Proving Digital Evidence Was Not Altered: Hash-Before / Hash-After in the Chain of Custody
Introduction
A defence lawyer's most reliable line of attack on digital evidence is rarely "the file is fake" — it is "you cannot prove the file is the same one you seized." Between the moment a phone, laptop or disk image is collected and the moment it is produced in court, it passes through many hands: the first responder, the seizure officer, the forensic analyst, the property store. If any of those handoffs leaves a gap, the door opens to a tampering challenge. The practical answer is to prove digital evidence was not altered at every step — not by promising it, but by recording a verifiable fingerprint each time custody changes. That is exactly what the hash-before / hash-after feature in e-Dex (formerly Hash Calculator) is built to do.
Why "List of Names" Custody Is Not Enough
A traditional chain of custody is essentially a sign-out sheet: who held the exhibit, when, and why. It answers the question of where the evidence was, but it says nothing about whether the bytes changed while it was there. A signature on a register proves that a person took the package; it does not prove that the package they handed on was identical to the one they received. To rebut a tampering argument convincingly, the custody record has to carry proof of integrity, not just proof of possession.
The Hash: A Fingerprint That Changes If Anything Changes
A cryptographic hash (MD5, SHA-256, SHA-512, BLAKE3 and others) is a fixed-length digital fingerprint computed over a file. Two properties make it ideal for evidence: the same input always produces the same hash, and changing even a single bit produces a completely different hash. Recompute the hash of an exhibit at any later moment and you instantly know whether it is bit-for-bit identical to what was collected. The hash is the mathematical heart of any honest claim that evidence is unchanged.
Hash-Before / Hash-After at Every Handoff
e-Dex applies that fingerprint to each custody step. As the exhibit moves through its lifecycle — Seized → Transferred → Analyzed and onward — the custodian records the evidence hash as received (the "hash before") and the hash after their step is complete. e-Dex then compares the two automatically. When they are equal it prints "Integrity across handoff: MATCH - evidence unchanged". When they differ, it does not quietly paper over the gap: it flags the handoff as CHANGED, so the discrepancy is surfaced, investigated and explained on the record rather than discovered later by the other side.
A Custody Log That Is Itself Tamper-Evident
A per-step integrity check is only trustworthy if the log holding those checks cannot be quietly rewritten. In e-Dex the entire custody log is append-only and hash-chained: each entry incorporates the hash of the entry before it, the way links are joined in a physical chain. Add a new step and it locks on to the end; try to edit, delete or reorder an earlier entry and the chain no longer computes — the tampering is immediately visible. So it is not only the evidence that is protected from silent alteration; the record of the evidence's journey is protected too.
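The two mechanisms described above, the before/after comparison at each handoff and the hash-chained append-only log, are shown together in this added Python example, which is not e-Dex's own code. The entry fields, the all-zero genesis value and the canonical-JSON serialisation are assumptions made for illustration, and the evidence bytes are constructed.

```python
import hashlib
import json

GENESIS = "0" * 64  # assumed anchor value for the first entry's "prev" field

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def entry_hash(body: dict) -> str:
    # Canonical JSON so the same fields always serialise to the same bytes.
    return sha256_hex(json.dumps(body, sort_keys=True, separators=(",", ":")).encode())

def append_step(log, step, custodian, received: bytes, released: bytes):
    """Append one custody step, hashing the evidence as received and as released."""
    before, after = sha256_hex(received), sha256_hex(released)
    body = {"seq": len(log), "step": step, "custodian": custodian,
            "hash_before": before, "hash_after": after,
            "verdict": "MATCH" if before == after else "CHANGED",
            "prev": log[-1]["entry_hash"] if log else GENESIS}
    log.append({**body, "entry_hash": entry_hash(body)})
    return log[-1]

def verify_log(log):
    """Return a list of problems; an empty list means the chain is intact."""
    problems, prev = [], GENESIS
    for i, e in enumerate(log):
        body = {k: v for k, v in e.items() if k != "entry_hash"}
        if e["seq"] != i or e["prev"] != prev:
            problems.append(f"entry {i}: chain link broken")
        if entry_hash(body) != e["entry_hash"]:
            problems.append(f"entry {i}: contents do not match entry hash")
        if i and e["hash_before"] != log[i - 1]["hash_after"]:
            problems.append(f"entry {i}: received hash differs from previous release")
        if e["verdict"] != ("MATCH" if e["hash_before"] == e["hash_after"] else "CHANGED"):
            problems.append(f"entry {i}: verdict inconsistent with hashes")
        prev = e["entry_hash"]
    return problems

def demo():
    image = b"constructed sample disk image bytes"  # stand-in for a real exhibit
    log = []
    append_step(log, "Seized", "Officer A", image, image)
    append_step(log, "Transferred", "Store B", image, image)
    append_step(log, "Analyzed", "Analyst C", image, image + b"\x00")  # one byte added
    return log

if __name__ == "__main__":
    for e in demo():
        print(e["seq"], e["step"], "Integrity across handoff:", e["verdict"])
```

A chain like this exposes edits, deletions and reordering only as long as the latest entry hash is also held somewhere the person editing the log cannot rewrite, since anyone who controls the whole file can recompute every later link. A trusted timestamp over that head hash is one way to anchor it.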
From a Sign-Out Sheet to a Provable Integrity Record
Put together, these two ideas change what the chain of custody actually is. Instead of a list of names that asks the court to take possession on trust, you have a continuous, provable integrity record: every handoff carries a before-and-after fingerprint, every verdict is explicit, and the log binding it all together breaks loudly if touched. For a deeper treatment of how integrity, possession and documentation fit together, see our companion article on chain of custody for digital evidence beyond hashing.
Why This Matters in an Indian Courtroom
In India, electronic records are tendered with a certificate under Section 63 of the Bharatiya Sakshya Adhiniyam 2023 (the successor to Section 65B of the Indian Evidence Act), and the integrity of the record is routinely probed in cross-examination. A custody record that can show MATCH at each handoff — and a chained log that demonstrably has not been altered — gives the deponent something concrete to point to when tampering is alleged. It does not win the argument by itself, but it moves the conversation from "trust us" to "here is the proof," which is precisely where you want it.
A Note on Legal Advice
e-Dex helps you produce a clear, integrity-backed custody record; it is a tool, not a substitute for legal counsel and not a guarantee of admissibility. Whether and how such a record is accepted depends on the facts of your matter, who deposes, and the current text of the statute and any applicable rules. Always read the provision as it stands and take qualified advice where the stakes warrant it.
Frequently Asked Questions
How do you prove digital evidence was not altered in court?
You compute a cryptographic hash (such as SHA-256) of the evidence when it is collected and again at any
later point. If the two hashes match, the file is bit-for-bit identical to what was seized; if even one
byte changed, the hash changes completely. e-Dex records this hash before and after every custody handoff
and prints an explicit MATCH or CHANGED verdict, so integrity is provable rather than merely asserted.
What is the difference between hash-before and hash-after?
The hash-before is the hash of the evidence as the custodian received it at the start of their step. The
hash-after is the hash once their step is complete. When the two are equal, e-Dex prints "Integrity across
handoff: MATCH - evidence unchanged"; if they differ, it flags CHANGED so the discrepancy is investigated
and explained rather than hidden.
Does e-Dex need an internet connection to verify evidence integrity?
No. e-Dex runs fully offline on your own Windows machine. Hashing, the hash-before / hash-after comparison
and the append-only custody log all work without any network connection. An internet connection is only
used if you choose to apply an optional RFC-3161 trusted timestamp from a Time-Stamping Authority.
How is the chain of custody made tamper-evident?
The custody log is append-only and hash-chained: each entry incorporates the hash of the entry before it,
like links in a chain. Editing, deleting or reordering any entry breaks the chain and is immediately
detectable. This turns the chain of custody from a list of names into a continuous, verifiable integrity
record.
Is a hash-based integrity record admissible as evidence in India?
Admissibility is decided by the court on the facts of each matter and the applicable law, including Section
63 of the Bharatiya Sakshya Adhiniyam 2023 and the certificate requirements that succeed Section 65B of
the Indian Evidence Act. e-Dex is a tool that helps you produce a clear, integrity-backed record to
support such evidence; it does not by itself guarantee admissibility, and it is not a substitute for legal
advice. For more on the certificate itself, see our guide to the
evidence integrity certificate.
Conclusion
Tampering challenges thrive on gaps. The way to close them is to make integrity visible at every step: record the hash as the evidence is received, record it again after each handoff, let the tool declare MATCH or CHANGED, and keep the whole log in a chained, append-only form that breaks if touched. That turns a fragile sign-out sheet into a continuous, provable record you can stand behind under cross-examination. Download e-Dex — the Digital Evidence Integrity Suite and build a chain of custody that proves, rather than promises, that your evidence was not altered.