Forensic logging vs activity monitoring: what is actually admissible in court
Activity monitoring tells you what happened. Forensic logging produces evidence. The difference matters when it stops being a security question and starts being a legal one.
Most teams already have activity monitoring. So why is forensic logging a separate category? Because there is a sharp line between knowing what happened and being able to prove it to a third party who is willing to disagree with you.
§ What activity monitoring is good at
Activity monitoring surfaces anomalies fast: a login from an unusual country, a process spawning a shell, a sudden spike in outbound traffic. The job is detection, getting a human looking at the right thing within minutes. It is not built to be evidence. The data is normalised, enriched, and frequently re-written by the pipeline, so the record you hold is no longer the record the source produced.
§ What forensic logging adds
- Original capture: events recorded close to source, with the timestamps the operating system reported.
- Tamper evidence: each event hashed into a chain, so any later edit produces a detectable break (see hash chains explained).
- Chain of custody: the path from event to report is documented, deterministic, reproducible.
§ What courts actually look for
- Authenticity: was the evidence produced by the system it claims to be from, and not altered since?
- Chain of custody: can the producer account for everyone who has touched it?
- System reliability: does the system produce consistent, reproducible output under normal operating conditions?
Activity monitoring almost never passes the authenticity question without help. Forensic logging is designed to pass it standalone.
§ When you actually need it
The moment a security incident becomes a legal matter. Insider data theft, employment disputes, regulator investigations, repair-shop incidents (see our catalogue), custody disputes over jointly used devices.
§ What to look for in a forensic recorder
- Hash-chained or Merkle-anchored event log, not just append-only storage. Append-only proves nothing once someone has write access to the file; a chain makes the edit detectable.
- Independent shadow copy, separately keyed, so a single compromised host cannot rewrite both copies.
- Local-first capture; events signed before any network transit.
- Documented, reproducible verification by any third party.
- Public threat model.
Black Box meets these in its default install. The verifier is open, the chain is SHA-256, and the threat model is documented.
§ Common questions
Does my EDR replace forensic logging?
No. EDR is a detection and response tool; forensic logging is an evidence tool. They complement each other, and a serious programme runs both.
Can a regular SIEM produce admissible evidence?
Sometimes, with significant effort. The normalisation and re-writing a SIEM pipeline performs makes authentication harder: you have to show that the stored record still matches what the source emitted. Forensic recorders are designed to close that gap.
§ Next step
Want a forensic recorder on your machine?
Black Box ships free for individuals. 2.9 MB installer, digitally signed, no card required.
§ Related on Alcyone Secure
- Hash chains, explained for non-cryptographers (6 min read): what a hash chain is, why it makes a log file tamper-evident, and what it does not do. A short, no-math explainer for product, security, and ops teams.
- Investigation: Phone and laptop repair shop privacy breaches: every documented incident from 2021 to 2025 (14 min read): a working catalogue of real, sourced incidents where phone and laptop repair shops snooped, copied, or leaked customer data. Apple, Geek Squad, Trivandrum, Kolkata, Singapore, Guelph and more.
- Compliance: DPDP Act 2023, explained for Indian businesses (and what auditors actually look for) (9 min read): a practical, founder-friendly walkthrough of India's Digital Personal Data Protection Act 2023: what changed, what auditors test for, and why audit trails are the easiest mistake to fix.