C.E.R.T.O.
C.E.R.T.O.
Acquire WhatsApp chats with their media and metadata, sealing every element with its own fingerprint.
C.E.R.T.O.'s WhatsApp module performs the forensic acquisition of WhatsApp conversations operating from WhatsApp Web: once the account is linked with the QR code, it captures the messages, the media (photos, videos, audio, documents) and the session metadata, while recording a video of the whole session. Everything is sealed as digital evidence with a per-element hash, a double RFC 3161 timestamp and an Ed25519 signature. Timeliness matters: on WhatsApp media and messages can expire or be deleted for everyone. It is the tool for court-appointed and party experts, lawyers and law enforcement who must fix a chat before it vanishes.
The contents of a chat do not stay available forever. Media expire on the server, messages can be “deleted for everyone” and a conversation can be wiped in an instant. Acquiring it promptly means fixing it while it is still there.
Photos, videos, audio and documents are not downloadable from WhatsApp's servers indefinitely: after a certain time the attachment may no longer be retrievable, even if the message remains visible. Acquiring early crystallises them while they are still present.
The other party can delete a message for all participants, making it disappear from the conversation. What has been acquired and sealed, however, stays in the bundle with its certified date.
Chats are end-to-end encrypted: they exist only on the devices linked to the account. There is no central archive to retrieve them from later — if you lose access, you lose the evidence.
The acquisition is recorded in full as a video: it transparently documents what the operator saw and did, from the QR linking to the chat capture, strengthening genuineness and repeatability.
C.E.R.T.O. operates via WhatsApp Web: you link the account by scanning the QR code with your phone — just like for normal use on the computer — while the software extracts chats, media and metadata and records the entire session.
You scan the WhatsApp Web QR code with your phone: the account is linked to the web client, exactly as in everyday use.
From start to finish, the screen is recorded as a video: every operation performed during the acquisition is documented and repeatable.
The account conversations are listed and you choose those to acquire (single or multiple), with the option to download media.
Extraction of messages (text, date, time, delivery status) and download of media and attachments still available, before they expire.
The bundle includes an interactive dashboard: the conversation is faithfully reconstructed (bubbles, dates, delivery states, clickable media) and the log records every step of the acquisition, event by event.
Text, date, time and delivery state (✓, ✓✓) of every message, in the original order of the conversation.
Downloaded images, videos, audio and documents are embedded and openable directly from the dashboard, each with its own hashes.
Account identifiers (WID/LID), platform, language, cookies and storage of the web client: the technical context of the acquisition.
Every step of the acquisition is recorded with a timestamp: a complete, verifiable trace of how it was carried out.
A repeatable, documented procedure: from synchronised time to the cryptographic seal, every message and every media item leaves a verifiable trace inside the bundle.
Multi-source NTP sync with documented offset: the acquisition window is anchored.
Linking the account via QR code and starting the video recording of the whole session.
Capture of account and session metadata: WID/LID, platform, language, cookies, localStorage and the client IndexedDB.
Extraction of the messages of the selected conversations, with date, time, delivery state and original order.
Download of the media and attachments still available and computation of MD5/SHA-1/SHA-256 for each item.
manifest.json signed with Ed25519 + double RFC 3161 timestamp, packaging into a BagIt 1.0 bundle with a CASE/UCO description and verify.sh / verify.bat verifiers.
Each acquisition produces a coordinated set of artefacts, each with a precise forensic role, organised into clearly-named folders inside data/.
The acquired conversations in browsable HTML and structured JSON: text, date, time, delivery state and media references, in their original order.
evidence/chats/
Photos, videos, audio and documents downloaded from the chats, preserved in their original format: the authoritative media of the bundle.
evidence/media/
The video of the entire acquisition session (.webm) and the extracted frames: the transparent proof of how the operation was carried out.
evidence/session/recording.webm
The account and session metadata (WID/LID, platform, language) and the web client state: cookies, localStorage and IndexedDB at acquisition time.
evidence/session/ · network/
The hashes (MD5/SHA-1/SHA-256) of every media item and every artefact of the bundle: the fingerprint that proves their integrity.
hashes/media-hashes.json
The forensic report (PDF/TXT) with its own RFC 3161 timestamp and the detailed acquisition log, event by event, with timestamps.
reports/report.pdf · acquisition-log.txt
The bundle does not need C.E.R.T.O. to be validated: anyone, even years from now, can verify its authenticity with standard tools. The BagIt 1.0 structure and the interactive dashboard make it self-explanatory.
data/tsa.tsr and outer seal on tagmanifest-sha256.txt.tsr. Free cascade Sectigo→DigiCert→GlobalSign; optional qualified eIDAS InfoCert.WhatsApp acquisition from WhatsApp Web, media expiry, session video, cost and bundle verification: the most common questions.
Register for free and download C.E.R.T.O. Desktop for Windows and macOS from your client area.