how to verify fatcousin exports
fatcousin is not collection-stage chain-of-custody software. it ships a hash-anchored analysis-phase session custody log inside each .fc-case export. this page shows how to check manifest integrity, optional ed25519 signatures, proof-engine reproducibility, and the local-first network contract — without trusting the website ui alone.
what you can verify
- manifest.sha256 sidecar — sha256sum-format sidecar over manifest.json bytes inside the zip. recomputed hash must match the sidecar.
- optional ed25519 signatures — when present, signature.json carries detached signatures over the canonical custody log payload and over manifest.json bytes. verify both against the embedded public key.
- append-only custody events — the session custody log records discrete events (runs, exports, corrections). corrections are new events, not silent edits. this is not a per-event hash chain or blockchain-style linkage.
- golden replay (proof / fixture tools only) — committed fixture packs at /forensics/proof let you replay engine output against known-good hashes. this validates tool behavior on synthetic evidence — not live case files you processed in a private session.
verify in the browser
drag a .fc-case file onto /forensics/sessions (or use the import control). before anything lands in your browser store, the import preview shows integrity notices. read them before confirming.
- manifest.sha256
  - match — recomputed sha256 of manifest.json matches the sidecar in the archive
  - mismatch — sidecar and actual manifest bytes disagree; archive modified after export
  - sidecar absent — older export (pre-3.1); content may still load but there is no in-zip tamper check on the manifest
- signature.json
  - both signatures ok — custody log payload and manifest signatures verify against the embedded public key
  - partial fail — one signature ok, one fail; archive modified after signing or key mismatch
  - algorithm unsupported — signed archive opened in a browser that cannot verify that algorithm; try a recent chromium / firefox / safari
  - absent — unsigned export; fine if you did not expect a signature
- duplicate session id — if your store already has that id, import lands as a new copy with a fresh id and the suffix (imported); existing work is untouched
- missing embedded attachments — warning only, not a hard fail. run manifests still reference attachment hashes so you can re-run the originating tool to repopulate
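the manifest.sha256 check described above, as an added stdlib-only python example (not fatcousin's own tooling, which the site does not ship): it recomputes sha256 over manifest.json bytes, parses the sha256sum-format sidecar, and reports the same three outcomes the import preview shows. it assumes both members sit at the zip root under those exact names; the archives it checks are constructed in memory, and ed25519 signature verification is not covered.

```python
import hashlib
import io
import zipfile

# outcome labels mirror the three manifest.sha256 notices in the import preview
MATCH, MISMATCH, SIDECAR_ABSENT = "match", "mismatch", "sidecar absent"


def parse_sha256sum(text):
    """Parse sha256sum-format text ('<hex>  <name>' per line) into {name: hex}."""
    digests = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        hexdigest, _, name = line.partition(" ")
        # sha256sum puts two spaces (or ' *' in binary mode) before the name
        digests[name.lstrip(" *")] = hexdigest.lower()
    return digests


def check_manifest_sidecar(fc_case_bytes):
    """Recompute sha256 over manifest.json and compare with the sidecar.
    Assumption: both members sit at the zip root under those exact names."""
    with zipfile.ZipFile(io.BytesIO(fc_case_bytes)) as zf:
        names = set(zf.namelist())
        if "manifest.json" not in names:
            raise ValueError("not a usable .fc-case archive: manifest.json missing")
        if "manifest.sha256" not in names:
            return SIDECAR_ABSENT  # pre-3.1 export: no in-zip tamper check
        expected = parse_sha256sum(zf.read("manifest.sha256").decode("utf-8"))
        actual = hashlib.sha256(zf.read("manifest.json")).hexdigest()
    return MATCH if expected.get("manifest.json") == actual else MISMATCH


def build_sample_case(manifest, hashed_bytes=None):
    """Build a minimal archive in memory (constructed sample, not a real export).
    hashed_bytes is what the sidecar digest covers; differing from manifest
    simulates post-export modification, None simulates a pre-3.1 export."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("manifest.json", manifest)
        if hashed_bytes is not None:
            digest = hashlib.sha256(hashed_bytes).hexdigest()
            zf.writestr("manifest.sha256", f"{digest}  manifest.json\n")
    return buf.getvalue()


SAMPLE_MANIFEST = b'{"session_id": "demo-0001", "events": []}'  # constructed
```

run `check_manifest_sidecar` over a real .fc-case read from disk to get the same match / mismatch / sidecar absent verdict the browser preview reports.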
verify offline (on request)
browser import at /forensics/sessions is the primary verification path — manifest sidecar match, optional ed25519 signatures, and import warnings use the same checks as offline tooling.
qualified reviewers (counsel, opposing experts, dfir leadership) can email labs@fatcousin.com to request offline .fc-case verification tooling. the public site does not ship source access.
verify tool output / goldens
each forensics tool run can emit a reproducibility receipt: tool slug, semver, build sha, input and output sha-256 digests. for proof scenarios, committed golden json files capture expected engine output on synthetic fixture packs.
- open any scenario at /forensics/proof, download the evidence pack, and replay in your browser — compare output digests to the receipt on the proof page
- each proof page publishes downloadable goldens and evidence zips via the site api — no source checkout required
golden replay is an engineering reproducibility check — it supports examiner testimony and counsel review but is not a substitute for upstream acquisition integrity or qualified legal advice.
verify nothing left the device
user evidence bytes are never uploaded. confirm independently:
- open browser devtools → network tab while running a tool or importing a session. you should see static assets (tool bundles, wasm, fonts) — not post bodies containing your files
- click verify → in the bottom-right corner on any page. the global verify panel logs outbound fetch, xhr, websocket, worker, and wasm activity from a wrapped monitor bus — if it shows no network requests while you process files, the local-first contract held for that session
- architecture detail: whitepaper · local-first
honest limits
verification here covers analysis-phase session artifacts and proof-engine reproducibility — not whether upstream imaging followed lab sop, not whether a judge will admit anything, and not whether pre-export browser storage was tampered with before you signed at export time.
- what ships and what does not: scope · record-keeping
- external standard mapping (qualified rows): standards · analysis-phase
- citation templates for reports: /forensics/cite