Quality Assurance Practices are essential to ensure the overall quality of services that a Computer Forensics unit provides. Two of the fundamentals of quality assurance are a documented Quality Assurance Manual (QAM) and an individual designated as the Quality Manager (QM) who, irrespective of other responsibilities, has the authority and obligation to ensure that the requirements of the quality system are implemented and maintained. These two fundamentals are essential irrespective of whether the Computer Forensics unit is a stand-alone entity, a section within a forensic laboratory, or is part of a private corporation or business. Minimally, the QAM will include quality policies and describe the various elements of the quality system and the quality practices that are to be followed. The QAM can be, but does not necessarily need be, an all-encompassing voluminous document. Rather it can include many detailed quality documents while making reference to others that can be found elsewhere within the unit. Over the past several years, I have reviewed both types of QAMs. As long as all the quality assurance documents are readily available, either approach will work.

The QAM must include all elements of the quality system and be readily available to staff members to ensure that they understand its expectations. To the staff member(s) assigned to develop a QAM, it is often viewed as a lengthy, detailed, time-consuming process. (I am personally aware of many instances where it took an agency one to two years to develop their QAM. This appears to be the norm rather than the exception). Furthermore, once the QAM has been developed and approved by management, it then becomes the responsibility of the QM to ensure that its requirements are maintained. Often when management “designates” someone as the QM, that person does not always understand what is expected of him/her. Ideally, the QM should not be part of the management structure and whenever possible, should be autonomous to the technical operations of the unit. In addition, management should ensure that the QM has some training in the concepts and techniques of quality assurance.

If a Computer Forensics unit is part of an accredited laboratory, the existing laboratory’s QAM was probably modified to include the unit’s quality practices. Additionally, the laboratory QM would oversee the implementation of any additional practices necessary to ensure that the unit complied with the requirements of the QAM. However, if the Computer Forensics unit is not part of an accredited laboratory, then most likely no QAM exists, nor has a person been designated as a QM to oversee the unit’s quality practices. From personal knowledge, most non-accredited Computer Forensics units in the law enforcement community and in the private sector do not have a QAM in place nor do they have a QM. Likewise, there appears to be a general lack of documentation concerning analytical policies and procedures and quality practices. This could have potentially disastrous consequences if legal challenges arise out of the unit’s analytical practices or the unit resides in a state that requires any entity performing forensic analysis to be accredited. The unit’s management needs to assess its mission, beginning by asking some hard questions: Are we providing quality services? How do we know that we are? What do we need to do to demonstrate that we can provide quality results?

To avoid these potential consequences, any Computer Forensic unit operating without a QAM should develop one as soon as possible, regardless of whether or not the unit will seek accreditation. Listed below in outline form is a suggested Table of Contents for a QAM. It has been compiled from several different sources and can be used as a guide: