Compliance
Eight reference standards.
One bundle.
LOCUS does not claim certification logos it cannot earn. It claims conformity — and ships the artefacts that demonstrate it. Each section below explains the standard in plain language, where it touches the bundle, and where the auditor will look.
-
§ 01 ISO/IEC 27037:2012
Guidelines for identification, collection, acquisition and preservation of digital evidence
The ISO/IEC 27037:2012 standard is the international reference framework for handling potential digital evidence. It defines the four canonical phases of evidence handling — identification, collection, acquisition and preservation — and the principles that govern them: relevance, sufficiency, reliability and reproducibility. It is the standard most often cited in Italian and EU forensic case law to assess whether a digital exhibit can be admitted at trial.
-
§ 02 SWGDE 18-F-002 · 17-V-002 · 23-I-001
SWGDE best practices for forensic acquisition: digital evidence (18-F-002), forensic video/audio (17-V-002) and imaging (23-I-001)
Published by the Scientific Working Group on Digital Evidence (SWGDE) and widely adopted by US/EU law enforcement and forensic labs, these documents codify the operational best practices for acquiring digital evidence on a scene: 18-F-002 is the acquisition anchor, 17-V-002 covers forensic video and audio (used for the video service), 23-I-001 covers imaging (still images and video frames). They address chain of custody, contamination prevention, documentation completeness and the technical metadata that must accompany every capture. Note: LOCUS is a tool that creates evidence in the field, therefore it does not claim 18-F-003 — which concerns the mobile device as the evidence to be extracted, a different scenario.
-
§ 03 RFC 3161
Internet X.509 Public Key Infrastructure — Time-Stamp Protocol (TSP)
RFC 3161 defines the protocol used by Time-Stamp Authorities (TSAs) to issue a cryptographic proof that a specific digital file existed in a specific form at a specific time. The proof — a signed token — is verifiable years later by anyone, without depending on the issuer being online or even still in business. It is the technical backbone of every modern legally-binding digital timestamp.
-
§ 04 Provenance LOCUS-PROV-v1 (C2PA/JUMBF-inspired)
In-media provenance manifest, inspired by C2PA/JUMBF
C2PA is the open standard for content provenance promoted by Adobe, Microsoft, BBC, Intel and others: a tamper-evident manifest embedded inside the media file describing device, software and operations from capture to publication. LOCUS embeds a provenance manifest inspired by C2PA/JUMBF — but, to be transparent, it is not standard C2PA: it uses a proprietary container (APP11 id LOCUS-PROV for JPEG, BMFF uuid box LOCUS-PROV-v1 for MP4), not the standard C2PA UUID, so it is not verifiable with c2patool or Content Credentials.
-
§ 05 CASE 1.3 / UCO 1.4
Cyber-investigation Analysis Standard Expression / Unified Cyber Ontology
CASE and UCO are the open vocabularies adopted by INTERPOL, NIST and most digital-forensics suites (Magnet AXIOM, Cellebrite, X-Ways) to express investigation entities — images, devices, locations, observed time, provenance records — in a tool-agnostic JSON-LD graph. Producing a CASE sidecar means your bundle is directly importable into any forensic platform that understands the standard.
-
§ 06 BagIt RFC 8493 v1.0
The BagIt File Packaging Format
BagIt is the Library of Congress standard for hierarchical file packaging, designed for long-term preservation and transfer of archival material. A "bag" is a directory containing the payload (data/), a manifest with SHA-256 of every file (manifest-sha256.txt), a tag manifest with hashes of the manifests themselves (tagmanifest-sha256.txt) and human-readable metadata (bag-info.txt).
-
§ 07 EXIF 2.32
Exchangeable image file format for digital still cameras
EXIF is the metadata standard maintained by the Japan Electronics and Information Technology Industries Association that every consumer camera and smartphone uses to embed shooting parameters (ISO, aperture, focal length, exposure, white balance, lens model, GPS) directly inside the JPEG. Preserving the original EXIF is essential to demonstrate the genuine origin of an image.
-
§ 08 eIDAS 910/2014
Regulation (EU) No 910/2014 on electronic identification and trust services
The eIDAS Regulation is the EU legal framework that gives qualified electronic timestamps the same legal value as paper-based timestamps under national law. A qualified timestamp can only be issued by a Qualified Trust Service Provider listed in the EU Trusted List. In court, a qualified eIDAS timestamp shifts the burden of proof: it is presumed accurate unless disproven.
Confidentiality
Privacy by design: the server never holds the evidence
The actual evidence content — photos, frames, video, audio — is never transmitted or stored on our servers. It stays only in the sealed BagIt bundle held by the operator. The server receives only a representation that does not reveal the content yet stays verifiably bound to the media.
- What goes to the server. A histogram image (luminance + RGB channel distribution) and a triple of perceptual hashes — aHash, dHash and pHash (DCT) — computed on-device and signed in the manifest (Ed25519) together with the rest of the chain of custody. For video the histograms and hashes are per-frame; for audio they apply to the waveform.
- Complementary, not substitutive. The perceptual hashes are robust (they survive recompression) but are not the integrity anchor: byte-for-byte integrity remains guaranteed by the MD5/SHA-256/SHA-512 cryptographic hashes and the signature. The pHash serves to confirm that the published histogram genuinely corresponds to the sealed media, and to recognise a re-exported copy of the same evidence.
- GPS position. The public verification page shows neither the real image nor the GPS position: it states only that the position is present and signed in the bundle. Coordinates, map and track remain in the sealed bundle (accessible to whoever holds it).
- Offline verification. The Locus Validator recomputes the histogram and perceptual hashes from the media in the bundle and confirms they match the signed values — fully offline, with no dependency on the server.
References
Standards and regulations the bundle rests on
Each bundle's conformance statement is calibrated to the media: domain standards are cited only where relevant (17-V-002 for video, 23-I-001 for images and frames). Standards outside the scope — such as mobile-device extraction (SWGDE 18-F-003) — are not cited, because LOCUS does not extract data from a device but uses it as a capture instrument to generate new evidence.
| Technical and forensic standards | Title / reference |
|---|---|
| ISO/IEC 27037:2012 | Guidelines for identification, collection, acquisition and preservation of digital evidence. |
| IETF RFC 8493 | The BagIt File Packaging Format (V1.0). |
| IETF RFC 3161 | Internet X.509 PKI Time-Stamp Protocol (TSP). |
| IETF RFC 8032 | Edwards-Curve Digital Signature Algorithm (EdDSA). |
| FIPS PUB 180-4 | Secure Hash Standard (SHA-2). |
| ISO/IEC 14496-12 | ISO Base Media File Format (BMFF). |
| ISO/IEC 19566-5 | JPEG Universal Metadata Box Format (JUMBF). |
| SWGDE 18-F-002 | Best Practices for Digital Evidence Collection. |
| SWGDE 23-I-001 | Legal and Scientific Support Related to the Admissibility of Image Examinations. |
| SWGDE 17-V-002 | Best Practices for Data Acquisition from Digital Video Recorders. |
| SWGDE 15-M-001 | Training Guidelines for Video Analysis, Image Analysis, and Photography. |
| CASE / UCO | Cyber-investigation Analysis Standard Expression / Unified Cyber Ontology. |
| C2PA | Coalition for Content Provenance and Authenticity (provenance reference framework). |
| Regulatory references | Subject |
|---|---|
| Reg. (UE) 910/2014 — eIDAS | Trust services, including electronic and qualified timestamps. |
| Reg. (UE) 2016/679 — GDPR | Protection of personal data present in acquisitions. |