Evidence Chain of Custody Compromised
Evidence handling has gaps or integrity issues (missing hash verification, a broken custody log, unauthorized access to evidence storage, or transfers without documented handoffs). The evidence may still be technically useful, but its legal admissibility is now in doubt; pivot to secondary preservation and an early legal assessment.
Signals
- Gap in the custody log between transfers or handlers (the handler who released the item is not the one recorded as holding it)
- The current hash of the evidence does not match the hash recorded at acquisition
- Evidence-storage access logs show access by individuals not on the authorized-handler list
- Multiple copies of the same evidence exist without documented provenance
Pivot Actions
1. Preserve a secondary copy of the original evidence immediately, while integrity is still potentially recoverable, and document the timeline of the custody gap
2. Engage legal counsel for an admissibility assessment; not every chain-of-custody defect invalidates evidence, but counsel must weigh the risk
3. Re-acquire evidence from the original source where possible; each re-acquisition should start a fresh, fully documented custody chain
4. Document the custody failure formally; a transparent record of the issue is better than a concealed one and may preserve some evidentiary value
Alternate Evidence Sources
- Secondary evidence sources that were never part of the broken custody chain (cloud audit logs, SIEM-ingested copies, backup snapshots)
- Peer-system artifacts that independently corroborate the compromised evidence