GH GambleHub

Storage of evidence and documentation

1) Purpose and results

The evidence and documentation storage system provides:
  • Legally significant, immutable evidence.
  • Traceability: who created/changed/read what, when, and why.
  • Audit readiness "at the press of a button" (a reproducible "audit pack").
  • Privacy and retention (TTL, Legal Hold, deletion/anonymization).
  • A single framework of rights and responsibilities (RACI) and quality metrics.

2) Taxonomy of artifacts (which we consider evidence)

Technical: access logs and admin actions, scanner outputs (SAST/DAST/SCA), secret-scan reports, SOAR logs, IaC/cloud drift, configuration backups, KMS/HSM audit trails.
Operational: ITSM tickets/incidents/changes, post-mortem records, DR/BCP test reports, access audit reports (re-certification).
Legal and regulatory: policies/standards/SOPs with version log, DPAs/SLAs/addendums, notifications to regulators, responses to requests, CAPA/remediation.
Privacy and data: processing registers, DSAR cases, deletion/anonymization confirmations, retention schedules, Legal Hold journals.
Vendors/third parties: due diligence results, certifications (SOC/ISO/PCI), pentest reports, SLA compliance.
Financial controls: AML/STR reports, limits and exclusions, SoD confirmations.

3) Design tenets

Immutability by default: WORM/Object Lock.
Integrity & authenticity: hash chains, Merkle roots, digital signatures and timestamps.
Minimal & purpose-bound: only the data needed for the purpose; pseudonymization/masking.
Case-based access: access by case and role, with an end-to-end read/export log.
Policy-as-Code: retention/Legal Hold/artifact classes live in the rule repository.
Auditability: reproducible reports and an "audit pack" with hash receipts.

4) Roles and RACI

Role | RACI | Responsibility
Evidence Platform Owner | A | Reliability, consistency, budget, availability
Compliance/GRC | R | Taxonomy, retention/Legal Hold rules, "audit pack"
SecOps/DFIR | R | Integrity, collection and capture of incident artifacts
Data Platform | R | Catalogs/data lineage, reporting marts
Legal/DPO | C | Privacy, legal grounds, cross-border aspects
IAM/IGA | C | Roles/SoD, re-certification of archive access
Internal Audit | I | Independent verification of procedures and samples

(R — Responsible; A — Accountable; C — Consulted; I — Informed)

5) Storage architecture (reference)

1. Ingest area: reliable bus, mTLS, retries, deduplication, metadata normalization (JSON).
2. Hot storage: fast search/reports (30-90 days).
3. Cold storage: object/archive tier (1-7 years), economy class.
4. WORM/Object Lock zone: an immutable evidence archive with policies per bucket/object.
5. Integrity: batch hashes, Merkle trees, periodic anchoring; audit log.
6. Catalog/MDM of artifacts: register of types, schemas, owners, TTL, key search fields.
7. Access: RBAC/ABAC + case-based access; export with hash receipt; two-person control for sensitive sets.
8. Replication and DR: geo-distribution, RTO/RPO targets, regular recovery checks.

6) Policies-as-code (YAML example)

```yaml
id: EVD-RET-001
title: "Retention and Legal Hold (evidence)"
classes:
  - name: "security_logs"
    hot_days: 30
    cold_days: 365
    worm_years: 3
  - name: "contracts_dpa"
    hot_days: 0
    cold_days: 2555   # ~7 years
    worm_years: 7
legal_hold:
  enabled: true
  override_ttl: true
privacy:
  mask_fields: ["email", "phone", "ip", "account_id"]
  export_policy: "case_based"
verification:
  integrity_check: "daily"
  anchor_cadence: "hourly"
```

7) Chain of Custody

Identification: unique object ID, source, schema version.
Fixation: SHA-256/512 hash, package signature, timestamp.
Transfer: manifest log (who transferred/verified, and when).
Access: accounting for all reads/exports; case/ticket reference.
Reporting: hash receipts, verification records, reconciliation results.

8) Retention, Legal Hold and Deletion

Retention schedules by artifact class and jurisdiction.
Legal Hold for incidents/regulator requests: "freezes" deletions.
TTL deletion: only after automatic verification that no active Hold applies.
Deletion report: object list + aggregated hash summary.
Vendor offboarding: mirror retention, confirmation of destruction.

9) Privacy and minimization

Scope-minimum: store context, not "full payload."

Pseudonymization/masking of sensitive fields; separate re-identification keys.
Access "by case": for DSAR/incident - temporary rights with a log.
Cross-border: explicit labels of the country of storage/processing; copy control.

10) "Audit pack" (structure)

1. Organization description and RACI.
2. Policies/standards/SOP (current versions + changelog).
3. Systems and controls map + norm/certification mapping.
4. KPI/KRI metrics and period reports.
5. Selection artifacts: logs, configs, scans, DR/BCP, access revisions.
6. Vendor dossier: DPA/SLA, certificates, pentest reports.
7. CAPA/remediation: status, evidence of closure.
8. Packet hash receipt and access log.

11) Metrics and SLO

Integrity Pass: 100% successful hash chain checks.
Anchor Freshness p95: ≤ 2 hours between anchoring and verification.
Coverage: ≥ 98% of critical systems in the evidence directory.
Access Review SLA: 100% monthly re-attestation of archive rights.
Legal Hold Lag: ≤ 15 minutes from event to Hold installation.
Export SLA ("audit pack"): ≤ 8 hours to issue a full set.
PII Leak Rate: 0 critical leaks in archives.

12) Dashboards (minimum set)

Integrity & WORM: anchoring status, Object Lock, verification errors.
Coverage & Catalog: artifact class coverage, "holes," orphan objects.
Access & Exports: who read/unloaded what, anomalies, SoD conflicts.
Retention & Hold: TTL timers, active Legal Hold, deletion schedule.
Vendor Mirror: the state of mirror retainment with contractors.
Audit Readiness: on-button readiness and time to SLA.

13) SOP (standard procedures)

SOP-1: Loading Evidence

1) Source registration → 2) normalization/schema → 3) hash and signature → 4) write to WORM zone → 5) verify and anchor → 6) update catalog.

SOP-2: Prepare "audit pack"

Open the case → collect a list of artifacts by selection → generate a packet → generate a hash receipt → legal review → issue it through the official channel → record access and a copy in WORM.

SOP-3: Legal Hold

Initiate Hold → tie classes/cases → stop deletion jobs → notify owners → log all operations → remove Hold according to Legal's decision.

SOP-4: TTL Deletion

Check active Hold → delete atomically → issue a hash summary report → update the directory.
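The TTL deletion rule from section 8 and SOP-4, applied to the retention classes of the section 6 YAML and producing the deletion report with an aggregated hash summary, as an added Python example (not GambleHub's own code; object records, hold records, dates and the per-object hashes are constructed):

```python
import hashlib
from datetime import date, timedelta

# Retention classes mirror EVD-RET-001 from section 6 (hypothetical values).
POLICY = {
    "security_logs": {"hot_days": 30, "cold_days": 365, "worm_years": 3},
    "contracts_dpa": {"hot_days": 0, "cold_days": 2555, "worm_years": 7},
}

def retention_end(obj):
    """Date on which hot + cold + WORM retention has fully elapsed."""
    p = POLICY[obj["class"]]
    return obj["created"] + timedelta(days=p["hot_days"] + p["cold_days"] + 365 * p["worm_years"])

def has_active_hold(obj, holds, today):
    """A hold blocks deletion when it targets the object's class or one of its
    linked cases and has not been released (released is None or in the future)."""
    for h in holds:
        released = h.get("released")
        if released is not None and released <= today:
            continue  # hold already lifted by Legal's decision
        if h.get("class") == obj["class"] or h.get("case") in obj["cases"]:
            return True
    return False

def ttl_deletion_run(objects, holds, today):
    """SOP-4: check for active Hold, delete only unheld expired objects, and
    return the deletion report: object list plus an aggregated hash summary."""
    deleted, blocked = [], []
    for obj in objects:
        if retention_end(obj) > today:
            continue  # TTL not yet elapsed
        if has_active_hold(obj, holds, today):
            blocked.append(obj["uid"])  # Legal Hold freezes the deletion
        else:
            deleted.append(obj)
    summary = hashlib.sha256()
    for obj in sorted(deleted, key=lambda o: o["uid"]):
        summary.update(f"{obj['uid']}:{obj['sha256']}\n".encode())
    return {"deleted": [o["uid"] for o in deleted], "blocked_by_hold": blocked,
            "hash_summary": summary.hexdigest()}

# Constructed sample: three security-log batches, one DPA, one active hold.
TODAY = date(2025, 6, 1)
OBJECTS = [
    {"uid": "log-0001", "class": "security_logs", "created": date(2020, 1, 1), "cases": ["INC-17"], "sha256": "a" * 64},
    {"uid": "log-0002", "class": "security_logs", "created": date(2020, 1, 1), "cases": [], "sha256": "b" * 64},
    {"uid": "log-0003", "class": "security_logs", "created": date(2024, 1, 1), "cases": [], "sha256": "c" * 64},
    {"uid": "dpa-0001", "class": "contracts_dpa", "created": date(2015, 1, 1), "cases": [], "sha256": "d" * 64},
]
HOLDS = [{"case": "INC-17", "released": None}]  # regulator request, still active
```

Running `ttl_deletion_run(OBJECTS, HOLDS, TODAY)` deletes only log-0002: log-0001 has expired but is frozen by the INC-17 hold, while log-0003 and the DPA are still inside their retention window.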

SOP-5: Vendor Offboarding

Request a mirror storage report → export/transfer → confirmation of destruction from the vendor → verification and archive of certificates.

14) Artifact metadata (minimum)

UID, class, schema version, source, owner/contacts.
Date/time of creation and ingest, jurisdiction/region of storage.
Hash/signature/Merkle path and verification history.
TTL and Legal Hold status.
Links to related tickets/cases/policies.
Access/export history.

15) Integrity check (algorithm)

Daily sampling of batches → recalculation of hashes → reconciliation with the anchored Merkle root → report on inconsistencies → automatic escalation and "freezing" of disputed segments pending investigation.
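The fixation step of section 7 (per-object hash plus a batch Merkle root that gets anchored) and the daily integrity check above, as an added Python example (not GambleHub's own code; the log lines, the tampered copy and the helper names are constructed):

```python
import hashlib

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def merkle_root(leaves):
    """Root over a list of hex leaf hashes; an odd level duplicates its last node."""
    level = list(leaves) or [sha256_hex(b"")]
    while len(level) > 1:
        if len(level) % 2:
            level.append(level[-1])
        level = [sha256_hex((level[i] + level[i + 1]).encode())
                 for i in range(0, len(level), 2)]
    return level[0]

def fix_batch(objects):
    """Fixation (section 7): per-object SHA-256 leaves plus the batch Merkle root
    that gets timestamped/signed and anchored at ingest."""
    leaves = [sha256_hex(obj) for obj in objects]
    return {"leaves": leaves, "root": merkle_root(leaves)}

def daily_integrity_check(archived_objects, anchor):
    """Section 15: recompute hashes for a sampled batch, reconcile with the
    anchored Merkle root, list the disagreeing objects and flag the segment
    for freezing and escalation when the root does not reconcile."""
    recomputed = [sha256_hex(obj) for obj in archived_objects]
    mismatched = [i for i, (new, old) in enumerate(zip(recomputed, anchor["leaves"]))
                  if new != old]
    count_ok = len(recomputed) == len(anchor["leaves"])
    root_ok = count_ok and merkle_root(recomputed) == anchor["root"]
    return {"root_ok": root_ok, "mismatched": mismatched,
            "missing_or_extra": not count_ok, "freeze_segment": not root_ok}

# Constructed sample: a batch of four admin-action log lines captured at ingest.
BATCH = [
    b"2025-06-01T10:00:01Z admin=alice action=role_grant target=bob",
    b"2025-06-01T10:00:07Z admin=alice action=export case=INC-17",
    b"2025-06-01T10:01:13Z admin=carol action=bucket_lock bucket=evd-worm",
    b"2025-06-01T10:02:44Z admin=bob action=login src=10.0.0.5",
]
ANCHOR = fix_batch(BATCH)  # what the hourly anchoring job would have recorded

# Simulated tampering of the archive copy: one line altered after anchoring.
TAMPERED = list(BATCH)
TAMPERED[1] = b"2025-06-01T10:00:07Z admin=alice action=read case=INC-17"
```

`daily_integrity_check(TAMPERED, ANCHOR)` reports index 1 as mismatched and flags the segment for freezing, while the untouched batch reconciles cleanly.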

16) Quality and testing

Schema compliance ≥ 99.5% (deviations → ingest is blocked).
Disaster restore drills: quarterly archive recovery tests.
Reperformability: re-performance scripts for auditors (reproducible reports).
Versioned playbooks: versioned SOPs and audit pack templates.

17) Antipatterns

No WORM/immutability → contestable evidence.
Raw text without schemas → weak search/validity.
No catalog and no owners → "nobody's" responsibility.
Archive as a "storeroom": no metrics/dashboards, no DR tests.
Perpetual waivers with no expiration date.
Export without hash receipt and access log.
Mixing production PII into artifacts without minimization.

18) Maturity model (M0-M4)

M0 Manual: scattered folders, no TTL/chain of custody.
M1 Catalogue: single register of artefacts, basic retention.
M2 Managed: WORM/Object Lock, integration with IAM, Legal Hold, dashboards.
M3 Assured: hash chains, anchoring, case-based access, "audit pack" by button.
M4 Continuous Assurance: automatic integrity checks, forecast risks, mirror retention at vendors, full DR exercises.

19) Related wiki articles

Logging and Logging

Audit Trail Activity Tracking

Legal Hold and Data Freeze

Data Retention and Deletion Schedules

Continuous Compliance Monitoring (CCM)

KPIs and compliance metrics

Due Diligence and Outsourcing Risks

Compliance Policy Change Management

Interaction with regulators and auditors

Summary

Secure storage of evidence is not just an "archive" but a managed, provably immutable system: WORM and hash chains, strict retention and Legal Hold policies, case-based access, catalogs and metrics, a reproducible "audit pack", and regular integrity checks. In such a system the audit is predictable, investigations are fast, and the risks are under control.
