Overview
When a defence team challenges whether a piece of digital evidence was accessed by an unauthorised officer between seizure and trial, the answer either exists in the audit record or it does not. There is no middle ground. The Evidence Audit Events module is built on the principle that every action taken against evidence must produce an immutable, verifiable record, captured the moment it happens and preserved in a form that cannot be quietly altered after the fact.
The system uses an event sourcing architecture: rather than storing only the current state of evidence, it stores every event that caused state to change. This means investigators, prosecutors, and compliance officers can reconstruct exactly what the evidence looked like at any point in its history. Criminal investigation units, digital forensics labs, financial regulators, and military intelligence units all depend on this kind of irrefutable timeline when evidence integrity is challenged.
```mermaid
sequenceDiagram
    participant Actor as Investigator / System
    participant Gateway as Event Gateway
    participant Enrichment as Context Enrichment
    participant Store as Immutable Event Store
    participant Replica as Distributed Replica
    participant Subscriber as Subscriber / Alert
    Actor->>Gateway: Evidence Action (access, transfer, modify...)
    Gateway->>Enrichment: Enrich with geo, session, device context
    Enrichment->>Store: Write immutable event record
    Store->>Replica: Replicate to distributed nodes
    Store->>Subscriber: Publish real-time notification
    Subscriber-->>Actor: Alert (if anomaly detected)
    Note over Store: Cryptographic verification on every record
```
Key Features
- Capture of 47 distinct domain event types spanning evidence operations, custody handoffs, and access control decisions
- Immutable audit records with cryptographic verification and distributed replication across multiple nodes, so no single failure can erase history
- Event sourcing enabling time-travel queries: any investigator can reconstruct the exact state of evidence at a specific date and time
- Versioned event schemas with backward compatibility, ensuring older records remain readable as the platform evolves
- Automatic context enrichment adding geolocation, session identifiers, and device information to every event without analyst effort
- Idempotent event processing with deduplication and guaranteed per-item ordering, so replay never produces false duplicates
- Real-time event notifications via subscriptions, allowing compliance systems and case managers to react to events as they occur
- Event replay capability for state reconstruction during forensic investigation of handling patterns or incident response
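The following Python is an added example, not the module's own code, showing how cryptographic verification, idempotent deduplication, per-item ordering and time-travel replay can fit together in one append-only log. It assumes a SHA-256 hash chain as the verification mechanism, which this page does not specify; the class, field names and sample events are hypothetical.

```python
import hashlib, json
from datetime import datetime, timezone

GENESIS = "0" * 64  # assumed chain anchor for the first record

def digest(prev_hash, body):
    # Canonical JSON so identical events always hash identically.
    blob = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + blob).encode()).hexdigest()

class EventLog:
    """Append-only, hash-chained event log (hypothetical illustration)."""
    def __init__(self):
        self.records, self.seen, self.last_seq = [], set(), {}
    def append(self, event_id, evidence_id, seq, at, actor, changes):
        if event_id in self.seen:
            return False  # idempotent: a redelivered event is a no-op
        if seq != self.last_seq.get(evidence_id, 0) + 1:
            raise ValueError(f"out-of-order event for {evidence_id}")
        body = {"event_id": event_id, "evidence_id": evidence_id, "seq": seq,
                "at": at.isoformat(), "actor": actor, "changes": changes}
        prev = self.records[-1]["hash"] if self.records else GENESIS
        self.records.append({"body": body, "prev": prev, "hash": digest(prev, body)})
        self.seen.add(event_id)
        self.last_seq[evidence_id] = seq
        return True

    def first_bad_record(self):
        """Index of the first record failing verification, or None if intact."""
        prev = GENESIS
        for i, rec in enumerate(self.records):
            if rec["prev"] != prev or rec["hash"] != digest(prev, rec["body"]):
                return i
            prev = rec["hash"]
        return None

    def state_at(self, evidence_id, when):
        """Time-travel query: replay this item's events up to `when`."""
        state = {}
        for body in (r["body"] for r in self.records):
            if body["evidence_id"] == evidence_id and datetime.fromisoformat(body["at"]) <= when:
                state.update(body["changes"])
        return state

def sample_log():  # constructed sample events; ids, names and times are made up
    log, utc = EventLog(), timezone.utc
    log.append("e1", "EV-1", 1, datetime(2025, 3, 1, 9, tzinfo=utc), "officer_a", {"custodian": "officer_a"})
    log.append("e2", "EV-1", 2, datetime(2025, 3, 5, 14, tzinfo=utc), "lab_tech_b", {"custodian": "lab_tech_b"})
    return log
```

A hash chain on a single node detects edits to earlier records but not a rewrite of the whole chain or its tail, so the latest hash has to be held somewhere the writer cannot change, which is the role replication to independent nodes plays.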
Use Cases
- Producing legally defensible audit trails for evidence handling in criminal and civil proceedings, where every access or modification is documented with cryptographic proof
- Reconstructing evidence state at any historical point using event sourcing, answering questions like "what did this file contain on the day it was served to the defence?"
- Monitoring real-time evidence activity across an organisation for compliance oversight and early detection of policy violations
- Replaying event sequences during internal forensic investigations of how evidence was handled, by whom, and in what order
Integration
The Evidence Audit Events module connects with evidence management, custody systems, and compliance reporting through an event-driven architecture with message-based distribution.
Last Reviewed: 2026-02-05 Last Updated: 2026-04-14