// alignment · public · forward-looking

international standards alignment

4004forensic tools
·
52case types
·
56industry verticals
·
52methodology guides
·
50quick-start checklists
·
54fixture packs
·
54published proof pages
·
43compare pairs
·
3995vendor-fidelity audits
·
45glossary terms

all counts derive from the on-disk catalog at render time. nothing on this page is hand-maintained. last reviewed: 2026-05-26 (synced to the forensics changelog entry for this surface).

this page documents where fatcousin forensics stands today against every major international standard for digital evidence — SWGDE, NIST, ISO/IEC, ACPO/NPCC, ENFSI, RFC 3227, Daubert, Frye, OSAC, and ASTM E2916. it is updated as alignment changes and never claims more than the architecture supports. gaps are named as planned milestones with a clear path to completion, not as permanent limitations.

how to read this page

SATISFIES: fatcousin fully meets this requirement through existing architecture and documentation.
IN PROGRESS: fatcousin's architecture supports this; formal documentation or third-party validation is underway.
PLANNED: not yet done; on the active roadmap with a clear path to completion. see the roadmap section at the bottom of this page for what closes each one.
OUT OF SCOPE: requirement applies to physical evidence collection or laboratory equipment; fatcousin is a browser-based analysis tool and the requirement does not apply by definition.

// section 1 · swgde

SWGDE — scientific working group on digital evidence

authorityFBI-backed · US Department of Justice · used by federal law enforcementurlswgde.orgjurisdictionUnited States (primary), globally referenced by courts worldwide

SWGDE 18-Q-001 v2.1 (March 2024): Minimum Requirements for Testing Tools Used in Digital and Multimedia Forensics

the most directly applicable SWGDE document for fatcousin.

5.3 forensic analysis tools — fatcousin's primary category per SWGDE taxonomy

requirement	status	evidence
Known dataset testing with documented expected results	SATISFIES	fixture packs with MANIFEST.sha256 hashes + published goldens — see evidence library and proof index
Testing before tool deployment	SATISFIES	CI suite runs on every push/PR — goldens enforced automatically
Testing after major updates	SATISFIES	CI enforcement is automatic; version-gated
Results documented	SATISFIES	public, live quality dashboard
Anomalies documented	IN PROGRESS	vendor-fidelity audit flags schema mismatches; per-tool anomaly log being formalized
Independent tester	PLANNED	third-party credentialed examiner validation on the roadmap (see roadmap section below)

5.6 in-house developed tools — applies directly; fatcousin tools are custom-built

requirement	status	evidence
Known dataset used	SATISFIES	fixture packs
Results published	SATISFIES	quality dashboard is public
Independent tester for critical tools	PLANNED	credentialed examiner engagement is the next milestone (see roadmap section below)

section 6 · documentation of testing results — required fields

field	status	evidence
Purpose and scope of testing	SATISFIES	rubric documents this fully
Who performed testing	IN PROGRESS	self-reported today; independent validation planned
Date	SATISFIES	changelog with dates + commit hashes
Testing procedure	SATISFIES	vendor-fidelity audit methodology
Datasets / expected results	SATISFIES	fixture packs + published goldens — evidence library
Actual results	SATISFIES	quality dashboard
Anomalies and significance	IN PROGRESS	vendor-fidelity audit; per-tool formalization in progress
Limitations	SATISFIES	scope page

SWGDE 18-F-001 v2.0 (July 2025): Best Practices for Computer Forensic Examinations

requirement	status	evidence
Evidence integrity / hash verification	SATISFIES	SHA-256 input/output hashes in chain of custody log
Documentation of examination steps	SATISFIES	session manager captures all steps — see sessions
Chain of custody	SATISFIES	immutable session log in .fc-case archive
Tool version recording	SATISFIES	version captured in every session
Report writing	SATISFIES	exhibit report export

SWGDE 23-Q-001 v1.1 (2024): Best Practices for Personnel Presenting Digital Evidence in Legal Proceedings

requirement	status	evidence
Output reproducible	SATISFIES	reproducibility report export + deterministic goldens
Tool version documented	SATISFIES	session records exact version
Methodology explainable	SATISFIES	methodology guides + rubric
Limitations disclosed	SATISFIES	scope page + disclaimer

SWGDE 12-F-006 v2.0 (2024): Core Competencies for Digital Forensics

this document defines examiner competencies, not tool requirements. fatcousin's alignment is in the affirmative behavior — methodology guides reference recommended examiner qualifications and the scope page + disclaimer explicitly state that fatcousin does not replace a qualified examiner.

status	note
SATISFIES	the "tools must not claim to substitute for examiner competency" expectation — methodology pages defer to qualified examiners; the rubric, scope page, and disclaimer say so explicitly.

SWGDE 18-F-002 v2.0 (2025): Best Practices for Digital Evidence Collection

this covers physical evidence collection — write blockers, Faraday cages, field seizure procedures. fatcousin is a browser-based analysis tool. physical collection requirements are OUT OF SCOPE by definition — they apply to hardware, not to browser-based analysis software.

SWGDE 21-F-001 v1.1 (2024): Best Practices for Acquiring Online Content

status	note
IN PROGRESS	online content analysis tools exist in fatcousin; formal mapping against 21-F-001 requirements in progress.

SWGDE 23-F-004 v1.1 (2024): Best Practices for Cloud Service Provider Evidence

status	note
IN PROGRESS	cloud forensics vertical exists; formal SWGDE 23-F-004 alignment mapping in progress.

// section 2 · nist

NIST — national institute of standards and technology

authorityUS federal government · Department of Commerceurlnist.gov · cftt.nist.govjurisdictionUnited States (primary), globally referenced

NIST SP 800-86: Guide to Integrating Forensic Techniques into Incident Response

four forensic phases:

collection phase

requirement	status	evidence
Minimize alteration of original evidence	SATISFIES	browser-only, read-only processing, zero writes
Document chain of custody	SATISFIES	immutable session log
Validated tools	IN PROGRESS	self-validated today; CFTT submission planned

examination phase

requirement	status	evidence
Forensically sound methods	SATISFIES	local processing, no data transmission
Document examination steps	SATISFIES	session manager
Hash verification	SATISFIES	SHA-256 input/output hashes

analysis phase

requirement	status	evidence
Documented methodology	SATISFIES	methodology guides per case type (52 guides)
Reproducible results	SATISFIES	deterministic engines + published goldens + fixture packs
Tool version recorded	SATISFIES	session captures exact version

reporting phase

requirement	status	evidence
Tool name + version in report	SATISFIES	exhibit report captures this
Methodology explainable	SATISFIES	methodology guides
Limitations disclosed	SATISFIES	scope page + disclaimer

NIST CFTT — Computer Forensics Tool Testing Program

status	note
PLANNED	formal submission of flagship tools planned. the fixture pack + published goldens architecture is structurally compatible with CFTT methodology. target tools: `checksum-verifier`, `disk-image-hasher`, `file-autopsy`, `apk-analyzer`. CFTT federated testing is available for string searching — relevant to fatcousin's search tools.

// section 3 · iso/iec international standards

ISO/IEC international standards

authorityInternational Organization for Standardization + International Electrotechnical Commissionjurisdictionglobal — broad international membership

ISO/IEC 27037:2012 — Identification, Collection, Acquisition, and Preservation of Digital Evidence

most widely cited international standard. core principle: minimization of alteration.

requirement	status	evidence
Minimize alteration of evidence	SATISFIES	browser-only, read-only, zero writes
Document who/when/how	SATISFIES	session manager records all examiner actions with timestamps
Cryptographic hash verification	SATISFIES	SHA-256 input/output hashes in chain of custody log
Chain of custody	SATISFIES	immutable session log in .fc-case archive
Write blocking	OUT OF SCOPE	browser tools process in memory; no write to storage media. architectural equivalent exists through read-only processing.
Bit-for-bit copy verification	OUT OF SCOPE	fatcousin analyzes files; it does not image disks. disk imaging is outside browser tool scope.

ISO/IEC 27041:2015 — Assurance in Selecting and Testing Incident Investigative Methods

requirement	status	evidence
Tool selection criteria documented	SATISFIES	public rubric with B-minimum grading methodology
Tool testing methodology	SATISFIES	vendor-fidelity audit + fixture packs
Performance verification	SATISFIES	goldens + CI on every push
Independence of testing from development	PLANNED	self-tested today; third-party examiner validation planned

ISO/IEC 27042:2015 — Analysis and Interpretation of Digital Evidence

requirement	status	evidence
Structured analysis methodology	SATISFIES	methodology guides per case type
Chain of custody during analysis	SATISFIES	session manager
Reproducible results (same inputs → same outputs)	SATISFIES	deterministic engines + published goldens
Integrity of analytical process	SATISFIES	local-first, zero telemetry, no external transmission during analysis
Limitations acknowledged	SATISFIES	scope page + per-tool maturity badges in rubric

ISO/IEC 27043:2015 — Incident Investigation Principles and Processes

requirement	status	evidence
Incident readiness	SATISFIES	50 quick-start sheets for first-10-minutes triage
Investigation framework	SATISFIES	case-type organization (52 types) maps to 27043 phases
Process documentation	SATISFIES	methodology guides cover all phases

ISO/IEC 27050 — Electronic Discovery

status	note
IN PROGRESS	eDiscovery vertical exists with dedicated tools; formal ISO 27050 alignment mapping in progress.

// section 4 · acpo / npcc

ACPO / NPCC — UK good practice guide for digital evidence

authorityAssociation of Chief Police Officers (now NPCC) · version 5, 2012jurisdictionUK (primary), globally cited — referenced in proceedings worldwide

the four ACPO principles are the foundational global framework for digital evidence integrity.

principle 1 — no action should change data which may subsequently be relied upon in court

principle	status	evidence
no action should change data which may subsequently be relied upon in court.	SATISFIES	browser-only processing, zero writes to evidence files, all processing in memory. evidence files are never modified.

principle 2 — a person accessing original data must be competent to do so and able to explain their actions

principle	status	evidence
a person accessing original data must be competent to do so and able to explain their actions.	SATISFIES	scope page, disclaimer, and methodology guides explicitly require examiner qualification. fatcousin does not replace a competent examiner — this is stated in the disclaimer and scope page.

principle 3 — an audit trail of all processes should be created and preserved

principle	status	evidence
an audit trail of all processes should be created and preserved. an independent third party should be able to examine those processes and achieve the same result.	SATISFIES	immutable chain-of-custody log, session manager, reproducibility report export, deterministic engines with published goldens. the reproducibility report is specifically designed for third-party verification.

principle 4 — the person in charge of the investigation has overall responsibility

principle	status	evidence
the person in charge of the investigation has overall responsibility for ensuring the law and these principles are adhered to.	SATISFIES	disclaimer section 6 explicitly places legal responsibility on the user/investigator. fatcousin provides the tools; the investigator holds responsibility.

// section 5 · enfsi

ENFSI — european network of forensic science institutes

authorityEU-recognized monopoly organization for forensic science in Europe · broad institutional membership across the EUurlenfsi.eujurisdictionEurope (primary), globally referenced

ENFSI best practice manual for the forensic examination of digital technology

requirement	status	evidence
Evidence integrity	SATISFIES	same as ISO 27037 — browser-only, read-only, hash-verified
Chain of custody	SATISFIES	.fc-case session log
Methodology documentation	SATISFIES	methodology guides
Reproducibility	SATISFIES	deterministic engines + published goldens
Quality management documentation	SATISFIES	public rubric + quality dashboard
Formal QMS (ISO 17025/17020)	PLANNED	not yet established. planned as fatcousin matures toward laboratory-grade validation.
External accreditation	PLANNED	not yet accredited. roadmap item.

ENFSI quality assurance programme

requirement	status	evidence
Public quality documentation	SATISFIES	quality dashboard + rubric
Internal proficiency testing	SATISFIES	fixture packs function as internal proficiency tests with known inputs and expected outputs
External proficiency testing	PLANNED	participation in external comparison exercises planned

// section 6 · rfc 3227

RFC 3227 — IETF guidelines for evidence collection and archiving

authorityInternet Engineering Task Force Best Current Practice (BCP 55)publishedFebruary 2002jurisdictioninternet standard, globally applicable

principle	status	evidence
Capture accurate picture of system	SATISFIES	tools produce faithful representations; hash-verified
Keep detailed notes with dates and times	SATISFIES	session manager timestamps all actions
UTC time notation	IN PROGRESS	local timestamp recorded; UTC normalization documentation in progress
Be prepared to testify outlining all actions	SATISFIES	session log + exhibit report designed for this purpose
Order of volatility (most volatile first)	SATISFIES	50 quick-start guides explicitly address evidence collection order
Chain of custody	SATISFIES	.fc-case session log
Transparency of collection process	SATISFIES	local process monitor (VERIFY panel) on every forensics page — shows every operation in real time

// section 7 · daubert

Daubert standard

authorityUS Supreme Court — Daubert v. Merrell Dow Pharmaceuticals (1993)codifiedFederal Rules of Evidence Rule 702jurisdictionUS federal courts + majority of US state courts

the five Daubert factors for admissibility of expert testimony and forensic evidence:

factor 1 — testability: can the technique be tested?

factor	status	evidence
Can the technique be tested?	SATISFIES	fixture packs with known inputs + published goldens. any examiner can reproduce exact outputs using any fixture pack — see evidence library. the CI suite proves testability on every release.

factor 2 — peer review and publication

factor	status	evidence
Has the technique been subjected to peer review and publication?	PLANNED	quality dashboard, rubric, and changelog are public and open to scrutiny. formal academic peer review (DFRWS submission) is the next step. open-source / transparent tools satisfy this factor more readily than closed-source tools — the openness of fatcousin's methodology is directly relevant.

factor 3 — known error rate

factor	status	evidence
Is the known or potential error rate acceptable?	IN PROGRESS	vendor-fidelity audit (3995 audits) documents tool gaps and schema mismatches across the fleet. formal error rate per tool category is being formalized for publication.

factor 4 — standards and controls

factor	status	evidence
Are there standards controlling the technique's operation?	SATISFIES	public rubric with B-minimum grading, CI enforcement on every push, versioning, vendor-fidelity audit methodology — all documented publicly and verifiable.

factor 5 — general acceptance

factor	status	evidence
Is the technique generally accepted in the relevant scientific community?	IN PROGRESS	fatcousin is a new tool and does not yet claim general acceptance. SWGDE alignment, NIST CFTT submission, and academic peer review are the active path to this factor; until those land, this row remains IN PROGRESS.

important: Daubert admissibility is determined by the court, not by the tool vendor. fatcousin's exhibit report and chain of custody system are designed to support admissibility arguments, but no tool vendor can guarantee admissibility in any specific proceeding.

// section 8 · frye

Frye standard

authorityFrye v. United States (1923)jurisdictionused in some US states including New York, California, Florida, and others

requires that scientific techniques be "generally accepted in the relevant scientific community."

status	note
IN PROGRESS	SWGDE alignment addresses the general acceptance requirement for US law enforcement. planned third-party validation and peer review are the active path to this standard; until those land, this row remains IN PROGRESS.

// section 9 · osac

OSAC — organization of scientific area committees

authorityNIST-hosted body · develops and endorses forensics standards for US courtsurlnist.gov/osacjurisdictionUnited States

OSAC has formally endorsed the following SWGDE documents. fatcousin's alignment status with each:

OSAC-endorsed SWGDE document	status	note
SWGDE 17-F-002: Best Practices for Computer Forensic Acquisitions	OUT OF SCOPE	covers physical acquisition (disk imaging, write blockers, hardware seizure). fatcousin is a browser-based analysis tool and does not perform acquisition; the document is out of scope by architecture.
SWGDE 18-Q-001: Minimum Requirements for Testing Tools	SATISFIES	fully addressed in SWGDE Section 1 above (5.3, 5.6, Section 6 tables).
SWGDE 21-F-001: Best Practices for Acquiring Online Content	IN PROGRESS	addressed in SWGDE Section 1 above.
SWGDE 23-F-003: Best Practices for IoT Seizure and Analysis	OUT OF SCOPE	"seizure" portion is physical evidence collection and out of scope. IoT artifact analysis where exports are available (smart-home logs, IoT pcaps) is covered by the smart-home compromise case type; formal 23-F-003 mapping pending.
SWGDE 23-F-004: Best Practices for Cloud Evidence	IN PROGRESS	addressed in SWGDE Section 1 above.

status	note
IN PROGRESS	overall OSAC alignment is in progress as the underlying SWGDE alignment matures. analysis-tool-relevant documents are addressed in their dedicated sections; physical-acquisition documents are out of scope by architecture.

// terminology · swgde / astm e2916 alignment

terminology · SWGDE / ASTM E2916 alignment

fatcousin maintains its own forensics glossary with 45 terms. terminology is being harmonized with SWGDE's published glossary (swgde.org/glossary) and the ASTM E2916 Standard Terminology for Digital and Multimedia Evidence Examination. where fatcousin uses the same term as SWGDE/ASTM, alignment is noted; where fatcousin uses a different term for the same concept, it is flagged for harmonization. courts and opposing counsel will challenge terminology that does not match accepted standards — this is an active maintenance surface.

ASTM E2916 — Standard Terminology for Digital and Multimedia Evidence Examination

authorityASTM International (US-based international standards body)jurisdictionUS-facing, referenced in SWGDE documents

status	note
IN PROGRESS	fatcousin glossary exists at /forensics/glossary with 45 terms. formal harmonization with ASTM E2916 terminology in progress. this is required for SWGDE alignment to be complete — SWGDE 18-Q-001 references ASTM E2916 directly in its references section.

// source documents · canonical references

source documents

canonical publication URLs for every standard referenced on this page. links point to the issuing body directly; if a URL changes upstream, the standard's name remains the lookup key.

document	source
SWGDE 18-Q-001 — Minimum Requirements for Testing Tools	swgde.org
SWGDE Forensics document list	swgde.org
SWGDE Quality & Standards document list	swgde.org
NIST SP 800-86 — Guide to Integrating Forensic Techniques into Incident Response	nvlpubs.nist.gov (PDF)
NIST CFTT — Computer Forensics Tool Testing Program	cftt.nist.gov
NIST OSAC — Digital Evidence Subcommittee	nist.gov
ACPO Good Practice Guide for Digital Evidence v5 (2012)	digital-detective.net (PDF mirror)
ENFSI Best Practice Manuals (digital evidence working group)	enfsi.eu
RFC 3227 — IETF Guidelines for Evidence Collection and Archiving (BCP 55)	rfc-editor.org
Daubert v. Merrell Dow Pharmaceuticals (1993) — overview	forensisgroup.com
ISO/IEC 27037, 27041, 27042, 27043, 27050 — purchase via ISO	iso.org
ASTM E2916 — Standard Terminology for Digital and Multimedia Evidence Examination	astm.org
Digital Evidence Standards Compared — cross-standard overview	truescreen.io

// roadmap · what closes the gaps

roadmap · what closes the gaps

every PLANNED and IN PROGRESS row above maps to one of the milestones below. each milestone has a clear completion criterion.

independent third-party examiner validation. a credentialed examiner (EnCE / GCFE / GCFA) runs the fixture packs end-to-end, publishes findings publicly. closes the "independent tester" and "who performed testing" rows under SWGDE and the "independence of testing from development" row under ISO/IEC 27041.
NIST CFTT formal tool submission for flagship tools. target submissions: checksum-verifier, disk-image-hasher, file-autopsy, apk-analyzer. closes the NIST CFTT row and contributes to Daubert factor 2 (peer review) and factor 5 (general acceptance).
DFRWS academic peer review submission. a write-up of the local-first browser-based forensics architecture, the fixture/goldens test substrate, and the session-based chain-of-custody model. closes Daubert factor 2.
formal error rate publication per tool category. derived from the existing vendor-fidelity audit corpus and the published goldens. closes Daubert factor 3.
SWGDE alignment document publication. a hand-maintained alignment matrix submitted to SWGDE for review, mapping every SWGDE 18-Q-001 / 18-F-001 / 23-Q-001 requirement to fatcousin behavior. closes Frye and OSAC general-acceptance rows.
ASTM E2916 terminology harmonization in forensics glossary. closes ASTM E2916 row and is a prerequisite for full SWGDE alignment.
ISO 17025 / 17020 QMS establishment. formal quality management system documentation. closes ENFSI QMS row and the external-accreditation row.
external proficiency testing. participation in ENFSI-style comparison exercises with other digital forensics labs. closes ENFSI external-proficiency row.
per-tool anomaly log formalization. currently captured implicitly via the vendor-fidelity audit (3995 audits today); formalized into a per-tool published anomaly register. closes the SWGDE "anomalies documented" row.
UTC normalization documentation. documentation pass on RFC 3227 UTC time notation requirements, plus surface UTC labeling everywhere a timestamp is displayed. closes the RFC 3227 UTC row.
formal SWGDE 21-F-001 mapping document. a per-requirement alignment matrix for acquiring online content — covers our archive / screenshot / web evidence tooling against the document's requirements. closes the SWGDE 21-F-001 IN PROGRESS row.
formal SWGDE 23-F-004 mapping document. per-requirement alignment matrix for cloud service provider evidence — covers our cloud / SaaS forensics vertical. closes the SWGDE 23-F-004 IN PROGRESS row.
formal ISO/IEC 27050 mapping document. per-requirement alignment matrix for the electronic discovery lifecycle — covers our eDiscovery vertical. closes the ISO/IEC 27050 IN PROGRESS row.
formal SWGDE 23-F-003 IoT mapping document. per-requirement alignment matrix for the analysis portion of IoT evidence (export-driven artifact analysis) — physical seizure remains OUT OF SCOPE by architecture. closes the OSAC 23-F-003 analysis-coverage note.