Daniel Rosehill Hey, It Works!
Digital Evidence Toolkit: A Curated Guide to Collecting and Preserving Digital Evidence
· Daniel Rosehill

A curated collection of tools and guides for gathering, preserving, and authenticating digital evidence, from capture through chain of custody.

The Project

https://github.com/danielrosehill/Digital-Evidence-Toolkit

Whether you're dealing with a legal dispute, documenting workplace harassment, or conducting OSINT research, knowing how to properly collect and preserve digital evidence can make the difference between something that holds up and something that gets thrown out. I put together the Digital Evidence Toolkit as a curated, freely available resource covering the full chain — from initial capture through secure storage, verification, and investigation.

Evidence Capture Tools

The toolkit covers capture methods across multiple evidence types:

  • ProofMode — Android app that automatically generates cryptographic proof for photos and videos at capture time.

  • SingleFile — Browser extension for saving complete web pages as single HTML files, essential for preserving online evidence.

  • eEvid — Certified email delivery service that provides legal proof of email content and timestamps.

  • ASR (Android Smart Recorder) — Audio recording app for Android with features useful for evidence capture.

  • Content Authenticity Initiative — Hardware-level image certification from manufacturers like Leica and Google Pixel.

Storage, Verification, and Integrity

Once evidence is captured, it needs to be stored immutably and verifiably. The toolkit covers:

  • OpenTimestamps — Free, decentralized timestamping anchored to the Bitcoin blockchain. Proves data existed at a specific point in time.

  • AWS S3 Object Lock — Cloud-based WORM (Write Once, Read Many) storage ensuring files cannot be modified or deleted.

  • IPFS — Content-addressed decentralized storage where file integrity is verified by the protocol itself.

  • ExifTool — Industry-standard metadata reader for inspecting and verifying file provenance.

  • Tresorit — End-to-end encrypted cloud storage suitable for sensitive evidence.

  • BagIt — Library of Congress standard for packaging evidence bundles with integrity verification.

Investigations and OPSEC

The toolkit also covers the investigative and operational security side:

  • Maltego — Graphical link analysis and OSINT platform for mapping relationships between entities.

  • Hunchly — Automated web capture tool designed specifically for investigations.

  • Timesketch — Open source tool for collaborative forensic timeline analysis.

The repository includes guides on chain of custody principles, legal considerations for evidence capture (consent laws vary significantly by jurisdiction), and best practices for the full evidence lifecycle. There are also dedicated sections on redaction tools for removing personally identifiable information before sharing evidence, and operational security guidance for protecting yourself during investigations. The whole thing is organized to be a practical starting point rather than an exhaustive catalogue.