Evidence Tracking
Track digital and physical evidence with detailed metadata, chain of custody, legal ownership, and encrypted file attachments.
Understanding Evidence Items
Evidence items in DFIRe represent both digital artifacts and physical items being analyzed as part of an investigation. Each evidence item can have:
- Type-specific metadata - Fields defined by the evidence type (e.g., hash values, serial numbers, device info)
- Legal owner, primary user, and custodian - Track who owns the device, who was using it, and who currently has possession
- Storage location - Where the evidence is stored (physical location or digital path)
- Chain of custody - Formal record of custody transfers between entities and users
- Investigation status - Current stage of processing (e.g., "Identification", "Acquisition", "Analysis")
- Runbooks - Step-by-step procedural checklists for evidence handling
- Flags - Custom tags for categorization
- File attachments - Related files, always encrypted at rest
- Notes - Analysis notes and findings
Physical vs Digital Evidence
DFIRe supports both types of evidence:
- Physical evidence - Computers, hard drives, mobile phones, paper documents, SIM cards. Storage location refers to a physical location (e.g., "Evidence Locker A, Shelf 3").
- Digital evidence - Disk images, memory dumps, log files, network captures. Storage location can be a digital path (e.g., "\\fileserver\evidence\case001" or "/mnt/evidence/images/").
Large Files: Although DFIRe supports large file attachments, items like full disk images or large memory dumps are best stored using a dedicated file storage solution. Use the storage location field to reference external storage paths.
Evidence Hierarchy
Evidence items can be organized hierarchically. For example:
- A Laptop can be the parent of a Hard Drive (Internal)
- A Hard Drive can be the parent of a Disk Image
- A Mobile Phone can be the parent of a SIM Card
- A Server can be the parent of a Memory Image (RAM)
This hierarchy helps maintain chain of custody relationships between items.
Default Evidence Types
DFIRe ships with a comprehensive set of preconfigured evidence types. Administrators can modify these or create new types in System Settings > Evidence Types.
Physical Devices
| Type | Key Fields |
|---|---|
| Laptop | Serial Number, Hostname, MAC Address, Full Disk Encryption, User Password |
| Workstation | Serial Number, Hostname, MAC Address, Full Disk Encryption |
| Server | Hostname, IP Address, OS Version, Server Role, RAID Config, Is Virtual |
| Mobile Phone | IMEI, Make, Model, Passcode, SIM Present, Faraday Bag |
| Tablet | IMEI, Make, Model, Passcode, SIM Present |
| Hard Drive (Internal/External) | Serial Number, Capacity, Interface, Manufacturer, Acquisition Hash |
| Flash Media | Brand, Type (SD, USB), Capacity, Physical Description |
| SIM Card | ICCID Number, Carrier, Associated Phone Number |
| Network Device | Make, Model, IP Address, MAC Address, Admin Access, Logs Preserved |
| Drone / UAV | Manufacturer, FAA Registration, Serial Number, Onboard Storage |
| Paper Documents | Document Type, Page Count, Condition |
Digital Artifacts
| Type | Key Fields |
|---|---|
| Disk Image | Format (E01, RAW, VHD), Segment Size, Acquisition Hash, Source Drive Serial |
| Memory Image (RAM) | Source Hostname, OS Build/Profile, Size, Acquisition Tool, Acquisition Hash |
| Virtual Machine | Hostname, Format/Platform, IP Address, OS Version, Is Snapshot |
| Network Capture (PCAP) | Source, Capture Duration, Endpoints Count, Traffic Encrypted |
| Log File | Source System, Log Type, Format (EVTX, JSON), Period Start/End |
| Malware Sample | File Name, File Type, MD5/SHA256 Hash, Source URL, Is Live/Dangerous |
| Database | Database Role, Format, Contains Sensitive Content, Contains Payment Info |
| File | File Name, File Type, File Size, MD5 Hash |
Accounts & Identities
| Type | Key Fields |
|---|---|
| User Account | Username/Email, Platform (AD, Okta, Gmail), User ID, MFA Enabled, Status |
| E-Mail Account | Service Provider, Is Active, Is Shared Account |
| Email Message | Sender, Recipient, Subject, Message-ID, Format (MSG, EML) |
Adding Evidence
1. Open a case and go to the Evidence tab. You can also click "Add Evidence" from the case header.
2. Select the Evidence Type. Choose from the configured evidence types; this determines which fields are available.
3. Fill in the Evidence Details:
   - Name / Label: Descriptive name for the item
   - Parent Item: If this is a child item (e.g., disk image from a hard drive)
   - Storage Location: Physical location or digital path where evidence is stored
4. Set Ownership & Custody:
   - Legal Owner: Entity that owns the device (person or organization)
   - Primary User: Person who was using the device
   You can create new entities inline or select from existing ones.
5. Fill in Type-Specific Attributes. Complete the fields specific to your evidence type (serial numbers, hash values, etc.).
6. Click "Add Item". The evidence item will be created and you'll be taken to its detail view.
The Evidence Detail View
Click on any evidence item to view and manage it.
Sidebar
The left sidebar displays the evidence item information: type, name, location, legal owner, primary user, current custodian (derived from the latest chain of custody entry), hierarchy (parent/child items), flags, and technical attributes. It also shows a progress bar summarizing runbook completion across all attached runbooks.
Notes
Add analysis notes specific to this evidence item. Notes support markdown formatting.
Runbooks
View and work through attached procedural checklists. Runbooks from the evidence type are auto-attached on creation. Additional runbooks can be attached manually. See Runbooks for details.
Custody
Formal chain of custody records. Each entry records the transfer type (intake, transfer, correction, or released), the parties involved, location, and timestamp. Custody transfers automatically update the item's storage location. A printable receipt can be generated for paper records. See Chain of Custody below.
Attachments
Upload files related to this evidence item (acquisition logs, exported artifacts, screenshots).
History
Full audit trail of changes made to the evidence item.
Investigation Status Workflow
Evidence items progress through investigation statuses. The default workflow includes:
| Status | Description |
|---|---|
| Identification | Potential evidence identified |
| Acquisition | Evidence seized and imaged/secured |
| Processing | Indexing, hashing, and data extraction |
| Analysis | Investigator review and artifact correlation |
| Reporting | Findings documented and report generated |
| Archived/Returned | Case closed, evidence returned or stored long-term |
To change the status, click on the status badge in the evidence detail view.
Investigation workflow steps are configurable in System Settings > Investigation Steps. You can customize the workflow to match your organization's procedures.
Flags
Flags are customizable tags you can apply to evidence items for categorization. Default flags include:
| Flag | Description |
|---|---|
| Evidence | Contains evidence relevant to the case |
| No evidence | Contains no relevant evidence |
| Malware | Contains malware |
| Illegal content | Contains illegal content |
| Broken | Device is broken or file corrupted |
| Do not return | Do not return this item to owner |
Administrators can configure flags in System Settings > Flags.
Legal Entities
Legal entities represent the people and organizations associated with evidence. Entities are managed from the top navigation bar by clicking Entities (next to Dashboard and Search).
Entity Types
| Type | Use For |
|---|---|
| Natural Person | Individual people (employees, suspects, witnesses) |
| Organization | Companies, corporations, departments |
| Government Agency | Law enforcement, regulatory bodies |
| Team | Internal teams or working groups |
| Other | Any entity that doesn't fit the above categories |
Owner, User, and Custodian
Three distinct roles are tracked for each evidence item:
- Legal Owner - The entity that legally owns the item (often the employer in corporate investigations)
- Primary User - The person who was actually using the item (e.g., the employee whose laptop is being examined)
- Custodian - The entity or user who currently has physical or logical possession, determined by the chain of custody records
Owner and primary user are set when creating the evidence item. The custodian is derived automatically from the latest chain of custody entry and displayed in the evidence sidebar.
Entities are reusable across cases. When adding evidence, you can select existing entities or create new ones inline.
File Attachments
You can attach files to evidence items. Common use cases:
- Chain of custody forms
- Acquisition logs
- Analysis reports
- Exported artifacts
- Screenshots
Encryption
All attachments are encrypted at rest using AES-256-GCM. The encryption key is derived from:
- The tenant's master key
- The case-specific key
- An attachment-specific salt
Important: Attachment data is never stored unencrypted. Deleting the tenant, case, or evidence item renders all associated attachments permanently unreadable. There is no recovery mechanism - this is by design for security.
File Size Limits
DFIRe uses chunked uploads for files over 8 MB. The maximum file size for general attachments is 4 GB. Image files (for the evidence photo gallery) are limited to 32 MB.
Large forensic images (disk images, memory dumps) that exceed the upload limit are best stored on dedicated file storage infrastructure. Use the evidence item's storage location field to reference the external path.
Proxy configuration: If you use a reverse proxy (nginx, Traefik, etc.) in front of DFIRe, ensure it is configured with sufficient client_max_body_size (at least 4096M) and long timeouts (at least 3600 seconds) to handle large file uploads and downloads without dropping the connection. See the Deployment Guide for the recommended nginx configuration.
Chain of Custody
The chain of custody records who has had possession of an evidence item and when. This is critical for maintaining the legal integrity of evidence, particularly physical items like hard drives, laptops, and mobile devices.
Custody Transfer Types
| Type | When to Use |
|---|---|
| Intake | Evidence is entering or re-entering custody. The first intake establishes the chain; subsequent intakes record re-acquisition after a release. |
| Transfer | Evidence is moving from one custodian to another. The "from" party must match the current custodian. |
| Correction | The previous custody entry was incorrect. Use this to fix errors in the chain without deleting records. Requires a note explaining the correction. |
| Released | Evidence is released from custody (returned to owner, sent for destruction, etc.). The "from" party must match the current custodian. |
Recording a Custody Transfer
- Open the evidence item and go to the Custody tab
- Click "Record Custody Transfer"
- Select the transfer type (intake, transfer, correction, or released)
- Set the from and to parties — these can be legal entities or DFIRe users
- Record the date, time, and location
- Submit the transfer — the item's storage location will be updated automatically
Chain continuity: DFIRe enforces chain continuity. A transfer or release must come from the current custodian (the "to" party of the most recent entry). If the current custodian is incorrect, use a correction entry first.
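The continuity rules above (intake only when the item is not in custody, transfer and release only from the current custodian, corrections requiring a note, the custodian derived from the latest entry, and the storage location updated on every entry) as a small Python model. This is an added example, not DFIRe's own code; the class and field names and the custodian wording after a release are assumptions.

```python
from dataclasses import dataclass, field
from typing import Optional

TRANSFER_TYPES = ("intake", "transfer", "correction", "released")


@dataclass
class CustodyEntry:
    kind: str                  # intake | transfer | correction | released
    from_party: Optional[str]  # legal entity or DFIRe user; None for a first intake
    to_party: Optional[str]    # receiving party (analyst, lab, owner, ...)
    location: str              # where the item is after this entry
    note: str = ""             # mandatory for corrections


@dataclass
class EvidenceItem:
    name: str
    storage_location: str
    custody: list = field(default_factory=list)

    def in_custody(self) -> bool:
        return bool(self.custody) and self.custody[-1].kind != "released"

    def custodian(self) -> str:
        # Derived from the latest entry, as the sidebar does. The wording shown
        # after a release is an assumption made for this example.
        if not self.custody:
            return "No record"
        last = self.custody[-1]
        return last.to_party if last.kind != "released" else f"Released to {last.to_party}"

    def record(self, entry: CustodyEntry) -> str:
        """Append an entry only if it keeps the chain continuous; return the new custodian."""
        if entry.kind not in TRANSFER_TYPES:
            raise ValueError(f"unknown transfer type {entry.kind!r}")
        if entry.kind == "intake" and self.in_custody():
            raise ValueError("intake is only valid when the item is not in custody")
        if entry.kind in ("transfer", "released"):
            if not self.in_custody():
                raise ValueError("no current custodian; record an intake first")
            if entry.from_party != self.custodian():
                raise ValueError(f"'from' must be the current custodian {self.custodian()!r}")
        if entry.kind == "correction" and not entry.note.strip():
            raise ValueError("a correction requires a note explaining the fix")
        self.custody.append(entry)
        self.storage_location = entry.location  # every custody entry updates the location
        return self.custodian()
```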
Printable Custody Receipt
Click the Print button in the Custody tab to generate a printable receipt showing the complete chain of custody. This opens in a new browser tab as a clean, print-ready page. The receipt includes the evidence item details, all custody transfers, and a disclaimer noting that the electronic record in DFIRe is the authoritative document.
Optional: Chain of custody is not mandatory. Many evidence types (log files, memory images, documents) don't require formal custody tracking. The Custodian field in the sidebar will show "No record" for items without custody entries.
Related Evidence
From any evidence item's detail view, click Add Related Evidence to create a new item that is linked as a parent or child. This is useful for building evidence hierarchies without navigating back to the case view — for example, creating a disk image item directly from the hard drive it was acquired from.
Evidence Organization
The Evidence tab displays items in a tree-list view that shows the parent-child hierarchy. Items without a parent appear at the top level, and child items are nested underneath their parents. This makes it easy to see how evidence relates to each other (e.g., a disk image nested under the hard drive it was acquired from).