How to Build an Evidence Pack for a Case: A Step-by-Step Guide
Introduction: What an Evidence Pack Is
When a case turns on digital files — emails, photos, exported records, log files — the work does not end when you collect them. You still have to move them, store them and hand them to someone else in a way that survives scrutiny. The cleanest way to do that is to build an evidence pack: a self-contained, verifiable bundle of a case's digital evidence. Everything the case needs travels together in one package — the files, a record of their integrity, and the paperwork that explains them — so the set can be checked as a single unit. This guide explains how to build an evidence pack, what goes inside it, and why hashing lets anyone confirm it has not been tampered with. It is general information for practitioners, not legal advice.
What Goes In an Evidence Pack
A good pack has five parts. First, the evidence files themselves, the actual material the case relies on. Second, a manifest of hashes: a list naming every file with its cryptographic fingerprint and the algorithm used to compute it. Third, the chain-of-custody log, recording who handled the evidence, when, and what they did with it. Fourth, any certificates: an integrity certificate attesting to the recorded hashes, and any formal court certificate the matter requires. Fifth, a plain README that describes the pack's layout and tells a newcomer exactly how to verify it. The manifest and README are what turn a loose pile of files into something a stranger can check. For the custody side, our chain-of-custody checklist is a useful companion.
Why Hashing Makes the Pack Self-Verifying
The manifest is the clever part. A cryptographic hash is a fixed-length fingerprint computed over a file's bytes; change a single byte and the hash changes completely, and nobody can feasibly craft a different file that produces the same hash. By recording a hash for each file, the pack carries its own proof of integrity. Anyone who receives it can re-hash the contents and compare the results against the manifest; if every value matches, the files are exactly the ones the manifest describes, whatever happened in transit or storage. This is the idea behind the BagIt packaging format (RFC 8493), where a manifest of checksums ships alongside the payload so the bundle validates itself. One caveat matters in practice: a manifest that travels inside the pack proves that the pack is internally consistent, not that its sender is honest, because whoever can rewrite a file can also rewrite the manifest line for it. To take the sender out of the trust equation, anchor the manifest outside the pack: record the manifest's own hash in the custody log, send it by a separate channel, or attach a trusted timestamp or signature to it. With that anchor in place you do not have to trust the courier, the disk or the sender; the maths does the proving. That self-verifying quality is what separates an evidence pack from a plain zip file.
Step-by-Step: Building the Pack
1. Collect. Gather the material into a clean working folder. Keep the originals untouched and work on copies so the source is never modified.
2. Hash each item. Compute a hash (SHA-256 is a sound default) for every file, giving each one a fixed fingerprint.
3. Write the manifest. List each file with its hash, and name the algorithm in the manifest so a future verifier knows which hash to recompute. This is the index that makes the pack self-verifying.
4. Add custody and certificates. Drop in the chain-of-custody log and any integrity or court certificates so the pack records both who handled the evidence and that it is unaltered.
5. Package. Bundle the files, manifest, custody log, certificates and README into one folder or archive.
6. Verify and anchor. Before it leaves your hands, re-hash the contents against the manifest and confirm a clean match, then record the hash of the manifest itself in the custody log (or send it by a separate channel) so the recipient can tell a genuine manifest from one rewritten to match altered files. A free offline tool such as e-Dex handles the hashing, the manifest values and the integrity certificate on your own machine.
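The procedure above, the recipient's check described in the next section and the manifest-anchoring caveat from the hashing section, carried through as one added example in Python. This is illustrative code written for this article, not e-Dex code or any project's tooling; the data/ layout, the manifest-sha256.txt file name (borrowed loosely from BagIt) and the function names are assumptions, and the sample evidence files are constructed. It builds a manifest over a small pack, verifies it, then shows two failure modes: a changed file, which the manifest catches, and a changed file plus a rewritten manifest, which passes the internal comparison and is caught only by the manifest digest recorded outside the pack.

```python
"""Hash manifest for an evidence pack: build, anchor, verify.

Added example for this article, not e-Dex code. The data/ layout, the
manifest-sha256.txt name (borrowed loosely from BagIt) and all function
names are assumptions; the sample files in demo() are constructed."""
from __future__ import annotations
import hashlib
import shutil
import tempfile
from pathlib import Path

ALGO = "sha256"                 # recorded in the manifest file name for future verifiers
MANIFEST = f"manifest-{ALGO}.txt"
CHUNK = 1 << 20                 # hash in 1 MiB blocks so large files are never read whole


def hash_file(path: Path) -> str:
    h = hashlib.new(ALGO)
    with path.open("rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(pack: Path) -> dict[str, str]:
    """Hash every file under pack/data, keyed by POSIX-style relative path."""
    return {p.relative_to(pack).as_posix(): hash_file(p)
            for p in sorted((pack / "data").rglob("*")) if p.is_file()}


def write_manifest(pack: Path, entries: dict[str, str]) -> str:
    """Write 'digest  path' lines and return the manifest's own digest.
    That digest is the anchor to record in the custody log or send separately.
    Bytes are written directly so Windows newline translation cannot change it."""
    text = "".join(f"{d}  {p}\n" for p, d in sorted(entries.items()))
    (pack / MANIFEST).write_bytes(text.encode("utf-8"))
    return hashlib.new(ALGO, text.encode("utf-8")).hexdigest()


def read_manifest(pack: Path) -> dict[str, str]:
    entries: dict[str, str] = {}
    for line in (pack / MANIFEST).read_bytes().decode("utf-8").splitlines():
        if line.strip():
            digest, path = line.split("  ", 1)
            entries[path] = digest
    return entries


def verify_pack(pack: Path, anchor: str | None = None) -> dict[str, list[str]]:
    """Recipient-side check. Every list empty means the pack is clean.

    anchor is the manifest digest conveyed outside the pack. Without it, a
    party who rewrites both a file and the manifest still passes the internal
    comparison: the manifest alone shows consistency, not honesty."""
    report: dict[str, list[str]] = {"manifest": [], "modified": [], "missing": [], "unlisted": []}
    if anchor is not None and hash_file(pack / MANIFEST) != anchor:
        report["manifest"].append(MANIFEST)
    listed, present = read_manifest(pack), build_manifest(pack)
    for path, digest in listed.items():
        if path not in present:
            report["missing"].append(path)
        elif present[path] != digest:
            report["modified"].append(path)
    report["unlisted"] = sorted(set(present) - set(listed))
    return report


def demo() -> tuple[dict, dict, dict]:
    """Clean pack, then a changed file, then a changed file with a rewritten manifest."""
    root = Path(tempfile.mkdtemp())
    try:
        email_dir = root / "data" / "email"
        email_dir.mkdir(parents=True)
        (email_dir / "msg-001.eml").write_bytes(b"From: a@example.test\nSubject: invoice\n")  # constructed
        (root / "data" / "export.csv").write_bytes(b"id,amount\n1,100\n")                   # constructed
        anchor = write_manifest(root, build_manifest(root))
        clean = verify_pack(root, anchor)
        (root / "data" / "export.csv").write_bytes(b"id,amount\n1,900\n")   # one byte altered
        tampered = verify_pack(root, anchor)
        write_manifest(root, build_manifest(root))        # tamperer recomputes the manifest too
        recomputed = verify_pack(root, anchor)
        return clean, tampered, recomputed
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for label, report in zip(("clean", "tampered", "recomputed"), demo()):
        print(label, report)
```

The anchor argument is the point of the design: without it, the third scenario reports nothing wrong, because the rewritten manifest matches the altered file. Recording the manifest digest in the custody log, or sending it in a separate message, costs one line of text and is what lets the recipient distrust the sender rather than only the courier.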
Handing the Pack Over
The whole point of a self-verifying pack is that the recipient does not have to take your word for anything. When you hand it over, the other side opens the README, checks the manifest's own hash against the value you recorded in the custody log or sent separately, then runs the same hashing on each file and compares the output to the manifest. They verify independently: counsel, an expert, an opposing party or a regulator can all confirm the contents are exactly as packaged without having been present at collection. The custody log then explains the human story of who touched the evidence, and the certificates back the integrity claim. If you are scoping a larger collection effort, our defensible e-discovery collection checklist pairs well with this packaging step.
Best Practices
A few habits keep packs defensible over time. Keep the originals sealed and separate; the pack should always be built from copies so the source can be reproduced if questioned. Version your packs: if you add or correct material later, issue a new, clearly numbered pack rather than quietly editing an old one, and note the change in the custody log. Store the manifest safely, ideally in more than one place, and keep its own hash somewhere outside the pack (the custody log, a separate message or a trusted timestamp), because the manifest is the reference point the entire verification depends on; if it is lost or silently replaced, the self-checking property is gone. Finally, record the algorithm you used so a future verifier knows which hash to recompute. None of this needs special infrastructure; it is discipline plus a reliable hashing tool.
Frequently Asked Questions
What is an evidence pack for a case?
An evidence pack is a self-contained, verifiable bundle of a case's digital evidence. It gathers the evidence files together with a manifest of their hashes, the chain-of-custody log, any integrity certificates and a README into one package, so the whole set can be moved, stored and checked as a single unit. Because the manifest records a hash for every file, anyone who receives the pack can re-hash the contents and confirm nothing has changed.
What goes inside an evidence pack?
Five things: the evidence files themselves, a manifest listing each file with its cryptographic hash, the chain-of-custody log recording who handled the evidence and when, any integrity or court certificates that back the files, and a README that explains the pack's structure and how to verify it. The manifest and README make the pack understandable and checkable by someone who was not involved in building it.
How does hashing make an evidence pack self-verifying?
A cryptographic hash is a fixed-length fingerprint of a file's contents; change one byte and the hash changes completely. By recording a hash for every file in the manifest, the pack carries its own proof of integrity. A recipient simply re-hashes each file and compares the result against the manifest. If every value matches, the contents are unaltered. This is the idea behind the BagIt approach, where a manifest of checksums travels alongside the payload.
Do I need an internet connection to build an evidence pack?
No. Hashing files, writing the manifest and assembling the pack all happen locally on your own Windows machine. A free offline tool such as e-Dex computes the hashes and produces the integrity certificate without your evidence files ever leaving your computer. An internet connection is only needed if you choose to add an optional trusted timestamp.
How does the recipient verify an evidence pack independently?
The recipient opens the README, checks the manifest's own hash against the value recorded outside the pack (in the custody log, a separate message or a trusted timestamp), then runs the same hashing on each file in the pack and compares the results against the values in the manifest. They do not need to trust the sender or have been present at collection; the maths does the proving. If every hash matches, the files are exactly as packaged, and the custody log and certificates explain the rest of the story.
Conclusion
An evidence pack turns a scattered collection of files into one self-contained, self-verifying unit: the evidence, a manifest of hashes, the custody log, the certificates and a README, all travelling together so anyone can confirm the contents are unaltered. Build it from copies, version it, store the manifest safely, and let the recipient prove it for themselves. You can assemble and verify a pack in minutes, fully offline, on a single Windows machine with e-Dex — the free Digital Evidence Integrity Suite. Download it free and package your next case with confidence.