Evidence Collection and Chain of Custody

The protocols forensic accountants follow to collect, preserve, and transfer financial evidence from the scene of discovery to the courtroom, keeping the chain of custody intact at every step.

Last updated: 10 Jun 2026

A forensic accountant can identify a sophisticated fraud from the pattern of transactions alone. But in court, identifying a pattern is not enough. The evidence that proves the pattern must be shown to be authentic: that it is what it purports to be, that it has not been altered since it was collected, and that it reached the courtroom through a documented, uninterrupted chain. This is the chain-of-custody requirement, and it applies just as rigorously to a spreadsheet exported from an accounting system as it does to physical exhibits in a homicide case.

Financial investigations involve an unusual breadth of evidence types: paper documents from filing rooms, electronic records from ERP systems, email archives, instant-message logs, bank statements obtained by subpoena, cloud-hosted accounting data, and increasingly, records from mobile devices and collaboration platforms. Each type has its own collection method, its own preservation requirements, and its own evidentiary standards in different jurisdictions. The forensic accountant who treats collection as an afterthought, rather than a discipline equal to the analysis itself, produces results that may be compelling analytically but legally fragile.

This topic covers the full lifecycle of financial evidence: the initial legal hold, document collection protocols for physical and electronic records, imaging financial systems, working with external auditors and regulators, managing third-party data, and the documentation that creates an unbreakable chain from collection to court. The goal throughout is evidence that survives the hardest cross-examination a skilled opposing counsel can mount.

Key terms

Chain of custody: The documented, unbroken record of every person who collected, handled, transferred, or stored evidence from its collection through its presentation in court. Each link in the chain must be verifiable to demonstrate the evidence is authentic and unaltered.
Forensic image: A bit-for-bit copy of a storage device or database, verified by a cryptographic hash. Work proceeds from the image, not the original, so the original remains pristine and its integrity can be demonstrated at any time.
Hash value: A fixed-length string generated from a file or dataset by a cryptographic algorithm (typically SHA-256 or MD5). Any change to the underlying data produces a completely different hash, making the hash a tamper-detection mechanism.
Custodian: In e-discovery, a person who possesses, controls, or has responsibility for documents or electronic records relevant to an investigation. Identifying custodians is the first step in scoping a document collection.
Write blocker: A hardware or software device that prevents any write operations to a storage device during forensic imaging. It ensures the image process does not alter the original data, which is critical for chain-of-custody and authenticity.
ERP system: Enterprise Resource Planning software (SAP, Oracle, Microsoft Dynamics, and similar platforms) that manages financial and operational records. ERP databases are often the primary source of transaction-level evidence in forensic accounting matters.

Legal hold: the starting gate

Evidence that is destroyed before collection does not exist. Evidence that was never preserved is gone before the investigation begins.

The legal hold was addressed in the context of engagement setup, but its operational implementation is an evidence-collection function. Once counsel issues the hold notice, the forensic accountant works with IT staff to confirm that automated deletion processes are suspended, that backup media is quarantined from routine overwriting cycles, and that a list of custodians and their relevant systems is compiled.

Two common failure points deserve attention. First, the hold notice goes to named individuals but not to the IT team managing the systems those individuals use. The individual stops deleting emails. The server continues its 30-day retention cycle and deletes the same emails from the mailbox. Second, the hold is issued for a named custodian's email, but the investigation later expands to include that custodian's collaboration-tool messages and file-sharing repositories, which were not covered. The hold document should describe data types, not just named people.

Physical document collection

Paper still matters, and paper has its own chain-of-custody requirements.

Many financial fraud investigations still involve substantial quantities of paper: original contracts, manually signed approval forms, handwritten notes, physical bank statements, and printed ledger reports. Physical documents require the same rigour as digital ones. They must be collected with a log, segregated by source, preserved in their original state, and stored in a secure location with access controls and a check-in/check-out record.

Document log: Every document collected should be assigned a unique reference number, recorded in a log with its description, source location, and the identity of the person who collected it and when.
Segregation: Documents from different sources or relating to different periods or entities should be kept physically separate to prevent cross-contamination of the evidentiary record.
Original vs copy: Where originals are seized, a certified copy is made for working purposes. The original is stored securely and is produced only when required for inspection or court. The distinction between the working copy and the original is documented in the chain-of-custody log.
Scanning and Bates numbering: Documents are typically scanned to create a working digital copy. Bates numbering (a sequential unique identifier stamped on each page) is applied during scanning to create an unambiguous reference system across the document set.

Imaging financial systems and ERP databases

The ERP is the ledger, and the ledger is the evidence.

The accounting system is usually the most important evidence source in a financial fraud investigation. It contains transaction records, journal entries, approval logs, user-activity audit trails, and in modern systems, timestamps that record exactly when each record was created or modified. Collecting this evidence requires a forensic image of the relevant data, not a management-prepared extract.

A management-prepared export (a CSV file emailed to the forensic accountant by the finance controller) is analytically useful but evidentially weak. The opposing party will argue that the person who prepared the extract could have modified or filtered the data. A forensic image of the database, taken by a qualified digital forensics practitioner with the hash values recorded at acquisition, removes that argument.

Forensic imaging workflow for an ERP database.

ERP systems vary in how their data can be extracted. Some require specialised tooling: SAP, for example, stores data in proprietary table structures that require knowledge of ABAP table naming conventions to extract correctly. Oracle Financials, Microsoft Dynamics, QuickBooks, and Xero each have different export formats and audit-trail architectures. The forensic accountant must understand the specific system's data model well enough to know whether an extract is complete and unmodified.

Email, messaging, and cloud-hosted data

The most incriminating evidence in modern fraud cases is often in the messages, not the ledger.

Email archives are a primary evidence source in financial investigations. They reveal intent, knowledge, and co-ordination that transaction records alone cannot prove. Collecting email evidence requires image-level collection from mail servers or enterprise archiving platforms (Microsoft 365 Purview, Google Vault), not user-by-user export from the email client, because client-side export can be manipulated and does not capture deleted-but-archived messages.

Instant messaging platforms have become increasingly significant in financial investigations. Slack, Microsoft Teams, WhatsApp, Signal, and Bloomberg Terminal messaging all potentially contain business records. Retention and collection rules for these platforms vary considerably: some have native legal-hold tools (Teams Compliance Center, Slack eDiscovery export), others require third-party collection tools or device imaging. Signal's disappearing-message feature and end-to-end encryption mean collection may need to happen from device images rather than server records.

Working with external auditors and regulators

Other professionals will have seen the same evidence. Co-ordinating the collection prevents duplication and contradiction.

Most organisations under forensic investigation are also subject to their annual statutory audit. The relationship between the forensic team and the external auditor is often complicated. The external auditor has independent obligations to their professional standards body and ultimately to shareholders or the public interest. The forensic team owes duties to its client, which may differ from what the external auditor needs to report. These tensions need to be managed explicitly.

In regulatory investigations, the forensic accountant may also need to co-ordinate with the regulator's own evidence collection. Regulatory bodies (the SEC in the US, the FCA in the UK, SEBI in India) have statutory powers to compel document production, and their collection processes generate their own evidential record. Working in parallel without communication leads to duplicated effort at best and contradictory evidence at worst.

Establish a joint document register if practical, so that all parties can see what has been collected, by whom, and when.
Agree on a single master copy of key documents rather than allowing multiple parties to maintain separate copies with different tracking schemes.
Clarify with counsel which materials produced to the regulator remain privileged from private litigation and which do not.
Document every point of contact with external auditors and regulators, including what was produced, to whom, and on what date.

Maintaining the chain of custody through to court

The chain starts at collection and does not end until the exhibit is released from court.

A chain-of-custody log for each piece of evidence should record: the unique reference number, description of the item, date and time of collection, identity of the person who collected it, location from which it was collected, and then a sequential record of every person who subsequently received custody of it, the date of each transfer, and the reason for the transfer.

Evidence chain-of-custody lifecycle.

For digital evidence, the hash value is the core integrity mechanism. The hash of the original image should be computed and recorded at the time of acquisition. Every time the image or a derivative is transferred, the hash of the transferred copy is computed and compared to the source. A match proves the data is identical. Any discrepancy must be explained before the evidence can be used.

Physical storage requirements for digital evidence include media that is write-protected or stored in read-only formats, labelled containers with unique identifiers, secure-room access restricted to named investigators, and climate controls that prevent media degradation. These requirements mirror those used in digital forensics laboratories and are increasingly treated as the standard in financial-investigation matters.

Worked example

Collecting the accounts-payable system after a tip-off

A whistleblower email arrives Friday evening. Monday morning, the collection team is on-site.

A manufacturing company's audit committee receives an anonymous tip that the head of accounts payable has been approving payments to fictitious vendors for approximately 18 months. Counsel retains the forensic team Friday evening. The matter is time-sensitive: the AP manager is still in post and has full access to the system. A collection plan is drafted that weekend and executed Monday morning before the AP manager arrives.

Friday night: legal hold. IT is contacted and all automated deletion processes for the AP module and the AP manager's email and file-sharing accounts are suspended. Hold notices are prepared for service Monday morning to all relevant custodians.
Monday 7 a.m.: system access suspension. Before the AP manager's work day begins, IT suspends their system access pending investigation, under the authority of the audit committee. This prevents deletion of records and is documented with a timestamp.
Monday 8 a.m.: forensic imaging. A digital forensics practitioner images the AP module of the ERP system and the AP manager's laptop using write blockers. Hash values are recorded at acquisition for each item. The imaging is witnessed by a second team member who signs the chain-of-custody form.
Monday 9 a.m.: email and collaboration data. A second team member extracts the AP manager's email archive from the enterprise email platform and their Microsoft Teams messages for the relevant period. The extract is generated by an admin-level tool, not the user's own client, and the generation process is logged.
Chain-of-custody log. Each item collected receives a unique reference number. The log records the collection date, the collector's name, the hash value, and the secure storage location. Access to the storage room is badge-controlled, and the access log becomes part of the evidential record.

By noon Monday, the investigation team is working from verified copies of the core evidence while the originals are in secure storage. The AP manager does not know what has been collected or when. When interviews begin two days later, the team can confront the subject with exhibits they cannot credibly claim have been altered. The chain-of-custody documentation, if challenged, is supported by the imaging practitioner's witness statement, the access logs, and the hash-verification records.

Check your understanding

Question 1 of 4· 0 answered

Why should a forensic accountant obtain a forensic image of the ERP database rather than accepting a management-prepared CSV export?

Key Takeaways

Chain of custody is the documented, unbroken record of every custodian from collection to court; a break in that chain gives opposing parties grounds to challenge authenticity and potentially exclude the evidence.
Forensic imaging with write blockers and hash verification is the standard for ERP and digital evidence collection; management-prepared extracts are analytically useful but evidentially weak without the same integrity verification.
Physical documents require their own chain-of-custody discipline: collection logs, Bates numbering, secure storage with access records, and clear distinction between originals and working copies.
Email, instant-messaging, and cloud-hosted data are increasingly central to financial fraud investigations; each platform has different collection tools and legal requirements, and cross-border data transfers may require formal legal mechanisms.
Co-ordination with external auditors and regulators, and clear documentation of every contact and production, prevents duplicated effort and conflicting evidence that can undermine the investigation at trial.

What does 'chain of custody' mean in a financial investigation?

Chain of custody is the documented, unbroken record of who collected evidence, who had custody of it at each subsequent point, and how it was stored and transferred. It proves that the evidence presented in court is the same evidence collected at the scene of investigation and that it has not been tampered with or contaminated.

How do you image a financial accounting system without disrupting the business?

The standard approach is to create a forensic image of the relevant databases and file systems, typically overnight or during low-usage periods, working with IT staff to minimise disruption. The image is a bit-for-bit copy of the original, verified by hash value, and the investigation proceeds from the copy rather than the live system. This preserves the original and avoids the business interruption that would come from seizing production servers.

What is a hash value and why does it matter for digital evidence?

A hash value (typically MD5 or SHA-256) is a fixed-length fingerprint generated from a file or dataset by a cryptographic algorithm. If even a single bit of the data changes, the hash changes completely. By recording the hash at collection and verifying it matches at each subsequent custody transfer, investigators can prove the data has not been altered.

How does a forensic accountant handle documents held by a third party, such as a bank or cloud provider?

Third-party records typically require a formal legal mechanism: a subpoena or court order in litigation, a regulatory production order in a regulatory inquiry, or a letter of request under mutual legal assistance treaty provisions for cross-border matters. The forensic accountant works with counsel to identify what is needed and then ensures that when the records arrive, they are received and logged under the same chain-of-custody discipline applied to internally collected evidence.

What happens if the chain of custody is broken?

A break in the chain of custody gives opposing parties grounds to challenge the authenticity and integrity of the evidence. Courts may exclude it, or the jury may be directed to treat it with caution. In the worst case, evidence central to the investigation becomes inadmissible. Preventing custody breaks is far simpler than arguing around them later.

Test yourself on Forensic Accounting and Financial Forensics with free, timed mocks.

Practice Forensic Accounting and Financial Forensics questions

Found this useful? Pass it along.

Spotted an error in this page? Report a correction or read our editorial standards.

Key Takeaways

Chain of custody is the documented, unbroken record of every custodian from collection to court; a break in that chain gives opposing parties grounds to challenge authenticity and potentially exclude the evidence.

Forensic imaging with write blockers and hash verification is the standard for ERP and digital evidence collection; management-prepared extracts are analytically useful but evidentially weak without the same integrity verification.

Physical documents require their own chain-of-custody discipline: collection logs, Bates numbering, secure storage with access records, and clear distinction between originals and working copies.

Email, instant-messaging, and cloud-hosted data are increasingly central to financial fraud investigations; each platform has different collection tools and legal requirements, and cross-border data transfers may require formal legal mechanisms.

Co-ordination with external auditors and regulators, and clear documentation of every contact and production, prevents duplicated effort and conflicting evidence that can undermine the investigation at trial.

What does 'chain of custody' mean in a financial investigation?

How do you image a financial accounting system without disrupting the business?

What is a hash value and why does it matter for digital evidence?

How does a forensic accountant handle documents held by a third party, such as a bank or cloud provider?

What happens if the chain of custody is broken?

Your journey to becoming a forensic professional starts here.

Key Takeaways

Key Takeaways