Digital Forensics / Incident Response Forms, Policies, and Procedures


For my Master of Science Degree in Information Security and Assurance (MSISA) I wrote my thesis about the overall lack of standards, certifications, and accreditation in the digital forensics discipline (available here).  This lack of rigor within our profession may very well jeopardize the credibility of our discipline.

Over the past decade that I have been involved in the digital forensics field, it has been my experience that many, if not most, digital forensic “labs” lack proper policies and procedures to govern their work.  This is not because of any intentional oversight by digital forensic examiners, but generally because the majority of examiners face a daunting backlog of evidence to examine and the thought of taking time away from the work to create policies and procedures becomes a low priority.

Never being fond of bringing up problems without a suggestion or two, I incorporated a set of model policies, procedures, manuals, forms, and templates for digital forensic and incident response practitioners.  These documents have been vetted by numerous auditors, have been subpoenaed and introduced in courtrooms, have been practically applied and worked to for years, and have withstood all scrutiny they have been placed under.  Some of these documents were used within an ASCLD/LAB accredited laboratory operating to ISO 17025 standards and others have been used within a U.S. Federal Agency in the national security space providing cybersecurity, digital forensics, and incident response for classified and unclassified networks.

Feel free to download these forms, modify them to fit your particular needs, and use them.  If you find them helpful or you have some comments or questions, I encourage you to post them below.

Policies, Procedures, Technical Manuals, and Quality Assurance Manuals

Forms and Templates

39 thoughts on “Digital Forensics / Incident Response Forms, Policies, and Procedures”

  1. Hello Josh,

    I am now starting a cybercrime unit / digital forensic lab and need advice on the way forward. My email: I would really like to discuss ideas, advice, and recommendations with you. I am very impressed with what you have provided and your knowledge in that area.

  2. Hi Josh,

    Thank you very much for sharing this information. Would it be possible to use this information as a reference, since I am working in a forensic program?


  3. Oh my goodness! I love you for putting this information together. This is exactly what I have been looking for. This is so helpful. I’m having a hard time finding information on creating a digital forensic examination plan; most of the sources begin as a first responder and barely touch on the examination/analysis phases. Would you have any suggestions?

    • Thank you for your comment and I’m glad you found the information helpful. By digital forensic examination plan, are you talking about how to approach a forensic examination once evidence has been submitted to you for analysis? I do have a checklist (albeit a little outdated) but you can check that to see if it would help:

  4. Do you have any advice for setting up a new digital forensics lab (not a mobile one)? Mainly looking for must have equipment and software and the best way to set the lab up for functionality. This would be a small lab with one, maybe two examiners. Thanks!

    • Hi Jennifer, I have lots of ideas about setting up a lab. My first lab was in a small closet (literally) in the police department and I even had to buy my own furniture. Over the years I have built multiple labs from two people to a dozen and learned some lessons along the way. I could write an entire post on this subject, but at a high level I would say the following: invest in good furniture (I used Herman Miller) and a nice office chair (it is well worth $600 to $800) because you’re going to be in it all day, every day; make sure you have plenty of electrical outlets, power capacity, cooling (A/C), network drops (CAT 5e or 6), a locked area for evidence pending examination, excellent lighting, a good tool set, digital camera, small vacuum (to vacuum out nasty computers that come into the lab), evidence bags, markers, at least one purpose-built forensic computer (I used to build my own for much less money than commercially made “forensic” systems), storage to store your evidence, exports, and forensic images on, something for mobile device forensics (e.g., Cellebrite, Paraben, Susteen, etc.), and at least one forensic suite that you are comfortable with (EnCase, FTK, X-Ways, etc.). I would be happy to answer more questions, go into detail on anything, and show some pictures of labs I have created if you are interested.

      • Hello Josh,
        I am in the process of setting up a forensics lab and appreciate the information that you provided above. Any additional information that you can provide would be GREATLY appreciated. Pics, etc. would be great if the offer is still open.

        • Hi Bob, I’m glad you found the article helpful and I would be happy to provide you some pictures of previous labs I have designed. I will get them together and send you an email using the address you used with my website.

  5. The forms and procedures are a great resource while I am working on an Incident Response plan. Is it possible to get a copy of the PowerPoint slide deck that you had referenced in an earlier comment, which you created to brief executives on a cyber incident?
    Thank You!

    • I’m glad you found the information helpful and thanks for the comment. I sanitized a presentation I have used a few times before and you can download it here: It’s very basic, but answers the questions that executives always ask. You can delete or hide any slides that you don’t know the answer to and, as you continue your investigation, start adding the missing information. You may also want to add a slide about any outside resources you are enlisting (e.g., external incident response teams or law enforcement). Let me know if you need anything else. Josh

  6. In the field, which is more preferred for taking notes? Handwritten or produced electronically?
    And if produced electronically, which software would you suggest as being reliable in terms of integrity of the notes taken?

    Also, during an investigation is it a must to create a separate exhibit form to mention findings, or is it fine placing all exhibit findings in the report?

    Thank you

    • Hi Sam, I think the preference boils down to personal and agency preferences. Either way, the agency must have a policy that covers the proper use, retention, and authenticity of notes. Written notes are usually easy to authenticate and cheap to implement, but aren’t easy to retain or search. Electronic notes of course require some device to take the notes, require digital archiving, allow for searching, require cybersecurity considerations, and cost more money. I don’t have a recommended software other than to say it should always be provided by the agency and people should never be allowed to use personal cloud apps (like Dropbox, OneNote, Evernote, etc.) for agency work for a variety of control reasons. If you implement software, make sure it is one that does not allow for alteration of notes when submitted, something that is date/time stamped, retained by the agency, and uses some sort of validation from both a data integrity standpoint as well as a verification standpoint (e.g., using hashing to ensure notes have not changed since being submitted, just like is done for photos and videos).

      As for your report question – it is again a matter of preference. I include findings and screenshots in my main forensic report, but mention additional exhibits for larger items. For example, I may have a sampling of 10 or so relevant images in my report that includes a medium-sized image with associated metadata (MAC dates/times, file path, MD5, any notes), but then state “to view all relevant images click on the bookmark titled Item 1 Images in the bookmark section.” I always provide my report as locked PDFs with links to bookmarked evidence. I used to provide them as HTML, but it caused too many problems with different security settings on client computers.

      I’m happy to answer any other questions, feel free to ask.
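The hashed, date/time-stamped note validation described in the reply above, as an added example that is not part of the original post or its manuals: a small manifest that records each note file's hashes, size, filesystem modification time and submission stamp, then later flags any file changed or removed since submission. The note file names and the examiner id are constructed for the demo.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timezone


def hash_file(path, algorithms=("md5", "sha256")):
    """Return {alg: hexdigest}; read in chunks so large exports hash fine."""
    hashers = {alg: hashlib.new(alg) for alg in algorithms}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            for h in hashers.values():
                h.update(chunk)
    return {alg: h.hexdigest() for alg, h in hashers.items()}


def build_manifest(paths, submitted_by):
    """One entry per file: path, size, filesystem mtime, hashes, submission stamp."""
    entries = []
    for p in paths:
        st = os.stat(p)
        entries.append({
            "path": os.path.abspath(p),
            "size": st.st_size,
            "mtime": datetime.fromtimestamp(st.st_mtime, timezone.utc).isoformat(),
            "hashes": hash_file(p),
            "submitted_at": datetime.now(timezone.utc).isoformat(),
            "submitted_by": submitted_by,
        })
    return entries


def verify_manifest(entries):
    """Return [(path, status)] with status 'ok', 'modified' or 'missing'."""
    def status(e):
        if not os.path.exists(e["path"]):
            return "missing"
        return "ok" if hash_file(e["path"]) == e["hashes"] else "modified"
    return [(e["path"], status(e)) for e in entries]


def demo():
    """Constructed sample: two note files; the second is edited after submission."""
    d = tempfile.mkdtemp()
    notes = [os.path.join(d, "notes_day1.txt"), os.path.join(d, "notes_day2.txt")]
    for p in notes:
        with open(p, "w") as fh:
            fh.write("Item 1: imaged 500 GB HDD, hash verified.\n")
    manifest = build_manifest(notes, "examiner01")  # examiner id is made up
    with open(notes[1], "a") as fh:  # simulate a post-submission edit
        fh.write("Item 1: amended later.\n")
    return dict(verify_manifest(manifest))
```

In practice the manifest would be written out and retained by the agency (not the examiner) so the recorded hashes themselves cannot be quietly changed.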


  7. Thanks for the guide. It helps having a template to follow when putting together a DFIR policy. Thanks for all your work.

  8. Josh – just wanted to say thanks for the consolidation of great re-usable resources! I found them extremely valuable reads in support of my MS Degree in Digital Forensics.

    • Hi Cory: The information is in some of the manuals, but I don’t have a specific manual solely dedicated to the collection of digital evidence. I would recommend looking at the CIRT Forensics Technical Manual for seizing some evidence, as well as the Digital Forensic Lab Quality Assurance Manual. Let me know if you have any other questions; I have written digital evidence collection policies in the past for law enforcement agencies as well as civilian agencies and might be able to provide some suggestions if you don’t find what you are looking for in the above.
