Chain of Custody for Media Evidence

Maintaining an unbroken, documented chain of custody for digital media evidence, from the moment a device is seized through every processing step to its presentation in court.

Last updated: 10 Jun 2026

Digital media evidence has a peculiar vulnerability that physical evidence does not: it can be altered without leaving a visible trace. A knife with bloodstains looks different after cleaning. An MP4 file overwritten with different footage looks identical to the original from the outside. This is why the chain of custody for media evidence cannot rely on physical description alone. It must be built on cryptographic verification at every step.

Chain of custody is the documented record proving that a piece of evidence is the same item that was collected at the scene, handled by specific identified individuals, stored under defined conditions, and presented in court. For a knife, that documentation is largely about physical handling. For a video file, it is about hash values, version numbers, write-blocker logs, and the careful separation of originals from working copies.

This topic walks through each stage of the journey a digital media exhibit takes, from a DVR on a retail counter to a frame displayed on a courtroom screen. At each stage the question is the same: can we prove this file has not been altered since it was seized? The answer requires specific practices and specific documentation, and the gaps in that documentation are exactly where defence challenges focus.

Key terms

Hash value: A fixed-length digital fingerprint produced by running a file through a cryptographic algorithm such as SHA-256 or MD5. Identical files produce identical hashes; any alteration produces a different hash. Used at acquisition and at every subsequent stage to verify file integrity.
Write-blocker: Hardware or software that intercepts write commands to storage media during forensic imaging, permitting reads but preventing any alteration. Required when imaging hard drives, USB media, SD cards, and similar storage.
Proprietary DVR format: Video storage format used by commercial CCTV/DVR systems that is specific to the manufacturer, often unplayable without the vendor's own software. The native proprietary file must be preserved as the primary exhibit before any conversion.
Working copy: A copy of an exhibit on which examination work is performed, created from a verified forensic image. The original or master copy is preserved untouched; the working copy may be processed, enhanced, or exported without altering the master.
Continuity witness: The person who can testify to each transfer of the exhibit, from collector to analyst to storage to court. Every transfer must be logged with date, time, persons involved, and the item's condition or hash state at the time of transfer.
Versioning convention: A systematic file-naming or directory structure that identifies which version of a processed file is current, preserves earlier processing stages, and prevents overwriting. Critical for multimedia casework where multiple processing steps produce multiple intermediate files.

Seizure and initial documentation

The first five minutes set the evidentiary quality of everything that follows.

When a DVR or NVR is seized, the first-responder's job is documentation, not analysis. The device must be photographed in situ before removal, showing its connections, the cables attached, any indicator lights, and the screen state. The serial number, make, and model are recorded. If the device is on, the on-screen time display is photographed alongside a reference clock to capture any time offset.

Where possible, the device is powered off safely according to the manufacturer's guidance to prevent overwriting of the circular buffer. Some DVRs will continue recording and overwriting footage if left running. Others may corrupt the file system if simply unplugged. Knowing which applies requires either manufacturer documentation or a decision by a forensically trained examiner at the scene, not a patrol officer improvising.

Forensic acquisition and hash verification

Hash verification is not a formality. It is the proof.

Forensic acquisition creates a verified bitstream copy of the source media. For a DVR hard drive, this means attaching the drive through a hardware write-blocker, imaging it with a tool such as FTK Imager or dcfldd, and recording the hash values of both the source drive and the resulting image. The hashes must match. This matching is the proof that the forensic copy is identical to the original.

Attach via write-blocker
Connect the source drive or media to the forensic workstation through a validated write-blocker. Record the write-blocker make, model, and firmware version in the case notes.
Image the source
Run the imaging tool to create a forensic image (E01, AFF4, or raw dd format). The tool computes and records MD5 and/or SHA-256 hashes of the source during the read pass.
Verify the image
The tool rehashes the completed image file and compares it to the source hash. A match confirms bit-for-bit accuracy. Record both hash values in the case notes and in the exhibit documentation.
Seal and label
Seal the source media in an anti-static bag, label with the exhibit reference number, and store under documented conditions. The forensic image is the working base; the source is locked away.

For video exported directly from a DVR via its internal interface rather than by imaging the drive, the process is different and the risks are higher. The export is typically a proprietary-format file produced by the DVR's own software. The examiner must hash the export immediately after it is copied to a forensic drive, before any other handling. This hash becomes the integrity anchor for everything that follows.

Handling proprietary formats and conversion to standard containers

Converting a proprietary DVR export is an evidence-handling step, not a technical convenience.

DVR manufacturers use proprietary file formats and playback software for competitive and technical reasons. Formats from major manufacturers such as Hikvision, Dahua, Bosch, and Milestone each have their own structure and often require vendor-specific players. When an analyst converts a proprietary file to a standard container format such as MP4, they are performing an operation that changes the binary content of the file. The converted file's hash will differ from the original.

This is not inherently a problem. It becomes a problem if the documentation does not record that the conversion happened, which tool performed it, what version of that tool was used, and that the conversion was performed on an authenticated copy of the original. The native proprietary file must remain as the primary exhibit, and the converted version must be clearly labelled as a secondary working copy.

Chain of custody for DVR video evidence, showing hash anchors at each transfer.

Versioning and naming conventions for processed files

A folder called 'final_FINAL_v3_use_this_one.mp4' is a chain-of-custody failure.

Multimedia casework produces many files. A single DVR footage review may generate the original export, a converted working copy, frame extracts, enhanced versions of individual frames, and annotated composites for court. Without a disciplined versioning system, the examiner cannot reconstruct which version was used for which analysis, and a court cannot verify the lineage of an exhibit.

Exhibit reference prefix: every file name begins with the case number and exhibit reference, so files from different cases cannot be mixed.
Descriptor and version number: a brief descriptor and an incrementing version number (v01, v02) prevent ambiguity about which file is current.
Date stamp: ISO 8601 format (YYYYMMDD) as part of the file name makes chronological ordering automatic and removes reliance on operating system timestamps, which can change.
Processing log: a text or spreadsheet log accompanies the file set, recording what operation produced each version, which tool and version was used, the input file hash, and the output file hash.

This is not bureaucracy for its own sake. When defence counsel asks in cross-examination which specific file the expert used to produce enhanced frame 14 in exhibit P7, the expert must be able to answer precisely. An examiner who cannot is admitting that their process was undocumented and therefore not reproducible. That is the point at which a court may exclude their evidence.

The continuity witness and transfer documentation

Every handover of the exhibit must be recorded as if a court will scrutinise it, because it will.

Chain of custody documentation serves the court, not just the analyst who produced it. The prosecution must be able to account for where the exhibit was at every point between seizure and presentation. This typically means a property log or exhibit register that records the exhibit reference number, date and time of each transfer, the names and roles of the transferring and receiving parties, the method of transfer, and the storage location and conditions.

For digital media, transfers include the initial seizure, delivery to the forensic laboratory, any transfer to a specialist analyst (face comparison, video analysis), return to the exhibit store, and delivery to court. Each of these is a potential break point. A gap in the register, even a minor administrative gap, can be exploited by defence to suggest the opportunity for tampering, even if no tampering occurred.

Worked example

Reconstructing the evidential gap in an ATM fraud case

Four days, three agencies, no hash records: how a gap was traced and partially closed.

ATM fraud is identified at a bank branch. The bank's security team exports the CCTV footage covering the fraud period from their NVR to a USB drive using the NVR's proprietary export function. The USB is handed to local police, who pass it to a regional digital forensics unit four days later. The unit extracts still frames and provides them to an investigating officer, who uses them in a suspect identification procedure.

The bank security team did not hash the exported file at the time of export. Four days passed before the file reached a forensic unit. Those four days represent a period in which the USB could have been accessed and the file altered without detection.
The forensic unit hashes the file on receipt and records the hash. This creates an integrity anchor from the moment of laboratory receipt forward, but it cannot address what happened before receipt.
To partially close the gap, the forensic unit requests the NVR's internal event log from the bank. The log shows the export was performed once, at a specific date and time. The file creation timestamp on the USB matches. The NVR log cannot prove the file was not subsequently altered on the USB, but it corroborates the export event and the file size at export.
The defence challenges the gap. The prosecution's response notes that the file's internal structure (DVR timestamp overlays, codec header data) is consistent throughout and shows no signs of re-encoding or editing, and that the NVR log corroborates the export event. The court admits the footage but notes the documentation deficiency. The lesson: hash at acquisition, not at first convenient opportunity.

Check your understanding

Question 1 of 4· 0 answered

A forensic examiner images a DVR hard drive and records MD5 hash values of both the source drive and the forensic image. The hashes match. What does this prove?

Key Takeaways

Hash verification at acquisition is the foundation of media evidence integrity: matching hashes on the source and forensic image prove bit-for-bit accuracy at the moment of imaging.
Write-blockers prevent write commands from reaching source media during imaging; where unavailable, a documented read-only software mount is the alternative, not proceeding without protection.
Proprietary DVR formats must be preserved as the primary exhibit; any conversion to a standard format is a documented secondary working-copy step, never a replacement of the original.
Versioning conventions and processing logs allow any examiner to reconstruct exactly which file was used at which stage of the analysis, which is what cross-examination will test.
Every transfer of a digital media exhibit must be logged with date, time, persons, and file hash; gaps in this record are the points defence counsel will target in a chain-of-custody challenge.

Why is hash verification central to media evidence chain of custody?

A cryptographic hash (SHA-256 or MD5) computed on a file produces a unique fixed-length value. If even a single bit changes, the hash changes. Recording the hash at acquisition and at every subsequent stage proves that the file in court is identical to what was seized. Any undocumented change is exposed.

What is a write-blocker and when is one required?

A write-blocker is a hardware or software device that intercepts write commands sent to storage media, allowing reads to proceed but blocking any alteration. It is required whenever forensic imaging is performed on storage media. For network-acquired video from a DVR or cloud system, the equivalent principle is using read-only API access and logging all queries.

How do you handle proprietary DVR formats that require vendor software to play back?

The standard practice is to preserve the native proprietary file as the primary exhibit, document the vendor software version used to play or export it, and export a secondary working copy in a standard format such as MP4 or AVI. The hash of the native file is the integrity anchor. The export is a working copy and must be labelled as such.

What creates an evidential gap in the journey from DVR to courtroom?

Common gaps include: failing to hash the DVR export at the point of acquisition; transferring video via email or file-sharing without recording metadata; opening and re-saving video in a non-forensic tool that changes the file; and having multiple unnumbered copies with no clear lineage. Any break in the documented chain gives defence an argument that the file may have been altered.

Test yourself on Forensic Audio, Video and Image Analysis with free, timed mocks.

Practice Forensic Audio, Video and Image Analysis questions

Found this useful? Pass it along.

Spotted an error in this page? Report a correction or read our editorial standards.

Key Takeaways

Hash verification at acquisition is the foundation of media evidence integrity: matching hashes on the source and forensic image prove bit-for-bit accuracy at the moment of imaging.

Write-blockers prevent write commands from reaching source media during imaging; where unavailable, a documented read-only software mount is the alternative, not proceeding without protection.

Proprietary DVR formats must be preserved as the primary exhibit; any conversion to a standard format is a documented secondary working-copy step, never a replacement of the original.

Versioning conventions and processing logs allow any examiner to reconstruct exactly which file was used at which stage of the analysis, which is what cross-examination will test.

Every transfer of a digital media exhibit must be logged with date, time, persons, and file hash; gaps in this record are the points defence counsel will target in a chain-of-custody challenge.

Why is hash verification central to media evidence chain of custody?

What is a write-blocker and when is one required?

How do you handle proprietary DVR formats that require vendor software to play back?

What creates an evidential gap in the journey from DVR to courtroom?

Your journey to becoming a forensic professional starts here.

Key Takeaways

Key Takeaways