Executive Briefing
TIGER
Telecommunications Intelligence Gathering
and Evidence Repository
Prepared for law enforcement stakeholder review
Mission Statement
TIGER (Telecom Incident Gateway for Evidence Reporting) provides a centralized, secure, and auditable platform for telecommunications carriers to submit structured evidence to law enforcement investigators — standardizing the flow of CDRs, access logs, identity records, and victim corroboration into a single, role-controlled system.
The Problem
Law enforcement agencies routinely request Call Detail Records, network logs, and subscriber data from telecommunications carriers during criminal investigations. Today, that process is slow, inconsistent, and fragmented.
Proposed Solution
TIGER replaces the current ad-hoc process with a structured evidence exchange model in which carriers submit data through a controlled portal, the platform normalizes it into a canonical schema, and authorized government investigators access the standardized package through a dedicated review console.
Carriers
Submit evidence and CDRs through a secure portal with org-scoped access.
Platform
Normalizes, hashes, keys, and audit-logs every record and action.
Investigators
Review structured evidence packages with full CDR and victim linkage.
Core Capabilities
Incident Management
Carriers create structured case files — cases with priority, status, and visibility controls. Every incident is tenant-isolated by organization ID at the database layer.
Evidence Intake
Files are uploaded via S3 presigned URLs with SHA-256 integrity verification, legal hold flags, and retention class classification. Evidence is append-only once ingested.
CDR Normalization
Carrier-specific CSV column layouts are mapped to a canonical TIGER schema. Every call record receives a deterministic TGX-CDR key encoding origin, destination, and timestamp.
Victim Corroboration
Anonymous public submissions are matched against carrier CDRs by phone number and call time. High-confidence matches are linked automatically; ambiguous cases surface for investigator review.
Cross-Agency Assignment
Carriers control incident visibility — private, shared with a specific agency, or platform-wide. Assignment and sharing actions are audit-logged with actor, timestamp, and metadata.
Immutable Audit Trail
Thirty-plus event types are captured: authentication, uploads, CDR ingestion, agency assignments, victim linkage, and admin actions. The full chain of custody is reconstructable from audit_events alone.
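Added example (not TIGER's own code): a sketch of the CDR Normalization and Victim Corroboration steps described above, showing how two carrier layouts for the same call reduce to one deterministic key and how a victim report is matched by number and call time. The column maps, the `TGX-CDR-<hash>` key format, the 10-minute window and the "exactly one candidate links automatically" rule are assumptions; the briefing does not specify them.

```python
import csv, hashlib, io
from datetime import datetime, timedelta, timezone

# Hypothetical carrier column layouts (assumed; real layouts are not in the briefing).
COLUMN_MAPS = {
    "carrier_a": {"orig": "calling_number", "dest": "called_number", "ts": "start_time"},
    "carrier_b": {"orig": "A_PARTY", "dest": "B_PARTY", "ts": "SETUP_UTC"},
}
# Constructed sample data: the same call as exported by two carriers.
SAMPLE_A = "calling_number,called_number,start_time\n(555) 010-0001,555-010-0002,2026-01-01T14:05:00-05:00\n"
SAMPLE_B = "A_PARTY,B_PARTY,SETUP_UTC\n+15550100001,15550100002,2026-01-01T19:05:00Z\n"

def e164(raw, default_cc="1"):
    """Reduce a number to +<digits> so formatting differences cannot change the key."""
    digits = "".join(ch for ch in raw if ch.isdigit())
    return "+" + (default_cc + digits if len(digits) == 10 else digits)

def to_utc(raw):
    """Parse ISO 8601, treat naive timestamps as UTC (assumption), drop sub-seconds."""
    dt = datetime.fromisoformat(raw.replace("Z", "+00:00"))
    if dt.tzinfo is None:
        dt = dt.replace(tzinfo=timezone.utc)
    return dt.astimezone(timezone.utc).replace(microsecond=0)

def cdr_key(orig, dest, ts):
    """Assumed key format: TGX-CDR- plus truncated SHA-256 of the canonical fields."""
    canon = f"{orig}|{dest}|{ts.isoformat()}"
    return "TGX-CDR-" + hashlib.sha256(canon.encode()).hexdigest()[:16]

def normalize(carrier, csv_text):
    """Map one carrier's CSV rows onto canonical records with a deterministic key."""
    m = COLUMN_MAPS[carrier]
    out = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        orig, dest, ts = e164(row[m["orig"]]), e164(row[m["dest"]]), to_utc(row[m["ts"]])
        out.append({"key": cdr_key(orig, dest, ts), "orig": orig, "dest": dest, "ts": ts})
    return out

def match_report(victim_number, reported_time, cdrs, window=timedelta(minutes=10)):
    """One candidate in the window links automatically; several go to investigator review."""
    victim, when = e164(victim_number), to_utc(reported_time)
    hits = [c["key"] for c in cdrs if c["dest"] == victim and abs(c["ts"] - when) <= window]
    status = "auto_linked" if len(hits) == 1 else "needs_review" if hits else "no_match"
    return status, hits
```

Canonicalizing numbers and timestamps before hashing is what makes the key reproducible: re-importing the same batch, or receiving the same call from a second carrier, yields the same key rather than a duplicate record.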
Controls & Safeguards
Why This Helps Investigators
One platform — all carriers
Instead of receiving inconsistent ZIP files from AT&T, Verizon, and T-Mobile in different formats, investigators receive structured evidence packages in a standard schema.
Corroboration at scale
Victim reports are automatically matched against carrier CDRs. A single investigation can surface dozens of corroborating contacts across multiple carrier datasets.
Legally defensible chain of custody
Every evidence file carries a SHA-256 hash. Every CDR record carries a deterministic key. Every action is logged. The audit trail is the chain of custody.
No lateral data exposure
DEA analysts cannot see FBI cases. Carrier A cannot see Carrier B data. Victim information is accessible only to authorized reviewers. All controls are enforced at the data layer.
Speed of investigation
Normalized CDR data is immediately searchable by phone number, call time, and batch. Investigators spend time on analysis — not format conversion.
Deployment Path
Prototype (Now)
Live: EC2 single-instance, SQLite, mocked S3, JWT auth, full RBAC, audit trail, all five portals.
Hardening
PostgreSQL/RDS migration, real S3 credentials, RS256 JWT, rate limiting, WAF rules.
Scale
Multi-worker Uvicorn or ECS/Fargate, CloudFront CDN, multi-region replication.
Compliance
FedRAMP-adjacent IAM, VPC isolation, KMS encryption at rest, SSO/SAML for carrier/gov.
Operations
Multi-carrier onboarding tooling, org provisioning workflows, SLA monitoring.
7-Minute Demo Script
1. The Problem
Carriers hold evidence in different formats, with inconsistent packaging and no standard intake model. Every investigation starts with format normalization — before any analysis can begin. TIGER solves that.
2. The Solution
TIGER provides a centralized evidence intake model with structured incident creation, SHA-256 verified file uploads, canonical CDR ingestion, victim corroboration, and full auditability from a single platform.
3. Carrier Workflow
[Log in as AT&T carrier admin] A carrier creates an incident, uploads evidence, imports a CDR batch — show the canonical records in the CDR Records tab — and shares the case with the assigned agency.
4. Government Workflow
[Log in as DEA gov analyst] The investigator sees only assigned/shared incidents. Open incident #1 — review the evidence file with its SHA-256 hash, filter CDR records by phone number, and open the Victim Reports tab.
5. Victim Corroboration
[Stay in Gov portal] This victim report was automatically matched to CDR record TGX-2026-01-01. For ambiguous cases, a gov_admin manually links the report to the correct CDR — a legally defensible action logged to audit_events.
6. Audit & Controls
[Log in as platform admin] Every action you just saw — login, upload, CDR import, assignment, linkage — is here in the audit trail. Filter by action type, actor ID, or incident. This is the chain of custody.
7. Prototype & Path Forward
This prototype runs on EC2 with SQLite and a mocked S3 flow. The architecture is designed for production: swap SQLite for PostgreSQL/RDS in one config line, add AWS credentials for real S3, containerize for ECS. The RBAC, audit trail, and data model are production-ready today.
TIGER Prototype v1.0 · Demonstration and law enforcement stakeholder review only
Not for operational deployment without additional hardening review
