Edition: 1
Authors: David Lilburn Watson, Andrew Jones
Series:
ISBN: 9781597497428, 1597497428
Publisher: Syngress
Year of publication: 2013
Number of pages: 914
Language: English
File format: PDF (converted to PDF, EPUB or AZW3 on user request)
File size: 14 MB
If you would like the file of the book Digital Forensics Processing and Procedures: Meeting the Requirements of ISO 17020, ISO 17025, ISO 27001 and Best Practice Requirements converted to PDF, EPUB, AZW3, MOBI or DJVU, you can notify support so that they convert the file.
Note that the book Digital Forensics Processing and Procedures: Meeting the Requirements of ISO 17020, ISO 17025, ISO 27001 and Best Practice Requirements is the original-language edition and is not a Persian translation. The International Library website provides original-language books and does not offer any books translated into or written in Persian.
Front Cover Digital Forensics Processing and Procedures: Meeting the Requirements of ISO 17020, ISO 17025, ISO 27001 and Best Practic ... Copyright Contents About the Authors Technical Editor Bio Acknowledgments Preface Chapter 1: Introduction 1.1. Introduction 1.1.1. What is Digital Forensics? 1.1.2. The Need for Digital Forensics 1.1.3. The Purpose of This Book 1.1.4. Book Structure 1.1.5. Who Should Read This Book? 1.1.6. The Need for Procedures in Digital Forensics 1.1.7. Problems with Electronic Evidence 1.1.8. The Principles of Electronic Evidence 1.1.9. Nomenclature Used in This Book Appendix 1 - Some types of cases involving Digital Forensics Criminal cases Civil cases Appendix 2 - Growth of hard disk drives for personal computers Appendix 3 - Disk drive size nomenclature Chapter 2: Forensic Laboratory Accommodation 2.1. The building 2.1.1. General 2.1.2. Business Case 2.1.3. Standards 2.2. Protecting against external and environmental threats 2.3. Utilities and services 2.3.1. Signage 2.3.2. Power and Cabling 2.3.3. Heating, Ventilation, and Air Conditioning 2.3.4. Fire Detection and Quenching 2.3.5. Close Circuit Television and Burglar Alarms 2.3.6. Communications 2.3.7. Water 2.4. Physical security 2.4.1. General 2.4.2. Building Infrastructure 2.4.3. Access Control 2.4.4. On-Site Secure Evidence Storage 2.4.5. Clean Room 2.4.6. Fire Safes 2.4.7. Secure Off-Site Storage 2.5. Layout of the Forensic Laboratory 2.5.1. Separation of Space for Specific Roles and Tasks 2.5.2. Ergonomics 2.5.3. Personal Workspace 2.5.4. Size Estimating 2.5.5. Infrastructure Rooms Appendix 1 - Sample outline for a business case Appendix 2 - Forensic Laboratory Physical Security Policy Introduction Purpose Definitions Scope Audience Policy statements Responsibilities Enforcement, monitoring, and breaches Ownership Review and maintenance Approval Chapter 3: Setting up the Forensic Laboratory 3.1. Setting up the Forensic Laboratory 3.1.1. 
Forensic Laboratory Terms of Reference 3.1.2. The Status of the Forensic Laboratory 3.1.3. The Forensic Laboratory Principles 3.1.3.1. Responsibilities 3.1.3.2. Integrity 3.1.3.3. Quality 3.1.3.4. Efficiency 3.1.3.5. Productivity 3.1.3.6. Meet Organizational Expectations 3.1.3.7. Health and Safety 3.1.3.8. Information Security 3.1.3.9. Management Information Systems 3.1.3.10. Qualifications 3.1.3.11. Training 3.1.3.12. Maintaining Employee Competency 3.1.3.13. Employee Development 3.1.3.14. Environment 3.1.3.15. Supervision 3.1.3.16. Conflicts of Interest 3.1.3.17. Legal Compliance 3.1.3.18. Accountability 3.1.3.19. Disclosure and Discovery 3.1.3.20. Work Quality 3.1.3.21. Accreditation and Certification 3.1.3.22. Membership of Appropriate Organizations 3.1.3.23. Obtain Appropriate Personal Certifications 3.1.4. Laboratory Service Level Agreements 3.1.5. Impartiality and Independence 3.1.6. Codes of Practice and Conduct 3.1.7. Quality Standards 3.1.8. Objectivity 3.1.9. Management Requirements 3.1.10. Forensic Laboratory Policies 3.1.11. Documentation Requirements 3.1.12. Competence, Awareness, and Training 3.1.13. Planning 3.1.13.1. Risk Assessment and Management 3.1.13.2. Business Impact Analysis 3.1.13.3. Legal and Regulatory Considerations 3.1.14. Insurance 3.1.15. Contingency Planning 3.1.16. Roles and Responsibilities 3.1.17. Business Objectives 3.1.18. Laboratory Accreditation and Certification 3.1.19. Policies 3.1.20. Guidelines and Procedures Appendix 1 - The Forensic Laboratory ToR The vision Scope and objectives Deliverables Boundaries, risks, and limitations Roles, responsibilities, authority, accountability, and reporting requirements Stakeholders Regulatory framework Resources Work breakdown structure and schedule Success Factors Intervention strategies Appendix 2 - Cross reference between ISO 9001 and ISO 17025 Appendix 3 - Conflict of Interest Policy Appendix 4 - Quality Policy Chapter 4: The Forensic Laboratory Integrated Management System 4.1. 
Introduction 4.2. Benefits 4.3. The Forensic Laboratory IMS 4.3.1. General Requirements 4.3.1.1. Overview 4.3.1.2. Plan 4.3.1.3. Do 4.3.1.4. Check 4.3.1.5. Act 4.3.2. Goals 4.4. The Forensic Laboratory Policies 4.4.1. Policies 4.4.1.1. Legislative 4.4.1.2. ISO High-Level Policy Documents 4.4.1.3. ISO Detailed Policy Documents 4.4.1.4. Forensic Laboratory-Specific Policy Documents 4.4.2. Policy Review 4.4.3. Management Committees 4.5. Planning 4.5.1. Identification and Evaluation of Aspects, Impacts, and Risks 4.5.2. Identification of Legal, Regulatory, and Other Requirements 4.5.3. Contingency Planning 4.5.4. Objectives 4.5.5. Organizational Structures, Roles, Responsibilities, and Authorities 4.6. Implementation and Operation 4.6.1. Operational Control 4.6.2. Management of Resources 4.6.2.1. Provision of Resources 4.6.2.2. Competence, Training, and Awareness 4.6.2.2.1. General Human Resources Training 4.6.2.2.2. Project Training 4.6.2.2.3. Management System-Specific Training 4.6.2.3. Training Records 4.6.2.4. Infrastructure 4.6.2.5. Environment 4.6.3. Documentation Requirements 4.6.3.1. General 4.6.3.2. System Documentation 4.6.3.3. Control of Documents 4.6.3.3.1. Roles and Responsibilities 4.6.3.3.1.1. Document Owner Responsibilities 4.6.3.3.1.2. Document Author Responsibilities 4.6.3.3.1.3. Reviewer Responsibilities 4.6.3.3.1.4. Quality Assurance Manager Responsibilities 4.6.3.3.1.5. Site Owners Responsibilities 4.6.3.3.1.6. Document Registrar Responsibilities 4.6.3.4. Writing and Updating Documents 4.6.3.4.1. Generating a Request 4.6.3.4.2. Researching and Writing/Updating a Document 4.6.3.4.3. Reviewing a Document and Implementing Edits 4.6.3.4.4. Reviewing a Proposal or Work Product and Implementing Edits 4.6.3.4.5. Issuing a Document 4.6.3.4.5.1. Word Documents 4.6.3.4.5.2. HTML Documents 4.6.3.4.6. Reviewing Management System or Business Process Documents 4.6.4. Control of Records 4.6.5. Communication 4.7. Performance assessment 4.7.1. 
Monitoring and Measurement 4.7.2. Evaluation of Compliance 4.7.3. Internal Auditing 4.7.3.1. Overview 4.7.3.2. Audit Responsibilities 4.7.3.2.1. Owners 4.7.3.2.2. Auditors 4.7.3.2.3. Auditees 4.7.3.3. Auditing Management System(s) 4.7.3.4. Audit Planning Charts 4.7.3.5. Audit Non-Compliance Definitions 4.7.3.5.1. Major Non-Compliance 4.7.3.5.1.1. Definition 4.7.3.5.1.2. Examples 4.7.3.5.2. Minor Non-Compliance 4.7.3.5.2.1. Definition 4.7.3.5.2.2. Examples 4.7.3.5.3. Observation 4.7.3.6. Planning an Internal Audit 4.7.3.7. Conducting an Internal Audit 4.7.3.8. Preparing the Audit Report 4.7.3.9. Completing the Audit 4.8. Continuous improvement 4.8.1. Handling of Non-Conformities 4.8.2. Planning and Implementing Corrective Actions 4.8.3. Determining Preventive Action 4.8.4. Corrective and Preventive Action Requests 4.8.5. Corrective and Preventive Action Ownership 4.8.6. Corrective and Preventive Action Oversight 4.9. Management Reviews 4.9.1. General 4.9.2. Review Input 4.9.3. Review Output 4.9.4. 
Agendas Appendix 1 - Mapping ISO Guide 72 requirements to PAS 99 Appendix 2 - PAS 99 glossary Appendix 3 - PAS 99 mapping to IMS procedures Appendix 4 - The Forensic Laboratory Goal Statement Appendix 5 - The Forensic Laboratory Baseline Measures Appendix 6 - Environment Policy Appendix 7 - Health and Safety Policy Appendix 8 - Undue Influence Policy Gifts Corporate Hospitality Hospitality and Gifts Register Breaches of this Policy Appendix 9 - Business Continuity Policy Appendix 10 - Information Security Policy Appendix 11 - Access Control Policy Appendix 12 - Change or Termination Policy Appendix 13 - Clear Desk and Clear Screen Policy Clear Desk Policy Clear Screen Policy Appendix 14 - Continuous Improvement Policy Appendix 15 - Cryptographic Control Policy Appendix 16 - Document Retention Policy Business and Regulatory Contracts and Contractors Property and land Premises operations and maintenance inspections Waste management Assets Training records Appendix 17 - Financial Management Policy Appendix 18 - Mobile Devices Policy Users The Forensic Laboratory USB devices Protection of data General information Appendix 19 - Network Service Policy Appendix 20 - Personnel Screening Policy Screening employees at recruitment stage Temporary and contract staff Appendix 21 - Relationship Management Policy Appendix 22 - Release Management Policy Appendix 23 - Service Management Policy Appendix 24 - Service Reporting Policy Appendix 25 - Third-Party Access Control Policy Appendix 26 - Acceptable Use Policy General Purpose Applicability Responsibilities Acceptable use Personal use Unacceptable use E-mail policy Loss and damage Deletion of data Backup services Software and hardware auditing Removal of equipment Telephone systems Access by third parties Investigation of information security incidents Reporting information security incidents Some relevant legislation and regulation Appendix 27 - Audit Committee Title Constitution Authority Membership Agenda and minutes 
Attendance at meetings Frequency of meetings Responsibilities Financial Reporting Internal Controls and Management Systems Whistle Blowing and the Code of Conduct Internal Audit External Audit Other Reporting Procedures Review of Terms of Reference Appendix 28 - Business Continuity Committee Title Constitution Authority Membership Agenda and minutes Attendance at meetings Frequency of meetings Responsibilities Reporting procedures Review of Terms of Reference Appendix 29 - Environment Committee Title Constitution Authority Membership Agenda and minutes Attendance at meetings Frequency of meetings Responsibilities Reporting procedures Review of Terms of Reference Appendix 30 - Health and Safety Committee Title Constitution Authority Membership Agenda and minutes Attendance at meetings Frequency of meetings Responsibilities Reporting procedures Review of Terms of Reference Appendix 31 - Information Security Committee Title Constitution Authority Membership Agenda and minutes Attendance at meetings Frequency of meetings Responsibilities Reporting procedures Review of Terms of Reference Appendix 32 - Quality Committee Title Constitution Authority Membership Agenda and minutes Attendance at meetings Frequency of meetings Responsibilities Reporting procedures Review of Terms of Reference Appendix 33 - Risk Committee Title Constitution Authority Membership Agenda and minutes Attendance at meetings Frequency of meetings Responsibilities Reporting procedures Review of Terms of Reference Appendix 34 - Service Delivery Committee Title Constitution Authority Membership Agenda and minutes Attendance at meetings Frequency of meetings Responsibilities Reporting procedures Review of Terms of Reference Appendix 35 - Whistle Blowing Policy Appendix 36 - Management Review Agenda Appendix 37 - Document control checklist Digital Forensics Procedures Appendix 38 - Document metadata Header Classification Logo Subject Document Details Table Title Subject Synopsis Author(s) Keywords Issue 
Release Date File Name Status Deliverability Page Count Signature Proposal Wording Footer Copyright Copy Number Page Number Classification Second and subsequent pages Appendix 39 - File-naming standards Documents and records Draft documents Issued documents The IMS Appendix 40 - Watermarks in use in the Forensic Laboratory Appendix 41 - Document review form Appendix 42 - IMS calendar Appendix 43 - Audit Plan Letter Objectives of the audit Scope of the audit Audit schedule Audit report Appendix 44 - Audit reporting form Appendix 45 - CAR/PAR form Appendix 46 - Opening meeting agenda Appendix 47 - Closing meeting agenda Appendix 48 - Audit report template Appendix 49 - Root Causes for Non-Conformity Chapter 5: Risk Management 5.1. A Short History of Risk Management 5.2. An Information Security Risk Management Framework 5.2.1. Some Definitions 5.2.2. Overview 5.2.3. Critical Success Factors 5.2.4. Information Security Risk Components 5.2.4.1. The Components 5.2.4.2. Relationship Between the Components 5.3. Framework Stage 1-ISMS Policy 5.3.1. Overview 5.3.2. Establish the Context and Scope 5.3.2.1. External Context 5.3.2.2. Internal Context 5.3.2.3. Establish the Scope 5.3.2.4. Risk Evaluation Criteria 5.3.3. ISMS Policy Content and Format 5.3.3.1. Statement of Executive Intent 5.3.3.2. Responsibilities and Accountabilities 5.3.3.3. General Direction 5.3.3.4. Policy Review and Ownership 5.3.4. Information Security Policy Communication 5.4. Framework Stage 2: Planning, Resourcing, and Communication 5.4.1. Management Commitment 5.4.2. Planning 5.4.3. Responsibility and Authority 5.4.3.1. Cross-Functional Fora 5.4.3.2. Information Security Manager 5.4.3.3. Information Security Management Team 5.4.3.4. Resource Owners 5.4.3.5. Custodians 5.4.3.6. Information Users 5.4.4. Resourcing 5.4.5. Communications and Consultation 5.4.5.1. Communications 5.4.5.2. Consultation 5.5. Framework Stage 3: Information Security Risk Management Process 5.5.1. Overview 5.5.2. 
Benefits to the Organization of Risk Management 5.5.3. Principles for Managing Risks 5.5.4. A Generic Approach to Risk Management 5.5.5. Step 1: Communication and Consultation 5.5.5.1. Overview 5.5.5.2. Defining Communication and Consultation 5.5.5.3. The Importance of Communication and Consultation 5.5.5.4. Developing Trust 5.5.5.5. Developing a Process of Risk Communication and Consultation 5.5.5.5.1. Stakeholder Identification 5.5.5.5.2. The Risk Communication and Consultation Plan 5.5.6. Step 2: Define the Approach to Risk Assessment 5.5.6.1. Establish the Strategic Context 5.5.6.2. Establish the Organizational Context 5.5.6.3. Establish the Risk Management Context 5.5.6.4. Develop Risk Evaluation Criteria 5.5.6.5. Define the Information Assets 5.5.6.6. Information Classification and Labeling 5.5.6.7. Outputs 5.5.7. Step 3: Undertake a Risk Assessment 5.5.7.1. Risk Identification 5.5.7.2. Risk Analysis 5.5.7.3. Recommended Approach 5.5.7.3.1. High-level risk analysis 5.5.7.3.2. Inter-dependencies 5.5.7.3.3. Detailed risk analysis 5.5.7.4. Risk Evaluation 5.5.7.5. Outputs 5.5.8. Step 4: Manage the Risk 5.5.8.1. Managing the Risk 5.5.8.2. Outputs 5.5.9. Step 5: Select Controls 5.5.9.1. Risk Appetite 5.5.9.2. Baseline Approach 5.5.9.3. Factors Influencing Control Selection 5.5.9.4. Some Constraints Affecting Control Selection 5.5.9.5. Outputs 5.5.10. Step 6: Prepare Statement of Applicability 5.5.11. Step 7: Management Approval 5.5.12. Records and Documentation 5.6. Framework Stage 4: Implementation and Operational Procedures 5.6.1. Implementation of the Risk Treatment Plan 5.6.2. Implementation of Controls 5.6.3. Training 5.7. Framework Stage 5: Follow-up Procedures 5.7.1. Follow-Up 5.7.1.1. Compliance Checking 5.7.1.2. Configuration Management 5.7.1.3. Information Security Incident Handling 5.7.1.4. Maintenance 5.7.1.5. 
Monitoring Appendix 1 - Sample Communication Plan Appendix 2 - Sample Information Security Plan Describe the Asset Information Security Requirements Risk Assessment Methodology Review of Security Controls Threats and Vulnerabilities Value of Assets Level of Protection Required Acceptable Level of Risk Organizational and Management Controls Appendix 3 - Asset Type Examples Appendix 4 - Asset Values Appendix 5 - Consequences Table Appendix 6 - Some Common Business Risks Appendix 7 - Some Common Project Risks Appendix 8 - Security Threat Examples Appendix 9 - Common Security Vulnerabilities Communications Documents Environment and Infrastructure Generally Applying Vulnerabilities Hardware Human Resources Software and System Management Appendix 10 - Risk Management Policy Appendix 11 - The IMS and ISMS Scope Document General Overview of the Forensic Laboratory Organization Location Assets Technology Hardware Computers Network Equipment Servers Printers Other Peripherals Operating Systems Desktop Server Network Operating System Desktop Applications Diagrams Exclusions (ISO 9001) Scope Statement Appendix 12 - Criticality Ratings Appendix 13 - Likelihood of Occurrence Five-Level Likelihood Table Ten-level Likelihood Table Appendix 14 - Risk Appetite Appendix 15 - Security controls from CobIT and NIST 800-53 CobIT Controls Planning and Organization Acquisition and Implementation Delivery and Support Monitoring NIST SP 800-53 Appendix 16 - Information Classification Public Internal Use Only Confidential Strictly Confidential Appendix 17 - The Corporate Risk Register Appendix 18 - Comparison Between Qualitative and Quantitative Methods Appendix 19 - Mapping Control Functions to ISO 27001 Appendix 20 - Mapping Security Concerns to ISO 27001 Appendix 21 - SoA Template Mandatory SoA Annex A Controls not in Annex A Appendix 22 - The Forensic Laboratory's Security Metrics report Appendix 23 - Mapping ISO 31000 and ISO 27001 to IMS Procedures Chapter 6: Quality in the Forensic 
Laboratory 6.1. Quality and Good Laboratory Practice 6.2. Management Requirements for Operating the Forensic Laboratory 6.2.1. Forensic Laboratory Organization 6.2.1.1. Legal Status 6.2.1.2. Ownership 6.2.1.3. Organization 6.2.1.4. Job Descriptions 6.2.1.5. Authorities and Responsibilities 6.2.1.6. Impartiality and Independence 6.2.1.7. Finances 6.2.1.8. Insurance 6.2.1.9. Accreditation and Certification 6.2.2. Operations 6.2.2.1. Business Planning Within the Forensic Laboratory 6.2.2.2. Managing the Forensic Laboratory 6.2.2.3. Service to Clients 6.2.2.4. Management System (The IMS) 6.2.2.5. Applicability of the IMS 6.2.2.6. Confidentiality of Information 6.3. ISO 9001 for the Forensic Laboratory 6.3.1. Goal 6.3.2. Quality Policy 6.3.3. Quality Policy Statements 6.3.4. Scope of the Quality Management System 6.3.5. Using a Client's QMS 6.3.6. Benefits to the Forensic Laboratory of ISO 9001 Certification 6.4. The Forensic Laboratory's QMS 6.5. Responsibilities in the QMS 6.6. Managing Sales 6.6.1. Handling a Sales Enquiry 6.6.2. A New Client 6.6.2.1. Attending an Initial Meeting for a New Client 6.6.2.2. Setting up a Client Virtual File 6.6.2.3. The Proposal Creation Life Cycle 6.6.2.3.1. Planning for the Information Gathering Meeting 6.6.2.3.2. Attending an Information Gathering Meeting 6.6.2.3.3. Writing the First Draft of the Proposal 6.6.2.3.4. Internally Reviewing the Proposal 6.6.2.3.5. Issuing the Proposal 6.6.2.4. The Proposal Review Life Cycle 6.6.2.4.1. Planning the Review 6.6.2.4.2. Reviewing the Proposal with the Client 6.6.2.4.3. Approving the Case 6.6.2.4.4. Following up the Review 6.6.3. An Existing Client 6.7. Product and Service Realization 6.7.1. Planning of Product Realization 6.7.2. Client-Related Processes 6.7.3. Design and Development 6.7.4. Purchasing 6.7.5. Product and Service Provision 6.8. Reviewing Deliverables 6.8.1. Reviewing the Document Internally 6.8.2. Implementing Edits Internally 6.8.3. Issuing the Document 6.8.4. 
Reviewing the Document with the Client 6.8.5. Following up the Review 6.9. Signing off a Case 6.10. Archiving a Case 6.11. Maintaining Client Confidentiality 6.12. Technical Requirements for the Forensic Laboratory 6.12.1. General 6.12.2. Benefits of ISO 17025 6.12.3. The Laboratory Manager 6.12.4. Key Questions ISO 17025 Answers 6.12.5. Technical Qualifications 6.12.6. Accommodation and Environmental Conditions 6.12.6.1. Accommodation 6.12.6.2. Environment 6.12.6.3. Health and Safety 6.12.6.4. Off-Site Issues 6.12.6.5. Other Issues 6.12.7. Test Methods and Validation 6.12.8. Equipment 6.12.9. Measurement Traceability 6.12.10. Administration of Forensic Case Work and Sampling 6.12.11. Assuring Technical Quality of Products and Services 6.12.12. Case Processing Reports 6.13. Measurement, Analysis, and Improvement 6.13.1. Monitoring and Measurement 6.13.2. Control of Non-conforming Product 6.13.3. Case Processing Audits 6.13.4. Analysis of Data 6.13.5. Improvement 6.14. Managing Client Complaints 6.14.1. Responsibilities for Managing Client Complaints 6.14.1.1. Laboratory Manager 6.14.1.2. Service Desk 6.14.1.3. 
Client Complaint Process Appendix 1 - Mapping ISO 9001 to IMS Procedures Appendix 2 - Mapping ISO 17025 to IMS Procedures Appendix 3 - Mapping SWGDE Quality Requirements to IMS Procedures Appendix 4 - Mapping NIST-150 Quality Requirements to IMS Procedures Appendix 5 - Mapping ENFSI Quality Requirements to IMS Procedures Appendix 6 - Mapping FSR Quality Requirements to IMS Procedures Appendix 7 - Quality Manager, Job Description Objective and Role Problems and Challenges Principal Accountabilities Authority Contacts Internal External Reports to Appendix 8 - Business Plan Template Executive Summary Description of the Forensic Laboratory's Business Situational Audit (Current Situation) Aims and Objectives (Target Situation) Strategy and Tactics (How to Get There) Marketing Plan Operations Plan Management, Staffing, and Organization Financial Plan Appendix 9 - Business KPIs Appendix 10 - Quality Plan Contents Appendix 11 - Induction Checklist Contents Prior to Employee Starting On the First Day Company and Role Details Introduction to the Forensic Laboratory Role Details General Information Capture Personal Details Work Details Bank Details Next of Kin Details Comments Employee Number and Identity Documentation Received Issued Training General Training Management System Training Appendix 12 - Induction Feedback Appendix 13 - Standard Proposal Template Appendix 14 - Issues to Consider for Case Processing Appendix 15 - Standard Quotation Contents Appendix 16 - Standard terms and conditions Appendix 17 - ERMS Client Areas Appendix 18 - Cost Estimation Spreadsheet Case Start Up Case Processing Maintaining Cases After Processing has Finished Appendix 19 - Draft Review Form Appendix 20 - Client Sign-off and Feedback Form Case Details Feedback Case Result Sign-Off Appendix 21 - Information Required for Registering a Complaint Appendix 22 - Complaint Resolution Timescales Appendix 23 - Complaint Metrics Appendix 24 - Laboratory Manager, Job Description Objective and Role 
Problems and Challenges Principal Accountabilities Authority Contacts Internal External Reports to Appendix 25 - Forensic Analyst, Job Description Objective and Role Problems and Challenges Principal Accountabilities Authority Contacts Internal External Reports to Appendix 26 - Training Agenda Digital Evidence Recovery Staff Network investigators Appendix 27 - Some Individual Forensic Certifications Appendix 28 - Minimum Equipment Records Required by ISO 17025 Appendix 29 - Reference Case Tests Appendix 30 - ISO 17025 Reporting Requirements Appendix 31 - Standard Forensic Laboratory Report Chapter 7: IT Infrastructure 7.1. Hardware 7.1.1. Accommodation 7.1.2. Servers 7.1.3. Desktop Workstations 7.1.4. Mobile Devices 7.1.5. Business Peripherals 7.1.6. Forensic Servers 7.1.7. Desktop Forensic Workstations 7.1.8. Mobile Forensic Workstations 7.1.9. Building Forensic Workstations 7.1.10. Dedicated Forensic Hardware 7.1.11. Forensic Peripherals 7.2. Software 7.2.1. Operating Systems 7.2.2. Desktop Applications 7.2.3. COTS Forensic Tools 7.2.4. VM Ware 7.2.5. Open Source Tools 7.2.6. Updates 7.2.7. Upgrades 7.3. Infrastructure 7.3.1. Equipment 7.3.2. Securing of Cabling 7.3.2.1. Procedure for Siting and Protecting IT Cabling 7.3.3. Isolating Sensitive Systems 7.3.4. Siting and Protecting IT Equipment 7.3.4.1. Procedure for Siting and Protecting IT Equipment 7.3.5. Securing Supporting Utilities 7.4. Process management 7.4.1. Incident Management 7.4.1.1. Role of the Service Desk 7.4.1.2. Classification of Incidents and Resolution Times 7.4.1.3. Incident Management Responsibilities 7.4.1.3.1. Service Desk 7.4.1.3.2. Service Desk Manager 7.4.1.3.3. Management System Manager(s) 7.4.1.3.4. IT Department 7.4.1.3.5. Other Specialist Employees 7.4.1.3.6. Employees 7.4.1.3.7. Clients 7.4.1.4. Incident Management Procedures 7.4.1.4.1. Receiving and Categorizing an Incident 7.4.1.4.2. Investigating an Incident 7.4.1.4.3. Resolving an Incident 7.4.1.4.4. Closing an Incident 7.4.1.5. 
Critical Incident Management 7.4.1.6. Reviewing Incidents 7.4.1.7. Evidence Collection 7.4.2. Problem Management 7.4.2.1. Responsibilities 7.4.2.1.1. Problem Manager 7.4.2.1.2. Service Desk 7.4.2.1.3. IT Department 7.4.2.2. Recording and Classifying a Problem 7.4.2.3. Investigating and Diagnosing a Problem 7.4.2.4. Resolving a Problem 7.4.2.5. Closing a Problem 7.4.2.6. Reviewing Problems 7.4.3. Change Management 7.4.3.1. General 7.4.3.2. Types of Change 7.4.3.3. Change Status 7.4.3.4. Change Management Responsibilities 7.4.3.4.1. Change Manager 7.4.3.4.2. Requestor 7.4.3.4.3. Change Advisory Board 7.4.3.4.4. The IT Department 7.4.3.5. Managing a Standard Change 7.4.3.6. Managing a Normal Change 7.4.3.7. Managing an Emergency Change 7.4.3.7.1. Managing an Emergency Change 7.4.3.8. Managing Changes to Third Party Services 7.4.3.9. Managing Changes to Forensic Workstations 7.4.3.10. Outsource Providers 7.4.4. Release Management 7.4.4.1. Roles and Responsibilities 7.4.4.1.1. Release Manager 7.4.4.1.2. Release Team 7.4.4.1.3. Users 7.4.4.2. Managing a Release 7.4.5. Configuration Management 7.4.5.1. Configuration Management and Information Security 7.4.5.1.1. Information Assets 7.4.5.1.2. Software Assets 7.4.5.1.3. Physical Assets 7.4.5.1.4. Services 7.4.5.2. Roles and Responsibilities 7.4.5.2.1. Resource Owner 7.4.5.2.2. Custodian 7.4.5.2.3. Configuration Manager 7.4.5.2.4. Configuration Librarian 7.4.5.3. Producing a Configuration Management Plan 7.4.5.4. Implementing Configuration Management 7.4.5.5. Maintaining Configuration Items 7.4.5.5.1. Adding a New Configuration Item 7.4.5.5.2. Changing a Configuration Item 7.4.5.5.3. Deleting a Configuration Item 7.4.5.6. Maintaining the Definitive Libraries 7.4.5.7. Auditing Configuration Items 7.4.5.8. Producing Configuration Reports 7.4.6. Capacity Management 7.4.6.1. Roles and Responsibilities 7.4.6.1.1. Capacity Manager 7.4.6.1.2. IT Manager 7.4.6.2. Scope of Capacity Planning 7.4.6.3. 
Monitoring System Capacity 7.4.6.4. Reviewing System Capacity 7.4.7. Service Management 7.4.7.1. Planning for Service Management 7.4.7.2. Implementing Service Management 7.4.7.3. Monitoring and Reviewing Service Management 7.4.8. Managing Service Improvement 7.4.8.1. Planning and Implementing Service Improvements 7.4.9. Service Reporting 7.4.9.1. Producing Service Reports 7.4.10. Managing Logs 7.4.10.1. Roles and Responsibilities 7.4.10.1.1. Information Security Manager 7.4.10.1.2. Asset Owners 7.4.10.1.3. IT Department 7.4.10.2. Audit, Operator, and Administrator Logging Guidelines 7.4.10.3. Checking Operator and Administrator Logs Procedure 7.4.10.4. Reviewing Event Logs 7.4.10.5. Protection of Log Information 7.4.10.6. Managing Fault Logs 7.4.10.6.1. Guidelines for Fault Logging 7.4.10.6.2. Resolving Faults 7.4.10.6.3. Reviewing Faults 7.4.10.6.4. Checking Fault Logs 7.5. Hardware Management 7.5.1. Maintaining IT Equipment 7.5.1.1. Maintaining and Servicing IT Equipment 7.5.2. Managing Voice Communications 7.5.2.1. Guidelines for Voice Communications 7.5.2.2. Reviewing Voice Communications Security 7.5.2.3. Voice Recording System 7.5.2.4. Voice Recording System Guidelines 7.5.2.5. Procedures for Retrieving Calls 7.5.3. Managing the Video Surveillance System 7.5.3.1. Roles and Responsibilities 7.5.3.1.1. Information Security Manager 7.5.3.1.2. IT Department 7.5.3.2. Video Surveillance System Guidelines 7.5.3.3. Procedures for Retrieving Video Recordings 7.5.4. Equipment Maintenance 7.5.5. Tool Validation 7.5.5.1. Requirements 7.5.5.2. Benefits of Independent Validation and Testing 7.5.5.3. Tool Testing and Validation in the Forensic Laboratory 7.5.5.4. Roles and Responsibilities 7.5.5.4.1. Laboratory Manager 7.5.5.4.2. Forensic Analyst 7.5.5.5. Planning for Validation and Testing 7.5.5.6. Testing and Validating Procedure 7.5.5.7. Review, Retesting, and Revalidating 7.6. Software Management 7.6.1. Controlling Malicious Software 7.6.1.1. 
An Overview of Malicious Software Control 7.6.1.2. Roles and Responsibilities 7.6.1.2.1. Service Desk 7.6.1.2.2. IT Department 7.6.1.2.3. IT Manager 7.6.1.3. Maintaining Malware Protection 7.6.1.4. Handling a Malware Outbreak 7.6.1.5. Processing Bounced E-mails 7.6.1.6. Maintaining Blacklists and Graylists 7.6.1.7. Information Leakage 7.6.2. Control of Technical Vulnerabilities 7.6.2.1. Roles and Responsibilities 7.6.2.1.1. IT Department 7.6.2.1.2. Information Security Manager 7.6.2.2. Evaluation of Assets at Risk 7.6.2.3. Vulnerability Management Process 7.6.3. Implementing Software Patches and Updates 7.6.3.1. An Overview of Software Patches and Updates 7.6.3.2. Roles and Responsibilities 7.6.3.2.1. IT Department 7.6.3.2.2. IT Manager 7.6.3.3. Implementing Patches and Updates on Servers 7.6.3.4. Implementing Patches and Updates on Workstations, PCs, and Laptops 7.7. Network Management 7.7.1. Managing Network Security 7.7.1.1. Guidelines for Network Management 7.7.1.2. Network Design 7.7.1.3. Network Resilience 7.7.1.4. Network Documentation 7.7.1.5. Traffic Management and Control 7.7.1.6. Device Configuration 7.7.1.7. Traffic Filtering 7.7.1.8. Monitoring the Network 7.7.1.9. Reviewing and Assessing Network Security 7.7.2. Controlling Network Access 7.7.2.1. Segregation in Networks 7.7.2.2. Network Connection Control 7.7.2.3. Network Routing Control 7.7.2.4. Reviewing and Assessing Network Access Controls 7.7.3. Remote Connections 7.7.3.1. Guidelines for Remote Connections 7.7.3.2. Managing Remote Connections 7.7.3.3. Managing Third Party Remote Access 7.7.3.3.1. Roles and Responsibilities 7.7.3.3.1.1. Service Desk 7.7.3.3.1.2. IT Manager Information Security Manager 7.7.3.3.1.3. Granting Remote Access 7.7.3.4. Reviewing and Revoking Remote Access 7.7.4. Managing Backups 7.7.4.1. An Overview of Backups 7.7.4.2. Roles and Responsibilities 7.7.4.2.1. IT Manager 7.7.4.2.2. Information Owners 7.7.4.3. Checking Daily Backups 7.7.4.4. 
Performing Restores from a Backup 7.7.4.6. Disposing of Damaged Backup Media 7.7.4.6. Tape Cleaning and Retensioning 7.7.5. Synchronizing System Clocks Appendix 1 - Some Forensic Workstation Providers Appendix 2 - Some Mobile Forensic Workstation Providers Appendix 3 - Standard Build for a Forensic Workstation Appendix 4 - Some Case Processing Tools Appendix 5 - Policy for Securing IT Cabling Appendix 6 - Policy for Siting and Protecting IT Equipment Appendix 7 - ISO 20000-1 Mapping Appendix 8 - Service Desk Manager, Job Description Objective and Role Problems and Challenges Principal Accountabilities Authority Contacts Internal External Reports to Appendix 9 - Incident Manager, Job Description Objective and Role Problems and Challenges Principal Accountabilities Authority Contacts Internal External Reports to Appendix 10 - Incident Status Levels Appendix 11 - Incident Priority Levels Appendix 12 - Service Desk Feedback Form Appendix 13 - Problem Manager, Job Description Objective and Role Problems and Challenges Principal Accountabilities Authority Contacts Internal External Reports to Appendix 14 - Contents of the Forensic Laboratory SIP Appendix 15 - Change Categories Appendix 16 - Change Manager, Job Description Objective and Role Problems and Challenges Principal Accountabilities Authority Contacts Internal Contacts External Contacts Reports to Appendix 17 - Standard Requirements of a Request for Change Appendix 18 - Emergency Change Policy Appendix 19 - Release Management Policy Appendix 20 - Release Manager, Job Description Objective and Role Problems and Challenges Principal Accountabilities Authority Contacts Internal External Reports to Appendix 21 - Configuration Management Plan Contents Appendix 22 - Configuration Management Policy Appendix 23 - Configuration Manager, Job Description Objective and Role Problems and Challenges Principal Accountabilities Authority Contacts Internal Contacts External Contacts Reports to Appendix 24 - Information Stored in 
the DSL and DHL Definitive Hardware Library Definitive Software Library Appendix 25 - Capacity Manager, Job Description Objective and Role Problems and Challenges Principal Accountabilities Authority Contacts Internal Contacts External Contacts Reports to Appendix 26 - Capacity Management Plan Appendix 27 - Service Management Policy Appendix 28 - Service Level Manager, Job Description Objective and Role Problems and Challenges Principal Accountabilities Authority Contacts Internal External Reports to Appendix 29 - Service Reporting Policy Appendix 30 - Policy for Maintaining and Servicing IT Equipment Appendix 31 - ISO 17025 Tool Test Method Documentation Appendix 32 - Standard Forensic Tool Tests Appendix 33 - Forensic Tool Test Report Template Appendix 34 - Overnight Backup Checklist Chapter 8. Incident Response 8.1. General 8.1.1. Overview 8.1.2. Legislative Considerations 8.1.3. Work Standards 8.1.4. Health and Safety Issues 8.1.5. Competence 8.1.6. Consent 8.2. Evidence 8.3. Incident Response as a Process 8.4. Initial Contact 8.5. Types of First Response 8.5.1. First Response for System Administrators 8.5.2. First Response by Client Management 8.5.3. Forensic Laboratory First Responder Team 8.5.4. Planning the Next Steps 8.6. The Incident Scene 8.6.1. Forensic Laboratory First Response Team Taking Over an Incident Scene 8.6.2. Physical Security of the Scene 8.6.3. Health and Safety at the Scene 8.6.4. The Chain of Custody 8.6.5. Searches and Recovery 8.6.6. Photographing the Scene 8.6.7. Sketching the Scene 8.6.8. Initial Interviews 8.6.9. Evidence Collection 8.6.10. Exhibit Numbering 8.6.11. What to Take? 8.6.11.1. Mainframes, Minis, and Servers 8.6.11.1.1. Description 8.6.11.1.2. Primary Use 8.6.11.1.3. Potential Evidence Obtainable 8.6.11.1.4. Possible Issues with the Evidence 8.6.11.1.5. Process of Seizing the Evidence 8.6.11.2. Desktop Computers 8.6.11.2.1. Description 8.6.11.2.2. Primary Use 8.6.11.2.3. Potential Evidence Obtainable 8.6.11.2.4. 
Possible Issues with the Evidence 8.6.11.2.5. Process of Seizing the Evidence 8.6.11.3. Laptop Computers and Tablet Computers 8.6.11.3.1. Description 8.6.11.3.2. Primary Use 8.6.11.3.3. Potential Evidence Obtainable 8.6.11.3.4. Possible Issues with the Evidence 8.6.11.3.4. Process of Seizing the Evidence 8.6.11.4. Monitors 8.6.11.4.1. Description 8.6.11.4.2. Primary Use 8.6.11.4.3. Potential Evidence Obtainable 8.6.11.4.4. Possible Issues with the Evidence 8.6.11.4.5. Process of Seizing the Evidence 8.6.11.5. Keyboards 8.6.11.5.1. Description 8.6.11.5.2. Primary Use 8.6.11.5.3. Potential Evidence Obtainable 8.6.11.5.4. Possible Issues with the Evidence 8.6.11.5.5. Process of Seizing the Evidence 8.6.11.6. Pointing Devices (Mouse, Light pen, etc.) 8.6.11.6.1. Description 8.6.11.6.2. Potential Evidence Obtainable 8.6.11.6.3. Possible Issues with the Evidence 8.6.11.6.4. Process of Seizing the Evidence 8.6.11.7. External Drives 8.6.11.7.1. Description 8.6.11.7.2. Primary Use 8.6.11.7.3. Potential Evidence Obtainable 8.6.11.7.4. Possible Issues with the Evidence 8.6.11.7.5. Process of Seizing the Evidence 8.6.11.8. Printers 8.6.11.8.1. Description 8.6.11.8.2. Primary Use 8.6.11.8.3. Potential Evidence Obtainable 8.6.11.8.4. Possible Issues with the Evidence 8.6.11.8.5. Process of Seizing the Evidence 8.6.11.9. Scanners 8.6.11.9.1. Description 8.6.11.9.2. Primary Use 8.6.11.9.3. Potential Evidence Obtainable 8.6.11.9.4. Possible Issues with the Evidence 8.6.11.9.5. Process of Seizing the Evidence 8.6.11.10. Fax Machines 8.6.11.10.1. Description 8.6.11.10.2. Primary Use 8.6.11.10.3. Potential Evidence Obtainable 8.6.11.10.4. Possible Issues with the Evidence 8.6.11.10.5. Process of Seizing the Evidence 8.6.11.11. Copiers 8.6.11.11.1. Description 8.6.11.11.2. Primary Use 8.6.11.11.3. Potential Evidence Obtainable 8.6.11.11.4. Possible Issues with the Evidence 8.6.11.11.5. Process of Seizing the Evidence 8.6.11.12. Multifunction Devices 8.6.11.12.1. 
Description 8.6.11.12.2. Primary Use 8.6.11.12.3. Potential Evidence Obtainable 8.6.11.12.4. Possible Issues with the Evidence 8.6.11.12.5. Process of Seizing the Evidence 8.6.11.13. Access Control Devices 8.6.11.13.1. Description 8.6.11.13.2. Primary Use 8.6.11.13.3. Potential Evidence Obtainable 8.6.11.13.4. Possible Issues with the Evidence 8.6.11.13.5. Process of Seizing the Evidence 8.6.11.14. Photographic Recording Devices 8.6.11.14.1. Description 8.6.11.14.2. Primary Use 8.6.11.14.3. Potential Evidence Obtainable 8.6.11.14.4. Possible Issues with the Evidence 8.6.11.14.5. Process of Seizing the Evidence 8.6.11.15. Closed-Circuit Television 8.6.11.15.1. Description 8.6.11.15.2. Primary Use 8.6.11.15.3. Potential Evidence Obtainable 8.6.11.15.4. Possible Issues with the Evidence 8.6.11.15.5. Process of Seizing the Evidence 8.6.11.16. Removable Media 8.6.11.16.1. Description 8.6.11.16.2. Primary Use 8.6.11.16.3. Potential Evidence Obtainable 8.6.11.16.4. Possible Issues with the Evidence 8.6.11.16.5. Process of Seizing the Evidence 8.6.11.17. Network Management Devices 8.6.11.17.1. Description 8.6.11.17.2. Primary Use 8.6.11.17.3. Potential Evidence Obtainable 8.6.11.17.4. Possible Issues with the Evidence 8.6.11.17.5. Process of Seizing the Evidence 8.6.11.18. Cabling 8.6.11.18.1. Description 8.6.11.18.2. Primary Use 8.6.11.18.3. Potential Evidence Obtainable 8.6.11.18.4. Possible Issues with the Evidence 8.6.11.18.5. Process of Seizing the Evidence 8.6.11.19. Telephones 8.6.11.19.1. Description 8.6.11.19.2. Primary Use 8.6.11.19.3. Potential Evidence Obtainable 8.6.11.19.4. Possible Issues with the Evidence 8.6.11.19.5. Process of Seizing the Evidence 8.6.11.20. Pagers 8.6.11.20.1. Description 8.6.11.20.2. Primary Use 8.6.11.20.3. Potential Evidence Obtainable 8.6.11.20.4. Possible Issues with the Evidence 8.6.11.20.5. Process of Seizing the Evidence 8.6.11.21. PDAs 8.6.11.21.1. Description 8.6.11.21.2. Primary Use 8.6.11.21.3. 
Potential Evidence Obtainable 8.6.11.21.4. Possible Issues with the Evidence 8.6.11.21.5. Process of Seizing the Evidence 8.6.11.22. Global Positioning Systems 8.6.11.22.1. Description 8.6.11.22.2. Primary Use 8.6.11.22.3. Potential Evidence Obtainable 8.6.11.22.4. Possible Issues with the Evidence 8.6.11.22.5. Process of Seizing the Evidence 8.6.11.23. Audio Devices 8.6.11.23.1. Description 8.6.11.23.2. Primary Use 8.6.11.23.3. Potential Evidence Obtainable 8.6.11.23.4. Possible Issues with the Evidence 8.6.11.23.5. Process of Seizing the Evidence 8.6.11.24. Other Devices 8.6.11.24.1. Description 8.6.11.24.2. Primary Use 8.6.11.24.3. Potential Evidence Obtainable 8.6.11.24.4. Possible Issues with the Evidence 8.6.11.24.5. Process of Seizing the Evidence 8.6.11.25. Seizing Paperwork 8.6.11.25.1. Description 8.6.11.25.2. Primary Use 8.6.11.25.3. Potential Evidence Obtainable 8.6.11.25.4. Possible Issues with the Evidence 8.6.11.25.5. Process of Seizing the Evidence 8.6.12. Interviews 8.6.13. Evidence Bags 8.6.14. Faraday Bags and Boxes 8.6.15. Seizure Records 8.6.15.1. Personal Notebooks 8.6.15.2. Evidence Bag Contents List 8.6.15.3. Seizure Records 8.6.15.4. Witness Signatures 8.6.15.5. Evidence Bags and Tags 8.6.16. Forensic Previewing 8.6.17. On-Site Imaging 8.6.17.1. Performing Imaging on-Site with Dedicated Hardware 8.6.17.2. Performing Imaging on-Site with a Traveling Laboratory 8.6.18. Direct Data Access and Live Acquisition 8.6.18.1. The Need for Live Acquisition 8.6.18.2. The Order of Volatility 8.6.18.3. Procedure for Live Capture 8.6.19. Secondary Search of Scene 8.6.20. Release of Scene 8.7. Transportation to the Forensic Laboratory 8.7.1. Minimum Handling of Exhibits 8.7.2. Packing 8.7.3. Transport 8.7.4. Movement Records 8.8. Crime Scene and Seizure Reports 8.9. 
Postincident Review Appendix 1 - Mapping ISO 17020 to IMS Procedures Appendix 2 - First Response Briefing Agenda Appendix 3 - Contents of the Grab Bag Essential kit Search kit Imaging kit Package and Transport Supplies Appendix 4 - New Case Form Appendix 5 - First Responder Seizure Summary Log Appendix 6 - Site Summary Form Appendix 7 - Seizure Log Case Details Details of Evidence Seized Appendix 8 - Evidence Locations in Devices and Media Computer Files User-Created Files User-Protected Files Computer-Created Files Other Data Areas Other Devices Appendix 9 - Types of Evidence Typically Needed for a Case Appendix 10 - The On/Off Rule General The Issues If Unable to Determine Power State If Unsure of Activity Status Options Information Processing Equipment Powered off on Arrival Information Processing Equipment Powered on on Arrival Pulling the Plug Live Systems Appendix 11 - Some Types of Metadata That may be Recoverable from Digital Images Appendix 12 - Countries with Different Fixed Line Telephone Connections Appendix 13 - Some Interview Questions The Individual System Administrators and Management Basic Information Network Information Storing Information Other Peripherals Internet Access E-Mail Messaging and Chatting Other Appendix 14 - Evidence Labeling Appendix 15 - Forensic Preview Forms Appendix 16 - A Traveling Forensic Laboratory Laptop Software Appendix 17 - Movement Sheet Appendix 18 - Incident Response Report Appendix 19 - Postincident Review Agenda Appendix 20 - Incident Processing Checklist Chapter 9: Case Processing 9.1. Introduction to Case Processing 9.1.1. General 9.1.2. Case Processing Overview 9.1.3. Contractual Requirements 9.1.4. Work Standards 9.1.5. Good Digital Evidence Principles 9.1.6. Health and Safety Issues 9.1.7. Laboratory Accreditation and Certification 9.1.8. Caveat 9.2. Case types 9.2.1. Inappropriate use 9.2.1.1. Containment 9.2.1.2. Gathering Evidence 9.2.1.3. Follow up 9.2.1.4. Post Incident Review 9.2.2. 
Unauthorized Access 9.2.2.1. Examples 9.2.2.2. Containment 9.2.2.3. Gathering Evidence 9.2.2.4. Recovery 9.2.2.5. Post Incident Review 9.2.3. Malware Attack 9.2.3.1. Examples 9.2.3.2. Containment 9.2.3.3. Gathering Evidence 9.2.3.4. Recovery 9.2.3.5. Post Incident Review 9.2.4. Denial of Service Attack 9.2.4.1. Examples 9.2.4.2. Containment 9.2.4.3. Gathering Evidence 9.2.4.4. Recovery 9.2.4.5. Post Incident Review 9.2.5. Multiple Incidents 9.3. Precase Processing 9.3.1. Use of Digital Media in Forensic Cases 9.3.1.1. Hard Disks 9.3.1.1.1. Wiping disks prior to use 9.3.1.1.2. Issuing a disk for use 9.3.1.1.3. Disk labeling 9.3.1.1.4. Disks and caddies 9.3.1.1.5. Transfer of disks 9.3.1.1.6. Disk reuse 9.3.1.1.7. Forensics disk disposal 9.3.1.2. Tapes 9.3.1.2.1. Wiping tapes prior to use 9.3.1.2.2. Issuing a tape 9.3.1.2.3. Tape labeling 9.3.1.2.4. Transfer of tapes 9.3.1.2.5. Tape reuse 9.3.1.2.6. Tape disposal 9.3.1.3. Other Digital Media 9.3.1.3.1. Wiping small digital media prior to use 9.3.1.3.2. Issuing small digital media 9.3.1.3.3. Small digital media labeling 9.3.1.3.4. Transfer of small digital media 9.3.1.3.5. Small digital media reuse 9.3.1.3.6. Small digital media disposal 9.4. Equipment Maintenance 9.4.1. Hard Disk Drives 9.4.2. Tapes 9.4.3. Small Digital Media 9.4.4. Software 9.4.5. Spares 9.4.6. Validating Forensic Tools 9.4.7. Forensic Workstation anti-contamination Procedures 9.4.8. Hash Sets 9.4.9. Asset Register 9.4.10. Previous Versions 9.5. Management Processes 9.5.1. Authorities 9.5.2. Liaison with Law Enforcement 9.5.3. Other External Bodies 9.5.4. Service Levels, Priorities, and Turn Round Times 9.5.4.1. Service Level Agreements 9.5.4.2. Priorities 9.5.4.3. Changing Priorities and TRTs 9.5.5. Case Monitoring 9.5.6. Audit 9.5.7. Outsourcing 9.5.8. Performance Monitoring 9.5.9. Tool Selection 9.6. Booking Exhibits in and out of the Secure Property Store 9.6.1. Booking in Exhibits 9.6.2. Booking out Exhibits 9.6.3. Returning an Exhibit 9.7. 
Starting a new Case 9.7.1. Case Numbering 9.7.2. Assigning the Case 9.7.3. Priorities and TRTs 9.7.4. Cost Revision and Confirmation 9.7.5. Creating a new Client Paper Case File 9.7.6. Creating a new Client Virtual Case File 9.8. Preparing the Forensic Workstation 9.9. Imaging 9.9.1. Physical Imaging in the Forensic Laboratory 9.9.1.1. Book out the Exhibit(s) 9.9.1.2. External Examination of Exhibits 9.9.1.3. Examination of Exhibits 9.9.1.3.1. Servers, PCs, and laptops 9.9.1.3.2. Obtaining BIOS information 9.9.1.3.3. Tablet computers 9.9.1.3.4. Cell phones 9.9.1.3.5. Other devices 9.9.1.3.6. Other media 9.9.1.4. General Forensic Acquisition 9.9.1.4.1. Acquiring a hard disk 9.9.1.4.2. Acquiring a tablet computer 9.9.1.4.3. Acquiring cell phones 9.9.1.4.4. Acquiring other devices 9.9.1.4.5. Acquiring other media 9.9.1.4.6. Acquiring volatile memory 9.9.1.5. Evidence Integrity 9.9.1.6. Backing up the Images 9.9.1.7. Reassembly and Resealing the Exhibit(s) 9.9.1.7.1. Storing media and carcass together 9.9.1.7.2. Storing media and carcass separately 9.9.2. On-Site Imaging 9.9.3. Remote Imaging 9.10. Examination 9.10.1. Initial Examination 9.10.1.1. Loading Images into the Virtual Case File 9.10.1.2. PDAs and Cell Phones 9.10.1.2.1. PDAs 9.10.1.2.2. Cell phones 9.10.1.3. Images Acquired to Media (e.g., Hard Disks, Floppy Disks, Thumb Drives, etc.) 9.10.2. First-Stage Examination 9.10.2.1. Determine Appropriate Method 9.10.2.2. Using Hash Sets for First-Stage Examinations 9.10.2.2.1. "Known" or "safe" files 9.10.2.2.2. "Notable" files 9.10.2.3. Some File Systems Encountered 9.10.2.4. Automated Scripts and Tasks in Encase 9.10.2.5. Extracting Files in File Structure 9.10.2.6. Extracting Files 9.10.2.7. Text Searches 9.10.2.8. Where to Find the "Smoking gun" 9.10.2.9. Deliberately Hidden Evidence 9.10.2.10. Virtualization 9.10.2.11. Investigating Peripherals and Other Devices 9.10.2.12. Covert and Remote Investigations 9.10.2.13. Records 9.10.2.14. 
End of day Processes 9.10.3. Second-Stage Examination 9.10.4. Best Evidence 9.10.5. Case Progress 9.10.6. Choosing an Expert Witness 9.10.7. Re-Hashing the Image 9.10.8. Using a Forensic Workstation for Network Investigations 9.10.9. Meeting the Requirements of HB 171 9.11. Dual Tool Verification 9.12. Digital Time Stamping 9.13. Production of an Internal Case Report 9.13.1. The Internal Report 9.13.2. Classification 9.14. Creating Exhibits 9.14.1. What is an Exhibit? 9.15. Producing a Case Report for External use 9.15.1. The Report 9.15.2. Report Checklist 9.15.3. Peer Review 9.15.4. Release of a Case Report 9.15.5. Affidavits 9.16. Statements, Depositions, and Similar 9.17. Forensic Software Tools 9.18. Backing up and Archiving a Case 9.18.1. Initial Forensic Case Images 9.18.2. Work in Progress 9.18.3. "Finished" Cases 9.18.4. Archiving a Forensic Case 9.18.5. Recoverability of Archives and Backups 9.19. Disclosure 9.19.1. The law 9.19.2. "Unlawful" Material 9.19.3. Viewing of Material by Defence or Prosecution 9.19.4. Client Attorney Privileged Information 9.20. 
Disposal Appendix 1 - Some International Forensic Good Practice Appendix 2 - Some International and National Standards Relating to Digital Forensics Appendix 3 - Hard Disk log Details Appendix 4 - Disk History log Appendix 5 - Tape log Details Appendix 6 - Tape History log Appendix 7 - Small Digital Media log Details Appendix 8 - Small Digital Media Device log Appendix 9 - Forensic Case Work Log Appendix 10 - Case Processing KPIs Appendix 11 - Contents of Sample Exhibit Rejection Letter Appendix 12 - Sample Continuity Label Contents Appendix 13 - Details of the Forensic Laboratory Property Log Booking in Property On Resealing Property Booking Out Property Appendix 14 - Exhibit Acceptance Letter Template Appendix 15 - Property Special Handling Log Appendix 16 - Evidence Sought Appendix 17 - Request for Forensic examination Appendix 18 - Client Virtual Case File Structure Appendix 19 - Computer Details Log Appendix 20 - Other Equipment Details Log Appendix 21 - Hard Disk Details Log Appendix 22 - Other Media Details Log Appendix 23 - Cell Phone Details Log Appendix 24 - Other Device Details Log Appendix 25 - Some Evidence Found in Volatile Memory Appendix 26 - Some File Metadata Appendix 27 - Case Progress Checklist Appendix 28 - Meeting the Requirements of HB 171 Appendix 29 - Internal Case Report Template Appendix 30 - Forensic Laboratory Exhibit log Appendix 31 - Report Production Checklist Chapter 10: Case Management 10.1. Overview 10.2. Hard Copy Forms 10.3. MARS 10.3.1. Initial Forensic Laboratory Setup 10.3.2. Setting up the Administrator 10.3.3. MARS Users 10.3.4. Audit Tracking 10.3.5. Administrator Tasks 10.3.5.1. Manage Users 10.3.5.1.1. Add a User 10.3.5.1.2. Amend a User 10.3.5.1.3. Delete a User 10.3.5.2. Manage a Manufacturer 10.3.5.2.1. Add a Manufacturer 10.3.5.2.2. Amend a Manufacturer 10.3.5.2.3. Delete a Manufacturer 10.3.5.3. Manage a Supplier 10.3.5.3.1. Add a Supplier 10.3.5.3.2. Amend a Supplier 10.3.5.3.3. Delete a Supplier 10.3.5.4. 
Manage a Client 10.3.5.4.1. Add a Client 10.3.5.4.2. Amend a Client 10.3.5.4.3. Delete a Client 10.3.5.5. Manage an Investigator 10.3.5.5.1. Add an Investigator 10.3.5.5.2. Amend an Investigator 10.3.5.5.3. Delete an Investigator 10.3.5.6. Manage a Disk 10.3.5.6.1. Add a Disk 10.3.5.6.2. Amend a Disk 10.3.5.6.3. Delete a Disk 10.3.5.6.4. Wiping a Disk 10.3.5.6.5. Disposing of a Disk 10.3.5.6.6. Assigning a Disk 10.3.5.7. Manage a Tape 10.3.5.7.1. Add a Tape 10.3.5.7.2. Amend a Tape 10.3.5.7.3. Delete a Tape 10.3.5.7.4. Wiping a Tape 10.3.5.7.5. Disposing of a Tape 10.3.5.7.6. Assigning a Tape 10.3.5.8. Manage Small Digital Media 10.3.5.8.1. Add an Item of Small Digital Media 10.3.5.8.2. Amend an Item of Small Digital Media 10.3.5.8.3. Delete an Item of Small Digital Media 10.3.5.8.4. Wiping an Item of Small Digital Media 10.3.5.8.5. Disposing of an Item of Small Digital Media 10.3.5.8.6. Assigning an Item of Small Digital Media 10.3.5.9. Manage Methods and Miscellaneous Items 10.3.5.9.1. Wipe Methods 10.3.5.9.1.1. Add a New Wipe Method 10.3.5.9.1.2. Amend a Wipe Method 10.3.5.9.1.3. Delete a Wipe Method 10.3.5.9.2. Disposal Methods 10.3.5.9.2.1. Add a New Disposal Method 10.3.5.9.2.2. Amend a Dispose Method 10.3.5.9.2.3. Delete a Disposal Method 10.3.5.9.3. Imaging Methods 10.3.5.9.3.1. Add a New Imaging Method 10.3.5.9.3.2. Amend an Imaging Method 10.3.5.9.3.3. Delete an Imaging Method 10.3.5.9.4. Operating Systems 10.3.5.9.4.1. Add New Operating System 10.3.5.9.4.2. Amend an Operating System 10.3.5.9.4.3. Delete an Operating System 10.3.5.9.5. Media Types 10.3.5.9.5.1. Add New Media Type 10.3.5.9.5.2. Amend a Media Type 10.3.5.9.5.3. Delete a Media Type 10.3.5.9.6. Exhibit Types 10.3.5.9.6.1. Add New Exhibit Type 10.3.5.9.6.2. Amend a Exhibit Type 10.3.5.9.6.3. Delete a Exhibit Type 10.3.5.10. Assign A Case 10.4. Setting up a New Case 10.4.1. Creating a New Case 10.4.1.1. Case Number 10.4.1.2. Case Name 10.4.1.3. Client Name 10.4.1.4. Investigator 10.4.1.5. 
Creating the Case 10.4.2. Adding Exhibits 10.4.2.1. Add an Exhibit 10.4.2.2. Entering More Exhibits 10.4.3. Evidence Sought 10.4.3.1. Add Details to the Case 10.4.3.2. Adding More Information 10.4.4. Estimates 10.4.4.1. Add Estimates to the Case 10.4.5. Accepted or Rejected 10.4.5.1. Add Case Status 10.4.6. Amend Case Details 10.4.6.1. Amend Exhibit Details 10.4.6.2. Amend Evidence Sought Details 10.4.6.3. Amend Accept or Reject Status 10.4.7. Delete Case Details 10.5. Processing a Forensic Case 10.5.1. Selecting a Case 10.5.2. Movement Log 10.5.2.1. Add an Exhibit Movement 10.5.2.2. Amend Movements 10.5.2.3. Delete Movements 10.5.3. Exhibit Examination 10.5.3.1. Add an Exhibit's Examination Record 10.5.3.2. Amend an Exhibit's Details 10.5.3.3. Delete an Exhibit 10.5.4. Computer Exhibit Details 10.5.4.1. Add a Computer Exhibit's Details 10.5.4.2. Amend a Computer's Details 10.5.4.3. Delete a Computer Exhibit 10.5.5. Non-Computer Exhibit Details 10.5.5.1. Add a Non-Computer Exhibit's Details 10.5.5.2. Amend a Non-Computer Exhibit's Details 10.5.5.3. Delete a Non-Computer Exhibit 10.5.6. Hard Disk Details 10.5.6.1. Add a Hard Disk 10.5.6.2. Amend a Hard Disk's Details 10.5.6.3. Delete a Hard Disk 10.5.7. Other Media Details 10.5.7.1. Add an Other Media Exhibit's Details 10.5.7.2. Amend an Other Media Exhibit's Details 10.5.7.3. Delete an Other Media Exhibit 10.5.8. Case Work Log 10.5.8.1. Add a Work Record 10.5.8.2. Amend a Work Record 10.5.8.3. Delete a Work Record 10.5.9. Updated Estimates 10.5.9.1. Add Estimate 10.5.9.2. Amend Estimates 10.5.9.3. Delete Estimates 10.5.10. Exhibit(s) Created 10.5.10.1. Add Exhibit 10.5.10.2. Amend Exhibit Created 10.5.10.3. Delete Exhibit Created 10.5.11. Case Result 10.5.11.1. Add Case Result 10.5.11.2. Amend Case Result 10.5.11.3. Delete Case Result 10.5.12. Case Backup 10.5.12.1. Add backup 10.5.12.2. Amend Backups 10.5.12.3. Delete Backups 10.5.13. Billing and Feedback 10.5.13.1. 
Add Billing and Feedback Selection 10.5.13.2. Amend Billing and Feedback Selection 10.5.13.3. Delete Billing and Feedback Selection 10.5.14. Case Feedback Received 10.5.14.1. Add Case Feedback Received 10.5.14.2. Amend Case Feedback Received 10.5.14.3. Delete Billing and Feedback Selection 10.6. Reports general 10.6.1. Report Types 10.6.2. Reporting General 10.6.3. General Report Layout 10.6.3.1. Report Header 10.6.3.2. Report Sub-header 10.6.3.3. Report Footer 10.7. Administrator's reports 10.7.1. Static Information 10.7.1.1. Organization 10.7.1.2. Users 10.7.1.3. Manufacturers 10.7.1.4. Suppliers 10.7.1.5. Clients 10.7.1.6. Investigators 10.7.1.7. Disks 10.7.1.7.1. Disks by Assignment 10.7.1.7.2. Disks by Reference No. 10.7.1.7.3. Wiped Disks 10.7.1.7.4. Disposed Disks 10.7.1.7.5. Disk History 10.7.1.8. Tapes 10.7.1.8.1. Tapes by Assignment 10.7.1.8.2. Tapes by Reference No. 10.7.1.8.3. Wiped Tapes 10.7.1.8.4. Disposed Tapes 10.7.1.8.5. Tape History 10.7.1.9. Small Digital Media 10.7.1.9.1. Small digital media by assignment 10.7.1.9.2. Small Digital Media by Reference Number 10.7.1.9.3. Wiped Small Digital Media 10.7.1.9.4. Disposed Small Digital Media 10.7.1.9.5. Small Digital Media History 10.7.1.10. Wipe Methods 10.7.1.11. Disposal Methods 10.7.1.12. Imaging Methods 10.7.1.13. Operating Systems 10.7.1.14. Media Types 10.7.1.15. Exhibit Types 10.7.2. Case setup Information 10.7.2.1. Case Setup 10.7.2.2. Case Movements 10.7.2.3. Case Computers 10.7.2.4. Case Non-Computer Evidence 10.7.2.5. Case Disks Received 10.7.2.6. Case Other Media Received 10.7.2.7. Case Exhibits Received 10.7.2.8. Case Work Record 10.7.2.9. Cases Rejected 10.7.2.10. Cases Accepted 10.7.2.11. Case Estimates 10.7.3. Case Processing 10.7.3.1. Cases by a Forensic Analyst 10.7.3.2. Cases by Client 10.7.3.3. Cases by Investigator 10.7.3.4. Case Target Dates 10.7.3.5. Cases within "x" days of Target Date 10.7.3.6. Cases past their Target Date 10.7.3.7. Cases Unassigned 10.7.3.8. 
Case Exhibits Produced 10.7.3.9. Case Results 10.7.4. Case Administration 10.7.4.1. Case Backups 10.7.4.2. Billing Run 10.7.4.3. Feedback Letters 10.7.4.4. Feedback Forms Printout 10.7.4.5. Feedback Reporting Summary by Case 10.7.4.6. Feedback Reporting Summary by Forensic Analyst 10.7.4.7. Feedback Reporting Summary by Client 10.7.4.8. Complete Case Report 10.7.4.9. Processed Report 10.7.4.10. Insurance Report 10.7.5. Audits 10.7.5.1. Exhibit Audit Report 10.7.5.2. Audit Trail User 10.7.5.3. Audit Trail Case 10.7.5.4. Assigned Case History 10.8. User reports 10.8.1. Case Setup Information 10.8.2. Case Processing 10.8.3. Case Administration 10.8.4. Audits Appendix 1 - Setting up Organisational Details Organisation Name Address Postcode Phone number Fax Website URL VAT Number Registered Company Number Logo Unit Name Unit Address Unit Postcode Unit Phone Unit Fax Unit Website URL Unit Email Address Unit Logo Classification of the Reports Case Numbering Copyright Information Hard Disk Reference ID Tape Reference ID Small Digital Media ID Appendix 2 - Set up the Administrator User ID Password Confirm Password Title/Rank First Name Surname Address Postcode Phone Direct Phone Mobile Fax Email Appendix 3 - Audit reports Exhibit Audit Report Paper Type Selection Criteria Sort Order Report Header Report Sub-header Report Contents Audit Trail User Paper Type Report Description Selection Criteria Sort Order Report Header Report Sub-header Report contents Audit trail case Paper Type Report Description Selection Criteria Sort Order Report Header Report Sub-header Report Contents Assigned Case History Paper Type Selection Criteria Sort Order Report Description Report Header Report Sub-header Report Contents Appendix 4 - Manage Users User ID Password Confirm Password Title or Rank First Name Surname Address Postcode Phone Direct Phone Mobile Fax Email Access Rights Appendix 5 - Manage Manufacturers Name Address Postcode Phone Fax Website URL Email Appendix 6 - Manage Suppliers 
Name Address Postcode Phone Fax Website URL Email Account Number Contacts Appendix 7 - Manage Clients Name Address Postcode Phone Fax Website URL Email Contacts Appendix 8 - Manage Investigators Name Address Postcode Phone Fax Website URL Email Appendix 9 - Manage disks Disk details Manufacturer Serial Number Supplier Forensic Laboratory Disk Reference Model Size Order Number Date Received Delivery Note Auto Clear Entry Wipe a Disk Disk Reference Wipe Method Wiped by Date Notes Dispose of a Disk Disk Reference Disposal Method Disposed by Date Notes Disposal Certificate Assign a disk Disk Reference Assign to Appendix 10 - Manage Tapes Tape details Manufacturer Label Supplier Forensic Laboratory Tape Reference Model Size Order Number Date Received Delivery Note Auto Clear Entry Wipe a Tape Tape Reference Wipe Method Wiped by Date Notes Dispose of a Tape Tape Reference Disposal Method Disposed By Date Notes Disposal Certificate Assign a Tape Tape Reference Assign To Appendix 11 - Manage small digital media Small Digital Media Details Media Type Manufacturer Label Supplier Small Digital Media Reference Model Size Order Number Date Received Delivery Note Auto Clear Entry Wipe a Small Digital Media Device Small Digital Device Reference Wipe Method Wiped by Date Notes Dispose of an Item of Small Digital Media Small Digital Media Reference Disposal Method Disposed by Date Notes Disposal Certificate Assign a Small Digital Media Small Digital Media Reference Assign To Appendix 12 - Exhibit Details Exhibit Number Seal number Description Received by Seized From Received Date Seized Date Received Time Time Seized Insurance Value Owner Reason for Seizing Checkboxes Password? Connected? Switched on at Seizure? Switched on After Seizure? 
Add document Appendix 13 - Evidence Sought Evidence Sought Comments Add Document Appendix 14 - Estimates Cost Date Misc Hardware Analysis Report Total Case Dates Date Received Target Date Appendix 15 - Accept or Reject Case Accepted Rejected Date Accepted Date Rejected Accepted or Rejected By Reason for Rejection Date Client Advised Advised Client Name Advised Client Method Client Advised By Add document Clear All Appendix 16 - Movement Log Exhibit or Reference Number Log Number Client Seal Number Our Seal Number Our 2nd Seal Number Action Client to the Forensic Laboratory Initial Logging into Store Store to Investigation Investigation to Store Store Return to Client Other Notes Our Forensic Analyst Date Time Add Document Appendix 17 - Examination Log Exhibit Reference Number No. of Hard Disks No. of Floppy Disks No. of CDs No. of DVDs No. of Other Storage Media Total Notes Examined By Date Time Add Photos Add Document Appendix 18 - Computer Hardware Details Exhibit Reference No. of Disks in Computer Make Model Serial Number Floppy Disk (5) Floppy Disk (3) DVD Reader CD Writer CD Reader/Writer DLT Tape DVD Writer DVD Reader/Writer Zip Disk Jazz Drive Disk (Other) CD Reader DDS Tape AIT Tape QIC Tape Video Card RAM Strips SCSI Card Network Card Modem Additional Peripherals Details BIOS Key BIOS Password Boot Sequence Operating System System Date Actual Date System Time Actual Time Examined By Date Time Appendix 19 - Non-Computer Exhibit Details Exhibit Reference Exhibit Type Make Model Serial Number Notes Add Photos Add Document Examined By Date Time Appendix 20 - Hard Disk Details Exhibit Reference Disk ID Make Model Serial Number Size Cylinders Sectors Heads Jumper Settings Image 1 Image Method Operating System Blocker Used Acquisition Hash Verify Hash Image 2 Image Method Operating System Blocker Used Acquisition Hash Verify Hash Notes Add Photos Add Document Examiner Date Time Appendix 21 - Other Media Details Exhibit Reference Media Type Make Model Serial 
Number Size Image 1 Image Method Operating System Blocker Used Acquisition Hash Verify Hash Image 2 Image Method Operating System Blocker Used Acquisition Hash Verify Hash Notes Add Photos Add Document Examiner Date Time Appendix 22 - Work Record Details Examination process and results Add Photos Add Document Examined By Date Hours Appendix 23 - Updating Case Estimates Cost Date Misc Hardware Analysis Report Total Case Dates Target Date Revised Target Date Authorized By Return Date Add Photos Add Document Appendix 24 - Create Exhibit Exhibit Reference Description Created By Date Appendix 25 - Case Result Defendant Court Date Court Result Custodial Sentence Suspended Sentence Community Service Fine Notes Add Statement Appendix 26 - Case Backup Tape Tape ID Date Disk Disk ID Date Backup Type Appendix 27 - Billing and Feedback Charged Satisfaction Print Appendix 28 - Feedback Received Communication Speed of Delivery Quality of Report Quality of Results Timeliness of Delivery Supporting Material Understandability of Report Meeting Requirements Notes Appendix 29 - Organization Report Paper Type Selection Criteria Sort Order Report Header Report Sub-header Report Contents Appendix 30 - Users Report Paper Type Selection Criteria Sort Order Report Header Report Sub-header Report Contents Appendix 31 - Manufacturers Report Paper Type Selection Criteria Sort Order Report Header Report Sub-header Report Contents Appendix 32 - Supplier report Paper Type Selection criteria Sort order Report header Report Sub-header Report Contents Appendix 33 - Clients report Paper Type Selection criteria Sort Order Report Header Report Sub-header Report Contents Appendix 34 - Investigator's report Paper Type Selection Criteria Sort Order Report Header Report Sub-header Report Contents Appendix 35 - Disks by assignment report Paper Type Selection Criteria Sort Order Report Header Report Sub-header Report Contents Appendix 36 - Disks by Reference Number report Paper Type Selection Criteria Sort 
Order Report Header Report Sub-Header Report Contents Appendix 37 - Wiped Disks Report Paper Type Selection Criteria Sort Order Report Header Report Sub-header Report Contents Appendix 38 - Disposed disks report Paper Type Selection Criteria Sort Order Report Header Report Sub-header Report Contents Appendix 39 - Disk History Report Paper Type Selection Criteria Sort Order Report Header Report Sub-header Report Contents Appendix 40 - Tapes by Assignment Report Paper Type Selection Criteria Sort Order Report Header Report Sub-Header Report Contents Appendix 41 - Tapes by Reference Number Report Paper Type Selection Criteria Sort Order Report Header Report Sub-header Report Contents Appendix 42 - Wiped Tapes Report Paper Type Selection Criteria Sort Order Report Header Report Sub-Header Report Contents Appendix 43 - Disposed Tapes Report Paper Type Selection Criteria Sort Order Report Header Report Sub-header Report Contents Appendix 44 - Tape History Report Paper Type Selection Criteria Report Header Report Sub-header Report Contents Appendix 45 - Small Digital Media by Assignment Report Paper Type Selection Criteria Sort Order Report Header Report Sub-Header Report Contents Appendix 46 - Small Digital Media by Reference Number Report Paper Type Selection Criteria Sort Order Report Header Report Sub-Header Report Contents Appendix 47 - Wiped Small Digital Media Report Paper Type Selection Criteria Sort Order Report Header Report Sub-Header Report Contents Appendix 48 - Disposed Small Digital Media Report Paper Type Selection Criteria Sort Order Report Header Report Sub-Header Report Contents Appendix 49 - Small Digital Media History Report Paper Type Selection Criteria Report Header Report Sub-Header Report Contents Appendix 50 - Wipe Methods Report Paper Type Selection Criteria Sort Order Report Header Report Sub-Header Report Contents Appendix 51 - Disposal Methods Report Paper Type Selection Criteria Sort Order Report Header Report Sub-Header Report Contents 
Appendix 52 - Imaging Methods Report Paper Type Selection Criteria Sort Order Report Header Report Sub-Header Report Contents Appendix 53 - Operating Systems Report Paper Type Selection Criteria Sort Order Report Header Report Sub-Header Report Contents Appendix 54 - Media Types Report Paper Type Selection Criteria Sort Order Report Header Report Sub-Header Report Contents Appendix 55 - Exhibit Type Report Paper Type Selection Criteria Sort Order Report Header Report Sub-Header Report Contents Appendix 56 - Case Setup Details Report Paper Type Selection Criteria Sort Order Report Header Report Sub-Header Report Contents Appendix 57 - Case Movement Report Paper Type Selection Criteria Sort Order Report Header Report Sub-Header Report Contents Appendix 58 - Case Computers Report Paper Type Sort Order Selection Criteria Report Header Report Sub-Header Report Contents Appendix 59 - Case Non-Computer Evidence Report Paper Type Sort Order Selection Criteria Report Header Report Sub-Header Report Contents Appendix 60 - Case Disks Received Report Paper Type Selection Criteria Sort Order Report Header Report Sub-Header Report Contents Appendix 61 - Case Other Media Received Paper Type Selection Criteria Sort Order Report Header Report Sub-Header Report Contents Appendix 62 - Case Exhibits Received Report Paper Type Selection Criteria Sort Order Report Description Report Header Report Sub-Header Report Contents Appendix 63 - Case Work Record Paper Type Selection Criteria Sort Order Report Description Report Header Report Sub-Header Report Contents Appendix 64 - Cases Rejected Report Paper Type Selection Criteria Sort Order Report Header Report Sub-Header Report Contents Appendix 65 - Cases Accepted Paper Type Selection Criteria Sort Order Report Header Report Sub-Header Report Contents Appendix 66 - Case Estimates Report Paper Type Selection Criteria Sort Order Report Header Report Sub-Header Report Contents Appendix 67 - Cases by Forensic Analyst Paper Type Selection 
Criteria Sort Order Report Header Report Sub-Header Report Contents Appendix 68 - Cases by Client Report Paper Type Selection Criteria Sort Order Report Header Report Sub-Header Report Contents Appendix 69 - Cases by Investigator Report Paper Type Selection Criteria Sort Order Report Description Report Header Report Sub-Header Report Contents Appendix 70 - Case Target Dates Report Paper Type Selection Criteria Sort Order Report Header Report Sub-Header Report Contents Appendix 71 - Cases within "X" Days of Target Date Report Paper Type Selection Criteria Sort Order Report Header Report Sub-Header Report Contents Appendix 72 - Cases Past Target Date Report Paper Type Selection Criteria Sort Order Report Description Report Header Report Sub-Header Report Contents Appendix 73 - Cases Unassigned Report Paper Type Selection Criteria Sort Order Report Header Report Sub-Header Report Contents Appendix 74 - Case Exhibits Produced Report Paper Type Selection Criteria Sort Order Report Header Report Sub-Header Report Contents Appendix 75 - Case Results Report Paper Type Selection Criteria Sort Order Report Header Report Sub-Header Report Contents Appendix 76 - Case Backups Report Paper Type Selection Criteria Sort Order Report Header Report Sub-Header Report Contents Appendix 77 - Billing Run Report Paper Type Selection Criteria Sort Order Report Header Report Sub-Header Report Contents Appendix 78 - Feedback Letters Paper Type Selection Criteria Sort Order Report Description Report Header Report Sub-Header Report Contents Appendix 79 - Feedback Forms Printout Paper Type Selection Criteria Report Contents Report Header Report Footer Report Order Appendix 80 - Feedback Reporting Summary by Case Paper Type Selection Criteria Sort Order Report Header Report Sub-Header Report Contents Appendix 81 - Feedback Reporting Summary by Forensic Analyst Paper Type Selection Criteria Sort Order Report Description Report Header Report Sub-Header Report Contents Appendix 82 - Feedback 
Reporting Summary by Client Paper Type Selection Criteria Sort Order Report Header Report Sub-Header Report Contents Appendix 83 - Complete Case Report Paper Type Selection Criteria Report Description Report Header Report Sub-Header Report Contents Appendix 84 - Processed Report Paper Type Selection Criteria Report Header Report Sub-Header Report Contents Appendix 85 - Insurance Report Paper Type Selection Criteria Sort Order Report Header Report Contents Report Order Chapter 11: Evidence Presentation 11.1. Overview 11.2. Notes 11.2.1. Notes for the Forensic Analyst 11.2.2. Notes for Colleagues 11.2.3. Notes for the Case 11.2.4. Note Taking 11.3. Evidence 11.3.1. Rules of Evidence 11.3.2. Authenticity of Evidence 11.3.3. Evidence Handling 11.3.4. Admissibility of Evidence 11.3.5. Types of Evidence 11.3.6. Weight of Evidence 11.3.7. Evidential Continuity 11.3.8. Issues with Digital Evidence 11.4. Types of Witness 11.4.1. An Evidentiary Witness 11.4.2. An Expert Witness 11.4.3. Single Joint Expert Witnesses 11.4.4. Court-Appointed Expert Witnesses 11.4.5. Experts not Acting as Expert Witnesses 11.4.6. Overriding Duty 11.4.7. Codes of Conduct for Expert Witnesses 11.4.8. Code of Conduct for Evidentiary Witnesses 11.4.9. Different Jurisdictions 11.5. Reports 11.5.1. General 11.5.2. Audience Identification 11.5.3. Types of Report 11.5.3.1. Forensic Reports for Criminal Cases 11.5.3.2. Electronic Discovery or eDiscovery 11.5.3.3. Industrial Disciplinary Tribunals 11.5.3.4. Intrusion Investigations 11.5.3.5. Intelligence Gathering 11.5.3.6. Statements and Depositions 11.5.3.7. Report Checklists 11.5.4. Level of Detail in Reports 11.5.5. Duty of Care 11.5.6. Duty to the Client 11.5.7. Duty to the Court 11.6. Testimony in Court 11.6.1. Team Work 11.6.2. Pretrial Meetings 11.6.3. Reviewing Case, Notes, and Reports 11.6.4. First Impressions Count 11.6.5. Being an Effective Witness 11.6.6. Using Visual Aids 11.6.7. Using Feedback 11.6.7.1. During Testimony 11.6.7.2. 
Posttrial Review 11.7. Why Cases Fail Appendix 1 - Nations Ratifying the Budapest Convention Appendix 2 - Criteria for Selection an Expert Witness Appendix 3 - The Forensic Laboratory Code of Conduct for Expert Witnesses Appendix 4 - Report writing Checklist Preparation and Planning Content and Structure Layout Language Used Presentation and Language Final Presentation Appendix 5 - Statement and Deposition Writing Checklist Author's Details Layout and Language Content Appendix 6 - Non-Verbal Communication to Avoid Appendix 7 - Etiquette in Court Appendix 8 - Testimony Feedback form Case Details Feedback Personal Impressions Delivery of Testimony Length of Testimony Case Result Corrective Actions Recommended Sign Off Chapter 12: Secure Working Practices 12.1. Introduction 12.2. Principles of Information Security within the Forensic Laboratory 12.2.1. Accountability Principle 12.2.2. Awareness Principle 12.2.3. Ethics Principle 12.2.4. Multidisciplinary Principle 12.2.5. Proportionality Principle 12.2.6. Integration Principle 12.2.7. Timeliness Principle 12.2.8. Assessment Principle 12.2.9. Equity Principle 12.3. Managing Information Security in the Forensic Laboratory 12.3.1. Managing Organizational Security 12.3.1.1. The Forensic Laboratory Information Security Committee 12.3.1.2. Allocation of Information Security Responsibilities 12.3.1.3. Authorization for New Information Processing Facilities 12.3.1.4. Provision for Specialist Security Advice 12.3.1.5. Independent Review of the Information Security System 12.3.2. Educating and Training Employees in Information Security 12.3.2.1. Security Awareness 12.3.2.1.1. Educating New Employees 12.3.2.1.2. Guidelines for Educating New Employees 12.3.2.1.3. Maintaining Employee Awareness 12.3.2.2. Security Training 12.3.3. Managing Information Security for Employees 12.3.3.1. Promoting Information Security in Employees 12.3.3.2. Defining Security Roles in Job Descriptions 12.3.3.3. 
Issuing Confidentiality Agreements 12.3.3.4. Issuing Terms and Conditions of Employment 12.3.4. Termination or Change of Employment 12.3.5. Segregation of IT Duties 12.3.6. Segregation of Other Duties 12.3.7. Electronic Mail 12.3.7.1. E-mail Accounts 12.3.7.2. Protection of E-mail 12.3.7.3. Acceptable Use of E-mail 12.3.7.4. Unacceptable Use of E-mail 12.3.8. Leaving Equipment Unattended 12.3.9. Mobile Computing 12.3.9.1. General Policy on Mobile Computing 12.3.9.2. User's Responsibilities 12.3.9.3. Responsibilities of the Forensic Laboratory IT Department 12.3.9.4. Using Mobile Computing Devices 12.3.10. Securing IT Assets Off-Site 12.3.10.1. General Guidelines for Securing IT Assets Off-Site 12.3.10.2. Securing Mobile Computing Devices Off-Site 12.3.10.3. Securing Mobile Phones Off-Site 12.3.10.4. Securing IT Assets Sent for Maintenance Off-Site 12.3.11. Retaining Documents 12.3.12. Handling and Securing Storage Media 12.3.12.1. Guidelines for Handling the Forensic Laboratory Media 12.3.12.2. Securing Media in Transit 12.3.12.3. Management of Removable Media 12.3.13. Managing Compliance 12.3.13.1. Complying with Legal Requirements 12.3.13.1.1. Identifying Applicable Legislation 12.3.13.1.2. Protecting Intellectual Property Rights 12.3.13.1.3. Safeguarding the Forensic Laboratory Records 12.3.13.1.4. Data Protection and Privacy of Personal Data 12.3.13.1.5. Preventing Misuse of Information Systems 12.3.13.1.6. Collecting Evidence for Compliance 12.3.13.1.7. Regulation of Cryptographic Controls 12.3.13.2. Reviewing the Information Security System Compliance 12.3.13.2.1. Responsibilities 12.3.13.2.2. Review Framework 12.3.13.2.2.1. Internal Audits 12.3.13.2.2.2. Internal BCP Tests 12.3.13.2.2.3. Internal Technical Testing 12.3.13.2.2.4. External Audits 12.3.13.2.2.5. External Technical Testing 12.3.14. Managing Assets in the Forensic Laboratory 12.3.14.1. Establishing Accountability of Assets 12.3.14.2. Purchasing Assets 12.3.14.2.1. 
Roles and Responsibilities 12.3.14.2.1.1. Individual departments 12.3.14.2.1.2. Finance Department 12.3.14.2.1.3. IT Department 12.3.14.3. Physical Asset Transfer 12.3.14.3.1. Asset Transfer between Individuals 12.3.14.3.2. Asset Transfer from Storage to an Individual 12.3.14.3.3. Asset Transfer between Departments 12.3.14.3.4. Issue of an IT Asset 12.3.14.3.4.1. New IT Assets 12.3.14.3.4.2. Reissued IT Assets 12.3.14.4. Removing Assets from the Forensic Laboratory Premises 12.3.14.4.1. Asset Removals Procedure 12.3.14.5. Managing Information Assets 12.3.14.5.1. Information Assets 12.3.14.5.2. Software Assets 12.3.14.5.3. Physical Assets 12.3.14.5.4. Services 12.3.14.6. Classification of Assets 12.3.14.7. Duties of Information Owners and Custodians 12.3.14.8. Labeling Assets 12.3.14.8.1. Documents 12.3.14.8.2. Physical Assets 12.3.14.8.3. Information Assets 12.3.14.9. Handling Classified Assets 12.3.14.10. Disposing of Assets 12.3.14.10.1. Asset Disposal by Outsourcers 12.3.14.10.2. Physical Assets 12.3.14.10.3. IT Assets 12.3.14.10.3.1. IT Department Roles and Responsibilities 12.3.14.10.3.2. Disposing of an IT Asset Procedure 12.4. Physical Security in the Forensic Laboratory 12.4.1. General Forensic Laboratory Physical Controls 12.4.2. Hosting Visitors 12.4.2.1. Definitions 12.4.2.2. General 12.4.2.3. Levels of Access 12.4.2.3.1. Normal Access 12.4.2.3.2. Access Authorizer 12.4.2.3.3. Escorted Access 12.4.2.3.4. Unescorted Access 12.4.2.4. The Visit Life Cycle 12.4.2.4.1. Prior to the Visit 12.4.2.4.2. On Arrival 12.4.2.4.3. During the Visit 12.4.2.4.4. Accessing Secure Areas 12.4.2.4.5. Ending the Visit 12.4.2.4.5.1. Forensic Laboratory Office 12.4.2.4.5.2. Secure Areas 12.4.2.5. End of Day Procedures 12.4.2.6. Unwanted Visitors 12.4.3. Managing Deliveries 12.4.3.1. Procedure for Receiving Deliveries 12.4.4. Managing Access Control 12.4.4.1. Authorizations 12.4.4.2. Working in Secure Areas 12.4.4.3. Managing Access to Secure Areas 12.4.4.3.1. 
Roles and Responsibilities 12.4.4.3.1.1. Facilities Manager 12.4.4.3.1.2. IT Manager 12.4.4.3.1.3. Information Security Manager 12.4.4.3.2. Granting Access to Secure Areas 12.4.4.3.3. Revoking Access Rights to Secure Areas 12.4.4.3.4. Reviewing Access to Secure Areas 12.4.5. CCTV in the Forensic Laboratory 12.4.6. Reviewing Physical Access Controls 12.5. Managing Service Delivery 12.6. Managing System Access 12.6.1. Access Control Rules for Users and User Groups 12.6.1.1. Introduction to User Groups 12.6.1.2. Roles and Responsibilities 12.6.1.2.1. IT Manager 12.6.1.2.2. Information Security Manager 12.6.1.2.3. Departmental Managers 12.6.1.2.4. Service Desk 12.6.1.2.5. Application Administrators 12.6.1.3. Reviewing User Groups 12.6.2. Managing Privileges for User Accounts 12.6.3. Maintaining Server Passwords 12.6.3.1. Guidelines for Securing Server Passwords 12.6.3.2. IT Manager Role and Responsibilities 12.6.3.3. Retrieving a Secure Server Password 12.6.3.4. Changing a Secure Server Password 12.6.4. Maintaining User Accounts 12.6.4.1. An Overview of User Accounts 12.6.4.2. Roles and Responsibilities 12.6.4.2.1. Service Desk 12.6.4.2.2. Forensic Laboratory Line Management 12.6.4.2.3. Human Resources Department 12.6.4.3. Creating a New User Account 12.6.4.4. Creating a New Application User Account 12.6.4.5. Amending an Existing User Account 12.6.4.6. Suspending an Existing User Account 12.6.4.7. Deleting an Existing User Account 12.6.5. Managing Application Access Control 12.6.5.1. Restricting Access to Information 12.6.6. Managing Operating System Access Control 12.6.6.1. Automatic Terminal Identification 12.6.6.2. Managing Login 12.6.6.3. User Identification and Authorization 12.6.6.4. Managing User Passwords 12.6.6.5. Use of System Utilities 12.6.6.6. Terminal Time-Outs 12.6.6.7. Limiting Connection Times 12.6.7. Monitoring and Reviewing System Access and Use 12.6.8. Implementing Enforced Paths 12.6.9. Enabling Teleworking for Users 12.6.9.1. 
Obtaining Approval for Teleworking 12.6.10. Guidelines for Securing Teleworking Environments 12.7. Managing Information on Public Systems 12.7.1. Hardware and Software Standards 12.7.2. Information Security Standards 12.7.3. Published Information Guidelines 12.7.4. Server Management Guidelines 12.7.5. Reviewing Security for Public Systems 12.8. Securely Managing IT Systems 12.8.1. Accepting New Systems 12.8.1.1. Guidelines for System Acceptance 12.8.1.2. Procedures for Assessing and Accepting a New System 12.8.2. Securing Business Information Systems 12.8.2.1. Roles and Responsibilities 12.8.2.1.1. Information Security Manager 12.8.2.1.2. IT Manager 12.8.2.1.3. Information System Owners 12.8.3. Ensuring Correct Data Processing 12.8.3.1. Security During Data Input 12.8.3.2. Security During Data Processing 12.8.3.3. Security during data output 12.8.3.4. Types of Testing 12.8.3.5. Test Records 12.8.4. Information Exchange 12.8.4.1. Information Exchange Procedures and Controls 12.8.4.2. Exchange Agreements 12.8.5. Cryptographic Controls 12.8.5.1. Guidelines for Key Management 12.8.5.2. Managing Keys Procedures 12.9. Information Processing Systems Development and Maintenance 12.9.1. System Development Life Cycle 12.9.2. Program Specification 12.9.3. Security of System Files 12.9.3.1. Control of Operational Software 12.9.3.2. Protection of System Test Data 12.9.3.3. Access to Program Source Library 12.9.4. Security in Development and Support Processes 12.9.4.1. Packaged Solution Use 12.9.4.2. Fixes and Service Packs 12.9.4.2.1. Change Control Procedures 12.9.4.2.2. Technical Review of Operating System Changes 12.9.4.2.3. Restrictions on Changes to Software Packages 12.9.4.2.4. Covert Channels and Trojan Code 12.9.4.2.5. Outsourced Software Development 12.9.5. Developing Software Applications 12.9.5.1. Roles and Responsibilities 12.9.5.1.1. Software Developer 12.9.5.1.2. Quality Assurance 12.9.5.1.3. IT Manager 12.9.5.2. Developing the code 12.9.5.3. 
Testing the code 12.9.5.4. Releasing the code 12.9.6. Security Standards for Systems Development 12.9.6.1. Standards for Systems Development Projects 12.9.6.2. Standards for Systems Development Methods 12.9.6.3. Standards for System Design 12.9.6.4. Standards for the Development Environment 12.9.6.5. Standards for Software Testing 12.9.7. Standards for System Implementation 12.9.8. Security Standards for Third Party Systems Development 12.9.8.1. Developing System Specifications/Requirements 12.9.8.2. Requests for Proposals and Quotations 12.9.8.3. System Development 12.9.8.4. System Testing 12.9.8.5. System Implementation and Sign-Off 12.9.9. Reviewing Application Systems 12.9.10. Separating Development, Test, and Operational Environments 12.9.10.1. Development, Test, and Operational Environments Separation Standards Appendix 1 - The Forensic Laboratory SOA Mandatory Controls (Section 4-8) Statement of Applicability (Controls in ISO 27001-Section A5-A15) Statement of Applicability (Controls not in ISO 27001) Appendix 2 - Meeting the Requirements of GAISP Appendix 3 - Software License Database Information Held Appendix 4 - Information Security Manager, Job Description Objective and Role Problems and Challenges Principal Accountabilities Authority Contacts Internal External Reports to Appendix 5 - Logon Banner Appendix 6 - The Forensic Laboratory's Security Objectives Appendix 7 - Asset Details to be Recorded in the Asset Register Asset Details Current Owner Details Validation and Maintenance Details Updated By Appendix 8 - Details Required for Removal of an Asset Appendix 9 - Handling Classified Assets Appendix 10 - Asset Disposal Form Form Condition Codes Reason for Disposal Method of Disposal Appendix 11 - Visitor checklist Visitor Details Host Details Escort Details Visit Details Checklist Signatures New NDAs Appendix 12 - Rules of the Data Center Appendix 13 - User Account Management form Contents Account Owner Details Authorized Requestor Details Request Type 
Hardware Required Mobile Devices Required Communications Accounts Drive Access Software Required Information Access Forensic Case Processing Setup details Appendix 14 - Teleworking Request Form Contents Proposed Teleworker Details Proposed Teleworker Location Authorized Requestor Details Business Justification Duration of Teleworking Communication Method Teleworking Additional Measures Required Legislative Requirements Training Authority and Approval Chapter 13: Ensuring Continuity of Operations 13.1. Business Justification for Ensuring Continuity of Operations 13.1.1. General 13.1.2. PDCA Applied to the BCMS 13.1.3. BCMS Scope and Purpose 13.1.4. Requirements 13.1.5. Organizational BCP Objectives 13.1.6. Acceptable Level of Risk 13.1.7. Statutory, Regulatory, and Contractual Duties 13.1.8. Interests of Key Stakeholders 13.2. Management Commitment 13.2.1. Provision of Resources 13.3. Training and Competence 13.3.1. Roles and Responsibilities 13.3.1.1. Business Continuity Manager 13.3.1.2. Forensic Laboratory Top Management 13.3.1.3. Forensic Laboratory Employees 13.3.2. Managing Business Continuity Awareness and Education 13.3.2.1. Overview 13.3.2.2. Guidelines for Educating New Employees in Business Continuity 13.3.2.3. Business Continuity Management Education and Information Program 13.3.2.4. Reviewing and Improving Business Continuity Awareness 13.3.3. Managing Skills Training for Business Continuity Management 13.3.3.1. Overview for Managing Skills Training for Business Continuity Management 13.3.3.2. Identifying Employees Skills and Competences for Business Continuity 13.3.3.3. Reviewing Training Outcomes 13.3.4. Training Records 13.4. Determining the Business Continuity Strategy 13.4.1. Overall Activity Strategy 13.4.2. Key Products and Services 13.4.3. Business Continuity Policy 13.4.4. The Approach 13.4.4.1. Reviewing Employee Resource Options 13.4.4.2. Reviewing Work Location and Buildings Options 13.4.5. Reviewing Supporting Technology Options 13.4.6. 
Reviewing Information and Other Data Options 13.4.7. Reviewing Supplies and Equipment Options 13.4.8. Reviewing Third Parties and Other Stakeholders Options 13.4.9. Reviewing Business Continuity Strategy 13.4.10. Agreeing to a Strategy 13.5. Developing and Implementing a Business Continuity Management Response 13.5.1. BCMS Structure 13.5.2. Incident Management 13.5.3. Forensic Laboratory Business Continuity Response 13.5.4. Developing a Business Continuity Plan 13.5.5. Updating and Approving a BCP 13.5.6. Reviewing and Improving the BCP Development Process 13.5.7. Reviewing and Improving BCP Implementation 13.6. Exercising, Maintaining, and Reviewing Business Continuity Arrangements 13.6.1. Roles and Responsibilities 13.6.1.1. Business Continuity Manager 13.6.1.2. Forensic Laboratory Top Management Responsibilities 13.6.2. Business Continuity Exercise and Test Exercises 13.6.3. Maintaining the Business Continuity Exercise and Test Program 13.6.4. Performing Business Continuity Exercises and Tests 13.6.4.1. Planning a Business Continuity Exercise or Test 13.6.4.2. Performing a Business Continuity Exercise or Test Exercise 13.6.4.3. Reviewing a Business Continuity Exercise or Test 13.7. Maintaining and Improving the BCMS 13.8. Embedding Business Continuity Forensic Laboratory Processes 13.9. BCMS Documentation and Records-General 13.9.1. Documentation 13.9.2. Records 13.9.3. 
Control of Documents and Records Appendix 1 - Supplier Details Held Appendix 2 - Headings for Financial and Security Questionnaire Finance Management Systems Information Security Quality Appendix 3 - Business Continuity Manager, Job Description Objective and Role Problems and Challenges Principal Accountabilities Authority Contacts Internal External Reports to Appendix 4 - Contents of the Forensic Laboratory BIA Form Appendix 5 - Proposed BCMS Development and Certification Timescales Appendix 6 - Incident Scenarios Appendix 7 - Strategy Options Appendix 8 - Standard Forensic Laboratory BCP Contents Appendix 9 - Table of Contents to the Appendix to a BCP Appendix 10 - BCP Change List Contents Appendix 11 - BCP Scenario Plan Contents Appendix 12 - BCP Review Report Template Contents Appendix 13 - Mapping IMS Procedures to ISO 22301 Appendix 14 - Differences Between ISO 22301 and BS 25999 Chapter 14: Managing Business Relationships 14.1. The Need for Third Parties 14.2. Clients 14.2.1. Forensic Laboratory Mechanisms for Managing Customer Relations 14.2.1.1. Identification of Clients, Products, Services, and Stakeholders 14.2.1.2. Client Service Monitoring and Review 14.2.1.3. Client Complaints 14.2.1.4. Client Feedback 14.2.1.5. Service Desk 14.2.2. Managing Products and Services 14.2.2.1. Creating a Product or Service 14.2.2.2. Implementing a Service 14.2.2.3. Changing an Existing Product or Service 14.2.2.4. Closing a Product or Service 14.3. Third Parties Accessing the Forensic Laboratory 14.3.1. General 14.3.2. Identification of Third Party Risks 14.3.3. Third Party Contractual Terms Relating to Information Security 14.4. Managing Service Level Agreements 14.4.1. Creating an SLA 14.4.2. Monitoring and Reviewing an SLA 14.5. Suppliers of Office and IT Products and Services 14.5.1. Selecting a New Supplier of Office and IT Equipment 14.5.2. Requirements for Office and IT Supplier Contracts 14.5.3. Monitoring Supplier Service Performance 14.5.4. 
Reviewing Supplier Contracts 14.5.5. Resolving Contractual Disputes with Suppliers 14.5.6. Managing Termination of Supplier Services 14.6. Utility Service Providers 14.7. Contracted Forensic Consultants and Expert Witnesses 14.8. Outsourcing 14.8.1. Determining Objectives of Outsourcing 14.8.1.1. Benefits of Outsourcing 14.8.1.2. Risks of Outsourcing 14.8.2. Selecting an Outsourcing Service Provider 14.8.2.1. Requirements for Outsourcing Contracts 14.8.2.2. Monitoring Outsourcing Service Supplier Performance 14.8.2.3. Reviewing the Outsourcing Contract 14.8.2.4. Resolving Contractual Disputes with an Outsource Service Provider 14.8.2.5. Managing Termination of an Outsourcing Contract 14.9. Use of Sub-contractors 14.9.1. By the Forensic Laboratory 14.9.2. By Suppliers or Outsourcing Service Providers 14.10. Managing Complaints 14.11. Reasons for Outsourcing Failure Appendix 1 - Contents of a Service Plan Appendix 2 - Risks to Consider With Third Parties Appendix 3 - Contract Checklist for Information Security Issues Product or Service Description Roles and Responsibilities Communications and Reporting Between the Parties Information Security Controls Required Legal Matters Miscellaneous Contract Termination and Re-negotiation Appendix 4 - SLA Template for Products and Services for Clients Appendix 5 - RFX Descriptions Request for Information RFQ-Request for Quotation Request for Qualification Request for Proposal Request for Tender Appendix 6 - The Forensic Laboratory RFx template checklist Appendix 7 - RFX Timeline for Response, Evaluation, and Selection Appendix 8 - Forensic Consultants Personal Attributes Appendix 9 - Some Tips for Selecting an Outsourcing Service Provider Appendix 10 - Areas to Consider for Outsourcing Contracts Chapter 15: Effective Records Management 15.1. Introduction 15.1.1. What is a Record? 15.1.2. What is a Vital Record? 15.1.3. What is a Document? 15.1.4. What is Records Management? 15.1.5. What is a Record Keeping System? 15.1.6. 
Records Life Cycle 15.1.7. Why Records Must be Managed 15.1.8. Benefits of Effective Records Management 15.1.9. Stakeholders in the Forensic Laboratory's Record Keeping Process 15.2. Legislative, Regulatory, and Other Requirements 15.2.1. Legislative, Regulatory Requirements, and Codes of Practice 15.2.2. Principles of Record Management Within the Forensic Laboratory 15.3. Record Characteristics 15.3.1. General Requirements 15.3.1.1. Record Authenticity 15.3.1.2. Record Reliability 15.3.1.3. Record Integrity 15.3.1.4. Record Usability 15.4. A Records Management Policy 15.4.1. Why a Record Keeping Policy? 15.4.2. Key Components of a Record Keeping Policy 15.5. Defining the Requirements for Records Management in the Forensic Laboratory 15.5.1. General 15.5.2. Objectives 15.5.3. Choosing a Design and Implementation Methodology 15.5.3.1. Initiation 15.5.3.2. Feasibility Study 15.5.3.3. Business Analysis 15.5.3.4. Existing Records Management System Evaluation 15.5.3.5. Resolution Strategies 15.5.3.6. Selection of an ERMS 15.5.3.7. Pilot Implementation and Testing 15.5.3.8. Full Implementation and Record Migration 15.5.3.9. Decommissioning an old ERMS 15.5.3.10. Post Implementation Review 15.6. Determining Forensic Laboratory records to be Managed by the ERMS 15.6.1. General 15.6.2. General Business Records 15.6.3. Forensic Case Records 15.6.4. Document Retention 15.7. Using Metadata in the Forensic Laboratory 15.7.1. The Benefits of Creating and Using Metadata 15.7.2. Responsibilities 15.7.3. Record Keeping Metadata Needed 15.7.3.1. In the ERMS 15.7.3.2. Microsoft Office Suite 15.7.3.3. E-Mail 15.7.3.4. Hard Copy Records On-Site 15.7.3.5. Hard Copy Records Sent Off-Site 15.7.3.6. Retaining Metadata 15.8. Record Management Procedures 15.8.1. Common Processes 15.8.1.1. Training 15.8.1.2. General 15.8.1.3. Record Capture 15.8.1.4. Indexing 15.8.1.5. Records Stored in the Forensic Laboratory 15.8.1.5.1. Physical Records 15.8.1.5.2. Electronic Records 15.8.1.6. 
Record Classification 15.8.1.7. Document Control 15.8.1.8. Secure Storage 15.8.1.8.1. Physical Record Storage 15.8.1.8.2. Electronic Record Storage 15.8.1.9. Access to Records 15.8.1.10. Output 15.8.1.11. Transmission 15.8.1.12. Retention 15.8.1.13. Record Review 15.8.1.14. Disposal and Disposition 15.8.1.15. Audit Trails and Tracking 15.8.1.16. Backup 15.8.1.17. Business Continuity 15.8.1.18. ERMS Maintenance 15.8.1.19. Change Management 15.8.1.20. Securely Managing the ERMS 15.8.1.21. Third Parties 15.8.2. Forensic Case Processing 15.8.2.1. Case Creation 15.8.2.2. Adding Records to the Virtual Case File 15.8.3. Record Disposition 15.9. Business Continuity Appendix 1 - MoReq2 Functional Requirements Appendix 2 - Mapping of ISO 15489 part 1 to Forensic Laboratory Procedures Appendix 3 - Types of Legislation and Regulation That Will Affect Record Keeping Appendix 4 - Forensic Laboratory Record keeping Policy Purpose Policy Statement Scope Policy Context Legislation, Regulation, and Standards Record keeping Systems Responsibilities Monitor and Review Appendix 5 - Record Management System objectives Appendix 6 - Business Case Contents Appendix 7 - Outline of the ERMS Project Initiation Phase Implementation Phase Post Implementation Phase Appendix 8 - Selection Criteria for an ERMS Appendix 9 - Initial ERMS Feedback Questionnaire Appendix 10 - Metadata Required in the ERMS Appendix 11 - Sample e-Mail Metadata Appendix 12 - Forensic Case Records Stored in the ERMS Where Received in the Forensic Laboratory Where an on-Site Seizure is Undertaken General Appendix 13 - Dublin Core Metadata Elements Appendix 14 - National Archives of Australia Metadata Standard Appendix 15 - Responsibilities for Records Management in the Forensic Laboratory Top Management Line Managers Employees Records Management Team Audit Manager Quality Manager Appendix 16 - Metadata for Records Stored off-Site Appendix 17 - Records Classification System Appendix 18 - Disposition Authorization Appendix 
19 - Additional Requirements for Physical Record Recovery Appendix 20 - Specialized Equipment Needed for Inspection and Recovery of Damaged Records Equipment Clothing Chapter 16: Performance Assessment 16.1. Overview 16.2. Performance Assessment 16.2.1. Monitoring and Measurement 16.2.2. SLAs and TRTs 16.2.3. Evaluation of Conformance 16.2.4. Security Metrics 16.2.5. Internal Audit 16.2.6. Client Feedback 16.2.7. Managing Client complaints 16.2.8. Handling of Non-conformities 16.2.9. Management Reviews Chapter 17: Health and Safety Procedures 17.1. General 17.1.1. The Importance of People and a Safe Workplace 17.1.2. Management Requirements 17.1.3. The Forensic Laboratory OH&S Policy 17.1.4. Responsibilities 17.1.4.1. Top Management 17.1.4.2. Health and Safety Manager 17.1.4.3. Line Managers 17.1.4.4. The Forensic Laboratory, Generally 17.1.4.5. Employees 17.1.5. Benefits 17.1.5.1. Direct Benefits 17.1.5.2. Indirect Benefits 17.1.5.3. Family Benefits 17.2. Planning for OH&S 17.2.1. General 17.2.2. Legal, Regulatory, and Other Requirements 17.2.3. Objectives 17.2.4. Planning for Hazard Identification 17.2.4.1. General Workplace Hazard Identification 17.2.4.2. Performing the Hazard Analysis 17.2.5. Risk Assessment 17.2.6. Control Selection 17.2.6.1. General Controls 17.2.6.1.1. Electrical Hazards 17.2.6.1.2. Falls 17.2.6.1.3. Fire and Other Emergencies 17.2.6.1.4. First Aid and Accident Reporting 17.2.6.1.5. Hand Tools-Powered 17.2.6.1.6. Housekeeping 17.2.6.1.7. Lone Working 17.2.6.1.8. Manual Handling 17.2.6.1.9. Personal Protective Equipment-General 17.2.6.1.10. Safety Signage 17.2.6.1.11. Slips and Trips 17.2.6.1.12. Smoking, Alcohol, and Drug Use 17.2.6.1.13. Stress 17.2.6.1.14. Waste Disposal (General) 17.2.6.2. Incident Response Controls 17.2.6.3. Work Controls for Forensic Case Processing 17.2.6.4. Teleworking Controls 17.2.6.5. Mobile Working Controls 17.2.6.6. Display Screen Equipment 17.2.6.7. Pregnancy Controls 17.2.7. Creating the Risk Register 17.3. 
Implementation and Operation of the OH&S Management System 17.3.1. Resource Provision 17.3.2. Some Operational Responsibilities and Accountabilities 17.3.2.1. Top Management 17.3.2.2. Health and Safety Manager 17.3.2.3. Forensic Laboratory Line Management 17.3.2.4. Employees 17.3.3. Competence, Training, and Awareness 17.3.4. Communications 17.3.5. OH&S Documentation 17.3.6. Hierarchy of OH&S Controls 17.3.6.1. Engineering Controls 17.3.6.2. Administrative Controls 17.3.6.3. Personal Protective Equipment 17.3.6.4. Implementing Controls 17.3.7. Some Generic Controls 17.3.8. Emergency Preparedness and Response 17.4. Checking Compliance with OH&S Requirements 17.4.1. Monitoring and Measurement of Compliance 17.4.1.1. Active Monitoring Systems 17.4.1.2. Reactive Monitoring Systems 17.4.2. Audits 17.4.3. Incident Reporting, Investigation, and Management 17.5. Improving the OH&S Management System 17.5.1. Management Review Appendix 1 - OH&S Policy Checklist Appendix 2 - The Forensic Laboratory OH&S Policy Appendix 3 - Health and Safety Manager Job Description Objective and Role Problems and Challenges Principal Accountabilities Authority Contacts Internal External Reports to Appendix 4 - Some Examples of OH&S Drivers Appendix 5 - The Forensic Laboratory OH&S Objectives Appendix 6 - Sample Hazards in the Forensic Laboratory Appendix 7 - Hazard Identification Form Appendix 8 - Some Areas for Inspection for Hazards Appendix 9 - Inputs to the Risk Assessment Process Appendix 10 - OH&S Risk Rating Appendix 11 - DSE Initial Workstation Self-Assessment Checklist Chair Desk and Workplace Display Screens Keyboards Pointing Devices Software Furniture General Working Environment Health Concerns Appendix 12 - DSE Training Syllabus Appendix 13 - DSE Assessors Checklist Chair Desk and Workplace Display Screens Keyboards Pointing Devices Software Furniture General Working Environment Health Concerns Appendix 14 - Measurement of OH&S success Management Commitment Organizational and 
Operational Requirements Competence, Awareness, and Training Operational Processes Emergency and Incident Response Audit Communicating the OH&S Message Appendix 15 - Specific OH&S Incident Reporting Requirements Appendix 16 - OH&S Investigation Checklist and Form Contents Appendix 17 - OH&S Incident Review Appendix 18 - OHSAS 18001 Mapping to IMS Procedures Chapter 18: Human Resources 18.1. Employee Development 18.1.1. Overview of Employee Development 18.1.1.1. Commitment 18.1.1.2. Planning 18.1.1.3. Action 18.1.1.4. Evaluation 18.1.2. Recruitment Overview 18.1.2.1. Employees Roles and Responsibilities 18.1.2.1.1. Roles and Responsibility Definitions for Job Applicants 18.1.2.1.2. General Roles and Responsibilities 18.1.2.1.3. Specific Roles and Responsibilities 18.1.2.1.4. Roles and Responsibilities for Third Parties Employed in the Forensic Laboratory 18.1.2.2. Management Responsibilities 18.1.2.2.1. Prior to Employment 18.1.2.2.2. New Employees 18.1.2.2.3. During Employment 18.1.3. Employee Screening 18.1.3.1. Definitions 18.1.3.2. Overview 18.1.3.3. General Requirements 18.1.3.4. Involvement in the Employee Screening Process 18.1.3.5. Application Forms 18.1.3.6. Employment Screening Levels 18.1.3.6.1. Minimum Level of Employee Security Screening 18.1.3.6.2. Medium Level of Employee Security Screening 18.1.3.6.3. High Level of Employee Security Screening 18.1.3.7. Security Screening Procedures 18.1.3.7.1. The Employment Screening Plan and Records 18.1.3.7.2. Verifying Identity 18.1.3.7.3. Verifying Address 18.1.3.7.4. Verifying the Right to Work 18.1.3.7.5. Verifying Employment History 18.1.3.7.6. Verifying Qualifications 18.1.3.7.7. Verifying Criminal Records 18.1.3.7.7.1. A Criminal Record Declaration 18.1.3.7.7.2. Verifying the Criminal Record Declaration 18.1.3.7.8. Verifying Financial Status 18.1.3.7.9. Personal Character Reference(s) 18.1.3.7.10. Other Reference(s) 18.1.3.7.11. Interviews 18.1.3.7.12. The Employment Decision 18.1.3.7.13. 
Electronically Cross-Checking Information Provided 18.1.3.8. Using a Third-Party Screening Service Provider 18.1.3.9. Employing Third Parties 18.1.3.10. Individuals Employed in the Screening Process 18.1.3.11. Employee Security Screening Training 18.1.3.12. Employee Screening Records 18.1.4. Contracts, Confidentiality, and Non-Disclosure Agreements 18.1.5. Job Descriptions 18.1.6. Competence on Arrival 18.1.7. Induction 18.1.8. Policies and Procedures 18.2. Development 18.2.1. Ongoing Training 18.2.1.1. Promotion of IMS Awareness 18.2.1.2. Maintaining Employee IMS Awareness 18.2.1.3. Other Business-Related Training 18.2.1.4. Information Security Training 18.2.1.5. Technical Training for Forensic Laboratory Employees 18.2.1.6. Training Development Within the Forensic Laboratory 18.2.1.7. Individual Certification or Not? 18.2.1.8. Training Records 18.2.2. Training Needs Analysis 18.2.2.1. Identifying Business Needs 18.2.2.2. Identifying Training Needs 18.2.2.3. Specifying Training Needs 18.2.2.4. Turning Training Needs into Action 18.2.2.4.1. Formal Training 18.2.2.4.1.1. Out of Doors Training 18.2.2.4.1.2. Computer-Based Training 18.2.2.4.1.3. Distance Learning 18.2.2.4.1.4. Job Rotation 18.2.2.4.1.5. Job Shadowing 18.2.2.4.2. Informal Training 18.2.2.4.2.1. Coaching 18.2.2.4.2.2. Mentoring 18.2.2.5. The Training Specification 18.2.2.5.1. Develop or Purchase? 18.2.2.5.2. Choosing a Supplier 18.2.2.6. Planning the Training 18.2.2.7. Training Evaluation 18.2.2.7.1. Reaction Level Evaluation 18.2.2.7.2. Immediate Level Evaluation 18.2.2.7.3. Intermediate Level Evaluation 18.2.2.7.4. Ultimate Level Evaluation 18.2.3. Monitoring and Reviewing 18.2.4. Employee Appraisals 18.2.5. Competence 18.2.6. Proficiency 18.2.7. Code of Ethics 18.3. Termination 18.3.1. Permanent Employee Terminations 18.3.1.1. Human Resources Department 18.3.1.2. Finance Department 18.3.1.3. IT Department 18.3.1.4. Employee's Line Manager 18.3.1.5. Employee 18.3.2. Other Employee Terminations 18.3.2.1. 
Agency or Outsourcing Partner 18.3.3. Change of Employee Responsibilities 18.3.4. Removal of Access Rights 18.3.4.1. Termination 18.3.4.2. Employment Change 18.3.5. Return of Assets Appendix 1 - Training Feedback Form Appendix 2 - Employee Security Screening Policy Checklist Appendix 3 - Employment Application Form Appendix 4 - Employment Application Form Notes The Application Form Section 1: Personal Details Section 2: Education and Professional Qualifications Section 3: Present Post Section 4: Previous Employment Section 5: Relevant Skills, Abilities, Knowledge, and Experience Section 6: Other Information Section 7: References Section 8: Declaration Appendix 5 - Some Documents That Can Verify Identity Appendix 6 - Document Authenticity Checklist Appendix 7 - Verifying Addresses Appendix 8 - Right To Work Checklist Appendix 9 - Reference Authorization Please Read This Carefully Before Signing The Declaration Appendix 10 - Statutory Declaration Matter to Declare (Examples): Appendix 11 - Employer Reference Form Employee or Applicant Previous Employer Employment Details Miscellaneous Declaration Appendix 12 - Employer's Oral Reference Form Employee or Applicant Previous Employer Employment Details Miscellaneous Declaration Appendix 13 - Confirmation of an Oral Reference Letter Appendix 14 - Qualification Verification Checklist Appendix 15 - Criminal Record Declaration Checklist Appendix 16 - Personal Reference Form Employee or Applicant The Reference Giver Relationship Details Miscellaneous Declaration Appendix 17 - Personal Oral Reference Form Employee or Applicant The Reference Giver Relationship Details Miscellaneous Declaration Appendix 18 - Other Reference Form Employee or Applicant The Reference Giver Details Required Miscellaneous Declaration Appendix 19 - Other Reference Form Employee or Applicant The Reference Giver Details Miscellaneous Declaration Appendix 20 - Employee Security Screening File Applicant Details Information Given by the Applicant Codes in 
Use Documents Seen Processes Undertaken Certification of Identity References Authorization Certification Appendix 21 - Top Management Acceptance of Employment Risk Appendix 22 - Third-Party Employee Security Screening Provider Checklist Appendix 23 - Recruitment Agency Contract Checklist Appendix 24 - Investigation Manager, Job Description Objective and Role Problems and Challenges Principal Accountabilities Authority Contacts Internal External Reports to Appendix 25 - Forensic Laboratory System Administrator, Job Description Objective and Role Problems and Challenges Principal Accountabilities Authority Contacts Internal External Reports to Appendix 26 - Employee, Job Description Objective and Role Problems and Challenges Principal Accountabilities Reports to Appendix 27 - Areas of Technical Competence Appendix 28 - Some Professional Forensic and Security Organizations Specific Forensic Organizations Information Security Organizations Appendix 29 - Training Specification Template Appendix 30 - Training Proposal Evaluation Checklist Appendix 31 - Training Supplier Interview and Presentation Checklist Interviews Presentation Appendix 32 - Training Reaction Level Questionnaire General Precourse Briefing Training Objectives Training Methods Trainers Facilities and Administration Other Comments Marking Scheme Appendix 33 - The Forensic Laboratory Code of Ethics Appendix 34 - Termination Checklist Employee Details General Questions Job Specific Questions Evaluation of Management New Role Return of Assets IT Department Actions Chapter 19: Accreditation and Certification for a Forensic Laboratory 19.1. Accreditation and Certification 19.1.1. Definitions 19.1.2. The International Accreditation Forum 19.1.3. The Hierarchy of ISO Standards for Accreditation and Certification 19.1.3.1. Accreditation Bodies 19.1.3.2. Conformance Assessment Bodies 19.1.4. Standards and Regulations Applicable to the Forensic Laboratory 19.1.4.1. Accreditation 19.1.4.2. Certifications 19.1.4.3. 
Compliance 19.1.4.4. Regulations and Legislation 19.1.4.5. ISO 9001 and ISO 17025 19.1.5. Benefits of Accreditation and Certification for the Forensic Laboratory 19.1.5.1. Accreditation 19.1.5.2. Certification 19.1.6. Establishing the Need for Accreditation and/or Certification 19.1.7. Requirements for Accreditation and/or Certification 19.2. Accreditation for a Forensic Laboratory 19.2.1. Self-evaluation Prior to Application 19.2.2. Selecting an AB 19.2.3. Accreditation Information to be Made Available 19.2.4. Selection of an AB 19.2.5. Application 19.2.6. Scope of Accreditation 19.2.7. Fees for Accreditation 19.2.8. Processing Applications 19.2.9. Assigning the Lead Assessor 19.2.10. Appointing the Assessment Team 19.2.11. Document Review 19.2.12. Pre-assessment Visit 19.2.13. Scheduling the Initial On-Site Assessment 19.2.14. Logistics of the Initial On-Site Assessment 19.2.15. Opening Meeting 19.2.16. Other Meetings 19.2.17. The Assessment 19.2.18. Recording Assessment Findings 19.2.19. Factors Affecting the Recommendation 19.2.20. Closing Meeting 19.2.21. Quality Assurance of the Assessment Report 19.2.22. Addressing Non-conformances 19.2.23. The Accreditation Decision 19.2.24. Accreditation Certificate 19.2.25. The Accreditation Cycle 19.2.26. Surveillance Visits 19.2.27. Re-assessments 19.2.28. Proficiency Testing 19.2.29. Changes to the Scope 19.2.30. Special Interim Assessments 19.2.31. Conformance Records 19.2.32. Disclosure of Non-conformance 19.2.33. Sanctions 19.2.33.1. Appeal of Sanction 19.2.33.2. Removal of Sanction 19.2.34. Voluntary Termination of Accreditation 19.2.35. Appeals 19.2.36. Obligations of Accredited Laboratories 19.2.37. Obligations of the AB 19.2.38. Use of the AB's Logos and Marks 19.2.39. Misuse of the AB's Logo and Mark 19.2.39.1. By an Accredited Laboratory 19.2.39.2. By Non-clients 19.2.40. Other ABs 19.3. Certification for a Forensic Laboratory 19.3.1. Self-evaluation Prior to Application 19.3.2. Selecting a CAB 19.3.3. 
Certification Information to be Made Available 19.3.4. Appointing a CAB 19.3.5. Scope of Certification 19.3.6. Application 19.3.7. Fees for Certification 19.3.8. Processing Applications 19.3.9. Assigning the Lead Assessor 19.3.10. Review of the Application 19.3.11. Appointing the Assessment Team 19.3.12. Assessment Duration 19.3.13. Optional Pre-assessment Visits 19.3.14. Scheduling the Stage 1 Assessment 19.3.15. Logistics of the Stage 1 Assessment 19.3.16. Opening Meeting 19.3.17. Other Meetings 19.3.18. Stage 1 Assessment 19.3.19. Recording Stage 1 Assessment Findings 19.3.20. Joint Assessments 19.3.21. Factors Affecting the Recommendation for a Stage 2 Assessment 19.3.22. Closing Meeting 19.3.23. Quality Assurance of the Assessment Report 19.3.24. Addressing Non-conformances 19.3.25. Scheduling the Stage 2 Assessment 19.3.26. Logistics of the Stage 2 Assessment 19.3.27. Opening Meeting 19.3.28. Stage 2 Assessment 19.3.29. Recording Stage 2 Assessment Findings 19.3.30. Factors Affecting the Recommendation 19.3.31. Closing Meeting 19.3.32. Quality Assurance of the Assessment Report 19.3.33. Addressing Non-conformances 19.3.34. Granting Initial Certification 19.3.35. Confidentiality of the Assessment Process 19.3.36. Certification Certificates 19.3.37. Obligations of Certified Organizations 19.3.38. Postassessment Evaluation 19.3.39. Certification Cycle 19.3.40. Extending the Scope of Certification 19.3.41. Surveillance Activities 19.3.41.1. Surveillance Assessments 19.3.41.2. Triennial Assessment 19.3.42. Maintaining Certification 19.3.43. Joint Assessments 19.3.44. Other Means of Monitoring Performance 19.3.45. Sanctions 19.3.45.1. Suspension of a Certificate 19.3.45.2. Withdrawal of Certificates 19.3.45.3. Canceling the Certificate 19.3.46. Appeals and Complaints 19.3.47. Obligations of the CAB 19.3.48. The Forensic Laboratory's Obligations 19.3.49. 
Use of the CAB's Logos and Marks Appendix 1 - Typical Conditions of Accreditation Appendix 2 - Contents of an Audit Response Appendix 3 - Management System Assessment Non-Conformance Examples Major Non-conformance Examples Minor Non-conformance Examples Observation Opportunity for Improvement Appendix 4 - Typical Closeout Periods Chapter 20: Emerging Issues 20.1. Introduction 20.2. Specific Challenges 20.2.1. Legislative Issues 20.2.1.1. Changing Laws 20.2.1.2. Time to Enact Legislation 20.2.1.3. Following Legislative Procedures 20.2.1.4. Evidence in Different Jurisdictions 20.2.1.5. Spoliation 20.2.1.6. Privacy Issues 20.2.1.7. Judicial Decisions 20.2.1.8. Common Language 20.2.2. Technology Issues 20.2.2.1. Rapid Changes in Technology 20.2.2.2. Wireless Connectivity 20.2.2.3. Cloud Computing 20.2.2.4. Mobile Devices 20.2.2.4.1. Standard Mass Market Phones 20.2.2.4.2. Blackberry Devices 20.2.2.4.3. Android Devices 20.2.2.4.4. iPads 20.2.2.4.5. Other Tablets 20.2.2.4.6. Chinese Mobile Phones 20.2.2.5. Large Disks 20.2.2.6. Alternative Technologies 20.2.2.7. Game Consoles 20.2.2.8. Proprietary Operating Systems 20.2.2.9. Non-compliant Hardware 20.2.2.10. Solid-State Devices 20.2.2.11. Detective Tools and Fitness for Forensic Purpose 20.2.2.12. Network Forensic Issues 20.2.3. Human Issues 20.2.3.1. Training 20.2.3.2. Competence and Proficiency 20.2.3.3. Maintaining Records 20.2.3.4. Complying with Procedures 20.2.3.5. Going Beyond the Safety Zone 20.2.3.6. Standard Procedures 20.2.4. Preserving the Evidence 20.2.4.1. Volume of Data 20.2.4.2. Challenging the Chain of Custody 20.2.4.3. Changes Made During Preservation 20.2.5. Identifying the Evidence 20.2.5.1. Numbers of Systems 20.2.5.2. At the Scene 20.2.5.3. During Processing 20.2.6. Collecting the Evidence 20.2.6.1. Completeness of Evidence Seized 20.2.6.2. Transporting the Evidence 20.2.7. Extracting the Evidence 20.2.7.1. Volume of Data 20.2.7.2. Speed of Searching 20.2.7.3. Completeness of Extracting 20.2.8. 
Documenting How It Was Recovered 20.2.8.1. Chain of Custody 20.2.9. Interpreting the Evidence 20.2.9.1. Difference of Interpretation Opinions 20.2.9.2. Time Issues 20.2.9.3. Consistency 20.2.10. Presenting the Evidence (Either to the Client or a Court) 20.2.10.1. Lack of Visibility 20.2.10.2. Method of Presentation 20.2.10.3. Completeness of the Presentation 20.2.11. Anti-forensics and Counter-Forensics 20.2.11.1. Encryption 20.2.11.2. Data Hiding 20.2.11.2.1. Steganography 20.2.11.2.2. Covert Channels 20.2.11.2.3. Trail Obfuscation 20.2.11.2.4. Disk and File Wiping 20.2.11.2.5. Physical Destruction 20.2.11.2.6. Attacks on Digital Forensics Tools 20.2.12. Miscellaneous 20.2.12.1. Accreditation and Certification 20.2.12.2. Testing and Validation 20.2.12.3. Key Dependence of Digital Evidence 20.2.12.4. Growth in the Need for Digital Forensics 20.2.12.5. Training 20.2.13. Focus Appendix Acronyms Bibliography International Standards National Standards Guidance from Authoritative Sources Index Glossary