Certification & Online Trace Collection · service active
WACZ · ISO 28500/ eIDAS timestamping/ Client area
C.E.R.T.O.
Sign in Register free
IT EN
C.E.R.T.O. / Modules / Web pages
01 · WEB

Web pages

Capture a web page exactly as it appears in that moment — with everything it is made of — and seal it before it can change or vanish.

Register free All modules
Built-in forensic browser: target URL bar and a “Start acquisition” button. With “Screenshot” the operator captures the screen whenever they deem it appropriate while interacting with the page; navigation stays confined to the declared scope.

C.E.R.T.O.'s Web pages module performs the forensic acquisition of websites and web pages: it captures a page in the exact state it appears — text, images, code, resources and network traffic — and seals it as digital evidence before it can change or vanish. It is the tool designed for court-appointed and party experts, lawyers and law enforcement who need to freeze online content — a defamatory post, a copyright infringement, an e-commerce page, a review — with a full chain of custody and technical validity.

Key features

What this module does.

  • Replayable archive in WACZ format (ISO 28500 / WARC).
  • Built-in browser with HD video recording and system audio.
  • Full-page screenshots, HTTP traffic (HAR) and SSL/TLS analysis.
  • Multi-page with a capture-completeness engine.
  • BagIt 1.0 bundle signed with Ed25519, double RFC 3161 timestamp and CASE/UCO.
Final forensic report: the interactive index-interactive.html dashboard of the bundle — summary, pages, screenshots, network, certificates, completeness, hash inventory and integrity check.
Forensic pipeline

How the module operates.

A repeatable, documented procedure: from time synchronisation to cryptographic sealing, every step leaves a verifiable trace inside the bundle.

01 · NTP

Synchronised time

Multi-source NTP sync (Google/Cloudflare/pool) with documented offset and roundtrip: the capture window is anchored.

02 · SCOPE

Confined navigation

Built-in forensic browser with declared object and scope (domain, domain+subdomains or free navigation); every in-scope page becomes an exhibit.

03 · CAPTURE

Passive capture

Passive traffic capture via Chrome DevTools Protocol (Network domain, no request interception) — no page alteration.

04 · RENDER

Visual states & DOM

For each page: viewport screenshot, full-page screenshot (scroll-and-stitch) and a DOM snapshot after JavaScript execution.

05 · WACZ

Replayable archive

Self-contained WACZ/WARC packaging (ISO 28500): the navigation replays offline, byte for byte, with ReplayWeb.page.

06 · COMPLETE

Completeness

Session-aware completeness engine: compares seen vs captured resources, recovers the missing ones and declares the unrecoverable.

07 · NETWORK

Network & TLS

Complete W3C HAR, DNS, WHOIS, traceroute and X.509 certificate chains (leaf + intermediates + root) for every host contacted.

08 · HASH

Fingerprints

Quadruple MD5 + SHA-1 + SHA-256 + SHA-512 (FIPS 180-4) hash of every file, inventoried in file-hashes.json.

09 · SIGN

Signature & double timestamp

manifest.json signed with Ed25519 (RFC 8032) bound to the device + double RFC 3161 timestamp (inner anchor on the manifest, outer seal on the tag-manifest).

10 · SEAL

Sealed bundle

Everything is packaged into a BagIt 1.0 bundle (RFC 8493) with a CASE/UCO description and verify.sh / verify.bat verifiers.

Bundle contents

Everything that gets generated.

A single acquisition produces dozens of coordinated artefacts, each with a precise forensic role. They are organised into clearly-named folders inside data/.

Viewport screenshots

The visible screen during navigation (one frame per page), as JPEG watermarked with C.E.R.T.O., version, acquisition ID, URL and timestamp.

pages/NNN_…/screenshots/

Full-page screenshots

The whole page recomposed with scroll-and-stitch, beyond the fold, with the background flattened to white for colour fidelity. Generated post-hoc for each page.

pages/NNN_…/screenshots-fullpage/

DOM HTML snapshots

The DOM serialised after JavaScript execution (post-hydration), as actually rendered by the browser — not just the static source.

pages/NNN_…/html-snapshots/

WACZ archive

Web Archive Collection Zipped (ISO 28500): WARC + indexes, self-contained. Replays the whole navigation offline with ReplayWeb.page — it is the sealed media.

evidence/ReplayWebPage.wacz

Session video

Video recording (WebM) of the forensic browser during the acquisition, with system audio: the dynamic proof of what the operator saw and did.

evidence/video/

Network capture (HAR)

W3C HTTP Archive: complete record of requests/responses, real headers, timing and payload. Plus requests/responses/resources in JSON and statistics.

network/network.har

DNS · WHOIS · Traceroute

DNS resolution, WHOIS registry query (domain owner and registration data) and a map of the network hops from client to host.

network/dns-lookup.txt · whois.txt · traceroute.txt

SSL/TLS certificates

The full X.509 chains (leaf + intermediates + root, in PEM and human-readable) of every host contacted during the acquisition, with certificate details.

tls/certificates/

Cookies & JavaScript state

All active cookies with metadata (HttpOnly, Secure, SameSite, expiry) and the session storage / local storage snapshot at capture time.

network/cookies-detailed.json · evidence/javascript-state/

User interactions

Recording of clicks, scrolls, inputs and keystrokes during navigation (chain of custody of the operator's actions).

evidence/interactions/user-interactions.json

Resource map

The complete site-structure: every resource (CSS, JS, fonts, images) saved and organised by host, with the provenance metadata of each.

resources/site-structure/

Capture completeness

A report that honestly declares how many resources were seen, captured, recovered via session and how many remain unrecoverable, with the percentage.

network/completeness-report.json

Forensic report

The report in PDF and TXT (operator, scope, IP, NTP, SSL, inventory, forensic statements) with its own RFC 3161 timestamp (report.tsr).

reports/report.pdf · report.txt · report.tsr

Hash inventory

The list of every file with its quadruple of cryptographic hashes, the basis for an integrity check repeatable by anyone, even offline.

hashes/file-hashes.json

Self-validation

A bundle that proves itself.

The bundle does not need C.E.R.T.O. to be validated: anyone, even years from now, can verify its authenticity with standard tools. The BagIt 1.0 structure and the interactive dashboard make it self-explanatory.

  • index-interactive.html — the navigable offline dashboard of the bundle: summary, visited pages, screenshots, video, network, certificates, completeness, hash inventory and client-side integrity check.
  • manifest.json signed with Ed25519 (RFC 8032), bound to the identity of the device registered at first launch.
  • Double RFC 3161 timestamp: inner anchor on data/tsa.tsr and outer seal on tagmanifest-sha256.txt.tsr. Free cascade Sectigo→DigiCert→GlobalSign; optional qualified eIDAS InfoCert.
  • manifest-sha256.txt and tagmanifest-sha256.txt (RFC 8493): fixity of the payload and of the control files; no file can be added or altered without the check failing.
  • metadata/evidence.case.jsonldCASE 1.3 / UCO 1.4 description of the evidence, and tsa-ca.pem for verifying the timestamp even offline.
  • verify.sh / verify.bat — standalone verifiers: they recompute the hashes, check the double timestamp and the signature, and declare “VALID BUNDLE”.
FAQ

Frequently asked questions

Forensic web page acquisition, evidence validity, the WACZ format and bundle verification: the most common questions.

What is forensic web page acquisition?
It is the capture of a web page in the exact state it appears at a given moment — content, code, resources, network traffic and certificates — cryptographically sealed so it can be used as digital evidence and verified by third parties.
What is the difference between a screenshot and a forensic acquisition?
A screenshot is just an image, easily manipulated and without context. C.E.R.T.O.'s forensic acquisition also collects the rendered HTML, the replayable WACZ archive, the HTTP traffic (HAR), the TLS certificates, cryptographic hashes and a double RFC 3161 timestamp, with a verifiable chain of custody.
Is the acquisition valid as evidence in court?
The bundle is produced according to recognised standards (ISO/IEC 27037, BagIt RFC 8493, RFC 3161, CASE/UCO) with an Ed25519 signature and a double timestamp. Its authenticity and integrity can be verified by anyone, even offline, making it suitable for expert and court use. The final assessment always rests with the adjudicating authority.
What is a WACZ archive?
WACZ (Web Archive Collection Zipped, based on WARC / ISO 28500) is a standard format that bundles the entire navigation — pages, resources and traffic — into a single self-contained file, replayable offline byte for byte with ReplayWeb.page.
How is the bundle's authenticity verified?
Every bundle contains verify.sh / verify.bat and an index-interactive.html dashboard: they recompute the hashes, check the Ed25519 signature and the double RFC 3161 timestamp and declare whether the bundle is valid. Verification needs neither C.E.R.T.O. nor an internet connection.
What content is acquired?
Viewport and full-page screenshots, a DOM snapshot after JavaScript execution, the WACZ archive, the session video, HAR network traffic, DNS/WHOIS/traceroute, SSL/TLS certificates, cookies and JavaScript state, user interactions, the resource map and a PDF forensic report, with a complete hash inventory.

Collect evidence with the Web pages module.

Register for free and download C.E.R.T.O. Desktop for Windows and macOS from your client area.

Register free Back to modules