Evidence Types

Configure evidence types and categories to organize digital forensic evidence consistently across investigations.

Default Evidence Types

DFIRe includes common evidence types:

Physical Media

  • Hard Drive / SSD
  • USB Drive
  • Mobile Device
  • Optical Media
  • Memory Card

Digital Artifacts

  • Disk Image
  • Memory Dump
  • Log Files
  • Network Capture
  • Email Export
  • Database Export

Documents

  • Chain of Custody Form
  • Acquisition Notes
  • Analysis Report
  • Screenshots

Creating Evidence Types

  1. Go to Settings → Evidence Types
  2. Click "New Evidence Type"
  3. Configure the Type
    • Name: Display name
    • Category: Grouping (Physical, Digital, Document)
    • Description: When to use this type
    • Icon: Visual identifier
  4. Add Custom Fields

    Define fields specific to this evidence type (e.g., Serial Number for hardware).

  5. Attach Default Runbooks (optional)

    Attach one or more runbooks to the evidence type. Whenever an investigator creates a new evidence item of this type, DFIRe automatically attaches snapshots of the selected runbooks to the item. This is useful for ensuring standard procedures (e.g. chain-of-custody steps for a hard drive, volatile-memory capture notes for a live system) are always present without requiring investigators to remember to attach them manually.

    Runbooks attached to existing items are independent snapshots — editing the default-runbook list on an evidence type does not retroactively change runbooks already attached to items.
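The snapshot behaviour described in step 5, shown as a small model. This is an added example, not DFIRe's own code or API: the class names, `create_item`, and the sample runbook titles and steps are all constructed for illustration.

```python
import copy
from dataclasses import dataclass, field
from typing import List

@dataclass
class Runbook:
    title: str
    steps: List[str]

@dataclass
class EvidenceType:
    name: str
    category: str
    default_runbooks: List[Runbook] = field(default_factory=list)

@dataclass
class EvidenceItem:
    label: str
    type_name: str
    runbooks: List[Runbook]

def create_item(etype: EvidenceType, label: str) -> EvidenceItem:
    # Deep copy: the item owns a snapshot of each default runbook as it
    # exists right now, not a reference back to the evidence type.
    return EvidenceItem(label, etype.name, copy.deepcopy(etype.default_runbooks))

def demo():
    # Constructed sample data (hypothetical runbook content).
    custody = Runbook("Chain of custody",
                      ["Photograph device", "Record serial number", "Seal and label bag"])
    hdd = EvidenceType("Hard Drive / SSD", "Physical", [custody])

    first = create_item(hdd, "HDD-001")   # snapshot taken here

    # Later, an administrator edits the runbook and the default-runbook list.
    custody.steps.append("Store in evidence locker")
    hdd.default_runbooks.append(
        Runbook("Write-blocked imaging",
                ["Attach write blocker", "Acquire image", "Verify hash"]))

    second = create_item(hdd, "HDD-002")  # picks up the new defaults
    return first, second

if __name__ == "__main__":
    for item in demo():
        print(item.label, [(r.title, len(r.steps)) for r in item.runbooks])
```

HDD-001 keeps the single three-step runbook it was created with, while HDD-002 carries both runbooks in their edited form. To bring an older item in line with new defaults, an investigator would have to attach the runbook to that item explicitly.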

Evidence Categories

Organize evidence types into categories for easier navigation:

  • Physical: Tangible items requiring chain of custody
  • Digital: Files and data artifacts
  • Document: Supporting documentation
  • Network: Network-related evidence
  • Cloud: Cloud service exports

Custom categories can be created at Settings → Evidence Types → Categories.

Type-Specific Fields

Each evidence type can have unique fields. Examples:

Hard Drive

  • Make/Model
  • Serial Number
  • Capacity
  • Interface (SATA, NVMe, etc.)

Mobile Device

  • Device Type (Phone, Tablet)
  • Make/Model
  • IMEI/Serial
  • OS Version
  • Passcode Status

Disk Image

  • Image Format (E01, RAW, AFF)
  • Hash Algorithm
  • Hash Value
  • Acquisition Tool