Manifesto

Forensic Incident Capture
for the Enterprise

01

A recording is not evidence.

When an incident occurs — a trading error, a policy violation, a disputed transaction — you have seconds to capture what happened. Most organizations reach for a screen recorder. That is a mistake.

A screen recording produces a file. A file can be edited, backdated, or fabricated entirely. It carries no verifiable timestamp, no proof of origin, no guarantee that what you're watching is what actually happened.

A TraceProof incident produces evidence. There is a difference — and that difference is what holds up in front of a regulator, a lawyer, or a judge.

02

What TraceProof does.

TraceProof maintains a continuous screen buffer in the background and instantly seals a clip on trigger — hotkey, voice activity, mouse behavior, or automatic on-screen text recognition. Every incident is packaged with a dual hash, multi-source timestamp, and a blockchain-style chain of custody. The package is automatically uploaded to your server the moment it's sealed, before it can be tampered with locally.

DXGI Desktop Duplication capture — including DirectX overlays and HDR content invisible to conventional tools
HMAC-SHA256 package signing under a key protected by Windows DPAPI or hardware TPM
Timestamps cross-verified against three independent NTP servers and DNS SOA serial
Hash-linked chain of custody — deletion or modification of any entry is immediately detectable
Automatic upload to Evidence Vault before local tampering is possible
Standalone forensic verifier with JSON output for SIEM and investigation pipelines
03

Why it matters.

Ordinary screen recording produces a file. A TraceProof incident produces evidence. Every clip is signed with HMAC-SHA256 under a key protected by Windows DPAPI or TPM. Timestamps are cross-verified against three NTP servers and DNS. The full incident history is protected by a hash-linked chain — deletion or modification of any entry is immediately detectable.

A standalone verifier with JSON output integrates into existing investigation workflows and SIEM pipelines. When your compliance team, legal counsel, or regulator asks for proof — you have a package, not a story.

04

Who it's for.

TraceProof is built for environments where the integrity of the record is not optional.

Trading desks & brokers Capture market events, execution errors, and margin calls with legally defensible records.
Compliance & internal investigations Evidence that holds up to regulatory and legal scrutiny. Not just screenshots.
IT security Privileged user monitoring with court-admissible audit trails.
Outsourced compliance Multi-machine Evidence Vault with real-time webhook and incident management dashboard.
05

A note on responsible use.

TraceProof is designed for authorized monitoring of employer-owned devices, with appropriate notice to monitored employees as required by applicable law. It is not a surveillance tool. It is a forensic record-keeping system for environments that have a legitimate, documented need for tamper-evident incident capture.

Deploying TraceProof without employee notification where legally required, or on devices you do not own or have authority over, is your legal responsibility — not ours. Know your jurisdiction. Consult your counsel.

Evidence that was captured improperly is not evidence. TraceProof gives you the technical foundation. The legal framework is yours to establish.

2026
See the product →