Chain of Custody


  • All information on a file’s travels from its original creation version to its final production version. A detailed account of the location of each document/file from the beginning of a project until the end. A sound chain of custody verifies that you have not altered information either in the copying process or during analysis. If you cannot show the chain of custody, you may have a difficult time disproving that outside influences might have tampered with the data. A chain of custody failure — i.e., the mishandling of electronic evidence (even fully recovered files) — can cause a litigation defeat.  1
  • A process used to maintain and document the chronological history of the handling of electronic evidence. A chain of custody ensures that the data presented is “as originally acquired” and has not been altered prior to admission into evidence. Some providers maintain an electronic chain-of-custody link between all electronic data and its original physical media throughout the production process.  2  3
  • An accounting of the control (custody) of real evidence at all times until the moment it is offered in evidence. Chain of custody helps to show that the evidence being offered has not been tampered with and is authentic. Chain of custody is important for electronic evidence because it can be easily altered.  4
  • Chain of custody refers to the chronological documentation and/or paper trail showing the seizure, custody, control, transfer, analysis, and disposition of evidence, physical or electronic. Because evidence can be used in court to convict persons of crimes, it must be handled in a scrupulously careful manner to avoid later allegations of tampering or misconduct, which can compromise the case of the prosecution toward acquittal or become grounds for overturning a guilty verdict upon appeal. The idea behind recording the chain of custody is to establish that the alleged evidence is in fact related to the alleged crime – rather than, for example, having been planted fraudulently to make someone appear guilty.Establishing chain of custody is especially important when the evidence consists of fungible goods. In practice, this most often applies to illegal drugs that have been seized by law enforcement personnel. In such cases, the defendant may disclaim any knowledge of possession of the controlled substance in question. Accordingly, the chain of custody documentation and testimony is presented by the prosecution to establish that the substance in evidence was in fact in the possession of the defendant.

    An identifiable person must always have the physical custody of a piece of evidence. In practice, this means that a police officer or detective will take charge of a piece of evidence, document its collection, and hand it over to an evidence clerk for storage in a secure place. These transactions, and every succeeding transaction between the collection of the evidence and its appearance in court, should be completely documented chronologically in order to withstand legal challenges to the authenticity of the evidence. Documentation should include the conditions under which the evidence is gathered, the identity of all evidence handlers, duration of evidence custody, security conditions while handling or storing the evidence, and the manner in which evidence is transferred to subsequent custodians each time such a transfer occurs (along with the signatures of persons involved at each step).  5


  1. Fenwick & West LLP, FWPS eDiscovery Terminology (11/6/2005). Citing Feldman, The Essentials of Computer Discovery, Computer Forensics Inc. (1/1/2001), 
  2. RenewData, Glossary (10/5/2005).
  3. Vinson & Elkins LLP Practice Support, EDD Glossary.
  4. Ibis Consulting, Glossary.
  5. EDRM Presentation Guide.