·.·. Computer forensics software made in Germany .·.·

Evidor: The Evidence Collector

No longer maintained since 2004, superseded by X-Ways Investigator.

Evidor 1.23

Copyright by
X-Ways AG

Idea by
Jerry Saperstein

White Paper (PDF)

Software for lawyers, law firms, corporate law and IT security departments, licensed investigators, and law enforcement agencies.

What it does

Evidor allows to search text on hard disks and retrieves the context of keyword occurrences on computer media, not only by examining all files (the entire allocated space, even Windows swap/paging and hibernate files), but also currently unallocated space and so-called slack space. That means it will even find data from files that have been deleted, if physically still existing. Evidor is a small subset of just the search functionality in X-Ways Forensics. Please note that Evidor cannot access remote networked hard disks. For a more powerful solution please use X-Ways Investigator.

Electronic evidence aquisition and discovery

Evidor is a particularly easy and convenient way for any investigator to find and gather digital evidence on computer media. Evidor also comes most handy in civil (pre-)litigation if one party wants to examine (inspect) the computers of the other party. Evidor can be used on site for electronic discovery, will usually not disclose unrelated proprietary or confidential information and does not impose an undue burden on the responding party in terms of personnel, time and money. Evidor serves as an automated forensic examiner, saving you the cost of many hours of hard manual expert work. Evidor produces reliable, replicable, neutral, and simple results, just as needed before court. 

IT security

Evidor is also an excellent tool for proving the presence or absence of confidential data on computer media, either to detect a security leak or confirm a lack thereof. With Evidor you often finds remnants (or even intact copies) of classified data that should have been encrypted, securely erased, or should not have existed on a media in the first place. 

Additional Toolset

The following products are included in Evidor: a powerful, yet very easy to use data recovery tool (Davory, professional license), a tool that deciphers Internet Explorer's internal browsing log file (X-Ways Trace), and a DOS-based hard disk cloning tool (X-Ways Replica).

Important: For more up to date and more powerful, yet still relatively easy to use search functionality (and a lot of other functionality such as viewing, printing, and commenting on documents, extracting metadata, report creation), we now recommend X-Ways Investigator. If you only need search functionality and is has to be as simple as possible, then Evidor might still be better.


Newsletter subscription
Would you like to be kept informed of updates? Please enter your e-mail address:


How to use and What it does

Evidor is a hard drive search tool. Simply select the disk to examine and provide a list of keywords (such as people's names, e-mail addresses, name of traded goods, etc.). Evidor will then retrieve the context of all occurrences of the keywords on the disk. When viewing the output file, you will likely find excerpts from documents that are closely related to the keywords, e.g. purchase orders, e-mail messages, address books, time tables, etc.

Evidor can either produce HTML documents (recommended) or plain text files. HTML documents can be easily imported and further processed in MS Excel. In MS Excel you can sort the search term occurrences by search term and occurrence location, you can cut irrelevant results, etc. Plain text files can be viewed in any text editor, MS Word, etc. In plain text files, matches are separated in the output file by line breaks and a line with six asterisks and the corresponding keyword.


This sample output HTML file created by Evidor shows occurrences of the city names “Los Angeles”, “San Francisco”, “New York”, “London”, and “Paris” on a user's drive F:. These names occur in postal addresses, as company headquarters, as font descriptions, etc.

This sample output plain text file shows all occurrences of an Internet URL (here: http://www.microsoft.com) on a user's hard drive. Evidor quotes the context from temporary Internet files (browser cache), from Internet Explorer's hidden log file (which memorizes all visited web sites), and from free space (apparently previously allocated to the browser's cache).


DOS-based disk cloning tool included

A simple DOS-based hard disk cloning tool is included because it is generally highly advisable to work on a copy, not on the original drive. Most Windows environments tend to access a newly attached drive without asking, thereby e.g. altering the last access dates of some files. This is avoided under DOS. X-Ways Replica


Related software: X-Ways Forensics




  • Evidor is now available in French.
  • Report file starts with a full description of the media examined (drive model number, serial number, etc.)
  • Search terms within extracted context marked in blue in HTML output


  • Error fixed that caused Evidor to report wrong sector numbers in some cases.
  • Exact offset (address) of each occurrence is reported, in decimal notation.