Certification & Online Trace Collection · service active
WACZ · ISO 28500/ eIDAS timestamping/ Client area
C.E.R.T.O.
Sign in Register free
IT EN
C.E.R.T.O. / Use cases

Nine stories where evidence vanishes.

A review gone by midnight, a chat “deleted for everyone”, a Telegram channel wiped the moment it senses legal action, a shared Drive cleaned out remotely. Every C.E.R.T.O. module is born from a concrete problem: turning ephemeral online content into a stable, dated and verifiable exhibit before it disappears. Here we tell it through nine complete scenarios, one per module.

The review that was gone by midnight.

A client discovers a fake, defamatory review that is sinking the reputation of his restaurant. He knows a single report is enough for the author to take it down: tomorrow it may be gone. The lawyer cannot walk into court with a phone screenshot — it would be dismissed in two lines.

With the Web pages module he acquires the page in the exact state it appears. The result is not an image, but a bundle: the WACZ archive replayable offline byte for byte, full-page screenshots, the HTTP traffic (HAR), TLS certificates and the HTML rendered after JavaScript runs, sealed with a double timestamp. When the author deletes the review, the evidence is already frozen and verifiable by anyone — even the opposing expert.

In the bundle: WACZ archive · full-page screenshots · HAR traffic · TLS · video · RFC 3161
Open the module

Her photo, on someone else's site.

A photographer finds one of her protected shots used without a licence in a company's online catalogue. To act she must prove two things: that the file was exactly there, and when. A normal download leaves no admissible trace of origin and date.

The Files module downloads the exact byte-stream delivered by the server and records URL, IP, HTTP headers and TLS certificates, computing four cryptographic hashes and applying the double timestamp. The extracted EXIF/XMP metadata reveal the camera signature and the editing history: proof that the image is hers, published there, on that date.

In the bundle: original file · HTTP headers · server IP · EXIF/XMP · MD5/SHA-256 · RFC 3161
Open the module

“I never received that certified mail.”

In a commercial dispute the other party denies receiving the formal notice sent by certified mail (PEC) and questions the genuineness of the message in the client's mailbox. Forwarding the email is not enough: headers are lost and receipts can be tampered with.

The Email/PEC module connects to the mailbox read-onlyEXAMINE, BODY.PEEK: flags do not change, the mailbox stays intact — and preserves the original EML with all headers. For PEC it validates the transport envelope, the daticert.xml and the provider's S/MIME signature (AgID-accredited), acquiring the acceptance and delivery receipts. Certified origin and date of the message become incontestable.

In the bundle: EML original · Received header chain · daticert.xml · S/MIME signature · PEC receipts
Open the module

The messages the boss can delete for everyone.

An employee suffers pressure and verbal harassment documented only in a WhatsApp chat with her manager. She knows a single tap lets him delete the messages “for everyone”, and that media — photos, videos, audio — expire on WhatsApp's servers: after a while they can no longer be downloaded. She must act before they vanish.

Operating from WhatsApp Web, the module captures messages, attachments and media, session metadata and records a video of the whole operation, computing the hash of every item. The conversation is faithfully reconstructed in an offline dashboard and sealed with a double RFC 3161 timestamp: evidence that survives even if the other party deletes everything.

In the bundle: messages · media & attachments · session video · account metadata · RFC 3161
Open the module

A channel selling fakes to 40,000 subscribers.

A brand discovers a Telegram channel peddling counterfeit copies of its products to tens of thousands of subscribers. The admins can make it private or wipe it the moment they sense legal action: its content must be frozen now.

The Telegram module acquires private chats, groups, supergroups and channels from Telegram Web: posts with date and author, hundreds of media, the metadata, always with a session video. The rate is flat whatever the volume — a channel with thousands of items costs the same as a short chat — and every media item carries its own fingerprint into the bundle.

In the bundle: channel posts · media (photo/video/doc) · metadata · session video · SHA-256
Open the module

The photo that “proves” too much.

In a damages case one party files a photograph as decisive evidence. The other side challenges its authenticity: is it original or retouched? Was it really taken in that place and on that date? The attached screenshot cannot answer.

The Images module certifies the file and runs an in-depth forensic analysis: it extracts EXIF/IPTC/XMP metadata and GPS coordinates, computes cryptographic and perceptual hashes and runs Error Level Analysis, histogram, Luminance Gradient, Level Sweep and the JPEG quantization tables. It distinguishes normal photographic development from traces of re-processing, giving the expert every technical element to rule on authenticity.

In the bundle: EXIF/IPTC/XMP · GPS · perceptual hashes · ELA · JPEG tables · C2PA provenance
Open the module

What can only be seen on screen.

During an internal inspection one must fix the state of a business application or a home-banking dashboard: it is not an archivable web page, it is a live application, visible only on the operator's monitor at that instant. A “normal” screenshot is an editable file, devoid of context.

It is not a simple screenshot: the operator only selects the monitor or region and triggers the capture, but does not interact with the acquired image, nor can they modify it — the system produces it. Together the PC and display state is acquired, with cryptographic and perceptual hashes, and everything is immediately sealed with a double RFC 3161 timestamp.

In the bundle: system-produced image · PC & display state · cryptographic and perceptual hashes · RFC 3161
Open the module

The server that might change tonight.

In a dispute over a website one must freeze the contents of the remote server before it is modified or cleaned out. Downloading files by hand, one by one, guarantees neither completeness nor integrity, and risks altering the source state.

The FTP/SFTP module accesses read-only — without modifying, deleting or altering any file — and recursively copies the whole filesystem, preserving its tree map and computing the hash of every file. The rate is flat, independent of size and file count: whether you copy one file or a whole site, the exhibit is a complete, verifiable snapshot of the server.

In the bundle: recursive read-only copy · server tree · per-file hashes · RFC 3161
Open the module

The Drive the other party can wipe remotely.

In a corporate case — or a separation — the relevant documents live in a shared Google Drive, Dropbox or OneDrive account. A few clicks, from anywhere in the world, are enough to modify them, re-share them or delete them. By the time it reaches court, they may be gone.

The Cloud module accesses via official OAuth (no password stored) and copies the files comparing the provider-declared hash with the locally recomputed one — proof of provenance, not just integrity. It analyses sharing and exposure, revision history and, where possible, the trash: the cloud account crystallised as it was, before it changes.

In the bundle: files + provider hash comparison · sharing · revisions · trash · OAuth · RFC 3161
Open the module
Who relies on it

One tool, different professions.

The common thread: not being able to afford contestable evidence.

Lawyers, court & party experts. They bring pages, emails, chats and documents to court with a full chain of custody, knowing the bundle withstands technical cross-examination because anyone can reproduce the verification, even offline.

Cybersecurity & DFIR. During incident response they freeze phishing pages, compromised servers and volatile traces before they vanish, with hashes and a timestamp that fix the “when”.

Companies & compliance. They document trademark infringement, counterfeit channels, audits and due diligence with admissible exhibits, without relying on improvised screenshots.

Investigators & OSINT. They fix social content, profiles and cloud accounts at the exact moment they are visible, before they are made private or deleted.

Law enforcement & judicial police. They collect digital sources of evidence in the field with a repeatable, documented procedure, ready for filing and for expert cross-examination.

Journalists & fact-checkers. They preserve online posts, articles and statements before they are removed or retracted, with a certified date that protects the source and the story.

Insurance & anti-fraud experts. They document claims, listings and suspect profiles, and verify the authenticity of photos filed to support a payout.

Labour consultants & HR. They handle whistleblowing reports and internal investigations, collecting chats, emails and screens in a non-altering, defensible way.

Notaries & attestation professionals. They give certified date and integrity to digital content, from online documents to web pages, with a bundle anyone can verify.

Public administration & bodies. They record the state of portals, services and online publications for audits, disputes and transparency.

Brand owners & creators. They prove unauthorised use of trademarks, photos and original content, fixing the infringement while it is online.

Mediators, arbitrators & ADR. They bring neutral, incontestable digital evidence to the table, cutting down disputes over the authenticity of exhibits.

Unions & worker associations. They document communications and content relevant to protecting workers, with evidentiary value.

Your next exhibit, certified.

Whatever your field, C.E.R.T.O. produces digital evidence with full legal value, on Windows and macOS.

Register free Contact us