SWGDE

Scientific Working Group on Digital Evidence

SWGDE Current Documents

Displaying 71 of 71 documents


SWGDE Best Practices for Computer Forensic Acquisitions  
Published: 2018-04-25 | Version: 1.0
The purpose of this document is to describe the best practices for the forensic acquisition of digital evidence from computers and associated storage media. These processes are designed to maintain the integrity of digital evidence.
Comments: 0

SWGDE Best Practices for Data Acquisition from Digital Video Recorders  
Published: 2018-04-25 | Version: 1.0
The purpose of this document is to provide best practices for acquiring video, audio, and associated data evidence from digital video recorders (DVRs). This document provides guidance for acquisition of evidence utilizing a DVR’s operating system to export the native or proprietary data for use in a criminal investigation and/or prosecution. This document includes a sample "Audio/Video Field Retrieval Worksheet" fillable form.
Comments: 0

SWGDE Best Practices for Digital and Multimedia Evidence Video Acquisition from Cloud Storage  
Published: 2018-04-25 | Version: 1.0
The purpose of this document is to provide guidance for acquiring remotely stored video, audio, and associated data. This document identifies the major considerations and steps that will be part of the acquisition process. Includes template for a "Sample of Preservation Request".
Comments: 0

SWGDE Best Practices for Examining Magnetic Card Readers  
Published: 2018-04-25 | Version: 3.0
The purpose of this document is to describe best practices for seizing, acquiring, and analyzing data contained within magnetic card readers, and related transmission modules, capable of acquiring and storing personally identifiable information (PII) in an unauthorized manner. As a skimming device is not typically deemed contraband, it is the responsibility of the investigator/examiner to determine if the device was used illegally. Version 3.0 is a substantial technical update and includes a new section for Bluetooth.
Comments: 0

SWGDE Guidelines for Capturing Latent Impressions Using a Digital Camera in the Field  
Published: 2018-04-25 | Version: 1.0
The purpose of this document is to describe the proper documentation of latent print evidence by qualified personnel when using a digital camera in the field.
Comments: 0

SWGDE Guidelines for the Digital Imaging of Footwear and Tire Impressions  
Published: 2018-04-25 | Version: 1.0
The purpose of this document is to describe the proper method of photographing evidence for the purpose of allowing comparison and analysis by qualified personnel.
Comments: 0

SWGDE Guidelines for the Testing and Capture of Latent Impressions Using a Camera or Scanner  
Published: 2017-09-25 | Version: 1
The purpose of this document is to describe a procedure to ensure that a digital camera or scanner can capture an image of latent print evidence at an achievable resolution that enables recording of level three detail.
Comments: 0

SWGDE Framework of a Quality Management System for Digital and Multimedia Evidence Forensic Science Service Providers  
Published: 2017-09-25 | Version: 1
The purpose of this document is to present a foundational framework on which to develop a Quality Management System (QMS) for Digital and Multimedia Evidence (DME) Forensic Science Service Providers (FSSP). This document is limited to identifying the primary components of a QMS and is not intended to identify specific minimum requirements.
Comments: 0

SWGDE Mobile Device Photography for Comparative Analysis Position Paper  
Published: 2017-09-25 | Version: 1
The purpose of this document is to define the SWGDE position on the use of mobile device cameras to take images of items, where that image will be subjected to comparative analysis (e.g., latent prints). This document is specific to images captured by investigative organizations.
Comments: 0

SWGDE Recommendations for Cell Site Analysis  
Published: 2017-09-25 | Version: 1
The purpose of this document is to provide recommendations on the use of Historic Cell Site Location Information (HCSLI) contained in Call Detail Records (CDRs) when conducting Cell Site Analysis (CSA). This document provides information and recommended guidelines for using HCSLI contained within CDRs to conduct CSA. It is intended for analysts who have training, knowledge, and experience in using these investigative techniques.
Comments: 0

SWGDE Establishing Confidence in Digital Forensic Results by Error Mitigation Analysis  
Published: 2017-09-25 | Version: 1.7
The purpose of this document is to provide a process for recognizing and describing both errors and limitations associated with tools used to support digital forensics. This document proposes that confidence in digital forensic results is best achieved by using an error mitigation analysis approach that focuses on recognizing potential sources of error and then applying techniques used to mitigate them.
Comments: 0

SWGDE Technical Notes on FFmpeg  
Published: 2017-07-31 | Version: 1.0
This document provides a general awareness of FFmpeg, its functions, basic use, and common uses as it pertains to digital forensics. FFmpeg (Fast Forward mpeg) is an open source, cross-platform framework that uses command line to play, convert, and stream audio and video. This framework is used by multiple applications for forensic and commercial purposes.
Comments: 1

SWGDE Technical Overview of Digital Video Files  
Published: 2017-07-18 | Version: 1.0
This document provides a foundation of knowledge of file formats, encoding standards, and compression algorithms used in digital video. It does not cover still image compression algorithms or file formats. Understanding these elements, including the advantages and disadvantages of the options within each element, will allow organizations to make informed decisions about the handling of digital video evidence.
Comments: 0

SWGDE Core Competencies for Forensic Audio  
Published: 2017-07-18 | Version: 2.0
This document provides an outline of the knowledge and abilities practitioners of forensic audio should possess. The following elements provide a basis for training and testing programs. This basis is suitable for certification, competency, and proficiency testing. These competencies are sufficient for a technician performing basic forensic audio functions such as equipment configuration, handling of evidence, format conversion, basic media repairs, and reporting of results as outlined in SWGDE Best Practices for Forensic Audio.
Comments: 0

SWGDE Best Practices for Photographic Comparison for All Disciplines  
Published: 2017-07-18 | Version: 1.1
The purpose of this document is to provide personnel with guidance regarding practices appropriate when performing photographic comparison as a part of forensic analysis (this includes, but is not limited to, fingerprints, tool marks, odontology, etc.). For the purposes of this document, photographic comparison refers to comparing objects recorded on film, digital images, images from video sources, and printed images.
Comments: 1

SWGDE Collection of Digital and Multimedia Evidence Myths vs Facts  
Published: 2017-07-18 | Version: 1.2
The purpose of this document is to compile "myths" commonly encountered in the forensic discipline of digital evidence, and its sub-disciplines, and provide factual explanations for each.
Comments: 1

SWGDE Best Practices for Maintaining the Integrity of Imagery  
Published: 2017-07-18 | Version: 1.0
The purpose of this document is to provide personnel with guidance regarding maintaining and evaluating the integrity of imagery. The integrity of digital imagery plays an important role in the process of forensic investigation. In the current legal system, there are standards and expectations for proving that digital imagery has been maintained in a forensically sound manner. With the preservation of integrity, evidence is shown as accurate and consistent.
Comments: 0

SWGDE Best Practices for Digital Audio Authentication  
Published: 2017-02-21 | Version: 1.2
The purpose of this document is to provide the background, technical considerations, and potential criteria upon which to conduct forensic authentication examinations of digital audio when its provenance and/or integrity is in question.
Comments: 1

SWGDE Best Practices for the Acquisition of Data from Novel Digital Devices  
Published: 2017-02-21 | Version: 1.0
This document outlines a framework for performing forensic acquisitions of novel digital devices. These techniques are intended for new or previously unencountered technologies with no established procedures or best practices specific to the examination of those particular devices. They can be applied to devices such as media streaming dongles, “PC-on-a-stick” systems, embedded systems, “Internet of Things” (IoT) connected devices, similar non-traditional or unfamiliar digital devices, or technologies yet to be developed.
Comments: 0

SWGDE Windows 8 and 8.1 Tech Notes  
Published: 2017-02-21 | Version: 1.0
The scope of this document is to identify differences between previous Microsoft operating systems and Microsoft Windows 8/8.1 as it applies to digital forensics, software, and hardware tools. This document is an overview of the new Windows 8/8.1 software.
Comments: 0

SWGDE Tech Notes regarding Chip-off via Material Removal Using a Lap and Polish Process  
Published: 2017-02-21 | Version: 1.0
This document explains the chip-off via material removal using a lap and polish process. This new process removes layers of circuit board and circuit board components from under the flash in order to access the chip’s mechanical connection points, while minimizing the temperature escalation of the chip itself. This process is an alternative to the traditional chip-off process via heated removal, which is becoming limited and more difficult to perform as the internal components of mobile devices become smaller.
Comments: 0

SWGDE Photographic Equipment and Infrastructure Recommendations  
Published: 2017-02-21 | Version: 1.0
The purpose of this document is to provide guidance and recommendations for equipment, infrastructure, training, Standard Operating Procedure (SOP) development, and the security and integrity issues for photography in the forensic environment. This document addresses the photographic documentation of events and/or subjects that are in the field, forensic laboratory, studio or other controlled environment.
Comments: 0

SWGDE Myths and Facts about Accreditation for Digital and Multimedia Evidence Labs  
Published: 2017-02-21 | Version: 1.0
This document is intended to address commonly expressed myths about accreditation under ISO/IEC 17025 or 17020 in the Digital and Multimedia Evidence Forensic Science Service Provider (DME FSSP) community. This document responds to ongoing discussions within the forensics community about the appropriate role of accreditation, including a recommendation from the National Commission on Forensic Science to the Attorney General on Accreditation of DME FSSPs.
Comments: 0

SWGDE Overview of the Accreditation Process for Digital and Multimedia Forensic Labs  
Published: 2017-02-21 | Version: 1.0
The purpose of this document is to provide guidance for the ISO/IEC 17025 or 17020 accreditation process. A related SWGDE document, currently in draft. This document applies to DME FSSPs who are considering or have chosen to become accredited. While it is recognized that DME organizations vary in size, the core concepts of quality assurance remain the same.
Comments: 0

SWGDE Best Practices for Image Content Analysis  
Published: 2017-02-21 | Version: 1.0
The purpose of this document is to provide personnel with guidance regarding practices appropriate when performing photographic content analysis as a part of forensic image analysis. For the purposes of this document, photographic content analysis refers to the drawing of conclusions about an image or the subjects/objects represented in the image.
Comments: 0

SWGDE Guidelines for Forensic Image Analysis  
Published: 2017-02-21 | Version: 1.0
The objective of this document is to provide personnel with guidance regarding practices appropriate when performing a variety of analytic tasks involving images, regardless of the knowledge domain that is the subject of analysis.
Comments: 0

SWGDE Comments on Forced Minimization Requirements for the Seizure of Digital Evidence  
Published: 2016-10-08 | Version: 1.0
This is SWGDE's response to a growing tendency to restrict the amount or types of digital information, or data, that can be seized during the execution of legally-authorized operations, such as search warrant executions. SWGDE's position is that this is a disturbing trend, as it can have a negative impact on the investigation and cause, not only a loss of both inculpatory and exculpatory information, but worse, could result in the misinterpretation of information that causes detrimental consequences.
Comments: 0

SWGDE Crime Scene-Critical Incident Videography Recommendations and Guidelines  
Published: 2016-10-08 | Version: 1.0
The objective of this document is to provide recommendations and guidelines for the use of video camcorders to document crime scenes and critical incidents. Crime scene/critical incident videography should not replace or take precedence over still photography, but can be used as an additional investigative or demonstrative tool.
Comments: 0

SWGDE Best Practices for Forensic Audio  
Published: 2016-10-08 | Version: 2.2
The purpose of this document is to provide forensic audio practitioners recommendations for the handling and examination of forensic audio evidence in order to successfully introduce such evidence in a court of law.
Comments: 0

SWGDE Digital and Multimedia Evidence Glossary  
Published: 2016-06-23 | Version: 3.0
SWGDE provides this Glossary of Terms with general, as well as discipline specific, definitions as they apply across the spectrum of image analysis, computer forensics, video analysis, and forensic audio.
Comments: 0

SWGDE Digital Image Compression and File Formats Guidelines  
Published: 2016-06-23 | Version: 1.0
This document provides a foundation of knowledge of compression algorithms and file formats utilized in digital imaging, including photography and scanning. It does not cover video compression algorithms or file formats. Understanding these processes and their advantages and disadvantages will allow agencies to make informed decisions for the appropriate application of file formats and compression algorithms. For a comprehensive understanding, the reader is encouraged to seek out other sources.
Comments: 0

SWGDE Best Practices for Vehicle Infotainment and Telematics Systems  
Published: 2016-06-23 | Version: 2.0
The purpose of this document is to describe best practices for acquiring the data contained within infotainment and telematics systems installed in motor vehicles. The intended audience is first responders and/or others involved in the collection of digital data from vehicles.
Comments: 0

SWGDE Proposed Techniques for Advanced Data Recovery from Security DVRs Containing H.264 Data  
Published: 2016-06-23 | Version: 1.2
The purpose of this document is to present advanced techniques for data recovery from security system digital video recorders (DVRs) when the data cannot be recovered using the traditional methods. This document provides advanced recovery methods specific to security system DVRs storing video streams in the H.264 format. These methods should not be used by personnel not trained in the methods and techniques to which they refer. Traditional methods of recovery should be attempted first. These advanced techniques should only be attempted after all other options have been exhausted.
Comments: 0

SWGDE Image Processing Guidelines  
Published: 2016-02-08 | Version: 1.0
The purpose of this document is to provide guidelines for the use of digital image processing and to ensure the production of quality forensic imagery for the criminal justice system. This document includes brief descriptions of advantages, disadvantages, and potential limitations of each major process.
Comments: 0

SWGDE Linux Tech Notes  
Published: 2016-02-08 | Version: 1.0
The purpose of this document is to provide background information for the forensic examination of computers running Linux operating systems. The intended audience is computer forensic examiners trained and experienced in the examination of Windows and/or Macintosh operating systems seeking direction in the analysis of Linux systems.
Comments: 0

SWGDE Training Guidelines for Video Analysis, Image Analysis and Photography  
Published: 2016-02-08 | Version: 1.1
The purpose of this document is to provide guidelines and recommendations to assist organizations in designing a training program for forensic video analysts, image analysts, and photographers to ensure competency in the completion of forensic tasks and analyses.
Comments: 0

SWGDE Best Practices for Chip-Off  
Published: 2016-02-08 | Version: 1.0
This document describes best practices for acquiring data contained within a device by removing the flash memory chip from the printed circuit board (PCB) and directly reading the data from the chip. This document supplements and expands upon the material in SWGDE Best Practices for Mobile Phone Forensics. While the chip-off method of data extraction is commonly used on mobile devices, this technique can also be used to acquire data from other devices with flash memory attached to a PCB.
Comments: 0

SWGDE Best Practices for Collection of Damaged Mobile Devices  
Published: 2016-02-08 | Version: 1.1
This document provides basic information on the handling of mobile devices damaged by liquid, structural damage, or thermal exposure. The intended audience is first responders and/or others involved in the collection of damaged mobile devices.
Comments: 0

SWGDE Best Practices for Examining Mobile Phones Using JTAG  
Published: 2015-09-29 | Version: 1.0
The purpose of this document is to describe best practices for acquiring data contained within a mobile device using a Joint Test Action Group (JTAG) boundary scan technique as defined in IEEE 1149.1-2013, IEEE Standard for Test Access Port and Boundary-Scan Architecture. This document supplements and further expands upon the material in SWGDE Best Practices for Mobile Phone Forensics, which should be referenced prior to reading this document.
Comments: 0

SWGDE Best Practices for the Forensic Use of Photogrammetry  
Published: 2015-09-29 | Version: 1.0
The purpose of this document is to provide personnel with recommendations regarding appropriate practices when performing photogrammetric examinations as a part of forensic analysis.
Comments: 0

SWGDE Proficiency Test Guidelines  
Published: 2015-09-29 | Version: 1.0
The purpose of this document is to provide guidance for testing core competencies for a Digital and Multimedia Evidence (DME) proficiency test program.
Comments: 0

SWGDE Recommendations and Guidelines for Using Video Security Systems  
Published: 2015-09-29 | Version: 1.0
The purpose of this document is to provide recommendations and guidelines for the use of video security systems. For the purpose of this document, fixed-site surveillance cameras and recording devices will be discussed. In most cases, these basic principles and recommendations can be applied to any video system using surveillance cameras and video recorders. This document addresses analog and digital video systems. The intent of these recommendations and guidelines is to optimize image quality to facilitate the identification of unknown people and objects depicted therein.
Comments: 0

SWGDE Mac OS X Tech Notes  
Published: 2015-09-29 | Version: 1.3
The scope of this document is to describe the procedures for imaging and analyzing Macintosh computers. This document is restricted to the OS X operating system.
Comments: 0

SWGDE Recommended Guidelines for Validation Testing  
Published: 2014-09-05 | Version: 2.0
Validation testing is critical to the outcome of the entire examination process. Validation, based on sound scientific principles, is required to demonstrate that examination tools (hardware and software), techniques and procedures are suitable for their intended purpose. Tools, techniques and procedures should be validated prior to initial use in digital forensic processes. Failure to implement a validation program can have detrimental effects.
Comments: 0

SWGDE Capture of Live Systems  
Published: 2014-09-05 | Version: 2.0
The purpose of this document is to provide guidance to the forensic community on acquiring data from live computer systems. A primary concern is the ability to capture and save data in a usable format. Factors such as the volatility or the volume of data, restrictions imposed by legal authority, or the use of encryption may dictate the need to capture data from systems without interrupting the power cycle.
Comments: 0

SWGDE Focused Collection and Examination of Digital Evidence  
Published: 2014-09-05 | Version: 1.0
The purpose of this document is to provide the examiner with considerations to address when dealing with the review of large amounts of data and/or numerous devices.
Comments: 0

SWGDE Best Practices for Handling Damaged Hard Drives  
Published: 2014-09-05 | Version: 1.0
The purpose of this document is to describe the best practices for handling magnetic media hard drives when the data cannot be accessed via standard methods.
Comments: 0

SWGDE Best Practices for Computer Forensics  
Published: 2014-09-05 | Version: 3.1
The purpose of this document is to describe the best practices for collecting, acquiring, analyzing and documenting the data found in computer forensic examinations.
Comments: 0

Digital and Multimedia Evidence (Digital Forensics) as a Forensic Science Discipline  
Published: 2014-09-05 | Version: 2.0
The purpose of this paper is to provide an abstract to assist the reader in understanding that digital forensics is a forensic science and to address confusion about the dual nature of the application of digital forensics techniques as both a forensic science and as an investigatory tool.
Comments: 0

SWGDE Electric Network Frequency Discussion Paper  
Published: 2014-02-06 | Version: 1.2
The purpose of this document is to describe the potential use of electric network frequency (ENF) analysis in the United States for the forensic examination of audio recordings.
Comments: 0

SWGDE UEFI Effect on Digital Imaging  
Published: 2014-02-06 | Version: 1
This document provides a general overview and guidance with regard to Unified Extensible Firmware Interface (UEFI) and its effects on media imaging. The implementation and standards for UEFI are currently evolving and changes to this document are anticipated as this technology and its standards develop and mature. The intended audience for this document is the trained forensics professional who may encounter UEFI for the first time.
Comments: 0

DME Letter To NCFS Commissioners  
Published: 2014-01-30 | Version: 1
Joint letter from SWGDE, SWGIT, and FISWG to the National Commission on Forensic Science (NCFS) Commissioners on the exclusion of digital evidence from the Commission's work (as of January 2014). This letter recommends including digital evidence in the Commission's work to ensure the quality and integrity of digital evidence as a forensic science and offers to assist the Commission.
Comments: 0

DME Response to NIST  
Published: 2013-11-01 | Version: 1
Joint letter from SWGDE, SWGIT, and FISWG in response to the Notice published by the National Institute of Standards and Technology (NIST) in The Federal Register on 09/27/2013 regarding Possible Models for the Administration and Support of Discipline-Specific Guidance Groups for Forensic Science. The letter contains an overview to the request for model perspectives and provides opinions to the questions asked in the Notice.
Comments: 0

SWGDE Best Practices for Mobile Phone Forensics  
Published: 2013-02-11 | Version: 2.0
The purpose of this document is to describe the best practices for mobile phone forensics.
Comments: 0

SWGDE Core Competencies for Mobile Phone Forensics  
Published: 2013-02-11 | Version: 1.0
This document provides an outline of the knowledge and abilities all practitioners of mobile phone forensics should possess. The following elements provide a basis for training and testing programs. This basis is suitable for certification, competency and proficiency testing.
Comments: 0

SWGDE Model QAM and SOP Forms Download (ZIP File)  
Published: 2012-09-13 | Version: 1
Zip file with templates to accompany the SWGDE Model SOP and QAM documents.
Comments: 0

SWGDE Model QAM and SOP Manuals Introduction  
Published: 2012-09-13 | Version: 1
Introduction to SWGDE's Model QAM and SOP Manuals. These two manuals were developed in response to the needs of digital forensic laboratories that don’t have the resources for in-house development of quality assurance programs. They provide for off-the-shelf, easily tailored documents that can be utilized to begin to establish quality standards in the performance of digital forensic examinations.
Comments: 0

SWGDE Model QAM for Digital Evidence Laboratories  
Published: 2012-09-13 | Version: 3.0
The purpose of this document is to provide a model Quality Assurance Manual (QAM) for use by any entity performing digital and multimedia forensic examinations.
Comments: 0

SWGDE Model SOP for Computer Forensics  
Published: 2012-09-13 | Version: 3.0
The purpose of this document is to create a working sample document that organizations can utilize as a template for producing their own documented Standard Operating Procedures (SOPs).
Comments: 0

SWGDE Best Practices for Portable GPS Devices  
Published: 2012-09-12 | Version: 1.1
The purpose of this document is to describe the best practices for portable GPS device examinations and provide basic information on the logical and physical acquisition of GPS devices.
Comments: 0

Foundational Forensic Science Annotated Bibliographies Requested by RDT-E IWG  
Published: 2012-01-17 | Version: 1
This letter responds to a request regarding published literature in regards to digital evidence analysis.
Comments: 0

SWGDE Response to the Preliminary Outline of Draft Forensic Reform Legislation  
Published: 2010-05-25 | Version: 1
A letter from SWGDE offering constructive observations and suggestions regarding Draft Forensic Reform Legislation. SWGDE outlines their position on key terms for the Draft Legislation, including: Accreditation; Certification; Research; Standards/Best Practices; and Oversight and Coordination.
Comments: 0

SWGDE Technical Notes on Microsoft Windows 7  
Published: 2010-05-15 | Version: 1.0
The purpose of this document is to identify differences between current Microsoft operating systems (Windows Vista and XP) and Microsoft Windows® 7 as it applies to digital forensics, software and hardware tools.
Comments: 0

Minimum Requirements for Quality Assurance in the Processing of Digital and Multimedia Evidence  
Published: 2010-05-15 | Version: 1.0
The purpose of this document is to describe the minimum requirements necessary to achieve quality assurance in regard to completing forensic examinations.
Comments: 0

SWGDE-SWGIT Guidelines and Recommendations for Training  
Published: 2010-01-15 | Version: 2.0
The purpose of this document is to provide guidelines and recommendations to assist with designing a proper training program.
Comments: 0

SWGDE Position on the NAS Report  
Published: 2009-09-17 | Version: 1
SWGDE’s response to the National Research Council’s February 18, 2009 report to Congress, entitled “Strengthening Forensic Science in the United States: A Path Forward,” on a broad overview of the state of forensic science in the United States. This letter is SWGDE’s position on the thirteen recommendations within The Report, such as: Standardization of terminology; Collaboration and standards development; Mandatory accreditation and certification; Quality assurance; Academic programs.
Comments: 0

SWGDE Technical Notes on Microsoft Windows Vista  
Published: 2008-02-08 | Version: 1
The scope of this document is to identify differences between current Microsoft operating systems (Windows XP) and the new Windows Vista as it applies to digital forensics, software and hardware tools.
Comments: 0

SWGDE Position Paper Standards and Controls  
Published: 2008-01-30 | Version: 1.0
The purpose of this document is to clearly define the SWGDE position on the use of standards and controls in the computer forensics sub-discipline.
Comments: 0

SWGDE Peer to Peer Technologies  
Published: 2008-01-30 | Version: 1
The purpose of this document is to provide guidance in locating potential evidence concerning peer to peer (P2P) file sharing technologies during a forensic examination.
Comments: 0

SWGDE Data Archiving  
Published: 2006-04-12 | Version: 1
The purpose of this document is to familiarize the reader with issues surrounding digital data archiving.
Comments: 0

SWGDE History  
Published: 2003-01-22 | Version: 1
This document provides a description and history of SWGDE.
Comments: 0