SWGDE SOP For Computer Forensics v2


Scientific Working Group on Digital Evidence (SWGDE)

SWGDE
Model Standard Operating Procedures
for
Computer Forensics
Disclaimer:
As a condition to the use of this document and the information contained therein, the SWGDE
requests notification by e-mail before or contemporaneous to the introduction of this
document, or any portion thereof, as a marked exhibit offered for or moved into evidence in
any judicial, administrative, legislative or adjudicatory hearing or other proceeding (including
discovery proceedings) in the United States or any Foreign country. Such notification shall
include: 1) The formal name of the proceeding, including docket number or similar identifier;
2) the name and location of the body conducting the hearing or proceeding; 3) subsequent to
the use of this document in a formal proceeding please notify SWGDE as to its use and
outcome; 4) the name, mailing address (if available) and contact information of the party
offering or moving the document into evidence. Notifications should be sent to
[email protected]
It is the user's responsibility to ensure they have the most current version of this document.
It is recommended that previous versions be archived for future reference, as needed, in
accordance with that organization's policies.

Redistribution Policy:
SWGDE grants permission for redistribution and use of all publicly posted documents
created by SWGDE, provided that the following conditions are met:
1. Redistribution of documents or parts of documents must retain the SWGDE cover page
containing the disclaimer.
2. Neither the name of SWGDE nor the names of contributors may be used to
endorse or promote products derived from its documents.
3. Any reference or quote from a SWGDE document must include the version number
(or create date) of the document and mention if the document is in a draft status.

SWGDE Model Standard Operating Procedures Manual for Computer Forensics


June 17, 2011 (Version 2)
This document includes a cover page with the SWGDE disclaimer.



Table of Contents

INTRODUCTION ..... 8
  1. PURPOSE ..... 8
  2. SCOPE ..... 8
  3. DISCUSSION ..... 8

MINIMUM EXAM STANDARDS ..... 9
  1. PURPOSE ..... 9
  2. SCOPE ..... 9
  3. EXAMINATION REQUIREMENTS ..... 9
  4. EQUIPMENT PREPARATION ..... 9
  5. EXAMINATION REQUEST ..... 9
  6. EVIDENCE PRESERVATION ..... 9
  7. EXAMINATION ..... 9
  8. DOCUMENTATION ..... 10
  9. TOOL AND TECHNIQUE VALIDATION ..... 10

CASE PRIORITIZATION ..... 12
  1. PURPOSE AND SCOPE ..... 12
  2. CASE PRIORITIZATION ..... 12
    2.1 CASE PRIORITIZATION SPECIFICALLY FOR CRIMES AGAINST CHILDREN ..... 12
  3. EXCEPTIONS AND MODIFICATIONS TO CASE PRIORITIZATION ..... 13
  4. TRIAGE ..... 13
  5. RECOMMENDATION ..... 13

STANDARD OPERATING PROCEDURES MANUAL

ON-SCENE MODULE 1: EVIDENCE PRESERVATION: CRIME SCENE/FIELD RESPONSE ..... 21
  1. PURPOSE ..... 21
  2. SCOPE ..... 21
  3. EQUIPMENT ..... 21
  4. DEFINITIONS ..... 21
  5. LIMITATIONS ..... 21
    5.1 COMPUTERS ..... 21
      5.1.1 Networked ..... 21
      5.1.2 Non-networked ..... 22
      5.1.3 Removable Media ..... 22
      5.1.4 Handheld Digital Devices ..... 22
  6. PROCEDURES ..... 22
    6.1 GENERAL ..... 22
    6.2 COMPUTERS ..... 23
    6.3 REMOVABLE MEDIA ..... 23
    6.4 HANDHELD DIGITAL DEVICES ..... 24
  7. REFERENCES ..... 24
  8. NOTES ..... 24

ON-SCENE MODULE 2: LIVE MEMORY ACQUISITION ..... 25
  1. PURPOSE ..... 25
  2. SCOPE ..... 25
  3. EQUIPMENT ..... 25
  4. LIMITATIONS ..... 25
    4.1 COMPUTERS ..... 25
      4.1.1 Networked ..... 25
      4.1.2 Non-networked ..... 26
    4.2 REMOVABLE MEDIA ..... 26
    4.3 HANDHELD DIGITAL DEVICES ..... 26
  5. PROCEDURES ..... 26
    5.1 GENERAL ..... 26
    5.2 COMPUTERS ..... 27
    5.3 SHUTDOWN PROCEDURES ..... 27
    5.4 REMOVABLE MEDIA ..... 27
    5.5 HANDHELD DIGITAL DEVICES ..... 28
  6. REFERENCES ..... 28
  7. NOTES ..... 28

ON-SCENE MODULE 3: PREVIEW AND IMAGING ..... 29
  1. PURPOSE ..... 29
  2. SCOPE ..... 29
  3. EQUIPMENT ..... 29
  4. LIMITATIONS ..... 29
  5. PROCEDURE ..... 29
    5.1 LINUX PREVIEW ..... 29
    5.2 LINUX IMAGING ..... 30
    5.3 WINDOWS PREVIEW ..... 30
    5.4 WINDOWS IMAGING ..... 30
  6. REFERENCES ..... 30

ON-SCENE MODULE 4: MOBILE DEVICE COLLECTION ..... 31
  1. PURPOSE ..... 31
  2. SCOPE ..... 31
  3. EQUIPMENT ..... 31
  4. LIMITATIONS ..... 31
  5. PROCEDURE ..... 31
  6. REFERENCES ..... 31

LAB MODULE 1: EXAM PREPARATION: WORKSTATION ..... 32
  1. PURPOSE ..... 32
  2. SCOPE ..... 32
  3. EQUIPMENT ..... 32
  4. DEFINITIONS ..... 32
  5. LIMITATIONS ..... 32
  6. PROCEDURES ..... 32
  7. REFERENCES ..... 32

LAB MODULE 2: PHYSICAL INSPECTION ..... 33
  1. PURPOSE ..... 33
  2. SCOPE ..... 33
  3. MATERIALS EQUIPMENT (HARDWARE/SOFTWARE) ..... 33
  4. LIMITATIONS ..... 33
  5. PROCEDURES ..... 33
  6. REFERENCES ..... 33

LAB MODULE 3: WRITE PROTECTING MEDIA ..... 34
  1. PURPOSE ..... 34
  2. SCOPE ..... 34
  3. EQUIPMENT ..... 34
    3.1 HARDWARE ..... 34
    3.2 SOFTWARE ..... 34
  4. LIMITATIONS ..... 34
    4.1 GENERAL ..... 34
    4.2 SPECIFIC ..... 34
  5. PROCEDURES ..... 35
    5.1 HARD DISK DRIVES AND SOLID STATE STORAGE DEVICES ..... 35
    5.2 FOR IOMEGA ZIP AND JAZZ DISKS ..... 35
  6. REFERENCES ..... 35

LAB MODULE 4: WIPING MEDIA ..... 36
  1. PURPOSE ..... 36
  2. SCOPE ..... 36
  3. EQUIPMENT ..... 36
  4. LIMITATIONS ..... 36
  5. PROCEDURE ..... 36
  6. REFERENCES ..... 36

LAB MODULE 5: HARD DRIVE REMOVAL AND BIOS CHECK ..... 37
  1. PURPOSE ..... 37
  2. SCOPE ..... 37
  3. EQUIPMENT ..... 37
  4. LIMITATIONS ..... 37
  5. PROCEDURE ..... 37
  6. REFERENCES ..... 38

LAB MODULE 6: HARD DRIVE IMAGING PROTOCOL USING WINDOWS ..... 39
  1. PURPOSE ..... 39
  2. SCOPE ..... 39
  3. EQUIPMENT NEEDED ..... 39
  4. LIMITATION ..... 39
  5. PROCEDURES ..... 39

LAB MODULE 7: IMAGING PROTOCOL USING LINUX ..... 40
  1. PURPOSE ..... 40
  2. SCOPE ..... 40
  3. EQUIPMENT ..... 40
  4. LIMITATIONS ..... 40
  5. PROCEDURES ..... 40
    5.1 USING A LINUX BOOT DISC IN AN EVIDENCE COMPUTER ..... 40
    5.2 USING A LINUX WORKSTATION ..... 40
    5.3 IMAGE WITH LINUX ..... 40
  6. REFERENCES ..... 41
  7. NOTES ..... 41
    7.1 DEFINITIONS ..... 41

LAB MODULE 8: IMAGING A MACINTOSH COMPUTER ..... 42
  1. PURPOSE ..... 42
  2. SCOPE ..... 42
  3. MATERIALS/EQUIPMENT ..... 42
    3.1 HARDWARE ..... 42
    3.2 SOFTWARE (APPROVED AND APPROPRIATE VERSION) ..... 42
  4. DEFINITIONS ..... 42
  5. LIMITATIONS ..... 43
    5.1 MACINTOSH COMPUTERS ..... 43
    5.2 LINUX BOOT CD ..... 43
    5.3 WINDOWS COMPUTERS ..... 43
  6. PROCEDURES ..... 44
    6.1 BOOTING USING EXTERNAL MEDIA ..... 44
    6.2 TARGET DISK MODE ..... 45
    6.3 REMOVING HDD FROM THE EVIDENCE COMPUTER ..... 46
  7. REFERENCES ..... 46

LAB MODULE 9: CABLE ACQUISITION PROTOCOL ..... 47
  1. PURPOSE ..... 47
  2. SCOPE ..... 47
  3. MATERIALS EQUIPMENT (HARDWARE/SOFTWARE) ..... 47
    3.1 HARDWARE ..... 47
    3.2 SOFTWARE ..... 47
  4. LIMITATIONS ..... 47
    4.1 GENERAL ..... 47
  5. PROCEDURES ..... 47

LAB MODULE 10: HANDHELD/MOBILE DEVICES ..... 49
  1. PURPOSE ..... 49
  2. SCOPE ..... 49
  3. EQUIPMENT ..... 49
  4. DEFINITIONS ..... 49
  5. LIMITATIONS ..... 50
  6. PROCEDURES ..... 50
  7. REFERENCES ..... 51

LAB MODULE 11: EVIDENCE SEARCH PROTOCOL ..... 52
  1. PURPOSE ..... 52
  2. SCOPE ..... 52
  3. MATERIALS-EQUIPMENT (HARDWARE/SOFTWARE) ..... 52
    3.1 HARDWARE ..... 52
    3.2 SOFTWARE ..... 52
  4. LIMITATIONS ..... 52
    4.1 GENERAL ..... 52
  5. PROCEDURES ..... 52
    5.1 SEARCH PROCEDURES ..... 52
    5.2 SUSPECT IMAGE RESTORATION ..... 53



Introduction
1. Purpose
The purpose of this document is to create a working sample document that organizations
can utilize as a framework for producing their own documented Standard Operating
Procedures (SOPs).

2. Scope
It is designed to be functional for a single-person operation as well as for multiple-person
units and laboratory organizations.

3. Discussion
During the development of this document, SWGDE reviewed a variety of SOPs from a
broad selection of federal, state and local organizations. Organizations having a
requirement to document their procedures are encouraged to use this modular sample in
constructing their own SOPs. It should be noted that variations of this SOP design have
been successful in several labs currently accredited by ASCLD/LAB and FQS.
This modular approach will enable a lab to remove sections that it may not choose to
implement (e.g. Cell Phone Analysis or Macintosh Forensics). Each module of the SOP is
focused on the methodology to properly conduct an exam and does not intend to provide
step-by-step instructions. It is assumed that the examiner is properly trained and competent
in computer forensic analysis. (Refer to the SWGDE Training document.)
This document is designed with two components: the Laboratory Modules and the Scene
Modules. SWGDE understands that there are two areas of concern for handling evidence in
Law Enforcement: the laboratory, and the initial scene and/or point of collection. This
document attempts to address both concerns and is thus divided to address those two
issues. Additionally, this document is a work in progress; several modules are currently
being developed and will be included when completed.
Note
The sample SOPs noted below are given as examples only and should not be used as a step-by-step guide. This document must be revised to reflect your organization's policies and
procedures.
Any references to hardware and/or software are for illustrative purposes only and do not
constitute recommendation or endorsement.



Minimum Exam Standards
1. Purpose
This section describes an overview of the examination process.

2. Scope
This is information defining the structure of the examination process for the
individual examiner, unit or laboratory system.

3. Examination Requirements
4. Equipment Preparation
Hardware and software must be configured to prevent cross contamination.

5. Examination Request
All examinations must have a request. Communicate with the requestor to determine the
focus and parameters of the examination. A request for forensic services will include:
1. The type of examinations requested and the necessary legal authority. Attention
should be paid to whether the request requires examinations by other disciplines.
2. Any known safety hazards (e.g., chemical, bloodborne pathogens, etc.).
3. The identity of the party requesting the services and the date of the request.

6. Evidence Preservation
Digital evidence submitted for examination must be maintained in such a way that the
integrity of the data is preserved. Evidence must be handled in a manner preventing
cross contamination. If other forensic processing will be conducted, consult with
examiners in the appropriate disciplines.

7. Examination
Conduct examinations pursuant to the request and additional identified exams as
necessary pending appropriate legal authority. At a minimum, an examination must
consist of:
1. Visual Inspection - Determine the type of evidence, its condition and relevant
information to conduct the examination.
2. Forensic Duplication - Conducting an examination on the original evidence
media should be avoided if possible. Examinations should be conducted on
forensic duplicates or forensic image files.
3. Media Examination - Examination of the media should be completed in a
logical and systematic manner.
4. Evidence Return - Item(s) are returned to the appropriate location.
8. Documentation
While documentation may vary, the following items must be included:
1. Request
The examination request must be included.
2. Chain of Custody
The chain of custody must include a description of the item and a documented
history of each transfer.
3. Notes
Notes stemming from the examination shall include at a minimum:
1. Examiner communications regarding the case.
2. Review of legal authority (if necessary).
3. Procedural steps of the examination (with date(s)) in sufficient detail to allow
another forensic examiner, competent in the same area of expertise, to
identify what has been done and to assess the findings independently.
4. If multiple examiners are involved, the initials of the examiner performing each procedural step.
4. Examination Report
The report is to provide the reader with all the relevant information in a clear and
concise manner using standardized terminology. The examiner is responsible for
reporting the results of the examination.
Reports issued by the examiner must address the requestor's needs and contain
the following items:
1. Identity of the reporting organization.
2. Case identifier or submission number.
3. Identity of the submitter.
4. Date of receipt.
5. Date of report.
6. Descriptive list of items submitted for examination.
7. Identity and signature of the examiner.
8. Description of examination.
9. Results/conclusions/derived items.

9. Tool and Technique Validation


Tools and techniques are used to analyze digital data to find evidence regarding an
incident. The tool output may result in evidence to be introduced in a court trial. It is
necessary to have tools and techniques which provide reliable results.
Methods, procedures, and tools shall be validated before being used on evidence.
Validation can be performed by third parties if the application used within the
laboratory falls completely within the scope of the validation testing. Validation
testing should be performed whenever new, revised, or reconfigured tools, techniques
or procedures are introduced into the forensic process.
Testing of new technical procedures shall be accomplished using known data sets so
that the outcome shall be known. Procedure validation shall be conducted using the
standard workstations and software found in the laboratory. A validation testing plan
shall be developed to check that the procedure is suitable for the purpose intended and
produces repeatable results. If the testing does not produce the expected results, the
test documentation shall be compared to the procedure tested to ensure the procedure
was followed. The results of testing shall be documented in a report. A designated
reviewer shall conduct a technical review of the test results. The review shall be
documented including comments provided to the tester. The final results of testing
shall be submitted to the appropriate supervisor/lab director for approval/rejection. If
the test report is accepted and the procedure is appropriate for the purpose, the test
shall be signed as approved for use. Test records shall include but are not limited to:
test requests, data sets used, test notes, review documentation, and test reports with
appropriate signatures. Test records shall be retained and made accessible.
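As an added illustration, not part of the SWGDE document, the following Python harness shows what a validation test plan of the kind described above looks like when executed: a hypothetical imaging tool is run several times against a constructed known data set, each output is verified by hash (the same check that verifies a forensic duplicate in section 7), and a test record with notes, review comments and an approval decision is produced. The data set, its identifier, `acquire_correct`, `acquire_truncating`, the reviewer and approver names are all constructed for the example.

```python
"""Validation test harness: run an imaging tool against a known data set.

Added example, not SWGDE's own code. The tool under test is a hypothetical
acquire() function; a real plan would invoke the lab's imaging tool against a
reference drive whose contents and hash are known in advance.
"""
import hashlib
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Callable, List

# Constructed known data set: a deterministic 16 KiB byte pattern standing in
# for a reference drive. Because the content is fixed, the expected outcome
# (its SHA-256) is known before the test is run.
KNOWN_DATA_SET = bytes(range(256)) * 64
KNOWN_DATA_SET_ID = "REF-DS-0001"          # constructed identifier
EXPECTED_SHA256 = hashlib.sha256(KNOWN_DATA_SET).hexdigest()


def acquire_correct(source: bytes, block_size: int = 512) -> bytes:
    """Hypothetical tool under validation: block-wise copy of the source."""
    out = bytearray()
    for off in range(0, len(source), block_size):
        out += source[off:off + block_size]
    return bytes(out)


def acquire_truncating(source: bytes, block_size: int = 512) -> bytes:
    """Constructed faulty tool: silently drops the final block, the kind of
    defect a known data set exposes but an unverified live exam would not."""
    return source[:len(source) - block_size]


@dataclass
class TestRecord:
    """The test record the procedure requires to be retained."""
    test_request: str
    data_set_id: str
    expected_hash: str
    runs_requested: int
    observed_hashes: List[str] = field(default_factory=list)
    test_notes: List[str] = field(default_factory=list)
    result: str = "PENDING"            # PASS or FAIL once testing completes
    review_comments: List[str] = field(default_factory=list)
    approval: str = ""                 # supervisor / lab director decision


def validate_tool(tool: Callable[[bytes], bytes], test_request: str,
                  runs: int = 3) -> TestRecord:
    """Execute the validation plan: the tool must reproduce the known data set
    (suitable for purpose) on every run (repeatable)."""
    rec = TestRecord(test_request, KNOWN_DATA_SET_ID, EXPECTED_SHA256, runs)
    for i in range(1, runs + 1):
        image = tool(KNOWN_DATA_SET)
        digest = hashlib.sha256(image).hexdigest()
        rec.observed_hashes.append(digest)
        stamp = datetime.now(timezone.utc).isoformat(timespec="seconds")
        if digest == EXPECTED_SHA256:
            rec.test_notes.append(f"run {i} {stamp}: hash matches expected")
        else:
            rec.test_notes.append(
                f"run {i} {stamp}: MISMATCH ({len(image)} bytes acquired, "
                f"{len(KNOWN_DATA_SET)} expected)")
    suitable = all(h == EXPECTED_SHA256 for h in rec.observed_hashes)
    repeatable = len(set(rec.observed_hashes)) == 1
    if suitable and repeatable:
        rec.result = "PASS"
    else:
        rec.result = "FAIL"
        # Per the procedure: when the expected results are not produced,
        # compare the test documentation against the procedure before
        # concluding that the tool itself is at fault.
        rec.test_notes.append("expected results not produced; compare test "
                              "documentation to the procedure as tested")
    return rec


def technical_review(rec: TestRecord, reviewer: str, approver: str) -> TestRecord:
    """Designated reviewer documents the review; the supervisor/lab director
    approves or rejects. Both steps are recorded on the test record."""
    rec.review_comments.append(f"{reviewer}: reviewed {len(rec.observed_hashes)} "
                               f"runs, result {rec.result}")
    verdict = "approved for use" if rec.result == "PASS" else "rejected"
    rec.approval = f"{approver}: {verdict}"
    return rec


if __name__ == "__main__":
    for name, tool in (("good-imager", acquire_correct),
                       ("bad-imager", acquire_truncating)):
        rec = technical_review(validate_tool(tool, f"validate {name}"),
                               reviewer="reviewer (constructed)",
                               approver="lab director (constructed)")
        print(name, rec.result, rec.approval)
        for note in rec.test_notes:
            print("   ", note)
```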

Case Prioritization
1. Purpose and Scope
This policy discusses how digital evidence cases are received, triaged, prioritized, and
assigned for forensic analysis and/or criminal investigation.

2. Case Prioritization
Once a digital evidence examination request is accepted, the supervisor/lab director is
responsible for prioritization. Cases will be further prioritized within their individual
agency classifications. Generally, the supervisor/lab director will prioritize
examination requests based upon the facts known to him/her at the time of
prioritization. Digital evidence examination requests will be prioritized as follows:
NOTE: This is an example of case prioritization. Each agency/lab should establish
its own examination request priority.
1. Imminent credible threat of serious bodily injury or death to persons known or
unknown, including examinations of evidence necessary to further the
investigation of an at-large or unknown suspect who poses an imminent threat of
serious bodily injury or death to persons known or unknown.
2. Potential threat of serious bodily injury or death to person(s).
3. Sexual Crimes Against Children (see specifics below).
4. Imminent credible risk of loss of or destruction to property of significant value
including identity and financial theft, as well as system intrusions.
5. Immediate pending court date or non-extendable legal deadline.
6. Potential risk of loss of or destruction to property, or exam needed to further an
investigation.
2.1 Case Prioritization Specifically for Crimes Against Children
Examination requests that involve crimes against children shall be prioritized as
follows:
1. A child is at immediate risk of victimization.
2. A child is vulnerable to victimization by a known offender.
3. A child is vulnerable to victimization by a person in a position of trust
(parent, day care or health provider, coach, etc.).
4. A known suspect is aggressively soliciting a child or children.
5. A suspect is manufacturing, distributing or possesses either photographs or
videos that appear to be produced in a home or daycare setting with
domiciled and/or supervised children.
6. A suspect is in possession of a high-volume of child pornography and is a
repeat offender.
7. Any other form of child victimization.

3. Exceptions and Modifications to Case Prioritization
Under special circumstances, factors stated above or additional violations may add a
cumulative value to the prioritization of cases. On a case-by-case basis, the
supervisor/lab director may authorize that an examination request be given priority
outside of this policy.

4. Triage
Casework may be triaged to identify primary evidentiary items for examination and
eliminate items having no evidentiary interest to an investigation. Triage may
involve several methods, including review of item locations within the scene, on-site
preview, lab preview, etc. (For example, item location within a scene can be used to
judge probability of use: a computer found in the subject's bedroom has the highest
probability of having been used by the subject, whereas a computer found in a box in
the basement may have little value. Using on-site and lab preview can eliminate
computers not associated with the incident.)

5. Recommendation
The accompanying modules are intended to be selected to meet an organization's
needs and operational focus. These modules are examples and should be edited to
comply with the organization's methodology. The modules currently relate to two
areas of interest: the scene and the lab.

<Organization>
<Lab>

Standard
Operating
Procedures
(SOP)
Revision X
Issue Date: mm/dd/yyyy


Standard Operating Procedures Manual
Authorization and Approval Hierarchy
This authorization and approval section is designed to outline the Laboratory authorization for
the use of Standard Operating Procedures (SOP) and the methods used to deviate from or
implement changes to an SOP.
The technical responsibility for the forensic SOPs resides with the Laboratory Director. The
Director is responsible for major and minor deviations to SOPs. When major deviations are
requested, as outlined in the SWGDE Model Quality Assurance Manual (QAM) Section 5.4.1
General, the Director must sign the Major Deviation Request form in order for the deviation
to be implemented. Major Deviation requests from examiners will be routed, as applicable,
through their chain of command prior to being sent to the Director.
Only examiners and technical personnel authorized by the Lab Manager can use these SOPs
to conduct examinations or analyses. Use of these procedures by persons not authorized is
strictly prohibited.
Laboratory managers, forensic examiners, and technical personnel may request or make a
recommendation for a change or implementation of a procedure. The request should be in
writing and include an explanation.
Management will coordinate discussion and review of the requested changes in accordance
with unit policy. The Lab Director must approve all forensic SOPs before they can be issued.
Only tools approved for use by management shall be used.
All current practices and procedures are, at a minimum, annually reviewed per the QAM
Section 4.3 Document Control. Dissemination of SOPs in any form to entities outside the
laboratory shall be coordinated with the Quality Assurance Program Manager [QAPM]. The
Lab Director approves the incorporation of new and/or revised SOPs to this manual.

Approved:
Supervisor/Laboratory Director

Signature on file

Date: xx/xx/xx

<typed name>


STANDARD OPERATING PROCEDURES MANUAL
ON - SCENE MODULE 1: EVIDENCE PRESERVATION: CRIME SCENE/FIELD RESPONSE .... 21
1. PURPOSE: .... 21
2. SCOPE: .... 21
3. EQUIPMENT: .... 21
4. DEFINITIONS: .... 21
5. LIMITATIONS: .... 21
5.1 COMPUTERS: .... 21
5.1.1 Networked .... 21
5.1.2 Non-networked: .... 22
5.1.3 Removable Media: .... 22
5.1.4 Handheld Digital Devices: .... 22
6. PROCEDURES: .... 22
6.1 GENERAL: .... 22
6.2 COMPUTERS: .... 23
6.3 REMOVABLE MEDIA: .... 23
6.4 HANDHELD DIGITAL DEVICES: .... 24
7. REFERENCES: .... 24
8. NOTES .... 24
ON - SCENE MODULE 2: LIVE MEMORY ACQUISITION .... 25
1. PURPOSE: .... 25
2. SCOPE: .... 25
3. EQUIPMENT: .... 25
4. LIMITATIONS: .... 25
4.1 COMPUTERS .... 25
4.1.1 Networked .... 25
4.1.2 Non-networked: .... 26
4.2 REMOVABLE MEDIA: .... 26
4.3 HANDHELD DIGITAL DEVICES: .... 26
5. PROCEDURES: .... 26
5.1 GENERAL: .... 26
5.2 COMPUTERS: .... 27
5.3 SHUTDOWN PROCEDURES .... 27
5.4 REMOVABLE MEDIA: .... 27
5.5 HANDHELD DIGITAL DEVICES: .... 28
6. REFERENCES: .... 28
7. NOTES: .... 28

ON - SCENE MODULE 3: PREVIEW AND IMAGING...29
1. PURPOSE:.29
2. SCOPE:.29
3. EQUIPMENT:..29
4. LIMITATIONS: 29
5. PROCEDURE:..29
5.1
5.2
5.3
5.4

LINUX PREVIEW ..................................................................................................................................................29


LINUX IMAGING..................................................................................................................................................30
WINDOWS PREVIEW ...........................................................................................................................................30
WINDOWS IMAGING ...........................................................................................................................................30

6. REFERENCES:..30
ON - SCENE MODULE 4: MOBILE DEVICE COLLECTION.31
1. PURPOSE:.31
2. SCOPE:31
3. EQUIPMENT:..31
4. LIMITATIONS: 31
5. PROCEDURE:..31
6. REFERENCES:..31
LAB MODULE 1: EXAM PREPARATION: WORKSTATION..32
1. PURPOSE:.32
2. SCOPE:.32
3. EQUIPMENT:..32
4. DEFINITIONS:.32
5. LIMITATIONS:.32
6. PROCEDURES: 32
7. REFERENCES:..32
LAB MODULE 2: PHYSICAL INSPECTION..33
1. PURPOSE:.33
2. SCOPE:33
3. MATERIALS EQUIPMENT (HARDWARE/SOFTWARE):.33
4. LIMITATIONS:.33
5. PROCEDURES:.33
6. REFERENCES:..33

LAB MODULE 3: WRITE PROTECTING MEDIA.34
1. PURPOSE:.34
2. SCOPE:.34
3. EQUIPMENT:..34
3.1
3.2

HARDWARE .......................................................................................................................................................34
SOFTWARE ........................................................................................................................................................34

4. LIMITATIONS:.34
4.1
4.2

GENERAL ..........................................................................................................................................................34
SPECIFIC ...........................................................................................................................................................34

5. PROCEDURES:35
5.1
5.2

HARD DISK DRIVES AND SOLID STATE STORAGE DEVICES............................................................................................35


FOR IOMEGA ZIP AND JAZZ DISKS ...........................................................................................................................35

6. REFERENCES:..35
LAB MODULE 4: WIPING MEDIA..36
1. PURPOSE:.36
2. SCOPE:.36
3. EQUIPMENT:..36
4. LIMITATIONS:.36
5. PROCEDURE:36
6. REFERENCES:..36
LAB MODULE 5: HARD DRIVE REMOVAL AND BIOS CHECK..37
1. PURPOSE:.37
2. SCOPE:37
3. EQUIPMENT:..37
4. LIMITATIONS:.37
5. PROCEDURE:37
6. REFERENCES:..38
LAB MODULE 6: HARD DRIVE IMAGING PROTOCOL USING WINDOWS ..39
1. PURPOSE:.39
2. SCOPE:39
3. EQUIPMENT NEEDED:.39
4. LIMITATION:..39
5. PROCEDURES: ..39

LAB MODULE 7: IMAGING PROTOCOL USING LINUX.40
1. PURPOSE:.40
2. SCOPE:.40
3. EQUIPMENT:..40
4. LIMITATIONS:.40
5. PROCEDURES: 40
5.1
5.2
5.3

USING A LINUX BOOT DISC IN AN EVIDENCE COMPUTER ............................................................................................40


USING A LINUX WORKSTATION .............................................................................................................................40
IMAGE WITH LINUX .............................................................................................................................................40

6. REFERENCES:..41
7. NOTES:41
7.1

DEFINITIONS......................................................................................................................................................41

LAB MODULE 8: IMAGING A MACINTOSH COMPUTER42


1. PURPOSE:.42
2. SCOPE:.42
3. MATERIALS/EQUIPMENT..42
3.1
3.2

HARDWARE .......................................................................................................................................................42
SOFTWARE (APPROVED AND APPROPRIATE VERSION) .................................................................................................42

4. DEFINITIONS..42
5. LIMITATIONS 43
5.1
5.2
5.3

MACINTOSH COMPUTERS ....................................................................................................................................43


LINUX BOOT CD.................................................................................................................................................43
WINDOWS COMPUTERS ......................................................................................................................................43

6. PROCEDURES.44
6.1
6.2
6.3

BOOTING USING EXTERNAL MEDIA .........................................................................................................................44


TARGET DISK MODE ...........................................................................................................................................45
REMOVING HDD FROM THE EVIDENCE COMPUTER....................................................................................................46

7. REFERENCES46
LAB MODULE 9: CABLE ACQUISITION PROTOCOL47
1. PURPOSE:.47
2. SCOPE:47
3. MATERIALS EQUIPMENT (HARDWARE/SOFTWARE)..47
3.1
3.2

HARDWARE .......................................................................................................................................................47
SOFTWARE ........................................................................................................................................................47

4. LIMITATIONS..47
4.1 GENERAL .... 47
5. PROCEDURES .... 47
LAB MODULE 10: HANDHELD/MOBILE DEVICES .... 49
1. PURPOSE .... 49
2. SCOPE .... 49
3. EQUIPMENT .... 49
4. DEFINITIONS .... 49
5. LIMITATIONS .... 50
6. PROCEDURES .... 50
7. REFERENCES .... 51
LAB MODULE 11: EVIDENCE SEARCH PROTOCOL .... 52
1. PURPOSE .... 52
2. SCOPE .... 52
3. MATERIALS-EQUIPMENT (HARDWARE/SOFTWARE) .... 52
3.1 HARDWARE .... 52
3.2 SOFTWARE .... 52
4. LIMITATIONS .... 52
4.1 GENERAL .... 52
5. PROCEDURES .... 52
5.1 SEARCH PROCEDURES .... 52
5.2 SUSPECT IMAGE RESTORATION: .... 53

On - Scene Module 1: Evidence Preservation: Crime Scene/Field Response
1. Purpose:
The purpose of this procedure is to secure digital evidence located at a non-laboratory
location to preserve its integrity for further forensic processing.

2. Scope:
This SOP describes procedures to follow when providing digital forensics assistance at non-laboratory locations.

3. Equipment:
A digital forensics field response kit may contain some of the following:
1. Digital camera
2. Sterilized removable media
3. Forensic computer or laptop
4. Hardware write-blocking devices
5. Forensically sound boot disks
6. Mobile device acquisition tools
7. Tool kit (screw drivers, etc.)
8. Evidence Packaging Materials

4. Definitions:
Handheld Digital Devices - Portable devices that have digital storage and network
connectivity (see Glossary).
Removable Media - Digital storage media such as: CDs, DVDs, Zip disks, Jazz disks,
floppy disks, external hard drives, memory cards, thumb drives, SIM cards, etc.

5. Limitations:
5.1 Computers:
5.1.1 Networked
1. Unplugging a suspect computer from a network may cause data loss and could
potentially damage other computers on the network.
2. Computer networks can be technically complex and may prevent collection of
evidence in a timely manner. Note: If the system administrator is a suspect in
the case, assistance should be sought from personnel knowledgeable in the
network's operation.
5.1.2 Non-networked:
1. Powering down a suspect's computer may cause data loss and potentially
damage the operating system.
2. While securing the computer, if the analyst believes that evidence may be
destroyed or manipulated, the computer should be forcibly shut down.
5.1.3 Removable Media:
1. Most removable media is very small and often hard to locate and is often
overlooked.
2. Thumb drives may be obfuscated to thwart detection.
3. Some removable media is susceptible to immediate physical destruction.
5.1.4 Handheld Digital Devices:
1. Active devices are susceptible to data destruction due to network
communication.
2. Mobile devices may lose data or initiate additional security measures once
discharged or shut down.
3. Blocking RF signals: may drain the battery, may be expensive, are not always
successful and may result in the alteration of data.
4. Some components and devices are susceptible to immediate physical
destruction and should be physically secured.
5. A device may be protected with a password, PIN, token or other
authentication mechanism; the suspect may be queried for this information
during the initial interview.

6. Procedures:
These procedures should be adapted as necessary based upon the situation.
6.1 General:
1. Ensure the safety of all individuals at the scene.
2. Protect the integrity of evidence.
3. Evaluate the scene and formulate a search plan.
4. Identify potential evidence.
5. All potential evidence should be secured, documented, and/or photographed.
6. Conduct interviews.
7. Any item to be removed from the scene should be properly packaged and secured.
6.2 Computers:
1. The scene should be searched to determine if any wireless networks or networking
devices exist.
2. If the evidence computer or device is connected to a network:
a. Assistance should be sought from the system administrator in isolating the
computer or device from the network, presuming the administrator is not a
suspect in the case. Note: If the system administrator is a suspect in the case,
assistance should be sought from personnel knowledgeable in the network's
operation.
b. Isolate and remove the evidence computer or device from the network
immediately.
3. Document the location and condition of all computers and/or devices.
4. Document any open file(s) on the computer.
5. The examiner may choose to capture live memory. (see Live Capture SOP Module)
6. Shutdown procedures.
a. Pull the plug from the back of the computer, or when necessary normal
shutdown procedures should be utilized. When forcibly shutting down a
computer, the plug should be pulled from the back of the unit, not from the
outlet.
b. For laptops you must either push the power button until the system shuts off or
remove the battery.
c. Do not unplug an Uninterruptible Power Supply (UPS) backup unit to cut
power to a computer, because the battery in the UPS could power the computer
long enough to complete any destructive processes.
7. Document all connections to the computer.
8. Search the scene for passwords, account numbers, or other pertinent information.
6.3 Removable Media:
1. Document the location and condition of all removable media.
2. Remove any connected external media (e.g. external drives or thumb drives) after
the computer has been powered down.


6.4 Handheld Digital Devices:
1. Document the location and condition of all handheld digital devices, including on-screen data.
2. If possible, physically remove the battery from the device, otherwise power off the
device in the appropriate manner.
3. Search the scene for removable media, passwords, or other pertinent information.

7. References:
Electronic Crime Scene Investigation: A Guide for First Responders, US Dept. of Justice,
NCJ187736, July 2001, URL: http://www.ncjrs.org/pdffiles1/nij/187736.pdf
Guidelines on Cell Phone Forensics, NIST Special Publication 800-101, May 2007, URL:
http://csrc.nist.gov/publications/nistpubs/800-101/SP800-101.pdf
Best Practices for Mobile Phone Examinations, SWGDE, May 2009, URL:
http://www.swgde.org/documents/current-documents/2009-0521%20Best%20Practices%20for%20Mobile%20Phone%20Examinations%20v1.0.pdf
Best Practices For Seizing Electronic Evidence v.3: A Pocket Guide for First Responders, US
Secret Service, October 2006, URL: http://www.forwardedge2.usss.gov/pdf/bestPractices.pdf

8. Notes
None


On - Scene Module 2: Live Memory Acquisition
1. Purpose:
The purpose of this procedure is to describe the steps to acquire data stored in Random
Access Memory (RAM) and to secure digital evidence located at a non-laboratory location to
preserve its integrity for further forensic processing.

2. Scope:
This SOP describes procedures to follow when providing digital forensics assistance at non-laboratory locations.

3. Equipment:
A digital forensics field response kit may contain some of the following:
Digital camera
Sterilized removable media
Forensic computer
Hardware write-blocking devices
Forensically sound boot disks
Mobile device acquisition tools
Tool kit (screw drivers, etc.)
Evidence packaging materials

4. Limitations:
4.1 Computers
4.1.1 Networked
Unplugging a suspect computer from a network may cause data loss and could
potentially damage other computers on the network.
Computer networks can be technically complex and may prevent collection of
evidence in a timely manner. Note: If the system administrator is a suspect in the
case, assistance should be sought from personnel knowledgeable in the network's
operation.


4.1.2 Non-networked:
Powering down a suspect's computer may cause data loss and potentially damage
the operating system.
While securing the computer, if the analyst believes that evidence may be
destroyed or manipulated, the computer should be forcibly shut down.
4.2 Removable Media:
Most removable media is very small, often hard to locate and often overlooked.
Thumb drives may be obfuscated to thwart detection.
Some removable media is susceptible to immediate physical destruction.
4.3 Handheld Digital Devices:
Active devices are susceptible to data destruction due to network communication.
Mobile devices may lose data or initiate additional security measures once discharged
or shut down.
Blocking RF signals: may drain the battery, may be expensive, is not always
successful and may result in the alteration of data.
Some components and devices are susceptible to immediate physical destruction and
should be physically secured.
A device may be protected with a password, PIN, token or other authentication
mechanism; the suspect may be queried for this information during the initial interview.

5. Procedures:
These procedures should be adapted as necessary based upon the situation.
5.1 General:

1. Ensure the safety of all individuals at the scene.
2. Protect the integrity of evidence.
3. Evaluate the scene and formulate a search plan.
4. Identify potential evidence.
5. All potential evidence should be secured, documented, and/or photographed.
6. Conduct interviews.


7. Any item to be removed from the scene should be properly packaged and secured.

5.2 Computers:

1. The scene should be searched to determine if any wireless networks or
networking devices exist.
2. If the evidence computer or device is connected to a network:
   a. Assistance should be sought from the system administrator in isolating the
   computer or device from the network, presuming the administrator is not a
   suspect in the case. Note: If the system administrator is a suspect in the case,
   assistance should be sought from personnel knowledgeable in the network's
   operation.
3. Isolate and remove the evidence computer or device from the network
immediately.
4. Document the location and condition of all computers and/or devices.
5. Document and preserve any open file(s) on the computer.
6. Capture live memory (see Live Capture SOP Module).
7. Document all connections to the computer.

5.3 Shutdown procedures:

1. Pull the plug from the back of the computer, or when necessary normal shutdown
procedures should be utilized. When forcibly shutting down a computer, the plug
should be pulled from the back of the unit, not from the outlet.
2. For laptops you must either push the power button until the system shuts off or
remove the battery.
3. Do not unplug an Uninterruptible Power Supply (UPS) backup unit to cut power
to a computer, because the battery in the UPS could power the computer long
enough to complete any destructive processes.
4. Search the scene for passwords, account numbers, or other pertinent information.

5.4 Removable Media:

1. Document the location and condition of all removable media.
2. Remove any connected external media (e.g. external drives or thumb drives) after
the computer has been powered down.



5.5 Handheld Digital Devices:

1. Document the location and condition of all handheld digital devices including on-screen data.
2. If possible, physically remove the battery from the device, otherwise power off
the device in the appropriate manner.
3. Search the scene for removable media, passwords, or other pertinent information.

6. References:
Electronic Crime Scene Investigation: A Guide for First Responders, US Dept. of Justice,
NCJ187736, July 2001, URL: http://www.ncjrs.org/pdffiles1/nij/187736.pdf
Guidelines on Cell Phone Forensics, NIST Special Publication 800-101, May 2007, URL:
http://csrc.nist.gov/publications/nistpubs/800-101/SP800-101.pdf
Best Practices for Mobile Phone Examinations, SWGDE, May 2009, URL:
http://www.swgde.org/documents/current-documents/2009-0521%20Best%20Practices%20for%20Mobile%20Phone%20Examinations%20v1.0.pdf
Best Practices For Seizing Electronic Evidence v.3: A Pocket Guide for First Responders, US
Secret Service, October 2006, URL: http://www.forwardedge2.usss.gov/pdf/bestPractices.pdf

7. Notes:
None.
History:
Revision 1.0 1/12/2011
Revision 2.0 9/15/2011



On - Scene Module 3: Preview and Imaging
1. Purpose:
The purpose of this procedure is to describe the steps for previewing and imaging computers
and digital media on-scene.

2. Scope:
This procedure shall be followed when previewing and imaging computers and digital media
on-scene.

3. Equipment:
1. Linux boot media with preview/imaging software (Helix, Knoppix, etc.)
2. Forensic computer
3. Windows preview/imaging software (FTK Imager, EnCase, etc.)
4. Hardware write blocker for various hard drive interfaces (EIDE, SATA, SCSI, etc.)
5. Wiped and formatted destination hard drive if imaging using evidence files (.E01
files)
6. Wiped destination hard drive if imaging using a RAW data dump (forensic clone of
drive)

4. Limitations:
1. Failure to control the boot order of the computer may result in unintentional writes to
the computer's hard drive.
2. Laptop drives may require special hard drive interface adapters.
3. Hard drive removal from a computer may not be easily accomplished.
4. Previewing data on hard drives should be used for triage and not as an alternative to a
full forensic examination.
5. The quantity of data and the time to process digital media can be limiting factors.

5. Procedure:
5.1 Linux preview

1. Ensure the boot order of the subject computer is set to boot to the Linux media.
2. Boot the subject computer to the Linux media and preview the computer's hard
drive for evidence related to the case.


3. Document the findings of the preview.

5.2 Linux imaging

1. Ensure the boot order of the subject computer is set to boot to the Linux media.
2. Boot the subject computer to the Linux CD.
3. Image the computer's hard drive to the destination drive.
4. Verify and document the integrity of the image file(s) by comparing the
acquisition and verification hash values.

5.3 Windows preview

1. Remove the hard drive from the subject computer.
2. Attach the subject hard drive to the appropriate hardware write blocker.
3. Attach the write blocker to the forensic computer.
4. Boot the forensic computer and run the Windows preview/imaging software.
5. Preview the computer's hard drive for evidence related to the case.
6. Document the findings of the preview.

5.4 Windows imaging

1. Remove the hard drive from the subject computer.
2. Attach the subject hard drive to the appropriate hardware write blocker.
3. Attach the write blocker to the forensic computer.
4. Boot the forensic computer and run the Windows preview/imaging software.
5. Image the computer's hard drive to the destination drive.
6. Verify and document the integrity of the image file(s) by comparing the
acquisition and verification hash values.

6. References:
Preview/Imaging software user manual
Hardware write blocker user manual



On - Scene Module 4: Mobile Device Collection
1. Purpose:
The purpose of this procedure is to describe the steps to collect mobile devices.

2. Scope:
This procedure shall be followed when collecting mobile devices on-scene.

3. Equipment:
1. RF shielding device (e.g. Faraday bag, etc.)
2. Shielded power cable for mobile device

4. Limitations:
Placing a mobile device in an RF shield may cause the mobile device to increase its transmit
power in a search for a cell tower signal.
Removing power from a mobile device may prevent the extraction of data from the device
without the PIN or pass code.

5. Procedure:
1. Physically secure the mobile device.
2. Perform any other forensic examinations (biological testing, fingerprints, DNA, etc.).
3. Block the mobile device from receiving RF signals by placing the phone in Airplane mode
or using an RF shielding device.
4. Turn off the mobile device if unable to block the RF signals.
5. Submit the mobile device for examination as quickly as possible.
6. Remove the battery from the mobile device, if possible, if storing it for an extended time.
This will prevent the battery from corroding the inside of the mobile device.

6. References:
User manual for the mobile device



Lab Module 1: Exam Preparation: Workstation
1. Purpose:
The purpose of this procedure is to prepare workstation system drives used in forensic
casework to a default state in order to ensure that no cross contamination occurs between
cases.

2. Scope:
This procedure applies to personnel who prepare workstation system drives used in forensic
examinations.

3. Equipment:
1. Forensic Workstation
2. Software for creating and restoring system images
3. System Image

4. Definitions:
System drive: the drive that contains the operating system (OS).
System image: factory default or user created image of the drive that is used to restore
the hard drive(s) on the forensic workstation.

5. Limitations:
Failure to sanitize the information from a previously used hard drive can lead to potential
contamination of a new case.

6. Procedures:
1. If a previously created system image is available, skip to step 5.
2. If no previously created system image is available use the original system restoration
discs.
3. Install necessary software and configure the new system.
4. Use a backup utility to create the image of the system.
5. Restore the system drive using the prepared system image.

7. References:
None



Lab Module 2: Physical Inspection
1. Purpose:
The purpose of this procedure is to properly catalogue and document the condition of digital
evidence.

2. Scope:
This procedure applies to all submitted digital evidence.

3. Materials/Equipment (Hardware/Software):

1. Tool kit (screw driver, etc.)
2. Camera.

4. Limitations:
Some manufacturers of computers have mechanisms that alert the user the computer case has
been opened.

5. Procedures:
It is recommended that the examiner become familiar with computers or devices before
taking the following steps.
1. Assess the potential for a destructive device, biological contaminant or hazardous
material and take appropriate action.
2. Photograph evidence items if necessary.
3. Label submitted evidentiary items in accordance with quality assurance manual.
4. If applicable, remove the cover from the case in order to:
a. Locate and identify internal components.
b. Document serial/model numbers if necessary.
c. Check power leads and cabling and document abnormalities.
5. Upon completion of the hardware examination, replace the cover and secure the case, if
applicable.

6. References:
See user manuals for specific software and hardware.
Quality Assurance Manual Practices for Evidence Control.



Lab Module 3: Write Protecting Media
1. Purpose:
The purpose of this procedure is to preserve the integrity of the evidence during examination
by preventing alterations.

2. Scope:
This procedure applies, when possible, to all digital storage media and/or devices that have
been submitted for examination.

3. Equipment:
3.1 Hardware

1. Write protection hardware
2. Internal or external hard drive
3. Removable media (e.g., flash media, floppy disk or tapes)

3.2 Software

Write protection software utilities:
1. Hard Disk Write Lock (HDL RCMP Tool)
2. Forensic Boot CD
3. Write Blocker XP/2K (ACESLE Tools)
4. Unix/Linux command mount -r (Read only: all Unix/Linux recognized file
systems)

4. Limitations:
4.1 General
Write protection software may not protect against programs using direct access
writes to media.
Write protection software in a network/RAID environment may not be applicable.

4.2 Specific
Write Blocker XP: Not recommended for use with USB floppy drives or USB
CD/DVD writers.
Unix/Linux command mount -r: Only effective for the file system(s) mounted
as read only. Will not provide protection at the device level. May not mount all
file systems. May not provide full protection when mounting a journaled file
system.



IDE Jazz and Zip drives: None of the write protection hardware above has been
verified to effectively write protect this type of media.

5. Procedures:
Original evidence must be write-protected when possible. Built-in write protection
mechanisms must be utilized whenever available to complement hardware and software write
protection. If write protection is not possible, this must be documented.
5.1 Hard Disk Drives and Solid State Storage Devices

For hard disk drives and solid state storage devices (e.g. USB thumb drives, memory or
flash cards) the following two methods can be used together or separately:
1. Follow the manufacturer's instructions when using a hardware write-protect
device.
2. Use the appropriate operating system or boot media when using software write
protection. If write protection software was not started during the boot process,
initiate write protection software prior to attaching the media.

5.2 For Iomega Zip and Jazz disks

1. Iomega Zip and Jazz disks utilize a proprietary software utility that changes a
storage location on the media to indicate a write protected or read only state.
Use the appropriate OS version of Iomega Tools to make the disk read only.
Whenever possible, use software write protection.

6. References:
See specific user manuals for listed software and hardware.



Lab Module 4: Wiping Media
1. Purpose:
The purpose of this procedure is to overwrite all data on media (commonly known as
wiping). Wiping is used to sanitize target media prior to the examination process and
ensures that no cross-contamination occurs between cases.

2. Scope:
This procedure applies to media authorized to be wiped.

3. Equipment:
1. Forensic Workstation or other hardware wiping device
2. Wiping Software
3. Digital Media

4. Limitations:
None.

5. Procedure:
1. Connect the target media to the forensic workstation or hardware wiping device.
2. Use wiping software or device to overwrite all sectors of the hard drive.
3. Ensure media is successfully wiped prior to use for examination purposes.

6. References:
See user manuals for wiping software and hardware.



Lab Module 5: Hard Drive Removal and BIOS Check
1. Purpose:
The purpose of this procedure is to describe the steps to remove the hard drive(s) from
computers submitted for examination and to check the BIOS settings.

2. Scope:
This procedure shall be followed when the removal of a hard drive is required.

3. Equipment:
1. Tool kit (screw driver, etc.)
2. Digital camera

4. Limitations:
1. Removing hard drives from some devices may not be an option.
2. The hard drives removed from laptop computers can be imaged using the same
procedures as those removed from desktop computers. An adapter may be necessary to
connect a laptop hard drive to the forensic workstation.
3. Some laptop hard drive/motherboard combinations may have security devices which do
not allow them to be accessed outside of the laptop computer. Image these computers
using a cable acquisition procedure or by booting the laptop using a forensic operating
system environment.
4. On some older or proprietary BIOS/CMOS chips, a setup disk (floppy) provided by the
manufacturer is needed to access the BIOS.
5. On some systems, accessing BIOS with the drives disconnected may change the boot
sequence.
6. Access to BIOS/CMOS can be protected by a password. Some manufacturers can
provide a master password.
7. Precautions should be used to guard against electrostatic discharges.

5. Procedure:
1. Open the case on the computer and photograph the hard drive(s) of the computer.
2. Mark the power cords and data ribbons/connectors connecting the hard drive to the
evidence computer.
3. Remove the hard drive(s) from the evidence computer.
4. Label the hard drive(s) removed from the evidence computer with appropriate case
information.


5. Document the drive information such as make, model, serial number, capacity, etc.
6. With all hard drives removed, boot the evidence computer into the BIOS and document
the BIOS and actual date/time.

6. References:
None



Lab Module 6: Hard Drive Imaging Protocol Using Windows
1. Purpose:
The purpose of this procedure is to use a Microsoft Windows operating system to create a
forensically sound image of evidence hard drives.

2. Scope:
This is the procedure to be utilized by all personnel who image digital evidence while using
the Microsoft Windows operating systems.

3. Equipment Needed:
1. Forensic workstation.
2. Prepared target media.
3. Validated forensic imaging hardware or software.

4. Limitation:
There may be instances when an evidence hard drive cannot be forensically imaged. In these
instances, attempts to properly image the hard drive must be completely documented.

5. Procedures:
1. Attach the evidence hard drive to the forensic workstation using a write-blocking device.
2. Boot the forensic workstation into the Windows OS.
3. Obtain a hash value of the evidence item before imaging.
4. Image the evidence to the target drive using imaging software.
5. Remove the evidence hard drive from the forensic workstation.
6. Verify and document the integrity of the image file(s) by comparing the acquisition and
verification hash values.



Lab Module 7: Imaging Protocol Using Linux
1. Purpose:
The purpose of this procedure is to use a Linux operating system to create a forensic image
of evidence items without altering the data.

2. Scope:
This procedure describes the steps to image digital evidence using Linux.

3. Equipment:
1. Forensic workstation
2. Prepared target media
3. Bootable Linux operating system
4. Software for forensic imaging

4. Limitations:
The examiner must be aware of the Linux mounting process. Linux operating systems must
be tested to ensure all devices are mounted in a read-only state before use.

5. Procedures:
5.1 Using a Linux Boot Disc in an Evidence Computer

1. Boot the computer into its BIOS setup program.
2. Set the boot order to allow the Linux media to load first.
3. Insert the forensically sound Linux operating system (CD/USB device, etc.) and
boot the evidence computer.

5.2 Using a Linux Workstation

1. Boot the forensic workstation into the Linux OS.
2. Attach the evidence media to the forensic workstation.

5.3 Image with Linux

1. Obtain a hash value of the evidence item before imaging.
2. Attach target media and allow read and write permissions.
3. Image the evidence to the target media using imaging software.
4. Remove the evidence hard drive.
5. Verify and document the integrity of the image file(s) by comparing the
acquisition and verification hash values.
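The hash, image, verify sequence of steps 1, 3 and 5 above (the same steps appear in On-Scene Module 3 and Lab Module 6), as an added example that is not part of the SWGDE SOP: it uses coreutils only, substitutes a constructed sample file for the write-blocked evidence device, records acquisition and verification hashes in a log, and returns non-zero when they differ. Device paths and the log file name are placeholders.

```shell
#!/bin/sh
# Added example, not from the SWGDE SOP: acquisition hash, sector-by-sector image,
# verification hash, and the comparison the SOP asks the examiner to document.
# In casework SRC would be a write-blocked block device (placeholder: /dev/sdX);
# here a constructed sample file stands in for it so the script runs offline.

# Digest of a device or file. MD5 is the value the SOP names; a SHA-256 digest is
# recorded next to it so a later reviewer is not relying on MD5 alone.
md5_of()    { md5sum "$1" | awk '{ print $1 }'; }
sha256_of() { sha256sum "$1" | awk '{ print $1 }'; }

# Copy every 512-byte sector of SRC to DST. A regular file has no read errors;
# failing media would need a tool that zero-fills and logs bad sectors, and those
# gaps belong in the case notes (Lab Module 6, Limitation).
image_device() {
    dd if="$1" of="$2" bs=512 2>/dev/null
}

# Compare fresh digests of SRC and IMAGE. Returns 0 only when both MD5 and
# SHA-256 match.
verify_image() {
    src=$1; img=$2
    [ "$(md5_of "$src")" = "$(md5_of "$img")" ] &&
    [ "$(sha256_of "$src")" = "$(sha256_of "$img")" ]
}

# Steps 1, 3 and 5 of section 5.3 in one run. Every hash is appended to LOG before
# and after imaging; the exit status is 0 only on a verified image.
acquire_and_verify() {
    src=$1; dst=$2; log=$3
    printf 'acquisition  md5=%s sha256=%s src=%s\n' \
        "$(md5_of "$src")" "$(sha256_of "$src")" "$src" >> "$log"
    image_device "$src" "$dst" || { echo "RESULT imaging failed" >> "$log"; return 2; }
    printf 'verification md5=%s sha256=%s image=%s\n' \
        "$(md5_of "$dst")" "$(sha256_of "$dst")" "$dst" >> "$log"
    if verify_image "$src" "$dst"; then
        echo "RESULT VERIFIED: image hashes match evidence hashes" >> "$log"
        return 0
    fi
    echo "RESULT MISMATCH: image does not match evidence; do not proceed" >> "$log"
    return 1
}

# Constructed sample evidence (8 sectors of random bytes, not real case data).
work=$(mktemp -d)
dd if=/dev/urandom of="$work/evidence.bin" bs=512 count=8 2>/dev/null
acquire_and_verify "$work/evidence.bin" "$work/evidence.dd" "$work/hashes.log"
cat "$work/hashes.log"
```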


6. References:
Linux Desk Reference
Quality Manual

7. Notes:
7.1 Definitions
MD5 Hash: A 128-bit number that uniquely describes the contents of a file or
hard drive. This is the standard hash value used in computer forensics.
Forensic OS Drive: Hard drive containing the operating system and all of the
forensic software that will be used in the examination.
Forensically Sound Linux Operating System: A bootable Linux operating
system that runs entirely in the computer's memory and has been specifically
modified to mount all devices connected to the system in a read-only state (e.g.
Helix, Knoppix, etc.).
Target Media: The media that will be used in casework to receive forensic
images and upon which the processing of casework may be performed.



Lab Module 8: Imaging a Macintosh Computer
1. Purpose:
The purpose of this procedure is to properly create a forensic image of a device running the
Apple Macintosh operating system without altering the data. This procedure covers imaging
of Macs when the hard drive can be removed, as well as in situations when the hard drive
cannot be removed.

2. Scope:
This procedure applies to Macintosh computers.

3. Materials/Equipment
3.1 Hardware

1. Forensic Tower, Laptop, Portable Forensic Workstation, or Macintosh laptop
specifically used for Mac forensics analysis
2. Prepared external target drive

3.2 Software (approved and appropriate version)

1. Forensically sound, bootable CD for Power PC-based Macintosh hardware
2. Forensically sound, bootable CD for Intel-based Macintosh hardware

4. Definitions
MD5 Hash: A 128-bit number that uniquely describes the contents of a file or hard
drive. This is the standard hash value used in computer forensics.
Target Drive: The hard drive that will be used in casework to receive forensic images
and upon which the processing of casework may be performed.
FireWire Target Disk Mode: FireWire Target Disk Mode allows a Mac system to act
as if the entire computer were an external FireWire hard drive for another system. This
mode works at the firmware level before the operating system is engaged and booted. It
is entered by holding down the T key on the Mac system during the boot process.
Forensically Sound, Bootable CD for Power PC Macintosh Hardware: A
forensically sound, bootable CD for Power PC Macintosh hardware is a Linux operating
system variant on a CD that has been specially constructed for forensic examination of
live Macintosh systems that have the Power PC processor chips. The CD is forensically
sound due to the fact that all media on the system is placed in read-only mode.
Forensically Sound, Bootable CD for Intel-based Macintosh Hardware: A
forensically sound, bootable CD for Intel-based Macintosh hardware is a Linux operating
system variant on a CD that has been specially constructed for forensic examination of
live Macintosh systems that have the Intel processor chips. The CD is forensically sound
due to the fact that all media on the system is placed in read-only mode.
fstab: fstab is a configuration file that contains information for all of the partitions and
storage devices in a Linux-based computer. fstab contains information concerning how
and where the partitions and storage devices in a Linux-based system should be mounted.
HFS: Hierarchical File System (HFS) is a file system developed by Apple for use in
computers running Mac OS. HFS is also referred to as Mac OS Standard.
HFS+: HFS Plus or HFS+ is a file system developed by Apple to replace their
Hierarchical File System (HFS) as the primary file system used in Macintosh computers
(or other systems running Mac OS). HFS Plus is an improved version of HFS,
supporting much larger files (block addresses are 32-bit length instead of 16-bit) and
using Unicode for naming the file items. HFS Plus also uses a full 32-bit allocation
mapping table, rather than HFS's 16 bits. HFS Plus is also referred to as Mac OS
Extended.

5. Limitations
5.1 Macintosh Computers

1. Be sure to plug in a power cable to any MacBook or other Macintosh laptop to be
previewed. Do not allow a laptop to run on battery power during a preview or
acquisition if the appropriate AC power cord is available.
2. If an Intel based Macintosh in dual boot firewire mode is attached to a Windows
system, the Windows partition, if present, will be mounted.
3. If an open firmware password is enabled, it will not be able to be accessed while the
HDD is connected to that computer.
4. An Intel based Macintosh does not have open firmware; the only way to determine
if there is a boot password is to boot with the option key depressed.
5. If you are using another Mac as the examination platform, make sure that you turn
off DiskArbitration otherwise there may be inadvertent writes to the evidence Mac
system.

5.2 Linux Boot CD

1. Will only work with an Intel based Macintosh.

5.3 Windows Computers

1. NEVER use a Microsoft Windows operating system to preview or image a live
Macintosh system. Microsoft operating systems touch drives during the boot
sequence and hence modify the data of the evidence computer.


6. Procedures
Macintosh computers which have an open firmware password enabled will prevent booting
with external media and target disk mode from working properly. The examiner must then
remove the hard drive for imaging or be able to obtain or defeat the open-firmware password
on the evidence computer.
6.1 Booting using external media

Note: If using external media with OS X, disable auto-mounting or disk arbitration.

1. Verify that the computer is powered off.
2. Insert a boot disc in the evidence computer. Attach wiped and formatted media to
the evidence computer to store the forensic image.
3. While holding down the appropriate key(s), boot the evidence computer.
4. Observe the bootable external media device and display screen carefully to make
sure that the system is accessing the boot media. If there are no indications that the
computer is accessing the boot media, turn off power to the computer immediately.
5. When the forensically sound Linux environment has fully loaded, open up a
terminal session.
6. Navigate to the /etc directory.
7. Edit the fstab file using vi or another text editor. Navigate to the entry in the
fstab file that corresponds to the HFS partition on the evidence computer's hard
drive and change the partition type from hfs to hfsplus.
8. If there is a need to copy data off of the evidence computer during the preview, the
target drive must be mounted as read/write in the fstab file by changing the ro
characteristic (Read-Only) to rw (Read-Write). Be cautious to ensure that only
the target drive is mounted as Read-Write.
9. Save the changes to the fstab file and close the terminal session. The changes to the
fstab file allow the forensically sound Linux environment to properly read the file
system on newer Macintosh systems while remaining in a read-only state. Because
this file remains in the active memory of the computer it remains forensically sound
and does not touch the suspect computer.
10. If using the GUI, click once on the Mac hard drive icon to mount the drive. Repeat
this process for the target drive (if used) to mount the target drive. If using the
command line, mount both the suspect drive and the target drive.
11. Use a hashing program to obtain the MD5 hash value of the evidence item before
imaging.
12. Image the evidence computer to the target drive.


13. If the examiner desires to analyze the data from the evidence computer in the native
(Mac) format then the image file must be saved in raw/DD format as a single file.
14. Verify the forensic image was successfully completed.
15. Shut down the evidence and forensic computers and disconnect the Firewire cable.
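The fstab edits of steps 7 to 9 above, carried out with awk on a constructed sample as an added example (not from the SOP, and not the fstab of any actual boot CD): the hfs entry becomes hfsplus, exactly one mount point is switched from ro to rw, and an audit function rejects a file in which any other volume has lost its ro option. Device names and mount points are placeholders.

```shell
#!/bin/sh
# Added example, not from the SWGDE SOP: the fstab edits of section 6.1 (steps 7-9)
# done with awk on a constructed sample. Device names are placeholders; on a real
# boot CD the file is /etc/fstab and the examiner edits it in place.

# Constructed sample, not a real system's fstab: sda2 is the evidence HFS volume,
# sdc1 the prepared target drive, every data volume read-only to begin with.
SAMPLE_FSTAB='# constructed sample fstab
/dev/sda2 /media/sda2 hfs ro,noauto,users,exec 0 0
/dev/sda3 none swap defaults 0 0
/dev/sdb1 /media/sdb1 vfat ro,noauto,users,exec 0 0
/dev/sdc1 /media/sdc1 ext3 ro,noauto,users,exec 0 0'

# Step 7: the HFS entry becomes hfsplus so the volume is readable on newer Macs.
# Only field 3 (type) changes; the ro option is untouched.
hfs_to_hfsplus() {
    awk '$1 !~ /^#/ && $3 == "hfs" { $3 = "hfsplus" } { print }'
}

# Step 8: switch the mount point given as $1 (the target drive) from ro to rw.
# Every other line is passed through unchanged.
target_rw() {
    awk -v t="$1" '
        $1 !~ /^#/ && $2 == t {
            n = split($4, o, ",")
            for (i = 1; i <= n; i++) if (o[i] == "ro") o[i] = "rw"
            $4 = o[1]; for (i = 2; i <= n; i++) $4 = $4 "," o[i]
        }
        { print }'
}

# Step 9 check ("ensure that only the target drive is mounted as Read-Write"):
# exit 0 only if the target is rw and every other data volume still carries ro.
check_only_target_rw() {
    awk -v t="$1" '
        function has(opts, w,   n, o, i) {
            n = split(opts, o, ",")
            for (i = 1; i <= n; i++) if (o[i] == w) return 1
            return 0
        }
        /^#/ || NF < 4 || $3 == "swap" { next }
        $2 == t { if (!has($4, "rw")) bad++; next }
        !has($4, "ro") { bad++ }
        END { exit (bad ? 1 : 0) }'
}

# Apply steps 7 and 8 to the sample for a given target mount point.
prepare_fstab() {
    printf '%s\n' "$SAMPLE_FSTAB" | hfs_to_hfsplus | target_rw "$1"
}

# Stand-alone run: edit, then audit, for target /media/sdc1.
prepare_fstab /media/sdc1
if prepare_fstab /media/sdc1 | check_only_target_rw /media/sdc1; then
    echo "fstab OK: only the target drive is read-write"
else
    echo "fstab REJECTED: a non-target volume is writable"
fi
```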
6.2 Target Disk Mode

1. Boot the evidence computer while holding down the Option key until the
selection dialog is presented. If the evidence computer presents a lock icon and a
password dialog box (Figure 1), there is a firmware password in place and the drive
cannot be imaged without the password. If icons for bootable partitions are visible,
then there is no firmware password and the drive may be imaged.

Figure 1

2. If no firmware password is installed, reboot the evidence computer while holding
down the T key until a FireWire logo is displayed (Figure 2). Selecting this boot
option will place the evidence computer into Target Disk mode.

Figure 2

3. Attach the evidence computer to the forensic computer via a FireWire connection.
4. Boot the forensic computer into a forensically sound operating system environment.
If using a Windows computer, the forensic computer must be booted with a
forensically sound Linux variant. If using a forensic Mac computer, the examiner
must mount the evidence computer in read-only mode. Disk Arbitration must be
turned off on the forensic computer.
5. Use a hashing program to obtain the MD5 hash value of the evidence item before
imaging.
6. Make a forensic image of the evidence computer onto the target drive. A single
disk image file (raw or DD format) must be used to view Mac data natively.
7. Verify the forensic image was successfully completed.
8. Shut down the evidence and forensic computers and disconnect the FireWire cable.
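Steps 5 to 7 above (hash the evidence item, write a single raw/DD image, verify the image) as an added example; this is not part of the SWGDE document and not any forensic tool's code. The evidence "drive" here is a constructed temporary file; on a real examination the source would be the device node of the write-blocked evidence drive, and the copy loop would normally be a validated forensic imager.

```python
import hashlib
import os
import tempfile

CHUNK = 1024 * 1024  # 1 MiB blocks: a whole disk never sits in memory


def md5_of(path):
    """MD5 of a device node or image file, streamed block by block."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def image_and_verify(source, image_path):
    """Hash the source, write one raw/DD image file, hash the image, compare.

    Returns (source_md5, image_md5, verified); 'verified' is the check that
    the forensic image was successfully completed.
    """
    source_md5 = md5_of(source)  # hash the evidence item before imaging
    with open(source, "rb") as src, open(image_path, "wb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            dst.write(block)  # raw byte-for-byte copy into a single file
        dst.flush()
        os.fsync(dst.fileno())  # make sure the image is on the target media
    image_md5 = md5_of(image_path)  # hash the finished image
    return source_md5, image_md5, source_md5 == image_md5


def demo():
    """Run against a constructed stand-in for an evidence drive (a temp file)."""
    with tempfile.TemporaryDirectory() as workdir:
        evidence = os.path.join(workdir, "evidence.bin")
        with open(evidence, "wb") as f:
            f.write(bytes(range(256)) * 4096)  # 1 MiB of constructed sample data
        return image_and_verify(evidence, os.path.join(workdir, "evidence.dd"))


if __name__ == "__main__":
    src_md5, img_md5, ok = demo()
    print(f"source MD5 {src_md5}\nimage  MD5 {img_md5}\nverified: {ok}")
```

MD5 is the algorithm this procedure specifies; many laboratories now record a second digest (for example SHA-256) alongside it, which here only means swapping `hashlib.sha256` into `md5_of`.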
6.3 Removing HDD from the evidence computer

1. Remove the hard drive or drives from the evidence computer and image them.
2. If the examiner desires to analyze the data from the evidence computer in the native
(Mac) format, then the image file must be saved in raw/DD format as a single file.

7. References
None at this time

Lab Module 9: Cable Acquisition Protocol
1. Purpose:
This procedure describes the steps to be taken in obtaining a forensic image using a network
crossover cable. The purpose of this procedure is to forensically image an evidence hard
drive still installed in the evidence computer when the evidence hard drive is impossible to
remove. This protocol provides a procedure for imaging these evidence hard drives without
making changes to the data on the evidence drives.

2. Scope:
This procedure applies to computers that have been submitted for examination.

3. Materials-Equipment (Hardware/Software)
3.1 Hardware

1. Forensic computer
2. Network crossover cable or parallel (laplink) cable
3. Wiped and formatted target media
3.2 Software

1. Forensic software

4. Limitations
4.1 General

1. Media that has sustained physical or mechanical damage and/or electronic failure
may not successfully or completely image.
2. Examiners should note that in order to use a network crossover cable, the evidence
computer must be equipped with a network interface card, and the forensic boot
disk must contain the DOS drivers for that network interface card.

5. Procedures
This procedure requires the use of a forensic tool that can function in a DOS or Linux
environment. (Examples include, but are not limited to, EnCase, LinEn, Raptor, and
SPADA.)
1. The evidence computer's BIOS/CMOS settings should be checked in a way that will not
access or boot the installed evidence hard drive. During this process, the evidence hard
drive can be removed from the evidence computer, or the power cable and data cable can
be removed from the evidence hard drive.
a. Check the BIOS/CMOS settings to be sure that the evidence computer will boot from
attached removable media devices, changing if necessary. This may not be possible
or obvious, as some computers do not display the required key(s) or may require a
proprietary disk utility to gain access to the BIOS/CMOS. If the BIOS/CMOS cannot
be accessed, the examiner should research a way to access the
BIOS/CMOS (e.g., reference materials, contacting the manufacturer, etc.).
b. Disable any power-saving features in the BIOS, as available.
c. Once the BIOS/CMOS settings have been checked and changed, as necessary, turn
off the evidence computer and reconnect the evidence hard drive to the evidence
computer.
2. Prepare a hard drive for storage of the forensic image and install it in/connect it to the
forensic computer.
3. Set up the evidence computer in server mode by booting into DOS/Linux using a
forensic tool that allows this (for example, EnCase, SPADA, LinEn, etc.). Server
mode is the mode that the evidence computer is put into to enable it to send data to a
forensic computer in a forensically safe manner for imaging. Always set up the
evidence computer in server mode first before setting up the forensic computer.
4. Connect the evidence computer and forensic computer using a network crossover
cable between the network interface cards, or connect the laplink cable from the
parallel port of the evidence computer to the parallel port of the forensic computer
(running through the dongle if a parallel port dongle is required).
5. Once the evidence computer has booted, run the forensic utility on the evidence
computer according to the tool's instructions.
6. Set up the forensic computer in client mode by booting the forensic computer into
DOS/Linux. Client mode is the DOS/Linux mode that the forensic computer is put
into to enable it to receive data from an evidence computer in a forensically safe
manner for imaging.
7. Prior to imaging the evidence hard drive, use a hashing program to obtain the MD5
hash value of the evidence drive.
8. When imaging is complete, follow the prompts to terminate the server/client mode and
power down the evidence computer.

Lab Module 10: Handheld/Mobile Devices
1. Purpose
This procedure may be used for examinations of Handheld/Mobile Devices to extract and/or
recover data that may have value as evidence in criminal investigations. The purpose of
these procedures is to establish a basic methodology for personnel conducting examinations
of Handheld/Mobile Devices. The primary reason for the establishment of these standards is
to ensure the techniques used conform to common industry practices.

2. Scope
This document applies to the forensic examination/data extraction of Handheld/Mobile
Devices, which may include mobile phones, personal digital assistants (PDA) and Global
Positioning System (GPS) devices.

3. Equipment
1. Forensic Computer Workstation
2. Forensic Analysis Software
3. RF shielding
4. Hardware Extraction Devices
5. Hardware/Software Write-blockers
6. SIM card reader
7. Appropriate charging cables and universal battery charging kit
8. Data cables or cradles
9. Manufacturer & 3rd Party software
10. Blank and/or Sterile Media (HD/CD/DVD or other removable devices)
11. Digital camera and camcorder

4. Definitions
PDA: Traditionally designed to be a personal organizer, but may include other features
such as web browsing.
Mobile Phones: This category includes both traditional cellular phones and
Smartphones. Cellular phones can provide voice communications, Short Message
Service (SMS) and Multimedia Message Service (MMS), and newer phones may also
provide Internet services such as Web browsing, instant messaging and e-mail.
Smartphones are a combination of cellular phones and PDAs, which allow users to
store information, e-mail, and install programs, along with using a mobile phone, in one
device.
Global System for Mobile Communications (GSM): Mobile phones using this
cellular system utilize a Subscriber Identity Module (SIM) card to store carrier-specific
information and some user information such as text (SMS) messages, call history and
phonebook information. Mobile phones utilizing GSM do not store the device's
assigned phone number.
Code-Division Multiple Access (CDMA): Mobile phones using this cellular
system do not incorporate a SIM card, and the device's assigned phone number is stored
on the mobile phone.
MicroRead: A process that involves the use of a high-power microscope to provide a
physical view of the electronic circuitry of memory. This would typically be used when
acquiring data from physically damaged memory chips.
Chip-Off: A process that involves the removal of a memory chip to conduct analysis.
Hex Dump: A process that provides a physical acquisition of a mobile phone's file
system. This may provide access to deleted data that has not been overwritten.
Logical: A process that provides access to the user-accessible files. This process will not
provide access to deleted data.
Manual: A process that involves manually using the keypad and handset display to
document data present in the mobile phone's internal memory.
GPS Device: A device utilizing the worldwide satellite navigational system formed by
24 satellites orbiting the earth and their corresponding receivers on the earth. These
devices come in a variety of styles, which may include vehicle-mounted, portable,
handheld, and wristband.

5. Limitations
Mobile phones present a unique challenge to examiners due to rapid changes in technology.
There are numerous models of mobile phones in use today. New families of mobile phones
are typically manufactured every three (3) to six (6) months. Many of these phones use
closed operating systems and proprietary interfaces making it difficult for the forensic
extraction of digital evidence.
Some software tools do not capture all of the data in the handheld's associated data fields.
This limitation can be identified through comparison of user records displayed on the mobile
phone/PDA with records extracted by the tool.

6. Procedures
1. Conduct examination pursuant to the request of the submitter and within the search
authorization/warrant or consent to search limitations and/or scope.
2. If possible, determine make and model of the device and acquire the user manual.
Research the user manual before removing the battery and/or powering on device to
ensure proper handling so as to not alter data. Replace the batteries quickly or charge the
device when required to prevent memory loss. If power is lost to the evidence, user data
may be lost.
3. Remove any media storage, such as a memory card, and process accordingly.
4. Protect the device from external signals and/or other inadvertent access by placing it in a
Faraday bag (or other approved device) before powering on. If airplane mode is available, engage
it immediately. Turn any wireless communication features off if the option is available to
the examiner.
5. If the phone has a SIM card, process it separately from the phone.
6. Determine the software/hardware that supports data extraction from the device as warranted.
Extract data using software tested and authorized for use.
7. If the phone is supported by a Hardware Extraction Device, the only preparation
necessary is a wiped USB device, such as a thumb drive, in order to store extracted data.
8. If the phone is supported by computer software, refer to Lab Module 1: Exam
Preparations: Workstation, Page 32, and Lab Module 4: Wiping Media, Page 36. Extract
data using supported software to a wiped USB device, such as a thumb drive.
9. Extracted data is verified by manually reviewing data on the device. Any variations must
be documented.

7. References
Refer to specific Owner's Manuals, User's Manuals and Software manuals for equipment
and operating instructions.

Lab Module 11: Evidence Search Protocol
1. Purpose
The purpose of this procedure is to provide a systematic means of searching digital evidence
in order to find the data of interest.

2. Scope
This policy applies to digital media.

3. Materials-Equipment (Hardware/Software)
3.1 Hardware

1. Forensic computer
3.2 Software

1. Forensic software

4. Limitations
4.1 General

1. Results will vary between different utilities due to the different methods and
algorithms being applied.
2. The examination is conducted pursuant to the request of the submitter and within
the search authorization or consent to search limitations.

5. Procedures
5.1 Search Procedures

Search procedures may include, but are not limited to, the following, depending on the
type of the case and scope of the search authority:
1. Identification of deleted or hidden partitions, folders, and/or files
2. Decompression or unpacking of compressed files
3. Identification of file signature and file header mismatches
4. Carving data from unallocated space, unused space, or file slack
5. Keyword/text string and/or regular expression searches
6. Use of hash sets to include or exclude known data sets
7. Registry analysis
8. Identification of user accounts
9. Internet history analysis
10. Communications analysis (email, chat messages, instant messaging, newsgroups)
11. Document file analysis (text files, spreadsheets, databases, presentations)
12. Graphics and movie file analysis
13. Program file analysis
14. Malware detection
15. Timeline analysis
16. Password cracking and encryption analysis
17. Counter-forensics analysis
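Items 3 and 6 of the list above (file signature/header mismatches and hash sets that include or exclude known data) as an added example, not part of the SWGDE document and not any forensic tool's code. The signature table covers a handful of common formats, and the sample files and the known-good/known-bad hash sets are constructed for the demonstration.

```python
import hashlib

# Leading bytes of a few common formats (well-known signatures).
MAGIC = {"jpg": b"\xff\xd8\xff", "pdf": b"%PDF-", "zip": b"PK\x03\x04", "exe": b"MZ"}

def detect_type(data):
    """Return the format whose signature matches the file header, or None."""
    for kind, sig in MAGIC.items():
        if data.startswith(sig):
            return kind
    return None

def header_mismatch(name, data):
    """True when the extension claims one known type but the header shows another."""
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    actual = detect_type(data)
    return actual is not None and ext in MAGIC and actual != ext

def triage(files, known_good, known_bad):
    """Give each (name, bytes) pair a verdict; hash sets hold SHA-1 hex digests."""
    verdicts = {}
    for name, data in files:
        digest = hashlib.sha1(data).hexdigest()
        if digest in known_bad:
            verdicts[name] = "known-bad"            # include: in a bad hash set
        elif digest in known_good:
            verdicts[name] = "known-good"           # exclude: known, uninteresting
        elif header_mismatch(name, data):
            verdicts[name] = "signature-mismatch"   # possibly renamed to hide it
        else:
            verdicts[name] = "review"
    return verdicts

# Constructed sample files and hash sets, not real evidence or a published hash set.
SAMPLE_FILES = [
    ("photo.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 16),
    ("hidden.jpg", b"MZ\x90\x00" + b"\x00" * 16),   # executable behind a .jpg name
    ("report.pdf", b"%PDF-1.4 sample"),
    ("dropper.exe", b"MZ\x90\x00" + b"\x01" * 16),
    ("notes.txt", b"just text"),
]
KNOWN_GOOD = {hashlib.sha1(b"%PDF-1.4 sample").hexdigest()}
KNOWN_BAD = {hashlib.sha1(b"MZ\x90\x00" + b"\x01" * 16).hexdigest()}

def demo():
    return triage(SAMPLE_FILES, KNOWN_GOOD, KNOWN_BAD)

if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:12} {verdict}")
```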
5.2 Suspect Image Restoration:

1. At times it may be necessary to view the evidence computer in a bootable state, just
as the suspect would have viewed it at the time it was in use. To do this, it is
acceptable to clone the evidence hard drive using a forensically prepared hard drive
of the same storage capacity or to restore an image file onto a forensically prepared
drive that has the same storage capabilities as the suspect drive. This additional
image/clone drive can then be inserted into the evidence computer and used to boot
the hardware.
2. Another option is to utilize virtual imaging technology to spawn a virtual computer
using the forensic image of the suspect's computer as the basis for the virtual
machine. This will allow the examiner to examine the suspect's computer in a
virtual environment that simulates the suspect's computer in its native state.

History
SWGDE Model Standard Operating Procedures Manual

Revision  Issue Date    Section  History
1         June 2011              Initial Release
          October 2011  3 & 4    Position Change in SOP Model. Moved On-Scene
                                 modules to beginning of manual and added Modules 3
                                 and 4.
