Update – October, 2021
After nearly 70,000 downloads of my templates, policies, and procedures, I have decided to take the documents offline and refresh them based upon new caselaw, standards, and information.
Many of them have already been updated and are now available as part of an online course I have created on creating a digital forensic capability. This course is available on my company’s website here.
As I complete the remainder of the forms, they will be posted on Natsar.com. I encourage you to create an account on that site and sign up for our email list to be notified as things become available.
For my Master of Science Degree in Information Security and Assurance (MSISA) I wrote my thesis about the overall lack of standards, certifications, and accreditation in the digital forensics discipline (available here). This lack of rigor within our profession may very well jeopardize the credibility of our discipline.
Over the past nearly two decades that I have been involved in the digital forensics field, it has been my experience that many, if not most, digital forensic “labs” lack proper policies and procedures to govern their work. This is not because of any intentional oversight by digital forensic examiners, but generally because the majority of examiners face a daunting backlog of evidence to examine and the thought of taking time away from the work to create policies and procedures becomes a low priority.
Never being fond of bringing up problems without a suggestion or two, I incorporated a set of model policies, procedures, manuals, forms, and templates for digital forensic and incident response practitioners. These documents have been vetted by numerous auditors, have been subpoenaed and introduced in courtrooms, have been practically applied and worked to for years, and have withstood all scrutiny they have been placed under. Some of these documents were used within an ASCLD/LAB accredited laboratory operating to ISO 17025 standards and others have been used within a U.S. Federal Agency in the national security space providing cybersecurity, digital forensics, and incident response for classified and unclassified networks.
Thanks for sharing all the manuals on this subject! I didn’t know that digital forensics is becoming such a widely used tool. It seems like a great way to protect people though.
You are welcome!
Thank you very much for sharing this information. It would be possible to use this information as a reference since I am working in a forensic program.
You are very welcome and I’m glad you found this useful. I hope it helps your forensic program and good luck with it!
Thank you! Greetings and respect from Puerto Rico
You are very welcome!
Oh my goodness! I love you for putting this information together. This is exactly what I have been looking for. This is so helpful. I’m having a hard time finding information on creating a digital forensic examination plan, most of the sources begin as a first responder and barely touch on the examination/analysis phases, would you have any suggestions?
Thank you for your comment and I’m glad you found the information helpful. By digital forensic examination plan, are you talking about how to approach a forensic examination once evidence has been submitted to you for analysis? I do have a checklist (albeit a little outdated) but you can check that to see if it would help: https://www.joshmoulin.com/?ddownload=426
Do you have any advice for setting up a new digital forensics lab (not a mobile one)? Mainly looking for must-have equipment and software and the best way to set the lab up for functionality. This would be a small lab with one, maybe two examiners. Thanks!
Hi Jennifer, I have lots of ideas about setting up a lab. My first lab was in a small closet (literally) in the police department and I even had to buy my own furniture. Over the years I have built multiple labs from two people to a dozen and learned some lessons along the way. I could write an entire post on this subject, but at a high level I would say the following: invest in good furniture (I used Herman Miller) and a nice office chair (it is well worth $600 to $800) because you’re going to be in it all day, every day, make sure you have plenty of electrical outlets, power capacity, cooling (A/C), network drops (CAT 5e or 6), a locked area for evidence pending examination, excellent lighting, a good tool set, digital camera, small vacuum (to vacuum out nasty computers that come into the lab), evidence bags, markers, at least one purpose-built forensic computer (I used to build my own for much less money than commercially made “forensic” systems), storage to store your evidence, exports, and forensic images on, something for mobile device forensics (e.g., Cellebrite, Paraben, Susteen, etc.), and at least one forensic suite that you are comfortable with (EnCase, FTK, X-Ways, etc.). I would be happy to answer more questions, go into detail on anything, and show some pictures of labs I have created if you are interested.
This information was very helpful for me.
Thanks for the comment and I’m glad it was helpful!
The forms and procedures are a great resource while I am working on an Incident Response plan. Is it possible to get a copy of the PowerPoint slide deck that you had referenced in an earlier comment you created to brief executives on a cyber incident?
I’m glad you found the information helpful and thanks for the comment. I sanitized a presentation I have used a few times before and you can download it here: https://www.joshmoulin.com/?ddownload=855. It’s very basic, but answers the questions that executives always ask. You can delete or hide any slides that you don’t know the answer to and as you continue your investigation, start adding the missing information. You may also want to add a slide about any outside resources you are enlisting (e.g., external incident response teams or law enforcement). Let me know if you need anything else. Josh
In the field, which is more preferred for taking notes? Handwritten or produced electronically?
And if produced electronically, which software would you suggest on being reliable in terms of integrity of the notes taken?
Also during an investigation is it a must to create a separate exhibit form to mention findings, or is it fine placing all exhibits findings with the report?
Hi Sam, I think the preference boils down to personal and agency preferences. Either way, the agency must have a policy that covers the proper use, retention, and authenticity of notes. Written notes are usually easy to authenticate and cheap to implement, but aren’t easy to retain or search. Electronic notes of course require some device to take the notes, require digital archiving, allow for searching, require cybersecurity considerations, and cost more money. I don’t have a recommended software other than to say it should always be provided by the agency and people should never be allowed to use personal cloud-apps (like Dropbox, OneNote, Evernote, etc.) for agency work for a variety of control reasons. If you implement software, make sure it is one that does not allow for alteration of notes when submitted, something that is date/time stamped, retained by the agency, and uses some sort of validation from both a data integrity standpoint as well as a verification standpoint (e.g., using hashing to ensure notes have not changed since being submitted, just like is done for photos and videos).
As for your report question – it is again a matter of preference. I include findings and screenshots in my main forensic report, but mention additional exhibits for larger items. For example, I may have a sampling of 10 or so relevant images in my report that includes a medium-sized image with metadata associated (MAC dates/times, file path, MD5, any notes), but then state “to view all relevant images click on the bookmark titled Item 1 Images in the bookmark section.” I always provide my report as locked PDFs with links to bookmarked evidence. I used to provide them as HTML, but it caused too many problems with different security settings on client computers.
I’m happy to answer any other questions, feel free to ask.
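The hashing check described in the reply above, shown as an added example that is not part of the original post or comments: each submitted note is date/time stamped and hashed together with the previous note's hash, so a later alteration is detectable. The field names, the `CASE-0001` identifier and the sample notes are constructed for illustration, and the timestamp is passed in as a parameter on the assumption that an agency-controlled system would assign it.

```python
import hashlib
import json

GENESIS = "0" * 64  # previous-hash value used for the first note in a log


def _digest(record):
    """SHA-256 over a canonical JSON encoding of the note's fields."""
    payload = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(payload.encode("utf-8")).hexdigest()


def submit_note(log, examiner, case_id, text, timestamp):
    """Append a note whose hash covers its content, timestamp and the prior hash."""
    record = {
        "seq": len(log),
        "case_id": case_id,
        "examiner": examiner,
        "timestamp": timestamp,  # assumption: assigned by the agency system
        "text": text,
        "prev_hash": log[-1]["hash"] if log else GENESIS,
    }
    entry = dict(record, hash=_digest(record))
    log.append(entry)
    return entry


def verify_log(log):
    """Return the index of the first altered, removed or reordered note, else None."""
    prev = GENESIS
    for i, entry in enumerate(log):
        record = {k: v for k, v in entry.items() if k != "hash"}
        if (entry["seq"] != i or entry["prev_hash"] != prev
                or _digest(record) != entry["hash"]):
            return i
        prev = entry["hash"]
    return None


def demo():
    """Constructed sample: verify a clean log, then alter one note and re-verify."""
    log = []
    submit_note(log, "examiner1", "CASE-0001", "Received item 1, seal intact.", "2021-10-01T09:00:00Z")
    submit_note(log, "examiner1", "CASE-0001", "Write blocker attached, imaging started.", "2021-10-01T09:20:00Z")
    submit_note(log, "examiner1", "CASE-0001", "Image hash matches source.", "2021-10-01T11:05:00Z")
    clean = verify_log(log)
    log[1]["text"] = "Imaging started."  # edit made after submission
    return clean, verify_log(log)
```

The chain only proves integrity if the most recent hash is also retained somewhere the note-taker cannot rewrite, such as the agency's archive; otherwise the whole log could be regenerated or truncated at the end without detection.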
I appreciate the answer; very direct and informative. I will be around for more questions.
Thank you,
You are very welcome and looking forward to your additional questions.
Thanks for the guide…It helps having a template to follow when putting together a DFIR policy….Thanks for all your work.
Joe, you are very welcome. Thank you for the comment and I am glad it was helpful!
Thanks a lot, you helped me a lot.
You are very welcome, thanks for letting me know!
Thank you for sharing this information!
You are very welcome, I hope you found it useful.
Thanks for sharing!
Josh – just wanted to say thanks for consolidation of great re-usable resources! I found them extremely valuable reads in support of my MS Degree in Digital Forensics.
Michelle – you are very welcome and it is nice to hear they were helpful! Good luck on your degree and let me know if I can help with anything else.
Josh, do you have a manual specific only to the standard operating procedures for digital evidence collections?
Hi Cory: The information is in some of the manuals, but I don’t have a specific manual solely dedicated to the collection of digital evidence. I would recommend looking at the CIRT Forensics Technical Manual for seizing some evidence (https://www.joshmoulin.com/?ddownload=413) as well as the Digital Forensic Lab Quality Assurance Manual (https://www.joshmoulin.com/?ddownload=420). Let me know if you have any other questions; I have written digital evidence collection policies in the past for law enforcement agencies as well as civilian agencies and might be able to provide some suggestions if you don’t find what you are looking for in the above.
Great and very helpful indeed.
Was wondering if you have a template for a First Information Report an IT executive would create once he/she does a preliminary investigation of a cyber incident?
I have a PowerPoint slide deck that I have created to brief executives on a cyber incident. Is that something you would be interested in?
I would be. Currently convincing our organization and a slide deck may help when incidents occur.
You can check out the presentation here if you’re interested. It’s a shell basically, but answers all the questions that you will be asked by senior leadership if you have a large incident: https://www.joshmoulin.com/?ddownload=855
Good material for reference, thanks for sharing.
You are very welcome, thanks for the comment.
Great helpful forms and manuals for any forensic service.
You are very welcome. Thank you for taking the time to comment and I’m glad the information was helpful to you!