Screenshot

Capture a forensic desktop screenshot — full screen or region — with anti-tampering shielding, a system-environment snapshot and a timestamp, sealed into a verifiable bundle.

C.E.R.T.O. Desktop “Screenshot” screen: you select the monitor (with preview and native resolution) and start “Capture full screen” or “Capture region”. The operator does not interact with the image: the system produces and seals it.

C.E.R.T.O.'s Screenshot module captures the computer screen as digital evidence — full screen or region, on any connected monitor. It is not a simple screenshot: the operator only selects the source and triggers the capture, but does not interact with the acquired image, nor can they modify it; together with the image the PC state is acquired (environment, system, monitors) and everything is immediately sealed with hashes, analysis and a double RFC 3161 timestamp. It is the tool for court-appointed and party experts, lawyers and law enforcement who must fix what appears on screen with evidentiary value.

Key features

What this module does.

  • Full-screen or region capture, including multi-monitor setups.
  • Forensic anti-tampering shielding during capture.
  • Watermark, system-environment snapshot and active processes.
  • MD5/SHA-1/SHA-256/SHA-512 hashes and timestamp.
  • BagIt 1.0 bundle signed with Ed25519, double RFC 3161 timestamp and CASE/UCO.

Final forensic report: the interactive dashboard of the screenshot bundle — summary, captured image, acquired displays, analysis, perceptual hashes, operator environment, chain of custody and integrity check.

A substantial difference

Not a “simple screenshot”.

A hand-saved screenshot is an editable file, with no context and no guarantees. Here the image is produced by the system and sealed at once, together with the state of the computer: evidence, not a mere capture.

The operator does not interact with the image

They only select the monitor or region and trigger the capture: they do not open, retouch or modify the acquired image. There is no manual editing or saving step.

The PC state is acquired

Together with the image, C.E.R.T.O. records the operator environment, the system information and the list of connected monitors with their resolution: the context in which the screen was captured.

System capture, multi-monitor

The image is produced by the operating system's capture APIs, at each screen's native resolution (e.g. 3840×2160), full screen or by region, on any of the monitors.

Immediate seal

Cryptographic and perceptual hashes, forensic analysis, double RFC 3161 timestamp and Ed25519 signature are applied at once: the image is not an editable file, but a closed, verifiable exhibit.

In the report: comparison between the captured original and the watermarked version, with the file properties and the hashes of both versions. The capture is at the monitors' native resolution (here 3840×2160).

Forensic pipeline

How the module operates.

A repeatable, documented procedure: from selecting the source to the cryptographic seal, every step leaves a verifiable trace inside the bundle.

01 · NTP

Synchronised time

Multi-source NTP sync with documented offset and roundtrip: the moment of capture is anchored.

02 · SOURCE

Source selection

The operator chooses the monitor (with preview and resolution) or a region; the list of connected displays is detected and documented.

03 · CAPTURE

System capture

The image is produced by the system's capture APIs at native resolution: no operator interaction with the result.

04 · STATE

Computer state

Snapshot of the operator environment and system information (user, hostname, monitors, OS): the context of the capture.

05 · HASH

Fingerprints

Cryptographic MD5/SHA-1/SHA-256/SHA-512 hashes and perceptual hashes (aHash/dHash/pHash/wHash) of the captured image.

06 · ANALYSIS

Analysis & watermark

Forensic image analysis (ELA, histogram, statistics) and generation of a watermarked version alongside the authoritative original.

07 · SEAL

Signature & double timestamp

manifest.json signed with Ed25519 + double RFC 3161 timestamp, packaging into a BagIt 1.0 bundle with a CASE/UCO description and verify.sh / verify.bat verifiers.

Bundle contents

Everything that gets generated.

Each capture produces a coordinated set of artefacts, each with a precise forensic role, organised into clearly-named folders inside data/.

Captured image

The screenshot produced by the system, kept as is with its own hash: it is the authoritative media of the bundle, never modified by hand.

evidence/<screenshot>

Watermarked version

A C.E.R.T.O.-watermarked copy for review and sharing, with its own hash distinct from the original's.

evidence/<screenshot>_watermarked

Acquired displays

The list of connected monitors with resolution and scale factor at capture time: the hardware context of the screen.

metadata/displays.json

Operator environment

The snapshot of the environment and system information (user, hostname, operating system): who performed the capture and where.

reports/system-information.txt

Analysis & perceptual hashes

The forensic image analysis (ELA, histogram, statistics) and the perceptual hashes, to document its state and find any modified versions.

reports/analysis/ · hashes/perceptual-hashes.json

Forensic report & hashes

The report in PDF and TXT with its own RFC 3161 timestamp and the complete hash inventory (MD5/SHA-1/SHA-256/SHA-512) of all artefacts.

reports/report.pdf · hashes/file-hashes.json

Self-validation

A bundle that proves itself.

The bundle does not need C.E.R.T.O. to be validated: anyone, even years from now, can verify its authenticity with standard tools. The BagIt 1.0 structure and the interactive dashboard make it self-explanatory.

  • interactive.html — the navigable offline dashboard: captured image, acquired displays, analysis, perceptual hashes, operator environment, hash inventory and client-side integrity check.
  • manifest.json signed with Ed25519 (RFC 8032), bound to the identity of the device registered at first launch.
  • Double RFC 3161 timestamp: inner anchor on data/tsa.tsr and outer seal on tagmanifest-sha256.txt.tsr. Free cascade Sectigo→DigiCert→GlobalSign; optional qualified eIDAS InfoCert.
  • manifest-sha256.txt and tagmanifest-sha256.txt (RFC 8493): fixity of the payload and of the control files; no file can be added or altered without the check failing.
  • metadata/evidence.case.jsonld: CASE 1.3 / UCO 1.4 description of the evidence, and tsa-ca.pem for verifying the timestamp even offline.
  • verify.sh / verify.bat — standalone verifiers: they recompute the hashes, check the double timestamp and the signature, and declare “VALID BUNDLE”.
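
The fixity part of that check, as an added example (not C.E.R.T.O.'s verify.sh, and not code from the product): it recomputes SHA-256 against manifest-sha256.txt and tagmanifest-sha256.txt and reports altered, missing or unlisted files. The Ed25519 signature and RFC 3161 timestamp checks are out of scope here; the sample bag and its file names are constructed, and manifest paths are assumed to contain no percent-encoded characters.

```python
import hashlib
import tempfile
from pathlib import Path

def sha256_file(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()

def read_manifest(path):
    """Parse BagIt manifest lines of the form '<hex digest> <relative path>'."""
    entries = {}
    for line in Path(path).read_text(encoding="utf-8").splitlines():
        if line.strip():
            digest, name = line.split(None, 1)
            entries[name.strip()] = digest.lower()
    return entries

def verify_bag(bag):
    """Return sorted fixity problems; an empty list means the bag is intact."""
    bag, problems = Path(bag), []
    payload = read_manifest(bag / "manifest-sha256.txt")
    tags = read_manifest(bag / "tagmanifest-sha256.txt")
    for name, digest in {**payload, **tags}.items():
        if Path(name).is_absolute() or ".." in Path(name).parts:
            problems.append(f"unsafe path: {name}")  # never read outside the bag
        elif not (bag / name).is_file():
            problems.append(f"missing: {name}")
        elif sha256_file(bag / name) != digest:
            problems.append(f"altered: {name}")
    # Completeness: every file under data/ must appear in the payload manifest.
    for f in (bag / "data").rglob("*"):
        rel = f.relative_to(bag).as_posix()
        if f.is_file() and rel not in payload:
            problems.append(f"unlisted: {rel}")
    return sorted(problems)

def build_sample_bag(root):
    """Constructed sample bag; file names and contents are hypothetical."""
    bag, rel = Path(root), "data/evidence/shot.png"
    (bag / "data" / "evidence").mkdir(parents=True)
    (bag / rel).write_bytes(b"constructed image bytes")
    (bag / "bagit.txt").write_text("BagIt-Version: 1.0\nTag-File-Character-Encoding: UTF-8\n")
    (bag / "manifest-sha256.txt").write_text(f"{sha256_file(bag / rel)}  {rel}\n")
    tag_lines = [f"{sha256_file(bag / n)}  {n}\n" for n in ("bagit.txt", "manifest-sha256.txt")]
    (bag / "tagmanifest-sha256.txt").write_text("".join(tag_lines))
    return bag

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print(verify_bag(build_sample_bag(Path(tmp) / "bag")) or "fixity OK")
```

If someone edits the image and rewrites manifest-sha256.txt to match, the tagmanifest entry for manifest-sha256.txt no longer matches, which is why the outer timestamp is taken over the tagmanifest.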

FAQ

Frequently asked questions

Forensic desktop screenshot, non-interactive capture, PC state and bundle verification: the most common questions.

Why is it not a “simple screenshot”?
Because the operator only selects the monitor or region and triggers the capture: they do not interact with the acquired image, nor can they modify it. The image is produced by the system, together with a snapshot of the PC state, and immediately sealed with hashes and a timestamp — it is not an editable file saved by hand.
What is acquired besides the image?
The state of the computer at capture time: operator environment and system information, the list and resolution of connected monitors, NTP-synchronised time, cryptographic and perceptual hashes and the result of the forensic image analysis.
Can you capture multiple monitors or just a portion of the screen?
Yes: you can capture the full screen of any connected monitor (at its native resolution, e.g. 3840×2160) or select a specific region. All detected displays are documented in the bundle.
How is it guaranteed the screenshot was not altered?
The captured image is immediately hashed (MD5/SHA-1/SHA-256/SHA-512) and sealed with a double RFC 3161 timestamp and an Ed25519 signature in the BagIt bundle; a watermarked version accompanies the authoritative original. Any later modification makes the verification fail.
Is the certified screenshot valid as evidence in court?
The bundle follows recognised standards (ISO/IEC 27037, BagIt RFC 8493, RFC 3161, CASE/UCO) with an Ed25519 signature and a double timestamp; authenticity and integrity can be verified by anyone, even offline. The non-interactive capture and the acquisition of context strengthen the evidentiary value; the final assessment rests with the adjudicating authority.
What is the difference from the “Image Evidence Collection” module?
The Images module certifies an existing image file supplied by the operator; the Screenshot module captures the computer screen anew and acquires its state. In both cases the same in-depth analysis and the same forensic packaging follow.

Collect evidence with the Screenshot module.

Register for free and download C.E.R.T.O. Desktop for Windows and macOS from your client area.