Evidence Capture

Evidence Capture turns "I found a webpage stealing my art" into a forensic-grade evidence package. It is more than a screenshot — it freezes the complete state of the entire webpage, including the rendered page, source code, server certificate, and a record of the network interactions.

When to use it

• You discover someone reposting or stealing your work without authorization
• You need to submit infringement-complaint materials to a platform
• You want to lock down evidence before having a lawyer send a demand letter or filing suit
• You are tracing a chain of reposts (use it together with Reverse Image Search)

How to use it

Find the "Evidence Capture" card in the toolbox (the purple gavel icon):

1. Enter the infringing URL — paste the link to the webpage where you found the infringement
2. Click "Start Capture" — Nephele launches its built-in browser and automatically visits the page
3. Wait for collection to finish — usually 10-30 seconds (when there is no CAPTCHA), depending on page complexity and network conditions
4. Save the evidence package — a .nep file is generated when it's done; we recommend saving it immediately

If you previously used Reverse Image Search to find the infringing link, you can click the "Capture" button directly on the search-result card and the URL will be filled in automatically.

What the capture includes

Evidence Capture collects the following information, all bundled into the .nep evidence package:

1. Full-page screenshot

Before capturing, the tool automatically scrolls to the bottom, triggers lazy-loading, and waits for all images to finish loading, then returns to the top and takes a long screenshot of the entire page (not just the first viewport). Waterfall feeds and very long articles are captured in full. If a particular image fails to load, the HTML source still preserves all the content in full.

2. Page source (page.html)

The complete HTML DOM structure, which proves the page really does contain your work and the corresponding text description.

3. PDF archive (page.pdf)

A PDF generated by the browser's print mode, serving as a complementary format to the screenshot.

4. Extracted page images (images/)

Automatically extracts every image on the page that is ≥150px in size, up to a limit of 30 images. For each image it computes a SHA-256 and a perceptual hash, used to compare against your original work.

5. TLS certificate

Captures the target site's server certificate, proving you connected to the real server (a CA-issued certificate cannot be forged locally). If the target site's certificate has problems, the error is recorded but the process is not interrupted.

6. DNS resolution record

Records the IP address that the domain resolved to at the time of capture, preventing the other party from denying it later.

7. HTTP response headers

Saves the raw HTTP headers returned by the server, including the server time (Date), content version (ETag), CDN node identifier, and more.

8. Network traffic log (network.har)

Records the complete request/response sequence, proving the images really were loaded from that domain. If the browser context fails to be created, the HAR may be missing.

9. Operation log

A complete operation record with UTC timestamps, including environment information, navigation events, screenshots, downloads, hash computations, timestamp requests, and other steps.

10. RFC 3161 timestamp

Requests a TSA timestamp for the entire evidence package, fixing the point in time that proves "this evidence already existed at time X."

Evidence package structure

After capture completes, the structure of the unpacked .nep file looks like this:

20250423_143052_example_com.nep/
├── manifest.json           # 证据清单 + 所有文件哈希
├── manifest.tsa            # RFC 3161 时间戳（TSA 不可用时降级为 manifest_timestamp.json）
├── operation_log.txt       # 操作日志
├── screenshot.png          # 整页截图
├── page.html               # 页面源码
├── page.pdf                # PDF 归档
├── response_headers.json   # HTTP 响应头
├── network.har             # 网络流量日志（可能缺失）
├── server_certificate.der  # TLS 证书（可能缺失）
├── server_certificate.pem  # TLS 证书 PEM 格式
└── images/
    ├── img_000.png
    └── ...

The manifest_sha256 in manifest.json is the fingerprint of the entire package's data. If any file is modified (even by a single byte), the recomputed hash will no longer match manifest_sha256.

Independent verifier

Anyone can independently verify a .nep evidence package at verify.arisfusion.com.

• Pure in-browser local computation: the files you upload never leave your device and never pass through any server
• Single-file front-end app: a single HTML file with zero build dependencies — you can audit it by right-clicking "View Page Source" in your browser
• MIT licensed: see /docs/license

What it verifies:

• The SHA-256 integrity of each captured file
• Recomputation and comparison of the manifest fingerprint (manifest_sha256)
• Parsing of the RFC 3161 timestamp token (issuing authority, signing time)

The same verifier also supports .nep packages produced by Evidence Timestamping; for those, it additionally rebuilds the Merkle Tree root hash and cross-checks it against the TSA.

Verification works even without the Nephele software — this is the direct fulfillment of our promise that "the evidence still works even if Nephele goes under." Lawyers, notaries, court technical advisors, or any third party can complete the verification independently using this tool or any other RFC 3161 verification tool (such as openssl ts -verify or rfc3161ng).

What to do when you hit a CAPTCHA

Some platforms (such as Weibo and Xiaohongshu) pop up a CAPTCHA or login wall when accessed by a headless browser. Nephele's handling strategy:

1. Automatic detection — recognizes the CAPTCHA/login state via keywords in the page title
2. Switch to a visible browser — automatically pops up a visible Chromium window
3. Wait for user action — up to 2 minutes to complete the CAPTCHA or login
4. Automatically resume collection — once verification passes, it continues taking screenshots and extracting content

Merging evidence packages and similarity analysis

Nephele supports merging multiple pieces of evidence into a structured evidence package:

1. Original-work timestamping — first use Evidence Timestamping to lock down your original work
2. Infringement capture — use Evidence Capture to lock down the infringing page
3. Similarity comparison — compute the pHash distance and similarity percentage between your original and the infringing image
4. One-click packaging — generates a ZIP containing the following:
   • 01_ownership/ — the original work + the timestamp certificate
   • 02_infringement/ — the infringing-page evidence
   • 03_similarity_report.pdf — a visual similarity analysis report
   • 04_verification/ — a verification guide
   • bundle_manifest.json + bundle_checksum.sha256 — integrity checks

About demand letters

Nephele separately provides a demand-letter template generator, which can produce Chinese demand-letter text based on the copyright owner, work title, infringement date, and other details you fill in. However, the demand letter is not automatically included in the evidence package — it is a standalone tool that you use separately after generating the evidence package.

Important: the demand-letter template is for reference only; before any official use, be sure to have it reviewed and revised by a qualified lawyer.

Things to note

Limitations of screenshots

Evidence Capture automatically scrolls to trigger lazy-loading and then takes a full-page long screenshot, so waterfall feeds and very long articles are captured in full. However, if a page has content that only expands through interaction (such as clicking "expand comments," or a pop-up layer that only appears on hover), automatic collection will not actively trigger those actions. For pages like this, we recommend manually expanding to the target state in the visible browser before capturing. The HTML source and network log are also preserved in full as a supplement.

Evidence timeliness

Webpage content can change or be deleted at any time. Capture immediately after discovering infringement — don't delay.

Capturing across multiple locations

If the same work is being stolen on multiple platforms, we recommend capturing each platform separately. Different platforms have different page structures and copyright notices, so capturing them individually is cleaner.

Don't modify the evidence package yourself

Once a .nep file is generated, do not manually unpack it, modify any of its contents, and recompress it. Any modification breaks the manifest hash chain and causes verification to fail. If you need to add supplementary materials, store them separately.

Limitations of local timestamps

If all three TSA timestamp servers are unavailable, the evidence package falls back to a local timestamp. A local timestamp can only prove "my computer had this file at this time"; it cannot prove "this page existed on the internet at this time." Prioritize having a stable network connection during capture.

Legal advice

• Small-value or in-platform disputes: submitting the evidence package as a platform complaint directly is usually sufficient
• High-value commercial infringement: we recommend finding a lawyer, and getting notarization from a notary office when necessary
• Cross-border disputes: pay attention to the evidence-admissibility rules of the target country