§ Trackr.Live

Evidence Handling and Chain of Custody

Chain of custody is the documented record of who possessed an evidence item, when, and what was done to it, maintained continuously from the moment of acquisition until the evidence is released or destroyed. Evidence handling is the broader procedural and technical practice of preserving that evidence in a state that allows the chain to mean something: the write blockers, the hash verification, the sealed storage, the imaging methodology, the documentation discipline that runs through every analytical step. The two practices are inseparable. A chain of custody without intact evidence is paperwork. Intact evidence without a chain of custody is a finding that cannot be defended.

This page covers the foundations. What the chain of custody actually documents. What hash verification proves and does not prove. What write blockers do and do not protect against. How physical and digital evidence handling proceed in parallel. How the resulting record holds up against legal challenge. The companion subpages cover acquisition methodology (Forensic Acquisition and Imaging) and the legal admissibility framework (Court Admissibility and Expert Testimony) in more depth.

The boring procedural rigor is the point. The findings produced at the end of a forensic examination are only as defensible as the chain that connects them back to the evidence as originally acquired. Almost every successful impeachment of forensic findings in court traces back to a chain-of-custody failure, not to an analytical mistake. The seemingly excessive documentation, the dual-control procedures, the hashing at every transfer — these exist because each of them is the answer to a specific cross-examination question that someone has lost a case to in the past.

The principle layer

A small number of principles underlie nearly every chain-of-custody methodology in active use, regardless of which standard or jurisdiction is in scope.

Integrity preservation. The evidence must not be altered between acquisition and presentation. In digital forensics, this principle is the foundation for the use of write blockers, forensically sound imaging tools, and hash verification: the technical mechanisms that prove the data the examiner is working with is identical to the data on the source media. The principle does not require that nothing be done with the evidence. It requires that anything done be documented, reproducible, and demonstrably non-destructive.

Documented custody. Every person who possessed the evidence, and every action they took with it, must be recorded. The record must be continuous. Gaps in the chain are presumed to be opportunities for tampering, regardless of whether tampering occurred. The mechanism is procedural and is intentionally boring: who, what, when, where, why, signed at each transfer.

Examiner competence. The person handling the evidence must be qualified to do so. The standard does not require formal certification in every jurisdiction, but it does require that the examiner be able to defend their methodological choices, version selections, and procedural decisions on the stand if the case reaches court. This is the principle that connects chain of custody to the broader admissibility framework. Daubert challenges are usually challenges to examiner methodology, not to the chain itself.

Audit trail. Every action taken on the evidence must produce an auditable record. The record exists for two reasons: to allow another competent examiner to reproduce the work, and to allow opposing counsel to cross-examine the work in detail. The audit trail is the practical mechanism that makes the methodology defensible.

The four ACPO principles, codified in the UK Good Practice Guide for Digital Evidence, are the most concise canonical statement of these principles and are recognizable in nearly every other forensic methodology document. The principles, in slightly modernized form:

  1. No action taken should change data held on a computer or storage media that may subsequently be relied upon in court.
  2. In circumstances where a person finds it necessary to access original data, that person must be competent to do so and able to give evidence explaining the relevance and implications of their actions.
  3. An audit trail or other record of all processes applied to digital evidence should be created and preserved.
  4. The person in charge of the investigation has overall responsibility for ensuring that the law and these principles are adhered to.

NIST SP 800-86, SWGDE, ISO/IEC 27037, and ASTM E2916 all restate these principles in their own vocabulary. The convergence is not accidental; the legal requirements that produced these principles are nearly identical across jurisdictions.

Chain-of-custody mechanics

A chain-of-custody form is a continuous log that records, at minimum: a unique evidence identifier (case number, item number), a description of the item, the location where it was acquired, the name and signature of the person who acquired it, the date and time of acquisition, and an entry for every subsequent transfer (date, time, transferring party, receiving party, purpose, signatures).

The form itself is a procedural artifact whose specific layout varies by organization, but the data captured is essentially constant. The entries are appended; existing entries are not modified. Crossing out and rewriting entries is a chain-of-custody failure on its own. The standard mitigation for a clerical error in the log is to add a new dated entry that corrects the previous one, signed by the custodian making the correction.

In environments where the volume justifies it, the paper form has been displaced by purpose-built evidence management systems (EMSs) that produce the same record electronically with the same continuity requirements. The legal weight of an EMS-produced record is equivalent to a paper record as long as the system itself has the integrity controls that the standards require: append-only entries, authentication for every transfer, cryptographic integrity of the log file. Most commercial EMS platforms meet these requirements; in-house systems sometimes do not, and the methodology has to defend the in-house implementation if it is used.

The chain-of-custody record is separate from the analytical log of operations performed on the evidence. The two records overlap but serve different purposes. The chain records possession and transfers; the analytical log records the actions taken on the evidence during examination. Both are required. One is not a substitute for the other.
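As an added example (not from the page or from any particular EMS product), the append-only rule and the corrective-entry convention described above implemented as a hash-chained custody log: each entry commits to the hash of the one before it, a clerical error is fixed by a new dated entry that references the erroneous sequence number, and the verifier reports the first entry at which an edit or splice broke the chain. The item identifier, names and timestamps are constructed.

```python
"""Append-only, hash-chained chain-of-custody log.

Added example for this page, not any EMS product's record format. Each entry
stores the SHA-256 of the previous entry, so editing or reordering an earlier
record breaks every later link; clerical errors are fixed by appending a
correction that references the bad entry, never by editing it.
"""
import hashlib
import json
from typing import Dict, List, Optional, Tuple

GENESIS = "0" * 64  # prev_hash of the first entry


def _entry_hash(entry: Dict) -> str:
    # Hash every field except the stored hash; sort_keys gives a canonical
    # serialisation so key order cannot change the digest.
    body = {k: v for k, v in entry.items() if k != "entry_hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


def append_entry(log: List[Dict], item_id: str, when: str, action: str,
                 custodian: str, received_by: str = "", purpose: str = "",
                 corrects: Optional[int] = None) -> Dict:
    """Append one custody entry; entries already in the log are never touched."""
    entry = {
        "seq": len(log),
        "item_id": item_id,
        "timestamp": when,        # ISO 8601 UTC, as signed at the transfer
        "action": action,         # acquired | transfer | correction ...
        "custodian": custodian,
        "received_by": received_by,
        "purpose": purpose,
        "corrects": corrects,     # seq of the erroneous entry, if any
        "prev_hash": log[-1]["entry_hash"] if log else GENESIS,
    }
    entry["entry_hash"] = _entry_hash(entry)
    log.append(entry)
    return entry


def verify_chain(log: List[Dict]) -> Tuple[bool, int]:
    """Return (ok, first_bad_seq); first_bad_seq is -1 when the chain is intact."""
    prev = GENESIS
    for i, entry in enumerate(log):
        if entry["seq"] != i or entry["prev_hash"] != prev:
            return False, i       # reordered, deleted or spliced entry
        if _entry_hash(entry) != entry["entry_hash"]:
            return False, i       # entry body edited after signing
        prev = entry["entry_hash"]
    return True, -1


def build_sample_log() -> List[Dict]:
    """Constructed sample: acquisition, transfer, then a correction of seq 1."""
    log: List[Dict] = []
    item = "CASE-0001/ITEM-01"    # constructed identifier
    append_entry(log, item, "2024-01-15T09:12:00Z", "acquired",
                 custodian="examiner A", purpose="on-site acquisition")
    append_entry(log, item, "2024-01-15T11:40:00Z", "transfer",
                 custodian="examiner A", received_by="evidence clerk B",
                 purpose="sealed storage")
    # Wrong receiving party above: append a dated correction pointing at
    # seq 1 rather than rewriting seq 1.
    append_entry(log, item, "2024-01-15T12:05:00Z", "correction",
                 custodian="examiner A", received_by="evidence clerk C",
                 purpose="received_by in seq 1 should read 'evidence clerk C'",
                 corrects=1)
    return log


def tampered_copy(log: List[Dict], rehash: bool = False) -> List[Dict]:
    """Edit seq 1 in place, as a crossed-out-and-rewritten paper entry would be."""
    bad = [dict(e) for e in log]
    bad[1]["received_by"] = "evidence clerk C"
    if rehash:                    # make seq 1 self-consistent; seq 2's link breaks
        bad[1]["entry_hash"] = _entry_hash(bad[1])
    return bad
```

The chain detects edits and splices but not truncation of the tail; in practice the last entry hash is recorded on the custody form or signed out-of-band, which is what pins the log's end.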

Hash verification

Cryptographic hashing is the technical mechanism that connects the abstract requirement of “the evidence has not been altered” to a concrete, verifiable proof. At acquisition, the examiner computes a hash of the source media (or the acquired image of it, depending on the methodology) and records the hash value in the chain of custody. Every analytical step that produces a derivative of the evidence is hashed against the original to prove that no alteration has occurred.

The hash algorithms used in modern forensic practice include MD5, SHA-1, and SHA-256, with SHA-512 occasionally seen for high-assurance work. The choice of algorithm is the subject of ongoing methodological debate that requires more nuance than the cryptographic community’s view of these algorithms would suggest at first glance.

MD5 has been cryptographically broken for collision resistance since 2004 (Wang et al.) and is treated as insecure for any application where an adversary might construct a malicious collision. SHA-1 has been similarly broken since the SHAttered demonstration in 2017. Modern cryptographic practice has moved on from both algorithms entirely.

Forensic practice has not. MD5 and SHA-1 remain in continuous operational use for forensic verification, not because forensic examiners are unaware of the cryptographic weaknesses, but because the threat model that the hash is defending against is categorically different. The forensic use of hashing is integrity-against-error, not integrity-against-adversary. The hash on a forensic image is protecting against bit rot, transmission corruption, copy errors, and incidental alteration during analysis. None of those require collision resistance to detect. An adversary capable of constructing a hash collision is not the threat the chain is defending against. The chain is defending against the question “can you prove this file is the same file you acquired.”

For that threat model, MD5 and SHA-1 are adequate. The probability of an accidental MD5 collision on a forensic image is astronomically small. The probability of a transmission error producing one is similarly negligible. The cryptographic weakness against deliberate collision construction is irrelevant to the question being answered.

Modern practice records SHA-256 alongside the legacy MD5 and SHA-1 hashes, not in place of them. This serves several purposes. It future-proofs the record against algorithms whose status may change. It allows verification against tools that only support one algorithm. It provides a hedge if the cryptographic position on MD5 changes in ways that produce litigation surprises. The cost of computing three hashes at acquisition is trivial; the benefit of having multiple hashes recorded is substantial.

The hash is recorded:

  • On the chain-of-custody form at acquisition.
  • In the EMS or case management system.
  • On the imaging tool’s output report.
  • Sometimes printed and physically attached to the evidence bag.

Verification happens at each subsequent step: every time the evidence is transferred, every time a working copy is made, every time the examination tool processes the data. This is the practical mechanism that detects any alteration. If the hash at verification does not match the hash at acquisition, the chain has broken, and the methodology has to acknowledge the break and explain it. There is no clean recovery from a hash mismatch. The analysis from that point forward is suspect.
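An added example, not code from the page or from any imaging tool, of the multi-hash record and verification practice described above: one pass over the image computes MD5, SHA-1 and SHA-256 together and also keeps per-chunk SHA-256 digests (the chunk-level check that EWF and AFF4 containers carry), and verification reports any mismatch against the recorded values rather than recalculating and replacing them. The sample image bytes and the chunk size are constructed.

```python
"""Multi-algorithm hash record and verification for a forensic image.

Added example for this page, not any imaging tool's report format. The image
is read once and MD5, SHA-1 and SHA-256 are computed together, matching the
'record all three' practice above; per-chunk SHA-256 digests are also kept so
a later mismatch can be localised, as the EWF/AFF4 containers do. Verification
compares against the recorded values and never overwrites them.
"""
import hashlib
import io
from typing import BinaryIO, Dict, List

ALGORITHMS = ("md5", "sha1", "sha256")
CHUNK_SIZE = 4096   # small for the constructed sample; real tools use MiB chunks


def hash_image(stream: BinaryIO, chunk_size: int = CHUNK_SIZE) -> Dict:
    """Single pass over the image: whole-image digests plus per-chunk SHA-256."""
    whole = {name: hashlib.new(name) for name in ALGORITHMS}
    chunks: List[str] = []
    size = 0
    while True:
        block = stream.read(chunk_size)
        if not block:
            break
        size += len(block)
        for h in whole.values():
            h.update(block)
        chunks.append(hashlib.sha256(block).hexdigest())
    record = {"size": size, "chunk_size": chunk_size, "chunk_sha256": chunks}
    record.update({name: h.hexdigest() for name, h in whole.items()})
    return record


def verify_image(stream: BinaryIO, record: Dict) -> Dict:
    """Re-hash the image and compare with the acquisition record.

    The record is never modified: a mismatch is reported with the chunk
    indices that differ, so the break can be documented and explained.
    """
    current = hash_image(stream, record["chunk_size"])
    matched = {name: current[name] == record[name] for name in ALGORITHMS}
    pairs = zip(record["chunk_sha256"], current["chunk_sha256"])
    bad_chunks = [i for i, (old, new) in enumerate(pairs) if old != new]
    ok = all(matched.values()) and current["size"] == record["size"]
    return {"ok": ok, "matched": matched, "bad_chunks": bad_chunks,
            "size_ok": current["size"] == record["size"]}


def verify_bytes(data: bytes, record: Dict) -> Dict:
    """Convenience wrapper for in-memory data (tests, small samples)."""
    return verify_image(io.BytesIO(data), record)


# Constructed 12 KiB "image": three chunks of recognisable filler.
SAMPLE_IMAGE = bytes(range(256)) * 48


def corrupted_copy(data: bytes, offset: int = CHUNK_SIZE + 10) -> bytes:
    """Flip one bit at `offset` (chunk 1 by default), as a copy error might."""
    buf = bytearray(data)
    buf[offset] ^= 0x01
    return bytes(buf)


def acquisition_record() -> Dict:
    """Hashes recorded at acquisition; this is the value the chain carries."""
    return hash_image(io.BytesIO(SAMPLE_IMAGE))
```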

Write blockers

A write blocker is a hardware or software device that sits between the examiner’s system and the source evidence media, allowing read access to the media while preventing any write that the examiner’s system might attempt, intentional or otherwise. The mechanism exists because connecting an unprotected source drive to a typical operating system will produce writes within seconds: file system journal updates, the OS’s attempt to mount the volume, the antivirus scan, the indexing service, the thumbnail generator, and a long list of background processes that assume any storage device they see is one they can safely modify.

Write blockers split into two categories with very different operational characteristics.

Hardware write blockers are physical devices that interpose between the source media and the examiner’s system at the interface level. The major commercial vendors are Tableau (an OpenText line), WiebeTech (CRU), and Atola. Hardware write blockers exist for every common storage interface: SATA, SAS, IDE, USB, FireWire, NVMe, eMMC. The interposition is enforced at the protocol level. Write commands from the host are dropped before they reach the source media, and the protection is independent of what software is running on the examiner’s system.

Hardware write blockers are the gold standard for forensic acquisition. The protection is reliable, the methodology is well-documented, and the validation testing required to certify a hardware write blocker — NIST’s CFTT (Computer Forensics Tool Testing) program publishes test results for the major models — provides the methodological support that holds up under cross-examination.

Software write blockers modify the examiner’s operating system to prevent writes to designated devices. The protection is implemented in the OS storage stack, typically through a kernel-mode filter driver on Windows or a similar mechanism on Linux. The major examples include the Linux block-device read-only setting (blockdev --setro), forensic Linux distributions configured for read-only mounts (CAINE, SIFT, Tsurugi), and commercial software write-block products.

Software write blockers are less reliable than hardware because they depend on the OS stack behaving correctly. A driver bug, a misconfiguration, or a write that bypasses the protected path can still cause writes to the source media. The mitigation is to use software write blockers only in well-characterized environments (specific forensic distributions, specific OS versions, specific hardware) and to verify the protection’s behavior through testing before relying on it.

The practical workflow is to use a hardware write blocker for the initial acquisition, regardless of what the eventual analysis environment will be. Once a forensic image has been acquired with hardware protection, subsequent analysis can be performed on the image (which is a file, not the source media) without further write-blocking, since the image is the working copy and any alteration to it does not affect the source.

The most common write-blocker failure mode is not the device itself but the procedural lapse of forgetting to use it. The methodology has to enforce write-blocker use at the procedural level, typically by requiring the chain of custody to record the specific write blocker used (make, model, serial number, firmware version) at the acquisition step. An acquisition log that omits the write blocker is a chain-of-custody failure that opens every subsequent finding to challenge.

Physical evidence handling

The digital aspects of evidence handling sit on top of a physical handling layer that has its own procedural requirements.

Sealed storage. Evidence in transit and between examination sessions is stored in tamper-evident containers: sealed evidence bags with unique serial numbers, signed across the seal by the custodian. The seal must be intact when the next custodian breaks it, and any breach of the seal is recorded in the chain. The seal is not cryptographically secure (a determined adversary can bypass any physical seal given time and tools), but the seal serves the same role as the hash. It shifts the question from “was the evidence altered” to “can the breach be detected,” and the answer is yes if the procedure is followed.

Evidence rooms and lockers. Long-term evidence storage is housed in access-controlled facilities: rooms with limited keyholders, badge logging, video surveillance, and environmental controls. The dual-access requirement (two custodians present for any access to evidence storage) is standard in law-enforcement contexts and is sometimes implemented in corporate contexts where the case may reach court.

Environmental controls. Digital storage media degrade over time. Magnetic media (hard drives, tape) are sensitive to magnetic fields, humidity, and temperature. Optical media (DVDs, Blu-ray) degrade slowly under any conditions and faster under heat or UV. Flash media (SSDs, USB drives, memory cards) lose charge over years and may become unreadable if stored without periodic power application. The methodology has to account for the storage horizon. Evidence that will be analyzed within weeks has different requirements from evidence that may be sealed for years pending litigation.

Transport. Evidence in transit is at elevated risk for both physical damage and chain-of-custody breaks. Standard practice is to transport evidence in tamper-evident containers, in vehicles or shipping methods that maintain the chain (signed receipts at each handoff), and with documentation that allows the chain to be reconstructed if the package is delayed or rerouted.

The physical layer is the part of evidence handling that experienced forensic examiners sometimes underweight because the digital integrity controls feel more rigorous. The legal weight is the same: a broken physical seal is a chain failure even if the digital hash still verifies. The defensibility of the analysis depends on both layers being intact.

Imaging and the bit-for-bit principle

The standard forensic acquisition produces a bit-for-bit image of the source media: a copy that captures every byte of the source, including unallocated space, slack space, and file system metadata, without interpretation. The image is the working copy; the source is sealed and stored. All subsequent analysis happens on the image, not on the source.

The bit-for-bit principle protects against a class of methodology challenges. An analysis that only acquires allocated content (a file copy, a logical backup) is missing the deleted-but-recoverable data, the unallocated remnants of previous files, and the file system structures that establish timeline. A defense attorney can credibly challenge the completeness of such an acquisition. A bit-for-bit image cannot be challenged on completeness grounds; the question of completeness reduces to the technical question of whether the imaging tool actually captured everything on the source.

The image format itself matters. The major forensic image formats are raw dd, the Expert Witness Format (E01, EWF), and the Advanced Forensic Format (AFF and AFF4). They differ in what they record alongside the bit stream. Raw dd captures only the data. EWF wraps the data in a container that includes the acquisition metadata, examiner identity, hash values, and case information. AFF4 extends this with additional integrity controls and storage efficiency. The choice of format is partly a tooling question and partly a methodology question. The standards do not mandate a specific format, but most U.S. forensic practice has converged on EWF for compatibility with the dominant commercial tools and on raw dd plus a metadata sidecar for open-source workflows.

The verification math is recorded with the image: the hash of the source as computed during acquisition, the hash of the image as computed by the imaging tool, and (in EWF and AFF4) the hash of each chunk within the image. Mismatch at any layer is a methodology failure that has to be acknowledged and explained. The full acquisition methodology is covered in the Forensic Acquisition and Imaging subpage.

The legal weight of chain of custody

In U.S. federal courts, evidence is admissible under the Federal Rules of Evidence (FRE). Rule 901 governs authentication: the requirement that the proponent of evidence demonstrate that the item is what they claim it is. For digital evidence, authentication typically rests on the chain of custody plus the hash verification. The chain establishes that the item has been continuously under documented control, and the hash establishes that the item has not been altered. The two together satisfy Rule 901.

Rule 902 governs self-authenticating evidence: items that authenticate themselves through their inherent characteristics. The 2017 amendment to Rule 902 added Rule 902(14), which makes data copied from electronic devices self-authenticating if accompanied by a certification from a qualified person that the copy was made using a method that produces an accurate result and a written record of the chain of custody. The amendment substantially reduced the in-court testimony burden for routine digital evidence but did not change the underlying chain-of-custody requirements.

Daubert challenges (under Daubert v. Merrell Dow Pharmaceuticals, 1993) attack the methodology rather than the chain directly, but methodology failures and chain failures are often the same thing in practice. A Daubert challenge to the imaging methodology is a challenge to whether the chain at the acquisition step was properly maintained.

Breaks in the chain of custody do not necessarily render evidence inadmissible, but they shift the analytical question from “is the methodology sound” to “is this particular evidence still trustworthy.” The standard judicial response to a chain-of-custody gap is to admit the evidence with the gap noted and let the trier of fact weigh the impact. The practical consequence is that gaps reduce the persuasive weight of the evidence even when they don’t bar its admission, and a sufficiently serious gap can result in suppression.

The litigation record over the past two decades has produced a consistent pattern: forensic findings are almost never impeached on the analytical methodology when the chain of custody is intact, and forensic findings are very often impeached on the chain even when the analysis was correct. The disproportionate effect of chain-of-custody failures on case outcomes is the reason the procedural rigor is the way it is.

Practical failure modes

The following chain-of-custody failure modes recur across forensic engagements, regardless of methodology framework or jurisdiction.

The undocumented handoff. An examiner takes possession of evidence informally, completes some analytical work, then formalizes the chain after the fact. The retroactive entry is a chain failure on its own; the analysis performed during the undocumented period is suspect.

The missing write-blocker entry. The acquisition log records the source media, the destination image, the examiner, the timestamp, and the hash, but omits the make and model of the write blocker used. The omission is treated as evidence that no write blocker was used. The acquisition is challengeable.

The mismatched hash that gets recalculated. The hash at acquisition does not match the hash at the next verification step. The examiner recalculates and records the new hash as the “correct” one without acknowledging the mismatch. The methodology has been broken; the recalculation makes the break worse.

The corrected entry without a separate corrective entry. An entry on the chain-of-custody form is wrong (a date, a name, a transfer purpose). The custodian crosses it out and writes the corrected information over it. The crossed-out entry is treated as evidence of tampering. The correct approach is a new dated entry referencing the prior error.

The unsealed transport. Evidence moves between physical locations without tamper-evident sealing. The destination custodian cannot certify that the evidence is in the state it left the prior custodian. The chain is intact in name but not in substance.

The shared evidence locker. Multiple cases are stored in a single access-controlled space without per-case access controls. Any authorized custodian could in principle have accessed any case’s evidence. The shared-access model is not a chain failure on its own but does increase the burden of demonstrating per-case integrity.

The over-disclosed image. A forensic image is shared with parties who do not need access (defense counsel, opposing experts, collaborators) without tracking. Each unauthorized recipient is a chain stop that was not documented. The image’s integrity is intact (hashes still match) but the chain of who has had access is broken.

The retention gap. Evidence is held past the retention horizon of the case management system, the EMS schema changes, and the older records cannot be retrieved in their original form. The chain still exists in principle but cannot be presented in a defensible form.

The mitigations are procedural and largely a matter of organizational discipline. Most forensic practices that maintain consistent chain-of-custody integrity do so because the procedural framework is treated as non-negotiable: every acquisition follows the same checklist, every transfer requires the same documentation, every methodology change is approved before adoption. The procedural rigor is not difficult; it is just unforgiving of inattention.

Standards and references

The authoritative sources for chain-of-custody methodology:

  • NIST SP 800-86 (Guide to Integrating Forensic Techniques into Incident Response) covers chain of custody at a high level and is the foundational U.S. federal reference.
  • NIST SP 800-101 (Guidelines on Mobile Device Forensics) extends the methodology to mobile-specific concerns.
  • SWGDE Best Practices for Computer Forensic Acquisitions is the U.S. practitioner reference, written by examiners for examiners.
  • ISO/IEC 27037 covers the identification, collection, acquisition, and preservation of digital evidence with international applicability.
  • ISO/IEC 27042 covers the analysis and interpretation phase, where chain-of-custody requirements continue.
  • ACPO Good Practice Guide for Digital Evidence is the UK reference and the source of the four ACPO principles.
  • ASTM E2916 covers terminology and is referenced when forensic findings must align with broader forensic-science accreditation.
  • NIST CFTT (Computer Forensics Tool Testing) publishes validation results for forensic acquisition tools and write blockers. The CFTT reports are routinely cited in expert testimony to establish that a particular tool’s behavior is known and reproducible.

Compatibility across these standards is high at the principle level. Operational specifics differ in ways that matter: NIST’s emphasis is on integrating forensic technique with federal incident response; SWGDE focuses on examiner workflow; ISO emphasizes international applicability and audit; ACPO frames the principles in law-enforcement vocabulary. Forensic engagements that span jurisdictions sometimes need to satisfy multiple standards simultaneously, which is achievable but requires methodology documentation that maps the requirements of each standard onto the actual procedural steps performed.

Chain of custody is not glamorous, and the discipline as a whole has occasionally suffered from being treated as procedural overhead by examiners who would rather focus on the analytical work. The procedural overhead is the work. The analysis is only as defensible as the chain that connects it back to the evidence, and the chain is only as defensible as the discipline with which it has been maintained. The successful forensic engagements are not the ones with the most sophisticated analytical methodology. They are the ones where the procedural rigor was so consistent that the analytical findings could speak for themselves without the chain becoming the story.