Computer Forensics Policy

Version: 1.00Issue Date: 12/23/2014

Computer forensics is practiced to preserve and obtain forensic computer evidence of outside intrusions, inappropriate use, or other security incidents. Computer forensics methods and results must be able to be presented as part of legal cases and must sustain arguments against it. Therefore computer forensic methods must follow standard and acceptable methods of proof and preservation required by traditional forensic science.

1.0 Overview

Computer forensics is practiced to preserve and obtain forensic computer evidence of outside intrusions, inappropriate use, or other security incidents. This Computer Forensics Policy should be used in conjunction with the Security Incident Policy and Procedures.

2.0 Purpose

This Computer Forensics Policy is intended to ensure a proper process is followed for investigations and that the users aware of simple computer forensic issues.

3.0 Scope

This Computer Forensics Policy applies to the entire organization, its computer equipment whether owned or leased, and all staff. This policy is effective as of the issue date and does not expire unless superceded by another policy.

4.0 Uniqueness

Computer forensic techniques must be able to be effective even considering the uniqueness of operating systems, application programs, and data storage media or storage methods. Various methods of proof and evidense preservation will be required from operating system to operating system and from application to application. Forensic procedures must be created to support the organizational environment.

5.0 Computer Evidence

Computer evidence may be stored on electronic items such as memory chips, tapes, hard drives, circuit boards, monitors, processors, and printers. Organizational forensic officers should check with law enforcement officials to obtain information and plans about obtaining acceptable and legal ways for obtaining, preserving, and handling evidence so it can be shown the evidence is not fabricated. Computer evidence must be discovered or exposed and is considered latent prior to the investigation.

Computer evidence is a combination of the computer system that the evidence was created on, the programs used to monitor that system, applications used on the system, the data stored, and the tools used to extract the evidence. If one is faulty, the evidence may be considered faulty.

6.0 Evidence Extraction and Preservation

Requirements for proper evidence extraction and preservation are listed below.

  • Proven and documented laboratory practices must be used to extract evidence.
  • Examinations of systems for evidence must be planned, recorded, monitored, and reported to be sure the evidence is of good quality and withstand legal scrutiny.
  • The original evidence shall be preserved and the evidence extraction shall be done on a copy of the original media containing the evidence whenever possible. A proven useful method of copying the evidence must be used. The method must be accurate and reliable.
  • Information relating to the investigation and additional unrelated data must be protected from exposure depending on the needs of the data and the investigation.
  • Forensic staff must have proper training, technical knowledge, and investigative details about the situation to properly extract and preserve evidence.

7.0 Evidence Chain

  1. Any item containing evidence to be examined shall immediately be placed in an area that is physically secure and intended for the purpose of securing forensic evidence. The evidence shall be logged in a security log indicating who checked it in, time and date, type of evidence, and ID of evidence. If evidence is checked out, it must be logged and proper ID and authorization must be shown along with the purpose for checking evidence out.
  2. For legal purposes, a third party should conduct or witness the investigation.

10.0 Enforcement

Since proper computer forensics is important for catching those attacking the organization electronically and to maintain security of systems and data, employees that purposely violate this policy may be subject to disciplinary action up to and including denial of access, legal penalties, and/or dismissal. Any employee aware of any violation of this policy is required to report it to their supervisor or other authorized representative.

11.0 Other Requirements

  • Forensic procedures must be developed to support the operating systems, applications, and storage media used in the organization.


Approved by:__________________________ Signature:_____________________ Date:_______________