Features
Eleven cryptographic seals,
executed before you put the phone down.
The complete pipeline detailed step by step — what each operation guarantees, the standards it conforms to, and what to cite in an expert report.
For each step we list: what the app does, which reference standard applies, which artefact lands in the bundle.
NTP sync
Authoritative time fix from time.cloudflare.com
Capture
Native camera, raw frame, no filters applied
Watermark
3-line burn-in: time · UUID · GPS+heading
EXIF inject
Camera metadata preserved + LOCUS UserComment
Triple hash
MD5 · SHA-256 · SHA-512 in one pass
RFC 3161 TSA
Sectigo→DigiCert→GlobalSign + InfoCert eIDAS opt-in
Ed25519 manifest
Device-bound keypair, manifest signed
CASE / UCO
JSON-LD sidecar: Image · Device · Location · Provenance
PDF report
Forensic report ready for the case file
BagIt assembly
RFC 8493 packaging + tagmanifest TSA
Registry + e-mail
Only metadata + fingerprints on the server (never the media), certified e-mail notification
Trust model
Three concentric layers that reinforce each other
Reliability does not rest on a single mechanism. Logical chain: file bytes → hash in the manifest → manifest hash in the tag manifest → tag-manifest digest in the timestamp → signature of the accredited TSA.
1
Content hash (fixity)
Every file has a SHA-256 digest recorded in the manifests: changing a single byte makes verification fail.
2
Digital signature (authenticity)
The LOCUS manifest — gathering hashes and metadata — is signed with the device's Ed25519 private key.
3
Timestamp (trusted time)
Two RFC 3161 tokens from an accredited TSA bind both the media digest and the whole-package digest to a certain date and time.
The final seal. The tagmanifest-sha256.txt file holds the hashes of every control file (including the CASE/UCO sidecar); a timestamp is applied to it, « sealing » the whole bundle: any later alteration becomes detectable and provably subsequent to the certified date.
Bundle structure
A self-verifiable BagIt v1.0 folder
The root and the manifest are common to all types; the payload (data/) changes according to the captured media.
LOCUS-<Tipo>-<uuid>/ ├─ bagit.txt BagIt format declaration ├─ bag-info.txt package metadata (incl. Conformance) ├─ manifest-sha256.txt SHA-256 hashes of files in data/ ├─ tagmanifest-sha256.txt SHA-256 hashes of control files ├─ tagmanifest-sha256.txt.tsr RFC 3161 timestamp (the seal) ├─ tsa-ca.pem TSA CA chain (for verification) ├─ README.txt verification instructions ├─ verify.sh / verify.bat verification scripts (macOS/Linux and Windows) ├─ data/ PAYLOAD — depends on type └─ metadata/evidence.case.jsonld CASE/UCO chain of custody
| Payload file | Photo | Video | Audio |
|---|---|---|---|
| media.jpg / .mp4 / .wav | ✓ | ✓ | ✓ |
| original.jpg | ✓ | — | — |
| manifest.json | ✓ | ✓ | ✓ |
| tsa.tsr | ✓ | ✓ | ✓ |
| device.json | ✓ | ✓ | ✓ |
| camera.json / camera.jsonl | ✓ | ✓ | — |
| gps.jsonl | — | ✓ | ✓ |
| mappa-gps.png | ✓ | ✓ | ✓ |
| commento.m4a | ✓ | — | — |
| waveform.png | — | — | ✓ |
| frames/ + frames-strip.jpg | — | ✓ | — |
| histogram.png | ✓ | — | — |
| frames-hist/*.png | — | ✓ | — |
| report.pdf · interactive.html | ✓ | ✓ | ✓ |
| in-media provenance | APP11 | BMFF | — |
Authenticity and fidelity
In-media provenance and signed disclosure
LOCUS separates two questions: « does this file come from this acquisition? » and « how faithful is the content to what was captured? ». It covers both, honestly stating the limits.
LOCUS-PROV-v1 provenance. Beyond the package seal, LOCUS embeds a provenance statement in the file itself, so authenticity travels with the media: an APP11/JUMBF segment for JPEG (ISO/IEC 19566-5), a BMFF uuid box for MP4 (ISO/IEC 14496-12); WAV audio carries no embedded provenance by the nature of the format. It is a manifest inspired by C2PA/JUMBF but not standard C2PA: it uses a proprietary label and is not automatically recognised by c2patool.
Declared fidelity. The capture pipeline is declared in the capture object of the signed manifest: origin (live capture, no import on iOS), the device's computational processing (HDR/multi-frame fusion, which cannot be disabled and is declared honestly, without passing the photo off as raw sensor data) and generative AI editing (ai_editing = none-by-LOCUS). The pipeline declaration is itself intact and non-repudiable.
| Aspect | Audio | Photo | Video |
|---|---|---|---|
| Capture | Lossless PCM (WAV) | Computational JPEG | System-recorded stream |
| Computational processing | None | System, not controllable | System |
| Raw sensor data | — | No | No |
| Generative AI editing | None | None | None |
| Fidelity of the authoritative | Not re-encoded | Pre-watermark original kept | media.mp4 not re-encoded |
| Capture API | AVAudioRecorder | UIImagePickerController | AVCaptureMovieFileOutput |
§ 04 · Compliance
Standards baked in.
Not bolted on afterwards.
Conformity references — not certification logos — that govern the bundle structure.
| Reference | Scope | Where in LOCUS |
|---|---|---|
| ISO/IEC 27037:2012 | Identification, collection, acquisition and preservation of digital evidence | Full pipeline |
| SWGDE 18-F-002 · 17-V-002 · 23-I-001 | Digital-evidence acquisition · forensic video/audio · imaging best practices | Capture flow, chain of custody |
| RFC 3161 | Time-Stamp Protocol with authoritative trusted authority | Media + tagmanifest |
| Provenance LOCUS-PROV-v1 | Content provenance, inspired by C2PA/JUMBF (NOT standard C2PA) | APP11 (JPEG) · BMFF uuid box (MP4) |
| CASE 1.3 / UCO 1.4 | Cyber-investigation Analysis Standard Expression | JSON-LD sidecar |
| BagIt RFC 8493 v1.0 | Hierarchical filesystem packaging for transfer | Bundle root |
| EXIF 2.32 | Exchangeable image file format | Preserved unaltered in JPEG |
| eIDAS 910/2014 | Qualified electronic time-stamps (legal value in EU) | Optional via InfoCert TSA |