eDetector is an endpoint digital evidence collection system. It aims to carry out artifact collection and program analysis with minimal impact on the target's operation while the target is powered on. The artifacts collected include server history, recently opened files, USB usage history, program execution artifacts, etc. Together with the $MFT file and keyword search, these let the IR team identify suspicious sources and preserve related evidence for further analysis.
eDetector can also detect artifacts of program behavior in memory, including code injection, hidden programs, core interception, connection history, etc. Through behavioral analysis, eDetector is able to issue warnings and draw up program connections, spotting hidden threats in time for users to respond to different kinds of attacks.