Maine State Government

Dept. of Administrative & Financial Services

Office of Information Technology

Forensic Investigation Workflow Policy


I. Statement

The Office of Information Technology (OIT) follows a well-defined workflow to perform forensic investigations.


II. Purpose

Given the sensitivity of forensic investigations, it is critical to codify an effective, efficient, and discreet workflow to perform them.


III. Applicability

This policy applies to all forensic investigations conducted by OIT, by order of either DAFS-BHR or the AG.


IV. Responsibilities

A. HR Director: Within DAFS-BHR, a forensic investigation can be requested by a person in the rank of Director or above.

B. HR Officer: Within the Legislative, Judicial or Constitutional Branches, a forensic investigation can be requested by the H.R. Officers.


C. Assistant Attorney General: Within the Office of the AG, a forensic investigation can be requested by a person in the rank of Assistant Attorney General (AAG) or above.


D. State EEO Coordinator: Within DAFS-BER, a forensic investigation can be requested by the State EEO Coordinator.


E. Chief Technology Officer: The OIT Chief Technology Officer owns and enforces this policy.


F. OIT Customer Support: OIT Customer Support personnel execute this policy.


V. Directives

A. OIT Customer Support takes delivery of the evidence exclusively from the Requester, or their authorized designee. OIT Customer Support never takes delivery of the evidence from the User.


B. Once OIT Customer Support takes delivery of the evidence, OIT maintains strict chain-of-custody of the evidence throughout the forensic investigation, until OIT delivers the evidence back to the Requester, or their authorized designee.


C. OIT Customer Support never communicates with the User. All communication from OIT is addressed exclusively to the Requester.


D. OIT Customer Support always provides a written report to the Requester, describing the results of the forensic investigation.


E. OIT Customer Support treats any and all forensic investigations on a need-to-know basis. Any HR investigation is considered CONFIDENTIAL, and NO ticket is created for it in the OIT work-tracker. If it appears that laws may have been broken, Law Enforcement will be consulted.


F. OIT Customer Support maintains several confidential Standard Operating Procedures that specify in great detail the exact steps undertaken in support of this policy.


VI. Definitions

A. Evidence: Any IT asset that is the subject of the forensic investigation. Evidence includes, but is not limited to, workstations, desktops, laptops, external drives, compact discs, digital video discs, universal serial bus memory sticks, or any other removable media. In forensic computer investigations in criminal matters, it may also include a duplicate image of the device, made so that the investigation can be conducted without corrupting the original.


B. Chain-of-Custody: Documented audit trail verifying the receipt, custody, handling, control, transfer, and disposition of evidence in a manner that avoids the possibility of tampering or misconduct.


C. Requester: An HR Director, HR Officer, an AAG, or the State EEO Coordinator, who requests the forensic investigation.


D. User: The State personnel who uses the IT asset that is the subject of the forensic investigation.


VII. References

VIII. Document Information

Document Reference Number:  47


Original Adoption Date: February 7, 2013

Effective Date: February 7, 2013

Last Update Date:  February 13, 2013

Next Review Date: February 7, 2015


Point of Contact: B. Victor Chakravarty, Enterprise Architect, Office of Information Technology, State House Station #145, Augusta, ME 04333, (207) 624-9840.


Approved By: James R. Smith, Chief Information Officer, State House Station #145, Augusta, ME 04333, (207) 624-9471.


Position Title(s) or Agency Responsible for Enforcement:  Greg McNeal, Chief Technology Officer, telephone 207-624-9471.


Legal Citation:  5 M.R.S.A. Chapter 163 Section 1973 paragraphs (1)B and (1)D, which read in part, “The Chief Information Officer shall:” “Set policies and standards for the implementation and use of information and telecommunications technologies…” and “Identify and implement information technology best business practices and project management.”


Waiver Process: See the Waiver Policy[1].