Playing an Exported Client Session
To view an exported session, download and open the required .efe file in the Syteca Forensic Player.
NOTE: You can download the Syteca Forensic Player on the Forensic Export History page.
NOTE: To view the exported data on computers running the macOS or Linux operating system, you need to first install Mono Framework on them. Follow the instructions at http://www.mono-project.com/docs/ to install Mono Framework on your computer.
Sessions are played in the Syteca Forensic Player.
The Syteca Forensic Player interface is divided into the following areas:
• The Session Player: Allows the viewing of screen captures recorded on computers on which the Windows Client or macOS Client is installed, or for computers with the Linux Client installed either with monitoring of the GUI (if X Window System is enabled) or otherwise a graphical representation of the recorded Linux data (i.e. the input and output as the user sees it in the terminal). The navigation buttons allow you to manage the playback of the video of screen captures or commands executed.
NOTE: If the Enable screen capture recording along with user activity recording checkbox is not selected to enable this option on the Client, the sessions of this Client will not contain any screen captures.
• The Metadata grid: Displays the list of session data in the form of a grid, which contains:
- [For Windows Clients and macOS Clients:] Activity time, Activity title, Application name, URL, Text Data, and Alert (or USB rule);
- [For Linux Clients:] Activity time, Command, Function (i.e. Action), Parameters, and Alert.
• [For Windows Clients and macOS Clients:] The Details area: Allows you to view the text data (keystrokes and clipboard text data) associated with the selected event, alert/USB device information, and the URLs of websites visited by a user.
NOTE: If the user performing the export does not have the Viewing Text Data permission for the Client, the Forensic Export results will not contain any text data.
The following functions are available on the corresponding buttons while viewing an exported session in the Syteca Forensic Player:
• To play/pause the video, click the Play/Pause () button (or in Full Screen mode, press the Space key to pause and resume playback).
• To move from one record to another, use the control buttons ().
• To zoom in to a specific place on the screen of the video being played, click the Magnifying Glass () icon.
• To open the monitored data in Full Screen mode, double-click the monitored data, or click the icon.
• To adjust the speed at which the video of the monitored data is playing, click the icon at the bottom of the Session Player. The speed options available are: 1/2/4/8/16 frame(s) per second.
• To move from one monitor to another in Client sessions with multiple monitors, click the , , , etc. icons.