We recently released PageRecon, a new tool for capturing and preserving web pages as forensically-defensible evidence.

How does PageRecon work?
PageRecon is a Windows app that features an embedded version of the Chromium web browser. The user simply navigates to the desired web page and clicks the 'Capture' button.

PageRecon will then automatically perform the following:
  • Record the timestamp of when the web page was loaded and when the capture started/completed
  • Record the details of every HTTP request made by the web browser
  • Record a full-page screenshot of the web page as it appears in the browser
  • Record the MHTML archive of the web page
  • Extract Exif/IPTC metadata from all images
  • Record the SHA256 hash of every output file
  • Generate a PDF report containing all relevant data and screenshots

Since the web browser is built-in to PageRecon you can capture all types of web pages including those that require a user login. PageRecon can also automatically take screenshots of infinite scrolling web pages such as social media sites.

How is the evidence forensically-defensible?
PageRecon includes various measures to provide a high level of confidence that the data captured was not manipulated before it reached the web browser, within the web browser itself or within the output files.

By using an embedded web browser PageRecon ensures that the browser's developer tools have not been used to modify the web page prior to capture. The browser cache is also permanently disabled to ensure the web page is always loaded from the web server and not from the browser's local cache.

Timestamps are recorded using the local machine clock and an Internet Time Server. The timestamp from the time server is communicated via SSL and further encrypted, to reduce the possibility of the timestamp being modified using a man-in-the-middle attack.

The details of every web request is recorded including the IP address of the web server and the SSL certificate used for communication (if HTTPS is used). This data could be used for manually verifying that the responses came from the expected web server and were not manipulated in transit.

The SHA256 hash of each file that is output by PageRecon is included in the PDF report. These hashes can be used to confirm that the output files have not been modified. A custom hash of the PDF report is included in a separate file ('Report Hash.txt') and can be used to verify that the PDF report, and therefore the other file hashes, have also not been modified.

The file hashes can be checked at the following page:

To try PageRecon for yourself, visit our Downloads page for a free trial.