What Is Chain of Custody? A Plain-English Guide for Beginners

Chain of custody explained: a documented trail of who handled evidence, when and why

Introduction

If you have ever heard a lawyer, investigator or auditor talk about evidence being “thrown out on a technicality,” the technicality is often a broken chain of custody. The phrase sounds intimidating, but the idea behind it is simple and worth understanding whether you handle physical items, digital files, or both. This beginner-friendly guide answers the question “What is chain of custody?” in plain English: what it is, why it matters, what a custody log records, what tends to break it, and how a simple practice, hashing, can keep it intact. No legal background is needed to follow along.

What Chain of Custody Actually Is

Chain of custody is an unbroken, documented trail of who handled a piece of evidence, when they handled it, and why. Think of it as a relay race: each time evidence passes from one hand to the next, the handoff is recorded so there is never a moment where you cannot say who was responsible for it. The “chain” is the sequence of those handoffs, and “custody” is the responsibility for the evidence at each link. The aim is to be able to account for the item at every step, from the moment it is collected to the moment it is presented or relied upon. When every link is recorded, the chain is intact and the evidence can speak for itself.

Why It Matters

Chain of custody matters because a broken chain lets the other side challenge whether the evidence is authentic. If there is any gap — a stretch of time where nobody can say where the evidence was or who could reach it — a reviewer or a court may reasonably doubt that the item is genuine and unaltered. Once that doubt exists, the evidence can be weakened or set aside entirely, no matter how relevant it is. A clean, documented chain removes the doubt in advance. It does not make weak evidence strong, but it stops strong evidence from being dismissed over how it was handled. For anyone who may one day need their files to be believed, that protection is the whole point.

What a Custody Log Records

A custody log is the written record of the chain. For each step it captures four things: the handler who took possession, the date and time of the handoff, the action taken (collected, copied, transferred, analysed or stored), and — for digital evidence — the hash of the file at that step. The first three answer who, when and what. The fourth is what turns the log from a list of names into verifiable proof: a recorded hash at each handoff lets anyone confirm later that the file itself did not change between steps. A good log reads like a continuous story with no missing pages.

What Breaks a Chain of Custody

Chains usually break for mundane reasons rather than dramatic ones. The three most common are gaps in the record (a missing entry or an unexplained period where the evidence was unaccounted for), undocumented access (someone handled or could have handled the item without it being written down), and no integrity check (no way to prove the file is still bit-for-bit identical to what was collected). Any one of these creates an opening: if you cannot show where the evidence was, who touched it, or that it is unchanged, the chain is weakened and the evidence becomes challengeable. Discipline at every handoff is what prevents these gaps.

How Hashing Strengthens Custody

For digital evidence, hashing is the simplest and most powerful way to keep a chain solid. A cryptographic hash is a fixed-length digital fingerprint of a file’s contents; change a single byte and the fingerprint changes completely. If you record the hash when the file is collected and recompute it at each later handoff, a matching value proves the file did not change between handoffs. That turns the custody log into something anyone can verify for themselves rather than something they have to take on trust. You can compute and check these values offline with the e-Dex hash tool, and a recipient can later confirm a sealed certificate using the e-Dex certificate verifier. Hashing alone is not the whole chain — for the wider picture see our guide to the chain of custody for digital evidence, beyond hashing — but it is the verifiable thread that runs through every link.
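The custody log and the hash check described above can be combined into one small audit. The following is an added example, not code from e-Dex or from the original article; the field names, the `audit_log` function, the choice of SHA-256 and the sample entries are all assumptions made for illustration.

```python
import hashlib
from datetime import datetime

FIELDS = ("handler", "time", "action", "sha256")  # the four things a log entry records
ACTIONS = {"collected", "copied", "transferred", "analysed", "stored"}

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def audit_log(entries, current_bytes):
    """Return a list of findings; an empty list means the log checks out."""
    findings, baseline, last_time = [], None, None
    for n, entry in enumerate(entries, start=1):
        missing = [f for f in FIELDS if not entry.get(f)]
        if missing:  # an incomplete entry is a gap in the record
            findings.append(f"entry {n}: missing {', '.join(missing)}")
            continue
        if entry["action"] not in ACTIONS:
            findings.append(f"entry {n}: unknown action {entry['action']!r}")
        when = datetime.fromisoformat(entry["time"])
        if last_time and when < last_time:
            findings.append(f"entry {n}: time is earlier than the previous entry")
        last_time = when
        if baseline is None:
            baseline = entry["sha256"]  # hash recorded at collection
        elif entry["sha256"] != baseline:
            findings.append(f"entry {n}: hash differs from the collection hash")
    if baseline is None or sha256_hex(current_bytes) != baseline:
        findings.append("file in hand does not match the collection hash")
    return findings

# Constructed sample data (not from any real case).
ORIGINAL = b"constructed sample evidence\n"
ALTERED = ORIGINAL + b" "  # one extra byte changes the fingerprint
H = sha256_hex(ORIGINAL)
GOOD_LOG = [
    {"handler": "Collector A", "time": "2024-03-01T09:00:00+00:00", "action": "collected", "sha256": H},
    {"handler": "Courier B", "time": "2024-03-01T11:30:00+00:00", "action": "transferred", "sha256": H},
    {"handler": "Analyst C", "time": "2024-03-02T08:15:00+00:00", "action": "analysed", "sha256": H},
]
BAD_LOG = [
    GOOD_LOG[0],
    {"handler": "", "time": "2024-03-01T11:30:00+00:00", "action": "transferred", "sha256": H},
    {"handler": "Analyst C", "time": "2024-03-02T08:15:00+00:00", "action": "analysed", "sha256": sha256_hex(ALTERED)},
]

if __name__ == "__main__":
    print(audit_log(GOOD_LOG, ORIGINAL))
    for finding in audit_log(BAD_LOG, ALTERED):
        print(finding)
```

The audit only sees what was written down: it flags incomplete entries and hash mismatches, but an unexplained stretch of time between two complete entries still has to be judged by a person reading the log.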

Frequently Asked Questions

What is chain of custody in simple terms?
Chain of custody is the unbroken, documented trail that records who handled a piece of evidence, when they handled it, and why. Each time the evidence moves from one person or place to another, that handoff is written down. The goal is to be able to account for the evidence at every moment from collection to presentation, so that nobody can credibly claim it was tampered with along the way.

Why does chain of custody matter?
It matters because a broken chain lets the other side challenge the authenticity of the evidence. If there is a gap where nobody can say where the evidence was or who had access to it, a reviewer or court may doubt that it is genuine and unaltered. A complete, documented chain removes that doubt and lets the evidence be judged on its merits rather than dismissed over handling concerns.

What does a chain of custody log record?
A custody log records, for every step, the handler who took possession, the exact date and time of the handoff, the action taken (collected, copied, transferred, analysed, stored), and ideally a cryptographic hash of the file captured at that step. Recording the hash at each handoff turns the log from a list of names into verifiable proof that the file itself never changed between steps.

What breaks a chain of custody?
A chain breaks when there are gaps in the record, undocumented access to the evidence, or no integrity check to prove the file is unchanged. A missing entry, an unexplained period where the evidence was unaccounted for, or an inability to show the file is bit-for-bit identical to what was collected all weaken or break the chain and open the door to a challenge.

How does hashing strengthen chain of custody?
A cryptographic hash is a digital fingerprint of a file. If you record the hash when evidence is collected and recompute it at each later handoff, a matching value proves the file did not change between handoffs. This turns the custody log into something verifiable: instead of trusting that nobody altered the file, anyone can recompute the hash and confirm it for themselves. A free offline tool such as e-Dex can compute and verify these hashes on your own machine.

Conclusion

Chain of custody is not a piece of legal jargon to be afraid of — it is simply the documented story of who held a piece of evidence, when and why, told without any missing pages. Keep the log complete, avoid undocumented access, and record a hash at every handoff, and your evidence stays defensible. The hashing part is the easiest to get right, and it runs entirely on your own computer. You can start in minutes, offline and free, with e-Dex — the Digital Evidence Integrity Suite. Download it free and give every link in your chain something verifiable to stand on.