C.E.R.T.O.
C.E.R.T.O.
Preserve messages directly from the mailbox, with full headers and proof of sender authenticity.
C.E.R.T.O.'s Email/PEC module performs the forensic acquisition of emails and certified mail: it connects to the IMAP server in read-only mode, preserves the original EML with headers, body and attachments, verifies DKIM/SPF/DMARC and — for PEC — validates daticert.xml and the provider's S/MIME signature. Everything is sealed as digital evidence with hashes, an RFC 3161 timestamp and an Ed25519 signature. It is the tool for court-appointed and party experts, lawyers and law enforcement who must prove the content, origin and date of a message.
A repeatable, non-invasive procedure: the mailbox is read in read-only mode and every message is preserved in its original format, then cryptographically sealed.
Multi-source NTP sync (Google/Cloudflare/pool) with documented offset and roundtrip: the moment of acquisition is anchored.
IMAP connection over SSL/TLS in EXAMINE (read-only) mode, with password or Microsoft OAuth. Server, port, IP and server capabilities are recorded.
Messages are read with BODY.PEEK: flags are not modified, messages are not marked as “read”. The mailbox stays exactly as it was.
The complete original EML is saved — headers, MIME body and attachments — exactly as received from the server, without reformatting.
For ordinary emails: DKIM, SPF and DMARC verification and analysis of the Received header chain (the delivery hops, with IPs and servers).
For certified mail: validation of the transport envelope and daticert.xml and cryptographic verification of the provider's S/MIME signature (AgID-accredited), with the receipts.
Each message is also rendered to PDF and PNG for a faithful, immediate review alongside the authoritative EML.
MD5 + SHA-1 + SHA-256 + SHA-512 (FIPS 180-4) cryptographic hashes of every file: the inventory that anchors the integrity of the whole bundle.
manifest.json signed with Ed25519 + double RFC 3161 timestamp, packaging into a BagIt 1.0 bundle with a CASE/UCO description and verify.sh / verify.bat verifiers.
Each email/PEC acquisition produces a coordinated set of artefacts, each with a precise forensic role, organised into clearly-named folders inside data/.
The message in its original RFC 822/MIME format — full headers, body and attachments — exactly as delivered by the server: it is the authoritative media of the bundle.
evidence/email/…/message.eml
A faithful rendering of the message as PDF and PNG image, to review the content as it appears, alongside the technical EML.
evidence/email/…/message.pdf · message.png
Each attachment is extracted and kept with its own cryptographic hash, so its presence and integrity in the message can be proven.
evidence/email/…/attachments/
Verification of the sender's authenticity signatures and analysis of the Received header chain (the delivery hops), with a pass/fail outcome.
network/dkim-verification.json · header-analysis.json
The IMAP session log (server, port, capabilities, read-only mode) and the X.509 certificate chains of the mail server.
logs/imap-protocol.txt · tls/certificates/
The report in PDF and TXT with its own RFC 3161 timestamp and the complete hash inventory (MD5/SHA-1/SHA-256/SHA-512) of all artefacts.
reports/report.pdf · hashes/file-hashes.json
When the mailbox contains PEC messages, C.E.R.T.O. recognises and validates their legal structure: transport envelope, daticert.xml, the provider's S/MIME signature and receipts.
The provider-signed envelope and the daticert.xml file (sender, recipients, subject, identifier, date) are validated against the mandatory AgID fields.
The provider's S/MIME signature is cryptographically verified and the certificate is checked to be issued by an AgID-accredited CA: origin and integrity proven.
The PEC receipts (acceptance, delivery, non-delivery) are recognised and acquired: they document the legal path of the message.
The bundle does not need C.E.R.T.O. to be validated: anyone, even years from now, can verify its authenticity with standard tools. The BagIt 1.0 structure and the interactive dashboard make it self-explanatory.
data/tsa.tsr and outer seal on tagmanifest-sha256.txt.tsr. Free cascade Sectigo→DigiCert→GlobalSign; optional qualified eIDAS InfoCert.Forensic email and PEC acquisition, non-invasive read, evidence validity and bundle verification: the most common questions.
Register for free and download C.E.R.T.O. Desktop for Windows and macOS from your client area.