Each acquisition is stored in a sequentially numbered folder (for example: 00001, 00002, 00003, … 0000n) inside the main folder, which is named after the Case ID chosen by the user when starting the program.

ATTENTION: these folders must not be renamed, otherwise the software cannot create subsequent folders and an error will be generated.

Each acquisition generates the following files:

Acquisition.log

is a log file that contains the list of all the operations performed with the FAW software, with timestamps.

Acquisition.txt

is a text file that contains all the references of the acquisition, including the hashes of all the other files.

Acquisition.xml

is a file in Digital Forensics XML format that contains all the references of the acquisition.

Acquisition.zip

is an archive file that contains the files Acquisition.txt, Acquisition.xml, Checking.faw, Code.html and Image.png. These five files contain the essential information necessary to certify the acquisition of the web page.

Acquisition_{Case ID}_{acquisition nr.}.docx

is a file in Word format containing a report with the files Acquisition.txt, Acquisition.xml, Checking.faw, Code.html and the screenshot images.
Note: this file is generated only if the “Generate MS WORD and PDF” item is checked in Configuration > Pro – Activity.

Acquisition_{Case ID}_{acquisition nr.}.pdf

is a file in PDF format containing a report with the files Acquisition.txt, Acquisition.xml, Checking.faw, Code.html and the screenshot images.
Note: this file is generated only if the “Generate MS WORD and PDF” item is checked in Configuration > Pro – Activity.

certClient.cer

is the SSL certificate of the client that made the request to the web page.

certServer.cer

is the SSL certificate of the web server hosting the web page.

Checking.faw

is the file that contains a control code that allows you to check if the Acquisition.txt and Acquisition.xml files have been altered.

Code.html

is an HTML file that contains all the HTML code of the web page.

CodeFrame{nameframe}.htm

are files that contain the HTML code of the frame {nameframe}, if present.

Sslkeylog.log

contains all the cryptographic keys exchanged while browsing websites over the SSL protocol.

Headers.txt

is a text file that contains the headers sent to the browser by the web page.

hosts

is a copy of the Windows hosts file at the time of the acquisition of the web page; it allows you to check whether, at the time of acquisition, there were mappings between hostnames and IP addresses.
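
The check described above can be scripted. The following is an added example, not part of FAW or its documentation: it parses a copied hosts file in the standard hosts syntax and reports the mappings that were active for a given host name. The sample content and the function names are constructed for illustration.

```python
import ipaddress

# Constructed sample of a copied "hosts" file (not from a real acquisition).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
#   127.0.0.1       localhost
127.0.0.1      localhost
::1            localhost
203.0.113.10   www.example.com example.com   # constructed override
0.0.0.0        ads.example.net
not-an-ip      broken.example.org
"""

def _norm(name):
    """Host names are case-insensitive; ignore a trailing root dot."""
    return name.lower().rstrip(".")

def parse_hosts(text):
    """Return (mappings, malformed): active (ip, host) pairs and unparsable lines."""
    mappings, malformed = [], []
    for lineno, raw in enumerate(text.lstrip("\ufeff").splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # comments are inactive
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            malformed.append((lineno, raw))      # keep for the examiner's notes
            continue
        if len(fields) < 2:                      # address without any host name
            malformed.append((lineno, raw))
            continue
        mappings.extend((str(ip), _norm(name)) for name in fields[1:])
    return mappings, malformed

def overrides_for(mappings, acquired_host):
    """IP addresses the hosts file forced for the acquired host (exact match only)."""
    return [ip for ip, name in mappings if name == _norm(acquired_host)]

def non_default(mappings):
    """Every mapping other than the usual localhost entries."""
    return [(ip, name) for ip, name in mappings if name != "localhost"]

if __name__ == "__main__":
    found, bad = parse_hosts(SAMPLE_HOSTS)
    print("overrides for www.example.com:", overrides_for(found, "www.example.com"))
    print("non-default mappings:", non_default(found))
    print("malformed lines:", bad)
```

An empty result from `overrides_for` means the hosts file did not redirect the acquired host name; any address it returns should be compared with the addresses seen in the network dump.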

FAWCA.dll

is the file that the software uses to verify the integrity of the acquisitions.

Image.png

is the file that contains the image (screenshot) of the web page in 24-bit PNG format.

Image{number}.png

if the image (screenshot) of the web page is more than 20,000 px high, it is split into multiple files, to which a progressive number is added.

screenCapture.wmv

is the video file of the screencast of the entire computer screen from the beginning of the acquisition to the end.

SystemLogEvents.txt

is the file in which all Windows events that occurred during the acquisition of the web page are recorded.

Network_Dump_{mac-address-network-interface}.pcap

is the file that contains the dump of the network traffic that occurred during the acquisition of the web page.

Folder Objects

the folder contains all the elements of the acquired web page (images, documents, scripts, etc.), numbered progressively with the format [nnnnn] filename.ext.

Folder ImagesA4

the folder contains the Image.png file (screenshot of the web page) cropped into multiple images with the base/height ratio of the A4 format. These images are ideal for inclusion in reports to be printed.

FAW uses three types of browsers to acquire web pages. Depending on which browser is used, more or fewer types of files may be acquired; the following table shows the functionality of each browser.

 

[table id=1 /]