# Evidence
Collect. Organize. Report.
Evidence is a lightweight command-line tool designed to help offensive security professionals, OSCP candidates, penetration testers, and CTF players collect and organize evidence during engagements.
Instead of juggling screenshots, notes, credentials, loot files, and terminal output across multiple folders, Evidence automatically captures and organizes everything into a structured workspace, chronologically from start to finish.
- Workspace management
- Live command execution (live terminal output)
- Automatic command output logging
- Screenshot collection
- Credential tracking
- Loot management
- Engagement notes
- Activity history
- Status dashboard
One of the most common problems during assessments is maintaining organized evidence.
It's easy to:
- Forget screenshots
- Lose command output
- Misplace credentials
- Forget where a flag was found
- Spend hours rebuilding notes for reports
Evidence automatically organizes everything into a structured workspace, allowing operators to focus on the assessment instead of evidence management.
## Example Workflow
```bash
evidence create oscp
evidence run -- rustscan -a 10.10.10.5
evidence run -- nmap -sCV 10.10.10.5
evidence screenshot
evidence note "Anonymous FTP access discovered."
evidence credential add ftp anonymous
evidence loot add local.txt
evidence status
```

## Installation

```bash
git clone https://github.com/YOUR_USERNAME/evidence.git
cd evidence
pipx install -e .
```

If you prefer a virtual environment:

```bash
python3 -m venv venv
source venv/bin/activate
pip install -e .
```

Verify installation:

```bash
evidence --help
evidence --version
```

## Usage

Create a workspace:

```bash
evidence create oscp
```

Run commands and save output:

```bash
evidence run -- nmap -sCV 10.10.10.5
```

Add notes:

```bash
evidence note "Discovered SMB shares."
```

Save credentials:

```bash
evidence credential add administrator Password123
```

Store loot:

```bash
evidence loot add local.txt
```

Take screenshots:

```bash
evidence screenshot
```

Check workspace status:

```bash
evidence status
```

Evidence automatically creates the following layout:

```
└── oscp/
    ├── commands/
    │   ├── 0001_whoami.txt
    │   ├── 0002_nmap.txt
    │   └── 0003_netexec.txt
    ├── screenshots/
    │   ├── 0001_user_shell.png
    │   └── 0002_root_shell.png
    ├── loot/
    ├── engagement.md
    ├── credentials.md
    └── .activity.log
```

```bash
evidence --version
```

Example:

```
Evidence v0.1.0
```
### commands/

Stores command output with timestamps.

Example:

`0001_whoami.txt`, `0002_nmap.txt`, `0003_netexec.txt`

Full timestamps are preserved inside each output file.

### screenshots/

Stores screenshots captured during the engagement.
Screenshots can be labeled with a description and are automatically named using sequential IDs.

Example:

`0001_user_shell.png`, `0002_root_shell.png`

### loot/

Stores collected files such as:
- local.txt
- root.txt
- BloodHound archives
- hashes
- configuration files

### engagement.md

Primary note-taking document.

### credentials.md

Stores captured credentials.

### .activity.log

Internal activity tracking used for workspace status and history.
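The layout above keeps captured credentials and loot as ordinary files next to sequentially numbered output, so two checks are worth running before a workspace is archived or shared. The following is an added example, not part of Evidence itself: the four-digit ID prefix is taken from the file names shown above, while the owner-only permission expectation, the function names and the workspace path passed in are assumptions.

```python
import re
import stat
import tempfile
from pathlib import Path

SEQ_NAME = re.compile(r"^(\d{4})_")  # sequential ID prefix, e.g. 0002_nmap.txt
SENSITIVE = ("credentials.md", "loot", ".activity.log")  # names from the layout


def sequence_gaps(directory: Path) -> list:
    """Return sequential IDs missing between 1 and the highest ID present."""
    ids = {int(m.group(1)) for e in directory.iterdir()
           if (m := SEQ_NAME.match(e.name))}
    return sorted(set(range(1, max(ids, default=0) + 1)) - ids)


def exposed_paths(workspace: Path) -> list:
    """Return sensitive paths with any group/other permission bit set."""
    exposed = []
    for name in SENSITIVE:
        root = workspace / name
        if not root.exists():
            continue
        for path in [root] + (sorted(root.rglob("*")) if root.is_dir() else []):
            if path.lstat().st_mode & (stat.S_IRWXG | stat.S_IRWXO):
                exposed.append(str(path.relative_to(workspace)))
    return exposed


def build_sample(root: Path) -> Path:
    """Constructed sample workspace mirroring the documented layout."""
    ws = root / "oscp"
    for sub in ("commands", "screenshots", "loot"):
        (ws / sub).mkdir(parents=True)
    for name in ("0001_whoami.txt", "0003_netexec.txt"):  # 0002 left out
        (ws / "commands" / name).write_text("constructed output\n")
    (ws / "credentials.md").write_text("constructed\n")
    (ws / "credentials.md").chmod(0o644)  # deliberately world-readable
    (ws / "loot").chmod(0o700)
    return ws


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        ws = build_sample(Path(tmp))
        print("exposed:", exposed_paths(ws))
        print("command ID gaps:", sequence_gaps(ws / "commands"))
```

A gap in the numbering means an output file was removed or renamed after capture, which matters when the workspace backs a report.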
## Command Reference

```bash
evidence create oscp
evidence use oscp
evidence current
evidence run -- whoami
evidence run -- netexec smb 10.10.10.5
evidence loot add local.txt
evidence credential add administrator Password123
```

With source tracking:

```bash
evidence credential add administrator Password123 --source responder
```

```bash
evidence note "Anonymous FTP access discovered."
evidence screenshot
evidence status
```

Example:

```
Workspace: oscp
Commands: 17
Screenshots: 8
Credentials: 4
Loot Files: 2
Last Activity:
COMMAND: netexec smb 10.10.10.5
2026-06-09 15:42:01
```
* Workspace management
* Live command execution
* Command output logging
* Screenshot collection
* Credential tracking
* Loot management
* Engagement notes
* Activity history
* Status dashboard
* Workspace statistics
---
## Use Cases
### OSCP
Track:
* Enumeration
* Credentials
* Privilege escalation
* Screenshots
* Flags
### Penetration Testing
Maintain organized evidence throughout assessments.
### Capture The Flag
Keep notes, loot, and command history organized during competitions.
### Red Team Operations
Document activity and findings throughout engagements.
---
## Roadmap
Planned features:
* Exportable reports
* Markdown report generation
* Screenshot tagging
* Credential search
* Workspace history
* Activity timeline
* Evidence export bundles
* Report templates
---
## Contributing
Contributions, feature requests, and bug reports are welcome.
Please open an issue before submitting major changes.
---
## Roadmap
Planned improvements:
- [ ] Cleaner report formatting with reduced timestamp noise
- [ ] Streaming command support for tools like `responder`, `nc`, and `python3 -m http.server`
- [ ] Background session tracking for long-running services
- [ ] Interactive shell/session tracking for WinRM, SSH, reverse shells, and cmd shells
- [ ] Built-in redaction workflow for flags, proof files, credentials, and screenshots
- [ ] Export modes for Markdown, HTML, and PDF reports
---
## License
MIT License
---
## Disclaimer
This project is intended for authorized security testing, education, and research purposes only.
Users are responsible for ensuring compliance with all applicable laws, regulations, and rules of engagement.
### Author
Evan DeWeese (FrankieBFG)
Built while studying offensive security from the crossroads of The United States
GitHub: https://github.com/FrankieBFG