Does an organization have an understanding of the maturity level of their internal digital forensics teams? Do they understand what the next steps would be to improve the maturity level of the team?

This research produced the Digital Forensic Capability Maturity Model Integration (DFCMMI), based on the Capability Maturity Model Integration (CMMI) framework developed by Carnegie Mellon University.

This model can be used by management teams to measure their digital forensic team’s capabilities.








Digital Forensics Capability Maturity Model (DFCMM)

Each row below is scored at one of five maturity levels: Incomplete (level 0, 0 points), Performed (level 1, 1 point), Managed (level 2, 2 points), Defined (level 3, 3 points) or Managed / Optimized (level 4, 4 points).

Phase: Pre-Process
On-Site Triage Procedures
  Level 0, Incomplete (0 points): Little to no guidance is provided for decisions made at the crime scene. Examiners are left to use their best judgement, and the securing of evidence often fails or produces incomplete results.
  Level 1, Performed (1 point): Examiners perform the triage process inconsistently and to the best of their ability. The crime scene is basically secured for the investigation to begin. Warrants and authorization are seldom obtained prior to the triage procedures.
  Level 2, Managed (2 points): The triage process is clearly published and followed by the examiner to secure the scene. Warrants and all necessary authorization are obtained prior to arrival on the scene.
  Level 3, Defined (3 points): The triage process is clearly published and followed by the examiner to secure the scene. Risks and threats are identified prior to the investigation. Warrants and all necessary authorization are obtained prior to arrival on the scene.
  Level 4, Managed / Optimized (4 points): A clear on-site decision tree is used as a guideline to allow for alignment with the organization's standards; the decision tree reduces workloads, leverages existing resources, offers live collections, and produces immediate results. The triage process is clearly published and followed by the examiner. Risks and threats are identified prior to the investigation. Warrants and all necessary authorization are obtained prior to arrival on the scene.

Identification
  Level 0, Incomplete (0 points): Examiners have no guidance or experience involving what should be collected and preserved for the investigation. Device collection is lacking, and examiners are unsure whether everything that could be in scope was found.
  Level 1, Performed (1 point): Technology devices in scope of the investigation are often overlooked by the examiner. Devices may be overlooked if they are out of sight or hidden. Examiners generally stop when they have collected laptops or personal computers.
  Level 2, Managed (2 points): Examiners are trained and have clear procedures for identifying technology that could provide evidence. Examiners collect all devices that have been defined in the procedures.
  Level 3, Defined (3 points): Examiners are trained and have clear procedures for identifying technology that could provide evidence. Examiners collect all devices that have been defined in the procedures. Devices that could contain digital evidence are sought out by the examiner.
  Level 4, Managed / Optimized (4 points): Examiners are trained and have clear procedures for identifying technology that could provide evidence. A systematic search is conducted at the crime scene to identify all possible devices, including those that could seem irrelevant at first sight. Responders consider the possibility of hidden devices and conduct thorough searches.

Documenting the scene
  Level 0, Incomplete (0 points): Little to no documentation is captured from the scene. Examiners are not knowledgeable about what may be helpful in the investigation when questions arise later.
  Level 1, Performed (1 point): Documentation is created in an ad hoc fashion. The quality of the documentation is based on the knowledge of the examiner.
  Level 2, Managed (2 points): Procedures exist for the documentation of the crime scene. Examiners properly document the scene of the crime according to approved procedures.
  Level 3, Defined (3 points): Evidence is accurately defined and accounted for. Paper materials such as invoices and packaging are collected. Peripherals, connectors, removable media, mobile devices and screens are photographed and saved with the case.
  Level 4, Managed / Optimized (4 points): Evidence is accurately defined and accounted for. Paper materials such as invoices and packaging are collected. The scene is photographed to record the state of the computer or digital devices, which is helpful later in the investigation. Peripherals, connectors, removable media, mobile devices and screens are photographed and saved with the case.

Physical device preservation
  Level 0, Incomplete (0 points): Physical devices are not collected, or are collected haphazardly without a clear understanding of what is in scope of the investigation. Photography is not utilized and no supplemental documentation is created about the devices in scope.
  Level 1, Performed (1 point): Physical devices are collected according to the understanding of each examiner. Photography is sometimes used to supplement documentation.
  Level 2, Managed (2 points): Procedures exist for properly preserving all devices that may contain digital evidence. Photography is used to supplement the documentation of the devices in scope of the investigation.
  Level 3, Defined (3 points): Once a device is seized, it is placed in the appropriate container and labeled according to the organization's standards. Significant photography is used to supplement the case. Chain of custody is followed. The container is immediately transported and checked into the forensic laboratory holding/inventory.
  Level 4, Managed / Optimized (4 points): Once a device is seized, it is placed in the appropriate container and labeled according to the organization's standards. Significant photography is used to supplement the case. Chain of custody is followed. The container is immediately transported and checked into the forensic laboratory holding/inventory. Battery-powered devices that must remain on power are identified and provided power.

Evidence Isolation
  Level 0, Incomplete (0 points): Devices are not protected from external influence such as wireless or cellular control signals. A remote lock or remote memory wipe can be impactful to the device.
  Level 1, Performed (1 point): The examiner may take steps to isolate the device. This is based on the experience of the examiner.
  Level 2, Managed (2 points): Processes exist for the isolation of typical devices that can be involved in an investigation. Examiners are trained on basic procedures and take steps to preserve the state of the device.
  Level 3, Defined (3 points): Clear processes exist for the isolation of devices in scope. Examiners continue to provide feedback to the team on new devices encountered and how they might collect from the new device. Examiners are trained on basic procedures and take steps to preserve the state of the device.
  Level 4, Managed / Optimized (4 points): Devices are isolated from other devices used for data synchronization such as a cradle, USB cable, or personal computer. Examiners continue to provide feedback to the team on new devices encountered and how they might collect from the new device. The device is isolated from all radio networks such as Wi-Fi, cellular and Bluetooth to keep new data from overwriting potential evidence. Devices are placed in airplane mode or placed in a Faraday container.

Phase: Acquisition and Preservation
Acquisition through drive imaging
  Level 0, Incomplete (0 points): Imaging may not be considered. Examiners collect physical devices with the intent to perform the analysis on the device itself. There is no clear standard on how imaging will take place.
  Level 1, Performed (1 point): Imaging is conducted at the judgement of the examiner. Logical imaging is often used. Images at this phase can be corrupted or tampered with during the process of acquisition.
  Level 2, Managed (2 points): Imaging is executed consistently and reliably according to published procedures. Logical imaging, disk cloning, and full physical disk imaging are conducted where applicable. Images are retained in a technology repository for retrieval by analysts.
  Level 3, Defined (3 points): Imaging is executed consistently and reliably according to published procedures. Logical imaging, disk cloning, and full physical disk imaging are conducted where applicable. Portable imaging technology with a sizable storage capacity is provided to the examiners to conduct the imaging activities.
  Level 4, Managed / Optimized (4 points): Imaging is executed consistently and reliably according to published procedures. All seized devices are identified by make and model, and the proper toolsets are selected to best match the devices being imaged. Portable imaging technology with a sizable storage capacity is provided to the examiners to conduct the imaging activities. Care is taken to avoid altering the state of a device, and examiners confirm that the contents of a device were properly captured.

Volatile Memory Acquisition
  Level 0, Incomplete (0 points): Memory is not considered as a source to be captured from technology devices. Examiners are not equipped to perform memory acquisition.
  Level 1, Performed (1 point): Memory acquisition is conducted on an ad hoc basis and only by certain examiners who understand the procedure. Tools are not standardized for volatile memory acquisition; tools are chosen by the examiner. Volatile memory is not given priority in the acquisition at this phase.
  Level 2, Managed (2 points): Clear procedures exist for the capture of volatile memory from devices. Investigators have standardized on a toolset and are fully trained. Examiners collect volatile memory from common devices such as laptops or desktops.
  Level 3, Defined (3 points): Clear procedures exist for the capture of volatile memory from devices. Investigators have standardized on a toolset and are fully trained. Examiners are trained to collect volatile memory from multiple devices such as phones, personal computers, gaming systems and wearables.
  Level 4, Managed / Optimized (4 points): Clear procedures exist for the capture of volatile memory from devices in scope. Investigators have standardized on a toolset and are fully trained. Examiners are trained to collect volatile memory from multiple devices such as phones, personal computers, gaming systems and wearables. Memory captured in this phase is protected by the same procedures that protect drive images.

Network event collection
  Level 0, Incomplete (0 points): Log events are not sought out or collected as evidence. Examiners are not trained in collecting evidence from security or network teams.
  Level 1, Performed (1 point): Network log events are not consistently collected. When network logs are collected, it is at the knowledge level of the investigator and does not produce consistent results.
  Level 2, Managed (2 points): Investigators are trained in the collection and use of network logs for the investigation. Network log events are collected from systems where applicable to the investigation. Written procedures exist for the collection of network events.
  Level 3, Defined (3 points): Investigators are trained in the collection and use of network logs for an investigation. Log events are collected from network systems where applicable to the investigation. Logs are collected in a consistent manner and are correlated to endpoint events in the incident timeline. Written procedures exist for the collection of network events.
  Level 4, Managed / Optimized (4 points): Examiners seek out logging data from security sources such as firewalls, content filters, CASB, intrusion detection and security event management (SIM) sources. Relevant logs are exported and added to the investigation repository. Network event logs are correlated to endpoint events in the incident timeline. Security and network SMEs are consulted for a full understanding of the events collected.

IoT Devices
  Level 0, Incomplete (0 points): IoT devices are not considered as sources of evidence for the investigation.
  Level 1, Performed (1 point): IoT devices are not consistently considered as evidence. When artifacts from local IoT devices are collected in the investigation, it is at the individual understanding of the investigator.
  Level 2, Managed (2 points): Investigators are trained to look for artifacts in IoT devices. Artifacts are collected from local IoT devices according to written procedures.
  Level 3, Defined (3 points): Investigators are trained to look for artifacts in IoT devices. Artifacts are collected from local IoT devices according to written procedures. IoT devices are placed into a state that protects their data from being tampered with.
  Level 4, Managed / Optimized (4 points): Investigators are trained to look for artifacts in IoT devices. Artifacts are collected from local IoT devices, network and cloud sources according to written procedures. IoT devices are placed into a state that protects their data from being tampered with.

Hashing of evidence
  Level 0, Incomplete (0 points): Hashing of evidence is not considered necessary for the investigation.
  Level 1, Performed (1 point): Investigators hash specific files to assist in the investigation and for chain of custody purposes. Hashing is used in accordance with the knowledge level of the investigator.
  Level 2, Managed (2 points): Formal, written procedures exist that outline how evidence will be hashed for chain of custody. Investigators hash specific files to assist in the investigation and to follow chain of custody.
  Level 3, Defined (3 points): Formal, written procedures exist that outline how evidence will be hashed. Investigators hash specific files to assist in the investigation and to follow a proper chain of custody. Investigators use hashing to identify known files used in other criminal investigations.
  Level 4, Managed / Optimized (4 points): Formal, written procedures exist that outline how evidence will be hashed. Investigators hash specific files to assist in the investigation and to follow a proper chain of custody. Hashing is used in accordance with the knowledge level of the investigator. Investigators use known-good hash sets to significantly reduce the number of files that must be reviewed.

Mobile forensics collection
  Level 0, Incomplete (0 points): Mobile devices are not considered as data sources during the investigation. Investigators are not trained in mobile evidence extraction.
  Level 1, Performed (1 point): Mobile devices are occasionally selected as sources for evidence. Mobile device forensics are only successful depending upon the knowledge level of the investigator. Logical extractions are conducted from the device wired to a PC that sends commands to the device.
  Level 2, Managed (2 points): Formal written procedures exist for the collection and analysis of mobile device artifacts. Investigators are formally trained in the analysis of mobile devices. Investigators have the ability to collect call logs, text messages, contact lists, and media from an unlocked phone.
  Level 3, Defined (3 points): Formal written procedures exist for the collection and analysis of mobile device artifacts. Investigators are formally trained in the analysis of mobile devices. Investigators have the ability to collect call logs, text messages, contact lists, and media from an unlocked or locked phone. Manual extraction techniques are considered.
  Level 4, Managed / Optimized (4 points): Formal written procedures exist for the collection and analysis of mobile device artifacts. Investigators are formally trained in the analysis of mobile devices. Investigators have the ability to collect call logs, text messages, contact lists, and media from an unlocked or locked phone. Investigators have the ability to extract data from the visual screen level down to the micro read level (microscope).

 
Backups of evidence
  Level 0, Incomplete (0 points): Backups are not considered as a necessary step in the investigation. Original media is used.
  Level 1, Performed (1 point): Making a backup of the evidence is not consistent among investigations. Backups are made at the discretion of the investigator. Backups of evidence are not consistently available when needed.
  Level 2, Managed (2 points): Formal procedures exist for the backup of physical evidence. Investigators consistently create a backup in order to preserve the original evidence. Forensic analysis is always conducted against backups instead of the original.
  Level 3, Defined (3 points): Formal procedures exist for the backup of physical evidence. Multiple backups exist of each device in scope of the investigation. Forensic analysis is always conducted against backups instead of the original.
  Level 4, Managed / Optimized (4 points): A forensic suite is used to keep archives from all of the examiners on the team in a single location. Multiple backups exist of each imaged device. Analysis data is backed up during the investigation process. Backups are placed in multiple locations to anticipate disaster recovery scenarios.

Phase: Examination and Analysis
Evidence Analysis
  Level 0, Incomplete (0 points): Examiners are not formally trained in forensic analysis. There is no scope for the investigation, and investigations are generally not successful in producing findings.
  Level 1, Performed (1 point): Analysis is conducted in an ad hoc manner with little direction or authority. The success of the analysis is dependent on the knowledge level of the examiner. The success rate of the analysis at this phase is not consistent. Examiners are focused on Windows forensics.
  Level 2, Managed (2 points): Written procedures exist for the forensic analysis of collected evidence. Examiners are formally trained in forensic analysis and toolsets. Examiners are generally successful in producing findings from analysis. Examiners are focused on Windows, Unix and Apple forensics.
  Level 3, Defined (3 points): A clear phased workflow is published and followed to ensure a quality forensic analysis of the evidence. Additional advanced training is provided to examiners to allow for decryption of files and password cracking. Examiners are highly successful in producing findings for the investigation.
  Level 4, Managed / Optimized (4 points): A defined workflow is published and followed to ensure a quality analysis of the evidence. Advanced training is provided to examiners to allow for decryption of files and password cracking. Examiners are highly successful in producing findings for the investigation. Examiners are formally trained to look for evidence of tampering by the suspect and to discover hidden files or directories. A timeline analysis based on the file system metadata is produced to supplement the investigation.

Forensic Tool Sets
  Level 0, Incomplete (0 points): Analysis at this phase is a manual process of observation. Examiners do not use forensic toolsets in this phase.
  Level 1, Performed (1 point): Examiners perform forensics with the toolsets of their personal preference. Tools utilized in this phase are not necessarily optimized for the analysis being conducted. Free or open-source tools are used in this phase.
  Level 2, Managed (2 points): Approved tools are provided to the examiners, and examiners are trained on the tools. Tools are purchased and obtained to align with the investigations being conducted. Free, open-source and commercial tools are utilized.
  Level 3, Defined (3 points): Approved tools are provided to the examiners, and examiners are trained on the tools. Tools are purchased and obtained to align with the investigations being conducted. A mix of open-source and enterprise tools is made available to the investigations.
  Level 4, Managed / Optimized (4 points): Approved tools are provided to the examiners, and examiners are trained on the tools. Tools are purchased and obtained to align with the investigations being conducted. Custom tools are continuously developed by examiners for investigations. A mix of open-source and enterprise tools is made available to the investigations.

Documentation
  Level 0, Incomplete (0 points): No documentation is created when conducting an investigation.
  Level 1, Performed (1 point): Paper notes are recorded by the examiner conducting the investigation. No formal process exists for documentation; it is at the discretion of each examiner.
  Level 2, Managed (2 points): A formal policy is followed for creating good documentation about the investigation. Notes are recorded and ultimately digitized. Examiners create adequate documentation at this phase.
  Level 3, Defined (3 points): Full documentation is completed by following the team's standard operating procedures. Notes are recorded and ultimately digitized. All digital documentation is retained within the case repository.
  Level 4, Managed / Optimized (4 points): Full documentation is completed by following the team's standard operating procedures. Digital forms are used for the documentation to ensure version history, authorship and disaster recovery. All digital documentation is retained within the case file and digital evidence.

e-Discovery
  Level 0, Incomplete (0 points): Examiners do not conduct e-discovery as part of investigations. e-Discovery is not conducted in this phase.
  Level 1, Performed (1 point): e-Discovery may be conducted by an examiner, but the outcome is not always successful in revealing evidence.
  Level 2, Managed (2 points): e-Discovery is conducted according to written policies. Examiners are successful in obtaining documentation and correspondence when e-discovery is necessary.
  Level 3, Defined (3 points): e-Discovery is conducted according to written policies. Litigation holds are placed on custodians and people of interest. Examiners are successful in obtaining documentation and correspondence when e-discovery is necessary.
  Level 4, Managed / Optimized (4 points): An enterprise e-discovery platform is made available for examiners. e-Discovery is conducted according to written policies. Litigation holds are placed on custodians and people of interest. Examiners are successful in obtaining documentation and correspondence when e-discovery is necessary.

Phase: Presentation
Reporting
  Level 0, Incomplete (0 points): No formal reporting is conducted by the examiner following the conclusion of the investigation.
  Level 1, Performed (1 point): Reporting is occasionally conducted and presented to those in charge of the investigation. Reporting is lacking and often incomplete at this phase.
  Level 2, Managed (2 points): Custom templates exist for examiners to use to create a consistent product. Reporting is complete and polished at this phase.
  Level 3, Defined (3 points): Reporting standards are published and followed by examiners. Custom templates have been created for examiners to use. Supporting materials such as copies of digital evidence, chain of custody, examiner field notes and other physical evidence are submitted.
  Level 4, Managed / Optimized (4 points): Reporting standards and templates are published and followed by examiners. The report is crafted with the audience in mind: technical noise and jargon are removed and layman's terminology is used. Supporting materials such as copies of digital evidence, chain of custody, examiner field notes and other physical evidence are submitted. The report consists of a clear, detailed summary of the steps of the investigation, the tools utilized and any conclusions reached.

Lessons Learned
  Level 0, Incomplete (0 points): Lessons learned are conducted by investigators in this phase.
  Level 1, Performed (1 point): Lessons learned are conducted infrequently and initiated at the request of the examiner.
  Level 2, Managed (2 points): Formal procedures are written for lessons learned activities to be conducted. Lessons learned activities are conducted after every investigation.
  Level 3, Defined (3 points): Formal procedures are written for lessons learned activities to be conducted. Investigators formally meet to review the investigation phases and results, and to identify areas for improvement. Lessons learned are routinely used to improve the formal investigation process for all examiners.
  Level 4, Managed / Optimized (4 points): Formal procedures are written for lessons learned activities to be conducted. Investigators formally meet to review the investigation phases and results, and to identify areas for improvement. Lessons learned are routinely used to improve the formal investigation process for all examiners. Managers and stakeholders attend lessons learned meetings.

Phase: Misc. Management
Policies and Procedures
  Level 0, Incomplete (0 points): No written policies exist for authorizing, initiating, executing, completing, or reporting a digital forensic investigation.
  Level 1, Performed (1 point): Examiners have created procedures for certain aspects of the investigation. These procedures may be shared with team members when necessary.
  Level 2, Managed (2 points): A high-level policy is written that outlines the forensics program. Policies and standards are written to define the forensics authority and how the investigation will be executed. Examiners are instructed on the standards and policies to be followed.
  Level 3, Defined (3 points): Policies, standards, and procedures are clearly written and followed by the forensic team. The leadership of the organization supports the documentation.
  Level 4, Managed / Optimized (4 points): All policies, standards and procedures are clearly written and reviewed on an annual basis. Changes and improvements are sought out and incorporated into the policies. All policies and procedures are authorized and supported by the leadership of the organization.

Repeatability
  Level 0, Incomplete (0 points): Tools are not tested by examiners to ensure they continue to provide correct judgements.
  Level 1, Performed (1 point): Processes are tested upon initial implementation and on an ad hoc basis going forward.
  Level 2, Managed (2 points): Internal testing is conducted by the agency management. Open testing is conducted, where examiners are aware of and involved in testing the process.
  Level 3, Defined (3 points): Blind testing is conducted, where examiners are not aware the testing is happening. Open testing is conducted, where examiners are aware of and involved in testing the process. Internal testing is conducted by the agency management.
  Level 4, Managed / Optimized (4 points): All processes are tested for repeatability: a separate examiner can repeat the process and obtain the exact same results. All examiners are trained using the same procedures. External testing is conducted by an independent agency.

Formal Training
  Level 0, Incomplete (0 points): No training is available to the resources performing the investigations.
  Level 1, Performed (1 point): Success of the investigation is based on the individual knowledge of the examiner conducting the investigation. Formal training is infrequently offered.
  Level 2, Managed (2 points): Team members are sent to vendor training on the toolsets being utilized. Senior members of the team train junior members of the team on the existing processes that are conducted.
  Level 3, Defined (3 points): Team members are sent to forensic training from a body such as SANS or ISACA. A mentor program has the senior members training junior members. Examiners obtain certifications in their toolsets.
  Level 4, Managed / Optimized (4 points): Forensic teams obtain formal and internal training throughout the year. Forensics conferences are attended by team members. Vendors are solicited to keep the team current on new feature sets. Senior team members are assigned junior members of the team to mentor. Examiners obtain certifications in their toolsets.

Investigation Roles and Responsibilities
  Level 0, Incomplete (0 points): No formal roles are assigned to an investigation. Resources are obtained when needed and roles are assigned in an ad hoc fashion.
  Level 1, Performed (1 point): At the time of the investigation, roles are assigned based on the availability of personnel.
  Level 2, Managed (2 points): Individuals are assigned roles by management according to their skillset and the actions needed.
  Level 3, Defined (3 points): All individuals involved are assigned predefined roles according to their skillset and the actions needed. Investigations will have people assigned to the roles of: a) Case leader, b) Business Owner, c) Legal advisor, d) InfoSec Resource, e) Digital Forensic specialist, f) Forensic Systems Administrator, g) Digital Forensic Analyst, h) Legal Prosecutor.
  Level 4, Managed / Optimized (4 points): Investigations will have people assigned to the roles of: a) Case leader, b) Business Owner, c) Legal advisor, d) InfoSec Resource, e) Digital Forensic specialist, f) Forensic Systems Administrator, g) Digital Forensic Analyst, h) Legal Prosecutor. Responsibilities are periodically re-evaluated to confirm they have been properly assigned.

Search Authority
  Level 0, Incomplete (0 points): Approval is not explicitly granted, and data could be suppressed by a biased party.
  Level 1, Performed (1 point): Search approval is often gained from the proper authorities, but not consistently.
  Level 2, Managed (2 points): Written procedures exist for those involved in the process to obtain the proper authority to conduct the investigation. Approvals will reasonably identify the items to be searched for and the place where investigators are authorized to search for those items.
  Level 3, Defined (3 points): Written procedures exist for forensic teams to obtain the proper authority to conduct the investigation. Approvals will reasonably identify the items to be searched for and the place where investigators are authorized to search for those items.
  Level 4, Managed / Optimized (4 points): Written procedures exist for forensic teams to obtain the proper authority to conduct the investigation. Approval for searches is assigned, with formal processes for search warrants, subpoenas, and consent to search. Stakeholders and management teams are notified during each phase of the approval process. Steps are taken to ensure the process is reasonable and lawful.

Chain of custody
  Level 0, Incomplete (0 points): No chain of custody is followed during an investigation.
  Level 1, Performed (1 point): Chain of custody at this phase is problematic. Detailed records are not consistently kept. Chain of custody is only conducted for certain cases and at the discretion of the investigator.
  Level 2, Managed (2 points): Formal chain of custody procedures are clearly written and followed by investigators.
  Level 3, Defined (3 points): Formal chain of custody procedures are clearly written and followed by investigators. The chain of custody is entered digitally into an enterprise forensic platform.
  Level 4, Managed / Optimized (4 points): A well-documented chain of custody procedure exists. The process accounts for each evidence item from collection to presentation. The chain is clearly documented, electronically archived into an enterprise forensic platform, and cannot be altered.
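The Hashing of evidence and Chain of custody rows describe hashing files for chain of custody, screening out known-good files, and a custody record that cannot be altered. The following Python script is an added example, not part of this page or of the DFCMM, showing one way those practices fit together: a known-good hash set that removes files from the review queue, and a hash-chained custody log in which any retroactive edit is detectable (tamper-evident, which is the practical form of "cannot be altered"). All file contents, hash-set entries, custodian names and timestamps are constructed for the demonstration.

```python
"""Evidence hashing, known-good filtering and a tamper-evident custody log.
Added example (not part of the DFCMM page); every file, hash-set entry and
custody event below is constructed so the script runs offline."""
import hashlib
import json
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


def sha256_hex(data: bytes) -> str:
    """Digest of an evidence item; custody records reference this value."""
    return hashlib.sha256(data).hexdigest()


# Constructed files "acquired" from a disk image (path -> content).
EVIDENCE_FILES: Dict[str, bytes] = {
    "C:/Windows/System32/kernel32.dll": b"CONSTRUCTED OS BINARY 1",
    "C:/Windows/System32/ntdll.dll": b"CONSTRUCTED OS BINARY 2",
    "C:/Users/jdoe/Documents/ledger.xlsx": b"CONSTRUCTED USER DOCUMENT",
    "C:/Users/jdoe/Downloads/setup.exe": b"CONSTRUCTED UNKNOWN BINARY",
}
# Constructed known-good set; a team would load a published hash list here.
KNOWN_GOOD: Set[str] = {sha256_hex(b"CONSTRUCTED OS BINARY 1"),
                        sha256_hex(b"CONSTRUCTED OS BINARY 2")}


def files_to_review(files: Dict[str, bytes], known_good: Set[str]) -> List[str]:
    """Level 4 hashing: drop every file whose digest matches the known-good set."""
    return sorted(path for path, data in files.items()
                  if sha256_hex(data) not in known_good)


@dataclass
class CustodyEntry:
    item_id: str
    action: str           # collected, transported, checked_in, analysed, ...
    handler: str
    timestamp: str        # ISO-8601 string supplied by the caller
    evidence_sha256: str  # digest of the item when this action took place
    prev_hash: str        # entry_hash of the preceding record
    entry_hash: str = ""

    def compute_hash(self) -> str:
        """Hash of this record's fields plus the previous record's hash."""
        fields = [self.item_id, self.action, self.handler, self.timestamp,
                  self.evidence_sha256, self.prev_hash]
        return sha256_hex(json.dumps(fields).encode())


class CustodyLog:
    """Hash-chained custody record: editing any entry breaks every later link."""
    GENESIS = "0" * 64

    def __init__(self) -> None:
        self.entries: List[CustodyEntry] = []

    def append(self, item_id: str, action: str, handler: str,
               timestamp: str, evidence: bytes) -> CustodyEntry:
        prev = self.entries[-1].entry_hash if self.entries else self.GENESIS
        entry = CustodyEntry(item_id, action, handler, timestamp,
                             sha256_hex(evidence), prev)
        entry.entry_hash = entry.compute_hash()
        self.entries.append(entry)
        return entry

    def verify(self) -> Optional[int]:
        """Index of the first entry failing the chain check, None if intact."""
        prev = self.GENESIS
        for index, entry in enumerate(self.entries):
            if entry.prev_hash != prev or entry.entry_hash != entry.compute_hash():
                return index
            prev = entry.entry_hash
        return None

    def evidence_unchanged(self, item_id: str) -> bool:
        """True when every custodian recorded the same digest for the item."""
        digests = {e.evidence_sha256 for e in self.entries if e.item_id == item_id}
        return len(digests) == 1


def build_demo_log() -> CustodyLog:
    """Three constructed hand-offs of one evidence item (a USB stick image)."""
    image = b"CONSTRUCTED USB IMAGE"
    log = CustodyLog()
    log.append("USB-001", "collected", "examiner_a", "2024-01-10T09:00:00Z", image)
    log.append("USB-001", "transported", "examiner_a", "2024-01-10T11:30:00Z", image)
    log.append("USB-001", "checked_in", "lab_tech_b", "2024-01-10T12:05:00Z", image)
    return log
```

Archiving each day's final entry_hash in a separate system (or signing it) turns the chain from tamper-evident within the log into tamper-evident against anyone who can rewrite the whole log.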