Digital evidence standards: ISO 27037, SWGDE, BagIt, CASE/UCO
Digital evidence does not hold up because you say so: it holds up when it is built with recognised rules that judges and technical experts can read. Using international standards means exactly this — no proprietary format, no "black box" to attack. Here are the four standards that matter, in plain words, and where you actually find them in the bundle C.E.R.T.O. produces.
The four standards, in plain words
ISO/IEC 27037
It is the international guideline (ISO/IEC 27037:2012) on how to identify, collect, acquire and preserve digital evidence without altering it. It is not a law: it is the methodological reference that shows you worked "by the book". In the C.E.R.T.O. bundle it is declared in bag-info.txt and followed by the whole workflow: clock synchronisation (NTP), hashing, timestamp, detailed acquisition log.
SWGDE
The Scientific Working Group on Digital Evidence publishes the most recognised operational best practices in digital forensics (the bundle cites SWGDE 18-F-002). It is the shared "how it is done" of the international technical community. C.E.R.T.O. states conformance in bag-info.txt and documents the methodology in the reports.
BagIt (RFC 8493)
It is the container format (IETF RFC 8493, BagIt version 1.0): it defines how to package the data and how to verify its integrity. The layout is a data/ folder with all the acquired content, a manifest-sha256.txt listing each payload file's SHA-256 fingerprint, and a tagmanifest-sha256.txt that in turn protects the control files (bagit.txt, bag-info.txt and the manifest itself). It is the standard "sealed envelope": anyone can recompute the fingerprints and check that nothing changed.
CASE/UCO
It is the ontology (CASE 1.3 / UCO 1.4) for describing evidence and chain of custody in an interoperable way: a JSON-LD file that relates the exhibit, its origin, the operator and the times, in a structure other forensic tools can read. In the bundle it is the file metadata/evidence.case.jsonld.
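The two checks described above for BagIt and for CASE/UCO can be run together. The following is an added example, not C.E.R.T.O.'s own verifier and not code from the BagIt or CASE projects: it builds a small bag in a temporary directory out of constructed sample files, then verifies it the way an opposing expert would, recomputing every SHA-256 in manifest-sha256.txt and tagmanifest-sha256.txt and cross-checking the exhibit hash that metadata/evidence.case.jsonld declares against the manifest. The JSON-LD graph is a constructed minimal one; the UCO property names in it (`uco-core:hasFacet`, `uco-observable:FileFacet`, `uco-observable:ContentDataFacet`, `uco-types:Hash`) are used as I understand the vocabulary and should be treated as an assumption, as should the `Conformance` tag name in bag-info.txt and the `kb:` namespace.

```python
"""Added example (not C.E.R.T.O. code): build a small BagIt bag, then verify
payload manifest, tag manifest and the SHA-256 declared in the CASE/UCO graph.
All file contents and the JSON-LD graph are constructed sample data."""
import hashlib
import json
import tempfile
from pathlib import Path

CASE_FILE = Path("metadata") / "evidence.case.jsonld"   # name taken from the bundle layout


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_manifest(path: Path) -> dict:
    """Manifest lines are '<hex digest>  <path relative to bag root>' (RFC 8493)."""
    entries = {}
    for line in path.read_text(encoding="utf-8").splitlines():
        if line.strip():
            digest, rel = line.split(None, 1)
            entries[rel.strip()] = digest.lower()
    return entries


def write_manifest(root: Path, name: str, files) -> None:
    lines = [f"{sha256_file(root / f)}  {f}" for f in sorted(files)]
    (root / name).write_text("\n".join(lines) + "\n", encoding="utf-8")


def _lit(v):
    """JSON-LD literals may be bare strings or {'@value': ...} objects."""
    return v["@value"] if isinstance(v, dict) else v


def declared_sha256(graph: dict):
    """Yield (path, sha256) pairs the CASE graph asserts about File objects.
    Property names are an assumption about the UCO vocabulary; validate real
    bundles against the published ontology."""
    for node in graph.get("@graph", []):
        path, digests = None, []
        for facet in node.get("uco-core:hasFacet", []):
            if facet.get("@type") == "uco-observable:FileFacet":
                path = _lit(facet.get("uco-observable:filePath"))
            elif facet.get("@type") == "uco-observable:ContentDataFacet":
                for h in facet.get("uco-observable:hash", []):
                    if _lit(h.get("uco-types:hashMethod")) == "SHA256":
                        digests.append(_lit(h.get("uco-types:hashValue")).lower())
        for d in digests:
            if path:
                yield path, d


def build_sample_bag(root: Path) -> None:
    data = root / "data"
    (data / "page").mkdir(parents=True)
    (data / "page" / "index.html").write_bytes(b"<html><body>constructed sample</body></html>\n")
    (data / "screenshot.png").write_bytes(b"constructed placeholder, not a real PNG\n")
    graph = {
        "@context": {
            "kb": "http://example.org/kb/",  # assumed local namespace
            "uco-core": "https://ontology.unifiedcyberontology.org/uco/core/",
            "uco-observable": "https://ontology.unifiedcyberontology.org/uco/observable/",
            "uco-types": "https://ontology.unifiedcyberontology.org/uco/types/",
        },
        "@graph": [{
            "@id": "kb:exhibit-1",
            "@type": "uco-observable:File",
            "uco-core:hasFacet": [
                {"@type": "uco-observable:FileFacet",
                 "uco-observable:filePath": "data/page/index.html"},
                {"@type": "uco-observable:ContentDataFacet",
                 "uco-observable:hash": [{"@type": "uco-types:Hash",
                                          "uco-types:hashMethod": "SHA256",
                                          "uco-types:hashValue": sha256_file(data / "page" / "index.html")}]},
            ],
        }],
    }
    (root / CASE_FILE).parent.mkdir()
    (root / CASE_FILE).write_text(json.dumps(graph, indent=2), encoding="utf-8")
    (root / "bagit.txt").write_text("BagIt-Version: 1.0\nTag-File-Character-Encoding: UTF-8\n", encoding="utf-8")
    # Tag name 'Conformance' is an assumption; the value is the line quoted on the page
    (root / "bag-info.txt").write_text(
        "Conformance: ISO/IEC 27037:2012; SWGDE 18-F-002; BagIt RFC 8493 v1.0; CASE 1.3/UCO 1.4; RFC 3161\n",
        encoding="utf-8")
    write_manifest(root, "manifest-sha256.txt", ["data/page/index.html", "data/screenshot.png"])
    write_manifest(root, "tagmanifest-sha256.txt",
                   ["bagit.txt", "bag-info.txt", "manifest-sha256.txt", CASE_FILE.as_posix()])


def verify_bag(root: Path) -> dict:
    """One boolean per check, so a failure points at exactly what changed."""
    payload = parse_manifest(root / "manifest-sha256.txt")
    tags = parse_manifest(root / "tagmanifest-sha256.txt")
    on_disk = {p.relative_to(root).as_posix() for p in (root / "data").rglob("*") if p.is_file()}
    graph = json.loads((root / CASE_FILE).read_text(encoding="utf-8"))
    return {
        "payload_hashes": all(sha256_file(root / rel) == d for rel, d in payload.items()),
        "payload_complete": on_disk == set(payload),   # nothing added or removed under data/
        "tag_hashes": all(sha256_file(root / rel) == d for rel, d in tags.items()),
        "case_matches_manifest": all(payload.get(rel) == d for rel, d in declared_sha256(graph)),
    }


def demo() -> tuple:
    """Returns (intact, tampered, covered_up) verification results."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "bag"
        root.mkdir()
        build_sample_bag(root)
        intact = verify_bag(root)
        (root / "data" / "page" / "index.html").write_bytes(b"<html><body>altered after sealing</body></html>\n")
        tampered = verify_bag(root)       # payload hash check fails
        write_manifest(root, "manifest-sha256.txt", ["data/page/index.html", "data/screenshot.png"])
        covered_up = verify_bag(root)     # tagmanifest and CASE graph now disagree with the manifest
    return intact, tampered, covered_up


if __name__ == "__main__":
    for label, result in zip(("intact", "tampered", "covered_up"), demo()):
        print(label, result)
```

The three results show why the layered design matters: altering the exhibit breaks the payload check; rewriting manifest-sha256.txt to hide that breaks the tagmanifest check and makes the hash in evidence.case.jsonld disagree with the manifest. A tamperer who rewrites the tagmanifest as well is what the RFC 3161 timestamp token (report.tsr) is there to catch, since a freshly computed tagmanifest cannot backdate itself; that token is checked separately, for instance with `openssl ts -verify -data report.pdf -in report.tsr -CAfile <TSA chain shipped in the bundle>`. Because the manifest lines use two spaces between digest and path, `sha256sum -c manifest-sha256.txt` run from the bag root performs the same payload check with no Python at all.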
Where you find each standard in the bundle
| Standard | What it governs | Where, in the C.E.R.T.O. bundle |
|---|---|---|
| ISO/IEC 27037 | How to identify, collect, acquire and preserve evidence | Declared in bag-info.txt; followed by NTP, hashing, timestamp and logs |
| SWGDE | Operational best practices in digital forensics | bag-info.txt (Conformance) + methodology in the reports |
| BagIt (RFC 8493) | The container format and integrity verification | bagit.txt, manifest-sha256.txt, tagmanifest-sha256.txt, the data/ folder |
| CASE/UCO | How evidence and chain of custody are described, interoperably | metadata/evidence.case.jsonld |
The bag-info.txt itself sums it up in one conformance line: ISO/IEC 27037:2012; SWGDE 18-F-002; BagIt RFC 8493 v1.0; CASE 1.3/UCO 1.4; RFC 3161.
Standards are not enough if no one can read them
A conformant bundle is useless if only a technician can open it. That is why C.E.R.T.O. produces, alongside the raw data, three ways to read and validate the same acquisition, designed for non-technical readers too.
1. The interactive.html page: catalogs, reports and validates
Inside the bundle there is an interactive.html file: a self-contained web page that opens in any browser, with no internet and no special software. It is not a plain index: it catalogs (lists all acquired content), reports (summarises operator, times and NTP synchronisation, declared forensic scope, network data, methodology and visited pages) and validates (shows the screenshots, the file inventory with each fingerprint, and lets you inspect the evidence as if browsing the real site). It is the fastest way for a judge or a non-technical lawyer to understand, in minutes, what was captured and how.
2. The report.pdf: the formal forensic report
A readable, printable PDF report, ready to attach to a brief or a complaint: acquired URL and domain, remote server IP, acquisition code, the time window (UTC and local time), NTP synchronisation and the file inventory with MD5, SHA-1 and SHA-256.
3. The report.txt: the same content in plain text
The plain-text version of the same report, easy to read and to archive. And one detail matters: the report is itself timestamped (the report.tsr file, under RFC 3161), so even the summary document has a certain date.
Why all this matters in court
Open standards plus readable outputs mean one thing: your evidence does not ask for trust, it proves it. The other side's expert finds no black box to attack, only formats they know and can re-check — and anyone can verify the bundle independently, offline. It is the technical foundation of the chain of custody.
Frequently asked questions
Does ISO 27037 conformance make evidence automatically admissible?
No. Admissibility is decided by the court case by case. But conformance to ISO 27037 and SWGDE strengthens the evidence, because it shows a recognised method and reduces the grounds for challenge.
Do I need special software to open the bundle?
No. The interactive.html file and the reports open in an ordinary browser; cryptographic verification uses standard, widely available tools (such as OpenSSL), works offline, and the certificates it needs are already inside the bundle.
What is CASE/UCO good for, in practice?
It lets the evidence be described in a language shared with other forensic tools: useful when the bundle has to fit into an expert's or an authority's workflow.
See also: how to capture a web page as evidence.