Field & lab evidence collection

Evidence Collector

Collect, copy, verify and inspect storage media from one guided Windows application — with EWF (E01 / Ex01) imaging, multi-hash integrity checks, session logs and operator safety built in from connect to case handoff.

Evidence Collector home dashboard — Drive to Image, Drive to Drive, Image to Drive, Disk Info, Speed Test, Hex Viewer, Sanitize Drive, Verify Compare, CCTV Identification
Home Dashboard

Every workflow on one screen

Start every job from one place — acquisition, verification and examination tools grouped with clear safety cues, so operators need minimal training in the field or the lab.

  • Card-first layout with plain labels and a grouped sidebar (Acquisition · Verification · Examine · Session).
  • Colour safety cues — read-only, caution and destructive paths are visually distinct.
  • Case header strip — case number, evidence date and media type on every job page.
  • Fix / Reset layout to save card order or restore defaults on shared PCs.
One app, eleven workflows

The complete toolset

Imaging, cloning, restore, verification, inspection and sanitization — without ever leaving the application.

Write to image file · E01 / Ex01

Drive → Image

Create E01 / Ex01 forensic images from physical or logical sources with live sector maps, multi-hash digests and exportable logs.

  • EWF-native output with MD5, SHA-1, SHA-256 & SHA-512 embedded via libewf.
  • Whole physical disk or a single logical volume as the source.
  • Live sector view and read-status map — pending, completed, bad and error regions.
  • Adjustable bad-sector policy — zero-fill & log, retries and jump size for failing media.
  • Process & hash log — copy or save throughput and digest output for case notes.
Disk clone · Destination writes

Drive → Drive

Clone a source disk to destination media with pre-flight checks, offline safety, live progress and post-clone verification.

  • Source / destination picker showing model, serial and capacity upfront.
  • Pre-flight checks warn when source and destination overlap.
  • Throughput chart — rolling MB/s, elapsed time and ETA.
  • USB / write-blocker I/O tuning, with unplug-source handoff after clone + verify.
  • Write-blocker bridge identity logged in the session and HTML report header.
Restore to disk · E01 / raw

Image → Drive

Restore E01, Ex01 or raw image files back to a physical disk with streaming hash verify and the same progress UI as acquisition.

  • Open segmented E01 sets or single raw image files.
  • Destination capacity and geometry checks before writing.
  • Streaming hash verify confirms restored content matches the source.
  • Case header strip — case number, evidence date and media type on the job page.
  • Dual confirmation before destructive writes, plus an exportable HTML log.
Read-only compare · MD5 · SHA-1 · SHA-256 · SHA-512

Verify / Compare

Prove two sources match — Drive → Drive, Image → Drive and related pairs — with multi-hash digests and sector-level mismatch detail.

  • Multiple compare modes with partition-aware scope.
  • Optional MD5, SHA-1, SHA-256 and SHA-512 digest panel.
  • Read progress map plus overlap warnings for same-disk pairs.
  • Folder hashing — mark files in a tree for per-file digests and a folder-hash HTML report.
  • Mismatch detail captured in the HTML session report.
Read-only · Benchmark

Speed Test

Exercise read throughput on a drive or image safely — benchmark before imaging, clone or verify jobs without ever writing to evidence.

  • Read-only surface exercise — no writes to the selected source media.
  • Live rolling-window MB/s chart and a sector read map.
  • Elapsed time and ETA to plan field time before a full acquisition.
  • Session log — copy or save results for case documentation.
Read-only · SMART

Disk Info

Profile a drive before imaging — identity, capacity, partition layout, SMART summary and sector geometry, all without writing to the disk.

  • Model, serial, firmware, interface and online state at a glance.
  • Logical / physical sector size, LBA count and partition table.
  • HPA / DCO notes and a SMART heuristic health score (0–100).
  • Write-blocker card showing forensic USB bridge identity.
Read-only · LBA seek

Hex Viewer

Inspect raw bytes at any LBA — a read-only hex view with seek, search and an ASCII column for quick spot checks in the field.

  • Reads sectors directly from the selected physical disk.
  • LBA navigation to jump to boot sector, partition or signature checks.
  • Hex + ASCII dual-pane layout with byte-pattern search.
  • No writes — safe to use on evidence prior to imaging.
Read-only · DVR detect

CCTV Identification

Detect DVR / CCTV filesystem brands on a physical disk — read-only vendor identification with a confidence score and a full probe trace.

  • Identifies Dahua / CP PLUS, Hikvision and other DVR filesystem signatures.
  • Confidence percentage and detection method shown with each result.
  • Step-by-step probe trace and filesystem notes for the report.
  • SMART summary alongside identification results.
  • No disk writes — safe triage before imaging or handoff to recovery tools.
Destructive · Admin required

Sanitize Drive

Overwrite every sector on a physical disk with visible warnings, a SMART health gate, adaptive block size and full session logging.

  • Full-disk overwrite — all sectors written with 0x00 by default.
  • SMART health gate — blocked below score 80 unless explicitly overridden.
  • Adaptive write-block size that auto-tunes when burst slowdown is detected.
  • Optional sampled read-back verification pass after overwrite.
  • Case number, evidence date and media type recorded in the session log and HTML report.
Built for accountable collection

Operational safeguards

Safeguards, EWF imaging, logging and operator guidance stay with the job from connect to case handoff.

Write-blocker detection

Tableau and other forensic USB bridges identified via PNP; identity carried into Disk Info, session logs and HTML reports.

Software write protection

Arm USB ports or connected disks before media is attached, for an extra layer of safety.

Session logging

Structured HTML logs per workflow with session ID License_date_time[_case].

Case & custody fields

Case number, evidence date and storage media type recorded in every HTML session report.

Clone & sanitize guards

Destination prep, dual confirmation and visible destructive warnings on every write path.

Checklists in Help

Authorization, labelling, source/destination roles and custody notes built into the app.

Platform

Native Windows, forensic-grade

  • WinUI 3 native Windows shell with administrator-aware prompts for raw disk access.
  • EWF status in About — libewf readiness shown before you rely on E01 workflows.
  • Made in India — part of the Field Forensic product line for field and lab operators.
  • E01 / Ex01: Forensic container with embedded hashes
  • HTML logs: Per-session reports with case metadata
  • Session ID: License · date · time · case#
  • Write blocker: Hardware bridge detect + log attribution
  • Sector maps: Live visual progress on every job
  • Folder hash: Per-file digests in Verify / Compare

Collection, imaging & verification in one app

Less switching between utilities, more defensible results. Request a demo or a quote for Evidence Collector.