Spectra MacCollect performs documented live triage and logical acquisition on a running Mac — a read-only snapshot, copied into a logical image, every action logged, and the whole evidence set cryptographically sealed.
SHA-256 · a3f1c0…9c20 · ✓ sealed
Live collection in progress — interface preview
One annual license per collecting drive. Buy a configured drive ready to run, or bring your own.
$500 / year
The Spectra MacCollect software license for one year, bound to your collecting drive. Includes updates, support, and continued macOS validation.
Purchase — $500$1,000 / first year
A ready-to-run external evidence drive (SSD) with the license pre-bound and partitions configured — license included. Plug in and collect; renews at $500/yr.
Buy with SSD — $1,000$500 / year
Keeps your MacCollect license current with new macOS releases and tool updates. Renew before expiry to avoid interruption.
Renew — $500Bring your own drive — the license binds to the drive's serial. A time-limited evaluation is available before purchase. See the full purchase flow →
Spectra MacCollect is built for forensic examiners who need to collect from a live, logged-in Mac and stand behind every step of how they did it. It takes a read-only, point-in-time snapshot of the subject's data, copies it into a logical image, and collects high-value artifacts for triage — producing a complete, hashed, self-verifying evidence set along the way.
The framing is deliberate and consistent: it performs documented live triage, not a forensic image of physical media. On modern Macs — particularly Apple Silicon and FileVault-encrypted systems — a traditional bit-for-bit image of the internal drive is often impossible to obtain. Spectra MacCollect is built for the collection that is actually achievable on a running machine, and documents its boundaries honestly.
The boot volume is busy, and on Apple Silicon the physical image is generally unobtainable. Examiners are left collecting from a running system, where files are changing, some content is OS-protected, and some isn't even on the device. Done carelessly, that produces a collection that's hard to defend — no record of what was and wasn't captured, and no answer when opposing counsel asks "how do you know this is complete?"
Spectra MacCollect freezes a consistent point in time, records every action it takes, seals the result so alteration is detectable, and produces an explicit, honest accounting of what it could not capture and why. The defensibility doesn't come from a claim — it comes from the evidence set the tool leaves behind.
A read-only APFS local snapshot, mounted read-only. The source volume is never modified.
The snapshot is copied into a logical sparse image, sized to the data and optionally AES-256 encrypted.
High-value artifact modules are collected from the same frozen snapshot as hashed raw archives plus parsed output.
The complete set is hashed and rooted by a terminal anchor — integrity is verifiable later with standard tools.
Read-only snapshot, mounted read-only, copied into a logical image — the source is never touched.
A pre-collection scan flags files held off-device (consistent with iCloud "Optimize Mac Storage") before imaging.
The whole evidence set is hashed and rooted by a terminal anchor, so tampering with any piece is detectable.
Sequential phase bars, a live console, and an elapsed timer show exactly where the collection is — pre-check, imaging, triage, close-out, and E01 conversion — with the content-hash fixity pass reading the full image before the seal is written.
Annual license, configured evidence drives, and bring-your-own-drive support.