How Eviquire Works
Acquisition Concept
An Eviquire acquisition is a controlled evidence-collection session conducted within a case. The case serves as the overall investigation container, the acquisition represents a single collection session, and each evidence item is a smaller sealed package created during that session. This structure enables investigators to gather multiple independent pieces of evidence while preserving their broader context. Screenshots, downloads, emails, page source files, network captures, and reports all remain linked to the acquisition and case from which they originated.
When an acquisition begins, the desktop application creates or selects a case, initializes an Acquisition object, stores the investigator’s selected options, and launches the forensic browser as a separate process. The browser performs the live evidence capture, while the manager process waits for completion and then packages the acquisition.
The session object provides continuity throughout the process. SessionInfo contains the current case ID, acquisition ID, evidence ID, investigator name, software version, acquisition type, and timestamps. Storage paths are derived from these identifiers so that the logical structure matches the filesystem layout. Whenever Eviquire changes the current evidence ID, all subsequent screenshots, summaries, reports, and archives are written to that evidence item’s dedicated folder.
What Happens During Capture
At startup, the browser reconstructs the acquisition using environment variables supplied by the manager process. These include the case ID, acquisition ID, acquisition type, investigator details, start time, Tor or proxy settings, DNS-over-HTTPS mode, enabled options, mail or mobile parameters, and license information.
The browser then creates the acquisition database, chain-of-custody logger, browser profile, request interceptor, and evidence handler.
The browser is not merely a viewing interface. It is a fully instrumented acquisition environment that records user actions, navigation events, page loads, file downloads, screenshots, source captures, network logs, cookies, cache, browser profile state, and optional contextual data such as WHOIS information, certificates, system details, robots.txt, and sitemap.xml.
Every significant operation generates a chain-of-custody event. Each event records what occurred, when it occurred in UTC, the related URL or page, the user agent used, the file produced, and the file’s SHA2-256 hash when applicable. These events are written both to the acquisition database and to human-readable activity logs.
Evidence Creation
Whenever the investigator captures an item, Eviquire creates a new evidence ID such as E-...UTC. This ID becomes the root of a self-contained evidence package.
For screenshots, Eviquire saves the image as a PNG file, creates an EvidenceFile, calculates file hashes, logs a chain-of-custody event such as “Screenshot taken (PNG)”, and generates a summary JSON linking the file to the case, acquisition, and evidence ID. Standard screenshots may also be converted to PDF for stable review or printing.
For page-source evidence, Eviquire saves the HTML or source text, records the URL, domain, page title, and user-agent context, then hashes and summarizes the file. Full-page captures may combine auto-scroll screenshots with source capture so that both visual and technical representations are preserved.
For downloads, Eviquire distinguishes between user-initiated downloads and files downloaded as part of another evidence capture. A normal download becomes its own evidence item, and a screenshot is taken at the moment of download to preserve visual context. A download associated with another capture is stored inside that evidence package.
For mail acquisition, downloaded mail files are preserved with mail-specific metadata such as server ID, email timestamp, sender, and subject. These files are then wrapped in the same forensic structure: chain-of-custody record, summary JSON, report, archive, and final package.
Artifacts and Their Purpose
Screenshots and page-shot artifacts preserve what the investigator visually observed. This is important because live web content may later change, disappear, or render differently. PNG files preserve the visual state, while PDF versions provide a stable review format.
Page-source artifacts preserve the underlying markup or extracted source. They provide a second perspective on the evidence by showing not only what was displayed, but also what the browser received or extracted.
The browser profile preserves browsing state such as persistent cookies and cache. This can be critical for authenticated sessions and for understanding how content was accessed, although it may contain sensitive session data.
Network artifacts preserve communications generated during the acquisition. The PCAPNG file captures packet-level traffic. The TShark log records capture-tool activity. The TLS key log may support later decryption or analysis of encrypted traffic where applicable. The browser net log provides an additional browser-level network perspective.
Chain-of-custody logs preserve the procedural history of the acquisition, including navigation events, page loads, screenshots, report generation, recording start and end times, and file creation events.
Summary JSON files preserve machine-readable integrity metadata such as file name, size, creation time, MD5, SHA2-256, SHA3-256, and case/acquisition/evidence linkage. These files are later timestamped and may be submitted for blockchain anchoring.
Hash-list files preserve a complete file tree with hashes and timestamps. Evidence-level hash lists compare hashes recorded at acquisition time with hashes recalculated during packaging. Any mismatch is recorded.
Timestamp Authority (TSA) files (.tsq and .tsr) preserve external timestamp proof for the summary JSON. Blockchain raw files preserve blockchain submission metadata. Together, these allow later verification that the evidence summary existed in a specific hashed form at a particular time.
Packaging and Preservation
Evidence finalization is the stage where raw captured material becomes a sealed evidence package. Eviquire gathers additional context, creates a hash list, compresses the evidence directory into an archive, generates PDF and JSON reports, creates a summary JSON over the archive and report, timestamps that summary, optionally submits its hash to a blockchain service, and builds the final evidence ZIP package.
Accordingly, an evidence ZIP file is not merely a screenshot or downloaded file. It is a forensic bundle containing the raw evidence archive, report files, summary JSON, timestamp request and response files, and blockchain metadata when available.
When the browser session ends, the manager finalizes the acquisition. It opens the acquisition database, loads evidence records, determines the acquisition end time from the final event, and collects metadata such as software version, operator, timestamps, video duration, public IP, proxy IP, PCAP hash, TShark version and hash, TLS key-log hash, DNS settings, and enabled acquisition options. It then creates an acquisition hash list, acquisition archive, acquisition report, acquisition summary JSON, timestamp files, and blockchain submission data.
Case closure applies the same process at the highest level. The case is closed, hashed, archived, reported, summarized, timestamped, blockchain-anchored, and compressed into a final case ZIP. This creates integrity layers at the evidence, acquisition, and case levels.
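As an added illustration, not Eviquire's own code, the following Python sketch shows the integrity mechanics described in the artifact and packaging sections: a summary JSON carrying MD5, SHA2-256 and SHA3-256 plus case/acquisition/evidence linkage, and an evidence-level hash list recorded at acquisition time and recalculated during packaging, with every mismatch recorded. The file names, identifiers and directory layout are constructed for the demo and are not Eviquire's actual formats.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timezone
ALGOS = ("md5", "sha256", "sha3_256")  # MD5, SHA2-256 and SHA3-256, as listed for the summary JSON

def file_hashes(path):
    """Read the file once and feed every chunk to all three digests."""
    hs = {a: hashlib.new(a) for a in ALGOS}
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            for h in hs.values(): h.update(chunk)
    return {a: h.hexdigest() for a, h in hs.items()}

def summary_json(path, case_id, acq_id, ev_id):
    """Integrity metadata for one file, linked to its case, acquisition and evidence IDs (constructed layout)."""
    return {"file": os.path.basename(path), "size": os.path.getsize(path),
            "created_utc": datetime.now(timezone.utc).isoformat(),
            "case_id": case_id, "acquisition_id": acq_id, "evidence_id": ev_id,
            **file_hashes(path)}

def build_hash_list(root):
    """Relative path -> SHA2-256 for every file under the evidence directory."""
    listing = {}
    for dirpath, _, files in os.walk(root):
        for name in sorted(files):
            full = os.path.join(dirpath, name)
            listing[os.path.relpath(full, root)] = file_hashes(full)["sha256"]
    return listing

def verify_hash_list(root, recorded):
    """Recalculate at packaging time; every difference is recorded, never silently dropped."""
    current = build_hash_list(root)
    mismatches = [(rel, "missing" if rel not in current else "modified")
                  for rel, h in recorded.items() if current.get(rel) != h]
    mismatches += [(rel, "unexpected") for rel in sorted(current.keys() - recorded.keys())]
    return mismatches

def demo():
    # Constructed stand-in for an evidence folder; the bytes are samples, not real captures
    root = tempfile.mkdtemp(prefix="evidence_demo_")
    for name, data in (("page.html", b"<html>constructed</html>"), ("shot.png", b"\x89PNG-sample")):
        with open(os.path.join(root, name), "wb") as f:
            f.write(data)
    summary = summary_json(os.path.join(root, "page.html"), "C-0001", "A-0001", "E-0001")
    recorded = build_hash_list(root)          # hashes recorded at acquisition time
    clean = verify_hash_list(root, recorded)  # nothing has changed yet -> []
    with open(os.path.join(root, "page.html"), "ab") as f:
        f.write(b"<!-- altered after capture -->")  # simulate a post-acquisition change
    return summary, clean, verify_hash_list(root, recorded)
```

Running `demo()` returns the summary built before the change, an empty mismatch list for the untouched tree, and `[("page.html", "modified")]` once the file has been altered, which is the signal the packaging stage records rather than discards.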
Why the Model Is Flexible
The model is flexible because each layer serves a distinct purpose.
Evidence packages are small, focused, and independently reviewable.
Acquisitions preserve the full collection session, including logs, database records, video, network captures, and all related evidence packages.
Cases preserve the complete investigation and may contain multiple acquisition sessions.
This allows an investigator to collect a single page, a sequence of web captures, a mobile session, mail evidence, downloads, and network traffic within one acquisition while still treating each evidence item as an individually sealed forensic object.
Later, the investigator may review a single evidence item, reopen an acquisition, or close and deliver the full case.
The core forensic principle is straightforward: Eviquire does not simply save files. It records how those files were created, links them to investigator, session, and case context, hashes them at multiple stages, timestamps their summaries, and packages them so that later review can verify whether the material still matches what was originally captured.