
Evidence Forensics

André Henrique edited this page Jun 8, 2026 · 2 revisions

Evidence & Forensics

The Evidence Vault module provides a hash-chained, tamper-evident audit ledger for wireless security assessments. It is designed to meet ISO/IEC 27037 requirements for digital evidence collection, preservation, and chain of custody.


Module Reference

Module                             Description
evidence_vault/evidence_vault      Hash-chained tamper-evident audit ledger
session_manager/session_manager    SQLite-backed pentest session manager with JSON export

ISO/IEC 27037 Compliance

ISO/IEC 27037 defines principles for the handling of digital evidence:

  • Auditability - every action is recorded and traceable
  • Integrity - evidence cannot be modified without detection
  • Chain of custody - who collected what, when, how
  • Reproducibility - collection method is documented in sufficient detail

The Evidence Vault implements these principles through:

  1. SHA-256 content hashing of every recorded item
  2. Hash chaining - each record's hash includes the previous record's hash
  3. Timestamping - RFC 3339 timestamps on each entry
  4. Operator identification - operator ID/name recorded on each entry
  5. Tamper detection - the verify command recomputes every hash and detects any modification to the chain

Evidence Vault Usage

Initialize a session

wxf > use generic/evidence_vault/evidence_vault
wxf (EvidenceVault) > show options

Options:
  SESSION_ID  (required)  Unique session identifier (e.g. pentest_office_2026_06)
  VAULT_DIR   /evidence   Directory to store vault files
  OPERATOR    unknown     Operator name for chain of custody
  SIMULATE    false       Preview without writing

wxf (EvidenceVault) > set SESSION_ID pentest_office_2026_06
wxf (EvidenceVault) > set VAULT_DIR /evidence
wxf (EvidenceVault) > set OPERATOR j.analyst

Record a WiFi scan finding

wxf (EvidenceVault) > run scan \
    --ssid "OfficeWiFi" \
    --bssid AA:BB:CC:DD:EE:FF \
    --channel 6 \
    --rssi -65 \
    --security WPA2-PSK \
    --note "Guest network, no client isolation"

[+] Evidence #0001 recorded
    Type:       scan
    Session:    pentest_office_2026_06
    Timestamp:  2026-06-08T08:15:00Z
    Operator:   j.analyst
    Data:       ssid=OfficeWiFi bssid=AA:BB:CC:DD:EE:FF ch=6 rssi=-65 sec=WPA2-PSK
    SHA-256:    a1b2c3d4e5f6...
    Chain head: a1b2c3d4e5f6...

Record a captured handshake

wxf (EvidenceVault) > run capture \
    --type eapol_handshake \
    --bssid AA:BB:CC:DD:EE:FF \
    --file /evidence/capture_office_001.pcap \
    --note "4-way EAPOL captured after deauth"

[+] Evidence #0002 recorded
    Type:       capture
    Session:    pentest_office_2026_06
    Timestamp:  2026-06-08T08:18:32Z
    Operator:   j.analyst
    File:       /evidence/capture_office_001.pcap
    File SHA-256: 9f8e7d6c5b4a...
    Chain SHA-256: c3d4e5f6a1b2...
    Chain head: c3d4e5f6a1b2...

Record a vulnerability finding

wxf (EvidenceVault) > run finding \
    --severity HIGH \
    --title "WPA2 passphrase cracked in 4h20m" \
    --bssid AA:BB:CC:DD:EE:FF \
    --evidence-ref 0002 \
    --note "Passphrase: 'qwerty123' found in rockyou.txt at position 847,293"

[+] Evidence #0003 recorded
    Type:       finding
    Severity:   HIGH
    Session:    pentest_office_2026_06
    Timestamp:  2026-06-08T12:38:00Z
    Operator:   j.analyst
    Linked to:  evidence #0002
    Chain SHA-256: b2c3d4e5f6a1...
    Chain head: b2c3d4e5f6a1...

Verify chain integrity

wxf (EvidenceVault) > verify

[*] Verifying chain integrity for session pentest_office_2026_06...
[+] Record #0001: hash OK (a1b2c3d4e5f6...)
[+] Record #0002: hash OK (c3d4e5f6a1b2...) | file hash OK
[+] Record #0003: hash OK (b2c3d4e5f6a1...)
[+] Chain VALID (3 records)
[+] ISO/IEC 27037 chain-of-custody: MAINTAINED
[*] Vault path: /evidence/pentest_office_2026_06.vault.json

If tampering is detected:

wxf (EvidenceVault) > verify

[*] Verifying chain integrity for session pentest_office_2026_06...
[+] Record #0001: hash OK
[!] Record #0002: HASH MISMATCH
    Stored:   c3d4e5f6a1b2...
    Computed: deadbeef1234...
[!] CHAIN INTEGRITY BROKEN at record #0002
[!] Evidence from record #0002 onwards may not be admissible

Export report

wxf (EvidenceVault) > export --format json --output /evidence/pentest_office_2026_06_report.json
[+] Exported 3 records to /evidence/pentest_office_2026_06_report.json

wxf (EvidenceVault) > export --format csv --output /evidence/pentest_office_2026_06_report.csv
[+] Exported 3 records to /evidence/pentest_office_2026_06_report.csv

Session Manager

The Session Manager provides a SQLite-backed database for tracking pentest session metadata, targets, and findings alongside the Evidence Vault.

wxf > use generic/session_manager/session_manager
wxf (SessionManager) > set SESSION_ID pentest_office_2026_06
wxf (SessionManager) > set DB_PATH /evidence/sessions.db
wxf (SessionManager) > run

[*] Session: pentest_office_2026_06
[*] DB: /evidence/sessions.db

wxf (SessionManager) > add target \
    --host AA:BB:CC:DD:EE:FF \
    --name "OfficeWiFi" \
    --type wifi \
    --note "Primary target - 2.4GHz WPA2"

[+] Target #1 added: AA:BB:CC:DD:EE:FF (OfficeWiFi)

wxf (SessionManager) > list targets

  ID  Host                  Name        Type   Status   Added
  --  ----                  ----        ----   ------   -----
   1  AA:BB:CC:DD:EE:FF     OfficeWiFi  wifi   active   2026-06-08 08:15

wxf (SessionManager) > export --format json --output /evidence/session_pentest_office.json
[+] Session exported to /evidence/session_pentest_office.json

Best Practices

Before the engagement

wxf > use generic/evidence_vault/evidence_vault
wxf (EvidenceVault) > set SESSION_ID client_name_YYYYMMDD
wxf (EvidenceVault) > set OPERATOR your.name
wxf (EvidenceVault) > run init

[+] New vault initialized: /evidence/client_name_20260608.vault.json
[+] Chain started: empty (0 records)
[+] Session metadata: operator=your.name date=2026-06-08 tool=WXF-1.8.0

During capture

  • Record every significant finding immediately
  • Record file hashes of all captures as you take them
  • Note timestamps explicitly for time-sensitive findings
  • Reference prior evidence records when a finding builds on earlier captures

After the engagement

  1. Run verify to confirm chain integrity
  2. Export the vault in JSON and CSV format
  3. Archive the vault file alongside all referenced capture files
  4. Provide chain-of-custody export to the client or legal team if required

Vault File Format

The vault is stored as a JSON file with append-only semantics:

{
  "session_id": "pentest_office_2026_06",
  "tool": "WirelessXPL-Forge 1.8.0",
  "created": "2026-06-08T08:15:00Z",
  "records": [
    {
      "seq": 1,
      "type": "scan",
      "timestamp": "2026-06-08T08:15:00Z",
      "operator": "j.analyst",
      "data": { "ssid": "OfficeWiFi", "bssid": "AA:BB:CC:DD:EE:FF" },
      "hash": "a1b2c3d4e5f6...",
      "prev_hash": null
    },
    {
      "seq": 2,
      "type": "capture",
      "timestamp": "2026-06-08T08:18:32Z",
      "operator": "j.analyst",
      "data": { "type": "eapol_handshake", "file": "/evidence/capture_office_001.pcap" },
      "file_hash": "9f8e7d6c5b4a...",
      "hash": "c3d4e5f6a1b2...",
      "prev_hash": "a1b2c3d4e5f6..."
    }
  ]
}
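The following is an added example, not the Evidence Vault's own code, that shows how the hash-chaining and tamper-detection mechanisms listed under "ISO/IEC 27037 Compliance" can be implemented over the vault format above. The canonicalisation (SHA-256 over compact, key-sorted JSON of a fixed field set including prev_hash) and the helper names are assumptions; the sample records and the pcap bytes are constructed.

```python
import hashlib
import json
from typing import Optional

# Assumed canonicalisation (not the module's own code): SHA-256 over compact,
# key-sorted JSON of these fields. Covering prev_hash is what links the chain.
HASHED_FIELDS = ("seq", "type", "timestamp", "operator", "data", "file_hash", "prev_hash")

def record_hash(rec: dict) -> str:
    payload = {k: rec.get(k) for k in HASHED_FIELDS}
    encoded = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(encoded).hexdigest()

def append_record(vault: dict, rec_type: str, ts: str, operator: str,
                  data: dict, file_bytes: Optional[bytes] = None) -> dict:
    """Append a record whose hash covers the current chain head (append-only)."""
    records = vault["records"]
    rec = {"seq": len(records) + 1, "type": rec_type, "timestamp": ts,
           "operator": operator, "data": data,
           "prev_hash": records[-1]["hash"] if records else None}
    if file_bytes is not None:  # capture records also pin the file's content
        rec["file_hash"] = hashlib.sha256(file_bytes).hexdigest()
    rec["hash"] = record_hash(rec)
    records.append(rec)
    return rec

def verify_chain(vault: dict, files: Optional[dict] = None) -> tuple:
    """(True, None) if every record, link and file hash checks out,
    otherwise (False, seq) of the first record where the chain breaks."""
    prev = None
    for expected_seq, rec in enumerate(vault["records"], start=1):
        if rec["seq"] != expected_seq or rec.get("prev_hash") != prev:
            return False, rec["seq"]      # reordered, removed or re-linked record
        if record_hash(rec) != rec["hash"]:
            return False, rec["seq"]      # record contents edited in place
        if "file_hash" in rec and files is not None:
            blob = files.get(rec["data"].get("file"))
            if blob is None or hashlib.sha256(blob).hexdigest() != rec["file_hash"]:
                return False, rec["seq"]  # referenced capture altered or missing
        prev = rec["hash"]
    return True, None

def build_demo_vault() -> tuple:
    """Constructed sample mirroring the page's first two records (pcap is a stand-in)."""
    pcap = b"\xd4\xc3\xb2\xa1 constructed stand-in for capture_office_001.pcap"
    vault = {"session_id": "pentest_office_2026_06", "records": []}
    append_record(vault, "scan", "2026-06-08T08:15:00Z", "j.analyst",
                  {"ssid": "OfficeWiFi", "bssid": "AA:BB:CC:DD:EE:FF"})
    append_record(vault, "capture", "2026-06-08T08:18:32Z", "j.analyst",
                  {"type": "eapol_handshake", "file": "/evidence/capture_office_001.pcap"}, pcap)
    return vault, {"/evidence/capture_office_001.pcap": pcap}
```

Editing any earlier record, even with its own hash recomputed, breaks the next record's prev_hash link, but deleting the newest record leaves the shortened chain valid. That is why the chain head printed after each run (or the exported report) should be kept outside the vault file.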

Related pages: Wardriving | WIDS | Wi-Fi Attacks


Author: Andre Henrique (@mrhenrike) | Uniao Geek

WirelessXPL-Forge v1.8.0
