Black Box
A tamper-evident activity recorder for your Windows machine.
Black Box is a forensic-grade activity recorder for Windows. It runs as a quiet system service and captures every USB connection, file open, login event, and process start with its full command line, plus PowerShell execution via Event Tracing for Windows (ETW), critical registry key changes, and browser window titles. Each record is appended to a SHA-256 hash chain, so a later edit to any entry invalidates every hash after it and is detectable when the chain is checked. When your device leaves your hands, you get back a verifiable record of what happened.
[Dashboard summary: session A3F2-9C1A-4F0B, 1,284 events, integrity 100%, encryption AES-256, watchdog active]
[Dashboard panels: USB devices observed, 2 unique drives, 5.0 GB moved; SHA-256 hash chain, 6 of 1,284 blocks shown; watchdog active (self-healing monitor) over four monitored components, three at 31d uptime with 0 restarts and one at 12h 45m uptime with 1 restart]
[14:31:08] WATCHDOG_RESTART_LOGGED
USB Watcher process_id=4892 stopped unexpectedly
elapsed_until_restart_ms=4720
action=process_relaunched verify=ok
chain_entry_written hash=8a02f1 prev=c54bd7
integrity_unbroken
[Forensic report panel, signed PDF: session A3F2-9C1A-4F0B, 1,284 events, duration 47 min, integrity 100%]
# report.pdf — manifest excerpt
session_id A3F2-9C1A-4F0B
chain_root 0xb24a91...e8d2
events 1284 (CRIT 1, HIGH 2, INFO 1281)
integrity sha256_chain unbroken
watchdog 1 restart logged inline
shadow_copy aes-256-gcm verified
signature pkcs7_signed_data ok
verify offline: blackbox-verify report.pdf
Under the hood.
The cryptographic primitives forensic teams already trust.
Black Box is built on industry-standard primitives rather than novel cryptography: a SHA-256 hash chain over the event log, an AES-256-GCM encrypted shadow copy, and PBKDF2 to derive the key from the user's PIN. Standard parts, assembled into a tamper-evident whole.
- Windows Service (BlackBoxSvc, low-privilege account)
- Event Tracing for Windows (ETW) at kernel level
- AES-256-CBC / GCM encrypted shadow copy
- PBKDF2 PIN derivation
- SHA-256 hash chain with anchor files
Tampering is mathematically forced to leave a mark.
Each entry in the hash chain commits to the hash of the entry before it, so an attacker cannot edit one row without recomputing every hash after it; and a tail that has been recomputed no longer matches the anchor files or the chain root recorded in the signed report, so the rewrite shows up as soon as the chain is checked against them. The encrypted shadow copy means the primary log cannot be quietly deleted, because the copy still holds the events. The watchdog means killing a component is itself recorded: the relaunch is written into the chain as an event. Three independent mechanisms, each of which turns interference into evidence.
- Hash chain breaks visibly if any row is altered
- Shadow copy survives primary-log deletion
- Watchdog restarts and logs the interruption
- Anchor files cross-validate independently
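The hash chain and anchor check described above, as an added example in Python that is not Black Box's own code or on-disk format: the event records, the all-zero genesis value, and the field names are constructed for illustration. It builds a chain over a few constructed events (including a watchdog restart entry like the one in the log excerpt above), shows that editing one row breaks verification at that row, and then shows the case the anchor files and the report's chain_root exist for: an attacker with write access recomputes the whole tail, the chain verifies internally again, and only a comparison against a root stored out of the attacker's reach catches it.

```python
"""Toy SHA-256 hash chain: build, verify, tamper, and anchor-check.

Added example, not Black Box's implementation. The record layout and the
genesis constant are assumptions made for this demonstration only.
"""
import copy
import hashlib
import json
from typing import Dict, List, Optional, Tuple

# Assumed convention: the first entry links back to an all-zero prev hash.
GENESIS = "0" * 64

# Constructed sample events, in the spirit of what the page says is recorded.
SAMPLE_EVENTS: List[Dict] = [
    {"ts": "2024-03-01T14:02:11Z", "type": "LOGIN", "user": "tech01"},
    {"ts": "2024-03-01T14:05:43Z", "type": "PROCESS_START",
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c dir"},
    {"ts": "2024-03-01T14:09:02Z", "type": "USB_CONNECT",
     "serial": "0A1B2C3D", "bytes_moved": 5_000_000_000},
    {"ts": "2024-03-01T14:31:08Z", "type": "WATCHDOG_RESTART",
     "component": "USB Watcher", "elapsed_ms": 4720},
    {"ts": "2024-03-01T14:35:19Z", "type": "FILE_OPEN",
     "path": r"D:\Diagnostics\report.log"},
]


def block_hash(prev_hash: str, event: Dict) -> str:
    """SHA-256 over the previous hash and the canonical JSON of the event.

    Sorted keys and no whitespace make the hash independent of how the
    record is later re-serialised; otherwise a harmless reformat would
    look like tampering.
    """
    payload = json.dumps(event, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(prev_hash.encode() + b"\n" + payload).hexdigest()


def build_chain(events: List[Dict]) -> List[Dict]:
    """Append events in order; each block stores prev link, own hash, event."""
    chain, prev = [], GENESIS
    for ev in events:
        h = block_hash(prev, ev)
        chain.append({"prev": prev, "hash": h, "event": ev})
        prev = h
    return chain


def chain_root(chain: List[Dict]) -> str:
    """Hash of the last block: what a signed report or anchor file records."""
    return chain[-1]["hash"] if chain else GENESIS


def verify_chain(chain: List[Dict], anchor_root: Optional[str] = None) -> Tuple[bool, int]:
    """Return (ok, index of first bad block).

    Internal check: every prev link matches and every hash recomputes.
    Anchor check: the final hash equals a root the attacker could not write.
    An index equal to len(chain) means the links are fine but the anchor
    does not match (a rewritten or truncated tail).
    """
    prev = GENESIS
    for i, blk in enumerate(chain):
        if blk["prev"] != prev or block_hash(prev, blk["event"]) != blk["hash"]:
            return False, i
        prev = blk["hash"]
    if anchor_root is not None and prev != anchor_root:
        return False, len(chain)
    return True, -1


def tamper_row(chain: List[Dict], index: int, changes: Dict) -> List[Dict]:
    """Attacker edits one event but leaves the stored hashes untouched."""
    forged = copy.deepcopy(chain)
    forged[index]["event"].update(changes)
    return forged


def rechain_from(chain: List[Dict], index: int) -> List[Dict]:
    """Attacker with write access recomputes every hash from `index` on.

    The result is internally consistent again; only an external anchor
    (or the shadow copy / anchor files) can reveal it.
    """
    forged = copy.deepcopy(chain)
    prev = forged[index]["prev"]
    for blk in forged[index:]:
        blk["prev"] = prev
        blk["hash"] = block_hash(prev, blk["event"])
        prev = blk["hash"]
    return forged


if __name__ == "__main__":
    honest = build_chain(SAMPLE_EVENTS)
    root = chain_root(honest)  # imagine this recorded in the signed report
    print("honest chain, with anchor:       ", verify_chain(honest, root))
    edited = tamper_row(honest, 2, {"bytes_moved": 0})
    print("one row edited, no anchor:       ", verify_chain(edited))
    rewritten = rechain_from(edited, 2)
    print("tail rewritten, no anchor:       ", verify_chain(rewritten))
    print("tail rewritten, with anchor:     ", verify_chain(rewritten, root))
```

Run it directly to print the four verification results. The third line is the one that matters: a fully recomputed tail passes the internal check, which is why the root has to live somewhere the attacker cannot write, such as the chain_root in the signed report, and why the anchor files are listed as an independent check rather than a convenience.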
A laptop sent for repair, with proof of what happened.
You install Black Box, hand the laptop to the service centre, and pick it up two days later. You generate the forensic report and see one technician login, four file opens (all in the diagnostic folder), no USB devices attached, and no new processes: a verifiable record that nothing else happened. Had the report instead shown a USB stick arriving and the user-photos folder being read, you would hold evidence the law cares about.
Free for individuals, forever. The 2.9 MB installer ships signed, runs offline, and produces verifiable evidence on day one.