
Best Practices for Digital Evidence Collection

SWGDE 18-F-002-2.0

This version of the document is in draft form and is being provided for comment by all interested parties for a minimum period of 60 days.

Disclaimer Regarding Use of SWGDE Documents

SWGDE documents are developed by a consensus process that involves the best efforts of relevant subject matter experts, organizations, and input from other stakeholders to publish standards, requirements, best practices, guidelines, technical notes, positions, and considerations in the discipline of digital and multimedia forensics and related fields. No warranty or other representation as to SWGDE work product is made or intended.

SWGDE requests notification by email before or contemporaneous to the introduction of this document, or any portion thereof, as a marked exhibit offered for or moved into evidence in such proceeding. The notification should include: 1) The formal name of the proceeding, including docket number or similar identifier; 2) the name and location of the body conducting the hearing or proceeding; and 3) the name, mailing address (if available) and contact information of the party offering or moving the document into evidence. Subsequent to the use of this document in the proceeding please notify SWGDE as to the outcome of the matter. Notifications should be submitted via the SWGDE Notice of Use/Redistribution Form or sent to secretary@swgde.org.

From time to time, SWGDE documents may be revised, updated, deprecated, or sunsetted. Readers are advised to verify on the SWGDE website (https://www.swgde.org) they are utilizing the current version of this document. Prior versions of SWGDE documents are archived and available on the SWGDE website.

Redistribution Policy:

SWGDE grants permission for redistribution and use of all publicly posted documents created by SWGDE, provided that the following conditions are met:

  1. Redistribution of documents or parts of documents must retain this SWGDE cover page containing the Disclaimer Regarding Use.
  2. Neither the name of SWGDE nor the names of contributors may be used to endorse or promote products derived from its documents.
  3. Any reference or quote from a SWGDE document must include the version number (or creation date) of the document and also indicate if the document is in a draft status.

Requests for Modification

SWGDE encourages stakeholder participation in the preparation of documents. Suggestions for modifications are welcome and must be submitted via the SWGDE Request for Modification Form or forwarded to the Secretary in writing at secretary@swgde.org. The following information is required as a part of any suggested modification:

  1. Submitter’s name
  2. Affiliation (agency/organization)
  3. Address
  4. Telephone number and email address
  5. Document title and version number
  6. Change from (note document section number)
  7. Change to (provide suggested text where appropriate; comments not including suggested text will not be considered)
  8. Basis for change

Intellectual Property

All images, tables, and figures in SWGDE documents are developed and owned by SWGDE, unless otherwise credited.

Unauthorized use of the SWGDE logo or document content, including images, tables, and figures, without written permission from SWGDE is a violation of our intellectual property rights.

Individuals may not misstate and/or overrepresent duties and responsibilities of SWGDE work. This includes claiming oneself as a contributing member without actively participating in SWGDE meetings; claiming oneself as an officer of SWGDE without serving as such; claiming sole authorship of a document; or using the SWGDE logo on any material and/or curriculum vitae.

Any mention of specific products within SWGDE documents is for informational purposes only; it does not imply a recommendation or endorsement by SWGDE.


1. Purpose

The purpose of this document is to describe the best practices for the collection of items that may contain digital evidence. These processes are designed to maintain the integrity of digital evidence. This document is limited to computers and other digital storage media.

2. Scope

This document provides basic information on the collection of items that may contain digital evidence. For the purposes of this document, “collector” refers to any personnel designated and trained to collect digital evidence. For guidance on recommended training and qualifications, see SWGDE 10-Q-002-3.0 Guidelines & Recommendations for Training in Digital & Multimedia Evidence [1].

Collection of digital evidence from mobile devices is beyond the scope of this document and is being covered in the draft SWGDE publication, SWGDE 18-F-003-2.0 Best Practices for Mobile Device Evidence Collection, Preservation, and Acquisition [2].

3. Limitations

This document is not intended to be a training manual, nor to replace organizational policy or standard operating procedures, nor should it be construed as legal advice. This document is not all-inclusive and does not contain information relative to specific commercial products. This document may not be applicable in all circumstances. When warranted, a collector may deviate from these best practices and still obtain reliable, defensible results. If collectors encounter situations warranting deviation from best practices, they should thoroughly document the specifics of the situation and actions taken.

This document is part of a set of best practice guides that includes SWGDE 17-F-002-2.0 Best Practices for Computer Forensic Acquisitions [3], SWGDE 18-F-001-1.0 Best Practices for Computer Forensic Examination, and SWGDE 18-Q-002-1.0 Requirements for Report Writing in Digital and Multimedia Forensics.

For information regarding mobile device collection see SWGDE 18-F-003-2.0 Best Practices for Mobile Device Evidence Collection, Preservation, and Acquisition [2].

4. Preparation

Preparing for the collection of digital evidence includes clear communication between the collector and investigative team. This communication includes the details of the investigation, the nature and scope of the potential evidence, and any unique constraints that could impact acquisition. Collectors should review the legal authority authorizing the search to determine what items may be collected.

The possibility of anti-forensics techniques (e.g., destructive or explosive devices and wiping technology) and encryption should be considered. Appropriate safety measures should always be paramount in planning, along with adherence to organizational policies and procedures.

5. Considerations

Prior to collecting digital evidence, consider collecting and preserving traditional forensic evidence (e.g., fingerprint, DNA, trace). Precautions should be taken to prevent exposure to evidence that may be contaminated with dangerous substances or hazardous materials.

Considerations should be taken to preserve evidence in accordance with appropriate best practice documentation such as SWGDE 17-F-002-2.0 Best Practices for Computer Forensic Acquisitions [3].

When collecting digital evidence, considerations should be taken to preserve the integrity of the data being acquired. Examiners should be aware that any live collection of data can alter and create evidence, and this should be documented as such. Acquisition is discussed later in this document as well as in SWGDE 17-F-002-2.0 Best Practices for Computer Forensic Acquisitions [3].

6. Data Integrity

Data integrity is the property that data is accurate, complete, of high quality, and protected from unauthorized changes in storage, during processing, and while in transit. The integrity of data is built on three core principles: accuracy, consistency, and reliability [2]. It is imperative that, while collecting digital evidence, proper measures are taken to maintain integrity.

The pursuit of data integrity begins at the initial identification of electronic data as evidence and carries through to the conclusion of an investigation. The management of data from acquisition through all subsequent stages of its lifecycle is an essential component of this process. Data handling and documentation should remain consistent throughout the lifecycle. Factors threatening data integrity include, but are not limited to, human error, security breaches, and lack of documentation. Best practices to limit or prevent these threats are discussed below.

7. Preparation

Proper preparation of digital storage media used for collections should be completed prior to any data collection and storage. Data sanitization of storage media should be performed to prevent cross-contamination.

8. Security

Security is instrumental to maintaining the integrity of data for reasons including maintaining the chain of custody and preventing unauthorized access or tampering. Security measures should be implemented on both logical and physical levels to prevent cross-contamination between cases or unauthorized access to the original evidence or forensic image. This can be accomplished by different means depending on the agency’s protocols and the type of evidence. It is incumbent upon the examiner to document all procedures used.

The examination area as well as the long-term storage area should be secure and restricted to authorized personnel (e.g., proper access controls and limited access to an evidence room or forensic laboratory).

9. Search

Remove all non-essential personnel from the proximity of the digital evidence, if possible. Consider dividing the scene into manageable sections (e.g., rooms) and documenting using photographs and sketches; label the scene in an identifiable manner.

Digital evidence collection personnel should recognize devices that may store data and information about the items containing the data (e.g., notes containing usernames, passwords, operating systems documentation, encryption recovery keys, and network credentials). See Section 11 Documentation, for more information on documenting the evidence location.

It is important to determine the computer system’s or digital media’s operational state. For example, a computer in standby mode may appear to be powered down, but it is not and should be handled as a running system. If a computer is powered off, do not turn on the computer.

Observe the system for any potential destructive activity. If a destructive activity is found, stop the activity and document all actions taken. If it is a desktop computer, pull the power plug from behind the machine, or in the case of a laptop, pull the power cord and, if possible, remove the battery. If applicable, isolate the computer system from any network connectivity.

Consider the capture of random access memory (RAM) and other volatile data from the operating system, see SWGDE 17-F-002-2.0 Best Practices for Computer Forensic Acquisitions [3].

Where permitted, the search should be comprehensive. This could include external storage media, which may be connected via network, disguised storage, and other non-standard media. If any of the following situations are encountered, collections specialists should consider consulting more experienced personnel:

  • Live systems with file or disk encryption
  • Running systems displaying documents or other files of interest
  • Running systems acting as virtual machine hosts
  • Enterprise class storage systems such as Storage Area Networks (SANs)
  • IoT devices (e.g., home automation, media streaming devices)

(See SWGDE 17-F-002-2.0 Best Practices for Computer Forensic Acquisitions [3], SWGDE 18-F-003-2.0 Best Practices for Mobile Device Evidence Collection, Preservation, and Acquisition [2], and SWGDE 23-F-003-1.0 Best Practices for Internet of Things (IoT) Seizure and Analysis [4] for more information.)

As soon as practical, store and secure evidence to prevent loss, contamination, or deleterious change.

10. Acquisition

The pursuit of data integrity begins at the acquisition phase by ensuring data is acquired from a reliable source and best practices are implemented during the evidence collection. This provides reasonable assurance that the data represents accurate information [3].

11. Live Acquisitions

It is the examiner’s responsibility to employ the least invasive techniques on writable data collected from live running data sources, in order to preserve data integrity. Such sources include network data, remote servers and cloud services, live memory, and logical data in a decrypted state. Examiners should be aware that any live collection of data can alter and create evidence, and this should be documented as such [5].

12. Third-Party Productions

Data produced as preliminary evidence in an investigation and pursuant to legal process (e.g., subpoena or search warrant) is no exception to maintaining data integrity. Data maintained and produced by third parties (e.g., cloud storage providers and electronic service providers) can vary greatly in size, format, and quality. It is also often collected by non-forensic personnel using a variety of acquisition techniques. In an effort to maintain the integrity of third-party data, the original copy of the production should be hashed and documented to establish a baseline of the dataset. In instances where data is produced electronically, such as email attachments and cloud-based storage, a local static copy should be created and the source documented, such as by preserving the original email or the complete hyperlink.

Upon successful collection of the data, a cryptographic hash should be computed and documented (if not included by the data provider) to establish a baseline of the data set. A forensic working copy and an archive should be created. See SWGDE 23-F-004-1.0 Best Practices for Digital Evidence Acquisition, Preservation, and Analysis from Cloud Service Providers [5].

The data download links are usually time sensitive and may not be reproducible by other parties at later dates.

13. Hashing

Hashing of the original data, commonly referred to as an acquisition hash, should be done when an image of the data is being created. Hashing the evidence using multiple hashing algorithms is recommended to avoid hash collisions.

Digital Evidence submitted for examination should be maintained in such a way that the integrity of the data is preserved beyond reproach.

A verification hash of the image is calculated after the completion of acquisition. If the data contained within the forensic image/container file requires reexamination, verification can ensure the integrity of the data has not been compromised.
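The baseline-and-verify workflow of Sections 12 and 13 (hash the original production with more than one algorithm, record the result as a baseline, and re-hash later to verify the working copy) in code. This is an added example, not SWGDE’s own tooling; the directory layout, file name and file contents are constructed for the demonstration, and the manifest layout is an assumption.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timezone

ALGORITHMS = ("md5", "sha1", "sha256")  # several at once (Section 13) so one collision cannot hide a change

def hash_file(path, algorithms=ALGORITHMS, chunk_size=1 << 20):
    """Return {algorithm: hexdigest} for one file, read in chunks so large files fit in memory."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}

def build_baseline(root):
    """Hash every file under root: the acquisition-hash baseline of a production (assumed manifest layout)."""
    files = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            files.append({"path": os.path.relpath(full, root), "size": os.path.getsize(full),
                          "hashes": hash_file(full)})
    files.sort(key=lambda e: e["path"])
    return {"recorded_at": datetime.now(timezone.utc).isoformat(), "file_count": len(files),
            "total_bytes": sum(e["size"] for e in files), "files": files}

def verify_baseline(root, baseline):
    """Re-hash the copy and list discrepancies; an empty list means it still matches the baseline."""
    expected, problems = {e["path"]: e for e in baseline["files"]}, []
    for rel, entry in expected.items():
        full = os.path.join(root, rel)
        if not os.path.isfile(full):
            problems.append(f"missing: {rel}")
            continue
        current = hash_file(full, entry["hashes"].keys())
        problems += [f"{a} mismatch: {rel}" for a, d in entry["hashes"].items() if current[a] != d]
    for dirpath, _, names in os.walk(root):
        for name in names:
            rel = os.path.relpath(os.path.join(dirpath, name), root)
            if rel not in expected:
                problems.append(f"unexpected file: {rel}")
    return sorted(problems)

def demo():  # constructed production: hash it, keep the baseline, alter a file, re-verify
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "export.csv"), "w") as fh:
            fh.write("user,timestamp\nalice,2025-01-01T00:00:00Z\n")  # constructed sample data
        baseline = build_baseline(root)  # would be kept with the chain-of-custody record
        before = verify_baseline(root, baseline)
        with open(os.path.join(root, "export.csv"), "a") as fh:
            fh.write("mallory,2025-01-02T00:00:00Z\n")  # simulated alteration of the working copy
        after = verify_baseline(root, baseline)
    return {"file_count": baseline["file_count"], "before": before, "after": after}
```

The manifest returned by build_baseline also carries the file count, total size and per-file names that Section 14 asks to be recorded in the collection notes.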

14. Documentation

Appropriate chain of custody and any other agency required documentation should be created upon collection of data and maintained throughout the life of the case. Documentation should be completed in accordance with organizational guidelines and procedures. At a minimum, this documentation should include a chain of custody and evidence inventory.

Documentation may include a written description or photographs of the collection location, the device state (e.g., powered on/off, open files), and physical characteristics (e.g., damage, identifying marks, serial numbers, connections).

Detailed collection notes should be contemporaneously created, including, but not limited to, software employed, logs, reports, screenshots of the interface, downloaded data size, number of files, file names, and hash values. Additional relevant material relating to the collection should be considered, such as email correspondence.

The chain of custody documentation should be contemporaneous to the collection and include a description or unique identifier for the evidence, the date and time of receipt, and reflect all transfers. The record should easily identify each person (e.g., name and signature) taking possession of an item. Follow your agency’s procedures and policies.

Evidence inventories should contain a listing of the items collected and may be used for search warrant returns, report writing, or other reasons.

15. References

[1] Scientific Working Group on Digital Evidence. Guidelines & Recommendations for Training in Digital & Multimedia Evidence. SWGDE 10-Q-002-3.0. SWGDE, 2024, https://www.swgde.org/10-q-002/.

[2] Scientific Working Group on Digital Evidence. Best Practices for Mobile Device Evidence Collection, Preservation, and Acquisition. SWGDE 18-F-003-2.0. SWGDE, 2025, https://www.swgde.org/documents/draftsForPublicComment.

[3] Scientific Working Group on Digital Evidence. Best Practices for Computer Forensic Acquisitions. SWGDE 17-F-002-2.0. SWGDE, 2023, https://www.swgde.org/17-f-002/.

[4] Scientific Working Group on Digital Evidence. Best Practices for Internet of Things Seizure and Analysis. SWGDE 23-F-003-1.0. SWGDE, 2024, https://www.swgde.org/23-f-003/.

[5] Scientific Working Group on Digital Evidence. Best Practices for Digital Evidence Acquisition, Preservation, and Analysis from Cloud Service Providers. SWGDE 23-F-004-1.0. SWGDE, 2024, https://www.swgde.org/23-f-004/.

16. Additional Resources

Scientific Working Group on Digital Evidence. Best Practices for Computer Forensic Examination. SWGDE 18-F-001-1.0. SWGDE, 2018, https://www.swgde.org/18-f001/.

Scientific Working Group on Digital Evidence. Requirements for Report Writing in Digital and Multimedia Forensics. SWGDE 18-Q-002-1.0. SWGDE, 2018, https://www.swgde.org/18-q-002/.

17. History

Revision     Issue Date    History
1.0 DRAFT    01/11/2018    Initial draft created and SWGDE voted to release as a Draft for Public Comment.
1.0 DRAFT    04/17/2018    Formatted and technical edit performed for release as a Draft for Public Comment.
1.0 DRAFT    06/14/2018    No changes. SWGDE voted to publish as an Approved document.
1.0          07/11/2018    Minor editorial changes. Formatted and published as Approved version 1.0.
2.0 DRAFT    05/21/2025    Refresh of document due to 5-year review.
2.0 DRAFT    06/29/2025    SWGDE voted to release as a Draft for Public Comment. Formatted for release for public comment.

Version: 2.0 (6/30/2025)