Recipe: Audit evidence collection writer
A structured pattern for collecting, timestamping, and sealing forensic audit evidence during automated compliance checks. Designed for environments where chain-of-custody integrity is non-negotiable.
Prerequisites
- Meridian agent v3.2+ with evidence module enabled
- HMAC signing key provisioned in agent config
- Write access to evidence staging directory
Evidence bundle structure
evidence_bundle/
├── manifest.json      # HMAC-signed index
├── artifacts/
│   ├── registry.reg   # Captured hive export
│   ├── eventlog.evtx  # Relevant event entries
│   └── memory.dmp     # Process snapshot
└── chain.json         # Hash chain links
Collection flow
1. Open evidence session — generate session UUID, create staging directory, record wall-clock and monotonic timestamps.
2. Capture artifacts — execute collectors in parallel with per-artifact timeouts. Hash each artifact with SHA-256 before writing.
3. Build hash chain — link artifacts sequentially, sign chain head with HMAC-SHA256.
4. Seal and close — write manifest, compute bundle checksum, mark session immutable.
Integrity verification
Validate any bundle by recomputing the hash chain from leaf artifacts up to the signed chain head. Compare against the manifest HMAC. A mismatch at any link indicates tampering or corruption. The verifier ships as a standalone binary requiring only the original signing key.
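The four collection steps and the verification pass above, written out as an added Python example. This is illustrative code, not the Meridian agent's evidence module or its verifier binary: the manifest and chain.json field names, the genesis link value, the "collector-error" leaf for a failed collector, and read-only file permissions standing in for "immutable" are all assumptions, and the sample artifacts are constructed inline. Collectors run sequentially here rather than in parallel with timeouts, but a collector that raises (as a timed-out one would) is recorded as a failed artifact instead of aborting the session, so the bundle still seals and still verifies.

```python
import hashlib
import hmac
import json
import tempfile
import time
import uuid
from pathlib import Path

GENESIS = "0" * 64  # link value before the first artifact (assumption)


def open_session(staging_root):
    """Step 1: session UUID, staging directory, wall-clock and monotonic stamps."""
    session_id = str(uuid.uuid4())
    bundle = Path(staging_root) / f"evidence_bundle_{session_id}"
    (bundle / "artifacts").mkdir(parents=True)
    return {"session_id": session_id, "bundle": bundle, "artifacts": [],
            "opened_wallclock": time.time(),       # absolute, for the record
            "opened_monotonic": time.monotonic()}  # unaffected by clock changes


def _error_leaf(message):
    # A collector failure is evidence too; give it a deterministic leaf hash.
    return hashlib.sha256(("collector-error:" + message).encode()).hexdigest()


def capture_artifacts(session, collectors):
    """Step 2: run each collector (name -> callable returning bytes) and hash
    the output with SHA-256 before it is written to the staging directory."""
    for name, collect in collectors.items():
        try:
            data = collect()
        except Exception as exc:  # timed-out or crashed collector
            session["artifacts"].append({"name": name, "error": str(exc),
                                         "sha256": _error_leaf(str(exc))})
            continue
        digest = hashlib.sha256(data).hexdigest()
        (session["bundle"] / "artifacts" / name).write_bytes(data)
        session["artifacts"].append({"name": name, "sha256": digest})
    return session["artifacts"]


def chain_links(artifacts):
    """Step 3: link_i = SHA-256(link_{i-1} || leaf_i), starting from GENESIS."""
    prev, links = GENESIS, []
    for art in artifacts:
        prev = hashlib.sha256((prev + art["sha256"]).encode()).hexdigest()
        links.append({"name": art["name"], "leaf": art["sha256"], "link": prev})
    return links


def _canonical(manifest):
    # Deterministic serialisation so the HMAC can be recomputed byte-for-byte.
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()


def seal(session, key):
    """Steps 3-4: HMAC the chain head, write chain.json and the signed manifest,
    checksum every file in the bundle and make it read-only. Returns checksum."""
    bundle, links = session["bundle"], chain_links(session["artifacts"])
    head = links[-1]["link"] if links else GENESIS
    chain = {"links": links, "head": head,
             "head_hmac": hmac.new(key, head.encode(), "sha256").hexdigest()}
    (bundle / "chain.json").write_text(json.dumps(chain, indent=1))
    manifest = {"session_id": session["session_id"],
                "opened_wallclock": session["opened_wallclock"],
                "opened_monotonic": session["opened_monotonic"],
                "artifacts": session["artifacts"], "chain_head": head}
    manifest["hmac"] = hmac.new(key, _canonical(manifest), "sha256").hexdigest()
    (bundle / "manifest.json").write_text(json.dumps(manifest, indent=1))
    checksum = hashlib.sha256()
    for path in sorted(p for p in bundle.rglob("*") if p.is_file()):
        checksum.update(path.read_bytes())
        path.chmod(0o444)  # "immutable" approximated as read-only (assumption)
    return checksum.hexdigest()


def verify_bundle(bundle_dir, key):
    """Recompute leaves and chain from the artifacts on disk, then compare head
    and manifest HMAC. Returns (ok, reason) naming the first failing link."""
    bundle = Path(bundle_dir)
    manifest = json.loads((bundle / "manifest.json").read_text())
    claimed = manifest.pop("hmac", "")
    expected = hmac.new(key, _canonical(manifest), "sha256").hexdigest()
    if not hmac.compare_digest(claimed, expected):
        return False, "manifest HMAC mismatch"
    recomputed = []
    for art in manifest["artifacts"]:
        path = bundle / "artifacts" / art["name"]
        if path.is_file():
            leaf = hashlib.sha256(path.read_bytes()).hexdigest()
        elif "error" in art:
            leaf = _error_leaf(art["error"])
        else:
            return False, f"missing artifact {art['name']}"
        recomputed.append({"name": art["name"], "sha256": leaf})
    links = chain_links(recomputed)
    stored = json.loads((bundle / "chain.json").read_text())
    for i, (ours, theirs) in enumerate(zip(links, stored["links"])):
        if ours["link"] != theirs["link"]:
            return False, f"chain break at link {i} ({ours['name']})"
    head = links[-1]["link"] if links else GENESIS
    head_mac = hmac.new(key, head.encode(), "sha256").hexdigest()
    if head != manifest["chain_head"] or not hmac.compare_digest(stored["head_hmac"], head_mac):
        return False, "chain head or head HMAC mismatch"
    return True, "ok"


def build_sample_bundle(key, staging_root=None):
    """Constructed sample: two small artifacts plus one collector that fails."""
    def memory_collector():
        raise TimeoutError("memory.dmp collector exceeded 5s")  # simulated timeout
    session = open_session(staging_root or tempfile.mkdtemp())
    capture_artifacts(session, {
        "registry.reg": lambda: b"Windows Registry Editor Version 5.00\r\n",
        "eventlog.evtx": lambda: b"ElfFile\x00" + b"\x00" * 8,  # constructed bytes
        "memory.dmp": memory_collector,
    })
    session["checksum"] = seal(session, key)
    return session
```

Verification deliberately checks the manifest HMAC first and only then recomputes the chain, so a wrong key or edited manifest is reported before any artifact is read; a modified artifact surfaces as a break at its own link, which tells the analyst which leaf to inspect.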