Digital Forensics / Incident Response Forms, Policies, and Procedures


For my Master of Science Degree in Information Security and Assurance (MSISA) I wrote my thesis about the overall lack of standards, certifications, and accreditation in the digital forensics discipline (available here).  This lack of rigor within our profession may very well jeopardize the credibility of our discipline.

Over the past decade that I have been involved in the digital forensics field, it has been my experience that many, if not most, digital forensic “labs” lack proper policies and procedures to govern their work.  This is not because of any intentional oversight by digital forensic examiners, but generally because the majority of examiners face a daunting backlog of evidence to examine and the thought of taking time away from the work to create policies and procedures becomes a low priority.

Never being fond of bringing up problems without a suggestion or two, I incorporated a set of model policies, procedures, manuals, forms, and templates for digital forensic and incident response practitioners.  These documents have been vetted by numerous auditors, have been subpoenaed and introduced in courtrooms, have been practically applied and worked to for years, and have withstood all scrutiny they have been placed under.  Some of these documents were used within an ASCLD/LAB accredited laboratory operating to ISO 17025 standards and others have been used within a U.S. Federal Agency in the national security space providing cybersecurity, digital forensics, and incident response for classified and unclassified networks.

Feel free to download these forms, modify them to fit your particular needs, and use them.  If you find them helpful or you have some comments or questions, I encourage you to post them below.

Policies, Procedures, Technical Manuals, and Quality Assurance Manuals

Forms and Templates

25 thoughts on “Digital Forensics / Incident Response Forms, Policies, and Procedures”

  1. The forms and procedures are a great resource while I am working on Incident Response plan. Is it possible to get a copy of the PowerPoint slide deck that you had referenced in an earlier comment you created to brief executives on a cyber incident?
    Thank You!

    • I’m glad you found the information helpful and thanks for the comment. I sanitized a presentation I have used a few times before and you can download it here: https://www.joshmoulin.com/?ddownload=855. It’s very basic, but answers the questions that executives always ask. You can delete or hide any slides that you don’t know the answer to and, as you continue your investigation, start adding the missing information. You may also want to add a slide about any outside resources you are enlisting (e.g., external incident response teams or law enforcement). Let me know if you need anything else. Josh

  2. In the field, which is more preferred for taking notes? Handwritten or produced electronically?
    And if produced electronically, which software would you suggest as being reliable in terms of the integrity of the notes taken?

    Also during an investigation is it a must to create a separate exhibit form to mention findings, or is it fine placing all exhibits findings with the report?

    Thank you

    • Hi Sam, I think the preference boils down to personal and agency preferences. Either way, the agency must have a policy that covers the proper use, retention, and authenticity of notes. Written notes are usually easy to authenticate and cheap to implement, but aren’t easy to retain or search. Electronic notes of course require some device to take the notes, require digital archiving, allow for searching, require cybersecurity considerations, and cost more money. I don’t have a recommended software other than to say it should always be provided by the agency and people should never be allowed to use personal cloud apps (like DropBox, OneNote, Evernote, etc.) for agency work for a variety of control reasons. If you implement software, make sure it is one that does not allow for alteration of notes once submitted, something that is date/time stamped, retained by the agency, and uses some sort of validation from both a data integrity standpoint as well as a verification standpoint (e.g., using hashing to ensure notes have not changed since being submitted, just like is done for photos and videos).

      As for your report question – it is again a matter of preference. I include findings and screenshots in my main forensic report, but mention additional exhibits for larger items. For example, I may have a sampling of 10 or so relevant images in my report that includes a medium-sized image with associated metadata (MAC dates/times, file path, MD5, any notes), but then state “to view all relevant images click on the bookmark titled Item 1 Images in the bookmark section.” I always provide my report as locked PDFs with links to bookmarked evidence. I used to provide them as HTML, but it caused too many problems with different security settings on client computers.

      I’m happy to answer any other questions, feel free to ask.

      Josh

  3. Thanks for the guide…It helps having a template to follow when putting together a DFIR policy….Thanks for all your work.

  4. Josh – just wanted to say thanks for the consolidation of great re-usable resources! I found them extremely valuable reads in support of my MS Degree in Digital Forensics.

    • Hi Cory: The information is in some of the manuals, but I don’t have a specific manual solely dedicated to the collection of digital evidence. I would recommend looking at the CIRT Forensics Technical Manual for seizing some evidence (https://www.joshmoulin.com/?ddownload=413) as well as the Digital Forensic Lab Quality Assurance Manual (https://www.joshmoulin.com/?ddownload=420). Let me know if you have any other questions; I have written digital evidence collection policies in the past for law enforcement agencies as well as civilian agencies and might be able to provide some suggestions if you don’t find what you are looking for in the above.
