2. Hunchly Data Forwarding
Hunchly has the ability to forward captured data to an HTTP(S) endpoint of your choosing. Hunchly will then POST JSON data to that endpoint for each new page that is captured. This can enable teams to store content in a central database such as Elasticsearch or Splunk as well as being able to perform analysis on the data across an entire team or do full text keyword searches.
NOTE: Hunchly still stores all evidence captures locally for a user, and the core functionality of Hunchly is not affected by data forwarding.
Configuring Data Forwarding
By clicking on the Settings panel (the gear icon in the top right of the Hunchly dashboard) and then selecting Data Forwarding from the left hand side will show you this:
1. Enable / Disable - this will turn on or turn off the data forwarding.
2. HTTP(S) Address - this is the full HTTP(S) host and port number to send the JSON.
3. Username - the HTTP Basic Authentication username if required.
4. Password - the HTTP Basic Authentication password if required.
5. Sync Only New Pages - If this setting is set to On only new pages will be sent to the HTTP(S) endpoint. If set to Off Hunchly will start sending any pages that are in the database that have not already been sent to the HTTP(S) endpoint.
Once you have configured your settings, click the Save button and Hunchly will be ready to begin forwarding data.
Using Case Information for User Tracking
In a team based environment it may be beneficial to see which investigator captured a particular page. There are a few options that are available here when configuring Data Forwarding.
1. Case Reference Tracking - this takes the currently logged in username from your operating system, a date, and a random number. This would allow you to track the team members that are capturing data.
2. Specific Case Information Fields - as shown above, we have created an Investigator field and set it to Justin. This field will then be submitted with every request when the data is forwarded.
The following is a table that explains all of the fields that are passed along from Hunchly to the HTTP(S) endpoint:
|page_content||String||Full HTML document with tags in place.|
|case_information||Object|| Contains case information including a child object case_information that passes case information fields from Hunchly.
|case_information. case_id||Integer||Hunchly Case ID on investigator's machine.|
|case_information. case_name||String||Hunchly Case Name on investigator's machine.|
|case_information. case_reference||String||Case reference tracking includes the name of the locally logged in investigator (operating system username), a date and a random 6 digit number. Useful for tracking which investigator found which particular pages.|
|case_information. case_information||Object||Key value pairs of the Case Information that can be defined in the Hunchly settings panel.|
|data||Array||An array of objects that contains data extractor records (email addresses, IP addresses, etc.).|
|data. data||String||The result of the data extraction, for example: email@example.com|
|data. data_extractor||String||The type of data extractor used, for example: Email Address|
|data. data_type||String||The category of the data extracted, for example: Accounts|
|page||Object||An object that describes the page that was captured.|
|page. case_id||Integer||Hunchly Case ID on investigator's machine.|
|page. hash||String||A SHA-256 hash of the MHTML page captured on disk on the investigator's machine.|
|page.page_id||Integer||The page ID for this page based on the investigator's local Hunchly.|
|page.timestamp_created||String||A date string of when the page was initially captured.|
|page.timestamp_updated||String||A date string of when the page was last updated.|
|page.title||String||The title of the page.|
|page.url||String||The URL of the captured page.|
|photos||Array||An array of photo objects.|
|photos.photo_hash||String||The SHA-256 hash of the photo.|
|photos.photo_url||String||The photo's URL.|
|photos.exif||Object||An EXIF object that contains key-value pairs for the EXIF metadata extracted from the photo.|
Example JSON Request
'page_content': '<html><head><title>Example.com Page</title></head><body>Lots of content here.</body></html>',