Each acquisition is inserted in a sequentially numbered folder (example: 00001, 00002, 00003,… 0000n) of the main folder with the name of the Case ID chosen by the user when starting the program.

ATTENTION: these folders must not be renamed otherwise the software cannot create subsequent folders and an error will be generated.

Each acquisition generates the following files:

Acquisition.log

is a log file that contains the list of all the operations performed with the FAW software with timestamp.

Acquisition.txt

it is a text file that contains all the references of the acquisition including the hashes of all the other files.

Acquisition.xml

is a file in Digital Forensics XML format that contains all the references of the acquisition.

Acquisition.zip

is an archive file that contains the files Aquisition.txt, Acquisition.xml, Checking.faw, Code.html and Image.png – these five files contain the essential information necessary to certify the acquisition of the web page.

Acquisition_{Case ID}_{acquisition nr.}.docx

is a file in Word format containing a report containing the files Aquisition.txt, Acquisition.xml, Checking.faw, Code.html and the screenshot images.
Note: this file is generated only if the “Generate MS WORD and PDF” item is checked in Configuration> Pro – Activity.

Acquisition_{Case ID}_{acquisition nr.}.pdf

is a file in PDF format containing a report with the files Aquisition.txt, Acquisition.xml, Checking.faw, Code.html and the images of the screenshot.
Note: this file is generated only if the “Generate MS WORD and PDF” item is checked in Configuration> Pro – Activity.

certClient.cer

is the SSL certificate of the client that made the request to the web page.

certServer.cer

is the SSL certificate of the web server hosting the web page.

Checking.faw

is the file that contains a control code that allows you to check if the Acquisition.txt and Acquisition.xml files have been altered.

Code.htm

is an html file that contains all the HTML code of the web page.

CodeFrame{nameframe}.htm

they are files that contain the HTML code of the frame {nameframe} if present.

Headers.txt

is a text file that contains the headers sent to the browser by the web page.

hosts

is the copy of the windows hosts file at the time of the acquisition of the web page; allows you to check whether at the time of acquisition there were mappings between hostnames and IP addresses.

Image.png

is the file that contains the image (screenshot) of the web page in 24bit png format.

Image{number}.png

if the file containing the image (screenshot) of the web page is higher than 20,000 px, the image is split into multiple files to which a progressive number is added.

screenCapture.wmv

is the video file of the screencast of the entire computer screen from the beginning of the acquisition to the end.

SystemLogEvents.txt

is the file in which all windows events occurred during the acquisition of the Web page are recorded.

Network_Dump_{mac-address-network-interface}.pcap

is the file that contains the dump of the network traffic that occurred during the acquisition of the Web page.

Folder Objects

the folder contains all the elements of the Web page acquired (images, documents, scripts, etc.) and numbered progressively with the format [nnnnn] filename.ext.

Folder ImagesA4

the folder contains the Image.png file (screenshot of the web page) cropped into multiple images with a base/height ratio of A4 format. These images are ideal for inclusion in reports to be printed.