Evidence Vault & Forensic Archive
THE RESET gathers manipulation artifacts across seven distinct evidence categories — from platform capture logs and behavioral telemetry to Instrumentation Mesh intercepts and GOVERNOR audit trails. Each item enters through a standardized intake gate, receives a potency classification (PL-1 through PL-4), and is bound to its originating case file. GOVERNOR maintains a cryptographic seal on every package and continuously validates integrity, so that material referred to external authorities arrives with provenance that withstands adversarial challenge.
Intake Standards
Material enters the Vault through one of three gates. Each gate applies different verification before GOVERNOR assigns a package identifier.
Operator Submission
Counter-manipulation operators submit raw captures — screenshots, API response dumps, field recordings — via the secure uplink on Pattern Fabric. GOVERNOR timestamps the upload, generates an SHA-512 digest, and places the package in quarantine until a custody officer co-signs within 48 hours.
Instrumentation Mesh Ingest
Sensor nodes on the Instrumentation Mesh forward anomaly captures automatically. Each intercept arrives with embedded node coordinates, signal metadata, and a pre-computed digest. GOVERNOR validates the node certificate chain before accepting the package — unsigned intercepts are rejected and flagged for review.
External & Inter-Directorate Transfer
Packages arriving from allied organizations or other TQH directorates enter through a dedicated transfer protocol. The originating entity provides its own custody log; GOVERNOR appends a bridge record, re-digests the material, and assigns a fresh TQH package identifier while preserving the upstream chain.
Potency Assignment
Once ingested, every package receives a potency level from PL-1 (routine) to PL-4 (strategic). The assigned level determines storage tier, access roster, and audit frequency. PL-3 and PL-4 packages require CAIRN countersignature and are stored in air-gapped vaults accessible only through GOVERNOR-mediated terminals.
Evidence Register
Active and archived packages across all potency levels. Each entry links to its originating case in Dispatch & Target Dossiers. GOVERNOR revalidates digest integrity on every retrieval and logs the accessor.
| Package ID | Case / Target | Category | PL | Status | Ingested |
|---|---|---|---|---|---|
QH-EVD-2091-0041 |
Helix Social QH-TGT-01 | Platform capture log — algorithmic feed-weight manipulation, 14-day snapshot | PL-2 | Sealed | 2091-01-22 |
QH-EVD-2091-0042 |
Tessellate Labs QH-TGT-02 | Technique specimen — dark-pattern SDK, decompiled & hashed binary | PL-3 | Sealed | 2091-02-09 |
QH-EVD-2091-0043 |
Veracity Media Group QH-TGT-04 | Behavioral telemetry — engagement heatmap, 200k session traces | PL-2 | Under analysis | 2091-02-17 |
QH-EVD-2091-0044 |
Greymarket Data Exchange QH-TGT-03 | Instrumentation Mesh intercept — non-consented profiling beacon traffic | PL-3 | Sealed | 2091-03-05 |
QH-EVD-2091-0045 |
Pulse QH-TGT-07 | Operator field recording — covert observation of compulsion-loop deployment | PL-2 | Sealed | 2091-03-28 |
QH-EVD-2091-0046 |
Helix Social QH-TGT-01 | GOVERNOR audit trail — model-drift log showing suppressed harm classifier | PL-4 | Contested | 2091-04-11 |
QH-EVD-2091-0047 |
Sable Persuasion Systems QH-TGT-06 | Technique specimen — deepfake generation pipeline, containerized snapshot | PL-3 | Sealed | 2091-04-30 |
QH-EVD-2091-0048 |
Tessellate Labs QH-TGT-02 | Counter-pattern efficacy report — A/B mitigation trial, 90-day results | PL-1 | Under analysis | 2091-05-19 |
QH-EVD-2091-0049 |
Veracity Media Group QH-TGT-04 | Platform capture log — coordinated inauthentic behavior, API metadata dump | PL-2 | Pending referral | 2091-06-02 |
QH-EVD-2091-0050 |
Crimson Signal Analytics QH-TGT-09 | Behavioral telemetry — attention-tracking pixel network, cross-platform graph | PL-3 | Sealed | 2091-06-08 |
QH-EVD-2091-0051 |
Greymarket Data Exchange QH-TGT-03 | Instrumentation Mesh intercept — UNDERTOW relay capture, encrypted payload | PL-4 | Sealed | 2091-06-14 |
QH-EVD-2091-0052 |
Pulse QH-TGT-07 | Operator field recording — variable-ratio reward mechanism in deployed app | PL-2 | Under analysis | 2091-06-21 |
Integrity Framework
Vault integrity rests on four independent mechanisms that operate in parallel. Failure in any single mechanism triggers an automatic hold on the affected package and alerts the on-duty custody officer.
Cryptographic Seal
SHA-512 digest computed at ingestion, stored separately from the package. GOVERNOR re-derives the digest on every access and compares. Divergence immediately quarantines the package.
Accessor Ledger
Every retrieval, viewing, duplication, or transfer is recorded with operator identity, timestamp, and terminal identifier. The ledger is append-only and write-protected by GOVERNOR's audit subsystem.
Dual-Custody Threshold
PL-3 and PL-4 packages require two authorized personnel for physical or logical access. A single-party access attempt is denied and logged as a potential compromise indicator.
Scheduled Re-Verification
GOVERNOR runs automated integrity sweeps on a rolling 72-hour cycle for PL-1/PL-2 and a 24-hour cycle for PL-3/PL-4. Any package that fails re-verification is escalated to CAIRN within one hour.
Handling Protocols
Access Controls
- Authorized roster. Only personnel listed on the package's access roster may retrieve it. Roster membership is granted by the case lead and confirmed by a custody officer. GOVERNOR enforces roster checks at the terminal level.
- Session limits. Digital packages are accessed through read-only GOVERNOR terminals with a maximum session duration of four hours. Extensions require custody officer approval and generate an audit annotation.
- No offline copies. Extracting a package to removable media or unmonitored storage is prohibited. Analytical working copies are generated by GOVERNOR with a watermark and reduced fidelity; the sealed original remains in the Vault at all times.
Transfer & Referral
- Internal movement. Packages moving between directorates require a signed transfer order from CAIRN and a receiving custody officer. Both parties co-sign the accessor ledger at point of handover.
- External referral. When a case is referred to prosecutors, regulators, or allied agencies, the transfer is executed through Legal & Deniability using the protocol defined in QH-LGL-EVID-0003. The sealed original is duplicated under dual custody, and the duplicate — not the original — is released. The Vault retains the primary package indefinitely.
- UNDERTOW relay packages. Material captured via UNDERTOW mobile relay platforms follows Gate B (automated) intake. The relay node's ephemeral certificate is validated against Pattern Fabric's root authority before GOVERNOR accepts the package.
Retention & Disposition
- Active cases. Packages are retained for the duration of the case plus a five-year post-closure hold. PL-4 packages are held for ten years regardless of case status.
- Scheduled destruction. When the retention window expires, disposal requires written authorization from CAIRN and Legal & Deniability. GOVERNOR generates a destruction certificate recording the package identifier, final digest, authorizing parties, and destruction method.
- Contested packages. Any package marked Contested is frozen in place until the integrity review concludes. Contested packages are excluded from referral and from analytical working-copy generation until cleared.
Evidence Categories
THE RESET recognizes seven formal evidence categories. Each category has distinct intake requirements, storage specifications, and admissibility considerations documented in the relevant annexes.
Platform Capture Logs
Screenshots, screen recordings, and API response dumps documenting algorithmic manipulation in situ. Captures must include visible timestamps, URL context, and authenticated session metadata to qualify for PL-2 or above.
Behavioral Telemetry
Attention-tracking data, engagement heatmaps, session-duration analytics, and scroll-depth traces. Telemetry packages must specify the collection method, consent status of subjects (if applicable), and statistical sample parameters.
Technique Specimens
Preserved manipulation artifacts — dark-pattern UI kits, decompiled SDKs, deepfake generation pipelines, and variable-ratio reward mechanisms captured intact. Specimens are containerized at intake to prevent inadvertent deployment.
Operator Field Recordings
Audio, video, and sensor logs from covert observation of manipulation deployment in real-world settings. Recordings carry geolocation tags and operator identification; Legal & Deniability pre-approves all field-recording operations.
GOVERNOR Audit Trails
AI governance logs generated by GOVERNOR during target monitoring — model-drift records, classifier suppression events, and anomaly flags. Trails are extracted through a dedicated export pipeline that preserves log sequence integrity.
Instrumentation Mesh Intercepts
Sensor-network captures from the distributed Instrumentation Mesh. Intercepts include beacon traffic, profiling signals, and protocol-level metadata. Each intercept embeds node coordinates and a mesh-segment certificate for provenance.
Counter-Pattern Efficacy Reports
Documented results from deployed counter-measures — A/B mitigation trials, inoculation-campaign metrics, and platform-response evaluations. Reports follow a standardized template and include raw data appendices sealed as sub-packages.
Uncategorized / Provisional
Material that does not fit established categories is provisionally held under CAT-00 and flagged for review. CAIRN assigns a permanent category within 30 days or approves a new category definition via the evidence governance board.
Cross-references: case origination flows from Dispatch & Target Dossiers; counter-operation context is maintained in Counter-Operations; legal standards governing referral and admissibility are defined in Legal & Deniability — Evidence Admissibility (QH-LGL-EVID-0003).
