Overview
The moment an alert fires on a fixed surveillance camera, the system preserves a cryptographically verifiable video clip of the event before anyone has to lift a finger. No race to find the footage, no manual download, no third-party evidence locker: the seconds before and after the event are already captured, hashed, and stored with a complete chain of custody.
For security operations centres, law enforcement agencies, and critical-infrastructure operators, that automatic preservation is the difference between solid evidence and a gap in the record. Each clip carries a SHA-256 digest computed over its raw bytes and re-verified after storage, so its integrity can be demonstrated in court or before a regulator. When litigation or a formal proceeding begins, authorised users place a legal hold on any clip through the API, recording who acted, when, and why, all without ever leaving the platform.
Key Features
- Event-Triggered Clip Extraction: When an event is detected on a fixed camera, the service automatically extracts a video segment spanning a configurable pre-event and post-event buffer, defaulting to 30 seconds before and 60 seconds after, so the lead-up and aftermath are preserved together as a single coherent clip.
- Cryptographic Integrity by Design: A SHA-256 digest is computed over the raw clip bytes at extraction time. After the clip is written to storage, the service reads it back and recomputes the hash, confirming a bit-for-bit match before the database index row is committed. A clip is only indexed once its stored copy is proven identical to the captured original.
- Complete Evidence Bundle: Every preserved event produces a primary clip in H.265, a JPEG thumbnail, a 15-second VP9 / WebM preview transcoded with FFmpeg, a structured JSON metadata document, and a chain-of-custody JSON artifact, all uploaded together under a structured organisation, date, camera, and incident key hierarchy.
- Chain of Custody from the First Second: The chain-of-custody artifact records the clip lifecycle in machine-readable form, stamped with ISO 8601 timestamps and tied to the originating camera and incident, establishing provenance from the instant of capture onward.
- Legal Hold and Lift: Authorised users place or lift a legal hold on any preserved clip through the API. The action records the acting user identity, a timestamp, and a free-text reason on the clip record and writes the same detail to the operations audit log, producing a defensible record of every custody decision.
- Tenant-Scoped Access Control: All read and write operations are gated by ontology-based role-based access control scoped to the authenticated tenant, so users only ever see and act on clips belonging to their own organisation.
- Idempotent Preservation: Repeated extraction requests for the same source recording and incident return the existing clip rather than creating duplicates, keeping the evidence record clean even under retries or replayed alerts.
- Audit-Backed Operations: Custody-relevant actions are written to a tamper-evident operations audit log, giving compliance and legal teams a single authoritative trail of who did what to each piece of evidence.
Use Cases
Security Operations Centres
Preserve footage of intrusions, tampering, and safety incidents the instant an alert fires, with integrity that can be demonstrated long after the event. Operators reviewing an incident already have the clip, thumbnail, and preview ready, with no need to pull recordings from individual camera systems.
Law Enforcement Agencies
Capture event footage with a verifiable chain of custody suitable for disclosure and courtroom presentation. When a clip becomes relevant to a case, investigators place it on legal hold through the API, recording the reason and preserving it against deletion or retention expiry.
Critical-Infrastructure Operators
Protect substations, pipelines, ports, and utilities by automatically preserving evidence of perimeter breaches and equipment interference. Clips on legal hold remain available for regulatory proceedings and incident investigations without manual archiving.
Legal and Compliance Teams
Respond to litigation holds and regulatory requests by placing relevant clips on hold directly through the platform, with every hold and lift attributed to a named user and reason in the audit log.
Integration
The capability is exposed through a typed GraphQL API and REST endpoints secured with OAuth 2.0 Bearer tokens and JWT-based authentication. Event-detection pipelines feed extraction requests over a versioned message contract, and clips, thumbnails, and previews are stored in Cloudflare R2 under a predictable key hierarchy that downstream evidence and case-management tools can resolve.
Customers plug their existing camera estate and event-detection pipeline into the extraction path and immediately gain preserved, hash-verified evidence with no bespoke storage to operate. Legal hold actions are driven from a GraphQL mutation, so case-management and e-discovery workflows can place and lift holds programmatically and reflect custody state in their own systems. Webhook-style event ingestion and a normalised clip metadata model mean the same integration pattern works across every camera and site.
Open Standards
- SHA-256 (FIPS 180-4): Used as the clip integrity digest, computed over the raw clip bytes at extraction and recomputed on read-back from storage to guarantee bit-for-bit integrity before indexing.
- ISO 8601: Date and time fields throughout the clip metadata and chain-of-custody documents, including clip start and clip end and every custody timestamp, are encoded in ISO 8601 for unambiguous cross-system interpretation.
- H.265 / HEVC (ITU-T H.265 | ISO/IEC 23008-2): The primary storage codec for extracted clips, delivering efficient high-quality compression for long-term evidence retention.
- VP9 / WebM (open, royalty-free codec): The 15-second preview is transcoded to VP9 in a WebM container with FFmpeg, providing a license-free, broadly playable preview format.
- OAuth 2.0 / Bearer Token (RFC 6749 / RFC 6750): All API endpoints accept OAuth 2.0 Bearer tokens, validated before any clip data or custody action is permitted.
- JSON Web Token (RFC 7519): Authenticated identity and tenant scope are carried as signed JWT claims, validated on every request before access-control decisions are applied.
- GraphQL (June 2018 specification): Clip retrieval and legal hold operations are exposed through a typed GraphQL API that enforces permission checks on each resolver.
Security and Compliance
Integrity is enforced structurally rather than assumed: a clip is never indexed until its stored copy has been read back and proven identical to the captured original by SHA-256 comparison. Every legal hold and lift is attributed to a named user with a timestamp and reason and is recorded both on the clip record and in the operations audit log, producing a defensible custody trail. Access to clips and custody actions is restricted by ontology-based role-based access control scoped to the authenticated tenant, ensuring strict isolation between organisations. The chain-of-custody artifact stored alongside each clip provides a self-contained, machine-readable record of provenance suitable for evidentiary and regulatory scrutiny.
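The read-back check and idempotent preservation described above, sketched as an added example (not the platform's own code). The in-memory store, the function and class names, the `clip.h265` object name, and the sample bytes are assumptions constructed for illustration.

```python
import hashlib

class IntegrityError(Exception):
    """Stored copy does not match the captured original."""

class MemoryStore:
    """Constructed stand-in for object storage (hypothetical interface)."""
    def __init__(self, corrupt=False):
        self.objects = {}
        self.corrupt = corrupt  # simulate a damaged write for the failure path

    def put(self, key, data):
        # When simulating corruption, flip one bit of the first byte.
        self.objects[key] = bytes([data[0] ^ 1]) + data[1:] if self.corrupt else data

    def get(self, key):
        return self.objects[key]

    def delete(self, key):
        self.objects.pop(key, None)

def preserve_clip(store, index, org, date, camera, incident, recording_id, clip_bytes):
    """Store a clip and commit its index row only after the read-back hash matches."""
    idem_key = (recording_id, incident)   # same recording + incident => same clip
    if idem_key in index:                 # retry or replayed alert: no duplicate
        return index[idem_key]
    digest = hashlib.sha256(clip_bytes).hexdigest()      # hash at extraction time
    key = f"{org}/{date}/{camera}/{incident}/clip.h265"  # assumed key layout
    store.put(key, clip_bytes)
    stored_digest = hashlib.sha256(store.get(key)).hexdigest()  # read back, rehash
    if stored_digest != digest:
        store.delete(key)                 # do not keep an unverified object
        raise IntegrityError(f"read-back mismatch for {key}")
    row = {"key": key, "sha256": digest, "verified": True}
    index[idem_key] = row                 # index row is committed last
    return row

if __name__ == "__main__":
    clip = b"\x00\x00\x00\x01constructed-sample-clip-bytes"  # constructed sample
    args = ("org1", "2026-05-26", "cam7", "inc42", "rec9", clip)
    print(preserve_clip(MemoryStore(), {}, *args))
    try:
        preserve_clip(MemoryStore(corrupt=True), {}, *args)
    except IntegrityError as exc:
        print("rejected:", exc)
```
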
Last Reviewed: 2026-05-26 Last Updated: 2026-05-26