WebCase Version 1.9b
Contents
1. 207 123 150 236 URL justnet org Who ls WHOIS Server whois pir org Organization LOCKHEED MARTIN ASPEN SYSTEMS CORPORATION Registrant Street 1 2277 Research Blvd GEO Locate Country United States Region 301 City Rockville Postallode 20850 AreaCode 3010 MACode 511 Longitude 77 1835 Latittude 39 0892 tal Save Window Info to Locker 10 12 13 14 15 16 17 Evaluation and Testing of WebCase 9 The Save Window Info to Locker feature was ac cessed to capture the information gathered The information was then hashed by WebCase and placed in the WebCase Evidence locker The Archive feature in the Collect Evidence Con trol Panel was selected to archive the www Justnet org web page The archived page was then saved as evidence and stored in the Web Case evidence locker The collected items window in the control panel window confirmed the page was saved The Start Video feature was selected to test the WebCase video recording and screen capture functions A 10 second video of the Justnet You Tube channel was captured from the homepage After capturing the video it was saved in Web Case in the flv format The Start Video feature was again selected to test the recording of an ongoing live chat session To simulate a chat session between an investigator and a suspect two Yahoo chat accounts were created After logging on to Yahoo the Start Re cording tab was accessed a2. adjust user settings for both Windows 7 and Windows Vista During the installation the WebCase software will install the following components on the investigation computer m WebCase software E Security dongle drivers E Vere software toolbar m Data Burner ActiveX Control m Zip compression tool m HASP run time drivers Following the instructions provided WebCase was installed successfully and the test computer was re started completing the installation process Initial Configuration After rebooting the computer the WebCase software must be configured and registered prior to initiat ing an investigation The investigator must have the Aladdin security dongle inserted into the investiga tive computer to enable the WebCase software If the security dongle is not inserted the following alert will be displayed s 4ASP SRM Protection Syste HASP key not found H0007 OK WebCase requires configuration by a WebCase administrator The administrator will create manage and configure settings for investigator profiles The point of contact for WebCase updates for the licens ing agency or individual must also be completed The default password provided for the administrator account may be changed once the administrator logs on The administrator selects the appropriate time zone and WebCase will sync with the National Institute of Standards and Technology NIST atomic clock enabling WebCase to accurately
3. are not available on this system Please check PR PORTS 012 03 6 10 42 0 log for log entries TCP UDP port usage at service start up 145 active ports found Port Local IP State TCP 135 0 0 0 0 LISTENING UDP 137 192 168 79 53 UDP 138 192 168 79 53 TCP 139 192 168 79 53 LISTENING TcP 445 0 0 0 0 LISTENING UDP 500 0 0 0 0 TCP 1521 0 0 0 0 LISTENING TCP 1521 192 168 79 53 ESTABLISHED UDP 1900 127 0 0 1 UDP 1900 192 168 79 53 TCP 1947 0 0 0 0 LISTENING UDP 1947 0 0 0 0 UDP 3702 0 0 0 0 UDP 3702 0 0 0 0 UDP 4500 0 0 0 0 TCP 4573 127 0 0 1 LISTENING TCP 4573 127 0 0 1 ESTABLISHED UDP 5060 0 0 0 0 UDP 5353 192 168 79 53 TCP 5354 127 0 0 1 LISTENING TCP 5354 127 0 0 1 ESTABLISHED UDP 5355 0 0 0 0 TCP 5357 0 0 0 0 LISTENING TCP 7123 127 0 0 1 LISTENING TCP 22350 0 0 0 0 LISTENING UDP 22350 0 0 0 0 TCP 27015 127 0 0 1 LISTENING TCP 27015 127 0 0 1 ESTABLISHED TCP 49152 0 0 0 0 LISTENING TCP 49153 0 0 0 0 LISTENING TCP 49154 0 0 0 0 LISTENING TcP 49155 0 0 0 0 LISTENING TCP 49157 192 168 79 53 ESTABLISHED TCP 49158 127 0 0 1 ESTABLISHED TCP 49160 192 168 79 53 CLOSE WAIT TCP 49161 127 0 0 1 ESTABLISHED TCP 49162 192 168 79 53 ESTABLISHED TCP 49163 127 0 0 1 ESTABLISHED TCP 49164 127 00 001 LISTENING TCP 49166 127 0 0 1 LISTENING TCP 49171 0 0 0 0 LISTENING TCP 49172 192 168 79 53 ESTABLISHED TCP 49173 0 0 0 0 LISTENING TCP 51102 192 168 79 53 TIME WAIT TCP 51103 192 168 79 53 TIME WAIT TCP 51104 192 168 79 53 TIME WA
4. display the date and time stamp associated with any investigation WebCase Version 1 9b 6 Test Bed Configuration As part of the configuration of the WebCase software the investigator is asked to select a hash algorithm which WebCase will use to secure and authenticate the evidence that is collected in the case The fol lowing hash algorithms are available to choose from MD5 SHA1 SHA256 SHA384 and SHA512 The default hash is MD5 and was used in this testing Upon completion of the administrator setup WebCase performs a system test to make sure all the compo nents were configured and work properly WEB When the WebCase software is properly installed and the testing has successfully completed the following notification screen will be displayed WEB Results CheckVideoEncoder OK a Status Testing CheckVideoEncod Results PASS1 threadtest flv cre Status Finished Testing CheckVic Results OK CheckVideoEncoder Status Finished Testing CheckVic Results OK CheckVideoEncoder t Status Testing Web Application P Note If the investigator is using a PC for the inves tigation an error message indicating the installation failed will display if the investigation computer is not configured with a microphone and audio device The WebCase user manual states that for the WebCase video function to work properly a microphone and speakers must be plugged into the investigative PC during WebCase installation and use A
5. simple USB headset with a microphone will suffice If using a laptop with a built in microphone as the investigating computer WebCase does not display the error message Results Unknown 2 1 2012 5 48 Status Finished Testing StopTCPI Results OK Succeeded Stop 2 1 Status Finished Testing StopTCPt Results CheckVideoEncoder OK Status Failed Testing CheckVidec Results Exception Attempted to Status Finished Testing CheckVic Administrative Configuration The WebCase Software includes a robust set of con figuration options Prior to using WebCase to conduct an investigation WebCase requires the administrator to create investigator accounts The administrator is able to manage and monitor all investigator accounts Once the administrator has configured the software the selected options are saved in the Administrators Panel When this step is completed the administrator has the option to assign investigators and begin an investigation or to log off of the WebCase software NLECTC Criminal Justice Electronic Crime Technology Center of Excellence Evaluation and Testing of WebCase 7 Evaluation and Testing of WebCase Testing Focus The following WebCase data collection preservation and presentation functions were tested m Key Logging of an Internet investigation activity m Archiving of a web page m Web page screen capture m Report generation m HTML Source code capture m Domain registration E Location
6. II Criminal Justice Electronic Crime Technology Center of Excellence WebCase Version 1 9b EVALUATION REPORT LECIC NIJ Criminal Justice Electronic Crime Technology Center of Excellence NIJ Electronic Crime Technology Center of Excellence 550 Marshall St Suite B Phillipsburg NJ 08865 www ECTCoE org NIJ ECTCOE TESTING AND EVALUATION PROJECT STAFF Robert J O Leary CFCE DFCP Donald Stewart CFCE ACE Victor Fay Wolfe Ph D Russell Yawn CFCE Randy Becker CFCE Kristen McCooey CCE ACE Chester Hosmer Jacob Fonseca Laurie Ann O Leary Mark Davis Ph D Michael Terminelli ACE Contents iii Table of Contents It ee D o e P P E E A E 1 A PA ARA 3 Beie ad o A A A 3 coo e PES ES UE O O A 3 Special Eesebuer 3 Ste EECHER 4 Hardware Minimum Requirements ainia liar 4 Test Bed CS Grit e a E 5 PSST AMANO VT AS permuta 5 Jet OH AMON een e E E Ay een 5 Administrative COmiQura vO E 6 Evaluation and Testing of WebCase Testing FOCUS uuu000auu000anu0nnnnnunnnnnnnnnnnunnnnnnnnnnnunnnnnunnannunnunnnnnununnnunnnnnnnnnn 7 Starting an E e e NEE T Test WebCase Standard Ee Et aan een 8 FR SIS PRE Anne o e 10 Test VIG es d E 12 ROSS taa 13 Test Evidence Integrity ee 13 a O A A e ro UP E E 13 Ho A A PR no 15 WebCase Version 1 9b Introduction he National Institute of Justice NIJ Electronic Crime Technology Center of Excellence ECTCoE has been assigned the respons
7. IT TCP 51105 192 168 79 53 TIME WAIT TCP 51106 192 168 79 53 TIME WAIT TCP 51107 192 168 79 53 TIME WAIT TCP 51108 192 168 79 53 TIME WAIT TCP 51109 192 168 79 53 TIME WAIT TCP 51110 192 168 79 53 TIME WAIT TCP 51111 192 168 79 53 TIME WAIT TCP 51112 192 168 79 53 TIME WAIT E WebArchive e ohoopporoRohoooopo 999 99 0 0 0 Ro oo 68 0 0 gt oo oo a 06000000 000 o CH omoooo lt 12 H k pa po pd pl pl pl ps PJ PS PS PS PAS AS AS A LA MA Ly Ly ly H MA HN Las 423 mote IP Port 0 0 0 79 53 49172 1 49161 1 49158 1 49163 79 83 445 1 5354 1 4573 1 27015 7 217 173 443 7 219 148 80 79 53 1521 150 ID 150 150 150 130 150 150 150 1350 150 236 236 236 236 236 236 236 236 236 236 236 WebCase captured the entire scrolling page of 443 443 443 443 443 443 443 443 443 443 443 Justnet org If the investigation computer is con nected to the Internet when the archived web page is viewed the hyperlink displays the current version of the website from the Internet and not the version archived in the WebCase report It is recommended that the investigation computer is disconnected from the Internet when viewing the WebCase report Evaluation and Testing of WebCase 1 1 Case Information Pont Thes Page Suspect Info justnet homepage Evidence Item 7 S Archive of Web Page Mitel 3 39 24 PM View A
8. ate solici tations are developed and grantees are selected through an open competitive peer reviewed Introduction 1 process After grants are awarded the grantee and the NIJ program manager then work collaboratively to develop the solutions m Phase IV Demonstrate test evaluate and adopt potential solutions into practice A potential solu tion is tested to determine how well it addresses the intended functional requirement NlJ then works with first adopting agencies to facilitate the intro duction of the solution into practice After adoption the solution s impact on practice is evaluated Dur ing the testing and evaluation process performance standards and guides are developed as appropri ate to ensure safety and effectiveness not all new solutions will require the publication of new stan dards or guides m Phase V Build capacity and conduct outreach to ensure that the new tool or technology benefits practitioners NIJ publishes guides and standards and provides technology assistance to second adopters The High Priority Criminal Justice Technology Needs are organized into five functional areas m Protecting the Public m Ensuring Officer Safety m Confirming the Guilty and Protecting the Innocent E Improving the Efficiency of Justice m Enabling Informed Decision Making The NIJ ECTCoE tool technology and training evalu ation and testing reports support the NIJ RDT amp E pro cess wh
9. don t have it the WebCase installer provides it during installation WebCase is compliant with Internet Explorer 6 7 and 8 Internet access 3 http veresoftware com index php page webcase system requirements is required to receive software updates and to capture active web pages WebCase can be used to record applications that do not require an Internet connection Hardware Minimum Requirements m An Intel based PC with a minimum of a Pentium 4 or equivalent processor m 100 MB of disk space m 1 GB of RAM E Currently WebCase does not support Apple OS E Currently WebCase only supports Internet Explorer 6 through 8 a NLECTC Criminal Justice Electronic Crime Technology Center of Excellence Test Bed Configuration 5 Test Bed Configuration The following is the system used for testing m Computer a Gateway Mid Tower PC Gateway Test PC 2 Hewlett Packard 64 bit a AMD Athlon II X 4 2 90 GHz 4 6 0 GB Ram installed a Operating system Microsoft Windows 7 Service pack 1 Home Edition Installation of WebCase Prior to installing the WebCase software the WebCase User Manual was downloaded and reviewed The 97 page manual is informative includes clear screen shots of the application and detailed descriptions of the installation process The installation instructions address configuration of antivirus software to allow the WebCase program and its components to access the Internet It also provides instructions to
10. ection Control Panel interface initiating the investigation WebCase Version 1 9b 8 Evaluation and Testing of WebCase When continuing an existing investigation WebCase 7 To start the key logging function of WebCase the will display the Open Existing Investigation window Start Logging tab was selected from the Web This window displays options for the investigator to Case Collect Evidence Control Panel The logging manage the investigation such as adding and editing display window confirmed the application was suspect information or an undercover identity These running Detailed descriptions of each of the func options are explained in detail in the WebCase User tions of the Evidence Control Panel are contained Manual in the WebCase User Manual Test WebCase Standard Operation SL SSS SOE SU le Logging Status The following steps were performed to test WebCase using the www justnet org website ices op Lamm The Start logging tab activates two separate func tions within WebCase a key logger and a TCP IP logger These features add a form of verification to the evidence collected during the investigation 3 Created a suspect named John Doe The key logger records the investigator s key strokes during the logged session Mouse move ments and clicks are not collected The TCP IP 1 Logged in as the administrator 2 Created a new investigator name Once created the administrator was logged off and t
11. he investi gator account was logged on 4 Created a new case named TEST 1 5 The default MD5 hash was selected for evidence OST as at dale ZEN via tne Internet E connection This function was tested by typing the verification following terms into the Bing search engine field 6 Selected Open Existing Investigation option and on the Internet Explorer Web browser selected the investigation named TEST 1 to start the evidence collection process at which time the WebCase Evidence Collection interface was displayed E Google com m 50 ways to m Espn m Hacking facebook m lt Backspace gt lt backspace gt lt backspace gt Note These are actual key presses of Back space on the keyboard 8 The WebCase Launch option was selected from the Collect Evidence Control Panel and the Inter net Explorer browser was selected from the drop down window Internet Explorer is the only Web browser that is compatible with WebCase at this time Internet Explorer opened up in the WebCase Control Panel NLECTC Criminal Justice Electronic Crime Technology Center of Excellence 9 The URL www Justnet org was typed in the address bar of Internet Explorer The Justnet org home page was displayed in the WebCase control Panel ca The Collect Evidence Control Panel was popu lated with the following information Window Caption Mational Law Enforcement and Corrections TCP IP Address
12. ibility of conducting electronic crime and digital evidence tool technology and training testing and evaluations in support of the NIJ Research Development Testing and Evaluation RDT amp E process The National Institute of Justice RDT amp E process helps ensure that NlJ s research portfolios are aligned to best address the technology needs of the criminal jus tice community The rigorous process has five phases m Phase I Determine technology needs princi pally in partnership with the Law Enforcement and Corrections Technology Advisory Council LECTAC and the appropiate Technology Work ing Group TWG NIJ identifies criminal justice practitioners functional requirements for new tools and technologies For more information on LECTAC and the TWGs visit http www justnet org m Phase Il Develop technology program plans to address those needs NIJ creates a multiyear research program to address the needs identified in Phase I One of the first steps is to determine whether products that meet those needs currently exist or whether they must be developed If a solu tion is already available Phases Il and III are not necessary and NIJ moves directly to demonstra tion testing and evaluation in Phase IV If solutions do not currently exist they are solicited through annual competitively awarded science and technol ogy solicitations and TWG members help review the applications m Phase Ill Develop solutions Appropri
13. ich addresses high priority needs for criminal justice technology National Institute of Justice High Priority Criminal Justice Technology Needs March 2009 NCJ 225375 WebCase Version 1 9b Overview FR urrent investigative methods for doing live _ online investigations are limited The Print Screen option shows only a web page not whether it was altered or even when it was collected and a manually written report can contain errors WebCase simplifies and streamlines the investigative process by including critical details in reports Product Information The following is taken from the Vere Software website the company that developed WebCase Online Investi gation Management Tool WebCase was designed by experienced law enforcement professionals to help you collect Internet information in a usable evidential reportable manner Built to manage the cases you initiate The WebCase software is list priced at 995 per licensed dongle Included is the security dongle along with a CD that contains the soft ware a user manual reference material and videos on using the WebCase software There are no renewal fees once you purchase the software and there are multiple user options with a single license Product Description The following was taken from the Vere Software website The investigator utilizes the evidence collec tion console to record and manage online investigative activity The saved data is ha
14. information of the Internet Protocol Address m Capture a video recording of a web page chat conversation m Attaching a file to the case m Logging and securing evidence collected in the case Starting an Investigation To start an investigation using WebCase the investiga tor selects the WebCase Icon 1 The log on screen will appear 2 The login ID field lists the investigator accounts previously created by the WebCase administrator Login to WebCase sch ENE EEE Joan im Password ol QuitExit 3 Inthe Investigation Management window select ing the New Investigation displays the following window Create A New Investigation WEB gt Collect Evidence Control Panel Case Name Investigation Management e Casco New Investigation Choose Identity Open Existing Investigation Generate Evidence Report Add Undercover Identity Edit Undercover Identities Add Global Suspects Edit Global Suspects Logout WebCase 4 The investigator fills in the information for the case name an undercover identity if required the suspect s involved and a description of the case Evidence Verification Options such as hash algo rithm or Video Recording may also be adjusted 5 Once the case options are configured evidence can be collected Selecting the Save option saves the case data Selecting the Start Evidence Collection option opens the WebCase Evidence Coll
15. nd a chat session was recorded The Start Video Screen Capture feature was se lected again to test the WebCase screen capture capability The Justnet org website homepage was captured and saved into the WebCase evi dence locker The HTML feature was selected to collect the HTML data of the Justnet org website This infor mation was then saved to the WebCase evidence locker The Thumbnail feature was selected to capture a thumbnail image of the Justnet org homepage The evidence was then saved in the WebCase evidence locker WebCase offers the feature of adding files to the case Selecting Attach File displays a window to navigate to the file to be added An image name wave4w jpg in the pictures folder was selected WebCase Version 1 9b 10 Evaluation and Testing of WebCase WebCase hashed the file and confirmed it was saved in the collected items window 18 After collecting the evidence and confirming it was listed in the Collected Items window the Done op tion was selected closing the current investigation 19 In the Investigation Management Window the Generate Report option was selected and case items were displayed At this step items can be selected and added to the report 20 The Build Report option was selected and Web Case generated an HTML report The WebCase report is HTML based and the user must permit the Active X controls and allow blocked content in Internet Explorer for the repor
16. ndows Internet EHE CaProgram Files 686 WebCase VereWlorkingfolder VereReport items iteml web htm v x 2 veresoftware Customized Web Search 2 dr Favorites de Suggested Sites v E Ebay v EI HP See What s Hot EI HP Games v EI Web Slice Gallery y Vere Software Webcase Evidence Report Item 14 M E gt El dm y Pager Safetyy Tock y amp To help protect your security Internet Explorer has restricted this webpage from running scripts or ActiveX controls that could access your computer Click here for options x Attached Filename thread14 jpg Comments justnet homepage WebCase Make The Internet Your Regular Beat WebCase Version 1 9b 12 Evaluation and Testing of WebCase EH HTML Capture m Attached File WebCase successfully captured the HTML code for The Attached Image file wave4w jpg was accessed the Justnet org website and displayed the informa in the WebCase report The file was correctly at tion in text format tached to the report and displayed properly Test Evidence Integrity WebCase secures the evidence collected by using a date and time via the atomic clock at NIST The evi dence gathered in each investigation is date and time stamped at the time it is captured and then hashed using the algorithm that was selected by the investiga tor in the WebCase set up procedure The evidence is then stored in a container and cannot be accessed by normal mea
17. ns WebCase also copies files to an Evidence Locker folder so that individual files can be E Whois Information and Domain registration i viewed by the investigator The following steps were information er performed to verify that WebCase maintains the integ WebCase displays the domain registration infor rity of the evidence gathered mation in text format and confirmed that the URL address for Justnet org is registered to LOCKHEED MARTIN ASPEN SYSTEMS CORPORATION WebCase also supplies the phone number street The file to be tested for integrity is an image file named wave4w jpg which was attached to the case earlier in the testing process The following procedure was W conducted to determine if the integrity of the collected address and e mail information for the registrant l l WO l l i evidence is maintained when accessing the Evidence from the Whois database entry Locker folder vr Favorin en ye Suggested Stes E Ebey E HP See What s Hot gt E HP Games ge Web Slice Gallery en CS EE 1 Accessed the Evidence Locker folder 2 Opened the image file named wave4w jpg with Windows Live Photo Gallery 3 Inverted the image using the editing function and saved it back to the Evidence Locker folder leav ing the same file name 4 Closed all open folders and launched the Web Case software NLECTC Criminal Justice Electronic Crime Technology Center of Excellence 5 Generated the evidence repo
18. rchive of Web Page MAONI 3 46 02 PM Collected Date Time UTC 3 6 2012 3 40 20 PM Wen Paot Arcmive Collected Date Time EST Eastern US 3 6 2012 10 40 20 AM EE e Gah IP Address 207 123 150 236 Item 4 tst 4 Source URL justnet org VII A PM Hash Type Hash Value MDS fc814ac591c3 c3831119115 5524661 VIRIL 4 15 25 PM Item 6 justnet Attached Filename tem7web mht homepage Comments Copy of WebPage senm sanior WebCase Make The Internet Your Regular Beat Item 7 justnet homepage 16 2012 3 40 20 PM Item 8 justnet homepage EL ZIERT ET PM Item 9 justnet homepage 36 2012 4149 PM 1 6 2012 3 41 68 PM Initial m Video Capture The video capture feature of WebCase successfully captured the video selected from the Justnet org homepage and successfully captured the chat session m Screen Capture The WebCase report showed that the screen cap ture was successful in capturing a scrolling jpeg image of the Justnet org home page and Corre cr 3 3 1 2012 4 18 28 PM homepage 3 6 2012 3 39 10 PM Item 7 justnet homepage 36 2012 3 40 20 PM Item 8 justnet NODO O 3 6 2012 3 41 02 PM 3 Alaska SMCC SATB COEs NLECTC National 3 6 2012 3 41 49 PM NLECTC National plays a ke VereSoftware Web Site About Us Contact Us E Thumbnail Image Capture WebCase successfully captured a thumbnail image of the Justnet org homepage E Vere Software Webcase Evidence Report Item 14 Viewer Wi
19. rt for the case 6 Opened the case report and accessed the evi dence image item wave4w jpg Results It was confirmed that the evidence image item wave4w jpg did retain its original properties and no manipulation of the photo was detected The hash values in the WebCase report confirmed that the at tached file was not altered Test Evidence Integrity 2 The following steps were performed to ensure that WebCase did not use the files from the Evidence Locker Folder Evaluation and Testing of WebCase 13 1 Accessed the Evidence Locker folder 2 Deleted file named wave4w jpg from the evidence locker folder 3 Closed all open folders and launched the Web Case software 4 Generated the evidence report for the case 5 Opened the case report and accessed the evi dence image item wave4w jpg Results It was confirmed that the evidence image item wave4w jpg was properly displayed in the report and the hash value confirmed that the image wave4w jpg was not altered WebCase Version 1 9b Conclusion he tested features of the WebCase Online Fo rensic Tool performed as advertised in the Web Case documentation and website The software is designed to capture online chat conversations web pages and social networking sites as they appeared at the time an investigator viewed them WebCase uses a hash algorithm to ensure the integrity of evidence collected in a case The installation and use of the software is
20. shed and stored in a secure environment within the http veresoftware com index php page webcase Overview tool Reports based on the collected evidence can then be printed or published to CD DVD for distribution WebCase enables its users to search for collect preserve and report any and all online data including m Web captures m Video recordings m TCIP IP collection m Image capture m Attached files m Keystroke logging m Automatic domain lookups m Automatic Geo location of IP addresses Special Features The following list of special features was taken from the product website m Simplify the online evidence collection process m Aid the investigator to preserve online evidence m Provide for the proper collection of legal defensible evidence E Offer complete undercover identity and suspect information control m Provide reports in a usable understandable format m Full screen capture m HTML capture WebCase Version 1 9b EEEE I ae Overview E 64 bit compatibility m Supports Windows Operating Systems XP to Win dows 7 and Internet Explorer 6 through 8 System Requirements The following system requirements are taken from the WebCase web page WebCase currently operates only on Micro softe Windows operating system versions XP Vista and Win 7 Microsoft 32 bit and 64 bit systems The software requires Microsoft NET version 2 0 framework or later If you
21. simple A seasoned investigator most likely would not require Conclusion 15 training for the operation of WebCase If needed the developer offers training opportunities and an online eLearning page containing instructional videos on the operation of the software The multiuser capabilities with a single license are a valuable feature for an agency with multiple investiga tors enabling both joint and independent investiga tions The WebCase program generates an easy to read HTML report that can be copied to CD DVD or other media WebCase Version 1 9b
22. t to display properly Review and Generate Evidence Report i To Copy Report To Another Location TA View Evidence Filename List Burner Status Nat Ready Case Number 1 03 01 2012 Name t The initial WebCase Report HTML page opens in the default Web browser and displays the details of the investigation including the case and Inves tigator information and the evidence collected during the case The Evidence list identifies the date and time the evidence was collected 7 Case Specific Details Case Number 1 Case Name Test Case 1 Investigator Information Test case 1 HERE Michael Terminelli Start Date 2 29 2012 4 07 51 PM Se Evidence Items 15 UIC Identity Suspect Website website Last Collection 2 29 2012 5 41 57 PM Phone 800 540 3352 Fax Email mterminelli ectcoe org Mail Address 550 Marshall Street Phillipsburg NJ 08865 WebCase Make The Internet Your Regular Beat Selecting an evidence item displays the information associated with that evidence item including the date and time the evidence was collected the name assigned to the evidence a link to open and view the evidence and the hash value WebCase generated for that piece of evidence sl V Q veresoftware Customized Web Search He Favorites ig Suggested Sites y E Ebay v E HP See What s Hot y 8 HP Games v E Web Slice Gallery EA fh gt B 7 ah Pager Safet
23. yw Tools Or amp Vere Software Webcase Evidence Report Print This Page cae test Evidence Item 1 Item 1 test _ Video of Web Activity View Video of Web Activity Collected Date Time UTC 3 1 2012 3 47 53 PM Collected Date Time EST Eastern US 3 1 2012 10 47 53 AM Hash Type Hash Value MD5 5a79395e6defce2159b72b170e19fb0d WebCase Make The Internet Your Regular Beat VereSoftware Web Site i Computer Protected Mode Off Results The report was used to verify each individual section of this test The following is a list of those results E Key Logging After opening the key log evidence item it was con firmed that WebCase captured the key strokes used in the investigation 7 thread1 log Notepad lela File Edit Format View Help google com SE to espn hacking faceb backspace nnibackspace ibackspace key log ey log m TCP IP The TCP IP reports confirmed that all the ports were working properly on the investigation computer and were accessing the website that was under investi gation WebCase displays this information in a text format NLECTC Criminal Justice Electronic Crime Technology Center of Excellence Gi tedi tiog Notepad nn nn a File Edit Format View Help Port Reporter Version 1 01 Log File Service initialization log System Date Tue Mar 06 10 42 00 2012 Local computer name MICHAEL TERMINEL Port to process mappings
Download Pdf Manuals
Related Search