A Digital Forensics Capability Maturity Model for Organizations

11173 words (45 pages) Dissertation

18th May 2020 Dissertation Reference this

Digital forensics continues to be a vital, expanding, and relevant technology field. Investigations by law enforcement, private investigators, human resources teams, and cybersecurity teams may rely heavily on digital forensics. Yet digital forensics may be conducted by an individual or a team in a manner that fails to produce relevant or complete judgments for a stakeholder. To assist in improving the digital forensic method used by a team or individual, this research created a model that provides measurements of key forensic capabilities.

1. Introduction

A forensic analyst will commonly proclaim that the technology you own will betray you. Additionally, it can be difficult to find an organization or entity that does not rely on some form of technology for its core processes. According to Garfinkel (2010), digital forensic analysis has become a desirable request for all manner of investigations.  Technology consistently produces data, metadata, and logging evidence. Securing an organization’s sensitive data and infrastructure has become a priority and attacks against those targets are becoming more sophisticated.  Karie and Karume (2017) described the rising threats of cyber-crimes against organizations and the need to implement processes to adequately respond with digital forensic capabilities. With the increase in cyber-crimes, entities will want to provide equal increases in the efforts of maturing forensic investigations.

The purpose of this research was to present a Capability Maturity Model Integration (CMMI) based model for digital forensics. A stakeholder of a digital forensic team may use the model as a mechanism to measure an organization’s digital forensic capabilities. The model could also help teams to understand what gaps may exist in their current state and what steps could be followed to reach a more mature level. The model provides a calculated score that may be used to understand an overall maturity level of the forensics program. This Digital Forensics Capability Maturity Model Integration (DFCMMI) model was tested in multiple organizations by digital forensic experts for usability, clarity, and applicability.

This research is structured as follows. Section 2 describes the CMMI and reviews the common digital forensic frameworks that inform DFIR best practices. Section 3 describes the research conducted to produce the model and presents the DFCMMI, its scoring, and the survey results. Section 4 gives recommendations for extending the model and Section 5 provides conclusions and directions for future research. The model itself is reproduced in Appendix A.

2. LITERATURE REVIEW

This section provides a literature review of digital forensic processes, capability maturity models, and organizational best practices for forensic teams. Digital forensics grew out of the body of knowledge on forensic science, and digital forensic investigations can have a variety of concentrations. Stemming from the computer revolution of the late 1970s, the most common form of digital forensics was support for criminal or civil cases where evidence could be found in the technology being used. Forensics in the private sector may include corporate investigations of employees, fraud, and cyber-intrusion investigations. The 1978 Florida Computer Crimes Act was the first state statute in the United States under which a person could be prosecuted specifically for computer crime, and it was eventually followed by the federal Computer Fraud and Abuse Act of 1986. Since that time, digital forensics on servers, laptops, desktops, networking devices, cloud infrastructure, and mobile phones has greatly increased.

2.1 Capability Maturity Model Integration (CMMI)

The CMMI is a popular framework for evaluating or appraising where an organization's maturity ranks within a defined program. The CMMI can show whether an organizational program is ad hoc and unorganized or highly structured and repeatable. The CMMI was originally developed by the Software Engineering Institute at Carnegie Mellon University together with government and industry representatives. It was originally designed for software engineering but was quickly generalized to other areas of program appraisal. In January 2013, the CMMI Institute was formed at Carnegie Mellon to continue the research and dissemination of the framework. Practitioners should note that the CMMI is not a standard and does not provide detailed instructions for achieving the goals being measured. The framework was designed to serve as a guideline for understanding current implementations and the alternative mechanisms by which maturity levels can be implemented in a program.

The CMMI defines a staged method for measuring maturity levels across the framework. The five maturity levels are defined as initial, managed, defined, quantitatively managed, and optimizing. The CMMI also defines capability levels for individual process areas (in CMMI v1.3: 0 incomplete, 1 performed, 2 managed, 3 defined); the list in Section 2.1.1 combines the two scales, and the DFCMMI in Appendix A adopts a capability-style scale of levels 0 to 4. The CMMI framework offers organizational management a structured means to rank a process and understand how to improve it. A CMM should provide guidance on what actions can be performed to improve the process rather than explicitly listing steps to achieve the next level of maturity. Al-Hanaei & Rashid (2014) explained that as organizational capability increases, the results produced better align with expectations and accuracy. As results improve, an organization should experience decreased costs, decreased development time, increased productivity, and increased quality.

2.1.1 Defining the CMMI Levels

  • CMMI level 0 is defined as incomplete. At level 0, processes are either not performed or only partially performed. There are no goals and no clear standards.
  • CMMI level 1 is defined as performed. At level 1, processes are chaotic and ad hoc. A stable outcome cannot be expected, and any productive activity at this level is attributable to the experience of the person or team involved rather than to the process. Organizations at this initial level should not expect a quality outcome from the process.
  • CMMI level 2 is defined as managed. Management has visibility into the status of the processes and controls are in place. At the managed level, services are expected to follow project plans that meet standards and requirements.
  • CMMI level 3 is labeled as defined. At the defined level, processes are clearly understood, documented, followed, and consistent. Defined processes are more mature than managed ones by virtue of greater detail, proactive quality controls, a deeper understanding of the relationships between process elements, and detailed metrics.
  • CMMI level 4 is defined as quantitatively managed. At this level, subprocesses are reviewed by statistical means to improve control over the larger processes. Detailed measurements are collected and analyzed, and variations are identified and analyzed for improvements to quality. Level 4 processes are more mature than level 3 processes because quantitative measurements are taken and used for decision-making.
  • CMMI level 5 is defined as optimizing. At level 5, processes are continually improved through incremental and innovative process and technology improvements. Improvements are measured and evaluated. A cycle of constant process improvement lets the organization adopt change quickly as opportunities arise. Level 5 processes are the most mature because variation is analyzed and outcomes are predictable.

CMMI maturity levels cannot be skipped or passed over; each more mature level is built on the success of the lower levels. The CMMI Institute notes that an organization at a lower maturity level can attempt to perform practices from a higher level but must accept a risk of inconsistent results. Overall, the CMMI provides a flexible framework that can be adapted to most situations and, in the case of this research, can be used to show the maturity levels of a digital forensic program.

2.2 Understanding Common Digital Forensics Frameworks and Guidelines

An experienced forensic investigator will follow a common guideline, either one mandated by their organization or a method in which they have been trained. Standardizing on a forensic guideline has many benefits, most of them derived from commonality of process and the ability to compare results across investigations (Jafari & Satti, 2015; Selamat, Yusof & Sahib, 2008). To understand how to measure the maturity of an organization's digital forensic processes, a review of the common digital forensic models is needed. Selamat, Yusof and Sahib (2008) described 13 different digital forensic investigation frameworks that could be leveraged by an organization or individual to complete an investigation. The frameworks published in the body of knowledge share a common analysis process and vary from four phases up to 21 phases. Common to most process models are the phases of collection, examination, analysis, and reporting. This section reviews the common digital forensic models found in the industry.

2.2.1 A Framework for Digital Forensic Science (DFRWS Conference)

The DFRWS conference produced a model, published in "A Road Map for Digital Forensic Research", that described the six-step process of identification, preservation, collection, examination, analysis, and presentation of digital evidence (Jafari & Satti, 2015; Palmer, 2001; Pollitt, 2007; Reith, Carr, & Gunsch, 2002). This model explained that forensics is not a single process but a grouping of tasks that distill into functions. These functions are based on the role of the investigation and bounded by constraints defined by a set of requirements. The DFRWS framework was designed to be extended and refined, to introduce a common DFIR vocabulary, and to be used as a practical tool.

2.2.2 NIST Special Publication 800-101

SP 800-101 was published by the National Institute of Standards and Technology as a guideline for performing forensics on mobile devices. According to Ajijola, Zavarsky, and Ruhl (2014), 800-101 provides a uniquely in-depth look at applicable technologies and the corresponding connections to specific forensic procedures. Ayers, Brothers, and Jansen (2014) describe procedures for validation, preservation, acquisition, examination, analysis, and reporting. The publication defines mobile forensic toolsets, preservation procedures, acquisition, and examination. A classification system is described that allows investigators to compare the extraction methods of differing toolsets. Evidence preservation objectives are clearly outlined for securing the scene, documentation, isolation, transport, storage, and onsite processing. Additionally, 800-101 explains the acquisition process in the steps of identification, tool selection, device memory acquisition, and device considerations (Yang & Lai, 2012).

2.2.3 Abstract Digital Forensics Model (ADFM)

Reith, Carr, and Gunsch (2002) presented the ADFM as an enhanced model based on the DFRWS work. The ADFM consists of nine phases: identification, preparation, approach strategy, preservation, collection, examination, analysis, presentation, and returning evidence. The ADFM introduced comprehensive pre- and post-investigation procedures that had not previously been defined. The phases added in the ADFM, as compared to the DFRWS model, focus on the end of the investigation: presentation of the findings and relinquishing the evidence are detailed.

2.2.4 Systematic Digital Forensic Investigation Model (SDFIM)

Agarwal, Gupta, Gupta, and Gupta (2011) presented the SDFIM, based on the DFRWS model. The SDFIM was designed to provide a detailed approach for practitioners to build applicable policies and procedures. The SDFIM describes an eleven-stage model. Emphasis is placed on the stages of documenting the scene, communication shielding, evidence collection, preservation, and examination.

2.2.5 Integrated Digital Investigation Process (IDIP)

Carrier and Spafford (2003) integrated all available models and investigative procedures at the time of the research into a map of their digital investigative process. This framework is organized into five groups consisting of 17 phases. Readiness, deployment, crime scenes, investigations, and review comprise this process. The IDIP highlighted a review phase in which the whole investigation is reviewed in order to note improvements that could mature the next investigation.

2.2.6 ISO/IEC Standard 27037

ISO/IEC 27037 provides guidelines for the identification, collection, acquisition, and preservation of digital evidence. The intent of the authors was to provide a practical platform for digital forensic investigators that facilitates the usability of evidence (Ajijola, Zavarsky, and Ruhl, 2014). Veber & Smutny (2015) observed that this standard focuses on the collection and storage of evidence rather than the later processes of a traditional forensics model.

2.2.7 Network Forensic Generic Process Model (NFGPM)

Fenu & Solinas (2013) and Pilli, Joshi, and Niyogi (2010) described the NFGPM as a nine-phase forensic process. Network forensics is applicable in environments where security tools deployed at egress points allow packet inspection. The detection phase in the NFGPM is initiated by alarms generated by the security tools rather than by the investigator being called to a crime scene. The incident response phase is then conducted by the team to better understand the alarm and decide whether the incident needs to be escalated into a formal response. Collection, preservation, examination, and analysis in the NFGPM then align with the other models such as the DFRWS model.

2.3 Other Forensics Based CMMI

The literature review revealed other models based on the CMMI framework. Al Hanaei & Rashid (2014) created DF-C2M2, which focused on creating a modular management decision framework. Al Hanaei's model utilized assessments and planning tools to measure compliance. DF-C2M2 was designed to fill the gaps of ISO 27037, ISO 27041, and other models rather than to serve as a direct tool for measuring maturity. Kerrigan's (2013) framework, a capability maturity model for digital investigations, was based on the CMMI and focused on regulatory crime, entities in Ireland, response rates, and computing devices. The Kerrigan model is heavily cited and provides a good primer for measuring a forensics program; however, it does not cover newer areas of forensics, such as network-based artifacts, that are incorporated into this research.

3. THE RESEARCH

The development of the DFCMMI provides a mechanism to benchmark the maturity of a digital forensic program. According to Kerrigan (2013), digital evidence plays a significant role in any investigation that may be conducted by an organization or law enforcement. The literature review of the existing frameworks and models in the sections above shows that most of these frameworks take similar approaches. Some frameworks concentrate on certain areas of the investigation while others emphasize different areas; however, all of them work toward a common goal and often utilize the same toolsets and procedures. This research proposed a maturity model by applying the CMMI to the common processes and steps of the digital forensic frameworks found in the body of knowledge. This grouping was designed to produce a forensic CMMI that allows entities to better understand what the next steps could be to improve their digital forensic investigations. The research approach involved a literature review, qualitative interviews of subject matter experts, and testing of the model in several organizations.

3.1 Constructing the Model

In the initial phase of building the DFCMMI model, sections were constructed based on the literature review and experience of the researcher. The DFCMMI was then shared with digital forensic experts to be applied as a tool in a corporate organization or relevant environment. Qualitative data was then collected from the participants on the application of the model, feedback on the descriptions found within the DFCMMI, and answers from a short questionnaire on the use of the model. The feedback was then incorporated into the model and sent back to the participants to ensure their feedback was properly represented.

3.1.1 Experts

The DFCMMI was shared with DFIR experts and researchers for use in measuring a forensics program. Several experts were invited to join the research and nine provided data. Qualitative data were collected from the participants and analyzed to improve the first draft of the DFCMMI. Suggestions from an expert were evaluated, potentially added to the model, and sent back out to the remaining participants in an updated release of the model. Any suggestion that reached a consensus of more than 80 percent of the participants resulted in a change to the model.

3.1.2 Survey

The participants were provided a survey along with the DFCMMI model to better understand the potential impact the model could have on the measurement of a digital forensics program. The survey asked the experts to rate different aspects of the model and to score the impact of the questions on a five-point Likert scale, where five meant strongly agree and one meant strongly disagree. The questionnaire and results are found in Appendix A.

3.1.3 Analysis of the Model

The overall phases of the DFCMMI were constructed from the research conducted during the literature review and the Likert results collected from the survey. On average, the nine participants scored the model 4.5 out of 5 as a valuable measuring tool. The survey results also indicated that participants found the model easy to apply (4.5), clear in intent (4.5), helpful for understanding where a program could be matured (4.5), and intuitive to apply (4.0). These results suggest that the model can be applied to an organization to quickly understand the maturity level of its forensics program and what steps are needed for improvement.

3.2 Digital Forensics Capability Maturity Model (DFCMMI)

This research presented a digital forensics process model to be used as a tool to benchmark the maturity of an organization's digital forensics program. The DFCMMI is defined by five major sections: preprocesses, acquisition, examination, presentation, and management. The DFCMMI can be found in Appendix A.

3.2.1 Scoring Using the Model

The DFCMMI major sections have weighted scoring that increases as the forensics program aligns to the more mature objectives.

Calculated score          Level of maturity
0 to 20 points            Ad-hoc level
20 to 40 points           Reactive level
40 to 60 points           Managed level
60 to 75 points           Proactive level
Greater than 75 points    Optimized level

Table 1. Calculations for DFCMMI maturity.

When a DFIR program aligns with the incomplete level (level 0) for an objective, it receives zero points for that objective; when it aligns with the optimized level (level 4), it receives four points for that objective. The points are summed across all objectives and the total is mapped to a maturity level using Table 1. The overall DFCMMI score may allow an organization or stakeholder to better understand the program's present capabilities and what steps can be taken to mature the program to the next level.
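
The scoring procedure above, as an added worked example that is not part of the dissertation: each objective is given a level from 0 to 4, the points are summed, the total is mapped to the Table 1 band, and the lowest-scoring objectives are reported as the gaps to close. Section and objective names are taken from Sections 3.2.2 to 3.2.5 and Appendix A; the per-objective scores in `SAMPLE_ASSESSMENT` are constructed, and because Table 1's bands share their edge values (20, 40, 60), the example assumes a total on a cut-off falls into the higher band.

```python
"""Added example (not from the dissertation): scoring a DFCMMI assessment.

Each objective is scored 0-4 as in Appendix A (Incomplete=0 ... Optimized=4),
the points are summed, and the total is mapped to the Table 1 bands. The
assessment below is constructed; the boundary handling (a total exactly on a
cut-off counts toward the higher band) is an assumption made here.
"""
from typing import Dict, List, Tuple

LEVEL_NAMES = {0: "Incomplete", 1: "Performed", 2: "Managed", 3: "Defined", 4: "Optimized"}

# (inclusive lower bound, band name) from Table 1, in ascending order.
MATURITY_BANDS: List[Tuple[int, str]] = [
    (0, "Ad-hoc"), (20, "Reactive"), (40, "Managed"), (60, "Proactive"), (75, "Optimized"),
]


def maturity_level(total: int) -> str:
    """Map a total score to its Table 1 maturity band."""
    band = MATURITY_BANDS[0][1]
    for lower, name in MATURITY_BANDS:
        if total >= lower:
            band = name
    return band


def points_to_next_band(total: int) -> int:
    """Points still needed to reach the next band (0 when already in the top band)."""
    for lower, _ in MATURITY_BANDS:
        if total < lower:
            return lower - total
    return 0


def score_assessment(assessment: Dict[str, Dict[str, int]]) -> dict:
    """assessment maps section -> objective -> level (0..4).

    Returns the total, its band, per-section totals, the gap to the next band,
    and the lowest-scoring objectives (the 'next steps' the model is meant to surface).
    """
    total = 0
    section_totals: Dict[str, int] = {}
    gaps = []
    for section, objectives in assessment.items():
        section_totals[section] = 0
        for objective, level in objectives.items():
            if level not in LEVEL_NAMES:
                raise ValueError(f"{section} / {objective}: level must be 0..4, got {level!r}")
            section_totals[section] += level
            if level < 4:
                gaps.append((section, objective, level, LEVEL_NAMES[level]))
        total += section_totals[section]
    gaps.sort(key=lambda g: g[2])  # stable sort: ties keep assessment order
    return {
        "total": total,
        "level": maturity_level(total),
        "max_possible": 4 * sum(len(objs) for objs in assessment.values()),
        "section_totals": section_totals,
        "points_to_next_band": points_to_next_band(total),
        "next_steps": gaps[:3],
    }


# Constructed assessment for illustration. The Management section's objectives are
# not enumerated in the dissertation text, so that section is omitted here.
SAMPLE_ASSESSMENT = {
    "Pre-Process": {
        "On-Site Triage Procedures": 2, "Identification": 3, "Documenting the scene": 2,
        "Physical device preservation": 3, "Evidence Isolation": 1,
    },
    "Acquisition and Preservation": {
        "Drive acquisition": 3, "Memory acquisition": 2, "Network event collection": 1,
        "eDiscovery": 2, "Hashing": 3, "Mobile device collection": 2,
    },
    "Examination and Analysis": {
        "Evidence analysis": 3, "Forensic toolsets documentation": 2, "e-Discovery": 2,
    },
    "Presentation": {"Reporting": 3, "Lessons learned": 1},
}

if __name__ == "__main__":
    result = score_assessment(SAMPLE_ASSESSMENT)
    print(f"{result['total']}/{result['max_possible']} points -> {result['level']} "
          f"({result['points_to_next_band']} points to the next band)")
    for section, objective, level, name in result["next_steps"]:
        print(f"  improve {section} / {objective}: currently {name} ({level})")
```

One check worth making before adopting the thresholds: the 16 objectives named in Sections 3.2.2 to 3.2.5 can score at most 64 points, which never reaches the "greater than 75" Optimized band, so the management section's objectives must be part of the assessment (at least 19 objectives at four points each are needed to exceed 75), or the band boundaries must be rescaled to the number of objectives actually scored.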

3.2.2 Preprocesses Section

The preprocess section of the DFCMMI focuses on triage procedures, identification of devices on the scene, documentation of the scene, physically securing the evidence, and isolation procedures. Measurements of the preprocess section may assist in understanding the improvements that can be made in preparing the materials, sources, and evidence for acquisition by the forensics team. Processes in this section include onsite triage, identification, documenting the scene, physical device preservation, and evidence isolation.

3.2.3 Acquisition and Preservation Section

The acquisition and preservation section follows the securing of the scene and primarily deals with evidence collection. This phase includes drive acquisition, memory acquisition, network event collection, eDiscovery, hashing, and mobile device collection. Measurements of the acquisition and preservation section may assist in understanding the improvements that can be made in collecting digital evidence from all applicable sources, including mobile devices, and in the steps necessary to maintain the chain of custody.
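
The hashing and chain-of-custody objectives of this section, as an added example that is not from the dissertation or any tool it cites: an acquired image is hashed in chunks, and every custody event (acquisition, check-in to the laboratory inventory, start of examination) is appended to a log in which each entry carries the SHA-256 of the previous entry, so both an altered image and a rewritten custody entry are detected. The image bytes, examiner names, timestamps, and the JSON-lines log layout are all constructed for this example and are not a published standard.

```python
"""Added example (not from the dissertation): integrity hashing of an acquired
evidence image plus a tamper-evident chain-of-custody log.

Everything here is constructed for illustration: the 'image' is a temporary file
of fabricated bytes, and the examiner names and timestamps are invented. The log
layout (one JSON object per entry, each carrying the SHA-256 of the previous
entry) is this example's own convention, not a published standard.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone
from typing import List, Optional, Tuple

CHUNK = 1 << 20  # hash in 1 MiB pieces so multi-GB images need not fit in memory


def hash_file(path: str, algorithm: str = "sha256") -> str:
    """Return the hex digest of a file, streamed in chunks."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


class CustodyLog:
    """Append-only custody log. Each entry commits to the hash of the entry before it,
    so editing or deleting an earlier entry breaks every later link."""
    GENESIS = "0" * 64

    def __init__(self) -> None:
        self.entries: List[dict] = []

    @staticmethod
    def _entry_hash(entry: dict) -> str:
        # Canonical serialisation (sorted keys) so the hash is reproducible.
        return hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()

    def record(self, evidence_id: str, action: str, custodian: str,
               evidence_hash: str, when: Optional[datetime] = None) -> dict:
        prev = self._entry_hash(self.entries[-1]) if self.entries else self.GENESIS
        entry = {
            "evidence_id": evidence_id,
            "action": action,
            "custodian": custodian,
            "sha256": evidence_hash,
            "timestamp": (when or datetime.now(timezone.utc)).isoformat(),
            "prev_entry": prev,
        }
        self.entries.append(entry)
        return entry

    def verify(self) -> Tuple[bool, Optional[int]]:
        """Return (True, None) if the log is intact, else (False, index of first bad entry).

        Two checks: the hash chain over the entries themselves, and that every entry
        for an item reports the same evidence hash as that item's first (acquisition)
        entry, i.e. the evidence did not change while in custody."""
        prev = self.GENESIS
        acquisition_hash = {}
        for i, e in enumerate(self.entries):
            if e["prev_entry"] != prev:
                return False, i
            acquisition_hash.setdefault(e["evidence_id"], e["sha256"])
            if e["sha256"] != acquisition_hash[e["evidence_id"]]:
                return False, i
            prev = self._entry_hash(e)
        return True, None


def evidence_tamper_demo() -> Tuple[bool, bool, Optional[int]]:
    """Acquire a constructed image, check it in, then alter one byte before examination."""
    utc = timezone.utc
    with tempfile.TemporaryDirectory() as workdir:
        image = os.path.join(workdir, "EV-001.dd")
        with open(image, "wb") as f:
            f.write(b"CONSTRUCTED-IMAGE-" + bytes(range(256)) * 64)  # fabricated content
        log = CustodyLog()
        log.record("EV-001", "acquired", "examiner_a", hash_file(image),
                   datetime(2020, 5, 18, 9, 0, tzinfo=utc))
        log.record("EV-001", "checked into lab inventory", "custodian_b", hash_file(image),
                   datetime(2020, 5, 18, 10, 30, tzinfo=utc))
        intact_before, _ = log.verify()
        with open(image, "r+b") as f:  # simulate alteration while in storage
            f.seek(32)
            f.write(b"X")
        log.record("EV-001", "examination started", "examiner_c", hash_file(image),
                   datetime(2020, 5, 19, 9, 0, tzinfo=utc))
        intact_after, bad_index = log.verify()
        return intact_before, intact_after, bad_index


def log_tamper_demo() -> Tuple[bool, Optional[int]]:
    """Leave the evidence alone but rewrite a custodian name in an earlier entry."""
    when = datetime(2020, 5, 18, 9, 0, tzinfo=timezone.utc)
    digest = "ab" * 32  # placeholder evidence hash, constant across entries
    log = CustodyLog()
    for action, who in [("acquired", "examiner_a"), ("transferred", "custodian_b"),
                        ("examined", "examiner_c")]:
        log.record("EV-002", action, who, digest, when)
    log.entries[1]["custodian"] = "someone_else"
    return log.verify()


if __name__ == "__main__":
    print("evidence altered in storage:", evidence_tamper_demo())
    print("custody entry rewritten:", log_tamper_demo())
```

Re-hashing at every custody event, rather than only at acquisition, is what turns the hash into a control: the examination-time digest is compared with the acquisition digest, so an image altered in storage is flagged at the entry where it was next handled. The entry chain gives the same property to the log itself, which is the paper record a court or stakeholder will actually ask about.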

3.2.4 Examination and Analysis Section

The examination and analysis section follows the acquisition section and primarily focuses on examining the contents of the digital evidence collected by the forensic examiner. This phase includes evidence analysis, forensic toolset documentation, and e-discovery. Measurements of the examination and analysis section may assist in understanding the improvements that can be made in the technical analysis of the evidence, the selection of toolsets, and the necessary documentation.

3.2.5 Presentation Section

The presentation phase follows the examination and analysis phase and focuses on the examiner presenting judgments based on the findings from the investigation. This phase includes reporting and lessons learned. Measurements of the presentation section may assist in understanding the improvements that can be made in how judgments are displayed, categorized, and presented to the stakeholders of the investigation.

4. RECOMMENDATIONS

Based on the research presented, additional processes or activities still need to be added to the DFCMMI. Several emerging areas need to be studied and added to the model: forensic steps and best practices will need to be developed for cloud computing, IoT, drones, and emerging gaming systems. As technology continues to expand in features and logging, the opportunity for forensic metadata increases. As new legal requirements are developed or standards are created by regulatory bodies, additions may be made to improve the effectiveness of the DFCMMI in these areas.

5. CONCLUSION

In this paper, a CMMI based model is proposed for measuring the maturity of digital forensic team processes. The DFCMMI contained five sections with multiple subsections that allow for scoring by a management team, forensic expert or stakeholders in an organization. The expert participant’s results indicated that the DFCMMI model can be used effectively to evaluate the maturity of a digital forensic program. In understanding what steps can be taken to improve a program and taking actions to improve the forensics processes, investigations can result in better judgments, reporting, and applicability. The model should be used in teams to gauge where process, tools, or training can be used to improve the results of investigations.

REFERENCES

[1]    Adams, R. (2013). The emergence of cloud storage and the need for a new digital forensic process model. Murdoch University.

[2]    Agarwal, A., Gupta, M., Gupta, S., & Gupta, S. C. (2011). Systematic digital forensic investigation model. International Journal of Computer Science and Security (IJCSS), 5(1), 118-131. Retrieved from http://www.cscjournals.org/journals/IJCSS/description.php

[3]    Ajijola, A., Zavarsky, P., & Ruhl, R. (2014, December). A review and comparative evaluation of forensics guidelines of NIST SP 800-101 Rev. 1: 2014 and ISO/IEC 27037: 2012. In World Congress on Internet Security (WorldCIS-2014) (pp. 66-73). IEEE.

[4]    Al Hanaei, E. H., & Rashid, A. (2014). DF-C2M2: A capability maturity model for digital forensics organisations. In 2014 IEEE Security and Privacy Workshops (pp. 57-60). IEEE. doi: 10.1109/SPW.2014.17. Retrieved from https://pdfs.semanticscholar.org/6abd/64acfc0829db7edb9c81b0ebcc13efbf7e4d.pdf

[5]    Ayers, R., Brothers, S., & Jansen, W. (2014). Guidelines on mobile device forensics (NIST Special Publication 800-101 Rev. 1). NIST. http://dx.doi.org/10.6028/NIST.SP.800-101r1

[6]    Brunty, J. (2011). Validation of forensic tools and software: A quick guide for the digital forensic examiner. Forensic Magazine. Retrieved from http://www.forensicmag.com/article/2011/03/validation-forensic-tools-and-software-quick-guide-digital-forensic-examiner

[7]    Carrier, B., & Spafford, E. H. (2003). Getting physical with the digital investigation process. International Journal of Digital Evidence, 2(2), 1-20. Retrieved from http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.76.757&rep=rep1&type=pdf

[8]    Fenu, G., & Solinas, F. (2013, March). Computer forensics investigation: An approach to evidence in cyberspace. In The Second International Conference on Cyber Security, Cyber Warfare and Digital Forensic (CyberSec2013) (pp. 77-88).

[9]    Garfinkel, S. L. (2010). Digital forensics research: The next 10 years. Digital Investigation, 7, S64-S73. Retrieved from https://apps.dtic.mil/dtic/tr/fulltext/u2/a549288.pdf

[10]   Jafari, F., & Satti, R. S. (2015). Comparative analysis of digital forensic models. Journal of Advances in Computer Networks, 3(1), 82-86.

[11]   Karie, N., & Karume, S. M. (2017). Digital forensic readiness in organizations: Issues and challenges. The Journal of Digital Forensics, Security and Law, 12(4), 43-53. Retrieved from https://ezp.waldenulibrary.org/login?url=https://search-proquest-com.ezp.waldenulibrary.org/docview/2034195913?accountid=14872

[12]   Kerrigan, M. (2013). A capability maturity model for digital investigations. Digital Investigation, 10(1), 19-33. https://doi.org/10.1016/j.diin.2013.02.005

[13]   National Institute of Justice (2001). Electronic crime scene investigation: A guide for first responders.

[14]   NIST (2004). Guidelines on PDA forensics (NIST Special Publication 800-72). Retrieved from https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-72.pdf

[15]   Pilli, E., Joshi, R., & Niyogi, R. (2010). Network forensic frameworks: Survey and research challenges. Digital Investigation, 7(1-2), 14-27.

[16]   Pollitt, M. M. (2007, April). An ad hoc review of digital forensic models. In Second International Workshop on Systematic Approaches to Digital Forensic Engineering (SADFE'07) (pp. 43-54). IEEE. Retrieved from https://ieeexplore.ieee.org/abstract/document/4155349

[17]   Reith, M., Carr, C., & Gunsch, G. (2002). An examination of digital forensic models. International Journal of Digital Evidence, 1(3), 1-12. Retrieved from http://www.just.edu.jo/~Tawalbeh/nyit/incs712/digital_forensic.pdf

[18]   Ryan, D., & Shpantzer, G. (2011). Legal aspects of digital forensics. In Proceedings: Forensics Workshop. Retrieved from http://euro.ecom.cmu.edu/program/law/08-732/Evidence/RyanShpantzer.pdf

[19]   Sammons, J. (2012). The basics of digital forensics: The primer for getting started in digital forensics. Waltham, MA: Elsevier.

[20]   SWGDE (2010). Best practices for computer forensics (PDF). Archived from the original (PDF) on 27 December 2008.

[21]   Veber, J., & Smutny, Z. (2015, July). Standard ISO 27037: 2012 and collection of digital evidence: Experience in the Czech Republic. In European Conference on Cyber Warfare and Security (p. 294). Academic Conferences International Limited.

[22]   Yang, C. H., & Lai, Y. T. (2012). Design and implementation of forensic systems for Android devices based on cloud computing. Appl. Math., 6(1S), 243S-247S. Retrieved from http://www.naturalspublishing.com/files/published/3r315k3w2rxp64.pdf

Appendix A

Digital Forensics Capability Maturity Model (DFCMM)

Incomplete (level 0)

Performed (level 1)

Managed (level 2)

Defined (level 3)

Optimized (level 4)

Pre-Process

0 points

1 point

2 points

3 points

4 points

On-Site Triage Procedures

Little to no guidance is provided for decisions made at the crime scene.

Examiners are left to use their best judgement and the securing of evidence is often a failure or produces incomplete results.

Examiners perform the triage process inconsistently and to the best of their ability.

The crime scene is basically secured for the investigation to begin.

Warrants and authorization are seldom obtained prior to the triage procedures.

The triage process is clearly published and followed by the examiner to secure the scene.

Warrants and all authorization necessary is obtained prior to arrival on the scene.

The triage process is clearly published and followed by the examiner to secure the scene.

Risks and threats are identified prior to the investigation.

Warrants and all authorization necessary is obtained prior to arrival on the scene.

Clear onsite decision tree that is used as a guideline to allow for alignment with the organization’s standards.  The decision tree reduces workloads, leverages existing resources, offers live collections, and produces immediate results.

The triage process is clearly published and followed by the examiner.

Risks and threats are identified prior to the investigation.

Warrants and all authorization necessary is obtained prior to arrival on the scene.

Identification

Examiners have no guidance or experience involving what should be collected and preserved for the investigation.

Device collection is lacking and examiners are unsure if everything that could be in scope was found.

Technology devices in scope of the investigation are often overlooked by the examiner.

Devices may be overlooked if they are out of sight or hidden.

Examiners generally stop when they have collected laptops or personal computers.

Examiners are trained and have clear procedures for identifying technology that could provide evidence

Examiners collect all devices that have been defined in the procedures.

Examiners are trained and have clear procedures for identifying technology that could provide evidence

Examiners collect all devices that have been defined in the procedures.

Devices that could contain digital evidence are sought out by the examiner.

Examiners are trained and have clear procedures for identifying technology that could provide evidence

A systematic search is conducted at the crime scene to identify all possible devices that could seem irrelevant at first sight.

Responders consider the possibility of hidden devices and conduct thorough searches.

Documenting the scene

0 points: Little to no documentation is captured from the scene. Examiners are not knowledgeable about what may be helpful in the investigation when questions arise later.

1 point: Documentation is created in an ad hoc fashion. The quality of the documentation depends on the knowledge of the examiner.

2 points: Procedures exist for the documentation of the scene. Examiners properly document the scene according to approved procedures.

3 points: Evidence is accurately defined and accounted for. Paper materials such as invoices and packaging are collected. Peripherals, connectors, removable media, mobile devices and screens are photographed and the photographs are saved with the case.

4 points: Evidence is accurately defined and accounted for. Paper materials such as invoices and packaging are collected. The scene is photographed to record the state of the computers and digital devices, which will be helpful later in the investigation. Peripherals, connectors, removable media, mobile devices and screens are photographed and the photographs are saved with the case.

Physical device preservation

0 points: Physical devices are not collected, or are collected haphazardly without a clear understanding of what is in scope of the investigation. Photography is not used and no supplemental documentation is created about the devices in scope.

1 point: Physical devices are collected according to the understanding of each examiner. Photography is sometimes used to supplement documentation.

2 points: Procedures exist for properly preserving all devices that may contain digital evidence. Photography is used to supplement the documentation of the devices in scope of the investigation.

3 points: Once a device is seized, it is placed in the appropriate container and labeled according to the organization's standards. Significant photography is used to supplement the case. Chain of custody is followed: the container is immediately transported to and checked into the forensic laboratory's holding inventory.

4 points: Once a device is seized, it is placed in the appropriate container and labeled according to the organization's standards. Significant photography is used to supplement the case. Chain of custody is followed: the container is immediately transported to and checked into the forensic laboratory's holding inventory. Battery-powered devices that must remain powered are identified and kept on power.

Evidence Isolation

0 points: Devices are not protected from external influence such as wireless or cellular control signals. A remote lock or remote wipe could alter or destroy evidence on the device.

1 point: The examiner may take steps to isolate the device, based on the experience of the examiner.

2 points: Processes exist for the isolation of typical devices that can be involved in an investigation. Examiners are trained on basic procedures and take steps to preserve the state of the device.

3 points: Clear processes exist for the isolation of devices in scope. Examiners continue to provide feedback to the team on new devices encountered and how they might collect from them. Examiners are trained on basic procedures and take steps to preserve the state of the device. Devices are isolated from other devices used for data synchronization, such as a cradle, USB cable or personal computer.

4 points: Examiners continue to provide feedback to the team on new devices encountered and how they might collect from them. The device is isolated from all radio networks (Wi-Fi, cellular and Bluetooth) so that newly arriving data does not overwrite potential evidence. Devices are placed in airplane mode or in a Faraday container.

Acquisition and Preservation

Scoring scale: 0 points, 1 point, 2 points, 3 points, 4 points.

Acquisition through drive imaging

0 points: Imaging may not be considered. Examiners collect physical devices with the intent to perform the analysis on the device itself.

1 point: There is no clear standard on how imaging will take place. Imaging is conducted at the judgement of the examiner. Logical imaging is often used. Images at this level can be corrupted or tampered with during the process of acquisition.

2 points: Imaging is executed consistently and reliably according to published procedures. Logical imaging, disk cloning and full physical disk imaging are conducted where applicable. Images are retained in a technology repository for retrieval by analysts.

3 points: Imaging is executed consistently and reliably according to published procedures. Logical imaging, disk cloning and full physical disk imaging are conducted where applicable. Portable imaging technology with sizable storage capacity is provided to the examiners to conduct the imaging activities.

4 points: Imaging is executed consistently and reliably according to published procedures. All seized devices are identified by make and model and the proper toolsets are selected to best match the devices being imaged. Portable imaging technology with sizable storage capacity is provided to the examiners to conduct the imaging activities. Care is taken to avoid altering the state of a device, and examiners confirm that the contents of the device were properly captured.
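The confirmation step in the 4-point cell (checking that the contents of a device were properly captured) is the part most often done by hand and skipped under time pressure. The Python script below is an added example written for this edit, not code from the dissertation: it streams a source device into an image file, hashes the bytes as they pass, and then re-hashes source and image independently so that three digests must agree before the image is accepted. The device path and image name are assumptions, the script uses a regular file of random bytes as a stand-in for a block device, and opening the source read-only only guards against accidents; a hardware write blocker remains the control that actually protects the original.

```python
import hashlib
import os
import tempfile

CHUNK = 1 << 20  # 1 MiB reads keep memory flat on multi-terabyte sources


def image_device(source_path, image_path, algo="sha256"):
    """Stream source_path into image_path bit for bit, hashing the bytes as
    they pass so the source is read only once.  Returns the acquisition
    record: algorithm, digest of everything read, and byte count."""
    h = hashlib.new(algo)
    total = 0
    # O_RDONLY so the evidence is never opened for writing.  This only guards
    # against accidents; a hardware write blocker is the control that counts.
    fd = os.open(source_path, os.O_RDONLY)
    try:
        with open(image_path, "wb") as out:
            while True:
                chunk = os.read(fd, CHUNK)
                if not chunk:
                    break
                h.update(chunk)
                out.write(chunk)
                total += len(chunk)
    finally:
        os.close(fd)
    return {"algo": algo, "digest": h.hexdigest(), "bytes": total}


def hash_file(path, algo="sha256"):
    """Independent second pass over a file, used for verification."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_image(source_path, image_path, acquisition):
    """True only when a fresh hash of the source, a fresh hash of the image
    and the digest computed during acquisition all agree.  A mismatch on the
    second source pass means the source changed (or the drive is failing);
    a mismatch on the image means the write, not the read, went wrong."""
    src = hash_file(source_path, acquisition["algo"])
    img = hash_file(image_path, acquisition["algo"])
    return src == img == acquisition["digest"]


def demo():
    """Constructed sample: a few MiB of random bytes in a regular file stand
    in for the block device (an assumed /dev/sdb in a real acquisition)."""
    work = tempfile.mkdtemp()
    source = os.path.join(work, "sdb")
    image = os.path.join(work, "sdb.dd")
    with open(source, "wb") as f:
        f.write(os.urandom(3 * CHUNK + 12345))  # deliberately not chunk-aligned
    acq = image_device(source, image)
    verified = verify_image(source, image, acq)
    # Flip one byte in the image copy: verification must now fail.
    with open(image, "r+b") as f:
        f.seek(CHUNK + 7)
        b = f.read(1)
        f.seek(CHUNK + 7)
        f.write(bytes([b[0] ^ 0xFF]))
    tampered_ok = verify_image(source, image, acq)
    return acq, verified, tampered_ok


if __name__ == "__main__":
    record, ok, ok_after_flip = demo()
    print(record, "verified:", ok, "after flip:", ok_after_flip)
```

The acquisition record (algorithm, digest, byte count) is what goes on the chain-of-custody form; the second source pass doubles the read time on large drives, which is why many procedures hash the source only during acquisition and hash the image afterwards, accepting the weaker check.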

Volatile Memory Acquisition

0 points: Memory is not considered as a source to be captured from technology devices. Examiners are not equipped to perform memory acquisition.

1 point: Memory acquisition is conducted on an ad hoc basis and only by certain examiners who understand the procedure. Tools are not standardized for volatile memory acquisition; tools are chosen by the examiner. Volatile memory is not given acquisition priority at this level.

2 points: Clear procedures exist for the capture of volatile memory from devices. Investigators have standardized on a toolset and are fully trained. Examiners collect volatile memory from common devices such as laptops or desktops.

3 points: Clear procedures exist for the capture of volatile memory from devices. Investigators have standardized on a toolset and are fully trained. Examiners are trained to collect volatile memory from multiple device types such as phones, personal computers, gaming systems and wearables.

4 points: Clear procedures exist for the capture of volatile memory from devices in scope. Investigators have standardized on a toolset and are fully trained. Examiners are trained to collect volatile memory from multiple device types such as phones, personal computers, gaming systems and wearables. Memory captured in this phase is protected by the same procedures that protect drive images.

Network event collection

0 points: Log events are not sought out or collected as evidence. Examiners are not trained in collecting evidence from security or network teams.

1 point: Network log events are not consistently collected. When network logs are collected, the result depends on the knowledge level of the investigator and is not consistent.

2 points: Investigators are trained in the collection and use of network logs for the investigation. Network log events are collected from systems where applicable to the investigation.

3 points: Written procedures exist for the collection of network events. Investigators are trained in the collection and use of network logs for an investigation. Log events are collected from network systems where applicable to the investigation. Logs are collected in a consistent manner and are correlated with endpoint events in the incident timeline.

4 points: Written procedures exist for the collection of network events. Examiners seek out logging data from security sources such as firewalls, content filters, CASB, intrusion detection and security information and event management (SIEM) systems. Relevant logs are exported and added to the investigation repository. Network event logs are correlated with endpoint events in the incident timeline. Security and network SMEs are consulted for a full understanding of the events collected.

IoT Devices

0 points: IoT devices are not considered as sources of evidence for the investigation.

1 point: IoT devices are not consistently considered as evidence. When artifacts from local IoT devices are collected, it is at the individual understanding of the investigator.

2 points: Investigators are trained to look for artifacts in IoT devices. Artifacts are collected from local IoT devices according to written procedures.

3 points: Investigators are trained to look for artifacts in IoT devices. Artifacts are collected from local IoT devices according to written procedures. IoT devices are placed into a state that protects their data from being tampered with.

4 points: Investigators are trained to look for artifacts in IoT devices. Artifacts are collected from local IoT devices and from network and cloud sources according to written procedures. IoT devices are placed into a state that protects their data from being tampered with.

Hashing of evidence

0 points: Hashing of evidence is not considered necessary for the investigation.

1 point: Investigators hash specific files to assist in the investigation and for chain of custody purposes. Hashing is used in accordance with the knowledge level of the investigator.

2 points: Formal, written procedures exist that outline how evidence will be hashed for chain of custody. Investigators hash specific files to assist in the investigation and to follow chain of custody.

3 points: Formal, written procedures exist that outline how evidence will be hashed. Investigators hash specific files to assist in the investigation and to follow a proper chain of custody. Investigators use hashing to identify known files used in other criminal investigations.

4 points: Formal, written procedures exist that outline how evidence will be hashed. Investigators hash specific files to assist in the investigation and to follow a proper chain of custody. Hashing is used in accordance with the knowledge level of the investigator. Investigators use known-good hash sets to significantly reduce the number of files that must be reviewed.
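The 3- and 4-point cells describe the two uses of hashing beyond chain of custody: matching files against sets of hashes seen in other cases, and discarding files whose hashes are known good so that review effort goes to what is left. The Python below is an added example for this edit, not the dissertation's own tooling: it walks a tree (in practice an image mounted read-only), builds a sorted hash manifest, and buckets each file as known bad, known good or needing review. The file contents and both reference hash sets are constructed stand-ins; in practice the known-good set comes from a reference data set such as the NIST NSRL RDS (which publishes MD5 and SHA-1, so a real deployment would compute those alongside SHA-256) and the known-bad set from indicator feeds or prior cases.

```python
import hashlib
import tempfile
from pathlib import Path

CHUNK = 1 << 20


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def hash_tree(root):
    """Walk a tree (an image mounted read-only, in practice) and return
    (relative path, size, sha256) rows in sorted order, so two examiners
    running it on the same image get identical manifests."""
    root = Path(root)
    rows = []
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            rows.append((p.relative_to(root).as_posix(), p.stat().st_size, sha256_of(p)))
    return rows


def triage(manifest, known_good, known_bad=frozenset()):
    """Bucket manifest rows by hash-set membership.  known_bad is tested
    first so a digest present on both lists is still raised as an alert."""
    buckets = {"alert": [], "known_good": [], "review": []}
    for row in manifest:
        digest = row[2]
        if digest in known_bad:
            buckets["alert"].append(row)
        elif digest in known_good:
            buckets["known_good"].append(row)
        else:
            buckets["review"].append(row)
    return buckets


# Constructed stand-in for a mounted file system; the bytes are not real binaries.
SAMPLE_FILES = {
    "Windows/System32/kernel32.dll": b"stand-in for an OS binary",
    "Windows/System32/ntdll.dll": b"stand-in for another OS binary",
    "Users/jdoe/Documents/plan.docx": b"user-authored content worth reading",
    "Users/jdoe/AppData/Local/Temp/x.exe": b"stand-in for a dropper",
}


def demo():
    root = Path(tempfile.mkdtemp())
    for rel, data in SAMPLE_FILES.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(data)
    # Constructed reference sets.  In practice known_good is loaded from a
    # reference data set such as the NIST NSRL RDS and known_bad from IOC feeds.
    known_good = {hashlib.sha256(SAMPLE_FILES[k]).hexdigest()
                  for k in ("Windows/System32/kernel32.dll", "Windows/System32/ntdll.dll")}
    known_bad = {hashlib.sha256(SAMPLE_FILES["Users/jdoe/AppData/Local/Temp/x.exe"]).hexdigest()}
    manifest = hash_tree(root)
    return manifest, triage(manifest, known_good, known_bad)


if __name__ == "__main__":
    manifest, buckets = demo()
    for name, rows in buckets.items():
        print(name, [r[0] for r in rows])
```

The manifest itself is worth retaining with the case: it is the per-file counterpart of the image digest on the custody form, and a second examiner can regenerate it to confirm nothing in the working copy changed during analysis.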

Mobile forensics collection

0 points: Mobile devices are not considered as data sources during the investigation. Investigators are not trained in mobile evidence extraction.

1 point: Mobile devices are occasionally selected as sources for evidence. Mobile device forensics is successful only depending upon the knowledge level of the investigator. Logical extractions are conducted with the device cabled to a PC that sends commands to the device.

2 points: Formal written procedures exist for the collection and analysis of mobile device artifacts. Investigators are formally trained in the analysis of mobile devices. Investigators have the ability to collect call logs, text messages, contact lists and media from an unlocked phone.

3 points: Formal written procedures exist for the collection and analysis of mobile device artifacts. Investigators are formally trained in the analysis of mobile devices. Investigators have the ability to collect call logs, text messages, contact lists and media from an unlocked or locked phone. Manual extraction techniques are considered.

4 points: Formal written procedures exist for the collection and analysis of mobile device artifacts. Investigators are formally trained in the analysis of mobile devices. Investigators have the ability to collect call logs, text messages, contact lists and media from an unlocked or locked phone. Investigators have the ability to extract data at every level, from manual review of the screen down to micro read (chip-level examination under a microscope).

Backups of evidence

0 points: Backups are not considered a necessary step in the investigation; the original media is used.

1 point: Making a backup of the evidence is not consistent among investigations. Backups are made at the discretion of the investigator. Backups of evidence are not consistently available when needed.

2 points: Formal procedures exist for the backup of physical evidence. Investigators consistently create a backup in order to preserve the original evidence. Forensic analysis is always conducted against backups instead of the original.

3 points: Formal procedures exist for the backup of physical evidence. Multiple backups exist of each device in scope of the investigation. Forensic analysis is always conducted against backups instead of the original.

4 points: A forensic suite is used to keep archives from all of the examiners on the team in a single location. Multiple backups exist of each imaged device. Analysis data is backed up during the investigation process. Backups are placed in multiple locations to anticipate disaster recovery scenarios.

Examination and Analysis

Scoring scale: 0 points, 1 point, 2 points, 3 points, 4 points.

Evidence Analysis

0 points: Examiners are not formally trained in forensic analysis. No investigation scope is defined, and investigations generally do not produce findings.

1 point: Analysis is conducted in an ad hoc manner with little direction or authority. The success of the analysis depends on the knowledge level of the examiner. The success rate of analysis at this level is not consistent. Examiners are focused on Windows forensics.

2 points: Written procedures exist for the forensic analysis of collected evidence. Examiners are formally trained in forensic analysis and toolsets. Examiners are generally successful in producing findings from analysis. Examiners are focused on Windows, Unix and Apple forensics.

3 points: A clear phased workflow is published and followed to ensure a quality forensic analysis of the evidence. Additional advanced training is provided to examiners to allow for decryption of files and password cracking. Examiners are highly successful in producing findings for the investigation.

4 points: A defined workflow is published and followed to ensure a quality analysis of the evidence. Advanced training is provided to examiners to allow for decryption of files and password cracking. Examiners are highly successful in producing findings for the investigation. Examiners are formally trained to look for evidence of tampering by the suspect and to discover hidden files or directories. A timeline analysis based on file system metadata is produced to supplement the investigation.
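Two rows in this model call for the same artefact: the network event collection row (3 and 4 points) requires network logs to be correlated with endpoint events in the incident timeline, and the 4-point cell above requires a timeline built from file system metadata. The script below is an added example for this edit, not code from the dissertation, that builds one UTC-ordered timeline from both kinds of source: bodyfile-style M/A/C rows read from file system metadata, a BSD-syslog firewall line, and an ISO-timestamped proxy event. The log lines and the file tree are constructed; the log year and the sensor's time zone for the syslog line are assumptions, because that timestamp format carries neither, and getting those two values wrong is the usual way a timeline ends up with the network event on the wrong side of the file write.

```python
import os
import re
import tempfile
from datetime import datetime, timedelta, timezone
from pathlib import Path

# BSD syslog timestamps carry neither year nor zone; both are assumptions
# recorded at collection time (here: 2024, sensor clock on UTC-5).
LOG_YEAR = 2024
LOG_TZ = timezone(timedelta(hours=-5))

MONTHS = {m: i for i, m in enumerate("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), 1)}
SYSLOG_RE = re.compile(r"^([A-Z][a-z]{2}) +(\d{1,2}) (\d\d):(\d\d):(\d\d) (\S+) (.*)$")


def parse_syslog(line, year=LOG_YEAR, tz=LOG_TZ):
    """'Mar 14 04:15:02 fw01 kernel: ...' -> (utc datetime, host, message)."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    mon, day, hh, mm, ss, host, msg = m.groups()
    local = datetime(year, MONTHS[mon], int(day), int(hh), int(mm), int(ss), tzinfo=tz)
    return (local.astimezone(timezone.utc), host, msg)


def parse_iso(line):
    """'2024-03-14T09:16:40Z proxy01 ...' -> (utc datetime, host, message)."""
    ts, host, msg = line.split(" ", 2)
    when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    return (when.astimezone(timezone.utc), host, msg)


def fs_events(root):
    """Bodyfile-style rows from file system metadata, one row per timestamp.
    On Linux st_ctime is the inode change time; on Windows it is the creation
    time, so label it accordingly when working on an NTFS image."""
    rows = []
    root = Path(root)
    for p in sorted(root.rglob("*")):
        if not p.is_file():
            continue
        st = p.stat()
        rel = p.relative_to(root).as_posix()
        for label, epoch in (("M modified", st.st_mtime), ("A accessed", st.st_atime),
                             ("C inode changed", st.st_ctime)):
            rows.append((datetime.fromtimestamp(epoch, timezone.utc), "fs:" + rel, label))
    return rows


def build_timeline(syslog_lines, iso_lines, fs_root):
    """Merge every source into one list ordered by UTC time.  The sort is
    stable, so rows that share a second keep their source order."""
    rows = [r for r in (parse_syslog(line) for line in syslog_lines) if r]
    rows += [parse_iso(line) for line in iso_lines]
    rows += fs_events(fs_root)
    rows.sort(key=lambda r: r[0])
    return rows


# Constructed sample input: one firewall line, one proxy line.
FIREWALL = ["Mar 14 04:15:02 fw01 kernel: ACCEPT IN=lan OUT=wan SRC=10.0.0.5 DST=203.0.113.7 PROTO=TCP DPT=443"]
PROXY = ["2024-03-14T09:16:40Z proxy01 user=jdoe method=PUT dst=files.example.net bytes_out=5242880"]


def demo():
    root = Path(tempfile.mkdtemp())
    f = root / "Users" / "jdoe" / "Documents" / "export.zip"
    f.parent.mkdir(parents=True)
    f.write_bytes(b"constructed archive bytes")
    # Pin M and A to 2024-03-14T09:16:10Z; ctime cannot be set and will be 'now'.
    t = datetime(2024, 3, 14, 9, 16, 10, tzinfo=timezone.utc).timestamp()
    os.utime(f, (t, t))
    return build_timeline(FIREWALL, PROXY, root)


if __name__ == "__main__":
    for when, source, event in demo():
        print(when.isoformat(), source, event)
```

With the assumed UTC-5 sensor zone the firewall line lands at 09:15:02Z, before the archive's modification time, and the proxy upload follows it; with the zone left unset the same line would read as 04:15:02Z and the story changes. At scale this normalisation is what super-timeline tools such as log2timeline/plaso do, but the point of the model's 4-point cell is that the examiner controls the inputs (year, zone, which timestamps a file system actually has) rather than trusting whatever the tool defaults to.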

Forensic Tool Sets

0 points: Analysis at this level is a manual process of observation. Examiners do not use forensic toolsets.

1 point: Examiners perform forensics with the toolsets of their personal preference. Tools used at this level are not necessarily optimized for the analysis being conducted. Free or open source tools are used.

2 points: Approved tools are provided to the examiners and examiners are trained on the tools. Tools are purchased and obtained to align with the investigations being conducted. Free, open source and commercial tools are utilized.

3 points: Approved tools are provided to the examiners and examiners are trained on the tools. Tools are purchased and obtained to align with the investigations being conducted. A mix of open source and enterprise tools is made available to the investigations.

4 points: Approved tools are provided to the examiners and examiners are trained on the tools. Tools are purchased and obtained to align with the investigations being conducted. Custom tools are continuously developed by examiners for investigations. A mix of open source and enterprise tools is made available to the investigations.

Documentation

0 points: No documentation is created when conducting an investigation.

1 point: Paper notes are recorded by the examiner conducting the investigation. No formal process exists for documentation; it is at the discretion of each examiner.

2 points: A formal policy is followed for creating good documentation about the investigation. Notes are recorded and ultimately digitized. Examiners create adequate documentation.

3 points: Full documentation is completed by following the team's standard operating procedures. Notes are recorded and ultimately digitized. All digital documentation is retained within the case repository.

4 points: Full documentation is completed by following the team's standard operating procedures. Digital forms are used for the documentation to ensure version history, authorship and disaster recovery. All digital documentation is retained with the case file and the digital evidence.

e-Discovery

0 points: Examiners do not conduct e-discovery as part of investigations. e-Discovery is not conducted at this level.

1 point: e-Discovery may be conducted by an examiner, but the outcome is not always successful in revealing evidence.

2 points: e-Discovery is conducted according to written policies. Examiners are successful in obtaining documentation and correspondence when e-discovery is necessary.

3 points: e-Discovery is conducted according to written policies. Litigation holds are placed on custodians and people of interest. Examiners are successful in obtaining documentation and correspondence when e-discovery is necessary.

4 points: An enterprise e-discovery platform is made available for examiners. e-Discovery is conducted according to written policies. Litigation holds are placed on custodians and people of interest. Examiners are successful in obtaining documentation and correspondence when e-discovery is necessary.

Presentation

Scoring scale: 0 points, 1 point, 2 points, 3 points, 4 points.

Reporting

0 points: No formal reporting is conducted by the examiner following the conclusion of the investigation.

1 point: Reporting is occasionally conducted and presented to those in charge of the investigation. Reporting is lacking and often incomplete.

2 points: Custom templates exist for examiners to use to create a consistent product. Reporting is complete and polished.

3 points: Reporting standards are published and followed by examiners. Custom templates have been created for examiners to use. Supporting materials such as copies of digital evidence, chain of custody records, examiner field notes and other physical evidence are submitted.

4 points: Reporting standards and templates are published and followed by examiners. The report is crafted with the audience in mind: technical noise and jargon are removed and layman's terminology is used. Supporting materials such as copies of digital evidence, chain of custody records, examiner field notes and other physical evidence are submitted. The report consists of a clear, detailed summary of the steps of the investigation, the tools utilized and any conclusions reached.

Lessons Learned

0 points: Lessons learned are not conducted by investigators at this level.

1 point: Lessons learned are conducted infrequently and only at the request of the examiner.

2 points: Formal procedures are written for lessons learned activities. Lessons learned activities are conducted after every investigation.

3 points: Formal procedures are written for lessons learned activities. Investigators formally meet to review the investigation phases and results and to identify areas for improvement. Lessons learned are routinely used to improve the formal investigation process for all examiners.

4 points: Formal procedures are written for lessons learned activities. Investigators formally meet to review the investigation phases and results and to identify areas for improvement. Lessons learned are routinely used to improve the formal investigation process for all examiners. Managers and stakeholders attend lessons learned meetings.

Misc. Management

Scoring scale: 0 points, 1 point, 2 points, 3 points, 4 points.

Policies and Procedures

0 points: No written policies exist for authorizing, initiating, executing, completing or reporting a digital forensic investigation.

1 point: Examiners have created procedures for certain aspects of the investigation. These procedures may be shared with team members when necessary. A high-level policy is written that outlines the forensics program.

2 points: Policies and standards are written to define the forensics authority and how the investigation will be executed. Examiners are instructed on the standards and policies to be followed.

3 points: Policies, standards and procedures are clearly written and followed by the forensic team. The leadership of the organization supports the documentation.

4 points: All policies, standards and procedures are clearly written and reviewed on an annual basis. Changes and improvements are sought out and incorporated into the policies. All policies and procedures are authorized and supported by the leadership of the organization.

Repeatability

0 points: Tools are not tested by examiners to ensure they continue to provide correct results.

1 point: Processes are tested upon initial implementation and on an ad hoc basis going forward.

2 points: Internal testing is conducted by the agency management. Open testing is conducted, where examiners are aware of and involved in testing the process.

3 points: Blind testing is conducted, where examiners are not aware that the testing is happening. Open testing is conducted, where examiners are aware of and involved in testing the process. Internal testing is conducted by the agency management.

4 points: All processes are tested for repeatability: a separate examiner can repeat the process and obtain the same results. All examiners are trained using the same procedures. External testing is conducted by an independent agency.

Formal Training

0 points: No training is available to the staff performing the investigations. Success of the investigation is based on the individual knowledge of the examiner conducting the investigation.

1 point: Formal training is infrequently offered. Team members are sent to vendor training on the toolsets being utilized.

2 points: Senior members of the team train junior members on the existing processes. Team members are sent to forensic training from a body such as SANS or ISACA.

3 points: A mentor program has senior members training junior members. Examiners obtain certifications in their toolsets. Forensic teams obtain formal and internal training throughout the year.

4 points: Forensics conferences are attended by team members. Vendors are solicited to keep the team current on new feature sets. Senior team members are assigned junior members of the team to mentor. Examiners obtain certifications in their toolsets.

Investigation Roles and Responsibilities

0 points: No formal roles are assigned to an investigation. Resources are obtained when needed and roles are assigned in an ad hoc fashion.

1 point: At the time of the investigation, roles are assigned based on the availability of personnel.

2 points: Individuals are assigned roles by management according to their skillset and the actions needed.

3 points: All individuals involved are assigned predefined roles according to their skillset and the actions needed. Investigations will have people assigned to the roles of: a) case leader, b) business owner, c) legal advisor, d) InfoSec resource, e) digital forensic specialist, f) forensic systems administrator, g) digital forensic analyst, h) legal prosecutor.

4 points: Investigations will have people assigned to the roles of: a) case leader, b) business owner, c) legal advisor, d) InfoSec resource, e) digital forensic specialist, f) forensic systems administrator, g) digital forensic analyst, h) legal prosecutor. Responsibilities are periodically re-evaluated to confirm they have been properly assigned.

Search Authority

0 points: Approval is not explicitly granted, and data could be suppressed by a biased party.

1 point: Search approval is often obtained from the proper authorities, but not consistently.

2 points: Written procedures exist for those involved in the process to obtain the proper authority to conduct the investigation. Approvals reasonably identify the items to be searched for and the place where investigators are authorized to search for those items.

3 points: Written procedures exist for forensic teams to obtain the proper authority to conduct the investigation. Approvals reasonably identify the items to be searched for and the place where investigators are authorized to search for those items.

4 points: Written procedures exist for forensic teams to obtain the proper authority to conduct the investigation. Approval for searches is assigned, with formal processes for search warrants, subpoenas and consent to search. Stakeholders and management teams are notified during each phase of the approval process. Steps are taken to ensure the process is reasonable and lawful.

Chain of custody

0 points: No chain of custody is followed during an investigation.

1 point: Chain of custody at this level is problematic: detailed records are not consistently kept. Chain of custody is only maintained for certain cases and at the discretion of the investigator.

2 points: Formal chain of custody procedures are clearly written and followed by investigators.

3 points: Formal chain of custody procedures are clearly written and followed by investigators. The chain of custody is entered digitally into an enterprise forensic platform.

4 points: A well-documented chain of custody procedure accounts for each evidence item from collection to presentation. The chain is clearly documented, electronically archived in an enterprise forensic platform, and cannot be altered.
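The 4-point cell asks for a digital chain-of-custody record that cannot be altered. One way to make such a record tamper-evident is to hash-chain its entries the way an append-only ledger does: each entry carries the digest of the one before it, so any edit to an earlier hand-off breaks every link after it. The Python below is an added example for this edit, not a description of any particular enterprise forensic platform; the item identifier, custodian names and image digest are constructed. A hash chain detects alteration but does not by itself prevent it: whoever can rewrite every later entry can re-chain the log, so the current head hash should also be anchored somewhere the examiner cannot change, such as a signed, time-stamped record or WORM storage.

```python
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # prev_hash of the first entry


def entry_digest(body):
    """Digest of an entry's fields in canonical JSON, so the same fields
    always hash the same way regardless of dict ordering."""
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()


class CustodyLog:
    """Append-only custody record.  Each entry includes the hash of the
    previous entry, so editing, inserting or deleting any earlier entry
    breaks every link after it."""

    def __init__(self):
        self.entries = []

    def record(self, item_id, action, custodian, evidence_hash, when=None, note=""):
        prev = self.entries[-1]["entry_hash"] if self.entries else GENESIS
        body = {
            "seq": len(self.entries),
            "item_id": item_id,
            "action": action,                # seized, checked_in, checked_out, imaged, returned ...
            "custodian": custodian,
            "evidence_hash": evidence_hash,  # digest of the item's image at this hand-off
            "time_utc": (when or datetime.now(timezone.utc)).isoformat(),
            "note": note,
            "prev_hash": prev,
        }
        body["entry_hash"] = entry_digest(body)
        self.entries.append(body)
        return body["entry_hash"]

    def verify(self):
        """Recompute every digest and link.  Returns (True, None) or
        (False, seq of the first entry that fails)."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            body = {k: v for k, v in e.items() if k != "entry_hash"}
            if e["seq"] != i or body["prev_hash"] != prev or entry_digest(body) != e["entry_hash"]:
                return False, i
            prev = e["entry_hash"]
        return True, None

    def evidence_hash_drift(self):
        """Items whose recorded image digest changed between hand-offs: the
        custody record is intact but the evidence itself was not preserved."""
        seen, drift = {}, set()
        for e in self.entries:
            first = seen.setdefault(e["item_id"], e["evidence_hash"])
            if e["evidence_hash"] != first:
                drift.add(e["item_id"])
        return drift


def demo():
    log = CustodyLog()
    t0 = datetime(2024, 3, 14, 13, 5, tzinfo=timezone.utc)
    image_digest = "ab" * 32  # constructed stand-in for the drive image's sha256
    log.record("EV-2024-0017", "seized", "examiner.a", image_digest, t0, "laptop, office 4B")
    log.record("EV-2024-0017", "checked_in", "lab.intake", image_digest, t0.replace(hour=15))
    log.record("EV-2024-0017", "checked_out", "examiner.b", image_digest, t0.replace(day=15))
    intact, _ = log.verify()
    drift_before = log.evidence_hash_drift()
    # Simulated after-the-fact edit: someone rewrites who received the item.
    log.entries[1]["custodian"] = "someone.else"
    still_intact, first_bad = log.verify()
    return intact, drift_before, still_intact, first_bad


if __name__ == "__main__":
    print(demo())  # (True, set(), False, 1)
```

Recording the image digest on every hand-off, not only at seizure, is what lets the log answer the question a court will actually ask: not just who held the item, but whether the item each person handed on was the same one they received.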
