What is a chain of custody?

A chain of custody is the documented, unbroken record of everyone who handled a piece of digital evidence, when and why, from seizure to court. Any gap can render the evidence inadmissible.

Why hash evidence before and after acquisition?

A SHA-256 hash taken before imaging and an identical hash taken after proves that not a single bit changed during copying. Matching hashes are the mathematical foundation of integrity and admissibility.

Why never work on the original media?

Examiners always work on a forensic copy and use a write-blocker on the original. Any write to the original alters the evidence and destroys its integrity, so a court will reject it.

Which standard does this checklist follow?

It follows the four ISO/IEC 27037 phases: identification, collection, acquisition and preservation, with the steps that most affect court admissibility marked as critical.

Chain of Custody Checklist Generator

Build a tailored ISO/IEC 27037 chain of custody checklist for your digital evidence, track each step, and print a court-ready summary. The steps that make or break admissibility are highlighted.

Evidence type

Case reference

Seizure date

Handled by

0 / 11 steps complete (0%)

Critical steps for admissibility: 0 / 7. Missing any of these can break the chain in court.

Identification

Scene and evidence location photographed (wide and close-up) (critical)
By Locard's exchange principle every contact leaves a trace. Scene records establish the context and original state of the evidence for the court.
Evidence identified with a unique label/number (make, model, serial)
Without unique identification you cannot prove later that it is the same item; it opens the door to mix-up or substitution claims.

Collection

Never worked ON the original media; all work done on a copy/image (critical)
Any write to the original alters the evidence and destroys its integrity. A court will not admit evidence that has been changed.
Write-blocker used (hardware or software) (critical)
A write-blocker physically or logically prevents the OS from writing to the original disk. Connecting it without one contaminates the evidence.

Acquisition

SHA-256 hash of source media computed and recorded BEFORE imaging (critical)
The pre-hash is the evidence's baseline fingerprint. Without it you cannot mathematically prove integrity was preserved afterwards.
Bit-for-bit forensic image acquired (E01/dd), not a partial copy
A logical copy misses deleted areas and slack space. A full image preserves the entire evidence pool and keeps it re-verifiable.
SHA-256 hash computed AFTER imaging and MATCHED the pre-hash (critical)
Equality of pre-hash and post-hash proves not a single bit changed during copying. This is the cornerstone of courtroom admissibility.

Preservation

Evidence and labels photographed (serial number legible)
Visual records lock in the physical state of the evidence at handover, preventing later claims of damage or tampering.
Evidence bagged and sealed in a tamper-evident manner (critical)
A seal reveals whether access occurred during storage. A broken seal means a break in the chain and casts doubt on the evidence.
Every transfer logged in the custody record (who, to whom, when, why) (critical)
An unbroken custody log documents every hand-off. A single gap is enough for the opposing side to challenge the evidence's validity.
Evidence stored in a restricted, logged safe/storage
Controlled storage prevents unauthorized access and physically backs up the integrity of the custody log.

Printable summary

Evidence type: Hard disk / HDD-SSD

Case reference: (not set)

Seizure date: (not set)

Handled by: (not set)

Completion: 0/11 (0%)

This checklist follows the ISO/IEC 27037 phases (identification, collection, acquisition, preservation). The make-or-break points for court admissibility are: never work on the original, hash before and after acquisition (and match them), keep an unbroken custody log, and remember Locard's principle, every contact leaves a trace.

What makes digital evidence admissible in court

Admissibility rarely fails on the analysis itself; it fails on process. The make-or-break points are working only on a forensic copy (never the original), recording a SHA-256 hash before and after acquisition and showing they match, and keeping an unbroken custody log. Locard's exchange principle reminds us that every contact leaves a trace, which is exactly why documentation matters. For the report side, see our international forensic report format template.

The four ISO/IEC 27037 phases

Identification finds and labels the evidence, collection physically secures it with a write-blocker, acquisition creates a verified bit-for-bit image, and preservation seals, logs and stores it. To go deeper into the discipline, read our digital forensics overview.

Need a forensic examiner?

If you are handling evidence that may reach a courtroom, a documented chain of custody is not optional. Our team handles seizure, imaging and reporting end to end. See our digital forensics and evidence service.