Iconik uses Castlabs' STARDUSTmark forensic watermarking technology to apply invisible watermarks to content shared with external collaborators. The implementation embeds an invisible, per-recipient identifier into shared video proxies so leaks can be traced back to a specific viewer - even after re-encoding, compression, or off-screen capture.
Forensic watermarking is applied on shares only (not on in-app proxies or originals stored in Iconik).
NB: Forensic Watermarking is a paid add-on available to Iconik Enterprise and Pro customers; it is not available by default. If you want to enable Forensic Watermarking as part of our Pro/Enterprise security add-on, contact your sales or customer success manager for more information and pricing.
What gets watermarked (and when)
Watermarked
- Share link playback proxies generated for external recipients.
- Watermarking is applied per share and (critically) can be unique per recipient, meaning Iconik will generate distinct proxy outputs for different viewers, on demand.
Not watermarked
- Playback of assets inside Iconik when not shared.
- Originals “at rest” in Iconik storage.
Admin configuration (Enterprise Security)
Forensic watermarking is controlled by admins in System settings, alongside other watermark/DRM controls (Enterprise Security).
Expected behaviors:
- The setting is off by default.
- When enabled, the UI shows protection indicators in share-related UX.
- When forensic watermarking is enabled, magic links must be enabled to ensure recipients are authenticated (so a watermark can be attributed to a person/guest).
End-to-end flow (high level)
- Admin enables forensic watermarking in System settings (and any user/group policy if configured).
- A user creates a share link for a video asset.
- When a recipient plays the asset via the share:
  - Iconik ensures the recipient is authenticated (magic link / guest identity).
  - Iconik generates or serves a watermarked proxy for that recipient.
  - The proxy is produced through the watermarking pipeline that integrates with Castlabs.
Leak response / watermark extraction workflow
When a customer reports a suspected leak, the investigation typically includes:
- Identify the source asset
  - Engineering will usually need the customer’s Iconik domain identifier and the asset ID to find the original/share context.
- Run watermark extraction in Castlabs
  - Use Castlabs’ STARDUSTmark portal/extraction workflow on the leaked material.
- Map the extracted watermark back to a viewer
  - Compare the extracted watermark result against Iconik’s internal records of users/guests who viewed that asset/share.
Operational notes / troubleshooting
“Does watermarking apply to normal Iconik playback?”
No. Today, both DRM and forensic watermarking are applied to shared proxies only.
“Why do we require magic links?”
To ensure every watermarked playback can be attributed to an authenticated recipient (needed for traceability).
“What data do we need for extraction?”
- The leaked material itself
- Asset ID of the leaked material (required)
- Version ID (optional) - helps narrow the result, but is often hard to determine from the leaked material alone.