Overview
A serious crime investigator receives a batch of 340 documents from a seized device. An AI extraction pipeline processes the documents and surfaces 1,200 entity candidates, 85 financial transactions, and 60 possible entity matches against existing records. The investigator cannot manually verify every candidate before they can be used. The Evidence domain provides the structure to manage that review: pending extractions are queued, analysts approve or reject them individually or in bulk, and approved items are promoted directly into the investigation. Meanwhile, physical and digital evidence items are tracked through a chain of custody that records every handler, every transfer, and every export.
These two capabilities, AI-assisted review and custody tracking, are deliberately combined. Modern investigations mix digital intelligence processing with physical and forensic evidence management. Both require the same underlying guarantees: auditability, traceability, and export formats that satisfy legal and court standards.
Key Features
- Human-in-the-loop (HITL) review workflows for pending entity extractions, financial transactions, and entity matches
- AI confidence scoring with configurable thresholds and approval or rejection workflows
- Individual and bulk approval or rejection operations with analyst reasoning captured
- Evidence upload with custody chain tracking and forensic timeline preservation
- Evidence annotation with coordinate-based highlighting on documents
- Export with chain of custody metadata in multiple formats (PDF, JSON, ZIP)
- Cross-tenant admin operations for superuser oversight
- Review statistics dashboard with pending, approved, and rejected counts plus velocity metrics
- Audit logging for all review and custody operations
- AES-256-GCM encryption for evidence at rest, with fixity verification and Digital Notary support
Use Cases
- Reviewing and approving AI-extracted entities from investigation documents before they are promoted to the entity graph
- Managing physical and digital evidence with a complete chain of custody from collection through court submission
- Bulk processing of entity extractions to handle high-volume document ingestion efficiently
- Generating compliance-ready evidence exports with custody metadata for court filings
Industry Context
National law enforcement agencies processing large-scale digital evidence seizures use HITL workflows to manage AI extraction output at scale without sacrificing human accountability. Serious fraud offices track financial document evidence through disclosure processes that require a demonstrable chain of custody. Prosecutors in Irish District through Supreme Court proceedings expect evidence packages with court-ready formatting and provenance metadata. Counter-terrorism units apply classification and secrecy level controls to evidence that cannot be shared without authorisation.
Integration
The Evidence domain integrates with Entity for promoting approved extractions, Investigation for case association, Document for classification, Timeline for chronological display, Report for case inclusion, and Audit for access tracking. Evidence files are stored with AES-256-GCM encryption and fixity hashes verified on each access.
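The fixity check described here (digests recorded at ingestion, re-computed and compared on each access) can be sketched as follows. This is an added example, not the platform's own code: the record layout, function names, item ID and actor names are assumptions, and the sample bytes are constructed.

```python
import hashlib
import hmac
import io
from datetime import datetime, timezone

CHUNK = 64 * 1024  # stream in chunks so large evidence files are not loaded whole


def compute_fixity(stream):
    """Return SHA-256 and SHA-512 hex digests of a binary stream."""
    sha256, sha512 = hashlib.sha256(), hashlib.sha512()
    for chunk in iter(lambda: stream.read(CHUNK), b""):
        sha256.update(chunk)
        sha512.update(chunk)
    return {"sha256": sha256.hexdigest(), "sha512": sha512.hexdigest()}


def _event(action, actor, **extra):
    return {"action": action, "actor": actor,
            "at": datetime.now(timezone.utc).isoformat(), **extra}


def ingest(item_id, stream, actor):
    """Create a (hypothetical) custody record holding the ingestion-time digests."""
    return {"item_id": item_id, "fixity": compute_fixity(stream),
            "events": [_event("ingest", actor)]}


def access(record, stream, actor):
    """Re-compute both digests, log the access, and report whether they match."""
    current = compute_fixity(stream)
    ok = all(hmac.compare_digest(current[alg], record["fixity"][alg])
             for alg in ("sha256", "sha512"))
    # A failed check is logged too, so the custody trail shows who saw the mismatch.
    record["events"].append(_event("access", actor, fixity_ok=ok))
    return ok


def demo():
    original = b"constructed sample evidence bytes " * 4096  # constructed input
    record = ingest("ITEM-EXAMPLE-1", io.BytesIO(original), "analyst.a")
    clean = access(record, io.BytesIO(original), "analyst.b")
    altered = bytearray(original)
    altered[100] ^= 0x01  # a single flipped bit must fail the check
    tampered = access(record, io.BytesIO(bytes(altered)), "analyst.c")
    return record, clean, tampered


if __name__ == "__main__":
    record, clean, tampered = demo()
    print(clean, tampered, [e["action"] for e in record["events"]])
```
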
Open Standards
- AES-256-GCM (FIPS 197 / NIST SP 800-38D): Evidence files are encrypted at rest using AES-256 in Galois/Counter Mode, providing authenticated confidentiality for stored items; fixity verification re-checks the GCM authentication tag on every access to detect silent corruption or tampering.
- FIPS 180-4 / SHA-2 family (SHA-256, SHA-512): Fixity hashes are computed at ingestion using SHA-256 and SHA-512 and recorded in the custody record; every subsequent access re-computes the digest and compares against the stored value, satisfying forensic integrity requirements for law enforcement and court proceedings.
- RFC 3161 (Internet X.509 PKI Time-Stamp Protocol): Digital Notary support attaches RFC 3161 trusted-timestamping tokens to evidence items and custody-chain events, providing cryptographically verifiable proof that an item existed in its current state at the recorded point in time.
- ISO 19005-3 (PDF/A-3): Court-ready evidence exports with embedded chain-of-custody metadata are produced in PDF/A-3 format, satisfying long-term archival preservation requirements for Irish District through Supreme Court proceedings and equivalent jurisdictions.
- W3C Verifiable Credentials Data Model 2.0: Signed verifiable credentials of type `EvidenceItem` are optionally issued for evidence objects at ingestion, anchoring custodial provenance to a tamper-evident, standards-based credential that any conformant verifier can inspect without platform connectivity.
- OASIS STIX 2.1 `observed-data` / `file` SCOs: Evidence items and their metadata can be exported as STIX Cyber-Observable Objects, enabling seamless transfer to threat-intelligence platforms and cross-agency sharing workflows that consume the `application/stix+json` media type.
- NIST SP 800-53 Rev 5 (AU family): Audit and accountability controls AU-3, AU-9, and AU-10 are implemented as explicit service paths; every review decision, custody transfer, and export event is recorded with actor identity, timestamp, and before/after state to satisfy the non-repudiation requirements of the AU control family.
Last Reviewed: 2026-02-05 Last Updated: 2026-04-14