Incident Response and Digital Forensic Investigation Common Procedures

Adhering to NIST Guidelines and Expert Witness Codes

At Notion Digital Forensics, we adhere to the NIST 800-61 Rev 2 “Computer Security Incident Handling Guide”1 and our in-house Notion Digital Forensics Procedures (NDFPs) for prompt and effective live responses. In conducting investigations, we follow the NIST 800-86 “Guide to Integrating Forensic Techniques into Incident Response”2 and our NDFPs to ensure a thorough approach.

In all cases, we comply with the Expert Witness Code specific to the jurisdiction in which we operate. In Australia, this typically means adhering to the GPN-EXPT3 or equivalent codes in various courts and tribunals, while in New Zealand, we follow the “Code of Conduct for Expert Witnesses.”4

Below, we’ve outlined a few key strategies we employ for certain types of evidence collection.


  1. Cichonski, P. et al. (2012) Computer Security Incident Handling Guide, Computer Security Resource Centre. National Institute of Standards and Technology (NIST) (USA). Available at: (Accessed: April 25, 2023).[]
  2. Kent, K., Chevalier, S., Grance, T. and Dang, H. (2006). SP 800-86 -Guide to integrating forensic techniques into incident response, National Institute of Standards and Technology (NIST), United States, [online] doi:[]
  3. Allsop, C.J. (2016). Expert Evidence Practice Note (GPN-EXPT).  Federal Court of Australia, Available at: [online][]
  4. New Zealand Government, High Court Rules 2016 (LI 2016/225) (as at 23 June 2022) Schedule 4 Code of conduct for expert witnesses – New Zealand Legislation. [online] Available at: [Accessed 25 Apr. 2023][]