Decision Group system provides powerful data look-up function by multiple keywords, and allows user to set up different rules of data look-up by different cases for data scoping operation. All scoped data chunk can be downloaded by case and user authorization into portable optical media, DVD or CD, hashed for data safety and confidentiality.

The hidden facts behind all these transaction data can be easily verified by the link analysis tool built in Decision Group network forensic systems. Link analysis, aka association search operation on transaction data, is a graphic tool for exposure of hidden relationship among all transaction data, such as the relation between IP address and account ID, the ownership of different online services, the proximity of different targets by communication frequency …etc. All these linkage data can map the development of crime and IT security issue by cascades of collected digital evidence logically at different timestamp.

All the above data analysis processes in Decision Group network forensic systems, which are E-Detective, ED2S, Wireless-Detective, NIT, iMediator, iMonitor, EDDM and EDGS, are well designed by those guidelines in ISO/IEC27037 standard. These processes are also very critical for law enforcement staff, corporate auditor, enterprise IT security officer, prosecutor and barrister, jury staff and judge in the court, when they assess the collected digital data for verification of criminal facts.

If you are interested in how the data analysis process in Decision Group network forensic systems fulfills the requirement of ISO/IEC27037 guidelines, please send your email to for more detail information. You may also check out our website: for our regular training program – Network Packets for Forensic Analysis (NPFAT), which has already covered ISO/IEC27037 guideline in lawful interception and IT security risk assessment with Decision Group network forensic systems.    


About Decision Group, Inc.
Decision Group is a company focused on worldwide renowned DPI application of E-Detective.  Decision Group, established in Taipei, Taiwan since 1986, is one of the leaders in manufacturing of PC-Based Multi-Port RS232/422/425 Serial Cards, Data Acquisition & Measurement Products and Industrial Automation and Control Systems.
Decision Group, in the year 2000, started a new line involved in designing and developing equipment and software for Internet Content Monitoring and Network Forensics Analysis Solutions. Now, Decision Group has positioned itself as a total-solution provider with a full-spectrum of products in its portfolio for network forensic and lawful interception.

More Information and Contact by Email:
URL: (Global), (Taiwan), (China), (Japan) , (Germany), (France), (Spain and Latin America)

More Information and Contact - Ms. Isabelle Huang
Email address :
Skype: decision-computer
Phone: +886 2 2766 5753
FAX: +886 2 2766 5702