LEGALAUDIT

Methodology

The Mythos forensic methodology

Every dossier follows ISO 27037, NIST SP 800-86 and ENISA ETL. The result: a document a postal-police investigator and a magistrate can use.

Last methodology review: 2026-06-02

The pillars of a Mythos dossier

Six structural guarantees baked into every dossier — before any content is written.

CTU expert persona

The dossier is drafted under the persona of a court-registered forensic IT expert (CTU, art. 359 Italian Code of Criminal Procedure), with magistrate-grade language and complete forensic vocabulary.

E-N evidence citations

Every claim is anchored to at least one canonical evidence (cf. E-N). The appendix catalog lists artefacts and tool outputs with SHA-256.

WORM hash chain

The PDF is sealed with SHA-256 and anchored to a Write-Once-Read-Many audit chain: any later modification would break the chain in a detectable way.

Tracked instrumentation

Forensic tools, versions and vendors are declared at the foot of the document so the analysis remains reproducible years later.

TLP classification

Every page carries a Traffic Light Protocol marking to govern document sharing, following international best practice.

Multi-modal

A single pipeline analyses text, images, PDF, email, URL, crypto addresses and phone numbers, applying the right forensic framework per modality.

The 9 sections of the dossier

The canonical structure of a Mythos dossier — the same one your counsel would file with the prosecutor.

  1. 01

    Executive summary

    Expert synthesis of the case: subject, principal signals, verdict and confidence percentage. Cites at least two E-N references.

  2. 02

    Findings per forensic dimension

    For every detected dimension (impersonation, tampering, reputation, etc.) the signal and its technical-legal implication, in magistrate-grade prose.

  3. 03

    Forensic evidence analysis

    Evidence-by-evidence analysis: type, size, truncated hash, observed metadata (EXIF, headers, structure), tool signals and expert interpretation for each E-N.

  4. 04

    Chain of custody

    Chronological custody events (acquisition, hashing, analysis, generation, WORM anchor) with UTC timestamps and responsible actor.

  5. 05

    Risk verdict

    Risk level plus confidence percentage with the list of converging evidence justifying it. HIGH-RISK threshold: at least 3 independent signals.

  6. 06

    Operational recommendations

    Prioritised actions across three levels: P0 within 24h, P1 within 7 days, P2 consolidation. Every recommendation is tied to at least one evidence.

  7. 07

    Independence statement

    Expert's declaration (no conflict of interest, limits of static analysis) and notice that the document does not replace legal counsel.

  8. 08

    Forensic methodology

    Reference frameworks (ISO 27037, NIST SP 800-86, ENISA ETL), 5-stage pipeline, signal-convergence criteria and reproducibility guarantees.

  9. 09

    Appendix — Evidence catalog

    Table of all evidences E-1 ... E-N with type, SHA-256 (when applicable), acquisition timestamp and short label.

Anatomy of a dossier

Here is what a complete Mythos dossier looks like. Synthetic teaching case, real structure.

Anatomy of a dossier

A forensic dossier a magistrate can actually read

Every Mythos dossier is structured as a CTU-grade forensic expert report: cover page with verdict and verification QR, automatic table of contents, synoptic indicator matrix, E-1...E-N evidence catalog with SHA-256, and chronological chain of custody.

Document preview
Page 1 of the Mythos dossier: cover page with verdict, verification QR and signatory block
Cover · verdict · verification QR
Page 2 of the Mythos dossier: auto-paginated table of contents and synoptic indicator matrix
Table of contents · synoptic matrix
Download the complete example (PDF)

44 KB · 19 pages · A4

Anonymised. Synthetic teaching case (WhatsApp "hi mum" + IBAN + tampered ID).

Defensible forensic structure

The same layout your counsel would file with the prosecutor. No marketing template.

  • TLP-coded header on every page
  • Automatic paginated table of contents
  • Synoptic indicator matrix
  • E-1...E-N evidence catalog with SHA-256
  • cf. E-N citations on every claim
  • Chronological chain of custody
  • Legal references (Italian Penal Code 359 / 640 / 494 / 615 ter)
  • Quantified confidence interval on the verdict
  • Public QR for authenticity verification
  • Tamper-evident WORM hash chain

Standards we honour

The frameworks and regulations the methodology rests on.

  • ISO 27037:2012
  • NIST SP 800-86
  • ENISA ETL
  • Budapest Convention 2001
  • GDPR EU 2016/679
  • eIDAS
  • Daubert / Frye

Independent verification

Every Mythos dossier carries a QR code on its cover that opens /verify/<id>. The page republishes the SHA-256 hash of the PDF and its position in the WORM audit chain: anyone can confirm, even years later, that the document has not been tampered with.

Download an example dossier

19-page PDF, synthetic teaching case (WhatsApp "hi mum" + IBAN + tampered ID). Real structure, anonymised data.

Download example (PDF, 44 KB)

The Mythos forensic methodology