Digital Forensics / Incident Response Forms, Policies, and Procedures



For my Master of Science Degree in Information Security and Assurance (MSISA), I wrote my thesis about the overall lack of standards, certifications, and accreditation in the digital forensics discipline (available here). This lack of rigor within our profession may very well jeopardize the credibility of our discipline.

Over the past decade that I have been involved in the digital forensics field, it has been my experience that many, if not most, digital forensic “labs” lack proper policies and procedures to govern their work.  This is not because of any intentional oversight by digital forensic examiners, but generally because the majority of examiners face a daunting backlog of evidence to examine and the thought of taking time away from the work to create policies and procedures becomes a low priority.

Never being fond of bringing up problems without a suggestion or two, I incorporated a set of model policies, procedures, manuals, forms, and templates for digital forensic and incident response practitioners.  These documents have been vetted by numerous auditors, have been subpoenaed and introduced in courtrooms, have been practically applied and worked to for years, and have withstood all scrutiny they have been placed under.  Some of these documents were used within an ASCLD/LAB accredited laboratory operating to ISO 17025 standards and others have been used within a U.S. Federal Agency in the national security space providing cybersecurity, digital forensics, and incident response for classified and unclassified networks.

Feel free to download these forms, modify them to fit your particular needs, and use them.  If you find them helpful or you have some comments or questions, I encourage you to post them below.

Policies, Procedures, Technical Manuals, and Quality Assurance Manuals

Forms and Templates

8 thoughts on “Digital Forensics / Incident Response Forms, Policies, and Procedures”

    • Hi Cory: The information is in some of the manuals, but I don’t have a specific manual solely dedicated to the collection of digital evidence. I would recommend looking at the CIRT Forensics Technical Manual for seizing some evidence as well as the Digital Forensic Lab Quality Assurance Manual. Let me know if you have any other questions; I have written digital evidence collection policies in the past for law enforcement agencies as well as civilian agencies and might be able to provide some suggestions if you don’t find what you are looking for in the above.
