Comprehensive guides and tools for collecting digital evidence in cybersecurity incidents. These resources are recommended for clients preparing evidence submissions to HackAid.
All evidence collection procedures should follow these fundamental principles:
KAPE: Windows forensic artifact collection and parsing. Fast triage collection with VHDX export support. (Download KAPE)
Advanced endpoint monitoring and DFIR platform. Remote collection across multiple systems with VQL queries. (GitHub repository)
Google's incident response framework for remote live forensics. Scalable to enterprise environments. (GitHub repository)
FTK Imager: Disk imaging and memory capture tool. Industry standard for creating forensic images. (Download FTK Imager)
Enterprise remote forensic acquisition. Network-based live collection with encrypted channels. (Learn more)

Step-by-step procedures for recognizing, collecting, and preserving digital evidence at electronic crime scenes. (Download PDF)
👥 Best for: Non-technical users, first responders
Pocket-sized reference guide for on-scene digital evidence handling. (Download PDF)
👥 Best for: Field responders, patrol officers
Scientific Working Group on Digital Evidence (SWGDE) standards for digital evidence collection, chain of custody, and integrity verification. (View guidelines)
👥 Best for: IT staff, corporate security
Guide to integrating forensic techniques into incident response procedures. (Download PDF)
👥 Best for: Incident responders, forensic practitioners
Free downloadable poster covering evidence identification, collection, and preservation. (Download poster)
👥 Best for: Visual learners, quick reference
Preservation considerations for those handling digital evidence. (Download PDF)
👥 Best for: Evidence handlers
SWGDE best practices for mobile device evidence collection, preservation, and acquisition (updated 2025). (Download PDF)
SWGDE best practices for remote collection of digital evidence from endpoints. (View guidelines)

Depending on your incident, collect the following where possible:
If you need assistance with evidence collection or have questions about what to collect for your specific incident:
Remember: when in doubt, document everything and preserve the original state (hash what you collect, then work only from verified copies). It is better to collect too much evidence than too little.
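The integrity verification and chain-of-custody points above come down to one mechanical habit: hash every item at acquisition, record who collected it and when, and re-hash before analysis or submission so that any later change is detectable. The script below is an added example, not code from HackAid or from any of the tools listed; it uses only the Python standard library, and the evidence files, collector name and case ID it works on are constructed for the demonstration.

```python
"""Hash manifest for collected evidence: record SHA-256 at acquisition, re-verify later.

Added example (not HackAid's or any listed tool's code). Sample evidence files,
the collector name "jdoe" and case ID "CASE-0001" are constructed for the demo.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # read in 1 MiB chunks so large disk/memory images need not fit in RAM


def sha256_file(path):
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(evidence_dir, collector, case_id):
    """Walk evidence_dir and record relative path, size and SHA-256 of every file,
    together with who collected it and when (UTC). Later checks compare against
    this record, so in practice it is stored (and ideally signed) apart from the
    evidence it describes."""
    entries = []
    for root, _dirs, files in os.walk(evidence_dir):
        for name in sorted(files):
            path = os.path.join(root, name)
            entries.append({
                "path": os.path.relpath(path, evidence_dir),
                "size": os.path.getsize(path),
                "sha256": sha256_file(path),
            })
    return {
        "case_id": case_id,
        "collector": collector,
        "collected_utc": datetime.now(timezone.utc).isoformat(),
        "files": entries,
    }


def verify_manifest(evidence_dir, manifest):
    """Re-hash every file named in the manifest. Returns a list of
    (relative path, problem) tuples; an empty list means integrity holds."""
    problems = []
    for entry in manifest["files"]:
        path = os.path.join(evidence_dir, entry["path"])
        if not os.path.exists(path):
            problems.append((entry["path"], "missing"))
            continue
        if sha256_file(path) != entry["sha256"]:
            problems.append((entry["path"], "hash mismatch"))
    return problems


def demo():
    """Constructed scenario: two evidence files are collected and recorded,
    then one is altered after collection. Returns (problems before, problems after)."""
    with tempfile.TemporaryDirectory() as d:
        # Constructed sample evidence: one log line and a zero-filled "memory" dump.
        with open(os.path.join(d, "auth.log"), "w") as f:
            f.write("Mar 1 10:00:01 host sshd[123]: Accepted password for admin from 203.0.113.5\n")
        with open(os.path.join(d, "memory.raw"), "wb") as f:
            f.write(b"\x00" * 4096)

        manifest = build_manifest(d, collector="jdoe", case_id="CASE-0001")
        # For the demo the manifest is written next to the evidence; keep it separate in practice.
        with open(os.path.join(d, "manifest.json"), "w") as f:
            json.dump(manifest, f, indent=2)

        before = verify_manifest(d, manifest)

        # Simulate someone "tidying" the log after collection.
        with open(os.path.join(d, "auth.log"), "a") as f:
            f.write("tampered\n")

        after = verify_manifest(d, manifest)
        return before, after


if __name__ == "__main__":
    ok, bad = demo()
    print("before tampering:", ok or "all files verified")
    print("after tampering: ", bad)
```

Run it as-is to see the second check flag auth.log; in a real case, point build_manifest at the collection directory immediately after acquisition, store the manifest with the case notes, and run verify_manifest again before handing the evidence on.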