Digital Evidence: Chain of Custody and Preservation Requests

How investigators keep digital evidence admissible: chain of custody, MD5/SHA-256 hashing, 2703(f) preservation, and India's BSA 2023 Section 63 certificate.
Digital evidence wins or loses on one question a defence lawyer will always ask: can you prove this is the same data you seized, unchanged, and account for everyone who touched it? This reference is for cyber-police and digital-forensics investigators who need a working grasp of the three things that decide whether evidence survives in court — the chain of custody, the integrity controls behind it, and the preservation request that stops a platform deleting data before your legal process arrives. It is general professional guidance, not legal advice; always work to your own jurisdiction's rules of evidence and your agency's standard operating procedures.
- Chain of custody is the unbroken, documented record of who held the evidence, when, and why — a single gap can get it excluded.
- Integrity rests on cryptographic hashes (record both MD5 and SHA-256), write-blockers, and working only on a verified image, never the original.
- Collect in order of volatility (RFC 3227): capture RAM and live state before you pull the plug, or it is gone for good.
- For cloud data, a preservation request freezes it; it does not hand it over. Disclosure still needs separate legal process.
- Admissibility is jurisdiction-specific: the US leans on the examiner's testimony and audit trail; India now requires a Section 63 certificate under the BSA 2023.

Why digital evidence is fragile
Unlike a knife or a paper document, digital evidence is volatile and trivially altered. Powering a phone on or off, connecting a drive without a write-blocker, opening a file, or leaving a device on a network can change timestamps, overwrite unallocated space, trigger a remote wipe, or lose the contents of memory forever.
Cloud-hosted data is worse: it sits on infrastructure you do not control, subject to the provider's retention and deletion schedules, which can purge logs and messages within days. Because the data is so easy to change, accidentally or deliberately, courts demand proof that it was not. That proof is the chain of custody, backed by cryptographic integrity controls.
The chain-of-custody principle
Chain of custody is the documented, unbroken record of evidence from the moment of seizure to its presentation in court. For every item it must answer: who collected it, when, how, where it has been stored, and every transfer of possession in between.
- Each hand-off — investigator to property store, store to lab, lab to court — is logged with date, time, names and signatures.
- A gap in that record lets the other side argue the evidence could have been tampered with, and that argument alone can have it excluded or its weight reduced.
- The cure is prevention, not repair: log every hand-off, every time, contemporaneously.
Integrity: hashing, write-blockers and imaging
The technical backbone of the chain is the cryptographic hash — a fixed-length digital fingerprint of the data. As soon as a device is acquired, the examiner calculates a hash; if even one bit later changes, the hash changes completely, so a matching value at trial demonstrates the data is bit-for-bit identical to what was seized. Three working rules support this:
- Use a write-blocker. A hardware or software write-blocker lets the examiner read a source drive while physically preventing any write back to it, so the act of imaging cannot alter the original.
- Make a forensic image. Acquire a complete bit-stream copy (not a simple file copy), capturing deleted files and unallocated space, and hash both the original and the image to prove they match.
- Work on copies, never originals. All analysis runs on a verified working copy. The original is sealed and stored; if a copy is ever questioned, you re-derive it from the untouched original and the hashes prove continuity.
Record both an MD5 and a SHA-256 hash. MD5 is fast and universally produced by forensic tools, but it is cryptographically broken against engineered collisions: chosen-prefix collision attacks have been demonstrated since 2007, and in 2012 the Flame malware deployed a previously unknown variant of the attack to forge a code-signing certificate and impersonate Windows Update. SHA-256 has no practical collision attack, so it is the value to rely on for integrity while MD5 serves as a fast, widely recognised cross-check.
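An added worked example of the dual-hash rule, not code from the original page: it hashes a constructed stand-in image in chunks (as a tool does for a multi-gigabyte file), verifies a working copy against the values recorded at acquisition, and shows that flipping a single bit changes both digests.

```python
import hashlib

# Constructed stand-in for an acquired image; a real image would be read from disk.
SAMPLE_IMAGE = bytes(range(256)) * 16

def dual_hash(data, chunk_size=1 << 20):
    """Return (md5_hex, sha256_hex) for data, fed in chunks the way a tool
    hashes a multi-gigabyte image without loading it all into memory."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    view = memoryview(data)
    for offset in range(0, len(view), chunk_size):
        block = view[offset:offset + chunk_size]
        md5.update(block)
        sha256.update(block)
    return md5.hexdigest(), sha256.hexdigest()

def verify_image(data, recorded_md5, recorded_sha256):
    """Compare a working copy against the values recorded at acquisition.
    Returns (sha256_ok, md5_ok): the integrity claim rests on SHA-256;
    MD5 is the cross-check older tools and reports still expect."""
    md5, sha256 = dual_hash(data)
    return sha256 == recorded_sha256, md5 == recorded_md5

def flip_one_bit(data, byte_index, bit=0):
    """Return a copy of data with one bit flipped: the smallest possible
    change, which still produces entirely different digests."""
    altered = bytearray(data)
    altered[byte_index] ^= 1 << bit
    return bytes(altered)

if __name__ == "__main__":
    acq_md5, acq_sha256 = dual_hash(SAMPLE_IMAGE)
    print("acquisition MD5    :", acq_md5)
    print("acquisition SHA-256:", acq_sha256)
    print("working copy verified:", verify_image(SAMPLE_IMAGE, acq_md5, acq_sha256))
    tampered = flip_one_bit(SAMPLE_IMAGE, 1234)
    print("tampered copy verified:", verify_image(tampered, acq_md5, acq_sha256))
```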
Live vs dead acquisition and the order of volatility
A dead (static) acquisition images storage from a powered-down or write-blocked device. A live acquisition captures a running system — RAM, running processes, network connections, encryption keys held only in memory — before shutdown destroys them. Live capture changes the system slightly by its nature, so it must be done by a competent examiner with the justification documented.
RFC 3227 codifies the order of volatility: collect the most ephemeral data first and the most persistent last. Skip a high-volatility source and it cannot be recovered.
| Order | Data source | Why it is fragile |
|---|---|---|
| 1 (most volatile) | CPU registers, cache | Lost the instant power or context changes |
| 2 | Routing table, ARP cache, process table, kernel statistics, RAM | Lost on shutdown; holds live network and process state and in-memory keys |
| 3 | Temporary file systems | Cleared on reboot or routine cleanup |
| 4 | Disk and other persistent storage | Survives power-off but can be overwritten if the system keeps running |
| 5 (least volatile) | Remote logs; then physical configuration and network topology; then archival media (RFC 3227 lists these as three separate tiers) | Relatively durable, but subject to provider retention windows |
Standards and frameworks
Three references dominate practice. A competent examiner should be able to name the one they followed and why.
- ACPO Good Practice Guide for Digital Evidence (UK). Published by the Association of Chief Police Officers (ACPO was disbanded in 2015 and its functions passed to the National Police Chiefs' Council; the guide remains the working UK reference). Its four principles: (1) no action should change data later relied on in court; (2) anyone accessing original data must be competent and able to explain their actions; (3) an audit trail must be created and preserved so an independent party can repeat the process and reach the same result; (4) the case officer has overall responsibility for compliance.
- NIST SP 800-86 (US). The Guide to Integrating Forensic Techniques into Incident Response sets out the four-phase model — collection, examination, analysis, reporting — widely used in US practice. It is foundational rather than recent, so pair it with current SWGDE guidance on specific techniques.
- ISO/IEC 27037:2012 (international). Guidelines for identification, collection, acquisition and preservation of digital evidence. It defines two roles — the Digital Evidence First Responder (DEFR) and the Digital Evidence Specialist (DES) — and four quality principles your process must satisfy: auditability, repeatability, reproducibility and justifiability.
Preservation requests and platform letters
The most time-critical move in a cyber investigation is usually not seizing a device — it is stopping a provider from deleting cloud data before you can lawfully obtain it. In the United States, 18 U.S.C. § 2703(f) lets a governmental entity require a provider of electronic communication or remote computing services to take all necessary steps to preserve records in its possession pending legal process.
- A preservation request freezes existing data; it does not disclose it. It is a holding action while you prepare a subpoena, court order or warrant. To receive content you still need the appropriate process under § 2703(a) to (d).
- The provider must preserve for 90 days, extendable for one further 90-day period on a renewed request — up to 180 days total. No prior judicial approval is needed, which is exactly why it is the fast first step.
In practice you send the request through the provider's law-enforcement channel: the law-enforcement (LE) and Law Enforcement Request System (LERS) portals that platforms publish for verified police and government requests. Identify the account precisely (handle, email, phone, user ID, URLs), state the legal basis, specify the data categories to preserve (content, metadata, logs, IP history, subscriber records) and the date range, and keep the confirmation and reference number for your chain-of-custody file. See our platform-by-platform LERS guides in the Law Enforcement Resources hub for the exact portal per service.
Most jurisdictions have an equivalent. The Council of Europe's Budapest Convention (Article 16) obliges signatory states to provide for expedited preservation of stored computer data, and many countries have domestic powers mirroring it; mutual legal assistance channels and emergency disclosure requests handle cross-border cases. Whatever the route, the principle holds: preserve first, disclose second.
India: admissibility under the BSA 2023
India's law of evidence changed on 1 July 2024, when the Bharatiya Sakshya Adhiniyam (BSA) 2023 replaced the Indian Evidence Act 1872. Electronic records are now governed by Section 63, which replaced the well-known Section 65B and largely re-enacts its framework.
- An electronic record is admissible as a document only with a certificate under Section 63(4) identifying the record, describing how it was produced, and giving particulars of the device involved.
- The certificate must be signed by the person in charge of the device or relevant activities and by an expert. This dual-signature requirement comes from the Schedule prescribed under Section 63(4)(c) (Part A signed by the device custodian, Part B by an expert), and is a notable change from the single certificate under 65B.
On the certificate's status, the Supreme Court's three-judge ruling in Arjun Panditrao Khotkar v. Kailash Kushanrao Gorantyal (decided 14 July 2020, under Section 65B) held the certificate mandatory for admitting electronic records where the original is not produced; it overruled the contrary view in Shafhi Mohammad and reaffirmed Anvar P.V. Where a party genuinely cannot obtain the certificate, it may apply to the court to summon the person controlling the device to produce it. That reasoning carries directly into the Section 63 regime. The operational takeaway: treat the certificate as part of the evidence package prepared at collection, not an afterthought patched together before trial.
The end-to-end handling procedure
- Seize and isolate. Secure the scene and the device. Isolate it from networks (airplane mode, Faraday bag, or pull the cable) to prevent remote wipe and stop data changing.
- Decide on live capture. Following the order of volatility, deliberately decide whether to capture RAM and running state before powering down, and record that decision and its justification.
- Image and hash. Acquire a full forensic bit-stream image using a write-blocker. Immediately compute and record MD5 and SHA-256 of both source and image, and confirm they match.
- Document everything. Photograph the device and its state; record make, model, serial numbers, condition, the tools and versions used, and the examiner's name and qualifications.
- Store securely. Seal the original in tamper-evident packaging in a controlled evidence store with restricted, logged access. Analyse only the verified working copy.
- Log every transfer. Each time custody changes hands, record date, time, from-whom, to-whom, purpose and signatures. The log must be continuous and gap-free.
- Present with authentication. Produce the evidence with its hash values, chain-of-custody log, and the jurisdiction's required authentication — in India the Section 63 certificate; elsewhere the examiner's statement and audit trail demonstrating integrity.
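An added example, not from the original page, of checking the transfer log that steps 6 and 7 above require, and that the chain-of-custody principle section says must be gap-free: it walks a constructed custody log (names, times and hash value are invented) and reports every gap, missing signature, out-of-order time and hash mismatch a defence lawyer would look for.

```python
from datetime import datetime

ACQ_SHA256 = "a3f1" * 16  # constructed stand-in for the acquisition SHA-256, not a real value

# Constructed log for one exhibit: every dict is one transfer of possession.
GOOD_LOG = [
    {"time": "2024-03-01T09:15", "holder_from": "Scene", "holder_to": "Insp. Rao",
     "purpose": "seizure and imaging", "signed_by_both": True, "sha256": ACQ_SHA256},
    {"time": "2024-03-01T17:40", "holder_from": "Insp. Rao", "holder_to": "Property store",
     "purpose": "sealed storage", "signed_by_both": True},
    {"time": "2024-03-04T10:05", "holder_from": "Property store", "holder_to": "Forensic lab",
     "purpose": "examination", "signed_by_both": True, "sha256": ACQ_SHA256},
    {"time": "2024-03-08T16:30", "holder_from": "Forensic lab", "holder_to": "Property store",
     "purpose": "return after examination", "signed_by_both": True, "sha256": ACQ_SHA256},
]

# Same exhibit with the store-to-lab hand-off mis-recorded: an unrelated officer
# appears as the source and one signature is missing. That is the gap the defence looks for.
GAPPED_LOG = [GOOD_LOG[0], GOOD_LOG[1],
    {"time": "2024-03-04T10:05", "holder_from": "DC Singh", "holder_to": "Forensic lab",
     "purpose": "examination", "signed_by_both": False, "sha256": ACQ_SHA256},
    GOOD_LOG[3]]

def check_custody_log(log, acquisition_sha256):
    """Return a list of findings; an empty list means the chain is unbroken.
    Checks: times strictly increase, each transfer starts with the previous
    holder, both parties signed, and any hash re-verified on receipt still
    equals the acquisition value."""
    if not log:
        return ["log is empty: no record of seizure"]
    findings, prev, prev_time = [], None, None
    for i, entry in enumerate(log):
        tag = f"entry {i} ({entry['purpose']})"
        when = datetime.fromisoformat(entry["time"])
        if prev is not None:
            if when <= prev_time:
                findings.append(f"{tag}: time is not after the previous entry")
            if entry["holder_from"] != prev["holder_to"]:
                findings.append(f"{tag}: custody gap, last holder was "
                                f"{prev['holder_to']!r}, transfer is from {entry['holder_from']!r}")
        if not entry.get("signed_by_both"):
            findings.append(f"{tag}: missing signature")
        if entry.get("sha256") not in (None, acquisition_sha256):
            findings.append(f"{tag}: hash mismatch against acquisition value")
        prev, prev_time = entry, when
    return findings

if __name__ == "__main__":
    for name, log in (("good", GOOD_LOG), ("gapped", GAPPED_LOG)):
        print(name, check_custody_log(log, ACQ_SHA256) or ["chain intact"])
```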
Comparing the preservation regimes
| Mechanism | Jurisdiction | What it does | Key requirement |
|---|---|---|---|
| 18 U.S.C. § 2703(f) preservation request | United States | Compels a provider to preserve existing data pending legal process | 90 days, extendable once for a further 90; no prior judicial approval; disclosure needs separate § 2703 process |
| Expedited preservation (Budapest Convention, Art. 16) | Council of Europe signatories and international | Fast freeze of stored data, including via mutual legal assistance for cross-border cases | Domestic implementing law varies; disclosure follows separate legal process |
| Section 63 certificate (BSA 2023) | India | Authenticates an electronic record for admissibility in court | Mandatory certificate under s.63(4); dual signature (device custodian plus expert); per Arjun Panditrao, no substitute where original is not produced |
| ACPO four principles | United Kingdom | Governs how evidence is acquired and handled to keep it sound | No alteration of data; competence; preserved audit trail; case-officer responsibility |
Frequently asked questions
Why hash with both MD5 and SHA-256 if MD5 is broken? MD5 is weak against deliberately engineered collisions but remains a fast integrity check that forensic tools produce by default and courts recognise. Recording both gives you a universally accepted value plus a collision-resistant one (SHA-256), so the image's integrity is robust either way. Rely on SHA-256 for the security claim.
Does a preservation request let me read the data? No. A § 2703(f) request, and its overseas equivalents, only freezes the data so it cannot be deleted. To obtain the contents you still need the appropriate legal process — a subpoena, court order, or search warrant depending on the data category and jurisdiction.
What happens if the chain of custody has a gap? An unlogged transfer, a missing signature, or an unexplained storage period gives the defence grounds to argue the evidence may have been altered or substituted. Even if nothing was actually wrong, the doubt can lead a court to reduce the evidence's weight or exclude it entirely.
Should I ever examine a device while it is running? Sometimes you must — to capture RAM, live network connections, or encryption keys held only in memory before shutdown destroys them. A live acquisition inevitably changes the system slightly, so it should be done by a competent examiner who records what was done and why, consistent with the order of volatility.
Hero image: Digital forensics laboratory by ViktorDFC, via Wikimedia Commons, CC BY-SA 4.0.