Evidence Forensics
André Henrique edited this page Jun 8, 2026 · 2 revisions
WirelessXPL-Forge includes a tamper-evident audit ledger compatible with ISO/IEC 27037 chain-of-custody requirements for digital forensic evidence.
In authorized penetration tests, maintaining a verifiable chain of evidence proves:
- What was found and when
- Which analyst collected it
- That evidence has not been modified after collection
The Evidence Vault uses a SHA-256 Merkle-style hash chain: modifying any past record breaks the chain and is detected by verify_chain().
```
wxf > use generic/evidence_vault/evidence_vault

# Create a new session vault
wxf (EvidenceVault) > set SESSION_ID pentest_client_2026_06
wxf (EvidenceVault) > set VAULT_DIR /evidence/client_abc
wxf (EvidenceVault) > set OPERATOR analyst01

# Log a discovered network
wxf (EvidenceVault) > log_scan --ssid "CorporateWiFi" --bssid AA:BB:CC:DD:EE:FF --channel 6 --rssi -65 --security WPA2
[+] Evidence #0001 recorded: kind=scan
    ts: 2026-06-08T14:23:01.123Z
    operator: analyst01
    sha256: a1b2c3d4e5f6...
    prev_hash: 0000000000000000 (genesis)
    Chain head: a1b2c3d4e5f6...

# Log a captured handshake
wxf (EvidenceVault) > log_capture --ssid "CorporateWiFi" --bssid AA:BB:CC:DD:EE:FF --type handshake --file /captures/corporate.hc22000
[+] Evidence #0002 recorded: kind=capture
    artifact_sha256: e5f6789abc...
    artifact_size: 23,412 bytes
    Chain head: b2c3d4e5f6a1...

# Log a recovered credential (stored as hash, not plaintext)
wxf (EvidenceVault) > log_credential --ssid "CorporateWiFi" --method dictionary --credential_hint "mypass***"
[+] Evidence #0003 recorded: kind=credential
    credential_hash: sha256(credential)
    method: dictionary
    Chain head: c3d4e5f6a1b2...

# Log an analyst note
wxf (EvidenceVault) > log_note "Network appears segmented from corporate domain. Separate VLAN."
[+] Evidence #0004 recorded: kind=note
    Chain head: d4e5f6a1b2c3...
```

```
wxf (EvidenceVault) > verify
[*] Verifying chain: /evidence/client_abc/vault_pentest_client_2026_06.jsonl
[+] Chain VALID
    Records: 4
    Head hash: d4e5f6a1b2c3...
    Integrity: All sha256 hashes and prev_hash links verified
    Standard: ISO/IEC 27037 compliant chain-of-custody
```

If tampering occurred:

```
[!] Chain BROKEN - 1 error detected
    Record #2: sha256 mismatch
      Stated: e5f6789abc12...
      Recomputed: e5f6789abc99... (differs!)
    Evidence from record #2 onwards cannot be trusted
```

```
wxf (EvidenceVault) > export_html --output /reports/pentest_client.html
[+] HTML report generated: /reports/pentest_client.html
    4 records | Chain: VALID
    Includes: timeline, findings table, integrity status
```

```
wxf (EvidenceVault) > export_bundle --output /reports/evidence_client_abc.tar.gz
[+] Bundle created: /reports/evidence_client_abc.tar.gz (12.4 MB)
    Contents:
      vault_pentest_client_2026_06.jsonl (audit ledger)
      artifact_e5f6789abc.bin (handshake capture)
    Head hash: d4e5f6a1b2c3...
```

| Method | Description |
|---|---|
| log_scan() | Record a discovered WiFi network |
| log_capture() | Record a captured handshake/PCAP file |
| log_credential() | Record a recovered password (stored as hash) |
| log_attack() | Record an attack attempt and its outcome |
| log_note() | Free-form analyst annotation |
| Property | Implementation |
|---|---|
| Tamper evidence | SHA-256 Merkle chain - any modification detected |
| Non-repudiation | Each record links to previous (GENESIS = 64 zeros) |
| Artifact integrity | Binary artifacts stored with SHA-256 hash |
| Timestamp | ISO-8601 UTC on every record |
| Operator identity | Configurable operator field per session |
| ISO/IEC 27037 | Structure designed for digital forensics admissibility |
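As an added illustration (not WirelessXPL-Forge's own code, whose internals this page does not show), a minimal Python model of the ledger described above: JSONL records carrying operator, ISO-8601 UTC timestamp, prev_hash (GENESIS = 64 zeros) and a SHA-256 over the record, with a verify_chain() that recomputes every digest and link and reports the first broken record the way the module's verify output does. Field names follow the session output; the canonical serialization, the seq field and the artifact handling are assumptions.

```python
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # prev_hash of the first record: 64 zeros, as the property table states

def record_digest(record):
    # Digest of every field except the record's own sha256, serialized with sorted
    # keys and no whitespace so it does not depend on key order or pretty-printing.
    body = {k: v for k, v in record.items() if k != "sha256"}
    data = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(data).hexdigest()

def append_record(ledger, kind, operator, ts=None, artifact=None, **fields):
    """Append one record whose prev_hash is the current chain head.
    `artifact` is the raw bytes of a captured file; only its SHA-256 and size go
    into the ledger, mirroring the artifact_sha256 / artifact_size fields."""
    if artifact is not None:
        fields["artifact_sha256"] = hashlib.sha256(artifact).hexdigest()
        fields["artifact_size"] = len(artifact)
    now = datetime.now(timezone.utc).isoformat(timespec="milliseconds")
    rec = {"seq": len(ledger) + 1, "kind": kind, "operator": operator,
           "ts": ts or now.replace("+00:00", "Z"),
           "prev_hash": ledger[-1]["sha256"] if ledger else GENESIS, **fields}
    rec["sha256"] = record_digest(rec)
    ledger.append(rec)
    return rec

def verify_chain(ledger):
    """Recompute every digest and link; return (valid, errors).
    Two checks cover the two ways a record can be altered after the fact: editing
    a field without updating sha256 (digest mismatch), or editing it and recomputing
    sha256 (the next record's prev_hash no longer matches the new head). Everything
    from the first failing record onwards is untrusted."""
    errors, expected_prev = [], GENESIS
    for rec in ledger:
        if rec["sha256"] != record_digest(rec):
            errors.append(f"Record #{rec['seq']}: sha256 mismatch")
        if rec["prev_hash"] != expected_prev:
            errors.append(f"Record #{rec['seq']}: prev_hash mismatch")
        expected_prev = rec["sha256"]  # stated head, whether or not it verified
    return not errors, errors

def load_jsonl(text):
    """Parse a vault_*.jsonl ledger: one JSON record per line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def dump_jsonl(ledger):
    return "".join(json.dumps(r, sort_keys=True) + "\n" for r in ledger)
```

Because verify_chain() always advances expected_prev to the stated head, an edit that recomputes a record's own sha256 is still caught one record later by the prev_hash check.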
Author: André Henrique (@mrhenrike) | União Geek