2. Hunchly Data Forwarding

Hunchly can forward captured data to an HTTP(S) endpoint of your choosing. Hunchly will then POST JSON data to that endpoint for each new page that is captured. This lets teams store content in a central database such as Elasticsearch or Splunk, analyze the data across the entire team, and run full-text keyword searches.

NOTE: Hunchly still stores all evidence captures locally for a user, and the core functionality of Hunchly is not affected by data forwarding.


Configuring Data Forwarding

Click the Settings panel (the gear icon in the top right of the Hunchly dashboard) and then select Data Forwarding from the left-hand side to see the following settings:

 

1. Enable / Disable - this will turn on or turn off the data forwarding.

2. HTTP(S) Address - this is the full HTTP(S) host and port number to send the JSON to.

3. Username - the HTTP Basic Authentication username if required.

4. Password - the HTTP Basic Authentication password if required.

5. Sync Only New Pages - if this setting is On, only new pages will be sent to the HTTP(S) endpoint. If it is Off, Hunchly will start sending any pages in the database that have not already been sent to the HTTP(S) endpoint.

Once you have configured your settings, click the Save button and Hunchly will be ready to begin forwarding data.


Using Case Information for User Tracking

In a team-based environment it may be useful to see which investigator captured a particular page. There are a few options available for this when configuring Data Forwarding.

1. Case Reference Tracking - this combines the currently logged-in username from your operating system, a date, and a random number. This allows you to track which team members are capturing data.

2. Specific Case Information Fields - as shown above, we have created an Investigator field and set it to Justin. This field will then be submitted with every request when the data is forwarded.


JSON Format 

The following is a table that explains all of the fields that are passed along from Hunchly to the HTTP(S) endpoint:

| FIELD | TYPE | DETAILS |
|---|---|---|
| page_content | String | Full HTML document with tags in place. |
| javascript | String | Full JavaScript that could be extracted at page capture time. |
| case_information | Object | Contains case information including a child object case_information that passes case information fields from Hunchly. |
| case_information.case_id | Integer | Hunchly Case ID on investigator's machine. |
| case_information.case_name | String | Hunchly Case Name on investigator's machine. |
| case_information.case_reference | String | Case reference tracking includes the name of the locally logged in investigator (operating system username), a date and a random 6 digit number. Useful for tracking which investigator found which particular pages. |
| case_information.case_information | Object | Key value pairs of the Case Information that can be defined in the Hunchly settings panel. |
| data | Array | An array of objects that contains data extractor records (email addresses, IP addresses, etc.). |
| data.data | String | The result of the data extraction, for example: support@hunch.ly |
| data.data_extractor | String | The type of data extractor used, for example: Email Address |
| data.data_type | String | The category of the data extracted, for example: Accounts |
| page | Object | An object that describes the page that was captured. |
| page.case_id | Integer | Hunchly Case ID on investigator's machine. |
| page.hash | String | A SHA-256 hash of the MHTML page captured on disk on the investigator's machine. |
| page.page_id | Integer | The page ID for this page based on the investigator's local Hunchly. |
| page.timestamp_created | String | A date string of when the page was initially captured. |
| page.timestamp_updated | String | A date string of when the page was last updated. |
| page.title | String | The title of the page. |
| page.url | String | The URL of the captured page. |
| photos | Array | An array of photo objects. |
| photos.photo_hash | String | The SHA-256 hash of the photo. |
| photos.photo_url | String | The photo's URL. |
| photos.exif | Object | An EXIF object that contains key-value pairs for the EXIF metadata extracted from the photo. |

Example JSON Request


{
  "javascript": "var bunch_of_javascript = true;",
  "page_content": "<html><head><title>Example.com Page</title></head><body>Lots of content here.</body></html>",
  "case_information": {
    "case_id": 1,
    "case_information": {
      "Investigator": "Investigator1"
    },
    "case_name": "Unassigned",
    "case_reference": "Reference number: Investigator1-16/04/2019-618851"
  },
  "data": [
    {
      "data": "UA-52456075-1",
      "data_extractor": "Google Analytics",
      "data_type": "Tracking Code"
    }
  ],
  "page": {
    "case_id": 1,
    "hash": "0ac1612aa878948098ab56333ef12b244cedce505ec22bf96cc14a251f18c54b",
    "page_id": 122,
    "timestamp_created": "2019-04-22T17:43:32Z",
    "timestamp_updated": "2019-04-22T17:43:32Z",
    "title": "Example.com - Home",
    "url": "https://www.example.com/"
  },
  "photos": [
    {
      "exif": null,
      "photo_hash": "8d793d1f866c5d5e4ef0d6ff8162e719040c71af15050a61d1950016fd891d08",
      "photo_url": "https://www.example.com/logo.png"
    },
    {
      "photo_hash": "30cb13d89322f5921792d6acd2132c4e37ba239decdc40ff12e7d48d6a7a8a10",
      "photo_url": "https://example.com/logo.jpg",
      "exif": {
        "ColorSpace": ["1"],
        "DateTimeDigitized": "2015:05:04 12:46:28",
        "Make": "Apple",
        "Model": "iPhone 8",
        "Orientation": ["1"],
        "PixelXDimension": ["1200"],
        "PixelYDimension": ["1200"]
      }
    }
  ]
}
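A receiving endpoint for the request format above, as an added example that is not Hunchly's own code: it checks the HTTP Basic Authentication header in constant time, validates the fields from the table, and keeps the raw page_content and javascript out of the indexed record. The credentials, body size cap, listening address, record layout and the assumption that a 200 response signals success are choices made for this sketch.

```python
import base64, hmac, json, re
from http.server import BaseHTTPRequestHandler, HTTPServer

USERNAME, PASSWORD = "hunchly", "change-me"  # assumed; match Hunchly's settings
MAX_BODY = 50 * 1024 * 1024  # assumed cap; page_content is a full HTML document
SHA256_HEX = re.compile(r"[0-9a-f]{64}")

def basic_auth_ok(header):
    """Constant-time check of an 'Authorization: Basic ...' header value."""
    try:
        scheme, token = (header or "").split(" ", 1)
        supplied = base64.b64decode(token, validate=True)
    except ValueError:
        return False
    expected = f"{USERNAME}:{PASSWORD}".encode()
    return scheme.lower() == "basic" and hmac.compare_digest(supplied, expected)

def summarize(raw):
    """Validate one capture; omit untrusted page_content/javascript from the record."""
    doc = json.loads(raw)
    page, case = doc["page"], doc["case_information"]
    if not SHA256_HEX.fullmatch(page["hash"]):
        raise ValueError("page.hash is not a SHA-256 hex digest")
    return {
        "url": page["url"], "title": page["title"], "hash": page["hash"],
        "captured": page["timestamp_created"], "case_reference": case["case_reference"],
        "case_fields": case.get("case_information") or {},
        "extracted": [[d["data_extractor"], d["data"]] for d in doc.get("data") or []],
        "photo_hashes": [p["photo_hash"] for p in doc.get("photos") or []],
    }

class Receiver(BaseHTTPRequestHandler):
    def do_POST(self):
        if not basic_auth_ok(self.headers.get("Authorization")):
            return self.send_error(401)
        try:
            length = int(self.headers.get("Content-Length", "0"))
            if not 0 < length <= MAX_BODY:
                return self.send_error(413)
            record = summarize(self.rfile.read(length))
        except (ValueError, KeyError, TypeError):
            return self.send_error(400)
        print(json.dumps(record))  # stand-in for a write to Elasticsearch or Splunk
        self.send_response(200)
        self.send_header("Content-Length", "0")
        self.end_headers()

if __name__ == "__main__":  # loopback only; terminate TLS in front of it
    HTTPServer(("127.0.0.1", 8080), Receiver).serve_forever()
```

Basic Authentication only base64-encodes the credentials, so set the HTTP(S) Address in Hunchly to an HTTPS URL that fronts this listener. Treat page_content and javascript as untrusted input from the captured site wherever they are stored or displayed.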
