Chain of custody for digital evidence
You can hold the right content — the email, the chat, the page — and still lose if you cannot show that it reached the courtroom exactly as it was at the source. This is where the chain of custody comes in: the concept that, more than any other, decides whether digital evidence "holds".
What the chain of custody is
In the physical world it is the documented trail of who handled an exhibit, when and how, from the scene to the courtroom. For digital evidence the principle is the same, applied to a file: you must be able to prove that, from capture to filing, nothing changed — and that you know exactly who collected it, how and when.
The four questions it must answer
- Integrity — is the file identical to the one captured? (no alteration)
- Time — when was it captured, with a date that cannot be forged?
- Origin — where did the content come from (which URL, mailbox, server)?
- Identity — who performed the capture, with which tool?
If even one of these lacks a verifiable answer, the other side has a foothold to argue inadmissibility.
How it is built, technically
A solid digital chain of custody is not a statement but a set of cryptographic elements that check one another:
- a battery of hashes (several digital fingerprints from different algorithms: MD5, SHA-1, SHA-256, SHA-512) answers integrity — if one bit changes, the fingerprints no longer match;
- an RFC 3161 timestamp (a date certified by an independent third party) answers time;
- an Ed25519 digital signature bound to the device identity, together with the operator's details, answers identity;
- a structured description in CASE/UCO (an international standard language for digital evidence) ties it all together and answers origin.
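As an added illustration (not the page's or C.E.R.T.O.'s own code), the following Go program builds the integrity and identity links listed above over a constructed sample: the four-algorithm hash battery, a simplified manifest standing in for the CASE/UCO description, and an Ed25519 signature over that manifest, then shows that a single flipped bit in the evidence breaks verification. The manifest fields, the origin and operator values and the key handling are assumptions; the RFC 3161 timestamp requires a network TSA and is left as a placeholder field.

```go
package main
import (
	"crypto/ed25519"
	"crypto/md5"
	"crypto/sha1"
	"crypto/sha256"
	"crypto/sha512"
	"encoding/hex"
	"encoding/json"
	"fmt"
)
type Manifest struct { // constructed stand-in for the CASE/UCO description, one field per question
	Origin, Operator, Tool string            // origin and identity: where from, who captured, which tool
	Hashes                 map[string]string // integrity: the hash battery over the evidence bytes
	TSAToken               string            // time: placeholder for an RFC 3161 token from a TSA
}
// hashBattery computes the four fingerprints the article lists over the captured bytes.
func hashBattery(data []byte) map[string]string {
	a, b, c, d := md5.Sum(data), sha1.Sum(data), sha256.Sum256(data), sha512.Sum512(data)
	return map[string]string{"md5": hex.EncodeToString(a[:]), "sha1": hex.EncodeToString(b[:]),
		"sha256": hex.EncodeToString(c[:]), "sha512": hex.EncodeToString(d[:])}
}
// seal signs the serialised manifest with the device's Ed25519 key (the identity link).
func seal(m Manifest, priv ed25519.PrivateKey) (body, sig []byte) {
	body, _ = json.Marshal(m) // cannot fail for this plain struct
	return body, ed25519.Sign(priv, body)
}
// verify re-checks the links in order: signature over the manifest, then every fingerprint.
func verify(pub ed25519.PublicKey, body, sig, evidence []byte) error {
	var m Manifest
	if !ed25519.Verify(pub, body, sig) {
		return fmt.Errorf("manifest signature does not verify")
	} else if err := json.Unmarshal(body, &m); err != nil {
		return err
	}
	for alg, want := range hashBattery(evidence) {
		if m.Hashes[alg] != want {
			return fmt.Errorf("%s mismatch: evidence altered", alg)
		}
	}
	return nil
}
func main() {
	evidence := []byte("Subject: constructed sample\n\nhello\n") // constructed input
	pub, priv, _ := ed25519.GenerateKey(nil)
	body, sig := seal(Manifest{Origin: "imap://mail.example.com/INBOX/42", Operator: "examiner-01", Hashes: hashBattery(evidence)}, priv)
	fmt.Println("intact:", verify(pub, body, sig, evidence))
	evidence[0] ^= 1 // flip one bit: every fingerprint now differs
	fmt.Println("tampered:", verify(pub, body, sig, evidence))
}
```

MD5 and SHA-1 are collision-broken, so in a battery they add redundancy while SHA-256 and SHA-512 carry the integrity claim.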
Why evidence fails without it
Evidence with no chain of custody is like an exhibit with no label: even if genuine, it is disputable. The other side need only suggest it might have been altered, and the burden to disprove that falls on you — often without the means to do so. With a verifiable chain of custody, the evidence defends itself.
Standards matter
Using recognised formats — ISO/IEC 27037 (guidelines for handling digital evidence), SWGDE, BagIt and CASE/UCO — means speaking a language judges and technical experts already know, not a proprietary black box.
How C.E.R.T.O. provides it automatically
Every acquisition produces a BagIt bundle that already contains all of these elements — hashes, a double timestamp, a signature, a CASE/UCO description — without you having to be a forensic expert. And anyone can verify it independently.