Until recently, capturing a website for litigation was not a common computer forensic practice, but the necessity of capturing and preserving this highly dynamic data has increased along with the overall technical complexity of today’s lawsuits. This has spurred an ever-rising demand for forensic evidence relating to suspicious data from the web, website hijacking, and intellectual property theft.
Because of the dynamic nature of web content, web capture efforts could be plagued with issues. Some of these might include:
- the inability to capture portions of the website
- frequent content updates, making it hard to keep up through the use of manual capture processes
- a lack of access to capture back-end information
- the inability to capture images or information from links to external sites
Further complicating matters, many more advanced websites serve content in dual formats (low and high bandwidth) requiring multiple captures.
It’s important to note that not every website contains dynamic data. Some of the more “traditionally” designed websites use static HTML code that is easily captured using various traditional methods. It is more common today, however, to find a site with dynamic content such as XHTML (the dynamic version of the traditional HTML—hypertext markup language), JavaScript (interactivity for user enhancements), back-end databases that capture information entered by users, or Flash components that provide a movie-like user experience. Other potential trouble spots include small programs that use ActiveX components to format information and facilitate data entry, as well as AJAX coding, which allows data to be streamed to the computer without refreshing the page. In situations like these, a basic capture of the page will not get all the available data.
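One way to check a saved page for the trouble spots listed above before relying on a basic capture. This is an added example, not part of the original article: the `CaptureTriage` class, the `triage` function, the sample page and the example.com/.net/.org URLs are all constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

class CaptureTriage(HTMLParser):
    """Flag content in a saved page that a basic static capture will miss."""
    def __init__(self, base_url):
        super().__init__()
        self.base_url, self.host = base_url, urlparse(base_url).hostname
        self.in_script = False
        self.found = {"scripts": 0, "ajax": False, "forms": 0,
                      "flash": [], "activex": [], "external": set()}

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "script":
            self.found["scripts"] += 1
            self.in_script = True
        elif tag == "form":  # user input ends up in a back-end database
            self.found["forms"] += 1
        elif tag == "object" and (attrs.get("classid") or "").lower().startswith("clsid:"):
            self.found["activex"].append(attrs["classid"])
        urls = [urljoin(self.base_url, attrs[n]) for n in ("src", "href", "data") if attrs.get(n)]
        for url in urls:
            parsed = urlparse(url)
            if parsed.path.lower().endswith(".swf"):  # Flash movie
                self.found["flash"].append(url)
            if parsed.hostname and parsed.hostname != self.host:
                self.found["external"].add(url)  # image or link on another site

    def handle_endtag(self, tag):
        self.in_script = self.in_script and tag != "script"

    def handle_data(self, data):
        if self.in_script and ("XMLHttpRequest" in data or "fetch(" in data):
            self.found["ajax"] = True  # data is loaded after the page renders

def triage(html, base_url):
    parser = CaptureTriage(base_url)
    parser.feed(html)
    return dict(parser.found, external=sorted(parser.found["external"]))

# Constructed sample page (not from any real site), for illustration only
SAMPLE = """<html><body><img src="/img/logo.png">
<img src="https://cdn.example.net/banner.jpg"><a href="https://partner.example.org/terms">Terms</a>
<object classid="clsid:00000000-0000-0000-0000-000000000000"></object><embed src="media/intro.swf">
<form action="/signup"><input name="email"></form>
<script>var r = new XMLHttpRequest(); r.open("GET", "/api/prices");</script></body></html>"""

if __name__ == "__main__":
    print(triage(SAMPLE, "https://www.example.com/index.html"))
```

Any non-empty entry in the result marks content that needs a separate capture step, such as a browser-rendered capture or a direct request to the external host.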
A good case management workflow involving website capture should include the following steps:
- Research the suspect company background and website.
- Identify necessary resources required for the project, such as web capture tools and analysis tools.
- Initiate and execute the project.
- Provide reporting and testimony, when required.
Research
While it will be necessary to learn about the case, it is also necessary to conduct some standard background research on the target (suspects). Some useful mechanisms for locating information are annual reports, corporate websites, and any background information available on specific users, websites or companies in question. Strategies for researching the background of the website or company in question might include locating additional websites which the company or individual(s) own, identifying other key companies or individuals that are responsible for creating and managing the website, and identifying specific DNS addresses that might be of interest for capturing the website. DNS information will help by providing you with the geographic location where the website is hosted, and could provide useful intelligence about other data locations.

