Chain of Custody
Maintain court-admissible chain of custody with SHA-256 hashing, timestamp verification, comprehensive audit trails, and export documentation.
Chain of Custody#
Maintaining an unbroken chain of custody is essential for the admissibility of digital evidence. FrameCounsel automates the documentation required to demonstrate that video evidence has not been altered, tampered with, or mishandled from the moment it enters your possession.
Chain of custody is not just a documentation exercise. It is the legal foundation that determines whether your evidence reaches the jury or gets excluded. Every design decision in FrameCounsel is made with this reality in mind.
Why Chain of Custody Breaks When Data Touches the Cloud#
Cloud Processing Breaks the Chain
The moment evidence data is uploaded to a cloud server for processing, you have introduced a third party into the chain of custody. You cannot testify to what happened to that data on someone else's server. You cannot verify who accessed it, whether copies were made, or whether the data was modified during processing. The chain is broken, and opposing counsel will exploit that gap.
Cloud-based forensic tools create a fatal weakness in your evidence handling:
- You lose physical control: Once data leaves your machine, it resides on servers you do not own, in data centers you cannot access, managed by employees you have not vetted
- Server-side processing is a black box: You cannot testify under oath about what happened to your evidence file on a remote server. Was it cached? Was it logged? Was it processed alongside other users' data?
- Copies may exist without your knowledge: Cloud infrastructure involves load balancers, caches, CDNs, backup systems, and disaster recovery replicas. Your evidence may exist in multiple locations you do not control.
- Access logs are not yours: The cloud provider's access logs are their property. You may not be able to obtain them, and even if you can, you cannot independently verify their completeness.
- Metadata leakage: Even if the file contents are "encrypted in transit," the metadata about your upload (file name, size, timestamps, your IP address, your account identity) is visible to the cloud provider.
How Opposing Counsel Exploits Cloud Processing#
A savvy prosecutor or opposing attorney will ask:
- "Can you testify that no unauthorized person accessed this evidence file?"
- "Can you confirm that the file was not modified during cloud processing?"
- "Do you have complete access logs for every system that touched this file?"
- "Can you rule out that copies of this evidence exist on the provider's backup servers?"
If you used a cloud tool at any point in your evidence handling, the honest answer to all of these questions is no. FrameCounsel ensures you can answer yes to every one.
Warning About Other Tools#
Many "forensic" tools marketed to attorneys upload evidence to cloud servers for processing. Be especially cautious of:
- Tools that require an internet connection for analysis features
- Tools that describe their AI as "cloud-powered" or "server-side"
- Tools where the processing takes place in a web browser
- Tools that require you to create an account and upload files to "your workspace" (which is their server)
- Any tool that processes your evidence on infrastructure you do not physically control
Simple Test
If a forensic tool works faster than your Mac's hardware could process the same file locally, it is almost certainly sending your data to a cloud server for processing. FrameCounsel's processing speed is determined by your Mac's Neural Engine, which is your guarantee that the work is happening on your machine.
How FrameCounsel Maintains Chain from Import to Court#
FrameCounsel provides an unbroken, cryptographically verifiable chain of custody from the moment evidence enters your possession to the moment it is presented in court.
Step 1: Evidence Import and Hashing#
Every file imported into FrameCounsel is immediately hashed using the SHA-256 cryptographic algorithm. This hash serves as a digital fingerprint that uniquely identifies the file's exact contents.
- The hash is computed at import time and stored in the case database
- Any modification to the file, even a single byte, would produce a completely different hash
- Hashes can be verified at any time by selecting the file and choosing Tools > Verify Integrity
- Hash values are included in all exported reports and court documentation
Hash Verification
Press to run an integrity check on all evidence files in the current case. FrameCounsel recomputes every hash and compares it against the original import hash, flagging any discrepancies immediately.
Step 2: Continuous Integrity Monitoring#
Throughout the life of the case, FrameCounsel continuously monitors evidence integrity:
- Pre-analysis verification: Before any AI pipeline runs, the file hash is recomputed and verified
- Post-processing documentation: After any enhancement or processing, new derivative files receive their own hashes, and the processing chain is fully documented
- Background verification: Periodic background checks ensure no file has been modified outside of FrameCounsel
- Export verification: Before any report or court document is generated, all referenced evidence is re-verified
Step 3: Immutable Audit Trail#
Every action is logged in an append-only, cryptographically chained audit trail. Each entry includes:
| Field | Description |
|---|---|
| Timestamp | UTC time of the action |
| User | The macOS account that performed the action |
| Action | The specific operation (import, view, analyze, enhance, export, etc.) |
| Target | The evidence file or case element affected |
| Parameters | Details of the action (e.g., enhancement settings, export format) |
| Hash Before/After | File hashes before and after any processing step |
| Entry Hash | SHA-256 hash of this log entry, chaining it to the previous entry |
The audit trail is tamper-evident: modifying or removing any entry breaks the cryptographic chain, making the alteration immediately detectable.
View the audit trail from Tools > Audit Trail or press .
Opposing Counsel Requests
When opposing counsel requests verification of evidence handling, export the audit trail as a standalone document. This provides a complete, verifiable record of every action taken on the evidence without requiring access to your full case file.
Step 4: Court-Ready Export#
When it is time to present evidence in court, FrameCounsel generates a complete chain-of-custody package that includes:
- The evidence file itself with its current SHA-256 hash
- The original import hash for comparison
- The complete audit trail for that evidence file
- A Certificate of Authenticity with digital signature
- Documentation of every processing step and its parameters
The Pro-G40 as Physical Chain of Custody#
The SanDisk Professional Pro-G40 Thunderbolt SSD is not just a storage device -- it is a physical chain-of-custody mechanism. When your FrameCounsel workspace lives on a Pro-G40, you gain capabilities that no cloud service can replicate:
Physical Security Controls#
- Unplug and lock in a safe: When you are done working, disconnect the drive and secure it in a locked, fireproof safe. You now have physical proof that no one accessed the evidence during off-hours.
- Physical access log: Maintain a sign-out sheet for the drive, documenting who took custody, when, and for what purpose. This is the gold standard for chain of custody.
- Transport to court: Bring the drive to the courthouse. Plug it into your courtroom Mac. Present evidence directly from the same drive where the analysis was performed. No file transfers, no email attachments, no cloud downloads.
- Transport to experts: Hand the drive to your expert witness. They plug it in, review the analysis in FrameCounsel, and return the drive. The audit trail documents their access.
- Transport to jail: Bring the drive to client meetings at detention facilities. Review evidence with your client without any data traversing facility networks.
Hardware Encryption#
The Pro-G40 includes built-in 256-bit AES hardware encryption. Combined with FrameCounsel's software encryption, your evidence is protected by two independent layers:
- Drive-level: The Pro-G40's hardware encryption prevents access to the raw drive contents without the drive password
- Application-level: FrameCounsel's workspace encryption prevents access to case data without your FrameCounsel credentials
Even if the drive is stolen, an attacker faces two independent encryption barriers.
IP68 Durability Rating#
Evidence drives get transported in briefcases, car trunks, and courthouse hallways. The Pro-G40 is built for it:
- IP68: Dust-tight and waterproof (submersible to 2 meters for 30 minutes)
- 3-meter drop protection: Survives falls from desk height onto hard floors
- 4,000 lb crush resistance: Withstands being stepped on or having heavy objects placed on it
- Thunderbolt 3 speeds: Up to 3,000 MB/s read, so scrubbing through 4K body camera footage is instantaneous
Evidence Drive Protocol
Create a formal evidence drive protocol for your firm: log every checkout and return, store the drive in a safe when not in use, and include the drive access log in your chain-of-custody documentation. This level of physical control is something no cloud service can ever provide.
Timestamp Verification#
FrameCounsel records precise timestamps for every significant event in the evidence lifecycle:
- Import time - When the file was first added to the case project
- Analysis events - When each analysis pipeline was run on the file
- Access log - Every time the file was opened, viewed, or played back
- Modification events - Any non-destructive enhancements, annotations, or edits applied
- Export events - When and in what format the evidence was exported
All timestamps use the system clock synchronized via NTP (when network is available) and are recorded in UTC to avoid timezone ambiguity.
Court-Admissible Documentation#
FrameCounsel generates chain-of-custody documentation formatted to meet the evidentiary standards of federal and state courts:
- Certificate of Authenticity - A signed declaration that the evidence has been maintained in an unbroken chain with hash verification
- Evidence Handling Log - A chronological record of every person and process that accessed the evidence
- Integrity Report - A technical report documenting the hashing algorithm, verification results, and any processing applied to the evidence
Export Formats#
Chain of custody documentation can be exported in:
- PDF - Formatted for court filing with digital signatures
- XML - Machine-readable format for integration with case management systems
- JSON - Structured data for custom reporting workflows
Export from File > Export Chain of Custody and select the scope (single file, all evidence, or entire case).
Next Steps#
Review Privacy & Security for a comprehensive guide to air-gapped mode, evidence vault setup, and cloud AI threats. Then generate professional court-ready output with Court Reports.