Technical features

ACQUISITION


Partial or total acquisition of web pages

The program can acquire a whole web page at full resolution, or just a part of it by quickly selecting the area. The side scroll bars and a horizontal cursor let you decide which area of the web page is to be analysed.

Acquisition of pages containing streaming videos

The application can analyse all pages containing streaming data. The software automatically acquires videos or pages with client-side effects (JavaScript, jQuery, Flash, etc.).

Acquisition of pages with frames

The program is also designed to work with web pages containing frames, i.e. sites composed of different sections that are independent of one another. The side scroll bars let you browse among the different frames and decide what has to be acquired.

Acquisition of all graphic elements

The software acquires any kind of image and supports the most common graphic formats.

Acquisition of tooltips

Using shortcuts (i.e. function keys), the application acquires the tooltips of web pages. A tooltip is a small “box” with additional information about an object, usually displayed when the pointer moves over it.

Acquisition of the HTML code of web pages

The program acquires the whole HTML code of the web page, even when it is composed of several frames, and saves the headers.

Automatic acquisition of all objects connected to the web page

You can acquire all file types, including images, files, documents, executables and scripts. References to all scanned files are placed in the file Acquisition.xml, which reports the original path and the control hashes. The acquisition of objects connected to the page is user-configurable from the menu Configuration > Linked Objects.

Integration with Wireshark

Wireshark is a network protocol analyzer widely used in network forensics. Its strength is flexibility: with its sorting and filtering rules, the investigator can quickly extract and analyze the data of interest from the recorded information. FAW uses Wireshark to capture all traffic on all active network interfaces during the acquisition of the web page, so the investigator can then analyze both the network traffic that passed in order to reach the web page and the behavior of the page itself. The integration provides a log file in pcap format that runs from the start of the acquisition to its end.

Storing acquisition data on a remote server

FAW lets you save the check data of acquisitions on a remote server, so that the expert can verify the integrity of acquisitions by comparing local data with the data stored on the server.

CONFIGURATION


Possibility to change user agent

The software can mimic different kinds of browsers. When Internet users visit a web site, a text string is usually sent to the server to identify the user agent. This is part of the HTTP request, with the prefix “User-agent” or “User-Agent”. It typically contains information such as the name of the client application, its version, the operating system and the language. The same page may be displayed differently depending on the user agent used.

Cases and acquisitions management

The application allows accurate and separate management of each case, divided by its acquisitions. A tree structure on the file system helps organise the detective’s work.

Multiuser (usable by different detectives)

The software profiles users separately, dedicating a separate area to each detective and successfully managing concurrent use.

FORENSICS


Automatic calculation of MD5 and SHA1 hashes of all acquired files

The application automatically calculates the MD5 and SHA1 hashes of all acquired files. Hash algorithms, particularly SHA1 and MD5, are widely used in IT forensics to validate and digitally sign acquired data, specifically forensic copies. Recent legislation imposes a chain of custody that preserves IT evidence against possible alteration after acquisition: hash codes make it possible to check at any moment that the evidence has remained unchanged over time. If the hash codes correspond, both parties in a judicial proceeding can be sure they are working on the same version, which guarantees uniform analysis and results. Hash codes are calculated by default by most forensic acquisition applications and attached to the saved forensic copies.
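
The hash check described above, as an added example that is not FAW's own code: it records the MD5 and SHA1 of every file in an acquisition folder, then re-verifies the folder and reports altered, missing and added files. The function names, the in-memory manifest layout and the sample files are assumptions constructed for illustration; the Acquisition.xml format and FAW's proprietary integrity algorithm are not reproduced.

```python
import hashlib
import tempfile
from pathlib import Path

def hash_file(path, chunk_size=65536):
    """Return (md5, sha1) hex digests of one file, read in chunks."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            md5.update(chunk)
            sha1.update(chunk)
    return md5.hexdigest(), sha1.hexdigest()

def build_manifest(root):
    """Map each file's path (relative to root) to its (md5, sha1) pair."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hash_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def verify(root, manifest):
    """Compare the folder with a stored manifest; both digests must match."""
    current = build_manifest(root)
    return {
        "altered": sorted(n for n in manifest if n in current and current[n] != manifest[n]),
        "missing": sorted(n for n in manifest if n not in current),
        "added": sorted(n for n in current if n not in manifest),
    }

def demo():
    """Constructed sample acquisition: hash it, change it, verify again."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "objects").mkdir()
        (root / "page.html").write_bytes(b"<html><body>sample</body></html>")
        (root / "objects" / "logo.png").write_bytes(b"\x89PNG constructed bytes")
        manifest = build_manifest(root)      # taken at acquisition time
        clean = verify(root, manifest)       # nothing changed yet
        (root / "page.html").write_bytes(b"<html><body>edited</body></html>")
        (root / "objects" / "logo.png").unlink()
        (root / "extra.js").write_bytes(b"console.log('x')")
        return clean, verify(root, manifest)

if __name__ == "__main__":
    clean, tampered = demo()
    print("clean:   ", clean)
    print("tampered:", tampered)
```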

Summary files for each acquisition

For each acquisition, the software generates a summary file with a detailed log of all operations performed, files created and times. It also certifies the author of the analysis by IP and unique identification of the machine.

Verifying the integrity of the acquisition

This function verifies the integrity of the acquisition, using a proprietary algorithm to check that none of the captured files has been altered.