Machine Security System With Evidence Recording for Legal and Insurance Purposes

When a gaming machine compromise results in legal action (criminal prosecution of the attacker) or an insurance claim (coverage for the revenue loss), the operator must provide evidence that proves the compromise occurred, documents the method used, and quantifies the financial loss. A security system with evidence recording capability collects this evidence automatically, without relying on operator memory or incomplete manual documentation. This article describes the components of a machine security system that records evidence for legal and insurance purposes.

Evidence Component 1: Tamper-Evident Seals With Serial Numbers

A tamper-evident seal is a sticker or tag placed on the machine’s cabinet seams and access panels. The seal has a unique serial number. If the cabinet is opened, the seal breaks or shows visible damage. The intact seal with the verified serial number is evidence that the cabinet was not opened between the seal’s application and the inspection. The broken seal is evidence that the cabinet was opened. The seal’s serial number enables verification that the seal on the machine is the same seal that was applied — preventing an attacker from replacing a broken seal with a new seal of a different serial number.

Implementation: apply one seal across the main cabinet seam and one seal across the service panel. Photograph each seal with its serial number visible. Record the seal serial numbers in the security event log. Inspect the seals weekly. Photograph the seals at each inspection. If a seal is broken or shows damage, it is evidence of unauthorized cabinet access. The photographs of the intact seal at the previous inspection and the broken seal at the current inspection provide before-and-after evidence of tampering. The seal serial numbers prevent seal replacement. Tamper-evident seals cost 0.50-2 dollars each and are replaced annually.

Evidence Component 2: Machine Audit Trail Export With Cryptographic Verification

The machine’s audit trail is the primary evidence of what the machine recorded during the compromise period. The audit trail must be exported from the machine and stored securely — ideally on a separate device that cannot be modified after export. The exported audit trail should be cryptographically verified (a hash calculated at export time and stored separately — any modification of the exported file changes the hash and is detected).

Export procedure: export the audit trail for the period covering the compromise events (from one week before the first event to the current date). The export should include all records: revenue records, payout records, credit records, error log entries, and service menu access log entries. Save the export file to an encrypted USB drive (as described in the data leakage prevention article). Calculate the SHA-256 hash of the export file using a hash calculation tool. Record the hash value in the security event log. Store the export file and the hash value separately — if one is compromised, the other provides verification. For insurance claims and legal proceedings, provide the audit trail export and the hash verification demonstrating that the file has not been modified since export. The audit trail export is the most important single piece of evidence because it records precisely what happened on the machine.

Evidence Component 3: Bus Monitor Recording With Timestamped Anomalies

A bus monitor connected to the machine’s communication port records all bus traffic during the monitoring period. The recording includes timestamps for every bus message. When the recording is analyzed, anomalous messages (external control signals) are identified with timestamps. The recording file with the highlighted anomalous messages is evidence of the specific external control commands that were injected onto the bus, proving the existence and method of the compromise.

Evidence handling: export the bus monitor recording for the period covering the compromise events. Save the recording file in a lossless format (the bus monitor’s native format or a common format such as CSV with message fields). Include the bus monitor’s own authentication hash if the monitor supports it (some advanced monitors append a cryptographic signature to the recording that verifies the recording was not modified). Store the recording file with the audit trail export. For legal proceedings, provide the recording file and the analysis report identifying the anomalous messages. The bus monitor recording is the definitive evidence of external signal injection because it records the actual injected signals with their timing and content.

Evidence Component 4: CCTV Footage Correlated With Event Timestamps

CCTV footage from the venue’s security cameras provides visual evidence that correlates with the security events. The footage shows: the machine during idle periods (confirming that no player was present — so any machine activity was self-triggered), the machine during the anomaly events (if the event timing is precisely known, the footage may capture the moment of the event), and the physical area around the machine (identifying who approached the machine, when, and what they did). CCTV footage is the primary evidence for identifying the attacker and for proving that the machine activity was player-independent (confirming external manipulation).

Evidence handling: export the CCTV footage for the time periods corresponding to the recorded security events. Include a time offset of 2 minutes before and after each event timestamp to capture any preceding or following activity. Label each exported clip with the event ID from the security event log. Save the clips in a compressed video format. For legal proceedings, provide the clips with the corresponding event log entries and timestamps. CCTV footage is the most compelling evidence for law enforcement and insurance because it visually demonstrates the event. The combination of audit trail data, bus monitor recordings, and CCTV footage forms a complete evidence package that proves the compromise by multiple independent methods.

Evidence Component 5: Chain of Custody Documentation

Chain of custody is the documentation of who handled each piece of evidence, when they handled it, and what they did with it. The chain of custody proves that the evidence was not tampered with between collection and presentation. For each piece of evidence (seals, audit trail export, bus monitor recording, CCTV clips), record: the evidence identifier (linked to the event ID), the date and time of collection, the person who collected it (name and role), the method of collection (how it was obtained — USB export, bus monitor download, camera DVR export), the digital hash value (for digital evidence), the storage location (encrypted USB drive serial number, cloud folder path), and every subsequent transfer of the evidence (date, from person, to person, purpose of transfer). The chain of custody is maintained in the security event log alongside the event records. For legal proceedings, the chain of custody is required for the evidence to be admissible. Without it, the evidence may be challenged as potentially tampered with.
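An added example (not from the original article) tying Component 2 and Component 5 together: it hashes an exported audit trail, writes the chain-of-custody fields listed above into a log record kept apart from the file, appends transfers, and later checks the file against the logged hash. The export contents, names, evidence IDs and drive serial number are constructed placeholders.

```python
import hashlib
import json

# Constructed sample audit-trail export (not real machine data):
# one record per line, as a machine might write it to the USB drive.
SAMPLE_EXPORT = (
    b"2024-01-15T02:10:00Z,revenue,credit_in,20.00\n"
    b"2024-01-15T02:11:30Z,payout,hopper,150.00\n"
    b"2024-01-15T02:11:31Z,service_menu,access,door_closed\n"
)

def sha256_hex(data: bytes) -> str:
    """Hash of the exported file; logged in the security event log, not stored beside the file."""
    return hashlib.sha256(data).hexdigest()

def new_custody_record(evidence_id, event_id, name, role, method, storage, data, collected_at):
    """Chain-of-custody entry for one piece of digital evidence, linked to its event ID."""
    return {
        "evidence_id": evidence_id,
        "event_id": event_id,
        "collected_at": collected_at,
        "collected_by": {"name": name, "role": role},
        "method": method,
        "sha256": sha256_hex(data),
        "storage_location": storage,
        "transfers": [],
    }

def record_transfer(record, date, from_person, to_person, purpose):
    """Append one hand-off; earlier entries are never edited or removed."""
    record["transfers"].append({"date": date, "from": from_person, "to": to_person, "purpose": purpose})
    return record

def verify_evidence(record, data: bytes) -> bool:
    """True only if the file still matches the hash logged at export time."""
    return sha256_hex(data) == record["sha256"]

def demo():
    rec = new_custody_record("EV-0007-AT", "EVT-0007", "J. Doe", "floor manager",
                             "USB export", "encrypted USB drive SN PLACEHOLDER-001",
                             SAMPLE_EXPORT, "2024-01-16T09:00:00Z")
    record_transfer(rec, "2024-01-17T14:00:00Z", "J. Doe", "insurance adjuster", "claim review")
    altered = SAMPLE_EXPORT.replace(b"150.00", b"15.00")  # a modified copy of the export
    return rec, verify_evidence(rec, SAMPLE_EXPORT), verify_evidence(rec, altered)

if __name__ == "__main__":
    rec, ok, altered_ok = demo()
    print(json.dumps(rec, indent=2))
    print("original verifies:", ok, "| altered copy verifies:", altered_ok)
```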

Frequently Asked Questions

Q: Do I need all five evidence components for every incident?
A: For criminal prosecution: yes — all five components form the minimum admissible evidence package. For insurance claims: Components 1, 2, and 5 are usually sufficient, plus a brief description of the incident. Check the specific requirements of your insurance policy. For internal investigation: Components 2 and 3 are sufficient for technical identification of the compromise method. Component 4 adds visual confirmation. Component 5 should be maintained for any incident with significant revenue loss (above 500 dollars) or potential legal action.

Q: How long does it take to collect all five evidence components?
A: Seals (Component 1): 2 minutes per machine. Audit trail export (Component 2): 3-5 minutes per machine. Bus monitor recording export (Component 3): 2-5 minutes if the monitor is already connected. CCTV export (Component 4): 5-10 minutes per incident. Chain of custody documentation (Component 5): 5-10 minutes per incident. Total: 17-32 minutes per machine per incident. This time investment is justified by the evidence it produces for legal and insurance purposes.

Q: Can I collect the evidence retroactively — after the compromise is discovered?
A: Components 2 (audit trail) and 3 (bus monitor recording) can be exported after the fact if they were being recorded during the compromise period. Component 4 (CCTV) can be exported from the DVR if the footage has not been overwritten (most DVRs overwrite after 7-30 days, so export quickly). Component 1 (seals) can only identify that a seal is broken — it cannot tell you when it was broken unless it was inspected shortly before the break. The seal provides before-and-after evidence only if photographs exist from the previous inspection. Component 5 (chain of custody) must be completed at the time of evidence collection — it cannot be retroactively fabricated. For all five components, the best evidence is collected as close to the event as possible.
