Chain of Custody
What is Chain of Custody?
Chain of CustodyThe chronological, documented trail showing every person, location, and action affecting a piece of evidence from seizure through final disposition.
Chain of custody (CoC) preserves the integrity and admissibility of digital and physical evidence. Every transfer is logged with timestamps, identifiers (case number, exhibit ID, hash values), and signatures, while items are stored in tamper-evident containers in access-controlled facilities. Best practice aligns with ISO/IEC 27037, NIST SP 800-86, and ACPO/SWGDE guidance: acquire with write blockers, calculate cryptographic hashes (SHA-256) before and after copying, and maintain duplicate working copies. A broken chain — missing entries, mismatched hashes, unsealed containers — can render evidence inadmissible and undermine litigation, insurance claims, or regulatory enquiries.
● Examples
- 01
A signed CoC form tracking a seized laptop from acquisition to courtroom production.
- 02
A SHA-256 hash log demonstrating that a disk image was not altered between collection and analysis.
● Frequently asked questions
What is Chain of Custody?
The chronological, documented trail showing every person, location, and action affecting a piece of evidence from seizure through final disposition. It belongs to the Forensics & IR category of cybersecurity.
What does Chain of Custody mean?
The chronological, documented trail showing every person, location, and action affecting a piece of evidence from seizure through final disposition.
How do you defend against Chain of Custody?
Defences for Chain of Custody typically combine technical controls and operational practices, as detailed in the full definition above.
What are other names for Chain of Custody?
Common alternative names include: CoC, Evidence custody chain.