Evidence Object Domain

Category: API Domains | Last Updated: Feb 5, 2026

Overview

A detective seizes a laptop from a fraud suspect's premises. The device is bagged, tagged, and handed to digital forensics. Three days later, a forensic examiner extracts a disk image and uploads it to the investigation. Two weeks after that, the case moves to disclosure and a redacted copy of key documents is sent to defence counsel. Six months later, the case goes to trial. At every step, the platform must answer: who handled this item, when, and what did they do with it? The Evidence Object domain provides that unbroken chain of custody, from initial upload through court submission.

Physical and digital evidence carry different handling challenges but the same legal requirements. Courts need to see that an item has been accounted for at every point in its lifecycle. Any gap in the record weakens admissibility. Evidence Object closes those gaps with digital signatures on each custody transfer, file hash verification on each access, and automatic malware scanning on upload.

Key Features

  • Evidence object creation with full provenance tracking: source system, collection method, and collector identity
  • Chain of custody with digital signatures, handler identification, and integrity verification at each transfer
  • Cloud storage integration for secure evidence file management
  • Malware scanning with quarantine and security event generation for blocked uploads
  • File hash verification for integrity assurance on upload and access
  • Disclosure bundle management: bundling, recipient tracking, and status management for legal compliance
  • AI-powered auto-redaction with manual override and full audit trail
  • Court-ready report generation with evidence packaging
  • Filename sanitisation to prevent path traversal attacks
  • AES-256-GCM encryption at rest with fixity verification and Digital Notary integration
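
An added example, not the platform's own code: a small audit of a custody log for the properties listed above (an identified handler at each transfer, an unchanged file hash, and no gap between records). The record fields, handler IDs and hash value are constructed assumptions; signature verification is left out because it depends on the platform's key material.

```python
from datetime import datetime

# Constructed sample log; field names and handler IDs are assumptions, not the platform's schema.
IMAGE_HASH = "9f2c" * 16  # constructed 64-hex-character stand-in for a SHA-256
CUSTODY_LOG = [
    {"from": None, "to": "detective-01", "at": "2026-01-05T09:12:00+00:00", "sha256": IMAGE_HASH},
    {"from": "detective-01", "to": "store-02", "at": "2026-01-05T11:40:00+00:00", "sha256": IMAGE_HASH},
    {"from": "store-02", "to": "examiner-03", "at": "2026-01-08T08:05:00+00:00", "sha256": IMAGE_HASH},
]


def audit_custody(log):
    """Return a list of findings; an empty list means no gap was detected."""
    findings = []
    holder = last_time = baseline = None
    for i, rec in enumerate(log):
        if i == 0:
            baseline = rec["sha256"]  # hash recorded at collection
            if rec["from"] is not None:
                findings.append("record 0: chain does not start at collection")
        else:
            # The releasing handler must be whoever received the item last.
            if rec["from"] != holder:
                findings.append(f"record {i}: released by {rec['from']}, but held by {holder}")
            if rec["sha256"] != baseline:
                findings.append(f"record {i}: file hash differs from collection hash")
        when = datetime.fromisoformat(rec["at"])
        if when.tzinfo is None:
            # Without an offset the record cannot be ordered unambiguously.
            findings.append(f"record {i}: timestamp lacks a UTC offset")
        else:
            if last_time is not None and when <= last_time:
                findings.append(f"record {i}: timestamp not after previous record")
            last_time = when
        holder = rec["to"]
    return findings


if __name__ == "__main__":
    print(audit_custody(CUSTODY_LOG))                       # intact chain
    print(audit_custody([CUSTODY_LOG[0], CUSTODY_LOG[2]]))  # store-02 handover missing
```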

Use Cases

  • Uploading and tracking evidence files with full provenance metadata from the point of collection
  • Transferring evidence custody between handlers with digital signatures that satisfy court evidentiary standards
  • Creating legal disclosure bundles for court proceedings, tracking which materials have been sent to which recipients
  • Applying redactions to sensitive evidence before disclosure, with manual override where AI redaction requires correction

Industry Context

Serious crime units in national police services rely on digital chain of custody records to support prosecution in courts from District level through the Supreme Court. Counter-terrorism agencies apply classification controls to evidence objects that cannot be disclosed to defence without authorisation review. Financial crime teams create disclosure bundles for regulatory investigations where regulators require structured, timestamped evidence packages. Corporate legal departments build court-ready evidence packages for commercial litigation from digital document repositories.

Integration

The Evidence Object domain integrates with Disclosure for legal workflows, Redaction for PII handling, Export for evidence packaging, Intelligence for profile enrichment, and Investigation for case management. All evidence files are stored encrypted (AES-256-GCM) in cloud object storage, with file hashes and fixity records held in PostgreSQL.

Open Standards

  • NIST FIPS 180-4 (SHA-2): SHA-256 and SHA-512 are computed on every evidence file at upload and re-verified on each access to provide the primary cryptographic fixity record for admissibility.
  • NIST FIPS 202 (SHA-3): SHA3-256 is computed alongside SHA-2 hashes as a quantum-resistant supplementary fixity check, stored in the integrity record for future-proofing against algorithm breaks.
  • RFC 3161 (Internet X.509 PKI Time-Stamp Protocol): Disclosure bundles request a Time-Stamp Authority token over the manifest SHA-256, producing a cryptographically verifiable timestamp that courts can validate independently.
  • CMS / PKCS #7 (RFC 5652): Each disclosure bundle includes a detached CMS/PKCS #7 signature file (SIGNATURE.p7s) over the manifest, providing non-repudiation for the disclosed evidence set.
  • NIST FIPS 204 (ML-DSA / Dilithium-3): An optional hybrid ECDSA-P256 + ML-DSA-65 post-quantum signature is applied to evidence hashes at upload, guarding long-retention evidence against future quantum attacks on the classical ECDSA signature.
  • AES-256-GCM (NIST SP 800-38D): Evidence files are encrypted at rest using AES-256-GCM with fixity verification on decryption, ensuring confidentiality and authenticated integrity for stored exhibits.
  • GraphQL (June 2018 specification): All evidence object operations (creation, custody transfers, disclosure bundle management, and integrity queries) are exposed through a typed GraphQL API.
  • ISO 8601 / RFC 3339: All custody record timestamps, provenance collection times, and disclosure bundle events are stored and transmitted as ISO 8601 date-time strings, ensuring unambiguous temporal ordering for court records.
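
An added example, not the platform's own code: the fixity check described in the SHA-2 and SHA-3 items, with all three digests computed in one streaming pass at upload and re-checked on access. The record layout, function names and sample bytes are assumptions made for illustration.

```python
import hashlib
import hmac
import io

# The three digests named in the list above, as hashlib algorithm names.
ALGORITHMS = ("sha256", "sha512", "sha3_256")


def compute_fixity(stream, chunk_size=1 << 20):
    """Read a binary file-like object once, feeding each chunk to every digest."""
    hashers = {name: hashlib.new(name) for name in ALGORITHMS}
    while chunk := stream.read(chunk_size):
        for hasher in hashers.values():
            hasher.update(chunk)
    return {name: hasher.hexdigest() for name, hasher in hashers.items()}


def verify_fixity(stream, record):
    """Re-hash on access; return the algorithms whose stored digest no longer matches."""
    current = compute_fixity(stream)
    return [
        name for name in ALGORITHMS
        # compare_digest avoids leaking the mismatch position through timing
        if not hmac.compare_digest(current[name], record.get(name, ""))
    ]


# Constructed stand-in for an uploaded evidence file (not real evidence data).
SAMPLE = b"constructed stand-in for a disk image\n" * 1000
RECORD = compute_fixity(io.BytesIO(SAMPLE))  # what would be stored at upload

if __name__ == "__main__":
    print(verify_fixity(io.BytesIO(SAMPLE), RECORD))               # unchanged file
    altered = SAMPLE[:-1] + b"X"                                   # one byte changed
    print(verify_fixity(io.BytesIO(altered), RECORD))              # all three digests differ
```

An empty list means every stored digest still matches; a record missing one of the three algorithms is reported as a mismatch for that algorithm rather than silently passing.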

Last Reviewed: 2026-02-05 Last Updated: 2026-04-14
