Features

Eleven cryptographic seals,
executed before you put the phone down.

The complete pipeline detailed step by step — what each operation guarantees, the standards it conforms to, and what to cite in an expert report.

LOCUS — home screen: capture photo, video and audio

For each step we list: what the app does, which reference standard applies, which artefact lands in the bundle.

01

NTP sync

Authoritative time fix from time.cloudflare.com

02

Capture

Native camera, raw frame, no filters applied

03

Watermark

3-line burn-in: time · UUID · GPS+heading

04

EXIF inject

Camera metadata preserved + LOCUS UserComment

05

Triple hash

MD5 · SHA-256 · SHA-512 in one pass

06

RFC 3161 TSA

Sectigo→DigiCert→GlobalSign + InfoCert eIDAS opt-in

07

Ed25519 manifest

Device-bound keypair, manifest signed

08

CASE / UCO

JSON-LD sidecar: Image · Device · Location · Provenance

09

PDF report

Forensic report ready for the case file

10

BagIt assembly

RFC 8493 packaging + tagmanifest TSA

11

Registry + e-mail

Only metadata + fingerprints on the server (never the media), certified e-mail notification

Trust model

Three concentric layers that reinforce each other

Reliability does not rest on a single mechanism. Logical chain: file bytes → hash in the manifest → manifest hash in the tag manifest → tag-manifest digest in the timestamp → signature of the accredited TSA.

1

Content hash (fixity)

Every file has a SHA-256 digest recorded in the manifests: changing a single byte makes verification fail.

2

Digital signature (authenticity)

The LOCUS manifest — gathering hashes and metadata — is signed with the device's Ed25519 private key.

3

Timestamp (trusted time)

Two RFC 3161 tokens from an accredited TSA bind both the media digest and the whole-package digest to a certain date and time.

The final seal. The tagmanifest-sha256.txt file holds the hashes of every control file (including the CASE/UCO sidecar); a timestamp is applied to it, « sealing » the whole bundle: any later alteration becomes detectable and provably subsequent to the certified date.

Bundle structure

A self-verifiable BagIt v1.0 folder

The root and the manifest are common to all types; the payload (data/) changes according to the captured media.

LOCUS-<Tipo>-<uuid>/
├─ bagit.txt                    BagIt format declaration
├─ bag-info.txt                 package metadata (incl. Conformance)
├─ manifest-sha256.txt          SHA-256 hashes of files in data/
├─ tagmanifest-sha256.txt       SHA-256 hashes of control files
├─ tagmanifest-sha256.txt.tsr   RFC 3161 timestamp (the seal)
├─ tsa-ca.pem                   TSA CA chain (for verification)
├─ README.txt                   verification instructions
├─ verify.sh / verify.bat       verification scripts (macOS/Linux and Windows)
├─ data/                        PAYLOAD — depends on type
└─ metadata/evidence.case.jsonld  CASE/UCO chain of custody
Payload file PhotoVideoAudio
media.jpg / .mp4 / .wav
original.jpg
manifest.json
tsa.tsr
device.json
camera.json / camera.jsonl
gps.jsonl
mappa-gps.png
commento.m4a
waveform.png
frames/ + frames-strip.jpg
histogram.png
frames-hist/*.png
report.pdf · interactive.html
in-media provenance APP11 BMFF

Authenticity and fidelity

In-media provenance and signed disclosure

LOCUS separates two questions: « does this file come from this acquisition? » and « how faithful is the content to what was captured? ». It covers both, honestly stating the limits.

LOCUS-PROV-v1 provenance. Beyond the package seal, LOCUS embeds a provenance statement in the file itself, so authenticity travels with the media: an APP11/JUMBF segment for JPEG (ISO/IEC 19566-5), a BMFF uuid box for MP4 (ISO/IEC 14496-12); WAV audio carries no embedded provenance by the nature of the format. It is a manifest inspired by C2PA/JUMBF but not standard C2PA: it uses a proprietary label and is not automatically recognised by c2patool.

Declared fidelity. The capture pipeline is declared in the capture object of the signed manifest: origin (live capture, no import on iOS), the device's computational processing (HDR/multi-frame fusion, which cannot be disabled and is declared honestly, without passing the photo off as raw sensor data) and generative AI editing (ai_editing = none-by-LOCUS). The pipeline declaration is itself intact and non-repudiable.

Aspect AudioPhotoVideo
Capture Lossless PCM (WAV) Computational JPEG System-recorded stream
Computational processing None System, not controllable System
Raw sensor data No No
Generative AI editing None None None
Fidelity of the authoritative Not re-encoded Pre-watermark original kept media.mp4 not re-encoded
Capture API AVAudioRecorder UIImagePickerController AVCaptureMovieFileOutput

§ 04 · Compliance

Standards baked in.
Not bolted on afterwards.

Conformity references — not certification logos — that govern the bundle structure.

Reference Scope Where in LOCUS
ISO/IEC 27037:2012 Identification, collection, acquisition and preservation of digital evidence Full pipeline
SWGDE 18-F-002 · 17-V-002 · 23-I-001 Digital-evidence acquisition · forensic video/audio · imaging best practices Capture flow, chain of custody
RFC 3161 Time-Stamp Protocol with authoritative trusted authority Media + tagmanifest
Provenance LOCUS-PROV-v1 Content provenance, inspired by C2PA/JUMBF (NOT standard C2PA) APP11 (JPEG) · BMFF uuid box (MP4)
CASE 1.3 / UCO 1.4 Cyber-investigation Analysis Standard Expression JSON-LD sidecar
BagIt RFC 8493 v1.0 Hierarchical filesystem packaging for transfer Bundle root
EXIF 2.32 Exchangeable image file format Preserved unaltered in JPEG
eIDAS 910/2014 Qualified electronic time-stamps (legal value in EU) Optional via InfoCert TSA