Compliance

Eight reference standards.
One bundle.

LOCUS does not claim certification logos it cannot earn. It claims conformity — and ships the artefacts that demonstrate it. Each section below explains the standard in plain language, where it touches the bundle, and where the auditor will look.

LOCUS — in-app bundle verification: BagIt, triple hashes, RFC 3161 timestamp and Ed25519 signature
  1. § 01

    ISO/IEC 27037:2012

    Guidelines for identification, collection, acquisition and preservation of digital evidence

    The ISO/IEC 27037:2012 standard is the international reference framework for handling potential digital evidence. It defines the four canonical phases of evidence handling — identification, collection, acquisition and preservation — and the principles that govern them: relevance, sufficiency, reliability and reproducibility. It is the standard most often cited in Italian and EU forensic case law to assess whether a digital exhibit can be admitted at trial.

    Read the standard

  2. § 02

    SWGDE 18-F-002 · 17-V-002 · 23-I-001

    SWGDE best practices for forensic acquisition: digital evidence (18-F-002), forensic video/audio (17-V-002) and imaging (23-I-001)

    Published by the Scientific Working Group on Digital Evidence (SWGDE) and widely adopted by US/EU law enforcement and forensic labs, these documents codify the operational best practices for acquiring digital evidence on a scene: 18-F-002 is the acquisition anchor, 17-V-002 covers forensic video and audio (used for the video service), 23-I-001 covers imaging (still images and video frames). They address chain of custody, contamination prevention, documentation completeness and the technical metadata that must accompany every capture. Note: LOCUS is a tool that creates evidence in the field, therefore it does not claim 18-F-003 — which concerns the mobile device as the evidence to be extracted, a different scenario.

    Read the standard

  3. § 03

    RFC 3161

    Internet X.509 Public Key Infrastructure — Time-Stamp Protocol (TSP)

    RFC 3161 defines the protocol used by Time-Stamp Authorities (TSAs) to issue a cryptographic proof that a specific digital file existed in a specific form at a specific time. The proof — a signed token — is verifiable years later by anyone, without depending on the issuer being online or even still in business. It is the technical backbone of every modern legally-binding digital timestamp.

    Read the standard

  4. § 04

    Provenance LOCUS-PROV-v1 (C2PA/JUMBF-inspired)

    In-media provenance manifest, inspired by C2PA/JUMBF

    C2PA is the open standard for content provenance promoted by Adobe, Microsoft, BBC, Intel and others: a tamper-evident manifest embedded inside the media file describing device, software and operations from capture to publication. LOCUS embeds a provenance manifest inspired by C2PA/JUMBF — but, to be transparent, it is not standard C2PA: it uses a proprietary container (APP11 id LOCUS-PROV for JPEG, BMFF uuid box LOCUS-PROV-v1 for MP4), not the standard C2PA UUID, so it is not verifiable with c2patool or Content Credentials.

    Read the standard

  5. § 05

    CASE 1.3 / UCO 1.4

    Cyber-investigation Analysis Standard Expression / Unified Cyber Ontology

    CASE and UCO are the open vocabularies adopted by INTERPOL, NIST and most digital-forensics suites (Magnet AXIOM, Cellebrite, X-Ways) to express investigation entities — images, devices, locations, observed time, provenance records — in a tool-agnostic JSON-LD graph. Producing a CASE sidecar means your bundle is directly importable into any forensic platform that understands the standard.

    Read the standard

  6. § 06

    BagIt RFC 8493 v1.0

    The BagIt File Packaging Format

    BagIt is the Library of Congress standard for hierarchical file packaging, designed for long-term preservation and transfer of archival material. A "bag" is a directory containing the payload (data/), a manifest with SHA-256 of every file (manifest-sha256.txt), a tag manifest with hashes of the manifests themselves (tagmanifest-sha256.txt) and human-readable metadata (bag-info.txt).

    Read the standard

  7. § 07

    EXIF 2.32

    Exchangeable image file format for digital still cameras

    EXIF is the metadata standard maintained by the Japan Electronics and Information Technology Industries Association that every consumer camera and smartphone uses to embed shooting parameters (ISO, aperture, focal length, exposure, white balance, lens model, GPS) directly inside the JPEG. Preserving the original EXIF is essential to demonstrate the genuine origin of an image.

    Read the standard

  8. § 08

    eIDAS 910/2014

    Regulation (EU) No 910/2014 on electronic identification and trust services

    The eIDAS Regulation is the EU legal framework that gives qualified electronic timestamps the same legal value as paper-based timestamps under national law. A qualified timestamp can only be issued by a Qualified Trust Service Provider listed in the EU Trusted List. In court, a qualified eIDAS timestamp shifts the burden of proof: it is presumed accurate unless disproven.

    Read the standard

Confidentiality

Privacy by design: the server never holds the evidence

The actual evidence content — photos, frames, video, audio — is never transmitted or stored on our servers. It stays only in the sealed BagIt bundle held by the operator. The server receives only a representation that does not reveal the content yet stays verifiably bound to the media.

  • What goes to the server. A histogram image (luminance + RGB channel distribution) and a triple of perceptual hashes — aHash, dHash and pHash (DCT) — computed on-device and signed in the manifest (Ed25519) together with the rest of the chain of custody. For video the histograms and hashes are per-frame; for audio they apply to the waveform.
  • Complementary, not substitutive. The perceptual hashes are robust (they survive recompression) but are not the integrity anchor: byte-for-byte integrity remains guaranteed by the MD5/SHA-256/SHA-512 cryptographic hashes and the signature. The pHash serves to confirm that the published histogram genuinely corresponds to the sealed media, and to recognise a re-exported copy of the same evidence.
  • GPS position. The public verification page shows neither the real image nor the GPS position: it states only that the position is present and signed in the bundle. Coordinates, map and track remain in the sealed bundle (accessible to whoever holds it).
  • Offline verification. The Locus Validator recomputes the histogram and perceptual hashes from the media in the bundle and confirms they match the signed values — fully offline, with no dependency on the server.

References

Standards and regulations the bundle rests on

Each bundle's conformance statement is calibrated to the media: domain standards are cited only where relevant (17-V-002 for video, 23-I-001 for images and frames). Standards outside the scope — such as mobile-device extraction (SWGDE 18-F-003) — are not cited, because LOCUS does not extract data from a device but uses it as a capture instrument to generate new evidence.

Technical and forensic standardsTitle / reference
ISO/IEC 27037:2012Guidelines for identification, collection, acquisition and preservation of digital evidence.
IETF RFC 8493The BagIt File Packaging Format (V1.0).
IETF RFC 3161Internet X.509 PKI Time-Stamp Protocol (TSP).
IETF RFC 8032Edwards-Curve Digital Signature Algorithm (EdDSA).
FIPS PUB 180-4Secure Hash Standard (SHA-2).
ISO/IEC 14496-12ISO Base Media File Format (BMFF).
ISO/IEC 19566-5JPEG Universal Metadata Box Format (JUMBF).
SWGDE 18-F-002Best Practices for Digital Evidence Collection.
SWGDE 23-I-001Legal and Scientific Support Related to the Admissibility of Image Examinations.
SWGDE 17-V-002Best Practices for Data Acquisition from Digital Video Recorders.
SWGDE 15-M-001Training Guidelines for Video Analysis, Image Analysis, and Photography.
CASE / UCOCyber-investigation Analysis Standard Expression / Unified Cyber Ontology.
C2PACoalition for Content Provenance and Authenticity (provenance reference framework).
Regulatory referencesSubject
Reg. (UE) 910/2014 — eIDASTrust services, including electronic and qualified timestamps.
Reg. (UE) 2016/679 — GDPRProtection of personal data present in acquisitions.