Quality Assurance Practices are essential to ensure the overall quality of services that a Computer Forensics unit provides. Two of the fundamentals of quality assurance are a documented Quality Assurance Manual and an individual designated as the QualityQuality Assurance Practices are essential to ensure the overall quality of services that a Computer Forensics unit provides. Two of the fundamentals of quality assurance are a documented Quality Assurance Manual (QAM) and an individual designated as the Quality Manager (QM) who, irrespective of other responsibilities, has the authority and obligation to ensure that the requirements of the quality system are implemented and maintained. These two fundamentals are essential irrespective of whether the Computer Forensics unit is a stand-alone entity, a section within a forensic laboratory, or is part of a private corporation or business. Minimally, the QAM will include quality policies and describe the various elements of the quality system and the quality practices that are to be followed. The QAM can be, but does not necessarily need be, an all-encompassing voluminous document. Rather it can include many detailed quality documents while making reference to others that can be found elsewhere within the unit. Over the past several years, I have reviewed both types of QAMs. As long as all the quality assurance documents are readily available, either approach will work.

The QAM must include all elements of the quality system and be readily available to staff members to ensure that they understand its expectations. To the staff member(s) assigned to develop a QAM, it is often viewed as a lengthy, detailed, time-consuming process. (I am personally aware of many instances where it took an agency one to two years to develop their QAM. This appears to be the norm rather than the exception). Furthermore, once the QAM has been developed and approved by management, it then becomes the responsibility of the QM to ensure that its requirements are maintained. Often when management “designates” someone as the QM, that person does not always understand what is expected of him/her. Ideally, the QM should not be part of the management structure and whenever possible, should be autonomous to the technical operations of the unit. In addition, management should ensure that the QM has some training in the concepts and techniques of quality assurance.

If a Computer Forensics unit is part of an accredited laboratory, the existing laboratory’s QAM was probably modified to include the unit’s quality practices. Additionally, the laboratory QM would oversee the implementation of any additional practices necessary to ensure that the unit complied with the requirements of the QAM. However, if the Computer Forensics unit is not part of an accredited laboratory, then most likely no QAM exists, nor has a person been designated as a QM to oversee the unit’s quality practices. From personal knowledge, most non-accredited Computer Forensics units in the law enforcement community and in the private sector do not have a QAM in place nor do they have a QM. Likewise, there appears to be a general lack of documentation concerning analytical policies and procedures and quality practices. This could have potentially disastrous consequences if legal challenges arise out of the unit’s analytical practices or the unit resides in a state that requires any entity performing forensic analysis to be accredited. The unit’s management needs to assess its mission, beginning by asking some hard questions: Are we providing quality services? How do we know that we are? What do we need to do to demonstrate that we can provide quality results?

To avoid these potential consequences, any Computer Forensic unit operating without a QAM should develop one as soon as possible, regardless of whether or not the unit will seek accreditation. Listed below in outline form is a suggested Table of Contents for a QAM. It has been compiled from several different sources and can be used as a guide:


1.1 Agency/Management Authority and Management Related Issues.
1.2 Agency/Computer Forensics Unit Mission Statement.
1.3 Quality Policy Statement and Objectives.
1.4 Organization and Management Structure (Organizational Chart).
1.5 Relationships and Responsibilities of Management, Technical Operations, and Support Services.
1.6 Position Descriptions, Statement of Qualifications, and Training Records.
1.7 Departures from Policy and Procedures and Exceptions to the QAM.
1.8 Communications within the Unit/Agency and with External Agencies.


2.1 Control and Maintenance of Documentation of Case Records.
2.2 Control and Maintenance of Standard Operational Procedure Manual(s).
2.3 Measurement Traceability to Appropriate Standards (as applicable).
2.4 Types of Examinations Performed.
2.5 Validation/Verification and Methods Development.
2.6 Evidence Handling and Control.
2.7 Use of Standards and Controls in Casework.
2.8 Calibration and/or Maintenance of Analytical Instrumentation.
2.9 Case File Storage and Record Retention.
2.10 Proficiency Testing.
2.11 Technical Case File Review.
2.12 Technical Problems or Discrepancies in Case work.
2.13 Court Testimony Review.
2.14 Quality Manager/Quality Oversight.
2.15 Inventories and Inspections.
2.16 Disclosure of Information.
2.17 Quality Audits and Quality System Review.
2.18 Customer Satisfaction.
2.19 Documenting Policy Changes.


3.1 Training Program.
3.2 Training Coordination.
3.3 Certification.
3.4 Continuing Education and Training.


4.1 Physical Plant Security/Security of the Computer Forensic Unit.
4.2 Health and Safety Program.
4.3 Order to Seal/Expunge Records.


Define terms used in the QAM.


Include copies of Evidence/Property Forms, Training Schedules, Testimony Review Forms, Quality Audit Forms, etc.

The easy part is outlining what should be included in a QAM. The hard part is writing up the specific policies and procedures that address the individual quality elements. As previously indicated, not every document needs to be in the QAM as long as it is referenced therein and the detailed information is readily available elsewhere within the unit. For example, from the Table of Contents above, 2.2 Control and Maintenance of Standard Operational Procedure Manual(s) can be the policy on what to include in the analytical procedures and make reference to a separate procedures manual. Similarly, 2.5 Validation/Verification and Methods Development could include the unit’s policy on how to accomplish a validation/verification and reference where the actual validation/verification documentation studies are maintained.

John J. Barbara is a Crime Laboratory Analyst Supervisor with the Florida Department of Law Enforcement (FDLE) in Tampa, FL. An ASCLD/LAB inspector since 1993, John has conducted inspections in several forensic disciplines including Digital Evidence. John is the General Editor for the “Handbook of Digital & Multimedia Evidence” to be published by Humana Press in 2007.