Incident Response
Preserve Breach Evidence the Way Responders Should
When an incident hits, the artifacts you collect in the first hour decide whether your findings hold up months later. Incident response evidence preservation means hashing and timestamping each artifact at the moment of collection, keeping an unbroken record of custody, and producing a certificate that proves nothing was altered. e-Dex does all of it offline, free, on a single Windows machine.
Why IR Evidence Gets Challenged
Most disputes over breach evidence are not about what the data shows — they are about whether the data can be trusted at all. A memory image, a firewall log export, a quarantined malware sample: each is just bytes until you can prove those bytes have not changed since you pulled them off the wire. If nobody recorded a hash at collection, and nobody can account for where the file sat between then and now, an opposing party has an easy opening. Preserving evidence properly removes that opening before it ever appears, so your analysis stands on a foundation no one can quietly knock out.
Hash and Timestamp at Collection
The single most important moment in preservation is the first one. As soon as an artifact is acquired, e-Dex computes a cryptographic hash across its contents — MD5, SHA-1, SHA-256, SHA-512 and BLAKE3 side by side — and records the exact time of collection. Because a hash changes completely if even one byte moves, that recorded value becomes the anchor every later check compares against. Where you need independent proof of when the artifact was sealed, an optional RFC-3161 trusted timestamp binds the collection time to a Time-Stamping Authority, so the moment of preservation is provable rather than merely asserted.
Maintain Custody Through Handoff
Evidence rarely stays with one person. It passes from the first responder to a DFIR analyst, from the analyst to counsel, and sometimes onward to a regulator or court. Each of those handoffs is a point where integrity can be questioned, so each one needs a record. By recording artifacts and their hashes up front, e-Dex gives every later holder a fixed reference to verify against: recompute the hash, compare to the sealed value, and the result is a plain MATCH or MISMATCH. The incident response evidence certificate carries that proof with the artifacts wherever they travel.
Generate the IR Evidence Certificate
When the preservation step is done, e-Dex produces a single readable Incident Response Evidence Certificate. It lists every artifact with its multi-algorithm hashes and collection timestamp, and prints an overall verification result across the whole set, so a reviewer sees at a glance whether the batch is intact. There is no spreadsheet to assemble and no two columns of hex to eyeball — the verdict is stated on the page. Months later, anyone can re-run the same files through e-Dex, or use the public certificate verifier, and confirm the evidence is exactly what was collected.
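The seal, handoff and verify steps described in the three sections above, as an added Python example that is not e-Dex's own code: it assumes hashlib's blake2b standing in for BLAKE3 (which is not in the standard library) and constructs two sample artifacts in a temporary directory.

```python
import hashlib
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# Hashes sealed side by side. BLAKE3 is not in hashlib, so blake2b stands in for it here (assumption).
ALGORITHMS = ("md5", "sha1", "sha256", "sha512", "blake2b")

def hash_artifact(path, chunk_size=1 << 20):
    """Run every algorithm over a single read of the file so a large image is streamed only once."""
    hashers = {name: hashlib.new(name) for name in ALGORITHMS}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}

def seal(paths, collector):
    """Record hashes, collection time and the first custodian: the data a certificate is built from."""
    now = datetime.now(timezone.utc).isoformat()
    artifacts = [{"name": Path(p).name, "collected_at": now, "hashes": hash_artifact(p)}
                 for p in paths]
    return {"artifacts": artifacts, "custody": [{"holder": collector, "action": "collected", "at": now}]}

def handoff(manifest, new_holder):
    """Append a custody entry on transfer; sealed hashes are never rewritten, only the chain grows."""
    manifest["custody"].append(
        {"holder": new_holder, "action": "received", "at": datetime.now(timezone.utc).isoformat()})
    return manifest

def verify(manifest, paths):
    """Recompute and compare; a mismatch in any algorithm on any artifact fails the whole batch."""
    per_artifact = {e["name"]: ("MATCH" if hash_artifact(p) == e["hashes"] else "MISMATCH")
                    for e, p in zip(manifest["artifacts"], paths)}
    overall = "MATCH" if all(v == "MATCH" for v in per_artifact.values()) else "MISMATCH"
    return overall, per_artifact

def demo():
    """Constructed sample: a log export and a quarantined file, the second altered after sealing."""
    workdir = Path(tempfile.mkdtemp())
    log, sample = workdir / "firewall.log", workdir / "sample.bin"
    log.write_bytes(b"2024-01-01T00:00:00Z DENY 10.0.0.5 -> 203.0.113.9:445\n")  # constructed log line
    sample.write_bytes(b"\x4d\x5a\x90\x00" + b"\x00" * 64)  # constructed bytes, not a real sample
    paths = [log, sample]
    manifest = handoff(seal(paths, "first responder"), "DFIR analyst")
    before = verify(manifest, paths)[0]  # "MATCH": nothing has moved since sealing
    sample.write_bytes(sample.read_bytes() + b"\x00")  # one byte appended: every algorithm now disagrees
    after, per_artifact = verify(manifest, paths)
    return before, after, per_artifact, len(manifest["custody"])
```

Because the manifest holds all five digests for each artifact, a later holder can verify with whichever algorithm their tooling supports and still get the same MATCH or MISMATCH verdict.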
Fits SOC and DFIR Workflows — Air-Gapped Friendly
e-Dex is built to slot into the way response teams already work. It runs fully offline on a standalone Windows workstation, which means it is comfortable on an air-gapped DFIR lab machine or an isolated containment network where nothing is allowed to phone home. Hashing, custody records and certificate generation all happen locally, so sensitive breach artifacts never leave the box. Because the tool is free, an entire SOC can standardise on one preservation routine — every analyst, every shift, producing the same defensible record without licensing friction or per-seat cost.
Frequently Asked Questions
Why does incident response evidence get challenged later?
Breach evidence is most often challenged because no one can prove an artifact is unchanged since collection. If a log export, memory image or malicious file has no hash recorded at the moment it was acquired, and no continuous record of who held it, opposing counsel or a regulator can argue it was altered. e-Dex closes that gap by hashing and timestamping each artifact at collection and recording custody from that point forward.
Does e-Dex work on an air-gapped or isolated forensic workstation?
Yes. e-Dex runs fully offline on a standalone Windows machine, which suits air-gapped DFIR labs and isolated containment networks. Hashing, custody logging and certificate generation all happen locally, so evidence never leaves the workstation. An internet connection is only needed if you choose to apply an RFC-3161 trusted timestamp from a Time-Stamping Authority.
What is in an Incident Response Evidence Certificate?
The certificate lists each preserved artifact with its multi-algorithm hashes, the collection timestamp, and an overall MATCH or MISMATCH verification result. It gives SOC analysts, DFIR teams and counsel a single readable document proving the artifacts are bit-for-bit identical to what was collected during the incident.
Is e-Dex free for SOC and DFIR teams to use?
Yes. e-Dex is a free download for Windows from Innovativa SoftTech, Pune. There is no cost to hash artifacts, maintain custody records or generate an Incident Response Evidence Certificate, which makes it easy to standardise preservation across an entire SOC or response team.
Preserve Your Next Incident Properly
Defensible incident response evidence preservation starts the moment you collect the first artifact. Hash it, timestamp it, keep custody, and let the certificate carry the proof. You can do all of it in minutes, offline, on a single Windows machine with e-Dex — the free Digital Evidence Integrity Suite. Download it now and make every breach artifact you collect stand up to scrutiny.