Evidence Collector is no longer maintained by Security-Database. We keep it here for information and history.


Evidence Collector is a free forensics program that drives other utilities to collect the information you may need when investigating an IT incident.


  • System information: owner, IP and MAC address, gathered before going through the forensic steps.
  • Shares and the policies applied on them: very handy for detecting whether someone got into the computer through an open share.
  • Started and stopped services: some services can be wide-open doors for unauthorized access.
  • Installed software: unwanted software can be installed without your knowledge; see what is inside your computer.
  • Installed hotfixes: enumerates installed hotfixes. Note that a missing critical patch is a potentially exploitable vulnerability.
  • Enumerated processes: lists every process started on the system.
  • Event logs: the Application, System and Security event logs are collected. Event logs keep traces of what happened on the system.
  • TCP / UDP endpoint mapping: see what is hiding behind TCP / UDP ports. Most remote administration tools and trojans do not hide their activity.
  • Process handle tracking: see what processes did once started, from accessing registry keys to writing to files. Useful for checking whether malicious activity is disguised behind some process.
  • Start-up program list: many malicious programs stick themselves into registry keys so that they are reloaded when the computer reboots.
  • Suspected modules: scans modules to see whether they are rootkitted.
  • USB history: reveals whether any USB key has been plugged into the system.
  • User policies: collects users and their policy, so that any unknown user is easily identified.
  • And more...
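Most of the artifact categories listed above map onto built-in Windows facilities. The PowerShell script below is added here as an example; it is not Evidence Collector's own code. It collects the same kinds of evidence into a timestamped folder and finishes with a SHA-256 manifest so the collection can be verified later. It assumes an elevated PowerShell 5.1 or later session on Windows 10 / Server 2016 or later, and the output root C:\IR is an assumed default. Process handle tracking and rootkit scanning of loaded modules are left out, since they need a kernel-level tool rather than the built-in cmdlets used here.

```powershell
# Added triage-collection example (not Evidence Collector's code).
# Assumes an elevated session; $OutRoot is an assumed default location.
param([string]$OutRoot = "C:\IR")

$stamp  = Get-Date -Format "yyyyMMdd-HHmmss"
$outDir = Join-Path $OutRoot "$env:COMPUTERNAME-$stamp"
New-Item -ItemType Directory -Path $outDir -Force | Out-Null

# Run one collector, write its output as CSV, and log failures instead of aborting
# the whole collection (a single denied cmdlet should not cost you the rest).
function Save-Artifact {
    param([string]$Name, [scriptblock]$Collector)
    try {
        & $Collector | Export-Csv -Path (Join-Path $outDir "$Name.csv") -NoTypeInformation -Encoding UTF8
    } catch {
        "$Name : $($_.Exception.Message)" | Add-Content (Join-Path $outDir "errors.log")
    }
}

# System information: host, owner, network adapters (MAC) and IP addresses.
Save-Artifact "system"      { Get-CimInstance Win32_ComputerSystem | Select-Object Name, Domain, PrimaryOwnerName, Manufacturer, Model }
Save-Artifact "adapters"    { Get-NetAdapter | Select-Object Name, InterfaceDescription, MacAddress, Status }
Save-Artifact "ipaddresses" { Get-NetIPAddress | Select-Object InterfaceAlias, IPAddress, AddressFamily }

# Shares and the access policy applied on each share.
Save-Artifact "shares"     { Get-SmbShare | Select-Object Name, Path, Description }
Save-Artifact "share_acls" { Get-SmbShare | Get-SmbShareAccess | Select-Object Name, AccountName, AccessControlType, AccessRight }

# Started and stopped services, with their start type.
Save-Artifact "services" { Get-Service | Select-Object Name, DisplayName, Status, StartType }

# Installed software from the 64-bit and 32-bit Uninstall keys.
Save-Artifact "software" {
    Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*",
                     "HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*" -ErrorAction SilentlyContinue |
        Where-Object DisplayName | Select-Object DisplayName, DisplayVersion, Publisher, InstallDate
}

# Installed hotfixes.
Save-Artifact "hotfixes" { Get-HotFix | Select-Object HotFixID, Description, InstalledOn }

# Processes with parent, image path and command line, plus the modules each one loaded.
Save-Artifact "processes" { Get-CimInstance Win32_Process | Select-Object ProcessId, ParentProcessId, Name, ExecutablePath, CommandLine }
Save-Artifact "modules" {
    foreach ($p in Get-Process) {
        # Protected or foreign-session processes refuse module enumeration; skip them.
        try { foreach ($m in $p.Modules) { [pscustomobject]@{ Pid = $p.Id; Process = $p.Name; Module = $m.FileName } } } catch { }
    }
}

# Event logs: keep the native .evtx (preserves every field) and a readable CSV extract.
foreach ($log in "Application", "System", "Security") {
    & wevtutil.exe epl $log (Join-Path $outDir "$log.evtx")
    Save-Artifact "eventlog_$log" { Get-WinEvent -LogName $log -MaxEvents 5000 | Select-Object TimeCreated, Id, LevelDisplayName, ProviderName, Message }
}

# TCP / UDP endpoints mapped to their owning process.
Save-Artifact "tcp" { Get-NetTCPConnection | Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, State, OwningProcess }
Save-Artifact "udp" { Get-NetUDPEndpoint   | Select-Object LocalAddress, LocalPort, OwningProcess }

# Start-up programs registered in the Run / RunOnce keys (machine and current user).
$runKeys = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
           "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce",
           "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
           "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce"
Save-Artifact "startup" {
    foreach ($k in $runKeys) {
        if (-not (Test-Path $k)) { continue }
        (Get-ItemProperty $k).PSObject.Properties |
            Where-Object { $_.Name -notlike "PS*" } |
            ForEach-Object { [pscustomobject]@{ Key = $k; Name = $_.Name; Command = $_.Value } }
    }
}

# USB storage history: every device and serial that was ever enumerated under USBSTOR.
Save-Artifact "usb_history" {
    Get-ChildItem "HKLM:\SYSTEM\CurrentControlSet\Enum\USBSTOR" -ErrorAction SilentlyContinue | ForEach-Object {
        $dev = $_.PSChildName
        Get-ChildItem $_.PSPath | ForEach-Object {
            [pscustomobject]@{ Device = $dev; Serial = $_.PSChildName; FriendlyName = (Get-ItemProperty $_.PSPath).FriendlyName }
        }
    }
}

# Local users and who sits in the Administrators group.
Save-Artifact "users"  { Get-LocalUser | Select-Object Name, Enabled, LastLogon, PasswordLastSet, Description }
Save-Artifact "admins" { Get-LocalGroupMember -Group "Administrators" | Select-Object Name, ObjectClass, PrincipalSource }

# Integrity manifest: hash everything collected so the evidence can be verified later.
# Hashes are computed first so the manifest does not end up hashing itself.
$hashes = Get-ChildItem $outDir -File | Get-FileHash -Algorithm SHA256 | Select-Object Path, Hash
$hashes | Export-Csv -Path (Join-Path $outDir "manifest.sha256.csv") -NoTypeInformation -Encoding UTF8
Write-Host "Collection written to $outDir"
```

Run it as `.\Collect-Evidence.ps1 -OutRoot D:\cases` (an assumed file name) from an elevated prompt, ideally with the output root on removable or network media rather than the suspect disk so the collection overwrites as little as possible. Each collector is isolated in Save-Artifact, so a cmdlet that is unavailable on an older build is recorded in errors.log instead of stopping the run.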

Evidence Collector Preview