Air-gapped forensic verification for digital evidence

FACTUM is a command-line tool that runs inside a sealed container with zero network access. It takes an evidence bag, runs seven verification checks, and produces a deterministic verdict: the evidence is intact, or it is not.

STATUS: PUBLIC RELEASE Q3 2026

Air-gapped

Zero network connections. Every check runs offline. Trust anchors are bundled inside the evidence bag. Nothing leaves the container.

Deterministic

Same evidence bag equals same verdict. Always. Run it twice, run it on a different machine. The output is identical.

Fail-closed

If anything is wrong, uncertain, or missing, the verdict defaults to fail. No result is issued without full verification. No ambiguity is accepted.

Seven Steps. One Verdict.

This is a visualization of what happens inside the FACTUM container. The actual tool is a command-line program with no GUI and no web interface. What you see below represents the seven verification steps (0-6) that execute when you run a single command.

The Verifier Is the Security Boundary

Most verification tools check the package. FACTUM checks itself first. The container runs 22 self-verification checks before touching the evidence. If the verifier has been modified, it refuses to run.

Step 0 is Network Isolation. Before any evidence is read, the container proves it has no network connectivity. Sockets are blocked. The import hook is active. Only then do steps 1-6 run.

Other tools trust the runtime. FACTUM treats the runtime as hostile. It checks for shadowed imports, writable memory mappings, unexpected files, and pre-bootstrap code execution. Exit code 4 means the container itself is compromised. Not a software error. A deliberate containment breach detection. The C bootstrap wrapper terminates the process before Python loads.

No network. Not "network optional." Not "works offline too." The container is built with --network none. There is no HTTP client. There are no sockets. The trust anchors are bundled. The CRLs are bundled.

Who This Is For

Digital Forensics

Verify that sealed evidence bags have not been tampered with. Produce verification reports with full cryptographic chain of custody.

Regulatory Compliance

Demonstrate to regulators that your evidence handling process is deterministic, auditable, and not dependent on any single tool vendor or cloud service.

Supply Chain Integrity

Gate release artifacts through a tamper-resistant verification pipeline. If the verifier itself is compromised, it refuses to produce a verdict.

Technical Facts

TEST SUITE: 594 tests, 2 skipped (hardware-dependent)
HARDENING: 22 self-verification checks at boot
PIPELINE: 7 steps (0-6): network isolation, BagIt integrity, Merkle tree, timestamp binding, TSA signature, certificate chain, revocation check
STANDARDS: RFC 8493, RFC 6962, RFC 3161, CMS/PKCS#7, RFC 5280, NIST SP 800-131A
CONTAINER: python:3.11-slim-bookworm, pinned by SHA-256 digest
EXIT CODES: 0 (pass), 1 (fail), 2 (cannot run), 3 (input error), 4 (containment breach)
LANGUAGE: Python 3.11, C bootstrap wrapper
LICENSE: Dual license (open source + commercial), details Q3 2026
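
An added example, not FACTUM's code (which is not yet released): a minimal fail-closed check for the BagIt integrity step on a standard RFC 8493 bag, returning the pass, fail and input-error exit codes listed above. The function names, report fields, finding strings and the decision to reject an empty manifest are assumptions of this example.

```python
import hashlib, json, os

PASS, FAIL, INPUT_ERROR = 0, 1, 3  # exit codes as listed on this page

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def render_report(verdict, findings):
    # Sorted keys and sorted findings: same bag, byte-identical report.
    return json.dumps({"verdict": verdict, "findings": sorted(findings)}, sort_keys=True)

def verify_bag(bag_dir):
    """Return (exit_code, report_json) for a bag with a SHA-256 payload manifest."""
    manifest = os.path.join(bag_dir, "manifest-sha256.txt")
    if not (os.path.isfile(manifest) and os.path.isdir(os.path.join(bag_dir, "data"))):
        return INPUT_ERROR, render_report("input_error", ["manifest or data/ missing"])
    expected, findings = {}, []
    with open(manifest, encoding="utf-8") as f:
        for n, line in enumerate(f.read().splitlines(), 1):
            parts = line.split(None, 1)
            # Reject malformed lines, duplicates, and paths that leave data/.
            if (len(parts) != 2 or parts[1] in expected
                    or not parts[1].startswith("data/") or ".." in parts[1].split("/")):
                findings.append(f"manifest line {n}: rejected")
            else:
                expected[parts[1]] = parts[0].lower()
    on_disk = set()
    for root, _dirs, files in os.walk(os.path.join(bag_dir, "data")):
        for name in files:
            rel = os.path.relpath(os.path.join(root, name), bag_dir)
            on_disk.add(rel.replace(os.sep, "/"))
    for rel in sorted(set(expected) | on_disk):
        if rel not in on_disk:
            findings.append(f"{rel}: listed but missing")
        elif rel not in expected:
            findings.append(f"{rel}: present but not listed")
        elif sha256_file(os.path.join(bag_dir, *rel.split("/"))) != expected[rel]:
            findings.append(f"{rel}: digest mismatch")
    if not expected:
        findings.append("manifest lists no payload files")  # choice of this example
    # Fail-closed: the only path to PASS is zero findings.
    ok = not findings
    return (PASS if ok else FAIL), render_report("pass" if ok else "fail", findings)
```

A payload file that exists on disk but is absent from the manifest is treated the same as a digest mismatch, so content cannot be added to a bag without changing the verdict.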

Seven Answers

01 What is an evidence bag?

A structured package of files following the BagIt format (RFC 8493). It contains the original files, their checksums, a cryptographic Merkle tree, an RFC 3161 timestamp token, and trust anchors. Everything needed for verification is inside the bag.

02 Do I need to be online?

No. FACTUM runs inside a container with no network access. Trust anchors and certificate revocation lists are bundled inside the evidence bag at seal time.

03 What do I need to run it?

Docker on x86_64 Linux. FACTUM is distributed as a Docker image. One command. No installation or host dependencies beyond Docker.

04 What does the output look like?

A JSON file at /output/factum_report.json containing the verdict, assurance level, step-by-step results, and a self-integrity hash. See the example output on this page.

05 Who creates the evidence bag?

Evidence bags are created by sealing tools. LexDelta, developed by Smart Sustainability Lab, produces bags with all the cryptographic artifacts FACTUM needs. FACTUM is a verifier only. It never modifies the evidence.

06 Does FACTUM only work with LexDelta?

FACTUM verifies BagIt bags (RFC 8493). Basic integrity checking works on standard BagIt bags. The full 7-step pipeline requires cryptographic artifacts including a Merkle tree, timestamp token, certificate chain, and revocation data. LexDelta produces bags with all of these.

07 Is FACTUM publicly available?

Not yet. Licensing details will be published at launch. Contact us for early access or partnership discussions.

Get Involved

FACTUM is under active development by Smart Sustainability Lab. Code release and licensing details are expected Q3 2026.

For early access, university validation partnerships, or commercial licensing inquiries:
