Cyber Investigation
Lock Down the Evidence Before It's Lost
When a breach hits, the most useful evidence is also the most fragile. Logs roll over, attackers clean up, and well-meaning hands overwrite the very files an investigation depends on. e-Dex lets you capture and hash artifacts immediately, preserve them tamper-evidently, and hand off a defensible evidence pack — all free and fully offline on Windows.
The first minutes of an incident matter
Cyber investigations are won or lost in the opening window. The moment a breach is suspected, the clock starts on evidence that decays on its own: rotating logs age out, temporary files are reclaimed, caches flush, and an attacker who is still present may actively destroy traces. Every hour without a clean capture is an hour in which the record you will later rely on quietly changes. To preserve forensic evidence after a breach you have to act first and analyse second — secure the artifacts, fix their state, and only then begin to reason about what happened.
Capture and hash artifacts immediately
The single most important step is to compute a cryptographic hash for each artifact the instant you collect it — before it is opened, copied around, or analysed. A hash is a fixed-length fingerprint of a file's exact contents; change one byte and the fingerprint changes completely. By recording that value at the point of capture, you create an anchor: from then on, anyone can prove a file is unchanged simply by recomputing the same hash. e-Dex computes several algorithms per artifact — MD5, SHA-1, SHA-256, SHA-512 and BLAKE3 — so the integrity proof is strong and matches whichever value a later verifier holds. Logs, mailbox exports, disk images, packet captures, screenshots and config files can all be fixed this way in seconds.
Timestamped, tamper-evident preservation
Capturing a hash is only half the job; you also need to record when it was captured and make any later change obvious. e-Dex records each artifact's hashes alongside the capture time and produces a readable certificate that states an explicit MATCH / MISMATCH verdict for every file. If you need stronger assurance, you can apply a PAdES digital signature binding a signer's identity to the record, and an RFC-3161 trusted timestamp that seals the exact time against an independent Time-Stamping Authority. The result is a preservation record where any tampering — even a single altered byte — surfaces immediately as a MISMATCH.
Hand off a defensible evidence pack
Investigations rarely end with the person who collected the evidence. The findings pass to internal leadership, external counsel, a CERT team, an insurer or, eventually, a court — and each handoff is a chance for doubt to creep in. A defensible evidence pack closes that gap: it lists every artifact with its hashes, an overall verification result, and the capture timestamp, in a form anyone can re-verify months later by recomputing the values themselves. e-Dex generates exactly this kind of certificate, so the integrity of your evidence travels with it instead of relying on memory or trust.
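The capture-then-re-verify workflow described in the sections above, as an added Python example; it is not e-Dex's code or its certificate format. The manifest layout and function names are assumptions, and BLAKE3 is left out because it is not in Python's standard library.

```python
import hashlib
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# MD5 and SHA-1 are recorded only so values match older records; both have known
# collisions, so a verifier should rely on the SHA-256 / SHA-512 values.
ALGORITHMS = ("md5", "sha1", "sha256", "sha512")

def hash_file(path, chunk_size=1 << 20):
    """Stream the file once into every digest, so large disk images are never loaded whole."""
    digests = {name: hashlib.new(name) for name in ALGORITHMS}
    with open(path, "rb") as fh:
        while chunk := fh.read(chunk_size):
            for d in digests.values():
                d.update(chunk)
    return {name: d.hexdigest() for name, d in digests.items()}

def capture(paths):
    """Build a manifest: capture time (UTC) plus hashes for each artifact."""
    now = datetime.now(timezone.utc).isoformat(timespec="seconds")
    entries = [{"path": p, "hashes": hash_file(p)} for p in paths]
    return {"captured_utc": now, "artifacts": entries}

def verify(manifest):
    """Recompute every hash; return (per-file verdicts, overall verdict)."""
    verdicts = {}
    for entry in manifest["artifacts"]:
        try:
            ok = hash_file(entry["path"]) == entry["hashes"]
        except OSError:  # a missing or unreadable artifact counts as a MISMATCH
            ok = False
        verdicts[entry["path"]] = "MATCH" if ok else "MISMATCH"
    overall = "MATCH" if all(v == "MATCH" for v in verdicts.values()) else "MISMATCH"
    return verdicts, overall

def demo():
    """Constructed sample: two small files, one altered by a single byte after capture."""
    with tempfile.TemporaryDirectory() as d:
        log, cfg = Path(d, "auth.log"), Path(d, "app.conf")
        log.write_bytes(b"2024-01-01 login failed user=alice\n")
        cfg.write_bytes(b"debug=false\n")
        manifest = json.loads(json.dumps(capture([str(log), str(cfg)])))  # JSON round trip
        before = verify(manifest)
        cfg.write_bytes(b"debug=falsf\n")  # same length, one byte changed
        after = verify(manifest)
    return before, after, str(log), str(cfg)
```

A manifest like this is only as trustworthy as its own storage, which is the gap the signature and trusted timestamp described above are meant to close.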
Works air-gapped & offline
Forensic work often happens on isolated machines for good reason — you do not want evidence files leaving a controlled environment. e-Dex is built for this. It runs fully offline on your own Windows machine, including on an air-gapped forensic workstation, with no account, upload or cloud dependency. The artifacts you are protecting never touch the internet; hashing, verification and certificate generation all happen locally. Only the optional trusted-timestamp step reaches out to a Time-Stamping Authority, and you choose whether to use it.
Frequently Asked Questions
How do I preserve forensic evidence after a breach?
Capture the relevant artifacts as early as possible — logs, exported mailboxes, disk images, screenshots,
configuration files — and compute cryptographic hashes for each one immediately, before anything else
touches them. The hash fixes the file's state at the moment of capture, so any later change is detectable.
e-Dex lets you do this locally on Windows, recording multi-algorithm hashes and an explicit verification
result for every artifact so the integrity story is established from the first minutes.
Does e-Dex work offline and air-gapped?
Yes. e-Dex runs fully offline on your own Windows machine, including on an air-gapped forensic
workstation. Hashing artifacts, recording values and generating the evidence pack all happen locally, so
the evidence never leaves the machine. An internet connection is only needed if you choose to apply an
RFC-3161 trusted timestamp from a Time-Stamping Authority.
What goes into a defensible evidence pack?
A defensible evidence pack lists each captured artifact with its multi-algorithm hashes (MD5, SHA-1,
SHA-256, SHA-512 and BLAKE3), an overall MATCH / MISMATCH verification result, and a timestamp recording
when the capture was made. e-Dex produces this as a readable certificate that a colleague, client or court
can re-verify later by recomputing the same hashes. For incident-response context, see our guide to the
incident response evidence certificate.
Is e-Dex free to use?
Yes. e-Dex is free to download and use on Windows. You can hash artifacts, verify integrity and generate
evidence certificates without any licence cost. It is built by Innovativa SoftTech Solutions Private
Limited, Pune. You can also try the hash tool before you download.
Capture the evidence while it still exists
Don't wait for the logs to roll over. Hash and preserve your artifacts now, offline, on a single Windows machine — and walk away with a defensible evidence pack.