Maine State Government
Dept. of Administrative & Financial
Office of Information Technology
Forensic Investigation Workflow
The Office of Information Technology (OIT) follows a
well-defined workflow to perform forensic investigations.
Given the sensitivity of forensic investigations, it is critical
to codify an effective, efficient, and discreet workflow to perform them.
This policy applies to all forensic investigations conducted
by OIT, by order of either DAFS-BHR or the AG.
HR Director: Within DAFS-BHR, a forensic investigation
can be requested by a person in the rank of Director or above.
Officer: Within the Legislative, Judicial or Constitutional Branches, a
forensic investigation can be requested by the HR Officers.
Assistant Attorney General: Within the Office of the
AG, a forensic investigation can be requested by a person in the rank of
Assistant Attorney General (AAG) or above.
State EEO Coordinator: Within DAFS-BER, a forensic
investigation can be requested by the State EEO Coordinator.
Chief Technology Officer: The OIT Chief Technology
Officer owns and enforces this policy.
OIT Customer Support: OIT Customer Support personnel
execute this policy.
OIT Customer Support takes delivery of the evidence
exclusively from the Requester, or their authorized designee. OIT Customer
Support never takes delivery of the evidence from the User.
Once OIT Customer Support takes delivery of the evidence,
OIT maintains strict chain-of-custody of the evidence throughout the forensic
investigation, until OIT delivers the evidence back to the Requester, or
their authorized designee.
OIT Customer Support never communicates with the User. All communication from OIT is
addressed exclusively to the Requester.
OIT Customer Support always provides a written report to the Requester, describing the
results of the forensic investigation.
OIT Customer Support treats any and all forensic
investigations on a need-to-know basis. Any HR investigation is considered
CONFIDENTIAL, and NO ticket is created for it in the OIT work-tracker. If it appears that laws may have been broken, Law
Enforcement will be consulted.
OIT Customer Support maintains several confidential
Standard Operating Procedures that specify in great detail the exact steps
undertaken in support of this policy.
Evidence: Any IT asset that is the subject of the
forensic investigation. Evidence includes, but is not limited to, workstations,
desktops, laptops, external drives, compact discs, digital video discs,
universal serial bus memory sticks, or any other removable media. In forensic
computer investigations in criminal matters, it may also include a duplicate
image of the device to conduct the investigation so as not to corrupt the
Chain-of-Custody: Documented audit trail verifying the
receipt, custody, handling, control, transfer, and disposition of evidence in a
manner that avoids the possibility of tampering or misconduct.
Requester: An HR Director, HR Officer, an AAG, or the State
EEO Coordinator, who requests the forensic investigation.
User: The State employee who uses the IT asset that is
the subject of the forensic investigation.
Document Reference Number:
Original Adoption Date: February 7, 2013
Effective Date: February 7, 2013
Date: February 13, 2013
Date: February 7, 2015
Point of Contact: B. Victor Chakravarty, Enterprise
Architect, Office of Information Technology, State House Station #145, Augusta,
ME 04333, (207) 624-9840.
Approved By: James R. Smith, Chief Information Officer,
State House Station #145, Augusta, ME 04333, (207) 624-9471.
Position Title(s) or Agency Responsible for Enforcement: Greg McNeal, Chief Technology Officer,
Legal Citation: 5
M.R.S.A. Chapter 163 Section 1973 paragraphs (1)B and (1)D, which read in part,
“The Chief Information Officer shall:” “Set policies and standards for the
implementation and use of information and telecommunications technologies…” and
“Identify and implement information technology best business practices and
Waiver Process: See the Waiver Policy.