User Interface
Main Menu Bar: The Main Menu Bar contains all the functionality necessary to operate the DataEcho program.
Main Button Bar: Almost all of the functionality in the Main Menu Bar is accessible from the button bar.
Reconstructed Web Page: The reconstructed network session will be displayed in web format and displayed in this pane. Graphics and media files such as jpeg and mpeg files will also be displayed in this pane. Sessions that are not Web pages, graphics or media will still be displayed. They will not be recognizable, but can still be used to search for specific text.
Note: Due to the fact that all network sessions are displayed in the Web Page, non-html code is sent to the Web control. This can cause the program to become unstable, even to the point of locking. Therefore, it is recommended that the captured session tree be saved before browsing any sessions. If the program does freeze, the session tree can be restored and browsing can be resumed.
Text Pane: This pane displays up to 32KB of the session in text format. This pane is useful for looking at the headers and for searching for text that would not be searchable in the Web page.
Reconstructed Session Navigation Tree: The reconstructed Session Navigation Tree is the visual representation of all the sessions that have been reconstructed from the network stream. There are four levels to the tree.
The first level is all the clients that have sessions in the stream. It is sorted by IP address. In cases where there is no clear client, such as a session that was ongoing before the capture started, a best guess method is used to determine the client. Sometimes this may result in a server appearing in the tree as a client. These will be incomplete sessions, but can still be valuable in a forensic investigation.
The second tree level is the servers that have sessions with the clients in the first tree level. It is possible that the same server could show up under multiple clients. This level is also sorted by IP address.
The third level of the tree is the individual sessions between the server and the client. This level is sorted by timestamp, so that sessions may be viewed in the order that they occurred. If the session was an HTML request, the name of the session is the request. Otherwise, the name will be the timestamp of the first packet in the session. This is the only level of the tree that when selected will display session information in the Reconstructed Web Page and the Text Pane.
The fourth level is the IP address, port, timestamp and request name information. This information is used for documentation purposes and has no effect on how the session is displayed.
Session Navigation: The tree is a standard Windows navigation tree and uses the normal mouse and keyboard shortcuts for expanding, collapsing and selecting tree nodes.