SPEKTOR Forensic Intelligence

Designed specifically for use by non-technical investigators, SPEKTOR is used by front line police and other enforcement officers around the world to rapidly preserve and automatically examine data stored on computers, servers and mass storage devices.

Rapid Data Collection

Our unique ultra fast collection technology means that SPEKTOR collects in minutes. Deployed against LIVE or powered-off systems, SPEKTOR finds target data based on signatures and/or file extentions, recovers deleted files, collects volatile memory and comprehensive file information.

Comprehensive, Safe, Fast and Secure

Collect targeted data or conduct a full forensic image from removable media such as hard disk drives, USB sticks and memory cards. SPEKTOR fully supports collections from Windows, Apple or Linux based machines.

Accepted Forensically & Evidentially

SPEKTOR uses standard & accepted forensic techniques to preserve & protect original data while creating full forensic images or collecting targeted files. SPEKTOR captures details about every file on a system and calculates MD5 and SHA1 hashes for all collected data.

Unlimited Collectors

SPEKTOR uses standard removable USB devices as ‘Collectors’ so you can process as many targets as you like simultaneously.

Couple this with an easy to use 6 step wizard and you’ve got the ultimate digital triage, forensic imaging and automated analysis solution in one box.

Core Features

Review Docs, Images & Multimedia

Most Graphics & Human Readable Files
Fully Playable Media & Full Metadata Recovery

Email Support

Full Local Email Support
Supports Formats Including PST, OST, MBOX, MSG, EML & AppleMail

Web Based Activity

Full Page Reconstruction
All Main Browsers Supported
Chat Client and Social Media Activity

New Technology Support

Full UEFI Secure Boot Support
PC App Support

Secure Forensic Process

Highly Secure
Designed by Forensic Experts
Process Driven Software

Advanced Export and Reporting

Reports in HTML, PDF & DOCX formats
Export Files and Hashsets
Export to Intelligence Systems

Additional Features

Password Lists

Allows the unlocking of password protected files.

Match & Ignore Lists

Identify files of interest and ignore unwanted files

Perpetual Licensing Model

No subscription is required with SPEKTOR, once purchased it continues working for as long as you need it.

Important Number Recognition

Automatically recognise important numbers such as bank cards and IMEIs.

International Language Support

Multi-language file support and keyword search

More Information

SPEKTOR Forensic Intelligence Brochure

Download the SPEKTOR Forensic Intelligence brochure for more information.
Download Brochure

SPEKTOR Forensic Intelligence Movies

View movies showing the capabilities of SPEKTOR and how it functions.

Latest SPEKTOR Forensic Intelligence Release Notes

View the latest SPEKTOR Release Notes.
Release Notes

SPEKTOR Testimonials

Read Some Testimonials From Our Customers

SPEKTOR was recently deployed by CEOP on a high profile operation at 5 key locations where time was of the essence. We chose SPEKTOR because of its comprehensive device support, speed and ease of use. On the day, SPEKTOR enabled our officers to quickly examine multiple computers, memory cards, mobile phones and USB devices resulting in a very successful operation. SPEKTOR was provided on a pro-bono basis by Evidence Talks.
Ruth Allen Head of Specialist Operational Support, CEOP
We have been very impressed and found the kit (SPEKTOR) easy to use and effective - it has saved us a lot of unnecessary paperwork and submissions of media that would have proved fruitless.
Regional Asset Recovery Team Metropolitan Police, London
Lancashire Constabulary Hi Tech Crime Unit have chosen SPEKTOR from Evidence Talks, as an effective tool, to assist in processing the ever increasing range and volume of digital evidence presented for examination. SPEKTOR has proven to be a very useful and innovative tool, being able to overcome many of the difficulties associated with processing items such as MacBooks and devices containing multiple disks or solid state storage such as Netbooks. The use of SPEKTOR in acquiring forensic images from such devices is achieved using the specially developed SPEKTOR collection technology. This has proved to be a real time saver, avoiding the often onerous task of disassembling devices to remove hard disks. In addition to its regular use within the lab, SPEKTOR is also available to assist on scene, providing additional peace of mind when facing the challenge of potentially complex crime scenes involving multiple and varied devices. We are very happy with the use of SPEKTOR and acknowledge the full potential of the product for imaging and triage, which to date has had a very positive impact in our ability to handle a wide range of devices.
Hi-Tech Crime Unit Lancashire Constabulary


What is SPEKTOR?
SPEKTOR is a Forensic Triage solution designed for people with little or no technical skills, it allows them to quickly and easily review the contents of all PCs, MACs, Servers, and any mobile media such as USB thumb drives, memory cards, mobile phones and satellite navigation systems etc, (we call these the target devices) in a way that is acceptable both as evidence or intelligence.
Do I need to have an understanding of forensic processes and practices to operate SPEKTOR?
No, SPEKTOR has been specifically designed to provide non-forensic operators the ability to triage digital devices, whilst in a forensically sound manner. This is achieved by utilising a combination of integrated hardware, process driven configuration and deployment protocols in conjunction with comprehensive event auditing within a secure Linux Operating System.
What type of devices can SPEKTOR triage?
SPEKTOR Forensic Intelligence is the base product which operates in a Linux environment, providing the ability to triage and forensically image a wide range of digital media, such as computers, USB external storage devices and card based media, e.g. SD, Compact Flash etc.
Am I able to triage and image external media, such as USB thumb drives, loose hard drives, SD cards, CF Cards etc.?
Yes, SPEKTOR is configured with designated read only protected USB and Firewire ports, allowing media to be individually ‘triaged’ or forensically imaged via the SPEKTOR Control Pod to a triage collector disc or store disc for imaging. A multimedia card reader is supplied as standard, which supports a variety of proprietary media formats.
What process is required to set up SPEKTOR search profiles?
The creation of search profiles is wizard-driven, using clear, concise terms and intuitive onscreen graphics. The operator is able to create new, edit, clone and save as many profiles as required to suit individual operational needs.
What changes does SPEKTOR make to the target devices?
Whether performing standard triage or creating forensic images of target systems (SPEKTOR produces images in Encase, FTK, SMART and DD formats) the target systems/devices are always accessed 100% read-only. This has been validated in our own forensic laboratories and by CAST during their recent evaluation of triage tools. Standard triage mode and Forensic imaging uses exactly the same techniques that forensic analysts use when processing a target with a Linux boot CD. Target computers can be booted either from a Linux partition on the SPEKTOR collector or from the SPEKTOR Linux boot CD. We use a specially crafted OpenSuse Linux in both cases and all target access is 100% read only, resulting in absolutely no changes being made to the target media. Live mode is used to acquire data from running windows computers and, like every other live response tool, the process does make some small changes to the target. Such changes are impossible for any tool to avoid. However, we do not make any changes to file system dates and times and restrict the changes we do make to a couple of entries in the Windows Registry that relate to the attachment of the SPEKTOR Collector, a similar entry in the Setupapi.log file and a further entry in the Pre-fetch data showing the collection code being run. Any attempt to remove these entries after collection would not reflect good forensic practice so we don’t do it.
Does SPEKTOR support MacBooks?
Yes, SPEKTOR is able to undertake triage collections on Intel based MacBooks and forensic imaging on all models.
Can collected data be exported?
Following a triage based collection, data can be reviewed and marked as an item of interest and subsequently selected to be exported to either a USB storage device or optical media. Exported content includes logical files, hash values, a full file listing, html report and full details of the collection configuration.
Will I need to remove the hard disc to conduct triage or imaging?
No, SPEKTOR utilises a special boot disc which allows the target computer to be booted in a forensically sound manner and preventing the often onerous task of disassembling modern notebooks and prevents any change ‘writes’ being made to the target disc being accessed. An ISO image of the boot disc is stored on SPEKTOR, allowing you to burn as many bootable CD’s as required, in order to undertake multiple, consecutive triage collections or full disc imaging.
How are software updates handled?
To maintain the maximum effectiveness of SPEKTOR, new updates are released on a regular basis, which can be downloaded directly onto SPEKTOR via our secure support portal. We are always looking to improve functionality and welcome feedback from users, which directly contributes to ongoing product development.
Is SPEKTOR able to recover deleted data from the slack/unallocated areas of a disc?
Recoverable deleted data is collected as part of standard triage collections, which is designed to collect and present potentially valuable evidence and actionable intelligence within the shortest possible time frame. SPEKTOR can be deployed to undertake full forensic imaging in a variety of proprietary formats, e.g. EnCase, FTK, SMART and DD, in order to support further extensive traditional forensic analysis.
How does SPEKTOR prevent changes being made to evidence?
To maintain the maximum effectiveness of SPEKTOR, new updates are released on a regular basis, which can be downloaded directly onto SPEKTOR via our secure support portal. We are always looking to improve functionality and welcome feedback from users, which directly contributes to ongoing product development.
Does SPEKTOR log user actions?
Audit and logging is at the heart of SPEKTOR. MD5 and SHA1 hash values are calculated for every file SPEKTOR collects together with comprehensive logs covering the entire triage or imaging process, from the initial registering of the collector to the control pod, through the cleaning of the collector prior to deployment, the deployment process, the automatic data analysis process and even the users navigation of the results and which files they have viewed. The level of log detail exceeds that produced by Accessdata’s FTK forensic tool. It also logs when and how a user exports data from SPEKTOR.
Does SPEKTOR replace the need for forensic analysis?
No, we recommend that forensic analysis be undertaken on systems identified by SPEKTOR as containing potential evidence. SPEKTOR is designed to allow intelligent decisions to be made by the user at the point of contact with suspect device. The use of SPEKTOR does not affect any subsequent forensic analysis.


Please login here



Contact Us

Evidence Talks Ltd
Willen House
Tongwell Street
Fox Milne
Milton Keynes
MK15 0YS
t: +44 (0)1908 597960
f: +44 (0)1908 597958