3 - The 7 Essential Evidence Sources in a Security Incident

A complete, modern guide for building defensible, audit-ready investigations.

Overview

During a security incident, everyone - security directors, property managers, legal teams, executives, insurers, and sometimes law enforcement - relies on one thing:

👉 A complete, accurate, and quickly assembled body of evidence.

But here’s the problem:

Most organizations only gather 2 out of the 7 required evidence types, leaving major gaps, unverified assumptions, and incomplete narratives.

This article breaks down the 7 evidence categories that must be included in any credible incident record. We’ll explain what they include, why they matter, how they’re often missed, and how BluSKY’s SceneIT, BluEYES, and SummarEYES automate the process.

Access Control Events

Access logs are the backbone of incident reconstruction. They identify who interacted with which door, when, and how.

What’s included:

  • Accepted access events
  • Denied access events
  • Door-forced or held-open events
  • Credential type (card, mobile, biometric)
  • Anti-passback indicators
  • Tailgating analytics (RaceTrack)
  • Timestamp, door location, direction
  • Associated visitor or tenant information

Why this matters:

Access logs establish:

  • Who was authorized
  • Who attempted access
  • Where an individual entered
  • When the timeline begins

Common problems without BluSKY:

  • Logs stored on local controllers, not centralized
  • Time drift with NVRs and elevator logs
  • Lack of correlation with video

When access logs don’t match video timeframes, the entire report becomes questionable.

Elevator Events

This is the #1 most commonly missing evidence source in traditional investigations.

Elevator events show:

  • Which car a person used
  • What floors they traveled to
  • Whether special modes were triggered
  • Entry and exit points not covered by cameras
  • Handoff between turnstiles → elevator

What’s included:

  • Car assignment
  • Floor dispatch
  • Travel time
  • Arrival times
  • Door hold events
  • Destination dispatch analytics
  • Alarm conditions (faults, bypass modes)

Why this matters:

Elevators often fill major blind spots between:

  • Lobby
  • Turnstiles
  • Office floors
  • Secured areas

They are the physical bridge that completes the movement timeline.

Common problems without BluSKY:

  • Elevator logs are siloed in proprietary software
  • Logs require manual export
  • No automatic correlation with access or video
  • No snapshots at elevator events

BluSKY treats elevators as first-class evidence sources - not an afterthought.

Video Clips & Snapshots

Video is your most powerful evidence - but only when retrieved consistently and with proper context.

What’s included:

  • Entrance cameras
  • Lobby cams
  • Turnstile cams
  • Elevator interior cams
  • Floor landing cameras
  • Stairwell cams
  • PTZ incident pivots
  • AI-generated snapshots
  • Motion-triggered bookmarks

BluSKY supports:

  • Time-synced video
  • Auto-generated bookmarks
  • ROIs (regions of interest)
  • Multi-camera bundling
  • Instant retrieval

Why this matters:

Video bridges gaps between logs, showing:

  • Behavior
  • Direction
  • Objects carried
  • Interactions with equipment
  • Person-of-interest tracking

AI-Assisted Analytics

Modern investigations involve thousands of hours of cumulative footage, making manual review impossible. AI cuts through the noise.

AI provides the following:

  • Person-of-interest detection
  • Object recognition (bags, boxes, tools, unattended items)
  • Behavioral analytics (loitering, tailgating, abnormal activity)
  • Crowd formation indicators
  • Vehicle tracking (if applicable)
  • Elevated-risk detection (fall detection, anomalous movement)

Why this matters:

This evidence:

  • Accelerates investigations
  • Identifies critical moments
  • Reduces missed events
  • Provides objective, non-biased detection

Common problems without BluEYES:

  • Operators review hours of footage
  • “Wrong camera, wrong time” errors
  • Missed behavior indicators
  • Delayed response

BluEYES generates insights during the incident - not after.

Alarm & Intercom Data

Alarms and intercom logs add critical context:

  • Which zones triggered
  • When intercom buttons were pressed
  • Who answered calls
  • Whether there were prior warnings
  • Door-held or forced events
  • System faults before or during the incident

Alarm data includes:

  • Intrusion triggers
  • Glass break
  • Motion
  • Emergency buttons
  • Fire safety integration events
  • Faults and tamper alerts
  • Bypass mode logs

Intercom data includes:

  • Call request timing
  • Who answered
  • Associated door or camera
  • Duration
  • Recorded audio (if applicable)

Why this matters:

Intercom activity is often the earliest signal of trouble - or the first escalation.

Device Metadata

This is often overlooked but is essential for legal and operational review.

Device metadata includes:

  • Controller online/offline states
  • Camera health
  • Firmware versions
  • Last communication time
  • Storage health (NVR/VMS)
  • Sensor calibration
  • Redundancy status

Why this matters:

During investigations, a crucial question always emerges:

“Was the system functioning at the time?”

Without health metadata, you cannot answer this.

BluSKY advantage:

BluSKY tracks:

  • Real-time device health
  • Alerts on offline events
  • Firmware drift
  • Misconfigurations
  • Capacity issues

This becomes part of the incident narrative.

Narrative Summary

Finally, after gathering all technical logs, comes the human-readable story.

A complete narrative summary includes:

  • What happened
  • Who was involved
  • When it began
  • What the systems recorded
  • What actions were taken
  • What escalations occurred
  • What remediation is required
  • What opportunities for improvement exist

Why this matters:

This is the document executives, insurers, and legal rely on.

But it must be backed by:

  • Logs
  • Clips
  • Snapshots
  • Elevator data
  • AI analytics

Without the evidence, a narrative is incomplete.

Why Most Organizations Miss 3-5 of These Evidence Sources

Typical failure points:

  • Siloed systems
  • Manual exports
  • Time drift across devices
  • Lack of monitoring
  • No snapshots on event
  • No elevator integration
  • No unified analytics
  • No automation

BluSKY eliminates these barriers by producing evidence in real time, automatically aligned, correlated, and bundled.
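Three of the failure points above (time drift across devices, lack of correlation with video, and not knowing whether a device was online at the moment of an event) can be made concrete with a small script. The following is an added example written for this article; it is not BluSKY, SceneIT, or SummarEYES code. The events, camera-to-door mapping, and clock offsets are constructed sample data, and the offsets are assumed to have been measured against a reference clock beforehand. It normalizes access, elevator, and video timestamps onto one clock, merges them into a single timeline, checks each access or elevator event for a corroborating video bookmark within a tolerance window, and, for every uncorroborated event, reports whether the expected camera was even online according to the device health log.

```python
"""Unified incident timeline: clock alignment, cross-source corroboration,
and device-health lookup. Added example with constructed sample data."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Seconds to ADD to each source's local timestamp to get reference time.
# Assumed values: the access controller is the reference, the elevator
# controller runs 45 s fast, and the NVR runs 120 s slow.
CLOCK_OFFSETS = {"access": 0, "elevator": -45, "video": +120}

# Which camera should see activity at each door or elevator car (constructed).
EXPECTED_CAMERA = {
    "LOBBY-TURNSTILE-2": "CAM-LOBBY-TURNSTILE",
    "FL12-SUITE-A": "CAM-FL12-LANDING",
    "CAR-3": "CAM-ELEV-3",
}

# Constructed sample logs, each in its own source's local clock.
ACCESS_EVENTS = [  # (local ts, door, badge, result)
    ("2024-03-04 08:15:10", "LOBBY-TURNSTILE-2", "4471", "ACCEPTED"),
    ("2024-03-04 08:15:12", "LOBBY-TURNSTILE-2", "unknown", "DENIED"),
    ("2024-03-04 08:20:00", "FL12-SUITE-A", "4471", "DOOR_FORCED"),
]
ELEVATOR_EVENTS = [  # (local ts, car, from floor, to floor)
    ("2024-03-04 08:16:05", "3", "L", "12"),
]
VIDEO_BOOKMARKS = [  # (local ts, camera, label)
    ("2024-03-04 08:13:12", "CAM-LOBBY-TURNSTILE", "person at turnstile"),
    ("2024-03-04 08:13:35", "CAM-ELEV-3", "person enters car"),
]
DEVICE_HEALTH = [  # (reference ts, device, new state)
    ("2024-03-04 07:00:00", "CAM-FL12-LANDING", "online"),
    ("2024-03-04 07:00:00", "CAM-LOBBY-TURNSTILE", "online"),
    ("2024-03-04 08:05:00", "CAM-FL12-LANDING", "offline"),
    ("2024-03-04 08:30:00", "CAM-FL12-LANDING", "online"),
]


@dataclass(order=True)
class Event:
    t: datetime       # reference time (first field so sorting is by time)
    source: str
    kind: str
    location: str     # door, elevator car, or camera name
    detail: str


def to_reference_time(source: str, local_ts: str) -> datetime:
    """Parse a source-local timestamp and correct it for that source's clock drift."""
    naive = datetime.strptime(local_ts, "%Y-%m-%d %H:%M:%S")
    return naive.replace(tzinfo=timezone.utc) + timedelta(seconds=CLOCK_OFFSETS[source])


def build_timeline() -> list:
    """Merge all sources into one list of Events sorted on the reference clock."""
    events = []
    for ts, door, badge, result in ACCESS_EVENTS:
        events.append(Event(to_reference_time("access", ts), "access", result, door, f"badge={badge}"))
    for ts, car, src, dst in ELEVATOR_EVENTS:
        events.append(Event(to_reference_time("elevator", ts), "elevator", "DISPATCH", f"CAR-{car}", f"{src}->{dst}"))
    for ts, cam, label in VIDEO_BOOKMARKS:
        events.append(Event(to_reference_time("video", ts), "video", "BOOKMARK", cam, label))
    return sorted(events)


def corroborate(timeline: list, window: timedelta = timedelta(seconds=30)) -> list:
    """Pair each access/elevator event with a video bookmark on its expected camera
    within +/- window. Returns (event, matching bookmark or None) tuples."""
    bookmarks = [e for e in timeline if e.source == "video"]
    results = []
    for e in timeline:
        if e.source == "video":
            continue
        cam = EXPECTED_CAMERA.get(e.location)
        match = next((b for b in bookmarks if b.location == cam and abs(b.t - e.t) <= window), None)
        results.append((e, match))
    return results


def device_state_at(device: str, t: datetime) -> str:
    """Replay the health log (already on the reference clock) up to time t."""
    state = "unknown"
    for ts, dev, new_state in sorted(DEVICE_HEALTH):
        if dev == device and to_reference_time("access", ts) <= t:
            state = new_state
    return state


def evidence_gaps(timeline: list) -> list:
    """Uncorroborated events, annotated with the expected camera and its state at that moment,
    so the report can say whether footage is missing or was never recordable."""
    gaps = []
    for e, match in corroborate(timeline):
        if match is None:
            cam = EXPECTED_CAMERA.get(e.location, "none-mapped")
            gaps.append((e.kind, e.location, cam, device_state_at(cam, e.t)))
    return gaps


if __name__ == "__main__":
    tl = build_timeline()
    for e in tl:
        print(e.t.isoformat(), e.source, e.kind, e.location, e.detail)
    print("gaps:", evidence_gaps(tl))
```

With the constructed data, the two turnstile events and the elevator dispatch each find a bookmark on their expected camera once the 45 s and 120 s offsets are removed; without the correction the NVR bookmarks would sit two minutes early and nothing would match. The forced-door event on floor 12 has no video, and the health log shows the landing camera was offline from 08:05 to 08:30, which is exactly the "was the system functioning at the time?" answer a reviewer needs in the narrative rather than an unexplained hole in the footage.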

How BluSKY Automates These 7 Evidence Categories

SceneIT triggers snapshots at the moment of access, alarm, or elevator event - capturing visual evidence instantly.

BluEYES adds AI analytics and behavior recognition.

SummarEYES creates a unified timeline and downloadable incident bundle that includes:

  • All logs
  • All video
  • All snapshots
  • All elevator activity
  • All analytics
  • Complete summary

Next Step

Continue to Article 4 - Incident Timeline Reconstruction Template, which explains how to turn these seven evidence sources into a unified sequence of events.