Connect a cloud account and seal shared content, keeping metadata and folder structure.
C.E.R.T.O.'s Cloud module forensically acquires files from Google Drive, Dropbox and OneDrive. Cloud data lives on third-party servers and in the user's account, and can be modified or deleted remotely at any time: C.E.R.T.O. crystallises it as it was, with authenticated OAuth access, provider-side hash reconciliation (proof of provenance), sharing and revision analysis, and a double RFC 3161 timestamp. It is the tool for court-appointed and party experts, lawyers and law enforcement who must fix the contents of a cloud account before they change or vanish.
Cloud files are not in your hands: they live on third-party servers and in someone else's account, and the account holder can modify, share or delete them remotely at any time. Acquiring them forensically means fixing them before they change or vanish.
A document, a photo or a shared folder can be removed or altered with a click, even after a dispute. The acquisition crystallises them in the state they are in, with a certified date.
Provider-side hash reconciliation compares the fingerprint declared by the cloud with the one recomputed on the downloaded file: it proves the acquired bytes are exactly those stored by the provider.
Which files were shared with third parties or made public via links: a decisive element to assess access, distribution and possible data exfiltration.
The provider-side version history (who changed what and when) and, where possible, the files in the trash: traces of activity and deleted-but-still-recoverable items.
Beyond downloading the files, C.E.R.T.O. automatically analyses their provenance, exposure, content and versioning, presenting the results in the report.
Comparison between the cloud-declared hash and the local one: proof that the acquired bytes match the provider's.
Files with public links or shared with third parties, to assess access, distribution and exfiltration risk.
Classification by content type and groups of files with the same SHA-256 (same content in different paths).
Comparison of the file's actual magic bytes with the declared extension: disguised type, encrypted containers, double extension, executables.
For files with multiple provider-side versions: each revision with date, author and size, to highlight edits and activity over time.
The files in the provider trash at acquisition time: metadata and, where possible, content downloaded and hashed into the bundle.
A repeatable, documented procedure: from authenticated access to the cryptographic seal, every downloaded file leaves a verifiable trace inside the bundle.
Multi-source NTP sync with documented offset: the acquisition window is anchored.
Connection to the provider (Google Drive, Dropbox, OneDrive) via official OAuth: no password stored; provider, account and scopes are documented.
Enumeration of the account structure (folders and files, with sizes and dates), to build the cloud tree and the selection.
API download of the selected files (or everything, optionally including the trash), preserving the folder structure.
Comparison of the provider-declared hash with the locally recomputed one, and computation of MD5/SHA-1/SHA-256/SHA-512 for every file.
Automated analysis of sharing/exposure, categories, duplicates, content anomalies, revisions and deleted items.
manifest.json signed with Ed25519 + double RFC 3161 timestamp, packaging into a BagIt 1.0 bundle with a CASE/UCO description and verify.sh / verify.bat verifiers.
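The provider-hash reconciliation step of the procedure above, sketched as an added example (not C.E.R.T.O.'s own code). It assumes the provider-declared value is Google Drive's `md5Checksum` or Dropbox's `content_hash`; the function names and sample bytes are constructed for illustration, and OneDrive's hash formats are not covered.

```python
import hashlib
import io

DROPBOX_BLOCK = 4 * 1024 * 1024  # Dropbox hashes the file in 4 MiB blocks


def md5_hex(stream):
    """Plain MD5 over the whole stream (Google Drive's md5Checksum field)."""
    h = hashlib.md5()
    for chunk in iter(lambda: stream.read(1 << 20), b""):
        h.update(chunk)
    return h.hexdigest()


def dropbox_content_hash(stream):
    """Dropbox content_hash: SHA-256 over the concatenated per-block SHA-256 digests."""
    outer = hashlib.sha256()
    for block in iter(lambda: stream.read(DROPBOX_BLOCK), b""):
        outer.update(hashlib.sha256(block).digest())
    return outer.hexdigest()


ALGORITHMS = {"google_drive": md5_hex, "dropbox": dropbox_content_hash}


def reconcile(provider, declared, stream):
    """Compare the provider-declared hash with the one recomputed locally."""
    if not declared:
        # Some items (e.g. Google-native Docs) carry no provider hash:
        # record that explicitly instead of reporting a match.
        return {"status": "unverifiable", "declared": None, "local": None}
    local = ALGORITHMS[provider](stream)
    declared = declared.lower()
    status = "match" if local == declared else "mismatch"
    return {"status": status, "declared": declared, "local": local}


if __name__ == "__main__":
    sample = b"hello"  # constructed sample content
    print(reconcile("google_drive", "5d41402abc4b2a76b9719d911017c592", io.BytesIO(sample)))
    print(reconcile("google_drive", None, io.BytesIO(sample)))
```

A provider hash proves the downloaded bytes equal what the provider stored; it is separate from the MD5/SHA-1/SHA-256/SHA-512 set computed for the bundle itself.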
Each acquisition produces a coordinated set of artefacts, each with a precise forensic role, organised into clearly-named folders inside data/.
The copy of the files downloaded from the cloud, with the original folder structure (and, optionally, the trashed items): the authoritative media of the bundle.
evidence/files/ · evidence/deleted/
The map of the account structure (folders, files, sizes, dates): a snapshot of how the cloud was organised at acquisition time.
reports/cloud-tree.txt
Provider hash reconciliation, sharing/exposure, categories and duplicates, content anomalies, revisions and deleted items.
reports/forensic-analysis.json
The access details (provider, account, OAuth scopes, moment of authentication) and the log of the API calls made during the acquisition.
network/oauth-connection.txt · api-log.txt
The quadruple of hashes (MD5/SHA-1/SHA-256/SHA-512) of every file and the outcome of the reconciliation with the provider hash.
hashes/file-hashes.json
The report in PDF and TXT (operator, provider, account, file count, size, forensic statements) with its own RFC 3161 timestamp.
reports/report.pdf · report.tsr
The bundle does not need C.E.R.T.O. to be validated: anyone, even years from now, can verify its authenticity with standard tools. The BagIt 1.0 structure and the interactive dashboard make it self-explanatory.
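As an added illustration of verifying such a bundle without the vendor tool (this is not the shipped verify.sh), the sketch below walks the BagIt 1.0 hash chain: `tagmanifest-sha256.txt` covers `manifest-sha256.txt`, which covers every file under `data/`. The function names are hypothetical, and paths are assumed to need no BagIt percent-decoding.

```python
import hashlib
from pathlib import Path, PurePosixPath


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def check_manifest(bag, manifest_name):
    """Check every '<sha256> <relative path>' line; return (problems, listed paths)."""
    problems, listed = [], set()
    text = (bag / manifest_name).read_text(encoding="utf-8")
    for line in filter(str.strip, text.splitlines()):
        digest, rel = line.split(None, 1)
        listed.add(rel)
        # A bundle is untrusted input: refuse paths that escape the bag directory.
        if rel.startswith("/") or ".." in PurePosixPath(rel).parts:
            problems.append(("unsafe path", rel))
        elif not (bag / rel).is_file():
            problems.append(("missing", rel))
        elif sha256_file(bag / rel) != digest.lower():
            problems.append(("modified", rel))
    return problems, listed


def verify_bag(bag_dir):
    bag = Path(bag_dir)
    # 1. Tag manifest: covers manifest-sha256.txt and the other tag files it lists.
    problems, _ = check_manifest(bag, "tagmanifest-sha256.txt")
    # 2. Payload manifest: covers every file under data/.
    payload_problems, listed = check_manifest(bag, "manifest-sha256.txt")
    problems += payload_problems
    # 3. Files added under data/ after sealing appear in no manifest.
    on_disk = {p.relative_to(bag).as_posix()
               for p in (bag / "data").rglob("*") if p.is_file()}
    problems += [("unlisted", rel) for rel in sorted(on_disk - listed)]
    return problems
```

An empty list means the hash chain is intact; the RFC 3161 response on the tag manifest is checked separately, for example with `openssl ts -verify` against the TSA's CA chain.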
data/tsa.tsr and outer seal on tagmanifest-sha256.txt.tsr. Free cascade Sectigo→DigiCert→GlobalSign; optional qualified eIDAS InfoCert.
Forensic cloud acquisition, supported providers, hash reconciliation, deleted files and bundle verification: the most common questions.
Register for free and download C.E.R.T.O. Desktop for Windows and macOS from your client area.