Upon launching FAW, a starting window is displayed (Fig. 1) requiring the “Case ID”, that is, a code or reference number for the case the user is dealing with. Enter any alphanumeric characters (the maximum length of the code is 60 characters), or click [Auto] to generate a code based on the current date and time in ISO 8601 format.
The “Case ID” field is compulsory; a folder with the same name will be created where all data captures will be saved.

 


Fig. 1

 

The “Detective” field is optional and can be left empty; it is used to enter the name of the investigator who is performing the data capture. If the user has already performed previous data captures, further captures can be added by choosing the “Case ID” from the quick choice menu. At this point click [OK] to access the FAW main window (Fig. 2).

 


Fig. 2

 

At the first start FAW creates a folder named FAW in the user’s Documents folder. The FAW folder will contain all captures grouped in subfolders with the Case ID input by the user.

A folder named FAWConfiguration will also be created under Documents; it will contain the program configuration files.

At each start, FAW deletes its cache removing temporary files and cookies.

The program preferences can be set from the menu bar: the starting page, the folder in which to save the data captures, and the user-agent to be used. No user-agent is selected by default; FAW uses the user-agent of the Internet Explorer version currently installed on the user’s computer.

FAW has two operating modes, Browsing and Acquisition (Fig. 3), which can be activated by clicking the related button or by using the function keys F10 and F11.

 


Fig. 3

 

The Browsing mode sets FAW up as a standard browser and allows browsing among web pages using the traditional controls: address bar, forward/reverse keys, go, stop and refresh buttons.

Click the [Acquisition] button and FAW begins to capture the network traffic and saves the Windows events generated from this moment until the end of the acquisition; in this mode you can browse normally, log in, and perform any other operation until you reach the web page that you want to capture.

 

Acquisition Web page

When you open the web page to be acquired, you must press the [Set Capture Area] button (Fig. 4); this blocks navigation and the related controls, and you can then adjust the height of the yellow-bordered area, called the “Gold Box”, to acquire the entire web page.

 


Fig. 4

 

The Gold Box may be expanded downwards with the resize function by passing the mouse over it (Fig. 5); a vertical scroll bar will appear on the right of the Gold Box, and it should not be confused with the scroll bar of the web page.

 


Fig. 5

 

The Gold Box may be enlarged until it reaches the end of the web page or the point to be acquired. The acquisition area can be set both by adjusting the Gold Box height and by adjusting the scroll bar of the web page.

The basic concept for the graphic acquisition of a web page is: everything inside the Gold Box is acquired.

To start the acquisition of the web page click on [Acquire] – Fig. 6.

 


Fig. 6

 

FAW will start acquiring the image of the Web page, scrolling it, and then it will acquire the headers and the HTML code of the whole page (not only the selected area’s) and any objects on the page (if selected in the Configuration menu).

At the end of the operations, a window opens on the folder where the following files have been saved:

  • Acquisition.log
    is the file that contains the list of operations performed with the FAW software
  • Acquisition.txt
    is a text file that contains all the references of the acquisition
  • Acquisition.xml
    is a file in XML format that contains all the references of the acquisition in accordance with the DFXML standard
  • Checking.faw
    is the file that contains a control code that allows you to check whether the files Acquisition.txt and Acquisition.xml have been altered
  • Code.htm
    is an htm file that contains all the HTML code of the web page
  • CodeFrame{framename}.htm
    are files that contain the HTML of the frame {framename}, if present
  • Headers.txt
    is a text file that contains the headers sent to the browser from the web page
  • hosts
    is a copy of the Windows hosts file at the time of the web page acquisition
  • Image.png
    is the file that contains the image of the web page bounded by the Gold Box, in 24-bit PNG format
  • Image{number}.png
    are image files with cut-outs of the complete image of the web page, with aspect ratio 1.41, suitable for printing on a full A4 page
  • SystemLogEvents.txt
    is the file that records all Windows events occurring during the acquisition of the web page
  • screenCapture.wmv
    is the video file captured by VLC, recording the entire screen of the computer from the beginning to the end of the acquisition
  • Wireshark_{mac-address-network-interface}.pcap
    is the file generated by Wireshark with the network traffic that occurred during the acquisition of the web page
  • Folder Object
    is the folder that contains all the elements of the web page that were acquired, numbered consecutively with the format [nnnnn]filename.ext

Every acquisition is saved into a subfolder numbered with progressive numbers (e.g.: 0001, 0002, 0003, ….. 000n) of the folder with the Case ID name chosen by the user.

To make the web page acquisition valid for legal purposes, only the Check.txt can be digitally signed; it is also necessary to set a time mark to certify the acquisition date.

 

Storing data acquisition on FAW server

At the end of the acquisition FAW asks if you want to save the acquisition data on the FAW server; the data that will be saved are: checking code, acquisition start and end date, URL and the IP address of the client that made the acquisition.

If you choose to send this information, it will be stored in the FAW server database and will be available for on-line testing of the integrity of the acquisition.

 

Check integrity of the acquisition

You can check whether the files Acquisition.txt and Acquisition.xml have been altered with the function “Acquisition checking” in the menu “Checking” (Fig. 7).

 


Fig. 7

 

Check the acquisition locally

Open the Checking menu and click on “Acquisition checking” to open the window “Browse for Folder”, in which you select the folder that contains the acquisition you want to check; then click [OK], and the program checks the integrity of the two files Acquisition.txt and Acquisition.xml and shows the test result.

The verification function uses a proprietary algorithm that, at the end of the acquisition of the web page, generates a verification code that is saved in the file Checking.faw; this file must be present in the same folder as Acquisition.txt and Acquisition.xml when the acquisition is to be checked.
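
As an added example (not part of FAW or its documentation), the script below records a SHA-256 digest for every file in one acquisition folder and later reports files that were modified, removed or added, giving an independent record for the files the manual does not describe as covered by Checking.faw. The `EXPECTED` names come from the file list above; the `Object` subfolder name, the Case ID and all file contents are constructed assumptions.

```python
import hashlib
import tempfile
from pathlib import Path

# File names the manual lists for an acquisition folder (optional/variable ones omitted).
EXPECTED = ["Acquisition.log", "Acquisition.txt", "Acquisition.xml", "Checking.faw",
            "Code.htm", "Headers.txt", "hosts", "Image.png"]

def sha256_file(path, chunk=1 << 20):
    """Hash a file in chunks so large pcap/video files do not fill memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def build_manifest(acq_dir):
    """Map relative path -> SHA-256 for every file under one acquisition folder."""
    acq_dir = Path(acq_dir)
    return {p.relative_to(acq_dir).as_posix(): sha256_file(p)
            for p in sorted(acq_dir.rglob("*")) if p.is_file()}

def audit(acq_dir, manifest):
    """Compare the folder with a manifest that was stored outside the folder."""
    current = build_manifest(acq_dir)
    return {
        "missing_expected": [n for n in EXPECTED if n not in current],
        "modified": sorted(n for n in manifest
                           if n in current and current[n] != manifest[n]),
        "removed": sorted(n for n in manifest if n not in current),
        "added": sorted(n for n in current if n not in manifest),
    }

def demo():
    """Constructed sample: a fake acquisition folder 0001 with placeholder contents."""
    with tempfile.TemporaryDirectory() as tmp:
        acq = Path(tmp) / "CASE2024001" / "0001"      # constructed Case ID
        (acq / "Object").mkdir(parents=True)          # assumed subfolder name
        for name in EXPECTED:
            (acq / name).write_text("constructed sample: " + name)
        (acq / "Object" / "[00001]logo.png").write_bytes(b"constructed sample")
        manifest = build_manifest(acq)                # taken right after acquisition
        (acq / "Code.htm").write_text("altered after acquisition")
        (acq / "Headers.txt").unlink()
        return audit(acq, manifest)

if __name__ == "__main__":
    print(demo())
```
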

 

Check the acquisition online

If the acquisition data have been saved on the FAW server, you can verify the integrity of the files Acquisition.txt and Acquisition.xml by comparison with the data stored in the FAW database.

To do this, simply open the menu Checking and click on “Acquisition checking on line”; the test page will be displayed in your default browser.

The test page uses the https protocol to ensure the safety of the data provided by the user; on this page you upload the two files to be checked, Acquisition.txt and Acquisition.xml, and then click the button [Check]; the program checks the integrity of both files, certifying whether they have been altered. If the verification is successful, the same page shows the related acquisition data saved in the FAW server database.

This procedure is an additional tool for the expert to verify the integrity of the acquisitions performed with the software FAW.

 

Check data acquisition on FAW server

You can check whether data for a particular acquisition are present on the FAW server; to do this, open the menu Checking and click on “Verify the presence of acquisition on FAW server”; the search page will be displayed in your default browser.

On this page you only need to upload the file Checking.faw of an acquisition to determine whether the details of the acquisition have been saved in the FAW server database.

If the checking code in the file Checking.faw is present in the database, all the related acquisition data will be shown.

 

Send acquisition via e-mail

The program allows you to automatically send the acquisition you just made to an e-mail address; to avoid sending attachments that are too heavy, only the files Acquisition.txt, Acquisition.xml and Checking.faw are sent. Automatic sending via e-mail can also be used to send the acquisition to a certified mailbox (through your own e-mail client) and so certify the date of the acquisition.

In the menu Configuration > Preferences > Acquisition (Fig. 8) it is possible to decide whether or not to automatically send an e-mail at the end of the acquisition.

 


Fig. 8

 

The available options are:

  • Do not send email
    Disables the sending of e-mail
  • Send email with email client
    Sends the e-mail at the end of the acquisition using your default e-mail client
  • Send email with FAW
    The program sends an e-mail directly at the end of the acquisition; in this case you must enter the details of your e-mail account and the address of the recipient

If the e-mail is to be sent to a certified mail address, it must be sent via your own e-mail client, on which the certified e-mail account is configured.