Documentary Evidence and Chain of Custody in Fraud Audits
Forensic audit findings depend on evidence that is authentic, complete, and capable of withstanding legal scrutiny, which requires strict chain-of-custody documentation from the moment records are obtained. This topic covers the types of documentary evidence encountered in fraud audits, authentication standards, imaging versus originals, and the treatment of electronically stored information under major evidence frameworks.
Documentary evidence in a fraud audit is any record, physical or electronic, that a forensic auditor gathers, preserves, and relies upon to support a finding of fraudulent conduct. For that evidence to be usable, it must be authentic (genuinely what it purports to be), complete (not selectively extracted to distort meaning), and admissible (collected and handled in accordance with the rules of the jurisdiction where proceedings may occur). Chain of custody is the mechanism that ties those three requirements together: it is the continuous, documented record of who had the evidence, when, and what they did with it, from first collection to final presentation in court or before a regulator. A break in that chain does not automatically destroy the evidence, but it gives opposing counsel a credible basis to challenge it, and in some jurisdictions courts may exclude it entirely.
Fraud auditors encounter several categories of documentary evidence. Financial records include ledgers, bank statements, invoices, purchase orders, contracts, and payroll records. Corporate governance documents include board minutes, resolutions, authorisation logs, and internal audit reports. Electronic records, now the dominant category in most investigations, include emails, spreadsheets, database exports, accounting system transaction logs, and communication platform archives. Third-party records obtained from banks, suppliers, customers, or government registries complete the picture. Each category carries its own authentication challenge and its own preservation risk.
The legal frameworks that govern admissibility differ by jurisdiction but share common principles. The US Federal Rules of Evidence (FRE), particularly Rules 901 to 903 on authentication and the Best Evidence Rule in Rule 1002 (with the definitions of original and duplicate in Rule 1001), set the standard that US practitioners must meet. England and Wales apply the Civil Evidence Act 1995 in civil proceedings and the Criminal Justice Act 2003 in criminal proceedings. India's Bharatiya Sakshya Adhiniyam 2023, in force from 1 July 2024 and replacing the Indian Evidence Act 1872, modernised the treatment of electronic records under what are now Sections 57 to 63. The EU General Data Protection Regulation 2016/679 adds a parallel constraint: personal data collected as evidence may face admissibility challenges if it was obtained in ways that violated data-subject rights. Forensic auditors working across borders must map their evidence-collection plan to each relevant framework before starting.
By the end of this topic you will be able to:
- Identify and classify the main categories of documentary evidence encountered in fraud audits and explain the authentication challenge specific to each.
- Describe the components of a chain-of-custody record and explain why each component matters for admissibility.
- Explain the forensic imaging process for electronically stored information, including the role of cryptographic hash verification.
- Compare the authentication standards for documentary evidence under the US Federal Rules of Evidence, the UK Civil Evidence Act, and India's Bharatiya Sakshya Adhiniyam 2023.
- Apply chain-of-custody principles to a scenario involving mixed paper and electronic records obtained from a corporate suspect.
- Chain of custody: The unbroken, documented record of who collected a piece of evidence, when, where, and how it was handled, stored, and transferred from collection through final presentation. Each transfer of custody is recorded with date, time, and the names and signatures of both parties.
- Authentication: The process of establishing that a document is what it purports to be. Under US FRE Rule 901, the proponent must produce evidence sufficient to support a finding that the document is genuine. Methods include witness testimony, expert comparison, and distinctive characteristics such as metadata, server logs, or digital signatures.
- Forensic image: A bit-for-bit copy of a digital storage medium, created through a write blocker to prevent any alteration of the source. A cryptographic hash (SHA-256, often recorded alongside MD5 for comparison with older reports; MD5 on its own is no longer collision-resistant) is computed for both the source and the copy; matching hashes verify that the copy is identical to the source as it stood during acquisition.
- Electronically stored information (ESI): Any information created, stored, or transmitted in electronic form, including emails, database records, spreadsheets, accounting system logs, chat messages, and metadata. ESI is now the primary category of evidence in most fraud investigations and carries specific preservation and collection obligations.
- Best Evidence Rule: The principle, codified in FRE Rule 1002, that the original of a document is required to prove its content. Under Rule 1003, a duplicate is generally admissible unless a genuine question is raised as to the original's authenticity. In practice, a verified forensic image of electronic media is accepted as an original or an admissible duplicate under these rules.
- Write blocker: A hardware device (or, less robustly, a software configuration) interposed between a digital storage medium and the forensic workstation that prevents any write commands from reaching the source medium. Use of a write blocker is the baseline standard for forensic acquisition; its absence means the examiner cannot demonstrate the source was not altered during imaging.
Categories of documentary evidence in fraud audits
Forensic auditors work with a broad range of documentary evidence, and each category presents a distinct set of authentication and preservation challenges. Understanding those challenges before collection begins is the difference between evidence that survives disclosure and evidence that gets excluded.
| Category | Typical examples | Primary authentication risk |
|---|---|---|
| Financial records | Bank statements, invoices, ledgers, payroll | Alteration or selective omission; verify against originals held by the bank or counterparty |
| Corporate governance | Board minutes, resolutions, authorisation logs | Backdating; compare with external corroboration such as meeting attendance records or email timestamps |
| ESI | Emails, spreadsheets, accounting system logs, chat archives | Metadata tampering, spoliation; forensic imaging with hash verification is required |
| Third-party records | Bank subpoenas, supplier invoices, government registry extracts | Completeness; obtain directly from the third party under formal request or subpoena |
| Physical exhibits | Cash, cheque stubs, physical contracts, stamps | Contamination or substitution; seal and photograph at point of seizure |
Third-party records are among the most reliable because they are obtained directly from sources independent of the suspect organisation. A bank statement obtained directly from the bank under a court order is far harder to challenge than a bank statement obtained from the suspect's own files. Where possible, the forensic auditor should seek to verify internally obtained records against an independent counterpart copy.
Chain-of-custody documentation: components and practice
A chain-of-custody record must capture, for every piece of evidence: the unique identifier assigned to the item, the description of the item, the date and time it was collected, the location from which it was collected, the name and signature of the person who collected it, and the condition of the item at collection. Every subsequent transfer of the item from one custodian to another must be recorded with the same date, time, and dual signature. The record must be contemporaneous: entries written from memory after the fact are weaker than entries made at the moment of each action.
Physical evidence is typically sealed in a tamper-evident evidence bag immediately after collection. The bag is labelled with the case number, item number, description, date, time, and collector's initials. The bag is not opened except for examination, and each opening is recorded. Digital evidence items such as hard drives or USB devices are sealed in antistatic bags after forensic imaging is complete, with the hash value recorded on the bag and in the chain-of-custody form.
Storage conditions matter. Paper documents should be stored in a dry, climate-controlled environment. Electronic media should be stored away from magnets, heat, and humidity. Both categories should be stored in a secured, access-controlled location, with an access log recording every entry. Where evidence is voluminous, evidence management software can maintain the chain-of-custody record digitally, but the underlying discipline is the same: every touch is recorded.
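One way to give a digital chain-of-custody record the "every touch is recorded" property the paragraphs above describe is to hash-chain the entries, so that any entry altered, removed or inserted after the fact breaks the link at the next entry. The script below is an added example, not evidence-management software the page describes; the case and item identifiers, the field set, and the GENESIS sentinel are assumptions made for illustration.

```python
"""Tamper-evident chain-of-custody log (added example, not tooling from the page).

Every entry stores the SHA-256 of the previous entry, so editing, deleting or
inserting an entry after the fact breaks the chain at the following entry.
"""
import hashlib
import json
from datetime import datetime, timezone
from typing import List, Optional, Tuple

GENESIS = "0" * 64  # sentinel prev_hash for the first entry (our convention)


def _canonical(entry: dict) -> bytes:
    # Fixed key order and separators so the same entry always hashes the same way.
    return json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()


def entry_hash(entry: dict) -> str:
    return hashlib.sha256(_canonical(entry)).hexdigest()


class CustodyLog:
    def __init__(self, case_id: str):
        self.case_id = case_id
        self.entries: List[dict] = []

    def record(self, item_id: str, action: str, custodian: str,
               counterparty: Optional[str] = None, location: Optional[str] = None,
               condition: Optional[str] = None, item_sha256: Optional[str] = None,
               when: Optional[datetime] = None) -> dict:
        """Append one custody event. The timestamp defaults to now (UTC): entries
        are meant to be written at the moment of the action, not reconstructed."""
        prev = entry_hash(self.entries[-1]) if self.entries else GENESIS
        entry = {
            "seq": len(self.entries) + 1,
            "case_id": self.case_id,
            "item_id": item_id,
            "action": action,              # collected / sealed / transferred / opened / imaged
            "timestamp": (when or datetime.now(timezone.utc)).isoformat(),
            "custodian": custodian,        # person holding the item after this event
            "counterparty": counterparty,  # person releasing it (transfers) or witness
            "location": location,
            "condition": condition,
            "item_sha256": item_sha256,    # verified image hash, for digital items
            "prev_hash": prev,
        }
        self.entries.append(entry)
        return entry

    def head_hash(self) -> str:
        """Hash of the latest entry. Record it somewhere the log cannot reach
        (signed, written on the evidence bag label, or in the day's case notes):
        the chain alone cannot detect replacement of the final entries."""
        return entry_hash(self.entries[-1]) if self.entries else GENESIS

    def verify(self) -> Tuple[bool, Optional[int]]:
        """Walk the chain. Returns (True, None) if intact, otherwise
        (False, seq) where seq is the first entry whose link does not check out."""
        expected_prev = GENESIS
        for i, e in enumerate(self.entries, start=1):
            if e["seq"] != i or e["prev_hash"] != expected_prev:
                return False, i
            expected_prev = entry_hash(e)
        return True, None

    def history(self, item_id: str) -> List[dict]:
        return [e for e in self.entries if e["item_id"] == item_id]


def demo_log() -> CustodyLog:
    """Constructed scenario: a drive is seized, sealed, transferred and imaged."""
    log = CustodyLog("FA-2024-017")
    log.record("ITEM-003", "collected", "A. Mensah", location="Finance office, desk 4",
               condition="2.5in SATA SSD, no visible damage")
    log.record("ITEM-003", "sealed", "A. Mensah", condition="Evidence bag EB-0412")
    log.record("ITEM-003", "transferred", "R. Kowalski", counterparty="A. Mensah",
               location="Forensic lab intake")
    log.record("ITEM-003", "imaged", "R. Kowalski",
               item_sha256=hashlib.sha256(b"constructed image bytes").hexdigest())
    return log


if __name__ == "__main__":
    log = demo_log()
    print("intact:", log.verify(), "head:", log.head_hash()[:16])
    log.entries[1]["custodian"] = "edited later"   # a retrospective change
    print("after edit:", log.verify())             # (False, 3)
```

The chain catches changes to any entry but the last, which is why `head_hash()` exists: the examiner records it on the physical form or bag label at the end of each session, so a later replacement of the tail entries is detectable against that external anchor.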
Forensic imaging and electronically stored information
The forensic imaging process for a hard drive or other digital medium follows a defined sequence. First, the device is connected to the forensic workstation through a write blocker. The write blocker intercepts any write commands sent by the operating system (Windows frequently writes to a drive when it is mounted, updating timestamps or creating system folders, even if the user takes no deliberate action) and prevents them from reaching the source device. Second, imaging software such as FTK Imager, EnCase, or the open-source dc3dd creates a sector-by-sector copy of the entire device, including unallocated space and file slack, so deleted material is captured. Third, the software computes a cryptographic hash of the source as it is read and a second hash of the image file after it is written. If the two match, the image is verified as a bit-for-bit copy of the source as it stood during acquisition. The hash proves nothing about what happened to the source before the write blocker was attached; that is why the first step matters.
Hash algorithms commonly used in forensic work include MD5 (128-bit, faster but cryptographically broken: collisions can be manufactured, so MD5 alone should not be relied on against an adversary) and SHA-256 (256-bit, the current standard). In practice, many tools compute both and record both in the acquisition report, MD5 mainly for comparison with older reports and tools. The hash values are recorded in the chain-of-custody form alongside the acquisition report, which documents the tool used, its version, the date and time of acquisition, the examiner's name, and the source device's identifying information (make, model, serial number).
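The verification logic of the imaging sequence above, as an added example rather than code from any of the tools named. A real acquisition sits behind a hardware write blocker and uses dc3dd, FTK Imager or EnCase; this script models only the hashing and the acquisition-report fields, treats any file path as the "device", and opens it read-only, which is explicitly not a write blocker. The report field names and the three-way comparison (source while streaming, image after writing, source re-read after imaging) are this example's own choices.

```python
"""Forensic acquisition with hash verification (added example, not from the page).

Opening the source read-only does NOT replace a hardware write blocker: the
operating system can still write to a mounted medium outside this process.
"""
import hashlib
import platform
from datetime import datetime, timezone
from typing import Dict, Tuple

CHUNK = 1 << 20  # stream in 1 MiB blocks so large images never sit in memory


def hash_file(path: str) -> Tuple[str, str]:
    """Return (md5, sha256) of a file."""
    md5, sha = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            md5.update(block)
            sha.update(block)
    return md5.hexdigest(), sha.hexdigest()


def acquire(source: str, image: str, examiner: str, source_desc: str) -> Dict:
    """Single pass: copy source to image, hashing the source bytes as they stream.
    Then the image is re-read and hashed, and the source is hashed again, so three
    independently computed hashes must agree before the image counts as verified."""
    started = datetime.now(timezone.utc)
    md5, sha, size = hashlib.md5(), hashlib.sha256(), 0
    with open(source, "rb") as src, open(image, "wb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            md5.update(block)
            sha.update(block)
            dst.write(block)
            size += len(block)
    finished = datetime.now(timezone.utc)
    img_md5, img_sha = hash_file(image)
    post_md5, post_sha = hash_file(source)  # did the source change during imaging?
    verified = (sha.hexdigest() == img_sha == post_sha
                and md5.hexdigest() == img_md5 == post_md5)
    return {  # the fields an acquisition report carries alongside the custody form
        "tool": "acquire.py (example)", "tool_version": "0.1",
        "python": platform.python_version(),
        "examiner": examiner, "source_description": source_desc,
        "started_utc": started.isoformat(), "finished_utc": finished.isoformat(),
        "bytes": size,
        "source_md5": md5.hexdigest(), "source_sha256": sha.hexdigest(),
        "image_md5": img_md5, "image_sha256": img_sha,
        "source_sha256_after": post_sha,
        "verified": verified,
    }


def reverify(image: str, expected_sha256: str) -> bool:
    """Re-hash an image before examination or after a custody transfer and
    compare it with the SHA-256 recorded in the custody form."""
    return hash_file(image)[1] == expected_sha256.lower()
```

`reverify()` is the routine that runs every time the image changes hands or is opened for examination; its result is what gets written into the custody entry for that event.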
Metadata is a critical component of ESI evidence and one that is frequently misunderstood or inadvertently destroyed. File system metadata includes creation timestamp, last-modified timestamp, last-accessed timestamp, and file size. Document metadata embedded in files such as Word documents or PDFs may include author name, revision history, and comments. Email metadata includes routing headers that show the path the message took through mail servers, which can confirm or refute a sender's claim that a message was not sent from their account. Forensic images preserve all of this; printouts or PDF exports of files do not.
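Email routing headers are the metadata most often argued over, so here is an added example of reading them: it reconstructs the hop sequence from the Received headers (each server prepends one, so the bottom header is the first hop) and checks the client-supplied Date header against the first server timestamp. The message is constructed for this example, not taken from the page, and the five-minute clock-skew tolerance is an assumption.

```python
"""Reconstruct an email's routing path from its Received headers and cross-check
it against the Date header (added example; the message below is constructed).
"""
import email
import re
from datetime import timedelta
from email.utils import parsedate_to_datetime
from typing import Dict, List

SAMPLE_EML = """\
Received: from mx2.example-bank.test (mx2.example-bank.test [203.0.113.20])
\tby mail.acme-audit.test with ESMTPS id 7Qk3zW; Tue, 5 Mar 2024 14:22:41 +0000
Received: from mail.contoso-supplier.test ([198.51.100.7])
\tby mx2.example-bank.test with ESMTP; Tue, 5 Mar 2024 14:22:39 +0000
Received: from LAPTOP-7F3 (unknown [192.0.2.55])
\tby mail.contoso-supplier.test with ESMTPA; Tue, 5 Mar 2024 14:22:35 +0000
Date: Mon, 4 Mar 2024 09:00:00 +0000
From: accounts@contoso-supplier.test
To: ap@example-bank.test
Subject: Invoice 4471 approval
Message-ID: <9c1e2d@mail.contoso-supplier.test>

Please approve the attached invoice.
"""

TOLERANCE = timedelta(minutes=5)  # assumed allowance for ordinary clock skew


def _field(pattern: str, text: str) -> str:
    m = re.search(pattern, text)
    return m.group(1) if m else ""


def routing_path(raw: str) -> List[Dict]:
    """Hops in chronological order: the first server to accept the message first."""
    msg = email.message_from_string(raw)
    hops = []
    for value in msg.get_all("Received") or []:
        text = " ".join(str(value).split())      # unfold and normalise whitespace
        stamp = text.rsplit(";", 1)[1].strip()   # the timestamp follows the last ';'
        hops.append({
            "from": _field(r"\bfrom\s+(\S+)", text),
            "by": _field(r"\bby\s+(\S+)", text),
            "with": _field(r"\bwith\s+([A-Za-z0-9]+)", text),  # ESMTPA = authenticated submission
            "time": parsedate_to_datetime(stamp),
        })
    return list(reversed(hops))  # headers are prepended, so reverse for time order


def check_timeline(raw: str) -> List[str]:
    """Flag inconsistencies between the client-set Date header and the
    server-stamped Received chain. Returns human-readable findings."""
    findings = []
    hops = routing_path(raw)
    for prev, cur in zip(hops, hops[1:]):
        if cur["time"] + TOLERANCE < prev["time"]:
            findings.append(f"hop by {cur['by']} is stamped before hop by {prev['by']}")
    msg = email.message_from_string(raw)
    if hops and msg["Date"]:
        sent = parsedate_to_datetime(msg["Date"])
        skew = hops[0]["time"] - sent
        if skew > TOLERANCE:
            findings.append(f"Date header is {skew} earlier than first server receipt "
                            f"by {hops[0]['by']} (possible backdating or client clock error)")
        elif -skew > TOLERANCE:
            findings.append(f"Date header is {-skew} later than first server receipt "
                            f"by {hops[0]['by']} (clock error)")
    return findings


if __name__ == "__main__":
    for hop in routing_path(SAMPLE_EML):
        print(hop["time"].isoformat(), hop["from"], "->", hop["by"], hop["with"])
    print(check_timeline(SAMPLE_EML))
```

In the constructed message the Date header sits a day before the first server accepted it, which the check reports; a Date header can only be trusted as far as the sending client's clock, whereas each Received stamp comes from a server the sender did not control. This is why the email must be preserved with full headers: a PDF export of the message shows the Date line and nothing else.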
Authentication standards across major jurisdictions
Authentication standards share a common logic across jurisdictions but differ in their specifics. In each case the proponent of the evidence must satisfy the court that the document is what it purports to be, and the method of doing so depends on the type of document and the nature of any challenge.
| Jurisdiction | Primary statute or rule | Key electronic records provision |
|---|---|---|
| United States | Federal Rules of Evidence, Rules 901 to 903 and 1001 to 1006 | FRE 901(b)(9): process or system evidence; FRE 902(13)-(14): self-authenticating records with certification |
| England and Wales | Civil Evidence Act 1995; Criminal Justice Act 2003, s.117 | CJA 2003, s.117: business documents prepared in the course of a trade are admissible if the conditions are met; challenges go to weight |
| India | Bharatiya Sakshya Adhiniyam 2023, Sections 57 to 63 | Section 63: electronic records are admissible with a certificate from the person responsible for the computer, attesting accuracy and normal operation |
| European Union (civil) | National rules of civil procedure; GDPR 2016/679 for personal data | GDPR may restrict cross-border transfer or use of personal data as evidence; consent or legitimate interest must be established |
| Australia | Evidence Act 1995 (Cth), ss.146 and 147 | s.146: rebuttable presumption that a document produced by a device or process was produced correctly; s.147: the same presumption for documents produced in the course of business |
India's Bharatiya Sakshya Adhiniyam 2023 is the current statute. Its predecessor, the Indian Evidence Act 1872, had a more limited and sometimes litigated certificate mechanism for electronic records (the old Section 65B). The 2023 Act updated the framework to better address cloud storage, encrypted communications, and forensic imaging. Practitioners working on Indian fraud matters should confirm which version of the statute applies based on the date the proceedings were initiated.
US FRE Rule 902(13) and (14), added in 2017, allow records generated by an electronic process or system (902(13)) and data copied from an electronic device, storage medium or file (902(14)) to be self-authenticating if accompanied by a written certification from a qualified person; 902(14) expressly contemplates authenticating the copy by hash value. This significantly reduced the burden of authentication for common ESI categories such as server logs and forensic images, which previously required live testimony from a custodian or examiner in every case.
Originals, copies, and the best evidence principle
The Best Evidence Rule, as it is commonly called, requires the proponent of a document to produce the original when the content of the document is in dispute. The rationale is that copies are more susceptible to alteration than originals, and that if the original exists and can be produced, there is no reason to accept something less. In modern practice, the rule has been substantially qualified for electronic records.
Under FRE Rule 1001(d), for electronically stored information an original includes any printout or other output readable by sight that accurately reflects the data. Under Rule 1001(e), a duplicate is a counterpart produced by a mechanical, photographic, chemical, electronic, or other equivalent process that accurately reproduces the original, and under Rule 1003 a duplicate is admissible to the same extent as an original unless a genuine question is raised about the original's authenticity or it would be unfair to admit the duplicate instead. A forensic image whose hash matches the source satisfies both definitions and is generally admitted as the functional equivalent of the original device; a Rule 902(14) certification can put the hash comparison before the court without live testimony.
For paper documents, the forensic auditor's practice is to retain the original securely, use certified copies for working purposes, and produce the original for examination if challenged. Certified copies are produced by photographing or scanning the original in the presence of a witness, who signs a certification that the copy is a true and complete copy of the original. Where originals cannot be retained (for example, documents that belong to a third party who will not surrender them), the examiner photographs them on site, documents the circumstances, and notes that originals remain with the third party.
Practical chain-of-custody challenges in complex fraud investigations
In practice, fraud investigations rarely involve a single, tidy set of records obtained from one location. Auditors commonly face mixed-media collections (paper and electronic records obtained simultaneously from the same location), records obtained in multiple tranches over weeks or months, records obtained from multiple jurisdictions under different legal authorities, and records that arrive in formats that must be converted for analysis without breaking the evidence chain.
Format conversion is a common challenge. An accounting database backup file must be restored into a forensic copy of the software to be readable. The restoration process must be documented to show that the content of the restored database matches the content of the original backup, typically by comparing record counts and hash values where the software permits. A similar issue arises when email archives in proprietary formats (such as Outlook PST files) are converted to standard formats (such as EML or MBOX) for ingestion into review platforms. The conversion process must be logged and the original proprietary archive preserved.
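The record-count and hash comparison described for format conversion, as an added example rather than any review platform's own tooling. A file-level hash is useless here, because converting a CSV ledger export to JSON lines for ingestion necessarily changes every byte; the check instead hashes a canonical form of each record and compares the two multisets, so a dropped, duplicated or altered record is named rather than just counted. The ledger rows are constructed sample data and the field names are assumptions.

```python
"""Verify that a format conversion preserved content (added example, not from the page).

The CSV ledger is constructed sample data. The conversion target (JSON lines)
and the canonical-fingerprint scheme are this example's own choices.
"""
import csv
import hashlib
import io
import json
from collections import Counter
from datetime import datetime, timezone
from typing import Dict, List

LEDGER_CSV = """\
txn_id,date,account,amount,memo
10021,2024-01-15,4100,1250.00,Invoice 4471
10022,2024-01-16,4100,-1250.00,Reversal of 10021
10023,2024-01-17,6200,987.50,Consulting fee
"""


def read_csv(text: str) -> List[Dict[str, str]]:
    return list(csv.DictReader(io.StringIO(text)))


def to_jsonl(records: List[Dict[str, str]]) -> str:
    """The conversion step: one JSON object per line, keys sorted."""
    return "".join(json.dumps(r, sort_keys=True) + "\n" for r in records)


def read_jsonl(text: str) -> List[Dict[str, str]]:
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def fingerprint(record: Dict[str, str]) -> str:
    """Canonical hash of one record: sorted keys, values stripped and stringified,
    so field order and surrounding whitespace do not matter but content does."""
    canon = json.dumps({k: str(v).strip() for k, v in record.items()},
                       sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canon.encode()).hexdigest()


def verify_conversion(original: List[Dict], converted: List[Dict]) -> Dict:
    """Compare record counts and the multiset of record fingerprints."""
    a = Counter(fingerprint(r) for r in original)
    b = Counter(fingerprint(r) for r in converted)
    missing = sorted((a - b).elements())   # in the original, absent after conversion
    extra = sorted((b - a).elements())     # after conversion, absent in the original
    return {
        "source_records": sum(a.values()),
        "converted_records": sum(b.values()),
        "content_match": not missing and not extra,
        "missing": missing,
        "extra": extra,
    }


def conversion_log(src_text: str, dst_text: str, result: Dict, tool: str) -> Dict:
    """What the conversion record should carry: both file hashes, the tool, the outcome.
    The original file is preserved; only its hash and the outcome are logged here."""
    return {
        "converted_utc": datetime.now(timezone.utc).isoformat(),
        "tool": tool,
        "source_sha256": hashlib.sha256(src_text.encode()).hexdigest(),
        "output_sha256": hashlib.sha256(dst_text.encode()).hexdigest(),
        **result,
    }


if __name__ == "__main__":
    rows = read_csv(LEDGER_CSV)
    jsonl = to_jsonl(rows)
    result = verify_conversion(rows, read_jsonl(jsonl))
    print(json.dumps(conversion_log(LEDGER_CSV, jsonl, result, "to_jsonl (example)"), indent=2))
```

The same pattern applies to a restored database backup or a PST-to-EML conversion: decide what a canonical record is (a row, a message with its headers), fingerprint both sides, and log the comparison together with the hashes of the untouched original and the converted output.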
International evidence collection adds another layer of complexity. Evidence obtained in a foreign jurisdiction may need to be collected under that country's mutual legal assistance framework, or through letters rogatory, to be admissible in domestic proceedings. Evidence collected without compliance with the foreign jurisdiction's laws may be excluded in domestic courts, and the collection itself may expose the investigators to liability in the foreign jurisdiction. Forensic auditors engaged in cross-border investigations should confirm the applicable legal authority for collection in each jurisdiction before any evidence is touched.
A forensic auditor images a suspect's hard drive without using a write blocker. The hash values of the source and image match. What is the primary problem with this evidence?
Key Takeaways
- Chain of custody is the continuous, documented record of every person who handled a piece of evidence and every action taken with it; any undocumented gap is a basis for an admissibility challenge, even if the evidence itself has not been altered.
- Forensic imaging uses write-blocked hardware to create a bit-for-bit copy of digital media, with cryptographic hash values (SHA-256, often alongside MD5) verifying the copy is identical to the source; without a write blocker the hashes can still match, but they only show that the image equals the source as it stood at imaging time, not that the source was unchanged since seizure.
- Authentication requirements are consistent in principle across major jurisdictions but differ in mechanics: US FRE Rule 901 and the 2017 self-authentication rules, the UK's Criminal Justice Act 2003 Section 117, Australia's Evidence Act 1995, and India's Bharatiya Sakshya Adhiniyam 2023 Sections 57 to 63 all require the proponent to establish that the record is genuine and accurately reflects the system that produced it.
- Metadata is probative evidence: file creation, modification, and access timestamps, email routing headers, and embedded document revision histories can confirm or contradict a suspect's account of when and how a document was created.
- Legal holds must be issued at the outset of an investigation to cloud providers and internal custodians alike; failure to preserve relevant evidence can result in spoliation sanctions including adverse inference instructions or case-dispositive penalties.