Who touched it, when, and how you can prove it
Chain of custody is the unbroken, documented account of an item of evidence from the moment it is collected to the moment it is offered in court. For physical evidence it is a sign-out sheet. For digital evidence it is that plus a mathematical guarantee — the hash — that the bytes have not changed in anyone's hands. Litigators do not have to run the exam, but they do need to know what a defensible chain looks like, because the other side will look for the place it breaks. This is informational, not legal advice.
What a defensible chain documents
The recognized collection standards — notably the Scientific Working Group on Digital Evidence's best practices — describe contemporaneous custody documentation that records, for every item:
- A unique identifier for the item.
- The date and time it was received, and from whom.
- Every transfer of custody thereafter, with the receiving custodian named.
- Where it was stored and how access was controlled.
- The acquisition and verification hash values that prove integrity.
ISO/IEC 27037 sets out parallel international guidance for the identification, collection, acquisition, and preservation of digital evidence. The throughline is the same: contemporaneous, specific, and signed — not reconstructed from memory months later.
How custody connects to authentication
A clean chain is how you authenticate under Federal Rule of Evidence 901. Rule 901(b)(9) authenticates evidence by showing a process or system produces an accurate result — precisely what the documented acquisition-and-verification workflow demonstrates. And the recorded hashes feed Rule 902(14), which lets data copied from a device self-authenticate on a qualified person's certificate, subject to pretrial notice. Judge Grimm's opinion in Lorraine v. Markel remains the roadmap for how authentication fits with the rest of the evidentiary chain; for the text-message-specific walkthrough of 901 and 902, see how to authenticate text messages in court.
How to challenge the other side's chain
When you are on the attacking side, the questions write themselves: Is there a custody record at all, or a reconstruction? Are there unexplained gaps in time or possession? Were acquisition hashes recorded, and do the verification hashes match? Was the original write-protected during imaging? Each unanswered question is an argument that the evidence is not what its proponent claims — or at least that it deserves less weight.
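The custody fields listed earlier and the challenge questions above can be checked mechanically. The following is an added example, not part of the original article or of any standard's tooling: it audits one custody record for missing entries, a hash mismatch, a possession gap, and an out-of-order timestamp. The record layout, field names, and sample data are assumptions constructed for illustration.

```python
import hashlib
from datetime import datetime

# Assumed field names for the entries a custody record should carry.
REQUIRED = ("item_id", "received_at", "received_from", "received_by",
            "storage", "acquisition_sha256")

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def audit_custody(record: dict, image: bytes) -> list:
    """Return findings for one evidence item; an empty list means no break found."""
    findings = [f"missing field: {f}" for f in REQUIRED if not record.get(f)]
    if findings:
        return findings  # continuity cannot be audited without the basic entries
    # Integrity: bytes held today must hash to the value recorded at acquisition.
    if sha256_hex(image) != record["acquisition_sha256"]:
        findings.append("verification hash does not match acquisition hash")
    # Continuity: each transfer is released by the holder of record and moves forward in time.
    holder = record["received_by"]
    last = datetime.fromisoformat(record["received_at"])
    for n, t in enumerate(record.get("transfers", []), start=1):
        when = datetime.fromisoformat(t["at"])
        if t["from"] != holder:
            findings.append(f"transfer {n}: released by {t['from']}, holder of record is {holder}")
        if when < last:
            findings.append(f"transfer {n}: dated before the previous entry")
        holder, last = t["to"], when
    return findings

# Constructed sample data (not from any real matter).
IMAGE = b"constructed stand-in for a forensic image"
CLEAN = {
    "item_id": "ITEM-0001", "received_at": "2024-03-01T09:15:00",
    "received_from": "Client IT", "received_by": "Examiner A",
    "storage": "Locker 4, badge access", "acquisition_sha256": sha256_hex(IMAGE),
    "transfers": [
        {"at": "2024-03-02T10:00:00", "from": "Examiner A", "to": "Examiner B"},
        {"at": "2024-03-05T14:30:00", "from": "Examiner B", "to": "Evidence Clerk"},
    ],
}
# Same record with a possession gap and an out-of-order timestamp in transfer 2.
BROKEN = dict(CLEAN, transfers=[
    CLEAN["transfers"][0],
    {"at": "2024-03-01T08:00:00", "from": "Examiner C", "to": "Evidence Clerk"},
])

if __name__ == "__main__":
    print(audit_custody(CLEAN, IMAGE))
    print(audit_custody(BROKEN, IMAGE))
    print(audit_custody(CLEAN, IMAGE + b"\x00"))  # one altered byte
```

An empty result only means the record is internally consistent; it does not show that the entries were made contemporaneously or that the original was write-protected during imaging.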
What this means for your matter
Whether you are offering or attacking digital evidence, the custody record is where the fight is won or quietly lost. Insist on contemporaneous documentation and verifiable hashes from the first collection, and keep them in a system built for it — an evidence vault with chain of custody baked in beats a spreadsheet assembled the week before trial.
Sources
- Scientific Working Group on Digital Evidence (SWGDE), SWGDE Best Practices for Digital Evidence Collection (18-F-002). https://www.swgde.org/documents/published-complete-listing/18-f-002-swgde-best-practices-for-digital-evidence-collection/
- Legal Information Institute, Cornell Law School, Federal Rule of Evidence 901 — Authenticating or Identifying Evidence. https://www.law.cornell.edu/rules/fre/rule_901
- Legal Information Institute, Cornell Law School, Federal Rule of Evidence 902 — Evidence That Is Self-Authenticating. https://www.law.cornell.edu/rules/fre/rule_902
- U.S. District Court for the District of Maryland (Grimm, M.J.), Lorraine v. Markel American Insurance Co., 241 F.R.D. 534 (D. Md. 2007). https://www.ediscoverylaw.com/2007/12/01/lorraine-v-markel-am-ins-co-241-f-r-d-534-d-md-2007/
- International Organization for Standardization, ISO/IEC 27037:2012 — Guidelines for identification, collection, acquisition and preservation of digital evidence. https://www.iso.org/standard/44381.html
















