Chain of Custody for Digital Evidence: Why a Hash Alone Isn't Enough

Introduction

Ask most people how to prove a digital file hasn't been tampered with and they'll say "take a hash." They're right — a cryptographic hash is the single most important integrity check in digital forensics. But a hash on its own answers only one question: is this file identical to the one I hashed earlier? A court also wants to know who handled the evidence, when, and what was done to it. That is the chain of custody, and it is where a lone hash quietly falls short.

What "Chain of Custody" Actually Means

Chain of custody is the documented, unbroken history of a piece of evidence from the moment it was collected to the moment it is presented. Who acquired it? On what device, at what time? Who accessed it afterwards, and for what purpose? If there is a gap — or worse, if the record of handling could itself have been edited — opposing counsel has an opening to challenge admissibility. Integrity of the evidence and integrity of the record about the evidence are two different things, and both matter.

The Gap a Hash Leaves

A hash freezes a file's content, but it says nothing about process. It doesn't capture that the analyst opened the case on a given date, re-verified an exhibit, exported a report, or moved evidence between drives. Pasted into a spreadsheet, those notes are trivially editable and carry no proof of order or completeness. The reference hash itself is no better protected: if it lives in the same editable spreadsheet, whoever alters the file can simply update the recorded value to match. To be defensible, the handling log, and the hashes it records, must be tamper-evident.

A Tamper-Evident, Hash-Chained Audit Log

This is where e-Dex goes beyond a simple hash tool. Every significant action is written to an append-only audit log in which each entry includes the SHA-256 hash of the previous entry, forming a hash chain. Change or delete any past entry and the stored hash of every later entry stops matching, so the tampering shows up the next time the chain is verified. It is the same linking principle that makes a blockchain tamper-evident (without the distributed consensus), applied to your evidence-handling history. e-Dex can verify the whole chain on demand and tell you it is intact. As with any hash chain, verification on its own proves that the log is internally consistent: someone who can rewrite the entire file could recompute every link from the altered entry onward, or simply drop the newest entries. Keep a copy of the most recent entry's hash outside the log (on the printed certificate, in an exported report, or in a signed file) and compare against it when you verify.

Per-Action Custody Events

On top of the audit log, e-Dex records explicit chain-of-custody events — who did what, when — so the narrative history of an exhibit is captured as first-class data rather than scattered notes. Those events flow through to the evidence certificate, giving the court a clear, ordered account of custody alongside the integrity hashes.
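To make the mechanism concrete, here is a small Python model of such a hash-chained custody log, written for this article rather than taken from e-Dex (the entry fields, the all-zero genesis value and the sample events are assumptions for illustration). It shows the two situations a practitioner should care about: an edit that leaves the stored hashes behind, which the chain itself catches, and a full rewrite of every link, which only an externally recorded head hash catches.

```python
"""Hash-chained custody log. Added illustration; not e-Dex's code or file format."""
import copy
import hashlib
import json

GENESIS = "0" * 64  # assumed sentinel used as 'prev' for the very first entry


def canonical(entry: dict) -> bytes:
    """Serialise deterministically so the same entry always hashes the same way."""
    return json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()


def entry_hash(entry: dict) -> str:
    """SHA-256 over every field except the entry's own 'hash' field."""
    body = {k: v for k, v in entry.items() if k != "hash"}
    return hashlib.sha256(canonical(body)).hexdigest()


class CustodyLog:
    """Append-only list in which each entry commits to the hash of the one before."""

    def __init__(self):
        self.entries = []

    def head(self) -> str:
        """Hash of the newest entry. Record this outside the log after each session."""
        return self.entries[-1]["hash"] if self.entries else GENESIS

    def append(self, when, actor, action, exhibit, detail="") -> str:
        entry = {
            "seq": len(self.entries),
            "when": when,          # ISO-8601 UTC timestamp supplied by the caller
            "actor": actor,
            "action": action,
            "exhibit": exhibit,
            "detail": detail,
            "prev": self.head(),   # the link that turns a list into a chain
        }
        entry["hash"] = entry_hash(entry)
        self.entries.append(entry)
        return entry["hash"]

    def verify(self, expected_head=None):
        """Walk the chain. Returns (True, None) or (False, seq of first bad entry).

        Without expected_head this proves only internal consistency. Pass the
        head hash you recorded externally to also catch a wholesale rewrite or
        a truncated tail (reported as a failure at seq == len(entries)).
        """
        prev = GENESIS
        for i, e in enumerate(self.entries):
            if e["seq"] != i or e["prev"] != prev or entry_hash(e) != e["hash"]:
                return False, i
            prev = e["hash"]
        if expected_head is not None and prev != expected_head:
            return False, len(self.entries)
        return True, None


def build_sample_log() -> CustodyLog:
    """Constructed sample events; names, exhibit IDs and times are fictional."""
    log = CustodyLog()
    log.append("2024-05-01T09:00:00Z", "A. Sharma", "ACQUIRE", "EX-01",
               "Imaged USB drive; SHA-256 of image recorded")
    log.append("2024-05-03T10:15:00Z", "A. Sharma", "VERIFY", "EX-01",
               "Re-hashed image; matches acquisition hash")
    log.append("2024-05-04T14:00:00Z", "R. Iyer", "EXPORT", "EX-01",
               "Exported evidence report v1")
    return log


def tamper_in_place(log: CustodyLog) -> CustodyLog:
    """Backdate entry 1 without touching any hash: the chain breaks at seq 1."""
    bad = copy.deepcopy(log)
    bad.entries[1]["when"] = "2024-05-02T10:15:00Z"
    return bad


def rewrite_chain(log: CustodyLog) -> CustodyLog:
    """Backdate entry 1 and recompute every later link, as someone with write
    access to the whole file could. The result is internally consistent; only
    the externally recorded head hash gives the game away."""
    bad = copy.deepcopy(log)
    bad.entries[1]["when"] = "2024-05-02T10:15:00Z"
    prev = bad.entries[0]["hash"]
    for e in bad.entries[1:]:
        e["prev"] = prev
        e["hash"] = entry_hash(e)
        prev = e["hash"]
    return bad


if __name__ == "__main__":
    log = build_sample_log()
    recorded_head = log.head()  # e.g. printed on the evidence certificate
    print("original:            ", log.verify())                             # (True, None)
    print("edited in place:     ", tamper_in_place(log).verify())            # (False, 1)
    print("rewritten, no anchor:", rewrite_chain(log).verify())              # (True, None)
    print("rewritten, anchored: ", rewrite_chain(log).verify(recorded_head)) # (False, 3)
```

The same anchored check also catches truncation: drop the last entry and `verify()` still passes, but `verify(recorded_head)` fails at the end of the shortened chain. In practice the "when" value should come from a trusted clock at the moment of the action, and the head hash should be recorded somewhere the person holding the log cannot quietly change.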

Snapshot & Verify Drift

Evidence sometimes lives on media you revisit over weeks. e-Dex lets you take a snapshot baseline of a case's files and later verify against it, surfacing any drift between visits: a file that changed, went missing, or was added. That turns "I think nothing changed" into a provable statement. The baseline is only worth something if it cannot be quietly replaced, so treat it as evidence too and record its hash in the audit log at the time you take it.
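An added example of the snapshot-and-verify idea, not e-Dex's implementation or file format: a baseline of path, size and SHA-256 for every file under a case folder, stored outside that folder, and a later comparison that classifies each path as unchanged, changed, missing or added. The sample files and the JSON layout are constructed for illustration.

```python
"""Snapshot a case folder, then verify it later for drift. Added illustration, not e-Dex code."""
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream the file so large disk images do not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root) -> dict:
    """Baseline: relative POSIX path -> sha256 and size, for every regular file under root."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): {"sha256": sha256_file(p), "size": p.stat().st_size}
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def verify(root, baseline: dict) -> dict:
    """Compare the folder as it is now against a baseline and classify every path."""
    current = snapshot(root)
    report = {"unchanged": [], "changed": [], "missing": [], "added": []}
    for rel, info in baseline.items():
        if rel not in current:
            report["missing"].append(rel)
        elif current[rel]["sha256"] != info["sha256"]:
            report["changed"].append(rel)
        else:
            report["unchanged"].append(rel)
    report["added"] = [rel for rel in current if rel not in baseline]
    return report


def save_snapshot(baseline: dict, path: Path) -> str:
    """Write the baseline as JSON; return its own SHA-256 to log as a custody event."""
    path.write_text(json.dumps(baseline, indent=2, sort_keys=True))
    return sha256_file(path)


def load_snapshot(path: Path) -> dict:
    return json.loads(path.read_text())


def demo() -> dict:
    """Constructed scenario: baseline three files, then edit one, delete one, add one."""
    with tempfile.TemporaryDirectory() as tmp:
        case = Path(tmp) / "case"
        (case / "exhibits").mkdir(parents=True)
        (case / "exhibits" / "EX-01.img").write_bytes(b"\x00" * 4096)
        (case / "exhibits" / "EX-02.img").write_bytes(b"\xff" * 4096)
        (case / "notes.txt").write_text("initial notes\n")

        baseline_file = Path(tmp) / "baseline.json"  # kept outside the case folder
        save_snapshot(snapshot(case), baseline_file)

        # Weeks later, on a second visit to the same media:
        (case / "notes.txt").write_text("initial notes\nedited later\n")
        (case / "exhibits" / "EX-02.img").unlink()
        (case / "report.pdf").write_bytes(b"%PDF-1.4 constructed placeholder\n")

        return verify(case, load_snapshot(baseline_file))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind:9}: {paths}")
```

Two details matter in practice: the baseline lives outside the folder it describes (otherwise it would report itself as an added file, and could be edited along with the evidence), and `save_snapshot` returns the baseline's own hash so that value can be written into the custody record, tying the snapshot to the moment it was taken.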

A Defendability Score You Can Act On

Because integrity is made of several moving parts, e-Dex distils them into a Defendability Score — a court-readiness rating that reflects how many files are verified, whether the audit chain is intact, whether snapshots and reports exist, and whether a strong primary algorithm was used. It is a quick way to see, before you walk into court, where your case is strong and where it needs shoring up.

Self-Verifying Evidence Packs

Finally, e-Dex can bundle a case into a self-verifying evidence pack (BagIt, with CASE-UCO / DFXML sidecars) that anyone can validate later, even on a machine without e-Dex installed. The pack carries its own manifests and hashes, so the recipient can confirm that every file matches what the manifests declare. To close the custody loop end to end, send the hash of the pack's top-level manifest separately (in the covering letter or on the certificate): a pack that has been altered and then re-manifested is still internally consistent, and only that separately held value exposes the swap.
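An added example, not e-Dex's packer, of what a self-verifying pack looks like at the file level: a minimal RFC 8493 BagIt bag (bagit.txt, bag-info.txt, a payload manifest and a tag manifest) written and then validated with nothing but the Python standard library. The CASE-UCO / DFXML sidecars are omitted; they would be additional tag files. The constructed case folder and the name "seal" for the tag manifest's hash are assumptions for illustration. The demo also shows why the seal must travel separately: a pack that is tampered with and then re-manifested still validates on its own.

```python
"""Minimal BagIt bag: write it, then validate it. Added illustration, not e-Dex's packer."""
import hashlib
import shutil
import tempfile
from datetime import date
from pathlib import Path

TAG_FILES = ("bagit.txt", "bag-info.txt", "manifest-sha256.txt")

def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def _payload_files(bag: Path):
    return sorted(p for p in (bag / "data").rglob("*") if p.is_file())

def _read_manifest(path: Path) -> dict:
    """Each line: '<hex digest>' whitespace '<path relative to the bag root>'."""
    entries = {}
    for line in path.read_text(encoding="utf-8").splitlines():
        if line.strip():
            digest, rel = line.split(None, 1)
            entries[rel.strip()] = digest
    return entries

def _write_manifests(bag: Path) -> str:
    """Write payload and tag manifests; return the tag manifest's SHA-256 (the 'seal')."""
    (bag / "manifest-sha256.txt").write_text("".join(
        f"{sha256_file(p)}  {p.relative_to(bag).as_posix()}\n" for p in _payload_files(bag)),
        encoding="utf-8")
    (bag / "tagmanifest-sha256.txt").write_text("".join(
        f"{sha256_file(bag / t)}  {t}\n" for t in TAG_FILES), encoding="utf-8")
    return sha256_file(bag / "tagmanifest-sha256.txt")

def make_bag(src, bag_dir) -> str:
    """Copy src into bag_dir/data and write the RFC 8493 tag files. Returns the seal,
    the one value to hand to the recipient by a separate channel."""
    bag = Path(bag_dir)
    shutil.copytree(src, bag / "data")
    (bag / "bagit.txt").write_text(
        "BagIt-Version: 1.0\nTag-File-Character-Encoding: UTF-8\n", encoding="utf-8")
    payload = _payload_files(bag)
    oxum = f"{sum(p.stat().st_size for p in payload)}.{len(payload)}"  # Payload-Oxum
    (bag / "bag-info.txt").write_text(
        f"Bagging-Date: {date.today().isoformat()}\nPayload-Oxum: {oxum}\n", encoding="utf-8")
    return _write_manifests(bag)

def validate_bag(bag_dir, seal=None) -> list:
    """Return the problems found; an empty list means complete and valid.
    With the out-of-band seal it also catches a bag that was altered and re-manifested."""
    bag = Path(bag_dir)
    if not (bag / "bagit.txt").is_file():
        return ["bagit.txt missing: not a bag"]
    problems = []
    for name in ("tagmanifest-sha256.txt", "manifest-sha256.txt"):
        if not (bag / name).is_file():
            problems.append(f"{name} missing")
            continue
        for rel, digest in _read_manifest(bag / name).items():
            f = bag / rel
            if not f.is_file():
                problems.append(f"listed but missing: {rel}")
            elif sha256_file(f) != digest:
                problems.append(f"checksum mismatch: {rel}")
    if (bag / "manifest-sha256.txt").is_file():  # completeness: nothing unlisted in data/
        listed = _read_manifest(bag / "manifest-sha256.txt")
        for p in _payload_files(bag):
            if p.relative_to(bag).as_posix() not in listed:
                problems.append(f"in data/ but not in manifest: {p.relative_to(bag).as_posix()}")
    tagman = bag / "tagmanifest-sha256.txt"
    if seal and tagman.is_file() and sha256_file(tagman) != seal:
        problems.append("seal mismatch: tag manifest differs from the value received out of band")
    return problems

def demo():
    """Constructed case folder; bag it, then simulate two kinds of tampering in transit."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "case"
        (src / "exhibits").mkdir(parents=True)
        (src / "exhibits" / "EX-01.img").write_bytes(b"\x00" * 2048)
        (src / "report.txt").write_text("Evidence report v1\n")
        bag = Path(tmp) / "case-bag"
        seal = make_bag(src, bag)
        clean = validate_bag(bag, seal)
        # 1. One byte flipped in the payload: the payload manifest catches it.
        (bag / "data" / "exhibits" / "EX-01.img").write_bytes(b"\x01" + b"\x00" * 2047)
        tampered = validate_bag(bag, seal)
        # 2. Manifests regenerated to cover it: consistent on its own, caught only by the seal.
        _write_manifests(bag)
        return clean, tampered, validate_bag(bag), validate_bag(bag, seal)

if __name__ == "__main__":
    for label, result in zip(("clean", "tampered", "resealed", "resealed+seal"), demo()):
        print(f"{label:14}: {result}")
```

The validator checks the bag in both directions: every manifest entry must exist with the right digest, and every file under data/ must appear in the payload manifest, so a file smuggled into the pack is reported as well as one altered or removed. The seal check is the only step that needs information from outside the bag, which is exactly why it belongs on the certificate or in the covering letter rather than inside the pack.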

Conclusion

Hashing tells you a file is unchanged; chain of custody tells you the evidence was handled properly and that the record proving it can itself be trusted. Court-defensible digital evidence needs both. e-Dex, the Digital Evidence Integrity Suite, brings them together: integrity hashing, a tamper-evident audit chain, custody events, snapshot & verify, a Defendability Score and self-verifying packs, all on a single Windows machine.

Frequently Asked Questions

What is chain of custody in digital evidence?

Chain of custody is the documented, unbroken history of evidence from collection to presentation in court. It records who acquired the file, on which device, at what time, and who accessed it afterwards and why. A hash proves the file is unchanged, but the custody record explains how it was handled. Both are needed for admissibility.

Why isn't a hash alone enough to prove evidence integrity?

A hash only confirms a file is byte-for-byte identical to an earlier copy. It says nothing about process: who opened the case, when an exhibit was re-verified, or how evidence moved between drives. Pasted into a spreadsheet, those handling notes are easily edited. To be defensible, the handling log itself must be tamper-evident.

What is a tamper-evident, hash-chained audit log?

It is an append-only log where each entry stores the SHA-256 hash of the previous entry, forming a hash chain. Edit or delete any past entry and every hash after it stops matching, so the tampering is detected the next time the chain is verified. It uses the same linking principle that makes a blockchain tamper-evident, applied to your evidence-handling history rather than transactions. Because someone who can rewrite the whole file could recompute every link, keep the latest entry's hash somewhere outside the log as well and check it during verification.

How does e-Dex help with chain of custody in India?

e-Dex is a free, offline Windows tool that records per-action custody events, maintains a hash-chained audit log, supports snapshot & verify, and produces a Defendability Score. These features help build a documented, tamper-evident handling record that supports the integrity expectations courts and forensic practitioners look for.

What is a self-verifying evidence pack?

A self-verifying evidence pack bundles a case into a portable package (BagIt, with CASE-UCO / DFXML sidecars) that anyone can validate later, even on a machine without e-Dex installed. The pack carries its own manifests and hashes, so a recipient can confirm that every file matches the manifests and nothing was altered in transit. Compare the pack's top-level manifest hash against a copy received by a separate channel as well; that is what closes the custody loop end to end, because a pack altered and re-manifested would otherwise still look consistent.