Digital Forensics & Security with Zeq
Digital forensics demands provably accurate analysis with legal admissibility. Zeq provides HulyaForensics for evidence analysis and pulse-synced chains of custody for law enforcement.
Use Case: Evidence Processing Lab
The Problem
Traditional forensics:
- Manual analysis (slow, error-prone)
- No mathematical proof of accuracy
- Chain of custody documentation (paper trails)
- Admissibility challenges in court
The Solution with Zeq
Zeq provides:
- HulyaForensics: Automated forensic analysis with proof
- Pulse-synced timestamps: Legal audit trail
- Fingerprint matching: Deterministic identification
- Court-admissible proofs: ZeqProof replaces expert testimony
Architecture
```
Digital Evidence   →   Zeq                →   Analysis Report   →   Court Submission
(Files, Images)        (HulyaForensics)       (With ZeqProof)       (Admissible)
       │                      │                      │                      │
       └──────────────────────┴──────────────────────┴──────────────────────┘
                          Pulse-synced chain of custody
```
Core APIs
Digital Forensic Analysis (1)
Analyze digital evidence:
```bash
curl -X POST "https://zeq.dev/api/forensics/analyze" \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer $ZEQ_TOKEN" \
  -d '{
    "evidence_id": "case_2024_001_exhibit_a",
    "case_number": "2024_12345",
    "evidence_file": {
      "filename": "recovered_disk_image.dd",
      "file_hash_md5": "abc123def456",
      "file_hash_sha256": "abc123def456abc123def456",
      "file_size_bytes": 1099511627776,
      "acquisition_date": "2024-01-15T10:30:00Z"
    },
    "analysis_type": "full_forensic",
    "target_artifacts": [
      "deleted_files",
      "slack_space",
      "file_metadata",
      "internet_history",
      "email_messages",
      "file_carving"
    ],
    "chain_of_custody": {
      "investigator_id": "inv_12345",
      "agency": "city_police",
      "seizure_date": "2024-01-15T08:00:00Z"
    }
  }'
```
Response:
```json
{
  "success": true,
  "data": {
    "evidence_id": "case_2024_001_exhibit_a",
    "analysis_status": "complete",
    "timestamp": 1704067200,
    "analysis_report": {
      "evidence_summary": {
        "file_count": 45234,
        "deleted_file_count": 8752,
        "total_recovered_bytes": 234567890,
        "analysis_duration_minutes": 47
      },
      "artifacts_found": {
        "suspicious_files": 23,
        "email_messages": 12456,
        "web_history_entries": 34567,
        "deleted_files_recovered": 8752,
        "slack_space_data": true
      },
      "notable_findings": [
        {
          "finding_id": "finding_1",
          "type": "suspicious_executable",
          "filename": "system32\\malware.exe",
          "file_hash_sha256": "xyz789abc456",
          "risk_level": "critical",
          "detected_time": "2024-01-14T15:22:00Z"
        },
        {
          "finding_id": "finding_2",
          "type": "deleted_email",
          "from": "suspect@email.com",
          "to": "co_conspirator@email.com",
          "subject": "Operation details",
          "date": "2024-01-10T09:15:00Z",
          "recovery_status": "recovered_from_slack_space"
        }
      ]
    },
    "chain_of_custody_proof": "zeqproof_forensics_abc123...",
    "proof_verified": true,
    "legal_admissibility": {
      "admissible_jurisdiction": ["federal", "state"],
      "evidence_integrity": "verified",
      "examiner_certification": "ENCE"
    }
  }
}
```
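The `evidence_file` object in the request carries the image's MD5, SHA-256 and size, so those values should be computed from the image itself immediately before submission and re-checked afterwards. The following is an added example, not Zeq SDK code: it builds that object in one streaming pass and reports which fields stop matching after a change. The function names and the 3 MiB constructed test image are assumptions; the field names come from the request above.

```python
import hashlib
import os
import tempfile

CHUNK = 1024 * 1024  # 1 MiB reads, so a terabyte image never sits in memory


def build_evidence_file(path: str, acquisition_date: str) -> dict:
    """Return an evidence_file object whose hashes are computed from the image."""
    md5, sha256, size = hashlib.md5(), hashlib.sha256(), 0
    with open(path, "rb") as image:  # read-only: never open evidence for writing
        for chunk in iter(lambda: image.read(CHUNK), b""):
            md5.update(chunk)
            sha256.update(chunk)
            size += len(chunk)
    return {
        "filename": os.path.basename(path),
        "file_hash_md5": md5.hexdigest(),
        "file_hash_sha256": sha256.hexdigest(),
        "file_size_bytes": size,
        "acquisition_date": acquisition_date,
    }


def verify_evidence_file(path: str, recorded: dict) -> list:
    """Re-hash the image and list every recorded field that no longer matches."""
    current = build_evidence_file(path, recorded["acquisition_date"])
    checked = ("file_size_bytes", "file_hash_md5", "file_hash_sha256")
    return [field for field in checked if current[field] != recorded[field]]


def demo_hash_check() -> tuple:
    """Constructed stand-in for a disk image; one byte is altered after recording."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "recovered_disk_image.dd")
        with open(path, "wb") as f:
            f.write(b"\x00" * (3 * CHUNK))
        record = build_evidence_file(path, "2024-01-15T10:30:00Z")
        clean = verify_evidence_file(path, record)
        with open(path, "r+b") as f:  # simulate a post-acquisition modification
            f.seek(4096)
            f.write(b"\x01")
        return record, clean, verify_evidence_file(path, record)
```

A real MD5 digest is 32 hex characters and a real SHA-256 digest is 64, so the short hash strings in the sample request are placeholders rather than values a hashing tool would produce.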
Fingerprint Matching (2)
Identify suspects via fingerprinting:
```bash
curl -X POST "https://zeq.dev/api/forensics/fingerprint-match" \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer $ZEQ_TOKEN" \
  -d '{
    "case_id": "2024_12345",
    "evidence_fingerprints": [
      {
        "fingerprint_id": "fp_1",
        "source": "door_handle_recovered",
        "quality": "good",
        "minutiae_count": 87,
        "image_data": "base64_fingerprint_image..."
      }
    ],
    "suspect_database": "afis_criminal_database",
    "match_threshold": 0.95,
    "return_top_matches": 5
  }'
```
Response:
```json
{
  "success": true,
  "data": {
    "case_id": "2024_12345",
    "matches": [
      {
        "rank": 1,
        "suspect_id": "suspect_xyz_12345",
        "match_score": 0.989,
        "match_confidence": "very_high",
        "prior_criminal_history": true,
        "last_known_location": "downtown_district",
        "match_proof": "zeqproof_fingerprint_xyz789..."
      }
    ],
    "analysis_timestamp": 1704067200,
    "proof_verified": true,
    "admissible_in_court": true
  }
}
```
Timeline Reconstruction (3)
Build forensic timeline:
```bash
curl -X POST "https://zeq.dev/api/forensics/timeline" \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer $ZEQ_TOKEN" \
  -d '{
    "case_id": "2024_12345",
    "evidence_id": "case_2024_001_exhibit_a",
    "events": [
      {
        "timestamp": "2024-01-14T08:30:00Z",
        "event_type": "file_access",
        "file_path": "C:\\Users\\Suspect\\Documents\\plan.txt",
        "source": "MFT_entry"
      },
      {
        "timestamp": "2024-01-14T09:15:00Z",
        "event_type": "email_sent",
        "from": "suspect@email.com",
        "to": "co_conspirator@email.com",
        "source": "email_database"
      },
      {
        "timestamp": "2024-01-14T15:22:00Z",
        "event_type": "malware_execution",
        "executable": "system32\\malware.exe",
        "source": "registry_shimcache"
      }
    ],
    "reconstruction_algorithm": "enhanced"
  }'
```
Response:
```json
{
  "success": true,
  "data": {
    "case_id": "2024_12345",
    "timeline": [
      {
        "sequence": 1,
        "timestamp": "2024-01-14T08:30:00Z",
        "event": "Suspect accessed file 'plan.txt'",
        "source": "MFT timestamp analysis",
        "confidence": 0.98
      },
      {
        "sequence": 2,
        "timestamp": "2024-01-14T09:15:00Z",
        "event": "Suspect sent email to co-conspirator",
        "source": "Email header analysis",
        "confidence": 0.99
      },
      {
        "sequence": 3,
        "timestamp": "2024-01-14T15:22:00Z",
        "event": "Malware executed on system",
        "source": "Registry shimcache",
        "confidence": 0.95
      }
    ],
    "timeline_proof": "zeqproof_timeline_def456...",
    "proof_verified": true,
    "legal_interpretation": "Timeline supports conspiracy charges"
  }
}
```
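A timeline response can be sanity-checked on the client before it goes into a report. The following is an added example, not part of the Zeq SDK: it checks ordering, sequence numbering, confidence range, and that no event postdates the image acquisition. The function names and the second, constructed timeline are assumptions. Run against the page's own sample values, it flags that the analysis `timestamp` of 1704067200 (2024-01-01T00:00:00Z) is earlier than the stated `acquisition_date`.

```python
from datetime import datetime, timezone


def parse_utc(ts: str) -> datetime:
    """Parse the page's ISO-8601 'Z' timestamps into timezone-aware UTC datetimes."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00")).astimezone(timezone.utc)


def check_timeline(timeline: list, acquisition_date: str, analysis_epoch: int) -> list:
    """Return a list of consistency problems found in a timeline response."""
    issues = []
    acquired = parse_utc(acquisition_date)
    analysed = datetime.fromtimestamp(analysis_epoch, tz=timezone.utc)
    if analysed < acquired:
        issues.append(f"analysis time {analysed.isoformat()} precedes acquisition")
    previous = None
    for expected_seq, entry in enumerate(timeline, start=1):
        when = parse_utc(entry["timestamp"])
        if entry["sequence"] != expected_seq:
            issues.append(f"sequence gap at position {expected_seq}")
        if previous is not None and when < previous:
            issues.append(f"entry {entry['sequence']} is earlier than its predecessor")
        if when > acquired:  # the image cannot contain events after it was taken
            issues.append(f"entry {entry['sequence']} postdates image acquisition")
        if not 0.0 <= entry["confidence"] <= 1.0:
            issues.append(f"entry {entry['sequence']} has confidence outside [0, 1]")
        previous = when
    return issues


# sequence, timestamp and confidence copied from the page's sample response
PAGE_TIMELINE = [
    {"sequence": 1, "timestamp": "2024-01-14T08:30:00Z", "confidence": 0.98},
    {"sequence": 2, "timestamp": "2024-01-14T09:15:00Z", "confidence": 0.99},
    {"sequence": 3, "timestamp": "2024-01-14T15:22:00Z", "confidence": 0.95},
]
# constructed for this example: reordered, renumbered and post-acquisition entries
CONSTRUCTED_BAD = [
    {"sequence": 1, "timestamp": "2024-01-14T09:15:00Z", "confidence": 0.99},
    {"sequence": 2, "timestamp": "2024-01-14T08:30:00Z", "confidence": 0.98},
    {"sequence": 4, "timestamp": "2024-01-16T12:00:00Z", "confidence": 1.2},
]
```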
Evidence Scoring (4)
Assess evidence significance:
```bash
curl -X POST "https://zeq.dev/api/forensics/evidence-score" \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer $ZEQ_TOKEN" \
  -d '{
    "case_id": "2024_12345",
    "evidence_items": [
      {
        "evidence_id": "fp_1",
        "evidence_type": "fingerprint",
        "relevance": "direct",
        "connection_to_suspect": "suspect_xyz_12345",
        "weight": "critical"
      },
      {
        "evidence_id": "email_1",
        "evidence_type": "communication",
        "content": "Operation details shared",
        "relevance": "direct",
        "connection_to_suspect": "suspect_xyz_12345",
        "weight": "strong"
      },
      {
        "evidence_id": "malware_1",
        "evidence_type": "executable",
        "connection_to_crime": "ransomware_deployment",
        "relevance": "direct",
        "weight": "critical"
      }
    ],
    "case_theory": "conspiracy_and_computer_fraud"
  }'
```
Response:
```json
{
  "success": true,
  "data": {
    "case_id": "2024_12345",
    "overall_case_strength": 0.94,
    "evidence_scores": [
      {
        "evidence_id": "fp_1",
        "score": 0.99,
        "strength": "conclusive",
        "contribution_to_case": "direct_suspect_identification"
      },
      {
        "evidence_id": "email_1",
        "score": 0.87,
        "strength": "strong",
        "contribution_to_case": "conspiracy_evidence"
      },
      {
        "evidence_id": "malware_1",
        "score": 0.95,
        "strength": "critical",
        "contribution_to_case": "crime_execution_method"
      }
    ],
    "prosecution_recommendation": "proceed_to_grand_jury",
    "proof": "zeqproof_scoring_ghi789...",
    "proof_verified": true
  }
}
```
Implementation: Law Enforcement Lab
Python Integration
```python
import json
import os
from datetime import datetime
from typing import Optional

import requests


class ZeqForensicsLab:
    def __init__(self, token: Optional[str] = None, timeout: float = 30.0):
        # Token comes from the caller or the ZEQ_TOKEN environment variable
        self.token = token or os.environ['ZEQ_TOKEN']
        self.api_url = "https://zeq.dev/api/forensics"
        self.timeout = timeout  # seconds; requests has no default timeout
        self.session = requests.Session()
        self.session.headers.update({
            'Authorization': f'Bearer {self.token}',
            'Content-Type': 'application/json'
        })

    def _post(self, endpoint: str, payload: dict) -> dict:
        """POST a JSON payload and return the 'data' member of the response."""
        response = self.session.post(
            f'{self.api_url}/{endpoint}', json=payload, timeout=self.timeout
        )
        response.raise_for_status()
        return response.json()['data']

    def analyze_evidence(self,
                         evidence_id: str,
                         case_number: str,
                         file_info: dict,
                         analysis_type: str = 'full_forensic') -> dict:
        """Perform forensic analysis on evidence."""
        payload = {
            "evidence_id": evidence_id,
            "case_number": case_number,
            "evidence_file": file_info,
            "analysis_type": analysis_type,
            "target_artifacts": [
                "deleted_files",
                "slack_space",
                "file_metadata",
                "internet_history",
                "email_messages",
                "file_carving"
            ],
            "chain_of_custody": {
                "investigator_id": os.environ.get('INVESTIGATOR_ID', 'inv_12345'),
                "agency": "city_police"
            }
        }
        return self._post('analyze', payload)

    def match_fingerprint(self,
                          case_id: str,
                          fingerprints: list,
                          match_threshold: float = 0.95) -> dict:
        """Match fingerprints against database."""
        payload = {
            "case_id": case_id,
            "evidence_fingerprints": fingerprints,
            "suspect_database": "afis_criminal_database",
            "match_threshold": match_threshold,
            "return_top_matches": 5
        }
        return self._post('fingerprint-match', payload)

    def reconstruct_timeline(self,
                             case_id: str,
                             evidence_id: str,
                             events: list) -> dict:
        """Reconstruct forensic timeline."""
        payload = {
            "case_id": case_id,
            "evidence_id": evidence_id,
            "events": events,
            "reconstruction_algorithm": "enhanced"
        }
        return self._post('timeline', payload)

    def score_evidence(self,
                       case_id: str,
                       evidence_items: list,
                       case_theory: str) -> dict:
        """Assess evidence significance for prosecution."""
        payload = {
            "case_id": case_id,
            "evidence_items": evidence_items,
            "case_theory": case_theory
        }
        return self._post('evidence-score', payload)


# Forensics workflow
lab = ZeqForensicsLab()

# 1. Analyze seized drive
print("=== Forensic Analysis ===")
analysis = lab.analyze_evidence(
    evidence_id='case_2024_001_exhibit_a',
    case_number='2024_12345',
    file_info={
        'filename': 'recovered_disk_image.dd',
        'file_hash_sha256': 'abc123def456abc123def456',
        'file_size_bytes': 1099511627776,
        'acquisition_date': '2024-01-15T10:30:00Z'
    }
)
print(f"Evidence ID: {analysis['evidence_id']}")
print(f"Status: {analysis['analysis_status']}")
print(f"Files found: {analysis['analysis_report']['evidence_summary']['file_count']}")
print(f"Deleted files recovered: {analysis['analysis_report']['evidence_summary']['deleted_file_count']}")
print("\nNotable Findings:")
for finding in analysis['analysis_report']['notable_findings']:
    # Not every finding type has risk_level or filename (deleted_email has neither)
    risk = finding.get('risk_level', 'unrated').upper()
    label = finding.get('filename') or finding.get('subject', finding['finding_id'])
    print(f"  [{risk}] {finding['type']}: {label}")

# 2. Match fingerprints
print("\n=== Fingerprint Matching ===")
fingerprints = lab.match_fingerprint(
    case_id='2024_12345',
    fingerprints=[{
        'fingerprint_id': 'fp_1',
        'source': 'door_handle_recovered',
        'quality': 'good',
        'minutiae_count': 87
    }]
)
for match in fingerprints['matches']:
    print(f"Match #{match['rank']}: {match['suspect_id']}")
    print(f"  Confidence: {match['match_confidence']}")
    print(f"  Score: {match['match_score']:.3f}")

# 3. Build timeline
print("\n=== Timeline Reconstruction ===")
timeline = lab.reconstruct_timeline(
    case_id='2024_12345',
    evidence_id='case_2024_001_exhibit_a',
    events=[
        {
            'timestamp': '2024-01-14T08:30:00Z',
            'event_type': 'file_access',
            'file_path': 'C:\\Users\\Suspect\\Documents\\plan.txt',
            'source': 'MFT_entry'
        },
        {
            'timestamp': '2024-01-14T15:22:00Z',
            'event_type': 'malware_execution',
            'executable': 'system32\\malware.exe',
            'source': 'registry_shimcache'
        }
    ]
)
for event in timeline['timeline']:
    print(f"[{event['timestamp']}] {event['event']}")
    print(f"  Source: {event['source']} (confidence: {event['confidence']})")

# 4. Score evidence
print("\n=== Evidence Assessment ===")
scoring = lab.score_evidence(
    case_id='2024_12345',
    evidence_items=[
        {
            'evidence_id': 'fp_1',
            'evidence_type': 'fingerprint',
            'connection_to_suspect': 'suspect_xyz_12345',
            'weight': 'critical'
        },
        {
            'evidence_id': 'email_1',
            'evidence_type': 'communication',
            'weight': 'strong'
        },
        {
            'evidence_id': 'malware_1',
            'evidence_type': 'executable',
            'weight': 'critical'
        }
    ],
    case_theory='conspiracy_and_computer_fraud'
)
print(f"Case Strength: {scoring['overall_case_strength']:.2%}")
print(f"Recommendation: {scoring['prosecution_recommendation']}")
print("\nEvidence Scores:")
for evidence in scoring['evidence_scores']:
    print(f"  {evidence['evidence_id']}: {evidence['score']:.2f} ({evidence['strength']})")
```
Court-Admissible Reporting
```python
from datetime import datetime, timezone


class ForensicsReport:
    def __init__(self, case_id: str, lab: ZeqForensicsLab):
        self.case_id = case_id
        self.lab = lab

    def generate_expert_report(self, analysis_data: dict) -> str:
        """Generate court-admissible forensics report."""
        findings = analysis_data['analysis_report']['notable_findings']
        admissibility = analysis_data['legal_admissibility']
        # Findings such as deleted_email carry a subject instead of a filename
        finding_lines = "\n".join(
            f"- {f['type']}: {f.get('filename') or f.get('subject', f['finding_id'])}"
            for f in findings
        )
        # Timezone-aware UTC, so the report date does not depend on the host's locale
        report_date = datetime.now(timezone.utc).isoformat()
        report = f"""
FORENSIC ANALYSIS REPORT
Case: {self.case_id}
Date: {report_date}
Evidence: {analysis_data['evidence_id']}

CHAIN OF CUSTODY
- Proof verified: {analysis_data['proof_verified']}
- Examiner certification: ENCE
- Evidence integrity: {admissibility['evidence_integrity']}

FINDINGS
{finding_lines}

PROFESSIONAL OPINION
The forensic analysis identified {len(findings)} critical findings.
The evidence is admissible in {', '.join(admissibility['admissible_jurisdiction'])} courts.

DIGITAL SIGNATURE
Proof: {analysis_data['chain_of_custody_proof']}
Timestamp: {analysis_data['timestamp']}

This report is admissible as expert opinion under FRE 702.
"""
        return report


# Generate report
report_gen = ForensicsReport('2024_12345', lab)
expert_report = report_gen.generate_expert_report(analysis)
print(expert_report)

# Save for court submission
with open('forensics_report_2024_12345.txt', 'w', encoding='utf-8') as f:
    f.write(expert_report)
```
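The requests above pass custody details as plain identifiers, and the page does not describe how a ZeqProof is constructed or checked, so a lab may want its own tamper-evident custody record alongside the API. The following is an added example of a generic hash-chained log, not Zeq code and not the ZeqProof format. It reuses the page's `evidence_id` and `investigator_id` values; the function names, action labels and the second and third timestamps are assumptions.

```python
import hashlib
import json

GENESIS = "0" * 64  # prev_hash value used by the first entry


def _entry_hash(body: dict) -> str:
    """SHA-256 over a canonical JSON encoding (sorted keys, no whitespace)."""
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).hexdigest()


def append_entry(log: list, evidence_id: str, investigator_id: str,
                 action: str, timestamp: str) -> dict:
    """Append a custody event whose hash also covers the previous entry's hash."""
    body = {
        "evidence_id": evidence_id,
        "investigator_id": investigator_id,
        "action": action,
        "timestamp": timestamp,
        "prev_hash": log[-1]["entry_hash"] if log else GENESIS,
    }
    entry = dict(body, entry_hash=_entry_hash(body))
    log.append(entry)
    return entry


def first_broken_link(log: list) -> int:
    """Return the index of the first entry that fails verification, or -1 if intact."""
    prev = GENESIS
    for index, entry in enumerate(log):
        body = {k: v for k, v in entry.items() if k != "entry_hash"}
        if body["prev_hash"] != prev or _entry_hash(body) != entry["entry_hash"]:
            return index
        prev = entry["entry_hash"]
    return -1


def demo_custody_log() -> tuple:
    """Constructed three-event log; the second entry is edited after the fact."""
    log, ev, inv = [], "case_2024_001_exhibit_a", "inv_12345"
    append_entry(log, ev, inv, "seized", "2024-01-15T08:00:00Z")
    append_entry(log, ev, inv, "imaged", "2024-01-15T10:30:00Z")
    append_entry(log, ev, inv, "submitted_for_analysis", "2024-01-15T11:00:00Z")
    intact = first_broken_link(log)
    log[1]["timestamp"] = "2024-01-15T09:00:00Z"  # backdated without re-hashing
    return intact, first_broken_link(log)
```

A bare hash chain only detects edits if the latest `entry_hash` is also recorded somewhere the editor cannot rewrite, for example signed or held by a second party.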
HulyaForensics vs Manual Analysis
| Task | Manual | HulyaForensics |
|---|---|---|
| Disk image analysis | 8-20 hours | 45 minutes |
| Timeline reconstruction | 2-4 hours | 5 minutes |
| Fingerprint matching | 30-60 min | <1 minute |
| Chain of custody docs | Manual | Automatic (proof) |
| Court admissibility | Expert testimony | Proof-verified |
| Reproducibility | ±5% variance | 100% identical |
Legal Framework
ZeqProof provides legal admissibility:
```json
{
  "legal_admissibility": {
    "standard": "Daubert",
    "methodology": "Scientific (deterministic algorithm)",
    "error_rate": 0.0,
    "peer_reviewed": true,
    "accepted_in_field": true,
    "admissible_jurisdiction": ["federal", "state", "international"]
  }
}
```
Next Steps
- Overview — Back to SDK basics
- Error Handling — Handle API errors
- Rate Limits — API optimization
Warning: Digital forensics evidence must be properly preserved and analyzed for court admissibility. Always verify ZeqProof for legal proceedings.