Why this exists
Open-source findings get challenged on process, not just substance. If you can show what you saw, when you saw it, and that a captured file hasn't changed since, your work holds up. This tool records an ISO-8601 timestamp and a SHA-256 hash for every entry, and can fingerprint a screenshot or downloaded file so you can later prove the bytes are identical. Pair it with the Pivot Hub as you work a case, and export the log when you're done.
How it works
Type a source URL and an observation, then Add entry — the timestamp and hash are computed for you. To fingerprint a file, choose it and the tool hashes the raw bytes locally with the browser's Web Crypto API; the file itself never leaves your device. Your log is saved in this browser's local storage so it survives a refresh, and Clear log wipes it. Export any time as Markdown (readable), CSV (spreadsheet), or JSON (machine-readable), including your case name and investigator for the record.
Frequently Asked Questions
How does this help with chain of custody?
Each finding gets an automatic ISO-8601 timestamp and a SHA-256 hash of the entry, giving a tamper-evident record of what you saw and when. Hash an uploaded file to fingerprint a screenshot or artifact, and export the log as documentation you can attach to a case.
Is my evidence uploaded anywhere?
No. Everything runs in your browser, hashing is done locally with the Web Crypto API, files never leave your device, and the log lives only in this browser's local storage. There's no account and no server.
What is a SHA-256 hash?
A fixed 64-character fingerprint of any input; identical input always gives the same hash, and any change gives a completely different one. Recording a file's hash at collection lets you later prove it hasn't been altered.