Incident Response and Digital Forensic Investigation Common Procedures

Adhering to NIST Guidelines and Expert Witness Codes

At Notion Digital Forensics, we adhere to the NIST 800-61 Rev 2 “Computer Security Incident Handling Guide”((Cichonski, P. et al. (2012) Computer Security Incident Handling Guide, Computer Security Resource Centre. National Institute of Standards and Technology (NIST) (USA). Available at: (Accessed: April 25, 2023).)) and our in-house Notion Digital Forensics Procedures (NDFPs) for prompt and effective live responses. In conducting investigations, we follow the NIST 800-86 “Guide to Integrating Forensic Techniques into Incident Response”((Kent, K., Chevalier, S., Grance, T. and Dang, H. (2006). SP 800-86 -Guide to integrating forensic techniques into incident response, National Institute of Standards and Technology (NIST), United States, [online] doi: and our NDFPs to ensure a thorough approach.

In all cases, we comply with the Expert Witness Code specific to the jurisdiction in which we operate. In Australia, this typically means adhering to the GPN-EXPT((Allsop, C.J. (2016). Expert Evidence Practice Note (GPN-EXPT).  Federal Court of Australia, Available at: [online] or equivalent codes in various courts and tribunals, while in New Zealand, we follow the “Code of Conduct for Expert Witnesses.”((New Zealand Government, High Court Rules 2016 (LI 2016/225) (as at 23 June 2022) Schedule 4 Code of conduct for expert witnesses – New Zealand Legislation. [online] Available at: [Accessed 25 Apr. 2023]))

Below, we’ve outlined a few key strategies we employ for certain types of evidence collection.