Evidence Tracking
Track digital and physical evidence with detailed metadata, chain of custody, legal ownership, and encrypted file attachments.
Understanding Evidence Items
Evidence items in DFIRe represent both digital artifacts and physical items being analyzed as part of an investigation. Each evidence item can have:
- Type-specific metadata - Fields defined by the evidence type (e.g., hash values, serial numbers, device info)
- Legal owner and custodian - Track who owns the device and who was using it
- Storage location - Where the evidence is stored (physical location or digital path)
- Investigation status - Current stage of processing (e.g., "Identification", "Acquisition", "Analysis")
- Flags - Custom tags for categorization
- File attachments - Related files, always encrypted at rest
- Notes - Analysis notes and findings
Physical vs Digital Evidence
DFIRe supports both types of evidence:
- Physical evidence - Computers, hard drives, mobile phones, paper documents, SIM cards. Storage location refers to a physical location (e.g., "Evidence Locker A, Shelf 3").
- Digital evidence - Disk images, memory dumps, log files, network captures. Storage location can be a digital path (e.g., "\\fileserver\evidence\case001" or "/mnt/evidence/images/").
Large Files: Although DFIRe supports large file attachments, items like full disk images or large memory dumps are best stored using a dedicated file storage solution. Use the storage location field to reference external storage paths.
Evidence Hierarchy
Evidence items can be organized hierarchically. For example:
- A Laptop can be the parent of an internal Hard Drive
- A Hard Drive can be the parent of a Disk Image
- A Mobile Phone can be the parent of a SIM Card
- A Server can be the parent of a Memory Image (RAM)
This hierarchy helps maintain chain of custody relationships between items.
Default Evidence Types
DFIRe ships with a comprehensive set of preconfigured evidence types. Administrators can modify these or create new types in System Settings > Evidence Types.
Physical Devices
| Type | Key Fields |
|---|---|
| Laptop | Serial Number, Hostname, MAC Address, Full Disk Encryption, User Password |
| Workstation | Serial Number, Hostname, MAC Address, Full Disk Encryption |
| Server | Hostname, IP Address, OS Version, Server Role, RAID Config, Is Virtual |
| Mobile Phone | IMEI, Make, Model, Passcode, SIM Present, Faraday Bag |
| Tablet | IMEI, Make, Model, Passcode, SIM Present |
| Hard Drive (Internal/External) | Serial Number, Capacity, Interface, Manufacturer, Acquisition Hash |
| Flash Media | Brand, Type (SD, USB), Capacity, Physical Description |
| SIM Card | ICCID Number, Carrier, Associated Phone Number |
| Network Device | Make, Model, IP Address, MAC Address, Admin Access, Logs Preserved |
| Drone / UAV | Manufacturer, FAA Registration, Serial Number, Onboard Storage |
| Paper Documents | Document Type, Page Count, Condition |
Digital Artifacts
| Type | Key Fields |
|---|---|
| Disk Image | Format (E01, RAW, VHD), Segment Size, Acquisition Hash, Source Drive Serial |
| Memory Image (RAM) | Source Hostname, OS Build/Profile, Size, Acquisition Tool, Acquisition Hash |
| Virtual Machine | Hostname, Format/Platform, IP Address, OS Version, Is Snapshot |
| Network Capture (PCAP) | Source, Capture Duration, Endpoints Count, Traffic Encrypted |
| Log File | Source System, Log Type, Format (EVTX, JSON), Period Start/End |
| Malware Sample | File Name, File Type, MD5/SHA256 Hash, Source URL, Is Live/Dangerous |
| Database | Database Role, Format, Contains Sensitive Content, Contains Payment Info |
| File | File Name, File Type, File Size, MD5 Hash |
Accounts & Identities
| Type | Key Fields |
|---|---|
| User Account | Username/Email, Platform (AD, Okta, Gmail), User ID, MFA Enabled, Status |
| E-Mail Account | Service Provider, Is Active, Is Shared Account |
| Email Message | Sender, Recipient, Subject, Message-ID, Format (MSG, EML) |
Adding Evidence
1. Open a case and go to the Evidence tab
   You can also click "Add Evidence" from the case header.
2. Select the Evidence Type
   Choose from the configured evidence types. This determines which fields are available.
3. Fill in the Evidence Details
   - Name / Label: Descriptive name for the item
   - Parent Item: If this is a child item (e.g., disk image from a hard drive)
   - Storage Location: Physical location or digital path where evidence is stored
4. Set Ownership & Custody
   - Legal Owner: Entity that owns the device (person or organization)
   - Primary User: Person who was using the device
   You can create new entities inline or select from existing ones.
5. Fill in Type-Specific Attributes
   Complete the fields specific to your evidence type (serial numbers, hash values, etc.).
6. Click "Add Item"
   The evidence item will be created and you'll be taken to its detail view.
The Evidence Detail View
Click on any evidence item to view and manage it.
Overview
Shows all evidence attributes, ownership information, investigation status, and flags.
Notes
Add analysis notes specific to this evidence item. Notes support markdown formatting.
Attachments
Upload files related to this evidence item (chain of custody forms, acquisition logs, exported artifacts).
History
Full audit trail of changes made to the evidence item.
Investigation Status Workflow
Evidence items progress through investigation statuses. The default workflow includes:
| Status | Description |
|---|---|
| Identification | Potential evidence identified |
| Acquisition | Evidence seized and imaged/secured |
| Processing | Indexing, hashing, and data extraction |
| Analysis | Investigator review and artifact correlation |
| Reporting | Findings documented and report generated |
| Archived/Returned | Case closed, evidence returned or stored long-term |
To change the status, click on the status badge in the evidence detail view.
Investigation workflow steps are configurable in System Settings > Investigation Steps. You can customize the workflow to match your organization's procedures.
Flags
Flags are customizable tags you can apply to evidence items for categorization. Default flags include:
| Flag | Description |
|---|---|
| Evidence | Contains evidence relevant to the case |
| No evidence | Contains no relevant evidence |
| Malware | Contains malware |
| Illegal content | Contains illegal content |
| Broken | Device is broken or file corrupted |
| Do not return | Do not return this item to owner |
Administrators can configure flags in System Settings > Flags.
Legal Entities
Legal entities represent the people and organizations associated with evidence. Entities are managed from the top navigation bar by clicking Entities (next to Dashboard and Search).
Entity Types
| Type | Use For |
|---|---|
| Natural Person | Individual people (employees, suspects, witnesses) |
| Organization | Companies, corporations, departments |
| Government Agency | Law enforcement, regulatory bodies |
| Team | Internal teams or working groups |
| Other | Any entity that doesn't fit the above categories |
Owner vs. Primary User
- Legal Owner - The entity that legally owns the device (often the employer)
- Primary User - The person who was actually using the device
This distinction is important for establishing chain of custody and legal authority.
Entities are reusable across cases. When adding evidence, you can select existing entities or create new ones inline.
File Attachments
You can attach files to evidence items. Common use cases:
- Chain of custody forms
- Acquisition logs
- Analysis reports
- Exported artifacts
- Screenshots
Encryption
All attachments are encrypted at rest using AES-256-GCM. The encryption key is derived from:
- The tenant's master key
- The case-specific key
- An attachment-specific salt
Important: Attachment data is never stored unencrypted. Deleting the tenant, case, or evidence item renders all associated attachments permanently unreadable. There is no recovery mechanism - this is by design for security.
Large Files
DFIRe uses chunked uploads for files over 8MB. While there's no hard limit on file size, large forensic images (disk images, memory dumps) are best stored on dedicated file storage infrastructure. Use the evidence item's storage location field to reference the external path.
Evidence Organization
Viewing Options
The Evidence tab provides several ways to view items:
- List view - Simple list sorted by creation date
- Tree view - Hierarchical view showing parent/child relationships
Filtering
Filter evidence by:
- Evidence type
- Investigation status
- Flags
- Owner or custodian