Evidence Types
Configure evidence types and categories to organize digital forensic evidence consistently across investigations.
Default Evidence Types
DFIRe includes common evidence types:
Physical Media
- Hard Drive / SSD
- USB Drive
- Mobile Device
- Optical Media
- Memory Card
Digital Artifacts
- Disk Image
- Memory Dump
- Log Files
- Network Capture
- Email Export
- Database Export
Documents
- Chain of Custody Form
- Acquisition Notes
- Analysis Report
- Screenshots
Creating Evidence Types
- Go to Settings → Evidence Types
- Click "New Evidence Type"
- Configure the Type:
  - Name: Display name
  - Category: Grouping (Physical, Digital, Document)
  - Description: When to use this type
  - Icon: Visual identifier
- Add Custom Fields: Define fields specific to this evidence type (e.g., Serial Number for hardware).
Evidence Categories
Organize evidence types into categories for easier navigation:
- Physical: Tangible items requiring chain of custody
- Digital: Files and data artifacts
- Document: Supporting documentation
- Network: Network-related evidence
- Cloud: Cloud service exports
Custom categories can be created at Settings → Evidence Types → Categories.
Type-Specific Fields
Each evidence type can have unique fields. Examples:
Hard Drive
- Make/Model
- Serial Number
- Capacity
- Interface (SATA, NVMe, etc.)
Mobile Device
- Device Type (Phone, Tablet)
- Make/Model
- IMEI/Serial
- OS Version
- Passcode Status
Disk Image
- Image Format (E01, RAW, AFF)
- Hash Algorithm
- Hash Value
- Acquisition Tool