Why Evidence Quality Matters

A vulnerability report without evidence is an opinion. A vulnerability report with forensic-grade evidence is a fact. PhantomYerra captures evidence at the moment of discovery — not reconstructed later, not summarized, not inferred. It records raw requests, raw responses, extracted data, timing measurements, and cryptographic hashes that prove the evidence has not been modified since capture.

Standard: Every finding includes evidence that would satisfy a court of law, a compliance auditor, or a skeptical CISO. If the evidence is not conclusive, the finding does not reach the report.

Evidence Collection Pipeline

Capture Request -> Capture Response -> Extract Data -> Generate PoC -> Hash (SHA-256) -> Timestamp -> Link to Chain -> Package Complete

Eight Evidence Components

1. Raw Request

The exact HTTP request as sent to the target: method, URL, headers (including cookies, authorization tokens, content-type), and body. Nothing is omitted or sanitized. This is the precise input that triggered the vulnerability.

2. Raw Response

The complete HTTP response from the target: status code, all response headers, and full response body. This proves the server's exact behavior in response to the attack payload.

3. Timing Data

Request-to-response latency measured in milliseconds. Essential for confirming time-based blind vulnerabilities where the only signal is a measurable delay in the server's response time.

4. Extracted Data

Any data obtained during exploitation: database records, credentials, API keys, PII, configuration values, internal network information. Cataloged and classified by sensitivity level.

5. SHA-256 Hash

Cryptographic hash computed over the complete evidence package (request + response + timing + extracted data) at the moment of capture. Any post-capture modification of the evidence produces a different hash, which reveals tampering. The hash only proves integrity if the original digest is anchored somewhere the evidence store cannot rewrite, which is what the RFC 3161 timestamp in component 6 provides.

6. RFC 3161 Timestamp

Trusted timestamp establishing exactly when the evidence was captured. This is applied at capture time, not at report generation time. Proves the finding existed at a specific point during the engagement.

7. PoC Script

A copy-paste ready script or command that reproduces the finding independently. The client or their remediation team can run this command to verify the vulnerability exists before applying fixes, and again after fixes to confirm remediation.

8. Chain Context

Reference to the attack chain this finding belongs to, including predecessor findings (what enabled this finding) and successor findings (what this finding enables). Provides the full exploitation narrative context.

Sample Evidence Package Structure

Evidence Package: FINDING-2026-0042
-----------------------------------------------
Finding:    SQL Injection (Boolean-Based Blind)
Severity:   Critical (CVSS 9.8)
Parameter:  id
Endpoint:   /api/users
Confirmed:  2026-04-13T14:23:07Z

[REQUEST]
POST /api/users HTTP/1.1
Host: target.example.com
Content-Type: application/json
Authorization: Bearer eyJ...

{"id": "1 AND 1=1--"}

[RESPONSE]
HTTP/1.1 200 OK
Content-Type: application/json

{"user": {"id": 1, "name": "admin", ...}}

[TIMING]
Latency: 47ms (baseline: 42ms)

[EXTRACTED DATA]
- User records from users table (5 records)
- Database version: MySQL 8.0.32

[HASH]
SHA-256: a4f3e8c1d9b2...7f6e5d4c3b2a

[TIMESTAMP]
RFC 3161: 2026-04-13T14:23:07Z

[POC]
curl -X POST https://target.example.com/api/users \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer TOKEN" \
  -d '{"id": "1 AND 1=1--"}'

[CHAIN CONTEXT]
Chain: AUTH-BYPASS-001 -> SQLI-042 -> DATA-EXFIL-003
Predecessor: AUTH-BYPASS-001 (provided valid session)
Successor: DATA-EXFIL-003 (enables full database dump)

Integrity Guarantees

Chain of Custody

For engagements requiring legal-grade evidence, PhantomYerra maintains a full chain of custody log:

Event               Recorded Data
Evidence Captured   Timestamp, finding ID, engagement ID, evidence hash, capture method
Evidence Stored     Storage location, encryption status, access controls applied
Evidence Accessed   Who accessed, when, for what purpose (report generation, review, export)
Evidence Exported   Export format, destination, hash verification at export time
Report Generated    Which findings included, evidence hashes embedded in report, report hash

Compliance: This evidence methodology satisfies the evidence requirements for PCI DSS penetration testing (Requirement 11.3), SOC 2 Type II audit evidence, and ISO 27001 Annex A.12 security testing documentation.
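The following is an added illustration, not PhantomYerra's own code, of how the SHA-256 component (5) and the chain-of-custody log fit together: the evidence is serialized canonically, hashed at capture, re-verified on export, and each custody entry commits to the hash of the previous one. The RFC 3161 token is stood in for by a plain timestamp string; the TSA exchange is assumed and not shown, and the sample evidence is constructed from the package above.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Constructed sample modelled on the FINDING-2026-0042 package above; not real capture data.
SAMPLE_EVIDENCE = {
    "finding_id": "FINDING-2026-0042",
    "request": 'POST /api/users HTTP/1.1\r\nHost: target.example.com\r\n\r\n{"id": "1 AND 1=1--"}',
    "response": 'HTTP/1.1 200 OK\r\nContent-Type: application/json\r\n\r\n{"user": {"id": 1}}',
    "timing_ms": {"latency": 47, "baseline": 42},
    "extracted_data": ["User records from users table (5 records)", "Database version: MySQL 8.0.32"],
}

def canonical_bytes(obj) -> bytes:
    # Deterministic serialization: key order and whitespace must not change the digest.
    return json.dumps(obj, sort_keys=True, separators=(",", ":"), ensure_ascii=False).encode()

def package_evidence(evidence: dict, captured_at: str = "") -> dict:
    # SHA-256 over request + response + timing + extracted data, taken at capture time.
    # captured_at stands in for the RFC 3161 token; a real pipeline would submit the
    # digest to a TSA and store the signed token here (assumed, not implemented).
    captured_at = captured_at or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    digest = hashlib.sha256(canonical_bytes(evidence)).hexdigest()
    return {"evidence": evidence, "sha256": digest, "captured_at": captured_at}

def verify_package(package: dict) -> bool:
    # Recompute the digest; any post-capture edit to any component makes this fail.
    expected = hashlib.sha256(canonical_bytes(package["evidence"])).hexdigest()
    return hmac.compare_digest(expected, package["sha256"])

def append_custody(log: list, event: str, details: dict) -> list:
    # Each custody entry commits to the previous entry's hash, so a deleted,
    # reordered or edited entry breaks the chain on verification.
    prev = log[-1]["entry_hash"] if log else "0" * 64
    entry = {"event": event, "details": details, "prev_hash": prev}
    entry["entry_hash"] = hashlib.sha256(canonical_bytes(entry)).hexdigest()
    log.append(entry)
    return log

def verify_custody(log: list) -> bool:
    prev = "0" * 64
    for entry in log:
        body = {k: v for k, v in entry.items() if k != "entry_hash"}
        if body["prev_hash"] != prev or hashlib.sha256(canonical_bytes(body)).hexdigest() != entry["entry_hash"]:
            return False
        prev = entry["entry_hash"]
    return True
```

Run `verify_package` at export time and record its result in the "Evidence Exported" custody entry; a mismatch at that point means the stored evidence no longer matches what was captured.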