Evidence that holds up. Forensic-grade chain of custody, built into the platform.
Almost no SIEM ships this. Caver gives every incident a court-admissible evidence locker: every byte you collect during an investigation is cryptographically pinned the moment it arrives and provably unchanged from upload to courtroom. Hashed on arrival, re-verified on every read, recorded in a Merkle transparency ledger, exported under a signature, and verifiable offline by a third party who does not trust Caver at all.
Ten guarantees. Every one cryptographic.
These are not policy promises in a compliance PDF. Each one is enforced by the platform, and the chain is checkable end to end by someone who has no access to, and no faith in, your deployment.
SHA-256 per artifact
Every file attached to a case is hashed the moment it arrives. Uploader, timestamp, and the triggering notable are recorded with it.
Re-verified on every read
The hash is recomputed on every fetch. If a stored byte ever diverges, the download is refused, not silently served.
RFC-6962 Merkle ledger
Every custody event appends to a Merkle transparency ledger, the same construction Certificate Transparency runs on. Rewriting history breaks the proofs.
Ed25519-signed exports
Every bundle that leaves the locker is signed. Change a single byte afterwards and verification fails loudly.
Sealed cases freeze
Sealing a case freezes its locker: no additions, no swaps, no quiet edits after the investigation closes.
Two-key delete + 24h sweep
No single admin can destroy evidence. Deletion takes two authorisations, then the artifact waits out a 24-hour sweep window before removal.
Malware-safe serving
Suspect binaries are stored quarantined and served safely, so the locker never becomes a malware distribution point.
8 export formats
From a court-ready signed PDF and a signed ZIP with the verifier bundled in, to STIX 2.1 and auditor-ready evidence packs.
Offline verifier CLI
caver-evidence-verify re-computes hashes, validates signatures, and walks the Merkle proof offline. A third party verifies without trusting Caver.
Chain of custody + legal hold
A complete who-touched-what-when record on every artifact, and legal holds that freeze deletion until released. Every hold action is logged.
Incidents end in front of people who were never in your SOC.
Incident response does not end when the alert closes. It ends in HR actions, insurance claims, regulator filings, and courtrooms, months later, in front of people who will ask exactly one question: can you prove this is what you found?
Evidence handling is where cases die
A hash nobody recorded. A file quietly re-saved. A screenshot with no provenance. Opposing counsel does not have to prove tampering, only raise doubt.
Screenshots are not proof
In most SIEMs, "evidence" is a PNG pasted into a ticket and a CSV sitting on a share drive. There is no integrity story, only an analyst’s word.
Your legal team gets provable integrity
Hand counsel a signed bundle and an independent verifier instead of testimony about process. The integrity argument becomes maths, not memory.
From attach to admissible. Seven links, no gaps.
Custody is not a report generated at the end. It is enforced at every step, from the second an artifact enters the locker to the moment opposing counsel checks the maths on their own laptop.
Attach
An analyst or an approval-gated playbook deposits the artifact into the case locker: an OCSF event slice, a PCAP, a forensic image, a screenshot, a sample.
Hash + sign
SHA-256 is computed on arrival and bound to the uploader’s identity and a signed timestamp. The artifact is pinned from its first second inside.
Ledger entry
The custody event appends to the RFC-6962 Merkle transparency ledger. From here, history cannot be rewritten without detection.
Every read re-verifies
Each fetch recomputes the hash and logs who read it, when, and why. A diverging byte refuses to serve.
Seal
The case closes and the locker freezes. No additions, no edits, no swaps. The record you present is the record you collected.
Signed export
The case leaves in any of 8 formats, including the court-ready signed PDF, under an Ed25519 signature covering the lot.
Offline verification
Opposing counsel, an auditor, or a regulator runs caver-evidence-verify against the bundle. No Caver access, no trust required. Exit 0, chain intact.
A record where every link is enforced by cryptography, and any broken link is loud.
Trust the proof, not the vendor.
caver-evidence-verify is a standalone offline CLI. A defence expert, opposing counsel, or auditor points it at an exported bundle and it re-computes every hash, validates every Ed25519 signature, and walks the Merkle proof, with zero access to your Caver deployment.
$ caver-evidence-verify --bundle case-2026-04127.evidence.zip verifying 41 artifacts... ✓ 41/41 SHA-256 valid ✓ 41/41 Ed25519 signatures valid ✓ ledger Merkle proof valid (root: 0x4f3a...) ✓ chain of custody intact through 2026-04-18T14:23:01Z → exit 0 · verified with zero access to the Caver deployment
What every artifact carries.
artifact_sha256 The bytes are unaltered since the moment of ingestion. ingest_timestamp + signature The artifact existed no later than this signed moment. ingest_actor Which user, playbook, or API caller deposited it, under their IdP identity. source_event Which notable, case, or episode triggered the deposit, fully linkable. ledger_merkle_root The ledger state at ingest, so the ledger itself cannot be edited undetected. access_log Every subsequent read: who, when, from where, with what justification. retention_policy The retention class applied at ingest, plus any legal holds layered on later. verification_payload Standalone hash + signature + ledger proof, downloadable for independent checking. Artifact-agnostic. If it serialises, it's evidence.
Anything you can turn into bytes lands with the same chain-of-custody guarantees, from a Parquet slice of the lake to a memory image off an endpoint.
OCSF event slices
A time-boxed, entity-boxed slice of the lake covering the incident window, attached automatically when a notable becomes a case.
PCAP + network captures
Triggered by a playbook step or attached by hand. Compression, hashing, and retention handled by the locker.
Endpoint forensic images
Disk and memory captures routed from your EDR through the forensic-acquire playbook step.
Screenshots
Dashboard state and annotated captures, with analyst identity and capture time recorded in the ledger.
File samples
Suspected malware lands quarantined by default and is only ever served malware-safe.
Analyst notes
Signed, versioned narrative. Edits create new versions, never overwrites, so the original voice survives.
Identity snapshots
The actor’s identity graph frozen at incident time, even after the org chart moves on.
Asset snapshots
The asset’s record and service-tree position frozen at incident time, before reality drifts.
Retention by policy, per evidence class
Every artifact takes a retention class at ingest, and the class drives the clock. Critical-incident evidence keeps its own schedule, and nothing silently ages out mid-litigation.
Legal hold, on top of everything
Counsel requests, an authorised user applies, and deletion freezes across the case until the hold is released. Every hold action is logged, and two-key delete still stands underneath.
Inside your SOAR, not beside it.
Standalone forensics tools live outside the investigation, so evidence reaches them late, partially, or never. The locker sits inside SLAM, Caver's case management and SOAR layer, where the incident already lives.
Lives inside SLAM cases
Notable fires, case opens, evidence attaches: one motion, in the same queue your analysts already triage. Custody starts at detection, not at a handoff.
One platform, one lake
Attach the OCSF event slice straight from the lake you query, under the same SSO, RBAC, and audit surface as the rest of the platform.
Nothing extra to buy
No separate forensics vault to procure, integrate, and forget to check. The locker ships inside the platform, so every case gets custody by default.
How incident evidence usually travels, and how it travels here.
- × A screenshot pasted into a ticket
- × A CSV export sitting on a share drive
- × Integrity backed by an analyst’s memory
- × Deletion is one admin away
- × Verification means re-asking the SOC
- ✓ SHA-256 pinned on arrival, re-verified on every read
- ✓ Ed25519-signed export from a sealed case
- ✓ Custody recorded in an RFC-6962 Merkle transparency ledger
- ✓ Two-key delete + 24h sweep, no single admin can destroy evidence
- ✓ An offline verifier CLI anyone can run, no Caver access needed
When the question is "can you prove it," one of these columns has an answer.
Put your next incident on the record.
Request evaluation access and see the locker inside a live case, from the first attached artifact to a signed export verified on your own machine.