How it works

Freeze the moment. Log every step. Seal the result.

Spectra MacCollect takes a read-only APFS local snapshot of the subject's data volume and mounts it read-only, so the collection is a consistent point-in-time view rather than a moving target — and the source is never written to. It then copies that snapshot into a logical image and, when requested, collects artifacts for triage from the same frozen snapshot.

Snapshot

A read-only APFS local snapshot is taken and mounted read-only. The collection reflects one consistent moment, and the source volume is never modified.

Image

The snapshot is copied into a logical sparse image, sized to the data rather than the whole drive, and optionally encrypted with AES-256 at rest.

Triage

High-value macOS artifact categories are collected from the same frozen snapshot, preserved as hashed raw archives plus parsed, human-readable output.

Seal

The complete evidence set is hashed into an integrity manifest and rooted by a terminal anchor — so any later change to a log, an artifact, or the image is detectable with a single verification.

Provenance

Every action through one chokepoint

Every action the tool takes runs through a single audit chokepoint that records the intent, the exact command, the exit code, the duration, and the output — into an acquisition log, a full transcript, and a structured action log. "What did the tool do, and in what order" has a precise answer rather than a reconstruction.

The tool also captures its own cryptographic hash — proving exactly which version executed — along with the subject system's identity and clock, the macOS version, and the storage device details. And it refuses to write evidence onto the subject's own disk or the device being imaged.

The real interface

Choose a mode, then watch it run

[Screenshot: Choose a collection mode]

[Screenshot: Collection in progress]

The seal — and its limits

Verifiable with standard tools, honest about scope

When the collection finishes, the entire evidence set is hashed and rooted by a terminal anchor, so the integrity of every log, artifact, and the image can be demonstrated — not asserted — under a standard verification command.
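
A minimal sketch of the sealing idea described above, as an added example that is not Spectra MacCollect's code or file format: every file is hashed into a manifest, and the hash of the manifest acts as the anchor. The manifest name, the "digest, two spaces, relative path" line layout, and the sample files are assumptions constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

MANIFEST = "MANIFEST.sha256"  # hypothetical name, not the product's

def sha256_file(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()  # demo only; stream large images

def evidence_files(root: Path) -> list[str]:
    """Relative paths of every file under root except the manifest itself."""
    rels = (p.relative_to(root).as_posix() for p in root.rglob("*") if p.is_file())
    return sorted(r for r in rels if r != MANIFEST)

def seal(root: Path) -> str:
    """Hash every file into the manifest; return the anchor (hash of the manifest)."""
    lines = [f"{sha256_file(root / r)}  {r}\n" for r in evidence_files(root)]
    (root / MANIFEST).write_text("".join(lines))
    return sha256_file(root / MANIFEST)

def verify(root: Path, anchor: str) -> list[str]:
    """Return a sorted list of problems; an empty list means the set is intact."""
    if sha256_file(root / MANIFEST) != anchor:
        return ["manifest does not match anchor"]
    problems, listed = [], set()
    for line in (root / MANIFEST).read_text().splitlines():
        digest, rel = line.split("  ", 1)
        listed.add(rel)
        if not (root / rel).is_file():
            problems.append(f"missing: {rel}")
        elif sha256_file(root / rel) != digest:
            problems.append(f"modified: {rel}")
    # Files added after sealing are not in the manifest, so check for them too.
    problems += [f"unlisted: {r}" for r in evidence_files(root) if r not in listed]
    return sorted(problems)

def demo() -> tuple[list[str], list[str]]:
    """Seal a constructed evidence set, then edit a log and verify again."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "logs").mkdir()
        (root / "logs" / "acquisition.log").write_text("constructed sample log\n")
        (root / "image.sparseimage").write_bytes(b"constructed sample bytes")
        anchor = seal(root)
        clean = verify(root, anchor)
        (root / "logs" / "acquisition.log").write_text("edited after sealing\n")
        return clean, verify(root, anchor)

if __name__ == "__main__":
    print(demo())
```

The anchor only proves integrity if it is recorded somewhere the evidence holder cannot rewrite, such as a signed report or a separate custody record.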

A live logical collection always leaves some files uncaptured — off-device, permission-protected, or locked. Spectra MacCollect documents those rather than hiding them. It does not recover unallocated space, deleted-but-not-overwritten data, or drive slack; it is a logical capture of live, accessible data.
