Everything Haystack does is designed around one constraint: the evidence must be defensible. Here's how we get there — and why no one else has.
Every existing tool is either a back-lab analysis platform or a detective-facing workflow tool. Nobody guides a forensic examiner on scene, in real time, through evidence collection protocol. That's the gap Haystack fills.
| Product | Target User | Key Features | CJIS | The Gap |
|---|---|---|---|---|
| Truleo | Detectives / Patrol | Body cam analysis, report writing, witness interviews, LPR analysis | ✓ Yes | Targets detectives, not examiners. No on-scene protocol guidance. No SWGDE/NIST enforcement. |
| Cellebrite | Forensic Examiners | Mobile extraction, AI pattern analysis, timeline reconstruction | ✓ Yes | Back-lab only. Requires device in hand at the lab. Not an on-scene assistant. |
| Magnet AXIOM | Forensic Examiners | Deep artifact analysis, multi-platform, cloud acquisition | ✓ Yes | Back-lab tool. No real-time guidance. |
| Axon Evidence | All LE | Evidence management, chain of custody, auto-tagging | ✓ Yes | Evidence management, not collection guidance. |
| Autopsy | Forensic Examiners | Open-source disk/device analysis | ✗ No | Back-lab only. Free but no AI guidance. |
| Haystack | Forensic Examiners | On-scene real-time protocol assistant, SWGDE/NIST knowledge engine, compliance monitoring, chain of custody documentation | ✓ Yes | The only tool that stands next to the examiner on scene. |
The FBI's CJIS Security Policy (v6.0, effective January 2025) governs any tool that touches Criminal Justice Information. These are the non-negotiables.
- Mandatory as of October 2024. Every login requires 2+ factors — password + authenticator app or hardware token. [Medium]
- AES-256 at rest. TLS 1.3 in transit. FIPS 140-3 validated modules required. The agency controls the encryption keys — not the vendor. [Hard]
- Every action on CJI must be logged with timestamp, user ID, and action taken. No exceptions. [Medium]
- Least privilege. Examiner, supervisor, and admin roles with strictly defined permissions. Users only see what they need. [Medium]
- Any vendor handling CJI must sign the FBI's Security Addendum — a legal commitment to maintain compliance. [Easy]
- The LLM cannot train on CJI data. Zero-retention agreements with the AI provider are required. Consumer APIs are not permitted. [Hard]

A phased build plan from infrastructure foundation through ongoing standards monitoring.
1. Everything runs in AWS GovCloud — the same infrastructure used by Truleo and other CJIS-compliant LE platforms. Not standard AWS. [Medium]
2. The agency holds and controls its own encryption keys via AWS Key Management Service. The vendor never touches them. [Hard]
3. All traffic encrypted end-to-end. Multi-factor authentication via AWS Cognito for every login. [Easy]
4. Sensitive evidence data is processed on-device or on agency hardware. Only non-sensitive queries reach the cloud LLM — the same architecture Truleo uses. [Hard]
5. Claude or Llama via AWS Bedrock (GovCloud) with zero-retention agreements. No data leaves the GovCloud boundary. [Medium]
6. Examiner / supervisor / admin roles. Every prompt and action logged immutably with timestamp and user attribution. [Medium]
7. Legal step with the agency's CJIS compliance officer. Formalizes the vendor-agency security relationship. [Easy]
8. All current SWGDE and NIST forensic standards ingested as the AI's core knowledge. Device-specific protocols for Android, iOS, macOS, and Windows. [Medium]
9. Scheduled checks for SWGDE and NIST document updates. Alerts when protocols change so the AI stays current with what courts expect. [Medium]

What the AI knows cold — and walks you through in real time. Based on SWGDE Best Practices v2.0 (2025) and NIST SP 800-101 Rev. 1.
1. Document screen state, visible apps, notifications, and physical condition before touching anything.
2. Unless legally authorized and operationally necessary.
3. Prevents remote wipe. This is time-critical. Every second the device is connected to a network is a risk.
4. Losing power can trigger full-disk encryption that locks out data permanently.
5. USB connections can alter the device state and compromise forensic integrity.
6. Capture all identifying information visible on screen before packaging.
7. Maintain signal isolation and prevent physical contamination during transport.
8. Date, time, description, who touched it. Complete at time of collection, not later.

1. Document screen, lock state, battery level, and any visible notifications.
2. iOS prompts "Trust This Computer?" — any unauthorized USB connection can trigger lockouts or alter device state.
3. If screen is accessible, use control center. If not, use Faraday bag. Remote wipe is real.
4. iOS locks USB data transfer after 1 hour unplugged. Time-critical — note the battery status and act accordingly.
5. If it dies and has a passcode, physical extraction becomes extremely difficult.
6. Without authorization, biometric unlock attempts can trigger lockout after failed tries.
7. Capture what's visible without interacting with the device.
8. Maintain signal isolation. Keep the device charged throughout transport and until acquisition begins.

1. Image the drive externally using a hardware write-blocker. Booting the device can alter evidence.
2. Document open applications, windows, file activity. Look for any destructive activity (wiping, encrypting).
3. Disconnect power at the wall or remove battery. Document all actions taken and the exact time.
4. If enabled and the device powers off, data may be permanently inaccessible.
5. Volatile memory contains encryption keys, running processes, and open files. This data is lost on shutdown.
6. Unplug ethernet. Block WiFi if possible without disturbing the device state.
7. Capture everything visible before disconnecting anything.
8. Remove drive and image with write-blocker (EnCase, FTK Imager, dd). Hash the image immediately (MD5 + SHA-256).

1. Capture everything visible: open windows, running apps, taskbar, notification area.
2. Note any encryption status before proceeding. Shutdown on an encrypted machine may lock out the drive.
3. Running processes, network connections, RAM — use WinPmem, DumpIt, or Magnet RAM Capture. This data is gone on shutdown.
4. Unplug ethernet. Disable WiFi adapter via device manager if accessible.
5. Any execution alters timestamps and can contaminate evidence.
6. USB devices, external drives, connected displays — document everything before disconnecting.
7. MD5 + SHA-256 on every image. This is the foundation of chain of integrity and the first line of defense against court challenges.
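As an added example (not Haystack's code, nor any tool the page names), this shows the two pieces the protocol above keeps coming back to: hashing an image with both MD5 and SHA-256 in a single pass, and a chain-of-custody log where each record carries timestamp, user and action and commits to the previous record's hash, so an edit made after collection is detectable. The function names, the user ID `examiner01` and the three-byte stand-in for a drive image are assumptions made for the example.

```python
import datetime
import hashlib
import json
import os
import tempfile

def hash_image(path, chunk_size=1 << 20):
    """Stream the image once and return both digests the protocol asks for."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk_size), b""):
            md5.update(block)
            sha256.update(block)
    return {"md5": md5.hexdigest(), "sha256": sha256.hexdigest()}

def verify_image(path, recorded):
    """Re-hash the image and compare with the digests recorded at collection time."""
    return hash_image(path) == recorded

def append_custody_entry(log, user, action, details):
    """Append a custody record (timestamp, who, what). Its hash covers the previous
    record's hash, so altering or dropping any earlier record breaks the chain."""
    prev_hash = log[-1]["entry_hash"] if log else "0" * 64
    entry = {
        "timestamp": datetime.datetime.now(datetime.timezone.utc).isoformat(),
        "user": user, "action": action, "details": details, "prev_hash": prev_hash,
    }
    entry["entry_hash"] = hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()
    log.append(entry)
    return entry

def verify_chain(log):
    """Recompute every record hash and link; False if anything was changed after the fact."""
    prev_hash = "0" * 64
    for entry in log:
        body = {k: v for k, v in entry.items() if k != "entry_hash"}
        expected = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
        if entry["prev_hash"] != prev_hash or entry["entry_hash"] != expected:
            return False
        prev_hash = entry["entry_hash"]
    return True

def demo():
    """Constructed walk-through: acquire, log, transport, then simulate a tampered record."""
    with tempfile.TemporaryDirectory() as workdir:
        image = os.path.join(workdir, "evidence.dd")
        with open(image, "wb") as f:
            f.write(b"abc")  # constructed stand-in; a real image would be gigabytes
        digests = hash_image(image)
        log = []
        append_custody_entry(log, "examiner01", "acquire", {"image": "evidence.dd", **digests})
        append_custody_entry(log, "examiner01", "transport", {"faraday_bag": True})
        intact = verify_chain(log) and verify_image(image, digests)
        log[0]["details"]["image"] = "other.dd"  # after-the-fact edit of the acquire record
        return digests, intact, verify_chain(log)
```

Run `demo()` to see the hashes of the sample image, `True` for the untouched log, and `False` once a record has been edited.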
These are the failure modes that expose evidence to suppression — and legal liability to the agency.
- Consumer LLM APIs with CJI data — Standard ChatGPT, Claude, or Gemini APIs may retain and train on inputs. Any AI touching CJI must have zero-retention agreements and run in a CJIS-compliant environment.
- Storing evidence data outside agency control — CJI cannot be stored on standard commercial cloud (AWS us-east-1, Google Drive, Dropbox, etc.). GovCloud or on-premise only.
- Vendor holding encryption keys — The agency must control its own cryptographic keys. If the vendor can decrypt your data, you're not compliant.
- Skipping the CJIS Security Addendum — Every vendor with access to CJI must sign this FBI agreement. No exceptions.
- Missing the MFA deadline — As of October 1, 2024, MFA is mandatory for all CJI access. Any tool without it puts the agency out of compliance.
- Outdated forensic standards — SWGDE and NIST update their guidelines. An AI trained on 2022 standards giving 2025 protocol guidance is a courtroom liability waiting to happen.