Digital Forensics / Incident Response Forms, Policies, and Procedures

For my Master of Science Degree in Information Security and Assurance (MSISA) I wrote my thesis about the overall lack of standards, certifications, and accreditation in the digital forensics discipline (available here).  This lack of rigor within our profession may very well jeopardize the credibility of our discipline.

Over the past decade that I have been involved in the digital forensics field, it has been my experience that many, if not most, digital forensic “labs” lack proper policies and procedures to govern their work.  This is not because of any intentional oversight by digital forensic examiners, but generally because the majority of examiners face a daunting backlog of evidence to examine and the thought of taking time away from the work to create policies and procedures becomes a low priority.

Never being fond of bringing up problems without a suggestion or two, I incorporated a set of model policies, procedures, manuals, forms, and templates for digital forensic and incident response practitioners.  These documents have been vetted by numerous auditors, have been subpoenaed and introduced in courtrooms, have been practically applied and worked to for years, and have withstood all scrutiny they have been placed under.  Some of these documents were used within an ASCLD/LAB accredited laboratory operating to ISO 17025 standards and others have been used within a U.S. Federal Agency in the national security space providing cybersecurity, digital forensics, and incident response for classified and unclassified networks.

Feel free to download these forms, modify them to fit your particular needs, and use them.  If you find them helpful or you have some comments or questions, I encourage you to post them below.

Policies, Procedures, Technical Manuals, and Quality Assurance Manuals

Forms and Templates


Comments (41)

Hi Josh, just want to let you know thanks very much for the knowledge, my question, should I set up my lab at work in a network environment or stand-alone? Also, what do you recommend for storage for all the data?

You’re welcome. The answer to your question really depends on your budget and workload. Storing cases on internal hard drives or external drives is cheap, but it is not scalable and does not provide for any disaster recovery. It might be a good option if you are just starting out or don’t work many cases. If you have some money and some know-how with networking and network attached storage (NAS) devices, then I would recommend creating your own local area network (LAN) for your forensic lab. By using a NAS to store your digital evidence, it gives you some great flexibility to access forensic images and case files on a number of systems, work on the case simultaneously, have redundant disks storing the data, and provide for easy backup. I highly recommend Synology NAS devices. I’ve used several and have other colleagues using them too and they are great. You can get a Synology NAS and several TBs of storage (depending on what disks you buy) for less than $2,000. The type and speed of disks are important though, so don’t just automatically go with the cheapest unless those match your requirements. You can also scale Synology devices, so if your lab grows, you can add additional disks or an entire new array. You can build disk arrays yourself cheaper (Google JBOD), but unless you have some experience and a lot of time, I would not recommend it. Hope this helps and let me know if you have any other questions.

Hello Josh,

I am now starting a cybercrime unit / digital forensic lab and need advice on the way forward. My email is hiltonm@gov.ms. I would really like to discuss ideas, advice, and recommendations with you. I am very impressed with what you have provided and your knowledge in that area.

Hi Micah,

Sure, I’m happy to help how I can. Feel free to send your questions to me via email: josh@joshmoulin.com.

orodz.mmm@gmail.com

Hi Josh,

Thank you very much for sharing this information. Would it be possible to use this information as a reference, since I am working in a forensic program?

Regards,

You are very welcome and I’m glad you found this useful. I hope it helps your forensic program and good luck with it!

orodz.mmm@gmail.com

Thank you! Greetings and respect from Puerto Rico

Oh my goodness! I love you for putting this information together. This is exactly what I have been looking for. This is so helpful. I’m having a hard time finding information on creating a digital forensic examination plan, most of the sources begin as a first responder and barely touch on the examination/analysis phases, would you have any suggestions?

Thank you for your comment and I’m glad you found the information helpful. By digital forensic examination plan, are you talking about how to approach a forensic examination once evidence has been submitted to you for analysis? I do have a checklist (albeit a little outdated) but you can check that to see if it would help: https://www.joshmoulin.com/?ddownload=426

Do you have any advice for setting up a new digital forensics lab (not a mobile one)? Mainly looking for must have equipment and software and the best way to set the lab up for functionality. This would be a small lab with one, maybe two examiners. Thanks!

Hi Jennifer, I have lots of ideas about setting up a lab. My first lab was in a small closet (literally) in the police department and I even had to buy my own furniture. Over the years I have built multiple labs from two people to a dozen and learned some lessons along the way. I could write an entire post on this subject, but at a high level I would say the following: invest in good furniture (I used Herman Miller) and a nice office chair (it is well worth $600 to $800) because you’re going to be in it all day, every day; make sure you have plenty of electrical outlets, power capacity, cooling (A/C), network drops (CAT 5e or 6), a locked area for evidence pending examination, excellent lighting, a good tool set, a digital camera, a small vacuum (to vacuum out nasty computers that come into the lab), evidence bags, markers, at least one purpose-built forensic computer (I used to build my own for much less money than commercially made “forensic” systems), storage to keep your evidence, exports, and forensic images on, something for mobile device forensics (e.g., Cellebrite, Paraben, Susteen, etc.), and at least one forensic suite that you are comfortable with (EnCase, FTK, X-Ways, etc.). I would be happy to answer more questions, go into detail on anything, and show some pictures of labs I have created if you are interested.

Hello Josh,
I am in the process of setting up a forensics lab and appreciate the information that you provided above. Any additional information that you can provide would be GREATLY appreciated. Pics etc would be great if the offer is still open.

Hi Bob, I’m glad you found the article helpful and I would be happy to provide you some pictures of previous labs I have designed. I will get them together and send you an email using the address you used with my website.

This information was very helpful for me.

Thanks for the comment and I’m glad it was helpful!

The forms and procedures are a great resource while I am working on Incident Response plan. Is it possible to get a copy of the PowerPoint slide deck that you had referenced in an earlier comment you created to brief executives on a cyber incident?
Thank You!

I’m glad you found the information helpful and thanks for the comment. I sanitized a presentation I have used a few times before and you can download it here: https://www.joshmoulin.com/?ddownload=855. It’s very basic, but answers the questions that executives always ask. You can delete or hide any slides that you don’t know the answer to and, as you continue your investigation, start adding the missing information. You may also want to add a slide about any outside resources you are enlisting (e.g., external incident response teams or law enforcement). Let me know if you need anything else. Josh

In the field, which is more preferred for taking notes? Handwritten or produced electronically?
And if produced electronically, which software would you suggest as being reliable in terms of integrity of the notes taken?

Also during an investigation is it a must to create a separate exhibit form to mention findings, or is it fine placing all exhibits findings with the report?

Thank you

Hi Sam, I think the preference boils down to personal and agency preferences. Either way, the agency must have a policy that covers the proper use, retention, and authenticity of notes. Written notes are usually easy to authenticate and cheap to implement, but aren’t easy to retain or search. Electronic notes of course require some device to take the notes, require digital archiving, allow for searching, require cybersecurity considerations, and cost more money. I don’t have a recommended software other than to say it should always be provided by the agency and people should never be allowed to use personal cloud apps (like DropBox, OneNote, Evernote, etc.) for agency work for a variety of control reasons. If you implement software, make sure it is one that does not allow for alteration of notes once submitted, something that is date/time stamped, retained by the agency, and uses some sort of validation from both a data integrity standpoint as well as a verification standpoint (e.g., using hashing to ensure notes have not changed since being submitted, just like is done for photos and videos).

As for your report question – it is again a matter of preference. I include findings and screenshots in my main forensic report, but mention additional exhibits for larger items. For example, I may have a sampling of 10 or so relevant images in my report that includes a medium-sized image with its associated metadata (MAC dates/times, file path, MD5, any notes), but then state “to view all relevant images click on the bookmark titled Item 1 Images in the bookmark section.” I always provide my report as locked PDFs with links to bookmarked evidence. I used to provide them as HTML, but it caused too many problems with different security settings on client computers.

I’m happy to answer any other questions, feel free to ask.

Josh
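As an added illustration of the hash-based note validation described in the reply above (this is example code added here, not something from the original post or its author), the following Python script keeps an append-only ledger of examiner notes. Each submitted note is hashed with SHA-256 and timestamped, and every ledger entry also commits to the hash of the entry before it, so that a later edit to any note, to its author or timestamp, or a reordering of the log is detectable on verification. The `NoteLedger` class, its method names, and the sample notes are all constructed for this example.

```python
"""Minimal integrity ledger for examiner notes (added example, not from the post).

Each note is hashed with SHA-256 at submission and recorded with a UTC
timestamp. Entries are hash-chained: the entry hash covers the note hash,
examiner, timestamp, sequence number and the previous entry hash, so altering
any stored field, or any earlier entry, breaks the chain.
"""

import hashlib
import json
from datetime import datetime, timezone
from typing import List, Optional

GENESIS = "0" * 64  # constructed placeholder "previous hash" for the first entry


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 digest of raw bytes."""
    return hashlib.sha256(data).hexdigest()


def entry_hash(seq: int, examiner: str, submitted_at: str, note_hash: str, prev: str) -> str:
    """Canonical (sorted-key JSON) hash over all fields of one ledger entry."""
    payload = json.dumps(
        {"seq": seq, "examiner": examiner, "submitted_at": submitted_at,
         "note_hash": note_hash, "prev": prev},
        sort_keys=True,
    ).encode("utf-8")
    return sha256_hex(payload)


class NoteLedger:
    """Append-only list of note records; each record commits to the previous one."""

    def __init__(self) -> None:
        self.entries: List[dict] = []

    def submit(self, examiner: str, text: str,
               submitted_at: Optional[datetime] = None) -> dict:
        """Record a note. Only the note's hash is stored here; the note text
        itself would live in the agency's archive alongside this ledger."""
        ts = (submitted_at or datetime.now(timezone.utc)).isoformat()
        prev = self.entries[-1]["entry_hash"] if self.entries else GENESIS
        seq = len(self.entries)
        note_hash = sha256_hex(text.encode("utf-8"))
        entry = {
            "seq": seq,
            "examiner": examiner,
            "submitted_at": ts,
            "note_hash": note_hash,
            "prev": prev,
            "entry_hash": entry_hash(seq, examiner, ts, note_hash, prev),
        }
        self.entries.append(entry)
        return entry

    def verify_note(self, seq: int, text: str) -> bool:
        """Does the note text presented now match what was submitted as entry seq?"""
        return self.entries[seq]["note_hash"] == sha256_hex(text.encode("utf-8"))

    def verify_chain(self) -> bool:
        """Recompute every entry hash and check the chain links in order."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            expected = entry_hash(e["seq"], e["examiner"], e["submitted_at"],
                                  e["note_hash"], e["prev"])
            if e["seq"] != i or e["prev"] != prev or e["entry_hash"] != expected:
                return False
            prev = e["entry_hash"]
        return True


def demo() -> tuple:
    """Constructed walkthrough: submit two notes, check them, then tamper with one.
    Returns (original note verifies, edited note verifies,
             chain ok before tampering, chain ok after tampering)."""
    ledger = NoteLedger()
    when = datetime(2024, 1, 1, 9, 14, tzinfo=timezone.utc)  # constructed timestamp
    note1 = "09:14 Seized laptop, serial PLACEHOLDER-SERIAL, from desk in office 2."
    note2 = "09:40 Photographed device and connections before powering down."
    ledger.submit("Examiner A", note1, when)
    ledger.submit("Examiner A", note2, when)

    original_ok = ledger.verify_note(0, note1)
    edited_ok = ledger.verify_note(0, note1.replace("office 2", "office 3"))
    chain_before = ledger.verify_chain()

    # Simulate an after-the-fact change to the stored author of the first entry.
    ledger.entries[0]["examiner"] = "Examiner B"
    chain_after = ledger.verify_chain()
    return original_ok, edited_ok, chain_before, chain_after


if __name__ == "__main__":
    print(demo())  # expected: (True, False, True, False)
```

In practice the ledger itself would be stored by the agency (not on the examiner's personal device), and the chain head hash would be copied somewhere the examiner cannot write, such as a periodic printout or a separate logging system, so that the whole ledger cannot simply be regenerated after an edit.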

I appreciate the answer very direct and informative. I will be around for more questions.
Thank you,

You are very welcome and looking forward to your additional questions.

Thanks for the guide…It helps having a template to follow when putting together a DFIR policy….Thanks for all your work.

Joe, you are very welcome. Thank you for the comment and I am glad it was helpful!

Thanks a lot, you helped me a lot.

You are very welcome, thanks for letting me know!

Thank you for sharing this information!

You are very welcome, I hope you found it useful.

Thanks for sharing!

Josh – just wanted to say thanks for consolidating these great re-usable resources! I found them extremely valuable reads in support of my MS Degree in Digital Forensics.

Michelle – you are very welcome and it is nice to hear they were helpful! Good luck on your degree and let me know if I can help with anything else.

Josh, do you have a manual specific only to the standard operating procedures for digital evidence collections?

Hi Cory: The information is in some of the manuals, but I don’t have a specific manual solely dedicated to the collection of digital evidence. I would recommend looking at the CIRT Forensics Technical Manual for seizing some evidence (https://www.joshmoulin.com/?ddownload=413) as well as the Digital Forensic Lab Quality Assurance Manual (https://www.joshmoulin.com/?ddownload=420). Let me know if you have any other questions; I have written digital evidence collection policies in the past for law enforcement agencies as well as civilian agencies and might be able to provide some suggestions if you don’t find what you are looking for in the above.

Great and very helpful indeed.
Was wondering if you have a template for a First Information Report an IT executive would create once he/she does a preliminary investigation of a cyber incident?

I have a PowerPoint slide deck that I have created to brief executives on a cyber incident. Is that something you would be interested in?

I would be. Currently convincing our organization and a slide deck may help when incidents occur.
Thank you

You can check out the presentation here if you’re interested. It’s a shell basically, but answers all the questions that you will be asked by senior leadership if you have a large incident: https://www.joshmoulin.com/?ddownload=855

Good material for reference, thanks for sharing.

You are very welcome, thanks for the comment.

Great helpful forms and manuals for any forensic service.

Thank you!

You are very welcome. Thank you for taking the time to comment and I’m glad the information was helpful to you!

