Scientific Working Group on
Best Practices for Computer Forensics
As a condition to the use of this document and the information contained therein, the SWGDE
requests notification by e-mail before or contemporaneous to the introduction of this document,
or any portion thereof, as a marked exhibit offered for or moved into evidence in any judicial,
administrative, legislative or adjudicatory hearing or other proceeding (including discovery
proceedings) in the United States or any Foreign country. Such notification shall include: 1) The
formal name of the proceeding, including docket number or similar identifier; 2) the name and
location of the body conducting the hearing or proceeding; 3) subsequent to the use of this
document in a formal proceeding please notify SWGDE as to its use and outcome; 4) the name,
mailing address (if available) and contact information of the party offering or moving the
document into evidence. Notifications should be sent to email@example.com
SWGDE grants permission for redistribution and use of all publicly posted documents created by
SWGDE, provided that the following conditions are met:
1. Redistributions of documents or parts of documents must retain the SWGDE cover page
containing the disclaimer.
2. Neither the name of SWGDE nor the names of contributors may be used to endorse or
promote products derived from its documents.
3. Any reference or quote from a SWGDE document must include the version number (or
create date) of the document and mention if the document is in a draft status.
SWGDE Best Practices for Computer Forensics
Version 2.1 (July 2006)
This document includes a cover page with the SWGDE disclaimer.
Page 1 of 11
The purpose of this document is to describe the best practices for computer forensics. This
document is not all inclusive and does not contain information relative to specific operating
systems or forensic tools. If you are not a computer