What You’ll Learn
This tutorial walks through the complete AEGIS forensic capture workflow — from targeting a URL to receiving a 10-file evidence package with cryptographic verification.
By the end, you’ll understand exactly what AEGIS produces and how each file in the evidence package supports the chain of custody.
Step 1: Target a URL
Every AEGIS capture begins with a target URL. This is the web page you need to preserve as evidence.
AEGIS records the target URL, resolves the IP address, and begins documenting the capture environment — your browser, operating system, screen resolution, and network details.
Step 2: Forensic Capture
AEGIS captures the page in multiple formats simultaneously:
- Full-page screenshot — a visual record of exactly what appeared
- PDF render — a portable, printable version
- MHTML archive — a complete web archive with all resources embedded
- Raw HTML source — the original source code as served by the target
- Extracted text — all visible text content, machine-readable
This multi-format approach ensures the evidence is preserved in both human-readable and machine-processable forms.
Step 3: Cryptographic Verification
After capture, AEGIS generates a layer of cryptographic proof:
- SHA-256 Hashing: Every file in the evidence package receives a cryptographic hash. These hashes are compiled into a manifest (SHA256_MANIFEST.sha256).
- RSA-2048 Digital Signature: The manifest is signed with an RSA-2048 key, creating an EVIDENCE_SIGNATURE.sig file. The corresponding public key (EVIDENCE_PUBLIC_KEY.pem) is included for independent verification.
- NTP Timestamp: The capture time is verified against NIST atomic clock servers.
- Bitcoin Blockchain Timestamp: The manifest hash is submitted to OpenTimestamps and anchored to the Bitcoin blockchain, creating a BLOCKCHAIN_TIMESTAMP.ots proof file.
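A recipient can re-check the Step 3 hashes without AEGIS. The following is an added example, not AEGIS code: it assumes the manifest uses the common `sha256sum` line format (`<hex digest>  <filename>`), which this page does not specify, and it runs against a constructed sample package. Checking the RSA signature over the manifest is a separate step that is not shown.

```python
import hashlib
import tempfile
from pathlib import Path

MANIFEST = "SHA256_MANIFEST.sha256"
# Assumption: these files are produced from the manifest, so it cannot list them.
DERIVED = {MANIFEST, "EVIDENCE_SIGNATURE.sig", "EVIDENCE_PUBLIC_KEY.pem",
           "BLOCKCHAIN_TIMESTAMP.ots"}

def sha256_file(path):
    """Hex SHA-256 of a file's bytes."""
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()

def verify_package(pkg_dir):
    """Recompute every hash; report mismatched, missing and unlisted files."""
    pkg = Path(pkg_dir)
    result = {"ok": [], "mismatch": [], "missing": [], "unlisted": []}
    listed = set()
    for line in (pkg / MANIFEST).read_text().splitlines():
        if not line.strip():
            continue
        digest, name = line.split(maxsplit=1)   # malformed lines raise ValueError
        name = name.lstrip("*")                 # sha256sum binary-mode marker
        listed.add(name)
        target = pkg / name
        if Path(name).name != name or not target.is_file():
            result["missing"].append(name)      # also rejects paths outside pkg
        elif sha256_file(target) == digest.lower():
            result["ok"].append(name)
        else:
            result["mismatch"].append(name)
    on_disk = {p.name for p in pkg.iterdir() if p.is_file()}
    result["unlisted"] = sorted(on_disk - listed - DERIVED)
    return result

def demo():
    """Constructed sample: one file altered and one added after the manifest."""
    with tempfile.TemporaryDirectory() as d:
        pkg = Path(d)
        files = {"PAGE_SOURCE.html": b"<html>constructed</html>",
                 "EXTRACTED_TEXT.txt": b"constructed text"}
        for name, data in files.items():
            (pkg / name).write_bytes(data)
        (pkg / MANIFEST).write_text("".join(
            f"{hashlib.sha256(v).hexdigest()}  {k}\n" for k, v in files.items()))
        (pkg / "EXTRACTED_TEXT.txt").write_bytes(b"edited later")
        (pkg / "notes.txt").write_bytes(b"added later")
        return verify_package(pkg)
```

A clean package returns empty `mismatch`, `missing` and `unlisted` lists; any entry in those lists means the directory no longer matches what the manifest recorded.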
Step 4: TLS Certificate Attestation
AEGIS documents the target server’s TLS/SSL certificate at the time of capture. This records:
- Certificate issuer and validity period
- Domain names covered by the certificate
- Certificate serial number and fingerprint
- Protocol and cipher suite used for the connection
This attestation helps prove that AEGIS connected to the legitimate server — not an impersonator or cached version.
Step 5: Chain of Custody Report
AEGIS generates a branded HTML chain of custody report (FORENSIC_REPORT.html) that consolidates everything:
- Capture identification (target URL, IP, timestamps)
- Operator and environment details
- Cryptographic file integrity table (every file + hash)
- Digital signature and blockchain timestamp attestation
- TLS certificate details
- Evidence package inventory
- HTTP session log
This report serves as the primary chain of custody document for the capture.
Step 6: e-Discovery Export
Finally, AEGIS generates load files for direct import into litigation review platforms:
- EDISCOVERY_LOADFILE.dat — Concordance-delimited metadata file
- EDISCOVERY_OPTFILE.opt — Image cross-reference file
These files allow your evidence package to be imported into Relativity, DISCO, Concordance, or Everlaw without manual reformatting.
The Complete Evidence Package
After a single AEGIS capture, your evidence directory contains 10 files:
| # | File | Purpose |
|---|---|---|
| 1 | SCREENSHOT_FULL.png | Full-page visual capture |
| 2 | FORENSIC_ARCHIVE.mhtml | Complete web archive |
| 3 | PAGE_SOURCE.html | Raw HTML source |
| 4 | EXTRACTED_TEXT.txt | Visible text content |
| 5 | EXIF_METADATA.json | Image and page metadata |
| 6 | FORENSIC_LOG.txt | HTTP session log |
| 7 | SHA256_MANIFEST.sha256 | Hash verification manifest |
| 8 | EVIDENCE_SIGNATURE.sig | RSA-2048 digital signature |
| 9 | BLOCKCHAIN_TIMESTAMP.ots | Bitcoin timestamp proof |
| 10 | EDISCOVERY files (.dat/.opt) | Litigation platform import |