Web Evidence Acquisition: An ISO 27037 Forensic Guide

In most digital disputes today, the key piece of evidence lives on a webpage. Defamation on social networks, counterfeit listings on a marketplace, unfair competition, contracts signed online, public conduct in group chats: it all sits on URLs that can change, disappear, or get quietly edited within hours. Web evidence acquisition is the technical and legal process that turns those shifting contents into proof you can actually put in front of a judge.

A raw screenshot, the one you get with PrintScreen, does not hold up in court. The image can be altered in seconds, it carries no verifiable metadata, and nothing ties it cryptographically to the server that produced it. ISO/IEC 27037 is the international framework for acquiring digital evidence in a defensible way, but translating it to the web takes a kind of technical literacy that few legal teams and forensic consultants actually have.

So how do you run a forensically defensible web evidence acquisition? You capture the rendered DOM, an MHTML archive, the SSL/TLS certificate, the server IP, and the environment metadata in an ISO 27037 workflow, sealed with a SHA-256 hash and a qualified electronic timestamp under an auditable chain of custody. This guide walks through what to capture, why it matters in court, and how to run every step with the rigor the standard demands.

Why a screenshot is not enough as legal evidence

Unlike a screenshot, a forensic web capture records the full state of a page at the moment of observation, not just its visual rendering. A screenshot is an image the operating system produces: no technical metadata about the source server, no third-party verifiable timestamp, no cryptographic hash tying the pixels to the content actually delivered. In court, opposing counsel can contest it with a qualified challenge under authenticity rules, and the evidentiary weight tends to collapse fast. As the American Bar Association Litigation Section has noted, screenshots are rarely the ideal form of digital evidence because they strip away the metadata, timestamps, and source linkage that any authentication argument relies on.

This is not an academic problem. Under Federal Rules of Evidence 901, any party offering evidence has to produce enough foundation to support a finding that the item is what it claims to be. For a bare screenshot that usually means witness testimony, corroborating metadata, or expert authentication. All three are slow, expensive, and exposed to cross-examination. A forensic acquisition skips the whole debate: done properly, it meets the self-authentication thresholds of Federal Rule of Evidence 902(13) and 902(14), which cover records copied from electronic devices and systems when accompanied by a qualified certification.

A raw screenshot offers none of that. It cannot prove the pixel was on the live site at 14:37 on a given day, cannot prove the serving domain was the one the claimant says it was, cannot prove the image was not retouched before filing. To shift the burden onto the party denying the evidence, you have to work on the acquisition methodology itself. That is where ISO 27037 comes in, and where the broader question of admissibility of digital evidence in court starts to resolve. The classic benchmark, set in Lorraine v. Markel American Insurance Co. (D. Md. 2007), still applies: authentication, hearsay, best evidence, unfair prejudice, original writing. A bare screenshot struggles on almost every one; a forensic acquisition answers them together in a single artifact.

According to the American Bar Association Litigation Section (2022), "screenshots are rarely the ideal form of digital evidence" because they lack the metadata that courts rely on for authentication. Combined with Lorraine v. Markel American Insurance Co. (D. Md. 2007), the standard analytical framework for admitting electronic evidence requires authentication, hearsay analysis, the best-evidence rule, unfair prejudice, and original-writing considerations. A forensic acquisition compliant with ISO/IEC 27037 is engineered to address all five tests in one package. Further context is available in our guide to screenshot evidence admissibility.

What ISO 27037 requires for digital evidence acquisition

ISO/IEC 27037:2012 defines four operational processes for handling potential digital evidence: identification, collection, acquisition, and preservation. Applied to web evidence acquisition, the standard asks you to treat every URL as a discrete evidentiary scene, with documented technical and procedural controls. Published by ISO and IEC in 2012, it has been cited in European and US forensic literature for more than a decade, and the UNODC Education for Justice module on digital evidence lists it as the most frequently referenced international standard for electronic evidence admissibility. Courts and judicial experts lean on it because it applies equally to physical devices and to live web content.

The text, available on the official ISO page, introduces two technical figures worth knowing by name. The DEFR (Digital Evidence First Responder) is the authorized and trained operator who acts first on the scene, often under time pressure, to identify, collect, and preserve potential evidence. The DES (Digital Evidence Specialist) is the senior expert with advanced skills in operating systems, networking, and application forensics, who steps in for the more complex acquisition and analysis phases. Both have to follow documented procedures and be able to justify every technical choice they make.

The core principles, repeated throughout sections 5.3 and 5.4 of the standard, are four: auditability (every action traceable and verifiable by an independent third party), repeatability (the same procedures on the same data under the same conditions yield the same results), reproducibility (another examiner with different tools reaches the same conclusions), and justifiability (every technical choice has to be defensible). These are obligations, not options. If even one breaks, the defense has a clean path to challenge the evidence.

ISO/IEC 27037:2012, paragraph 5.3, states that a first responder must minimize handling of the original data, document every step, and preserve the chain of custody so that a competent third party can independently reproduce the conclusions. The same logic applies to web evidence acquisition, where the "original" lives on a remote server and cannot be physically seized. This is why web forensics demands more documentation, not less, than a hard-drive imaging exercise.

On the web, the standard actually asks for more rigor, not less. The data lives on a third-party system, the environment is live, there is nothing to power down. Every choice the DEFR or the DES makes (which tool, which endpoint, which timestamp source, which network logging) has to survive an adversarial forensic review. Done right, ISO 27037 treats every URL like a digital crime scene, with controls analogous to those applied to a seized hard drive, adapted to the realities of a network environment. The discipline of digital forensics certification sits on exactly this foundation.

What to acquire from a webpage to produce legally valid evidence

A modern webpage is not a document. It is the real-time product of an interaction between client, server, CDN, DNS, certificate authorities, JavaScript runtime, and user state. Web evidence acquisition means pulling every one of those layers into one verifiable dataset, not saving a single image.

A forensic capture aligned with ISO 27037 includes at least six distinct technical elements. Each one closes a line of defensive attack that would otherwise stay open, and none of them can substitute for another. The table below explains why.

Element	What it proves	Why it cannot be missing
Rendered DOM	What the user actually saw after JavaScript execution	Dynamic content (SPAs, feeds, modals, cookie banners) is not in the source HTML
MHTML archive	The complete page with CSS, images, fonts, scripts in a single file	Lets a forensic expert reopen it offline years later, even if the site is gone
SSL/TLS certificate	That at time t the domain presented that signed public key	Shields the evidence against MITM or domain spoofing claims
Server IP and DNS	That the domain resolved to a specific host in a specific geography	Enables correlations with registrars, ASNs, jurisdiction
SHA-256 hash	That the dataset has not been modified between acquisition and filing	The cornerstone of integrity: two identical hashes, zero tampering
Qualified timestamp	The date and time opposable to third parties, with eIDAS legal presumption	Anchors the evidence in time, eliminating chronological challenges

The rendered DOM (what the user actually saw)

According to the SWGDE Best Practices for Acquiring Online Content 21-F-001 v1.1 (2024), capturing the rendered DOM is the technical step that separates a rigorous web evidence acquisition from an amateur grab. The DOM (Document Object Model) is the in-memory representation of the page after the browser has parsed the HTML and executed the JavaScript. It matches what the user actually sees, not what the server initially sent. The W3C DOM Living Standard defines it as the runtime representation of the page, distinct from its source.

The gap between the two can be large. On a React, Angular, or Vue application, the initial HTML can be almost empty, and almost everything textual and visual emerges dynamically inside the DOM after render. A marketplace page showing a counterfeit product, a cookie banner with a recorded consent, a social feed loading posts on scroll: all of it lives only inside the DOM. Save the raw HTML and you save a "dead" page, different from what the user actually experienced, and therefore unrepresentative of the historical fact you are trying to prove.

Technically, the DOM is captured by serializing the outerHTML of the root element once rendering has completed, inside a controlled browser environment. A SHA-256 hash is computed on the result immediately, and that hash becomes the cryptographic fingerprint of that specific page state. SWGDE 21-F-001 also notes that APIs, where available, are the preferred acquisition method, because they capture both visible content and technical metadata that would otherwise be inaccessible through a user interface. Tools that wait for the render cycle to finish before serializing state satisfy the fidelity requirement under ISO 27037.

The MHTML archive (self-contained snapshot)

MHTML is an archive format that packages the HTML together with every dependent resource (CSS, images, JavaScript, fonts, media) into a single file. Chromium-based browsers support it natively, and it remains the cleanest way to preserve a page as a self-contained entity that a technical expert can reopen offline years later.

Why does it matter? Because the live site changes all the time. Images are removed, CSS gets rewritten, CDNs serve different assets, domains change hands. Without a self-contained archive, even a perfect DOM capture becomes partially unreadable over time: the visual context and the dependent resources that gave it meaning simply disappear. MHTML is the modern technical form of what the literature has long called forensic website preservation, applied specifically to dynamic online content. The companion doctrine sits in our article on web page certification and its legal value.

The international web archiving community relies on a second format alongside MHTML: WARC (ISO 28500:2017), used by the Library of Congress, British Library, Internet Archive, and other preservation institutions. For episodic, courtroom-grade forensic acquisition, MHTML is usually enough and easier to handle. For structured, high-volume archival, WARC is the preferred choice. Both formats are open, documented, and let an independent expert verify the evidence without proprietary tooling.

SSL/TLS certificates (server identity)

The server-side SSL/TLS certificate is the X.509 document the server presents during the cryptographic handshake. It ties the captured content to the verified identity of the domain that served it. The mechanism is simple: the browser receives a certificate signed by a recognized Certification Authority, validates the trust chain up to the root CA, and only then accepts the content as originating from the claimed domain. In a web evidence acquisition, capturing this certificate along with its SHA-256 fingerprint freezes the cryptographic proof that at that specific time, on that specific URL, the content was actually served by the legitimate server. The certificate format is defined by RFC 5280 (X.509 Public Key Infrastructure) and by the policies of the major trust stores (Mozilla CA Program, Apple Root Program, Microsoft Trusted Root Program), recognized across every Western legal system. Without the certificate, provenance is a verbal claim; with it, provenance becomes a cryptographic fact.

If the certificate is not captured, the defense can argue that the page was served by an unauthorized intermediary (MITM), by a clone server with hijacked DNS, or by a development environment set up for the occasion. It is one of the more awkward technical attack vectors to deal with, because it shifts the discussion from the content itself to its origin.

Operationally, you store the SHA-256 fingerprint of the certificate, the full chain of trust up to the root CA, and wherever possible the OCSP or CRL verification response captured at the moment of acquisition. One element that can turn a contestable piece of evidence into a hardened one, because it introduces an attribution layer that cannot be reproduced by anyone who does not control the domain.

Server IP and DNS resolution (technical origin)

DNS resolution at the moment of acquisition, with A, AAAA, CNAME, NS records, and where relevant a WHOIS snapshot, proves that at that instant the domain pointed to a specific IP address, and therefore to a specific machine. It becomes a critical data point when the domain is later transferred, seized, or cleaned up.

This is not pedantry. In counterfeit enforcement, phishing investigations, or coordinated defamation campaigns, the jurisdiction of the server, the hosting provider, and the originating ASN are often decisive for identifying who is responsible and for choosing the right procedural strategy. Capturing DNS and IP at acquisition time means freezing information that could be gone within a week.

Forensic acquisition metadata (timestamp, hash, device)

The last piece concerns the capture environment itself. A reproducible forensic acquisition needs an independent expert to be able to tell, later, which browser, which version, which extensions, which timezone, which viewport, which user-agent, and which network configuration were in play during acquisition. Add to that an NTP-synchronized local timestamp, a SHA-256 hash of the complete bundle, and an eIDAS qualified timestamp applied on top.

Regulation (EU) 910/2014 (eIDAS Article 41) is the legal instrument that turns a self-declared time reference into a legal presumption. A qualified electronic time stamp carries a presumption of accuracy of the date and time it indicates and of the integrity of the data it is bound to, recognized in every EU Member State. Article 42 spells out the technical requirements: UTC-linked source, tamper-evident binding, and signature or seal by a qualified trust service. Without it, the chronology of the capture is contestable; with it, the moment of acquisition becomes a legally opposable fact.

The forensic acquisition process step by step

A web evidence acquisition aligned with ISO 27037 runs through three logical phases: preparing the environment, acquiring under digital chain of custody, and sealing with cryptographic hash and qualified timestamp. Following the sequence is what separates a defensible operation from an amateur capture destined to fall apart at the first qualified challenge.

What follows translates the standard into operational steps designed for lawyers, forensic consultants, and digital forensics professionals, with references to NIST SP 800-86 and the SWGDE guidelines already cited. The approach maps closely to the broader discipline of ISO 27037, SWGDE and NIST evidence preservation standards TrueScreen covers in its pillar content.

Environment preparation (isolated browser, clean profile)

Before capturing anything, you need a controlled environment. A commercial browser used every day drags along cookies, extensions, login state, cache, A/B test assignments, geolocation, and more: inputs that change what the server decides to return. A forensic acquisition performed on a "dirty" browser is not reproducible by an independent expert, who would get a different page from the same URL.

Correct preparation requires a dedicated forensic browser or an isolated session, a clean profile, no extensions, the system clock synchronized against an authoritative NTP source, the language and timezone declared in the log, and any VPN or tunneling documented explicitly. All of it goes in the technical report as part of the setup record.

The ACPO Good Practice Guide for Digital Evidence (version 5), cited in European and Commonwealth courts alongside ISO 27037, lays out four principles that apply here: no alteration of the original data, competence of the operator, a verifiable audit trail, and responsibility of the investigator. A clean setup is the precondition for all four to hold.

Acquisition with digital chain of custody

The core acquisition phase captures, in parallel, the rendered DOM, the MHTML archive, a full-page screenshot, the SSL/TLS certificate with its chain of trust, the HTTP headers, the DNS resolution, the server IP, and the live network trace. Every element lands in a structured, signed log with a timestamp. During live capture, network traffic has to be recorded through a packet analyzer or a forensic proxy: SWGDE 21-F-001 explicitly requires it, to prove the absence of unexpected redirects, injections, or in-transit alterations.

The digital chain of custody is the thread that holds the whole operation together. It answers the right questions: who acquired the evidence, when, with which tool, with which hash, where it was stored, who accessed it afterward. An incomplete log is enough to break the audit trail and with it the repeatability the standard demands. For that reason the chain of custody is not a bureaucratic appendix. It is the structural backbone of admissibility.

Under the Budapest Convention on Cybercrime (Council of Europe, ETS 185), Articles 16, 17, and 19 require signatory states to enable expedited preservation and lawful search and seizure of stored computer data, with an explicit requirement that the preservation process protect integrity. Article 32 extends the rules to cross-border access to publicly available data, the legal basis most courts rely on when a forensic team captures pages hosted outside its own jurisdiction. A properly logged chain of custody is what turns those articles into working practice.

Sealing with cryptographic hash and qualified timestamp

The last phase closes the evidence. You apply a SHA-256 hash over the complete bundle (every individual file plus a manifest listing them with their individual hashes), a qualified electronic seal, and a qualified electronic timestamp. At that point the evidence becomes legally opposable across time.

The mechanism under Regulation (EU) 910/2014 is twofold. The qualified electronic seal carries a presumption of integrity of the data and of correctness of origin (Article 35). The qualified electronic timestamp carries a presumption of accuracy of the date and time indicated and of integrity of the data it is bound to (Article 41). The two effects combined produce a piece of evidence that is cryptographic and legal at once, automatically recognized in every EU Member State. Regulation (EU) 2024/1183, in force since 20 May 2024 (eIDAS 2.0 text), keeps the regime for seals and timestamps and adds qualified electronic archiving services, useful for long-term preservation of forensic acquisitions.

On the US side, Federal Rule of Evidence 902(14) follows the same logic. A digital copy accompanied by a certification from a qualified person attesting to the digital identification process (typically hash comparison) is self-authenticating and does not require live testimony to be admitted. A web acquisition sealed with a SHA-256 hash and a formal certification sits squarely inside that category and travels on an abbreviated path. Outside the EU, the combination of ISO 27037 plus NIST-approved hashes builds a probative bridge recognized across most common-law and civil-law jurisdictions. For practitioners who want the US-specific mechanics, the dedicated guide to FRE 901 covers the authentication grounds in detail.

Federal Rule of Evidence 902(14), effective since 1 December 2017, makes electronic records self-authenticating when they have been copied from an electronic device, storage medium, or file and are accompanied by a qualified person's certification "that complies with the certification requirements of Rule 902(11) or (12)" and attests that the copy was produced through a digital identification process (typically SHA-256 hash comparison). The effect is procedural: the proponent no longer needs a live witness to authenticate, which reduces cost and discovery burden in cross-border cases.

How TrueScreen implements ISO 27037 for web acquisition

TrueScreen is the Data Authenticity Platform that automates the ISO/IEC 27037 requirements for web evidence acquisition, from capture through long-term preservation, in a single verifiable workflow. The forensic methodology covers the four standard processes (identification, collection, acquisition, preservation) and adds a legal certification layer with qualified electronic seal and qualified electronic timestamp under eIDAS. ISO 27037 itself does not prescribe that layer, but it is decisive for cross-border enforceability. Unlike generic tools, the whole pipeline is built around the four ISO principles: auditability, repeatability, reproducibility, and justifiability. Every session starts from a clean environment; every element (DOM, MHTML, SSL/TLS, IP, DNS, network trace) is captured in parallel and sealed at the source with a SHA-256 hash and a qualified timestamp; every step lands in an immutable log that an independent expert can reproduce. For legal teams, forensic consultants, and compliance officers, that is the difference between a filing-ready piece of evidence and a capture that will be challenged at the first qualified objection.

The Forensic Browser is the reference product for ISO 27037 web evidence acquisition. It isolates every session in a clean environment (no residual cookies, no extensions, an NTP-synchronized clock) and captures in parallel the post-JavaScript rendered DOM, the self-contained MHTML archive, the server-side SSL/TLS certificate with its chain of trust, the resolved server IP, and the full network trace. Every acquisition receives a SHA-256 hash and an eIDAS qualified timestamp applied at the source, not afterward, once files may have already been exposed to manipulation.

The TrueScreen product surface relevant to web acquisition includes the Forensic Browser, a proprietary browser for pages and dynamic content, designed for full forensic sessions in isolated environments; the Web Portal, a browser-based interface for page capture, screen recording, evidence management, and audit trail; the Chrome Extension, which embeds forensic capture into the operator's existing browser for quick acquisitions; the App for iOS and Android, for field use; and the API and SDK, certification primitives for embedding web evidence acquisition into enterprise workflows (continuous marketplace monitoring, social media surveillance, compliance pipelines, AI-generated content provenance).

On courtroom defensibility specifically, TrueScreen maps directly onto the four ISO 27037 principles. Auditability comes from the Web Portal's immutable log, which records who acquired what, when, with which parameters, and in which environment. Repeatability comes from the controlled environment and clean profile of the Forensic Browser. Reproducibility is supported by the full documentation of metadata, HTTP headers, DNS, and runtime environment. Justifiability lives in the signed PDF/A technical reports that accompany every acquisition.

One concrete example. A law firm specialized in copyright litigation needs to capture forty marketplace listings advertising counterfeit products before the seller removes them. Using TrueScreen via the API, the firm obtains within minutes forty complete forensic acquisitions (DOM, MHTML, SSL certificate, server IP, DNS, hash, qualified timestamp), each with its own signed technical report. The next day the seller takes the listings down, but the forensic record stays admissible and ready to file. The same dynamic applies to social-media defamation, unfair competition, online evidence in criminal proceedings, and regulated communications subject to record-keeping obligations. The logic sits inside the broader perimeter of digital provenance that lets a webpage be treated as a verifiable asset across its entire lifecycle, not only at the moment of capture.

Common mistakes to avoid in web forensic acquisition

Forensic web acquisitions that collapse in court almost always collapse for the same recurring reasons. Recognizing them in advance is how you build a defensible process and lower the risk of a qualified objection that can wipe the evidence from the record.

The list below groups the ten mistakes we see most often in web evidence acquisition that reaches litigation with technical weaknesses, mapped against SWGDE and NIST best practices.

Capturing only a screenshot without DOM and without post-render HTML. A screenshot on its own is weak and broadly contestable. You also need the serialized DOM and the bundle of resources.
Omitting the SSL/TLS certificate capture. Without the certificate, the defense can argue the content came from a different server than the claimed one. An easy attack vector to close, yet one that is frequently overlooked.
Operating with a system clock not synchronized to NTP. If the local timestamp is not anchored to an authoritative source, the chronology of the acquisition is exposed. A qualified timestamp helps, but only on top of a correctly time-synchronized environment.
Computing the hash only on the screenshot, not on the bundle. The forensic dataset is the aggregated package. You need a SHA-256 hash on each individual element and a hash on the full bundle, with a signed manifest.
Using a "dirty" browser with cookies, cache, and extensions. The environment influences what gets rendered. Without a clean profile, the acquisition is not reproducible by an independent examiner.
Failing to document the digital chain of custody. Who, when, which tool, where it was stored: ISO 27037 requires all of it. Without a signed log, the audit trail breaks.
Not logging network traffic during live acquisition. SWGDE 21-F-001 requires it explicitly, to prove the absence of redirects, injections, or in-transit alterations.
Relying on a local timestamp without a qualified timestamp. The computer clock is self-declared. The eIDAS qualified timestamp carries a legal presumption across the whole EU, which is the line between a strong piece of evidence and a contestable one.
Acquiring dynamic pages with tools built for static HTML. On React, Angular, Vue, infinite-scroll feeds, modal dialogs: if the tool does not wait for full rendering, it captures a "dead" page, different from what the user saw.
Assuming the server will keep the original page forever. Pages change, disappear, get redirected or taken down. Forensic acquisition has to be performed at the moment of the event. Even a twenty-four-hour delay can mean losing the only usable copy.

For anyone looking at the downstream question of how to preserve digital evidence once the acquisition is complete, the practices cited here are the foundation. Prevention, though, starts with the quality of the capture process itself. For teams weighing up specialized alternatives, the dedicated Page Vault comparison walks through the differentiators in scope and methodology.

Not a file, a process: what to bring to court

Web evidence acquisition is not a PrintScreen exercise. It is a technical and legal process that starts from identifying the content, runs through an isolated and documented capture environment, produces a dataset with DOM, MHTML, SSL certificate, server IP, DNS, and metadata, and closes with a SHA-256 hash and an eIDAS qualified timestamp along a traceable chain of custody. Without that pipeline, even the most relevant page risks collapsing at the first qualified challenge.

ISO/IEC 27037, backed by SWGDE and NIST best practices, by the ACPO principles, the Budapest Convention framework, and the eIDAS regime, gives you the operational protocol for courtroom-defensible web evidence. Translating it into daily practice takes tools built for forensic acquisition, not generic utilities adapted to the task. TrueScreen is engineered exactly for that: closing the chain from capture to preservation for every webpage that can serve in civil, criminal, administrative, or cross-border litigation.

For law firms, forensic consultants, compliance officers, and enterprise teams managing growing volumes of digital disputes, the question is no longer whether to perform web evidence acquisition. The question is whether to do it with a defensible process, or to keep taking the risk that the opposing party will find exactly where to attack.

FAQ: Web evidence acquisition and ISO 27037

What does ISO 27037 require for acquiring digital evidence?

ISO/IEC 27037:2012 requires that the acquisition process satisfy four core principles: auditability (every action traceable by an independent third party), repeatability (same results under same conditions), reproducibility (another examiner with different tools reaches the same conclusions), and justifiability (every technical choice defensible). The standard distinguishes between Digital Evidence First Responder (DEFR) and Digital Evidence Specialist (DES), requires minimal handling of the original data, and demands full documentation of the chain of custody. It applies across physical devices and live web environments.

Is a timestamped screenshot enough as legal evidence in court?

On its own, it is weak. A screenshot whose timestamp is declared by the operating system offers no cryptographic proof of integrity nor any verifiable link to the source server. Under Federal Rules of Evidence 901, the proponent must produce a foundation sufficient to support a finding that the item is authentic, and a bare screenshot rarely meets that bar without corroborating testimony or metadata. A forensic acquisition with SHA-256 hash and eIDAS qualified timestamp, or equivalent US-recognized trust service, moves the evidence into the self-authentication regime of Rule 902(14).

What is the DOM and why does it matter in forensic web acquisition?

The DOM (Document Object Model) is the in-memory representation of the page after the browser has parsed the HTML and executed the JavaScript. It matches what the user actually sees on screen, which is often very different from the raw HTML the server initially sent. On React, Angular, or Vue applications, much of the visible content exists only inside the post-render DOM. In a web evidence acquisition, capturing only the initial HTML means saving an incomplete page, unrepresentative of what appeared on the screen. The serialized DOM is the technical core of a defensible capture.

What is the difference between MHTML and a regular screenshot?

A screenshot is just an image of the page: no code, no resources, no technical metadata. MHTML is a self-contained archive that packages HTML, CSS, images, scripts, fonts, and media into a single file. A technical expert can reopen it offline years later, even when the live site no longer exists. In evidentiary terms, a screenshot illustrates; an MHTML archive documents.

Why should I capture the SSL certificate of a webpage?

The SSL/TLS certificate cryptographically binds the captured content to the verified identity of the domain that served it. Without it, the defense can argue the page came from a clone server, from a MITM attack, or from an ad-hoc development environment. Capturing the certificate with its SHA-256 fingerprint, the chain of trust up to the root CA, and the OCSP or CRL verification turns provenance into a cryptographic fact, much harder to dismantle with a generic denial than a verbal claim of origin would be.

Who can perform ISO 27037 compliant web evidence acquisition?

ISO/IEC 27037 identifies two roles: the DEFR (Digital Evidence First Responder), trained and authorized personnel who act first on the scene, and the DES (Digital Evidence Specialist), the senior expert with advanced skills in operating systems, networking, and application forensics. In practice, this usually means a certified digital forensics consultant, a court-appointed technical expert, or in-house counsel working with a forensic toolchain. The standard requires the operator to be competent and able to justify every technical choice: without that baseline, the work is not repeatable or verifiable.

How long should I retain forensically acquired web evidence?

A web acquisition sealed with a SHA-256 hash and a qualified timestamp under eIDAS has potentially unlimited evidentiary validity, provided the digital chain of custody stays intact and the cryptographic algorithms do not become obsolete. Regulation (EU) 2024/1183 (eIDAS 2.0) introduced qualified electronic archiving services designed exactly for long-term preservation of certified digital evidence. In practice, retention should be sized against the statute of limitations for the relevant dispute class, with a conservative margin.

Is a TrueScreen acquisition valid outside the European Union?

Yes. TrueScreen combines ISO/IEC 27037 compliance (an international standard), a qualified electronic seal and a qualified electronic timestamp under eIDAS (automatically recognized across every EU Member State under Articles 35 and 41 of Regulation 910/2014), and NIST-approved SHA-256 hashes. In the United States, that combination maps onto Federal Rule of Evidence 902(14) self-authentication. Under international cybercrime law, the Budapest Convention (ETS 185) covers cross-border access to and preservation of electronic evidence, providing the framework most common-law and civil-law jurisdictions apply to foreign-hosted web content.

Ready to capture web evidence that holds up in court?

Run ISO 27037 compliant web acquisitions in under 60 seconds: rendered DOM, MHTML, SSL, IP, SHA-256 hash and eIDAS qualified timestamp, all sealed at the source by the TrueScreen Forensic Browser.

Start now

Request a demo