Chain of Custody: How to Ensure Digital Evidence Stands Up In Court

Back when George Zimmerman was on trial in the Trayvon Martin killing, Florida State Attorney Angela Corey was busy firing her IT director, Ben Kruidbos.

Claiming whistleblower status, Kruidbos says he got fired after pointing out that police had disregarded a trove of digital evidence in the case, including photos and text messages. In May, a Florida judge said the ex-IT director could continue to sue his former boss for wrongful termination.

The point: Digital evidence is evidence. It can have real impact on legal proceedings. So it’s essential that law enforcement maintain a clear, documented chain of custody for digital evidence, just as it would for any physical evidence. From the moment evidence is obtained, a trail must document how it has been handled, by whom, and for what purpose.

In the real world, cops bag it, tag it, and put it in a locker. Anyone needing access must sign it in and sign it out. In the digital age, however, with digital video, electronic documents, digital photos, the contents of a hard drive – deleted files – all this gets more complicated.

“Any type of digital evidence is a lot more volatile than a coffee cup or a knife,” said John Bennett, section chief of the FBI’s digital forensics and analysis section. “So we have to make sure it is treated a little bit differently.”

Without the right protections, digital files can be easily deleted, edited, even fabricated. So documenting a digital chain of custody is all the more important. A compromised chain can undo a legal proceeding and lay waste to years of investigation. And a defense attorney need not demonstrate actual tampering; successfully raising a concern about potential tainting of the evidence is enough on its own.

Likewise, growing public skepticism about law enforcement raises the stakes for agencies to ensure that their handling of evidence is beyond reproach. “Chain of custody is the backbone, the foundation of everything that we do when handling evidence of any type,” said Dustin Sachs, a managing consultant in the legal technology solutions practice at Navigant Consulting.

“With people being as skeptical as they are of law enforcement today, any question as to whether or not things are being done properly is going to become a big issue,” he said.

So as the nature of evidence is in flux – moving away from strictly physical objects to electronic artifacts – the last thing law enforcement wants is to encourage that sense of discomfort.

“The courts always feel a bit of angst the first time they do something,” said Terry Gainer, a consultant and former sergeant-at-arms for the U.S. Senate. “They need to feel as comfortable with this as they do knowing that an expert has come in and approved a fingerprint, or come in and approved DNA.”

Why are courts leery of digital evidence? A study by RAND Corp., the Police Executive Research Forum, RTI International, and the University of Denver offers a number of reasons:

  • First-responding officers often do not know how to secure and use digital evidence to preserve chain of custody
  • Departments do not have enough personnel to process today’s growing volume of digital evidence
  • Judges’ lack of knowledge about digital evidence complicates appropriate use in court

These factors together make clear that law enforcement and IT experts must work closely to forge a path together.

For the FBI, the chain of evidence begins with hardware – the physical hard drive, phone camera or other device that may house evidentiary data. That hardware is tagged and locked up, and must be logged in and logged out by anyone who wants access to it.

At the same time, the FBI safeguards the data itself in a number of ways. First, a “write blocker” is installed: a one-way digital valve that allows investigators to examine and access data from a device without risk of altering it.

“You cannot intentionally or accidentally change the evidence, so you have a fundamental chain of custody attached to the original artifact,” Bennett said. Further data custody comes down to basic block and tackle: All data is encrypted and password protected, and a backup copy is made and locked away.

That’s a pretty good start, but the challenges don’t end there. Cloud computing raises new questions, introducing third-party entities that may possess, encrypt, and transmit evidentiary data. But once the evidence is in the hands of a third party, can the government still prove the chain of custody was secure?

Yes, say the cloud providers, who say their automated notifications are actually more reliable than conventional evidence locker records, because there’s no risk of human error or intentional oversight when evidence is signed in or out. The computer records each event automatically.

It’s a nice safeguard, but the “hash” will go you one better.

The point of passwords, encryption, and sealed plastic bags is not just to make sure that no one touches the evidence. It’s to make sure no one changes the evidence. That’s the big fear underlying people’s mistrust of the digital custody chain: You can overwrite or rearrange and no one will be able to tell.

Enter digital hashing, or the hashing function, which may be the most effective tool yet for securing digital evidence. Think of the hash as a digital fingerprint, not of a person, but of the digital evidence. A hash uses an algorithm to create a unique digital impression of a digital record; any change to that record afterward will result in a new, unique hash. Change a single pixel in a picture, a single period in a document, and the hash on the copy will no longer match the original. The tampering will be evident.

In a white paper on chain of custody, DTI subsidiary Merrill Legal Solutions offers this example using the MD5 hash value and a commonplace phrase, “The quick brown fox jumps over the lazy dog.”

The hash value for that phrase is:


Change a single letter, such as the “d” in dog to an “e,” however, and the result looks like this:


“The hash value is one of the critical elements that carries through the entire chain of custody, through every step of the discovery process,” the authors note. “If at some point there is an objection to the chain of custody record, the hash value … will provide one of the necessary foundational elements for admissibility.”

The hash has more than just forensic value – it’s a deterrent. Knowing about the use of a hash will deter would-be intruders from even thinking of tampering with digital evidence. “If I know that when I go in there I might bump this in any way, even the smallest way, maybe I am not going to do that,” Sachs said.
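The fingerprinting described above, as an added example that is not part of the original article or the Merrill white paper: it computes the MD5 hash of the white paper’s phrase, shows that changing the “d” in “dog” to an “e” produces a different hash, and verifies a copy against the hash recorded at acquisition the way a custody log entry would (comparing hex digests case-insensitively, since tools differ in the case they print). The `verify_copy` and `hash_stream` names are this example’s own; MD5 is used because that is what the article cites, but the same functions accept any algorithm name that `hashlib` supports, which matters because modern practice records a stronger digest such as SHA-256 alongside MD5.

```python
import hashlib
import io

# Constructed sample records: the white paper's phrase and a one-letter alteration
ORIGINAL = "The quick brown fox jumps over the lazy dog"
ALTERED = "The quick brown fox jumps over the lazy doe"   # "dog" -> "doe"
WITH_PERIOD = ORIGINAL + "."                               # the trailing period changes the hash too


def fingerprint(text: str, algorithm: str = "md5") -> str:
    """Hash a text record exactly as stored (UTF-8 bytes, nothing appended)."""
    return hashlib.new(algorithm, text.encode("utf-8")).hexdigest()


def hash_stream(stream, algorithm: str = "md5", chunk_size: int = 1 << 20) -> str:
    """Hash a file-like object in chunks so a multi-gigabyte disk image
    never has to be loaded into memory at once (hypothetical helper)."""
    digest = hashlib.new(algorithm)
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        digest.update(chunk)
    return digest.hexdigest()


def verify_copy(recorded_hash: str, copy: bytes, algorithm: str = "md5") -> bool:
    """Recompute the digest of a working copy and compare it with the value
    logged at acquisition. Hex digests are compared case-insensitively: an
    uppercase and a lowercase rendering of the same digest are the same hash."""
    current = hashlib.new(algorithm, copy).hexdigest()
    return current.lower() == recorded_hash.strip().lower()


if __name__ == "__main__":
    logged = fingerprint(ORIGINAL)
    print("original :", logged)
    print("altered  :", fingerprint(ALTERED))
    print("w/ period:", fingerprint(WITH_PERIOD))
    # An untouched copy verifies; the altered copy does not.
    print("copy intact?   ", verify_copy(logged.upper(), ORIGINAL.encode("utf-8")))
    print("altered intact?", verify_copy(logged, ALTERED.encode("utf-8")))
    # Chunked hashing of a "disk image" gives the same digest as hashing it whole.
    image = io.BytesIO(ORIGINAL.encode("utf-8") * 1000)
    print("stream matches:", hash_stream(image, chunk_size=7) == fingerprint(ORIGINAL * 1000))
```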

It’s the People

Even with all that IT at your back, experts say, chain of custody is what it has always been: A people process.

This means that people on the technical side must understand the legal side of the house. “IT professionals throughout the organization, especially incident handlers and other first responders to incidents, should understand their roles and responsibilities for forensics,” according to a policy document from the National Institute of Standards and Technology (NIST). NIST encourages IT to work hand in hand with legal counsel.

First responders in turn must be trained to handle digital evidence, just as they are trained to handle physical artifacts.

Without proper training, a digital chain will have all the same shortfalls of its physical counterpart. “It comes down to a lack of consistency; it comes down to people trying to cut corners to get stuff done,” Sachs said. “There are demands and deadlines and workloads. Law enforcement labs are horribly backlogged and there is always pressure from the criminal justice system to get it done. Then you start down a very dangerous path.”

One final word of advice from the FBI: Keep it all.

Suppose the police pick up a computer on a warrant for white collar tax crime. Since the warrant stipulates tax documents, researchers and investigators extract those documents, secure them in the chain of custody, and then leave the computer sitting on a shelf. It’s no longer evidence, right?


As Bennett points out, that computer may not be evidence any longer in this case. But it could be evidence in another criminal investigation down the road. So once it is in your hands, preserving the data and ensuring it’s admissible in court is your problem. The whole machine and all its digital innards must enter the chain of evidence, with every due precaution.

In these heady digital days, securing evidence starts as soon as it gets into police custody. And you never know what digital evidence you may need later on.

1 Comment

  1. Chris P.

    Good explanation of Chain of custody, what hash values do, and how they validate the work the professionals do in the field.

    One note on the hash value example provided in the article: the hash value provided is incorrect as displayed. It appears the sentence was hashed without the period at the end. The hash value that would be generated with the sentence inside the quotes as presented, including the period, would be E4D909C290D0FB1CA068FFADDF22CBD0.

    One other note: uppercase and lowercase in the generated hash value have no bearing on the actual output; the values should still match. Some tools will generate the value with uppercase or lowercase characters.

    Thanks for taking the time to put this together, there are many nuances to the field, and any exposure to what will be encountered in the real world helps support the entire digital forensics field as a whole.


Submit a Comment

Your email address will not be published. Required fields are marked *

Related Articles

GDIT Recruitment 600×300
GovExec Newsletter 250×250
GDIT Recruitment 250×250
GDIT HCSD SCM 2 250×250 Plane Takeoff
(Visited 27,185 times, 18 visits today)