Lesson 17 of 25

Evidence Collection, Chain of Custody, and Documentation

5 min read · CFE

Master the discipline that makes evidence hold up: an unbroken chain of custody, working from copies and forensic images rather than originals, and contemporaneous documentation. See how a broken chain can sink an otherwise perfect case.

Evidence you can defend

  • Collecting evidence is easy; preserving its integrity is the skill
  • Document, secure, and track everything
  • If you can't prove the evidence is reliable, it's worthless

An examination produces evidence, but evidence is only useful if you can prove it's authentic and untampered. This lecture is about discipline — the unglamorous habits that determine whether your work survives in court or collapses under cross-examination. The principle is simple to state and hard to live by: document everything, secure everything, and track everything from the moment it comes into your possession.

Think about why this matters. Under the rules of evidence, before a document or file can be admitted, it has to be authenticated — someone has to establish that it is what it claims to be. FRE Rule 901 captures that idea in US federal practice: authentication requires evidence sufficient to support a finding that the item is what its proponent says it is.

The opposing side's whole job is to make a judge doubt your evidence; your job is to make that doubt impossible by building an airtight record. On the exam, when a scenario hinges on whether evidence will hold up, ask first whether it can be authenticated and shown to be unaltered.

Chain of custody

  • An unbroken record of who had the evidence, when, and why
  • Every transfer logged: date, time, person, purpose
  • A gap in the chain can render evidence inadmissible

The central concept is chain of custody — a complete, unbroken record of everyone who handled a piece of evidence, when they had it, where it was stored, and what they did with it, from the moment of collection all the way to the courtroom. Every single time evidence changes hands or changes location, you log it: the date, the time, the person receiving it, and the purpose. Why so rigid?

Because if there's an unexplained gap — a stretch where no one can say where the item was or who controlled it — the other side can argue the evidence was altered, swapped, planted, or contaminated, and a judge may exclude it entirely. A perfect, damning piece of evidence with a broken chain of custody can become legally useless. So treat the custody log as part of the evidence itself, not paperwork you'll reconstruct later from memory.

Here's the recurring exam pattern: you'll get a scenario with a handoff that wasn't documented, or evidence left unattended on a desk overnight, and you'll be asked about the consequence. The consequence is a challenge to admissibility. Contemporaneous logging is the only thing that closes that door.
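The two handling defects the lecture describes (an undocumented handoff and an item left outside secure storage overnight) are exactly what a custody log should make visible. The following is an added example, not material from the lesson: a small log structure in which every transfer records who released the item, who received it, when, why and where, plus a check that the chain is continuous. All names, timestamps and the 24-hour "unlogged interval" threshold are constructed for illustration.

```python
"""Chain-of-custody log with a continuity check.

Added example, not part of the lesson. People, timestamps and the
`max_unlogged` threshold below are constructed assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class CustodyEntry:
    """One logged transfer: date/time, releasing person, receiving person,
    purpose of the transfer, and where the item was placed afterwards."""
    when: datetime
    released_by: str
    received_by: str
    purpose: str
    location: str


# Locations that count as secured storage (constructed for this example).
SECURE_LOCATIONS = {"Evidence Locker 2", "Forensic Lab"}


def find_custody_gaps(entries, max_unlogged=timedelta(hours=24),
                      secure_locations=SECURE_LOCATIONS):
    """Return a list of problems that would invite an admissibility challenge.

    The chain is intact when entries are chronological, every transfer is
    released by the person who last signed for the item, and no long
    unlogged stretch begins with the item outside secured storage.
    """
    entries = list(entries)
    if not entries:
        return ["no custody entries at all"]
    problems = []
    ordered = sorted(entries, key=lambda e: e.when)
    if ordered != entries:
        problems.append("entries are not in chronological order")
    for prev, cur in zip(ordered, ordered[1:]):
        if cur.released_by != prev.received_by:
            # An undocumented handoff: someone released the item who never
            # signed for it, so a stretch of custody is unexplained.
            problems.append(
                f"{cur.when:%Y-%m-%d %H:%M}: released by {cur.released_by} but "
                f"last logged custodian was {prev.received_by}"
            )
        if cur.when - prev.when > max_unlogged and prev.location not in secure_locations:
            # Item sat somewhere unsecured (e.g. a desk) with no entry for a long stretch.
            problems.append(
                f"{prev.when:%Y-%m-%d %H:%M} to {cur.when:%Y-%m-%d %H:%M}: "
                f"no entry while item was at '{prev.location}'"
            )
    return problems


T0 = datetime(2024, 3, 4, 9, 0)  # constructed start time

# Constructed intact chain: every release matches the previous receipt.
INTACT_CHAIN = [
    CustodyEntry(T0, "A. Ortiz (controller's office)", "J. Lee (examiner)",
                 "collected invoice file #1042", "Evidence Locker 2"),
    CustodyEntry(T0 + timedelta(hours=2), "J. Lee (examiner)", "M. Patel (forensic lab)",
                 "imaging and hashing", "Forensic Lab"),
    CustodyEntry(T0 + timedelta(hours=6), "M. Patel (forensic lab)", "J. Lee (examiner)",
                 "return after imaging", "Evidence Locker 2"),
]

# Constructed broken chain: item left on a desk overnight, then released the
# next morning by someone who never signed for it.
BROKEN_CHAIN = [
    CustodyEntry(T0, "A. Ortiz (controller's office)", "J. Lee (examiner)",
                 "collected invoice file #1042", "J. Lee's desk"),
    CustodyEntry(T0 + timedelta(days=1, hours=1), "R. Chen (examiner)",
                 "M. Patel (forensic lab)", "imaging", "Forensic Lab"),
]

if __name__ == "__main__":
    for name, chain in (("intact", INTACT_CHAIN), ("broken", BROKEN_CHAIN)):
        print(name, find_custody_gaps(chain) or "chain is continuous")
```

The check is deliberately strict: it does not try to guess what happened in a gap, it only reports that the log cannot account for it, which is the same position a court will take.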

Handling documents and electronic evidence

  • Originals preserved; work from copies where possible
  • Don't alter, annotate, or fold originals
  • Digital: image the source; preserve metadata; hash to verify

Handle physical and digital evidence differently, but with the same underlying care. For paper, preserve originals untouched — don't write on them, don't staple or fold them, don't highlight or annotate them; work from copies and keep the originals secured, because the best-evidence principle may require you to produce the original document later, and a marked-up original is a damaged original. For electronic evidence, the gold standard is to make a forensic image — a complete bit-for-bit copy — of the source and then analyze that copy, never the live original, so you don't change a single byte.

This is critical: simply opening a file or booting a suspect's laptop can alter access timestamps and overwrite data, which is exactly why you image first. Preserve metadata, the hidden data about the data, which often tells you who created or last modified a file and precisely when — invaluable when someone backdates a document. And use cryptographic hash values, a kind of digital fingerprint, to prove the image is identical to the source and hasn't changed since collection; if the hash matches, the copy is provably pristine.

Mishandled digital evidence — a phone searched live, a drive analyzed in place — is one of the most common ways otherwise strong cases fall apart.
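To make the image-then-hash discipline concrete, here is an added example that is not part of the lesson: a byte-for-byte copy of a source file is taken while hashing the stream, the recorded hash is checked against both the source and the image, and a single changed byte in the image is shown to break verification. The file names and sample content are constructed; a real acquisition reads a write-blocked device rather than an ordinary file, and the acquisition hash is what goes into the custody record.

```python
"""Forensic-image acquisition with SHA-256 verification.

Added example, not part of the lesson. File names and contents are constructed
stand-ins; a real acquisition reads a write-blocked device.
"""
import hashlib
import tempfile
from pathlib import Path

CHUNK = 1 << 16  # read in 64 KiB chunks so large sources never sit in memory


def sha256_of_file(path):
    """Hash a file in chunks and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def acquire_image(source, image):
    """Copy `source` to `image` bit for bit, hashing the stream as it is read.

    Returns the acquisition hash, which is recorded in the custody log at the
    moment of collection so later verification has a reference value.
    """
    h = hashlib.sha256()
    with open(source, "rb") as src, open(image, "wb") as dst:
        for chunk in iter(lambda: src.read(CHUNK), b""):
            h.update(chunk)
            dst.write(chunk)
    return h.hexdigest()


def verify_image(image, recorded_hash):
    """True when the image still hashes to the value recorded at acquisition."""
    return sha256_of_file(image) == recorded_hash


def demo():
    """Acquire, verify, then show that a one-byte change is detected."""
    with tempfile.TemporaryDirectory() as d:
        source = Path(d) / "suspect_drive.bin"   # stands in for the seized device
        image = Path(d) / "suspect_drive.dd"     # the copy we analyze instead
        # Constructed sample content, 1 MiB of a repeating byte pattern.
        source.write_bytes(bytes(range(256)) * 4096)

        acquisition_hash = acquire_image(source, image)
        results = {
            "image_matches_source": sha256_of_file(source) == acquisition_hash,
            "image_verifies": verify_image(image, acquisition_hash),
        }

        # Change a single byte in the image, as an in-place "fix" or a stray
        # write would; the fingerprint no longer matches the recorded value.
        with open(image, "r+b") as f:
            f.seek(1000)
            original = f.read(1)
            f.seek(1000)
            f.write(bytes([original[0] ^ 0x01]))
        results["tampered_image_verifies"] = verify_image(image, acquisition_hash)
        return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Note that the hash proves only that the copy equals the source as it was at acquisition; it says nothing about what happened to the source before collection, which is why the log entry recording when and by whom the hash was taken matters as much as the value itself.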

Organizing and documenting the case

  • A logical, indexed evidence and document-management system
  • Memos of interview; a clear, contemporaneous record
  • Document your reasoning, not just your conclusions

A complex examination can generate thousands of documents, so organization is itself a skill. Build a logical, indexed system — often a document-control database — so you can find any item and show how it connects to your conclusions. Memorialize interviews promptly with memoranda while memory is fresh.

And document your reasoning along the way, not just your final answers, so the file shows how the evidence led to the conclusion. Contemporaneous, well-organized documentation does two things at once: it makes your report defensible, and it lets a colleague — or a court — retrace your steps. If it isn't written down, in practice it didn't happen.

Custody, integrity, and exam strategy

  • Secure storage; restricted access; logged movement
  • Never the original for analysis — always a verified copy
  • On the exam: a broken chain or altered original sinks evidence

Pulling it together: store evidence securely with restricted access, log every movement, analyze copies rather than originals, and verify those copies with hashes. These habits aren't bureaucracy for its own sake — they are precisely what makes your evidence admissible and your testimony credible when you're under cross-examination. A defense attorney can't change what your evidence shows, so instead they attack how you handled it; disciplined custody and integrity take that attack off the table.

For the exam, the recurring trap is a scenario where evidence was handled carelessly — the original was marked up, a laptop was searched live instead of imaged, the file lived on a shared drive anyone could edit, or a custody log has an unexplained gap — and you're asked about admissibility. Train yourself to spot the handling defect and connect it to the consequence. When the integrity of the evidence is in doubt, the evidence itself is in jeopardy, no matter how incriminating it looks.

Next, we turn to the most human part of investigation: the interview.

Sources

  • Chain of custody principles
  • Rules of evidence on authentication (FRE 901)
  • Evidence handling and documentation standards
  • ACFE evidence-management guidance
  • Best-evidence principle
