Overview#
When a defence team challenges whether a piece of digital evidence was accessed by an unauthorised officer between seizure and trial, the answer either exists in the audit record or it does not. There is no middle ground. The Evidence Audit Events module is built on the principle that every action taken against evidence must produce an immutable, verifiable record, captured the moment it happens and preserved in a form that cannot be quietly altered after the fact.
The system uses an event sourcing architecture: rather than storing only the current state of evidence, it stores every event that caused state to change. This means investigators, prosecutors, and compliance officers can reconstruct exactly what the evidence looked like at any point in its history. Criminal investigation units, digital forensics labs, financial regulators, and military intelligence units all depend on this kind of irrefutable timeline when evidence integrity is challenged.
Key Features#
- Capture of 47 distinct domain event types spanning evidence operations, custody handoffs, and access control decisions
- Immutable audit records with cryptographic verification and distributed replication across multiple nodes, so no single failure can erase history
- Event sourcing enabling time-travel queries: any investigator can reconstruct the exact state of evidence at a specific date and time
- Versioned event schemas with backward compatibility, ensuring older records remain readable as the platform evolves
- Automatic context enrichment adding geolocation, session identifiers, and device information to every event without analyst effort
- Idempotent event processing with deduplication and guaranteed per-item ordering, so replay never produces false duplicates
- Real-time event notifications via subscriptions, allowing compliance systems and case managers to react to events as they occur
- Event replay capability for state reconstruction during forensic investigation of handling patterns or incident response
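The following is an added example, not code from the Evidence Audit Events module, showing how the features above fit together in an event-sourced audit log: an append-only record in which each entry is SHA-256 hash-chained to its predecessor, deduplication by event identifier, a per-item sequence check that enforces ordering, and a time-travel query that replays events to rebuild an evidence item's state at a given timestamp. The event kinds (EvidenceCollected, CustodyTransferred, EvidenceAccessed, EvidenceSealed), the field names and the sample events are assumptions for illustration; the module's own 47 event types and schema are not shown on this page.

```python
"""Event-sourced evidence audit log: append-only, hash-chained, idempotent, time-travel.

Added example, not the module's own code. Event kinds, field names and the sample
events are assumptions for illustration.
"""
import hashlib
import json
from dataclasses import dataclass

GENESIS = "0" * 64  # previous-hash value used for the first record in the chain


@dataclass(frozen=True)
class AuditEvent:
    event_id: str  # globally unique; the deduplication key
    item_id: str   # evidence item this event belongs to
    seq: int       # per-item sequence number, 1-based, gaps rejected
    ts: str        # UTC time as "YYYY-MM-DDTHH:MM:SSZ" (fixed width, so strings sort correctly)
    kind: str      # hypothetical event type name
    data: dict     # event-specific payload


def canonical(obj) -> bytes:
    """Deterministic JSON so the same event always produces the same digest."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def event_digest(ev: AuditEvent, prev_hash: str) -> str:
    """SHA-256 over the event fields plus the previous record's hash (the chain link)."""
    body = {"event_id": ev.event_id, "item_id": ev.item_id, "seq": ev.seq,
            "ts": ev.ts, "kind": ev.kind, "data": ev.data, "prev": prev_hash}
    return hashlib.sha256(canonical(body)).hexdigest()


def apply_event(state: dict, ev: AuditEvent) -> None:
    """Reducer: fold one event into an item's state (hypothetical event kinds)."""
    if ev.kind == "EvidenceCollected":
        state["custodian"] = ev.data["by"]
        state["custody_chain"].append(ev.data["by"])
    elif ev.kind == "CustodyTransferred":
        state["custodian"] = ev.data["to"]
        state["custody_chain"].append(ev.data["to"])
    elif ev.kind == "EvidenceAccessed":
        state["accessed_by"].append(ev.data["by"])
    elif ev.kind == "EvidenceSealed":
        state["sealed"] = True


class EvidenceAuditLog:
    def __init__(self):
        self.records = []    # (event, hash) pairs, append-only
        self._seen = set()   # event_ids already applied
        self._next_seq = {}  # item_id -> next expected seq
        self._head = GENESIS

    def append(self, ev: AuditEvent) -> bool:
        """Apply an event exactly once; a redelivered event returns False and changes nothing."""
        if ev.event_id in self._seen:
            return False
        expected = self._next_seq.get(ev.item_id, 1)
        if ev.seq != expected:  # out-of-order delivery: refuse rather than silently reorder
            raise ValueError(f"{ev.item_id}: got seq {ev.seq}, expected {expected}")
        digest = event_digest(ev, self._head)
        self.records.append((ev, digest))
        self._seen.add(ev.event_id)
        self._next_seq[ev.item_id] = expected + 1
        self._head = digest
        return True

    def verify_chain(self) -> bool:
        """Recompute every hash; an edited or deleted record breaks every link after it."""
        prev = GENESIS
        for ev, stored in self.records:
            if event_digest(ev, prev) != stored:
                return False
            prev = stored
        return True

    def state_at(self, item_id: str, as_of: str) -> dict:
        """Time-travel query: replay the item's events with ts <= as_of, in log order."""
        state = {"custodian": None, "custody_chain": [], "accessed_by": [], "sealed": False}
        for ev, _ in self.records:
            if ev.item_id == item_id and ev.ts <= as_of:
                apply_event(state, ev)
        return state


def build_sample_log() -> EvidenceAuditLog:
    """Constructed sample events (not real case data), with one simulated redelivery."""
    log = EvidenceAuditLog()
    events = [
        AuditEvent("e1", "EXH-001", 1, "2026-01-10T09:00:00Z", "EvidenceCollected", {"by": "officer_a"}),
        AuditEvent("e2", "EXH-001", 2, "2026-01-11T14:30:00Z", "CustodyTransferred", {"to": "lab_b"}),
        AuditEvent("e3", "EXH-001", 3, "2026-01-12T08:15:00Z", "EvidenceAccessed", {"by": "analyst_c"}),
        AuditEvent("e4", "EXH-001", 4, "2026-01-13T16:00:00Z", "EvidenceSealed", {}),
    ]
    for ev in events:
        log.append(ev)
    log.append(events[2])  # the message bus delivered e3 twice; must not double-count
    return log
```

Calling build_sample_log() and then state_at("EXH-001", "2026-01-11T23:59:59Z") yields lab_b as custodian with no access yet recorded, while the same query for a later date shows the access and the seal. Editing or removing any stored record changes every hash after it, which is what makes the chain "cannot be quietly altered after the fact"; the duplicated delivery of e3 is reported as a no-op rather than a second access. Timestamps are compared as strings, which is safe only because every event uses the same fixed-width UTC format.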
Use Cases#
- Producing legally defensible audit trails for evidence handling in criminal and civil proceedings, where every access or modification is documented with cryptographic proof
- Reconstructing evidence state at any historical point using event sourcing, answering questions like "what did this file contain on the day it was served to the defence?"
- Monitoring real-time evidence activity across an organisation for compliance oversight and early detection of policy violations
- Replaying event sequences during internal forensic investigations of how evidence was handled, by whom, and in what order
Integration#
The Evidence Audit Events module connects with evidence management, custody systems, and compliance reporting through an event-driven architecture with message-based distribution.
Open Standards#
- W3C Verifiable Credentials Data Model v2.0: Each evidence collection and custody transfer event issues a signed VC, secured as a JWT (the JOSE enveloping proof, with alg EdDSA over an Ed25519 key) whose issuer is identified by a DID. The credential is a portable provenance record for that evidence item: any party that can resolve the issuer DID to its public key can verify the credential without querying the platform.
- RFC 3161 (Internet X.509 PKI Time-Stamp Protocol): Audit event signatures can be bound to a token from a trusted time-stamp authority (TSA) embedded in the evidence export. The TSA signs a hash of the audit signature together with its genTime, so a verifier who trusts the TSA's certificate chain can prove the signature existed no later than that time, independently of the platform's own clock.
- FIPS 180-4 / SHA-256: Every audit record carries a SHA-256 digest of the event payload; Merkle tree nodes are SHA-256 hashes, giving a tamper-evident daily root that anyone holding the day's events can recompute and compare. A root only proves something if a copy is held outside the system that produced it, so the daily root should itself be anchored externally, for example in an RFC 3161 time-stamp token.
- AES-256-GCM (NIST SP 800-38D): Evidence objects stored alongside audit records are encrypted at rest using AES-256-GCM, which authenticates the ciphertext as well as encrypting it; the encryption algorithm is recorded in the immutable audit entry. Per SP 800-38D the nonce must never repeat under the same key, since a repeated nonce exposes plaintext relationships and allows tag forgery.
- ETSI TS 104 008 (CABCA): The continuous-auditing service runs scheduled and event-triggered assessment cycles aligned to this specification, recording ETSI TR 103 910 quality-criterion results and a Merkle root in each cycle's conformity record.
- ArcSight Common Event Format (CEF): The SIEM export service serialises audit trail events as CEF log lines (CEF version 0: a pipe-delimited header of vendor, product, version, signature ID, name and severity, followed by key=value extensions), enabling direct ingestion by platforms such as Splunk, Elastic SIEM, Microsoft Sentinel, and IBM QRadar. Because evidence metadata such as file names can be attacker-influenced, the exporter must apply CEF escaping (backslash and pipe in header fields; backslash, equals sign and line breaks in extension values) so that a crafted value cannot inject extra fields into the SIEM record.
- GraphQL (June 2018 specification): All queries, mutations, and real-time subscriptions for audit events, Merkle roots, chain-of-custody entries, and Verifiable Credentials are exposed through a strongly-typed GraphQL API.
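As an added example (not the module's code) of the SHA-256 Merkle construction described in the FIPS 180-4 bullet above: events are grouped by UTC day, each canonical JSON payload becomes a leaf, and the tree is built the RFC 6962 (Certificate Transparency) way, with 0x00/0x01 domain-separation prefixes and the split at the largest power of two below the node count, so no padding leaves are needed and a leaf can never be confused with an interior node. It also produces and checks an inclusion proof, which is what lets a third party confirm that a single record belongs under a published daily root without seeing the other events. The event fields and values are constructed samples, not the platform's schema.

```python
"""SHA-256 Merkle tree over a day's audit events, RFC 6962 style.

Added example, not the module's code. SAMPLE_EVENTS are constructed and their
field names are illustrative.
"""
import hashlib
import json


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def leaf_hash(payload: bytes) -> bytes:
    return sha256(b"\x00" + payload)        # 0x00 prefix: this is a leaf


def node_hash(left: bytes, right: bytes) -> bytes:
    return sha256(b"\x01" + left + right)   # 0x01 prefix: this is an interior node


def _split(n: int) -> int:
    """Largest power of two strictly less than n (RFC 6962 split point)."""
    return 1 << ((n - 1).bit_length() - 1)


def merkle_root(leaves: list) -> bytes:
    """Root over already-hashed leaves; the empty tree is the hash of the empty string."""
    if not leaves:
        return sha256(b"")
    if len(leaves) == 1:
        return leaves[0]
    k = _split(len(leaves))
    return node_hash(merkle_root(leaves[:k]), merkle_root(leaves[k:]))


def inclusion_proof(leaves: list, m: int) -> list:
    """Audit path for leaf m as (sibling_hash, sibling_is_on_the_right), leaf upward."""
    if len(leaves) == 1:
        return []
    k = _split(len(leaves))
    if m < k:
        return inclusion_proof(leaves[:k], m) + [(merkle_root(leaves[k:]), True)]
    return inclusion_proof(leaves[k:], m - k) + [(merkle_root(leaves[:k]), False)]


def verify_inclusion(leaf: bytes, proof: list, root: bytes) -> bool:
    """Recompute the root from one leaf and its audit path; compare with the published root."""
    h = leaf
    for sibling, on_right in proof:
        h = node_hash(h, sibling) if on_right else node_hash(sibling, h)
    return h == root


def canonical(event: dict) -> bytes:
    """Deterministic JSON: key order and whitespace must not change the digest."""
    return json.dumps(event, sort_keys=True, separators=(",", ":")).encode()


def daily_roots(events: list) -> dict:
    """Group events by the date in their UTC timestamp and return one root per day."""
    by_day = {}
    for ev in events:
        by_day.setdefault(ev["ts"][:10], []).append(leaf_hash(canonical(ev)))
    return {day: merkle_root(leaves) for day, leaves in sorted(by_day.items())}


def check_event(event: dict, index_in_day: int, events: list) -> bool:
    """Prove that `event` is the index_in_day-th record under its day's root."""
    day = event["ts"][:10]
    day_leaves = [leaf_hash(canonical(e)) for e in events if e["ts"][:10] == day]
    proof = inclusion_proof(day_leaves, index_in_day)
    return verify_inclusion(leaf_hash(canonical(event)), proof, merkle_root(day_leaves))


# Constructed sample events (not real case data); five on one day, one on the next.
SAMPLE_EVENTS = [
    {"ts": "2026-01-12T08:15:00Z", "item": "EXH-001", "kind": "EvidenceAccessed", "by": "analyst_c"},
    {"ts": "2026-01-12T09:02:10Z", "item": "EXH-002", "kind": "EvidenceCollected", "by": "officer_a"},
    {"ts": "2026-01-12T11:40:00Z", "item": "EXH-001", "kind": "CustodyTransferred", "to": "lab_b"},
    {"ts": "2026-01-12T15:00:00Z", "item": "EXH-002", "kind": "EvidenceAccessed", "by": "analyst_d"},
    {"ts": "2026-01-12T17:25:45Z", "item": "EXH-001", "kind": "EvidenceSealed"},
    {"ts": "2026-01-13T07:00:00Z", "item": "EXH-003", "kind": "EvidenceCollected", "by": "officer_e"},
]
```

A verifier who holds only the published root for 2026-01-12 needs just the one event and its three-hash audit path to confirm the record; changing a single byte of the event (the "to" field, say) makes verify_inclusion return False. A day with a single event has the leaf hash as its root and an empty proof, which is worth testing explicitly because it is the case most hand-rolled implementations get wrong.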
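As an added example (not the export service itself) of the CEF serialisation in the ArcSight bullet above: a builder that applies the CEF escaping rules and a parser that splits only on unescaped delimiters, so a round trip preserves an event name containing a pipe and a file name containing an equals sign, and a naive split on "|" is shown to over-count fields. The vendor, product and version strings, the signature ID and the sample event are assumptions; the extension keys used (rt, suser, act, fname, fileHash, outcome, msg) are standard CEF dictionary keys.

```python
"""Serialise an audit event as a CEF:0 line and parse it back, escape-aware.

Added example, not the module's SIEM export service. Vendor/product/version and
the sample event are assumptions. CEF escaping: in the header, '\\' and '|' are
escaped; in extension values, '\\' and '=' are escaped and CR/LF become '\\r'/'\\n'.
"""

VENDOR, PRODUCT, VERSION = "ExampleVendor", "EvidenceAuditEvents", "1.0"  # assumed values

_UNESCAPE = {"n": "\n", "r": "\r"}  # extension-value escapes that stand for control characters


def escape_header(value: str) -> str:
    return value.replace("\\", "\\\\").replace("|", "\\|")


def escape_extension(value: str) -> str:
    return (value.replace("\\", "\\\\").replace("=", "\\=")
            .replace("\r", "\\r").replace("\n", "\\n"))


def to_cef(event: dict) -> str:
    """CEF:0|Vendor|Product|Version|SignatureID|Name|Severity|key=value key=value ..."""
    header = [VENDOR, PRODUCT, VERSION, event["signature_id"], event["name"], str(event["severity"])]
    ext = " ".join(f"{k}={escape_extension(str(v))}" for k, v in event["ext"].items())
    return "CEF:0|" + "|".join(escape_header(f) for f in header) + "|" + ext


def _split_unescaped(s: str, sep: str, maxsplit: int = -1) -> list:
    """Split on unescaped `sep`, unescaping as we go; after maxsplit, keep the rest raw."""
    fields, cur, i = [], [], 0
    while i < len(s):
        if len(fields) == maxsplit:
            fields.append(s[i:])
            return fields
        c = s[i]
        if c == "\\" and i + 1 < len(s):       # escaped character: take it literally
            cur.append(_UNESCAPE.get(s[i + 1], s[i + 1]))
            i += 2
            continue
        if c == sep:
            fields.append("".join(cur))
            cur = []
        else:
            cur.append(c)
        i += 1
    fields.append("".join(cur))
    return fields


def parse_extension(ext: str) -> dict:
    """Keys contain no spaces, so each key after the first follows the previous value's last space."""
    segments = _split_unescaped(ext, "=")
    if len(segments) < 2:
        return {}
    result, key = {}, segments[0]
    for seg in segments[1:-1]:
        value, _, next_key = seg.rpartition(" ")
        result[key], key = value, next_key
    result[key] = segments[-1]
    return result


def parse_cef(line: str) -> dict:
    """Split the seven header fields on unescaped pipes; everything after is the extension."""
    parts = _split_unescaped(line, "|", maxsplit=7)
    if len(parts) != 8 or parts[0] != "CEF:0":
        raise ValueError("not a CEF:0 line")
    return {"vendor": parts[1], "product": parts[2], "version": parts[3],
            "signature_id": parts[4], "name": parts[5], "severity": int(parts[6]),
            "ext": parse_extension(parts[7])}


# Constructed sample event; the name carries a '|', the file name a '=' and a '|',
# and the message a line break, all of which would corrupt an unescaped line.
SAMPLE_EVENT = {
    "signature_id": "EVIDENCE_ACCESS_DENIED",
    "name": "Access denied | policy: custodian only",
    "severity": 7,
    "ext": {"rt": "1768205700000", "suser": "analyst_c", "act": "read",
            "fname": "case=42|disk.E01", "fileHash": "9f86d081884c7d659a2feaa0c55ad015",
            "outcome": "failure", "msg": "first line\nsecond line"},
}
```

to_cef(SAMPLE_EVENT) produces a single line with the name rendered as "Access denied \| policy: custodian only" and the file name as "case\=42|disk.E01"; parse_cef reverses it exactly. Splitting the same line naively on "|" yields more than the eight CEF fields, which is how an unescaped file name ends up rewriting the severity or name a SIEM rule keys on.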
Last Reviewed: 2026-02-05 Last Updated: 2026-04-14