Verify a capture

PageRecon includes various measures to provide a high level of confidence that the data captured was not manipulated before it reached the web browser, within the web browser or within the output files. These measures are detailed below:

Web Browser

PageRecon uses an embedded web browser for rendering web pages and taking screenshots:

  • The browser is an embedded version of Microsoft’s Edge (Chromium) web browser.
  • The browser receives automatic updates from Microsoft to ensure the latest version is in use.
  • The browser developer tools are disabled to prevent the user from modifying a web page within the browser.
  • The browser cache is disabled to ensure the latest version of a web page is always loaded.

Timestamps

PageRecon records the following timestamps:

  • Web page loaded
  • Capture started
  • Capture complete

Each timestamp is recorded using the local machine clock and an Internet Time Server. The timestamp from the time server is communicated via SSL and further encrypted, to reduce the possibility of the timestamp being modified using a man-in-the-middle attack.

Request Data

PageRecon records the response of every web request including:

  • The IP address the response came from
  • The HTTP headers of the response
  • The SSL certificate used for communication (if HTTPS is used)

If required, this data could be used to manually verify that the responses came from the expected web server and were not manipulated in transit.

File Hashes

The SHA256 hash of each file that is output by PageRecon is included in the PDF report. These hashes can be used to confirm that the output files have not been modified.

A custom hash of the PDF report is included in a separate file ('Report Hash.txt') and can be used to verify that the PDF report, and therefore the other file hashes, have not been modified.

The file hashes can be checked at the following page:
https://www.foxtonforensics.com/pagerecon/check-hash
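
The SHA256 comparison can also be done locally. The script below is an added example, not part of PageRecon: it re-hashes the files in a capture folder and compares them with the hashes transcribed from the PDF report. The file names and sample data are constructed, and the custom hash in 'Report Hash.txt' is not checked because its algorithm is not described here.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path, chunk_size=1 << 20):
    """Hash in chunks so large output files are never held in memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_outputs(folder, expected):
    """Return {file name: 'match' | 'mismatch' | 'missing' | 'unlisted'}."""
    folder = Path(folder)
    results = {}
    for name, reported in expected.items():
        path = folder / name
        if not path.is_file():
            results[name] = "missing"
            continue
        # Hashes copied out of a PDF often pick up spaces, line breaks or upper case.
        reported = "".join(reported.split()).lower()
        results[name] = "match" if sha256_file(path) == reported else "mismatch"
    # Files on disk that the report does not list are not covered by the SHA256 list.
    for path in folder.iterdir():
        if path.is_file() and path.name not in expected:
            results[path.name] = "unlisted"
    return results


def demo():
    """Constructed sample: hashes are recorded, then the folder is altered."""
    with tempfile.TemporaryDirectory() as tmp:
        folder = Path(tmp)
        (folder / "page.html").write_bytes(b"<html>captured</html>")
        (folder / "screenshot.png").write_bytes(b"constructed image bytes")
        expected = {p.name: sha256_file(p).upper() for p in folder.iterdir()}
        expected["headers.txt"] = "0" * 64  # listed in the report, absent on disk
        (folder / "screenshot.png").write_bytes(b"edited image bytes")
        (folder / "notes.txt").write_bytes(b"added later")
        return verify_outputs(folder, expected)


if __name__ == "__main__":
    for name, status in sorted(demo().items()):
        print(f"{status:9} {name}")
```

Any result other than "match" for a listed file means that file cannot be tied to the report. The PDF report and 'Report Hash.txt' will show as "unlisted" unless they are added to the expected list.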

Evidence Summary

Despite all reasonable steps being taken to ensure the integrity of the captured data, there always remains the theoretical possibility that the data generated with PageRecon could have been manipulated. As with any software, it is possible that the mechanisms used to secure the data are overcome, allowing someone to modify the data without detection. For this reason, the integrity of the data captured and presented is ultimately dependent on the integrity of the individual presenting that data.