Evidence
Chain of custody for digital evidence
When a document may later be questioned, it is not enough for it to be genuine. You have to be able to show that it is genuine, and that it has not changed since you took hold of it.
When a document may later be questioned, it is not enough for it to be genuine. You have to be able to show that it is genuine, and show that it has not changed since you took hold of it. That is what chain of custody does. It is the documented, unbroken account of who held a piece of evidence, when, and what they did with it, from the moment of acquisition onward. For digital material the principles are the same as for a physical object, but the techniques are specific, and a few small habits at the start determine whether the record holds up under scrutiny.
This is a practitioner overview, not legal advice. Rules of evidence and admissibility vary by jurisdiction and by context. When the stakes are legal, work with counsel and, where warranted, a qualified forensic examiner.
What authenticity means for a digital object
Authenticity is the claim that a record is what it purports to be, made by whom it purports to be made, and unchanged in any way that matters. For a born-digital object, three questions sit underneath that claim. Where did it come from and how was it acquired? Has it been altered since acquisition? And can you account for it continuously the whole time it was in your keeping? Chain of custody is the mechanism that lets you answer all three with evidence rather than assertion.
The hash at acquisition is the anchor
The single most important technical step happens at the very beginning. At the moment you take custody of a digital object, you compute a cryptographic hash of it, most commonly SHA-256, and you record that value. That hash is a fingerprint of the exact bytes as they were when you received them. From then on, anyone can recompute the hash and compare. If it still matches, the object is provably unchanged since acquisition. If it does not match, the object has been altered, even by a single bit, and you will know.
This is why the hash has to be taken as early as possible and written down somewhere durable. A hash captured a week later only proves the file has not changed since that week, which leaves the intervening time unaccounted for. Captured at acquisition, alongside the date, the time, and who took it, it anchors the entire chain that follows.
Work on copies, preserve the original
A bedrock rule of digital evidence handling is that you do not work on the original. You acquire it, hash it, set it aside untouched, and then make a verified copy to examine and process. In formal digital forensics this is done with write-blockers and bit-for-bit disk imaging so that the source medium is never modified, and the working image is itself hashed and confirmed to match the source.
Most records practitioners are not running a forensic lab, and that is fine. The principle scales down. When material arrives, preserve exactly what you received, verify a copy against its hash, and do all handling and description on the copy. If you ever have to explain your process, "the original was hashed on arrival, set aside, and never altered; all work was done on a verified copy" is a clean and defensible account.
What a custody log actually records
The chain-of-custody log is the running record that makes the whole thing credible. There is no single mandated format, but a defensible log answers, for the entire life of the item in your care, who did what, when, and why. A usable entry captures:
- The item: a unique identifier and a short description, plus the acquisition hash it is tied to.
- Acquisition: the date and time you took custody, from whom or from what source, and the method used.
- Each transfer: every time custody moved from one person or system to another: who released it, who received it, when, and how.
- Each action: every process performed on it (copying, imaging, verification, migration, examination), with the date, the person or tool responsible, and the outcome.
- Storage: where the item was held between actions, and how access to that location was controlled.
The goal is continuity with no gaps. A period during which nobody can say where the item was or who could reach it is exactly the weakness that undermines an authenticity claim. Note that this is the same discipline the preservation world calls event-based provenance; the PREMIS approach to metadata records precisely these dated, attributed events, and a good custody log is one honest way to implement it.
Small practices that keep a chain strong
Record contemporaneously, not from memory. An entry written at the time of the action is far stronger than one reconstructed weeks later, and reconstructed logs invite exactly the doubt you are trying to remove. Keep the log itself protected and, ideally, append-only, so it cannot be quietly edited after the fact. Store the acquisition hashes separately from the files they describe, so that a single compromised location cannot alter both the evidence and the record of its integrity. And re-verify on a schedule and after every transfer, so that if a copy degrades you catch it against a copy that has not.
An authenticity claim is only as strong as the weakest undocumented gap in the record of custody. The technical steps are easy; the discipline of recording them every time is the real work.
Where to go deeper
Forensic and archival references
For the forensic handling of digital evidence, the U.S. National Institute of Standards and Technology publishes guidance through its computer forensics program, and NIST Special Publication 800-86 offers a well-known guide to integrating forensic techniques into incident handling. For the records and archives view of authenticity and trustworthy digital records over time, the research from the InterPARES project is the standard reference. Read whichever matches your stakes: the forensic material when admissibility is the concern, the archival material when long-term trustworthiness is.