Overview
A defence solicitor challenges the integrity of digital evidence presented at trial. The prosecution needs to demonstrate that the evidence was never altered: not merely assert that it was not, but show it with cryptographic proof. The Audit domain provides exactly that: an immutable, tamper-evident chain of custody in which every access, transfer, and modification is recorded and independently verifiable by any party with the appropriate tools.
This is not a convenience feature. In jurisdictions where the admissibility of digital evidence depends on a provable chain of custody, a system without cryptographic audit capability cannot meet the standard. The Audit domain is built for that requirement from the ground up.
Key Features
- Immutable Audit Logging: All custody events are append-only with cryptographic chaining, ensuring a tamper-evident record that cannot be altered after creation.
- Chain-of-Custody Tracking: Complete lineage tracking that records who handled evidence, what actions were taken, when they occurred, and why.
- Multi-Algorithm Integrity Verification: Defence-in-depth approach using multiple hash algorithms to protect against algorithm-specific vulnerabilities and future-proof evidence integrity.
- Legal Hold Enforcement: Prevents deletion or modification of evidence during legal proceedings, with support for litigation, regulatory, and internal investigation holds.
- Chain Certification: Legal certification of chain integrity for court admissibility, including expert review, digital signature, and report generation.
- Retention Policy Management: Configurable retention periods with support for archival, deletion, and anonymisation actions that respect legal hold constraints.
- Advanced Querying and Search: Full-text search, date range filtering, action type filtering, actor filtering, and flexible sorting across audit logs.
- Timeline Visualisation: Chronological event ordering with significant event highlighting and entity type classification for visual audit trail analysis.
- Multi-Format Export: Export audit trails in JSON and CSV formats for analysis, reporting, and compliance documentation.
- Statistical Analytics: Aggregated statistics including event breakdowns by action type and actor, unique evidence and investigation counts, and chain health metrics.
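As an added illustration of the append-only chaining, multi-algorithm verification and constant-time comparison described in this list (example code written for this page, not the product's own implementation), the following Python builds a small custody log, links each event to its predecessor's digests, and verifies the chain. The four-algorithm set, the event field layout, the names `CustodyChain`, `verify` and `simulate_edit`, the integrity-score formula and the sample events are all assumptions.

```python
"""Append-only custody log with multi-algorithm hash chaining.

Added example, constructed for this page; not the product's own code.
The algorithm set, field layout and sample data are assumptions."""
import hashlib
import hmac
import json
from dataclasses import dataclass, asdict, replace
from datetime import datetime, timezone

# Assumed algorithm set: the four digests named in the Open Standards list.
ALGORITHMS = ("sha256", "sha512", "sha3_256", "blake2b")
# Link value carried by the first event, which has no predecessor.
GENESIS_LINK = {alg: "genesis" for alg in ALGORITHMS}


def canonical(body: dict) -> bytes:
    """Deterministic serialisation (sorted keys, no whitespace) so the same
    event always hashes to the same digests."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode("utf-8")


def digest_all(data: bytes) -> dict:
    """Hash the same bytes with every algorithm; a forged record would have
    to collide under all four at once, not only under the weakest."""
    return {alg: hashlib.new(alg, data).hexdigest() for alg in ALGORITHMS}


def same_digests(a: dict, b: dict) -> bool:
    """Constant-time comparison per algorithm via hmac.compare_digest; the
    list comprehension avoids short-circuiting on the first mismatch."""
    return all([hmac.compare_digest(a[alg], b[alg]) for alg in ALGORITHMS])


@dataclass(frozen=True)
class CustodyEvent:
    sequence: int
    timestamp: str   # ISO 8601 / RFC 3339, always UTC
    actor: str
    action: str
    evidence_id: str
    reason: str
    previous: dict   # digests of the preceding event: the chain link
    digests: dict    # digests of this event's canonical body


class CustodyChain:
    """In-memory append-only log: deliberately no update or delete method."""

    def __init__(self) -> None:
        self._events: list = []

    def append(self, actor: str, action: str, evidence_id: str, reason: str,
               when: datetime = None) -> CustodyEvent:
        when = when or datetime.now(timezone.utc)
        body = {
            "sequence": len(self._events),
            "timestamp": when.astimezone(timezone.utc).isoformat(timespec="seconds"),
            "actor": actor, "action": action,
            "evidence_id": evidence_id, "reason": reason,
            "previous": self._events[-1].digests if self._events else GENESIS_LINK,
        }
        event = CustodyEvent(**body, digests=digest_all(canonical(body)))
        self._events.append(event)
        return event

    def events(self) -> list:
        return list(self._events)  # a copy, so callers cannot reach the store


def verify(events: list) -> dict:
    """Walk the chain from genesis, recomputing every body digest and checking
    every link and sequence number. Returns the failures plus a simple score."""
    expected_previous, failures = GENESIS_LINK, []
    for index, event in enumerate(events):
        body = {k: v for k, v in asdict(event).items() if k != "digests"}
        body_ok = same_digests(digest_all(canonical(body)), event.digests)
        link_ok = same_digests(expected_previous, event.previous)
        sequence_ok = event.sequence == index
        if not (body_ok and link_ok and sequence_ok):
            failures.append({"sequence": index, "body_ok": body_ok,
                             "link_ok": link_ok, "sequence_ok": sequence_ok})
        expected_previous = event.digests
    total = len(events)
    score = 100.0 if not total else round(100.0 * (total - len(failures)) / total, 1)
    return {"valid": not failures, "events": total,
            "failures": failures, "integrity_score": score}


def simulate_edit(events: list, index: int, rehash: bool, **changes) -> list:
    """Test fixture: a copy of the list with one stored record altered, optionally
    with its digests recomputed, to show which check verify() trips."""
    edited = list(events)
    altered = replace(edited[index], **changes)
    if rehash:
        body = {k: v for k, v in asdict(altered).items() if k != "digests"}
        altered = replace(altered, digests=digest_all(canonical(body)))
    edited[index] = altered
    return edited


def build_sample_chain() -> CustodyChain:
    """Constructed sample data: three custody events on one evidence item."""
    chain = CustodyChain()
    t0 = datetime(2026, 1, 15, 9, 30, tzinfo=timezone.utc)
    chain.append("analyst.a", "UPLOAD", "EV-0001", "initial intake", when=t0)
    chain.append("analyst.b", "ACCESS", "EV-0001", "hash verification", when=t0.replace(hour=11))
    chain.append("custodian.c", "TRANSFER", "EV-0001", "handover to lab", when=t0.replace(day=16))
    return chain
```

Run `verify(build_sample_chain().events())` for a clean report; `simulate_edit(events, 1, rehash=False, actor="x")` trips the body check on event 1, while `rehash=True` (the record's digests recomputed after the edit) leaves event 1 looking sound but breaks the link carried by event 2, which is the property the chaining buys. One caveat a verifier should keep in mind: a hash chain detects modification, insertion and reordering, but not the removal of the most recent events, unless the current head digests are anchored outside the store, which is the role of the chain certification (digital signature over the chain state) listed above.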
Use Cases
Law enforcement evidence management teams maintain a cryptographically verifiable chain of custody for digital evidence, ensuring every access, transfer, and modification is recorded and independently verifiable for court proceedings.
Compliance officers at regulated financial institutions manage retention policies and legal holds to meet regulatory requirements, with automated archival of aged records while preserving evidence under active legal proceedings.
Forensic investigators validate chain integrity to confirm that evidence has not been tampered with, receiving an integrity score and detailed validation report suitable for legal certification and expert witness presentation.
Regulatory auditors search and export detailed audit trails filtered by time period, action type, or actor to generate compliance reports for bodies such as the FCA, SEC, or national data protection authorities.
Legal teams apply and release legal holds on evidence related to active litigation, with full audit tracking of hold lifecycle events ensuring the hold chain itself is defensible in court.
Integration
The Audit domain integrates with the Evidence domain for automatic custody tracking on upload and access, the Investigation domain for investigation-wide audit trails, the User domain for actor attribution and access control, and the Storage domain for hash verification on file retrieval.
Open Standards
- NIST FIPS 180-4 and FIPS 202 (SHA-256, SHA-512, SHA3-256): All audit chain events and evidence files are hashed using these NIST-standardised algorithms, with multi-algorithm verification applied in parallel to guard against single-algorithm compromise.
- RFC 7693 (BLAKE2b): BLAKE2b is implemented as a fourth hash algorithm alongside the FIPS-family digests, providing a defence-in-depth layer for evidence integrity verification.
- RFC 2104 (HMAC) / OWASP ASVS V6.2.8: All hash comparisons in chain-link validation use constant-time comparison via HMAC primitives to prevent timing side-channel leakage during integrity verification.
- AES-256-GCM (NIST SP 800-38D): Evidence files stored at rest are flagged as encrypted with AES-256-GCM, and the encryption algorithm is recorded in each integrity record for chain-of-custody completeness.
- HP ArcSight Common Event Format (CEF): The audit trail SIEM export service produces CEF-formatted log lines for ingestion into Splunk, Microsoft Sentinel, Elastic, and IBM QRadar.
- NENA i3 Standard (NENA-STA-010): A dedicated NG911 audit action vocabulary aligns custody events for emergency communications workflows with the NENA i3 action taxonomy, supporting admissibility and MLTS compliance queries.
- ISO 8601 / RFC 3339: All event timestamps are serialised in ISO 8601 extended format throughout the chain, ensuring unambiguous timezone-aware timestamps for legal and regulatory reporting.
- Regulation (EU) 2016/679 (GDPR): Retention policy management defaults to a seven-year minimum aligned with GDPR and SOX requirements, and legal-hold enforcement blocks deletion of evidence under active regulatory proceedings.
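As an added example of the CEF export mentioned in the list above (written for this page, not the product's SIEM export service), the following Python renders a custody event as a single CEF line with the escaping the format requires, and parses such a line back so the round trip can be checked. The vendor and product strings, the severity mapping, the choice of extension keys and the sample event are assumptions; the header layout and escaping rules are those of the CEF format itself.

```python
"""CEF export of custody events for SIEM ingestion.

Added example, constructed for this page; not the product's exporter.
Vendor/product strings, severity mapping and key choices are assumptions."""
import re
from datetime import datetime

CEF_VERSION = "0"
# Assumed severity (0-10) per custody action; not taken from the page.
SEVERITY = {"UPLOAD": 3, "ACCESS": 2, "TRANSFER": 5, "LEGAL_HOLD": 4, "DELETE_BLOCKED": 8}
_KEY = re.compile(r"(?:^|\s)([A-Za-z0-9_]+)=")


def escape_header(value: str) -> str:
    """Header fields are pipe-delimited: backslash and pipe must be escaped."""
    return value.replace("\\", "\\\\").replace("|", "\\|")


def escape_extension(value: str) -> str:
    """Extension values: backslash, equals sign and line breaks must be escaped."""
    return (value.replace("\\", "\\\\").replace("=", "\\=")
            .replace("\r", "\\r").replace("\n", "\\n"))


def unescape_extension(value: str) -> str:
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), value)


def epoch_ms(iso_timestamp: str) -> int:
    """Receipt time for the rt key: milliseconds since the epoch. Refuses naive
    timestamps, since an offset-less time is ambiguous in a chain of custody."""
    when = datetime.fromisoformat(iso_timestamp)
    if when.tzinfo is None:
        raise ValueError("timestamp must carry a timezone offset (ISO 8601 / RFC 3339)")
    return int(when.timestamp() * 1000)


def to_cef(event: dict, vendor: str = "ExampleVendor",
           product: str = "AuditDomain", version: str = "1.0") -> str:
    """Render one custody event as a CEF line: 7 header fields, then extension."""
    header = [CEF_VERSION, vendor, product, version, event["action"],
              f"Custody {event['action']}", str(SEVERITY.get(event["action"], 5))]
    extension = {
        "rt": str(epoch_ms(event["timestamp"])),
        "suser": event["actor"],
        "act": event["action"],
        "fileId": event["evidence_id"],
        "fileHash": event["sha256"],
        "cs1Label": "reason",
        "cs1": event["reason"],
    }
    ext = " ".join(f"{k}={escape_extension(v)}" for k, v in extension.items())
    return "CEF:" + "|".join(escape_header(h) for h in header) + "|" + ext


def split_header(line: str):
    """Split the seven header fields on unescaped pipes; the rest is the extension."""
    if not line.startswith("CEF:"):
        raise ValueError("not a CEF line")
    body, fields, current, i = line[4:], [], [], 0
    while i < len(body) and len(fields) < 7:
        ch = body[i]
        if ch == "\\" and i + 1 < len(body):   # escaped char: take it literally
            current.append(body[i + 1])
            i += 2
            continue
        if ch == "|":
            fields.append("".join(current))
            current = []
        else:
            current.append(ch)
        i += 1
    if len(fields) != 7:
        raise ValueError("malformed CEF header")
    return fields, body[i:]


def parse_extension(ext: str) -> dict:
    """Values may contain spaces, so a value runs up to the next 'key=' token."""
    keys = list(_KEY.finditer(ext))
    out = {}
    for n, m in enumerate(keys):
        end = keys[n + 1].start() if n + 1 < len(keys) else len(ext)
        out[m.group(1)] = unescape_extension(ext[m.end():end])
    return out


def parse_cef(line: str) -> dict:
    fields, ext = split_header(line)
    return {"version": fields[0], "vendor": fields[1], "product": fields[2],
            "device_version": fields[3], "signature_id": fields[4],
            "name": fields[5], "severity": int(fields[6]),
            "extension": parse_extension(ext)}


# Constructed sample event; the hash is a placeholder value, not real evidence.
SAMPLE_EVENT = {
    "timestamp": "2026-01-15T09:30:00+00:00",
    "actor": "analyst.b",
    "action": "TRANSFER",
    "evidence_id": "EV-0001",
    "sha256": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
    "reason": "handover to lab | case=2026/0042",
}
```

`to_cef(SAMPLE_EVENT)` yields a line starting `CEF:0|ExampleVendor|AuditDomain|1.0|TRANSFER|Custody TRANSFER|5|rt=...`, with the `=` inside the reason escaped as `\=` and a pipe left as-is because the extension is not pipe-delimited; the parser undoes only those escapes. A free-text reason that is not escaped this way is the usual cause of SIEM-side field breakage, so the round trip is worth keeping as a unit test on the real exporter.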
Last Reviewed: 2026-02-05 Last Updated: 2026-04-14