What is the Chain of Custody?

During investigations, it is common that a variety of sources of evidence are collected. ‘Chain of Custody’ is a term that is used when handling evidence (sometimes referred to as exhibits). Evidence can be in the form of a physical object or, as seen more nowadays, digital evidence. A record of who has handled the evidence, who has accessed, edited, or altered it is imperative to ensure that it has not been tampered with in any way that could have a prejudicial effect on an investigation.

Chain of Custody is also known within the Law Enforcement sector as ‘evidence continuity’ and is seen as a vital part of an investigation. Various courts within the Australian legal system place immense value on the accurate recording of exhibit movement to ensure that matters heard before the court are done so in a fair and equitable manner. The New South Wales Police improved their system of recording evidence after the 1998 Wood Royal Commission enquiry exposed evidence tampering by Police.

Investigators should always follow the best practice guidelines as outlined below when handling evidence, recording evidence, and tracking the movement of evidence.

The importance of accurate recording of evidence

Evidence and exhibits play a major role in investigations and it is essential that accurate recording of the evidence is done. Evidence that is relied upon in an investigation and/or presented to a court, tribunal or other proceedings can impact the outcome of a matter. Therefore, accuracy and integrity of the evidence is essential.

Properly documenting the details of evidence can ensure that the original piece of evidence is not altered or tampered with (and that this has been properly documented). Altering or tampering with evidence can occur either with intent to influence a specific outcome or without. However, regardless of the intent, the fact remains that any changes to an original piece of evidence may impact not only the integrity of the piece of evidence but also the integrity of the investigation upon which that evidence is based.

Consequentially, an improper chain of custody of evidence can lead to several negative outcomes, including the evidence bring deemed inadmissible or unreliable and the matter not being able to be proved to the standard required before the court (or other proceedings for which the evidence is being relied upon). Furthermore, casting any doubt over the authenticity and reliability of one piece of evidence can potentially have a flow-on effect on other pieces of evidence in a matter.

Establishing and saving a chain of evidence document

To establish a complete and reliable Chain of Custody, it is imperative that the following is accurately documented:

• What is the item?
• Who collected the item?
• When was it collected?
• By whom or where was it collected from?
• Where is the item being stored?

A document showing the chain of custody is required for each piece of evidence, regardless of whether it is in a physical or digital form.

In order to preserve evidence, the chain of custody document should commence from the first time evidence is obtained or handled, through to the process of examination, analysis, reporting and the time of presentation. It is essential to avoid the possibility of any suggestion that the evidence has been compromised or mishandled in any way.

A ‘Chain of Custody’ document should be contained in a version-controlled digital document, or it could be held in a shared drive. The document needs to be clearly labelled and records kept of when the evidence was accessed. This digital document must have the ability to export a full forensic audit if necessary and/or required.

The key stages of recording evidence in a Chain of Custody document are:

1. Data Collection: This is where the chain of custody process is initiated. It involves identification, labelling, recording, and the acquisition of data from all the possible relevant sources that preserve the integrity of the data and evidence collected.

2. Examination: During this process, the chain of custody information is documented outlining the forensic process undertaken. It is important to capture screenshots throughout the process to show the tasks that are completed, and any further evidence identified.

3. Analysis: This stage is the result of the examination stage. In the Analysis stage, legally justifiable methods and techniques are used to derive useful information to address questions posed in the particular case.

4. Reporting: This is the documentation phase of the Examination and Analysis stage. Reporting includes the following:

• • A statement regarding Chain of Custody;
  • An explanation of the various tools used;
  • A description of the analysis of various data sources;
  • Any issues or vulnerabilities identified; and
  • Recommendations for additional forensics measures that can be taken.

An accurate and complete chain of custody is a vital part of every investigation

The importance of the chain of custody for evidence and accurate record-keeping when handling evidence is a key aspect of investigations and information gathering.

All Investigators, whether in law enforcement or other investigations (including corporate investigations), should be equipped and familiar with the knowledge and process relating to the chain of custody of evidence. This will ensure accurate and reliable evidence being able to be presented. Subsequently, the outcome or decision made for the matter can be done so with all evidence being considered equally.

Key Takeaways

• Chain of Custody is a term referring to the order and way physical or electronic evidence in investigations is handled.
• It is important to show that all evidence was handled in line with best practice procedures, by documenting all relevant details in the ‘Chain of Custody’ document.
• Items found to form part of an inadequate or inaccurate chain of custody document may be deemed inadmissible.