One reason why Hunchly has become so popular...Court Decision


Do you think Source Code is required for captured (screenshot) pages?

  • Yes: 1 vote (20.0%)
  • Yes - But only because of the court case discussed below: 3 votes (60.0%)
  • No: 0 votes (0.0%)
  • It depends: 1 vote (20.0%)
  • Not sure: 0 votes (0.0%)
  • Total voters: 5


twicesafe | Administrator, Staff member | Sep 4, 2018 | Vancouver, Canada | www.computerforensicsworld.com | Twitter: Forensic_Notes
#1
A lot of OSINT investigators now use Hunchly due to a recent terrorism case in BC, Canada.

CanLII - 2017 BCSC 676 (CanLII)
R. v. Hamdan, 2017 BCSC 676

If you are an OSINT investigator and haven't read this case, I suggest you read it over. You may not agree with what the courts stated, but the outcome is clear.

"if the police procedures do not improve, subsequent decisions may find the police action to be unreasonable."

The defense argued that the source code of a page is needed for all captured pages....
[6] The RCMP captured the Key Posts using non-forensic-grade software that failed to capture metadata or source code. As a result, the Facebook posts cannot be replicated and there is no assurance that the Electronic Documents are accurate.
The founder of Hunchly wrote a good article following this decision discussing some of the points in the case.

Screenshots and a Terrorism Case – Hunchly – Medium

What are your thoughts on this case?
Do you think the courts were correct in their decision and expectations for the future?

Lids | New Member, Experienced Member | Oct 23, 2018
#2
The court's judgement is an interesting read. I'm fascinated that a police department would be using SnagIt for web capture, but I guess we work with what we have available at the time. I remember testing an early version of X1 Social Discovery and found it to be an interesting tool; earlier versions still had some work to be done on FB capture to get up to speed, but I liked the layout.

The defense expert witness was doing what he was paid for, which is picking holes in the prosecution's case. That being the case, some of the things that he stated, such as malware on the machines from which evidence was taken, were correctly cross-examined as most likely not having the ability to alter the text within the JPGs taken from the SnagIt software. He does make a valid point, however, about not taking MD5 hashes and keeping the screenshots in their original format, preserving file metadata, etc.

The court's decision for admission may be more regional - I found it interesting that the burden of proof for admission is as low as the person looking at it and saying "Yes, that looks like what it should".

RobertM | New Member, TRUSTED Contributor | Sep 30, 2018
#3
He does make a valid point however about not taking MD5 hashes and keeping the screenshots in their original format, preserving file metadata, etc.
I think this is one of the key points of the decision: the need for proper evidence handling of electronic artefacts and evidence, especially when court cases can be months, if not years, away.

One of the main issues with Snagit (although I love the application for other uses) is the fact that many investigators simply save the screen capture as-is, then convert it to a common format or put it in a Word document with no way to confirm when the capture was taken or whether it has been altered since the capture.

With social media, what you capture one minute could be very different the next, given that many sites customize the experience (especially ads) to the user based on their browsing habits and location. However, this doesn't change the actual content of user-generated posts, which is normally the evidence, but it does change the overall look of the page, which can cause confusion for a potential witness when the court asks "Is this the page you saw or observed online?"

The court's decision for admission may be more regional - I found it interesting that the burden of proof for admission is as low as the person looking at it and saying "Yes, that looks like what it should".
I think you are right about the regional aspect, and it is something that we should always keep in mind when looking at case law. But in my experience, the legal debates that happen in one region will eventually occur in another. I think this is especially true when dealing with Digital Forensics, due to the fact that many courts are still trying to understand what is and what isn't possible with digital data.

hunchly | New Member, TRUSTED Contributor | Sep 17, 2018 | Canada | www.hunch.ly | Twitter: https://twitter.com/hunchly
#4
We also often note that it's not a failing of the investigator not to take notes, timestamps, URLs or hashes. That is a tremendous burden on most investigators, and they are generally under a number of constraints (time, resources, case load, etc.) that can dictate it.

This is really where we are trying to simply allow you to do your work without having to think about these things, and that's where an ounce of prevention is worth a pound of cure.

bshavers | New Member, TRUSTED Contributor | Dec 2, 2008 | Seattle, WA | www.dfir.training | Facebook: https://www.facebook.com/dfirtools/ | Twitter: https://twitter.com/DFIRTraining
#5
If a tool exists, then it is up to the investigator to use it for best evidence seizure, whether the tool is software or hardware. I'm sure that few people would imagine capturing webpage source code in the 90s for an investigation, but today, it is easy enough to do with what is available.

Ellingtond | Derek Ellington | Sep 20, 2006
#6
FYI, X1 Social Discovery peaked about 2 years ago. Changes to Facebook's and others' APIs mean you don't get as much social media data as you did last year, and their email and indexing tool is way too slow. Aid4mail can download a Gmail account in minutes that takes X1 days or even a week. We finally stopped renewing because the $2k a year they wanted was not worth it considering how ineffective it was. We kept making suggestions and pushing for development, but it didn't happen. There were no major updates and the program itself was stagnant.

azuleonyx | Member, Experienced Member | Oct 20, 2018 | Charlotte, North Carolina Area | cyberfenixtech.blogspot.com | Twitter: https://twitter.com/AzuleOnyx
#7
What amazes me is that they thought screenshots would work in court. I think those 'might' be the start of an investigation but are by no means what the evidence should be. It is also interesting what is considered 'evidence' when considering website information. I guess the whole notion of 'document/record everything' is something to remember when dealing with non-standard locations of information.

Of course, as mentioned already, pulling the whole site is a chore and takes plenty of time (which is where Hunchly and similar tools can help).

twicesafe | Administrator, Staff member | Sep 4, 2018 | Vancouver, Canada | www.computerforensicsworld.com | Twitter: Forensic_Notes
#8
What amazes me is they thought screenshots would work in court. I think those 'might' be the start of an investigation but by no means what evidence should be.
From your perspective @azuleonyx, what type of evidence 'should' be collected for OSINT investigations so that it can be presented in civil and criminal court?

azuleonyx | Member, Experienced Member | Oct 20, 2018 | Charlotte, North Carolina Area | cyberfenixtech.blogspot.com | Twitter: https://twitter.com/AzuleOnyx
#9
I am probably going to point out the obvious data that should be collected:

- Site Name, URL, and Site Ownership information
- Who posted the information
- Poster's profile information
- What was contained in the post
- When and where (location of the poster if shown or ability to find) it was posted
- Who/What the post was posted about (or to)
- The conversation thread (replies/responses) to the post. Depending on the post, it might be a good idea to get a list of profiles who replied to the post.

Of course, screenshots may hold this information. Screenshots can be great for initial gathering of information, but greater care needs to be taken when there is the possibility of using them in court. However, they can be doctored. Honestly, lower-resolution screenshots are harder to change than full-resolution, crisp ones, but they have their own problems in a court of law.

Software which grabs the page contents to display the information in a static way, with proper documentation of the process and verification that the information is authentic, helps with court cases. It also provides a way to search and revisit the static snapshot for a second look, compare it to newer versions of the site, or compare it to other sites and OSINT information.
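The points raised in posts #3 and #9 (hash the capture, keep the original files, record when and from where they were taken) can be turned into a small capture manifest. This is an added example, not Hunchly's or any poster's code; the URL, collector id, timestamp and file contents are constructed stand-ins.

```python
import hashlib
import json
from datetime import datetime, timezone

# Constructed sample capture: the page source and a stand-in screenshot (not a real PNG).
ARTIFACTS = {
    "post.html": b"<html><body><p data-ts='1500000000'>example post text</p></body></html>",
    "post.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 32,
}

def digest(data):
    """MD5 and SHA-256 of one artifact: MD5 is what the thread mentions, SHA-256 is what to rely on."""
    return {"bytes": len(data),
            "md5": hashlib.md5(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest()}

def seal(record):
    """Hash the whole record (sorted JSON) so later edits to the manifest itself are detectable."""
    return hashlib.sha256(json.dumps(record, sort_keys=True).encode()).hexdigest()

def capture_manifest(url, artifacts, collector, captured_at=None):
    """Record URL, UTC capture time, collector and per-file hashes for one capture."""
    record = {
        "url": url,
        "captured_at": captured_at or datetime.now(timezone.utc).isoformat(),
        "collector": collector,
        "artifacts": {name: digest(data) for name, data in artifacts.items()},
    }
    return {**record, "manifest_sha256": seal(record)}

def manifest_intact(manifest):
    """True if the manifest's own seal still matches its contents."""
    record = {k: v for k, v in manifest.items() if k != "manifest_sha256"}
    return seal(record) == manifest["manifest_sha256"]

def verify_capture(manifest, artifacts):
    """Re-hash each stored file; False means it is missing or no longer matches the capture."""
    out = {}
    for name, rec in manifest["artifacts"].items():
        data = artifacts.get(name)
        out[name] = data is not None and hashlib.sha256(data).hexdigest() == rec["sha256"]
    return out

# Fixed timestamp so the sample manifest is reproducible (hypothetical URL and collector id).
MANIFEST = capture_manifest("https://example.invalid/posts/123", ARTIFACTS,
                            collector="investigator-01", captured_at="2018-10-23T14:02:11+00:00")

if __name__ == "__main__":
    print(json.dumps(MANIFEST, indent=2), verify_capture(MANIFEST, ARTIFACTS))
```

Store the manifest beside the untouched original files; a re-run of verify_capture months later shows whether the files still match, and manifest_intact shows whether the record itself was edited.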