FAW Tool Review - Part One

Forensic Acquisition of Websites (FAW) is a web browser built for the purpose of forensically acquiring an active website. FAW is a great tool for capturing publicly available information from social networking sites, or from any live internet site or page. Additionally, this tool provides a further method of forensically acquiring web data in the form in which it was viewed by the user.

FAW gives the investigator the ability to select specific areas of the webpage to acquire. The investigator can select either the entire page all at once or specific posts or frames of the page. FAW is even capable of acquiring videos streaming from JavaScript, Flash, and other plugins, as well as graphics and images. In addition to capturing the physical look of the page, FAW captures the HTML code of the webpage.

FAW automatically calculates the hash of the files that it is able to acquire. Additionally, FAW creates logs of all the actions that take place during the examination of a webpage. It also has the ability to handle multiple investigators on the same machine by setting up case folders, so that each case and capture is properly organized.

Our goal is to evaluate the tool and to answer the questions we have about it as examiners. We want to know exactly what data is captured, and whether the data is repeatable and accurate. We are also going to research other web artifact forensic tools and compare their capabilities. Finally, we want to research whether the browser type makes a difference in the data acquired.

Websites determine which browser is being used from the “user-agent” field that the browser sends with each request. If a user were to look at their school’s website in Microsoft’s Internet Explorer (IE), then go to the same webpage in Apple’s Safari, the webpage would look somewhat different because IE and Safari send different user-agents. FAW allows the investigator to select the user-agent, in order to mimic other browser types.

We will be acquiring three websites (Woot.com, Facebook.com, and lcdi.champlain.edu). For each website, we will set the FAW browser to mimic IE, Google Chrome, and Safari, and see if this produces any differences in the data collected.
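The effect this test is looking for can be reproduced offline. The following is an added example, not part of the original post and not FAW's own code: a constructed local site returns different markup depending on the user-agent, the same URL is fetched once per browser identity, and each capture is hashed with SHA-256. The `SniffingSite` handler, the shortened user-agent strings, and the stylesheet names are all assumptions made for illustration.

```python
import hashlib
import threading
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed, shortened User-Agent strings (illustrative; not FAW's presets).
USER_AGENTS = {
    "IE": "Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko",
    "Chrome": "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 Chrome/41.0 Safari/537.36",
    "Safari": "Mozilla/5.0 (Macintosh) AppleWebKit/600.5 Version/8.0 Safari/600.5",
}

class SniffingSite(BaseHTTPRequestHandler):
    """Constructed stand-in for a site that varies its markup by User-Agent."""
    def do_GET(self):
        ua = self.headers.get("User-Agent", "")
        css = "ie.css" if "Trident" in ua else "chrome.css" if "Chrome" in ua else "default.css"
        body = f"<html><link rel='stylesheet' href='{css}'><body>Hello</body></html>".encode()
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # silence per-request logging
        pass

def acquire_all():
    """Fetch the same URL once per User-Agent; return {browser: SHA-256 hex digest}."""
    server = HTTPServer(("127.0.0.1", 0), SniffingSite)  # port 0 = any free port
    threading.Thread(target=server.serve_forever, daemon=True).start()
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))  # ignore system proxies
    url = f"http://127.0.0.1:{server.server_port}/"
    digests = {}
    try:
        for name, ua in USER_AGENTS.items():
            req = urllib.request.Request(url, headers={"User-Agent": ua})
            with opener.open(req) as resp:
                digests[name] = hashlib.sha256(resp.read()).hexdigest()
    finally:
        server.shutdown()
        server.server_close()
    return digests

if __name__ == "__main__":
    for name, digest in acquire_all().items():
        print(f"{name:7} {digest}")
```

Three different digests for one URL mean that the user-agent used for an acquisition has to be recorded alongside the hash; a second run with the same user-agent should reproduce the same digest when the page content is static.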

-Nick Aspinwall