Bearpoint

SHA-256 Chain of Custody for Civil Rights Evidence

A pro se field manual. Hash on day one, mirror the originals, log every step, and authenticate at trial under Federal Rule of Evidence 901. The work is unglamorous and it wins cases.

Bearpoint Foundation provides comprehensive research so a lawyer can litigate. We do not provide legal services and nothing on this page is legal advice. Federal Rules of Evidence and state-court authentication standards evolve. Always verify current FRE 901 and the relevant state-court rules before relying on any specific authentication pathway.

What Chain of Custody Means (And Why Pro Se Litigants Almost Never Build One)

Chain of custody is the documented record of who handled a piece of evidence, when, and how. It traces a file from the moment it left the source to the moment it appears in court, with every transfer and every transformation logged. Federal Rule of Evidence 901(a) requires authentication "sufficient to support a finding that the item is what the proponent claims it is." Without a chain of custody, evidence can be excluded as unreliable or given so little weight that it functionally disappears at trial.

Most pro se litigants treat receipt of a document as the end of the documentation process. In reality it is the beginning. The party who can prove the file in evidence is bit-for-bit identical to the file produced six months earlier has resolved authentication before the other side can raise it. The party who saved a download to their desktop, edited it, renamed it, and emailed it to themselves has, in evidentiary terms, no idea what they are holding.

Why SHA-256 Is the Right Tool

SHA-256 is a cryptographic hash function. It maps any digital file to a fixed 256-bit fingerprint, conventionally written as 64 hexadecimal characters. Two properties matter for evidentiary purposes. First, the same file always produces the same hash. Second, changing one byte produces an entirely different hash with no recognizable relationship to the original. As of 2026 SHA-256 has no known collision vulnerabilities. Federal courts and federal agencies, including the FBI Computer Analysis Response Team, NIST (FIPS 180-4), and the Department of Defense, treat SHA-256 fingerprints as forensically reliable proof of evidence integrity.

Hashing on Day One

The single most important habit. When you receive any digital file (email, PDF, screenshot, audio, video), compute the SHA-256 hash immediately and log it. Three command-line options cover nearly every environment:

Save the hash, the filename, the date and time of receipt, and the source in a single log file. That log is your custody document. It needs to be contemporaneous, accurate, and never edited after the fact. If you must correct an entry, add a new line with its own timestamp; never overwrite history.

The Mirror Pattern

Never work on originals. The day a file arrives, copy it to a read-only mirror directory and treat that copy as the canonical reference. All analysis, redaction, conversion, and annotation happens on disposable working copies. If a working copy gets corrupted, re-derive a fresh copy from the read-only mirror and re-hash to confirm integrity against the day-one log. On Windows, set the read-only attribute. On macOS or Linux, chmod 444 the files. Cloud-only storage is not a substitute for a local mirror; a vendor outage or account dispute should never sit between you and your evidence.

Metadata Preservation

The file contents are only half the evidence. Metadata, the embedded record of who created the file, when, with what software, on what device, is often where spoliation becomes visible. For PDFs, exiftool -a -G -s file.pdf outputs every metadata field grouped by source, including Producer, Creator, CreateDate, ModifyDate, and embedded XMP. For emails, retain the native .eml or .msg file, never a screenshot or text export, because the headers contain the routing path, DKIM signatures, and Message-ID that authenticate the message. For images, preserve the EXIF block (camera model, GPS if present, timestamps). Spoliation often surfaces in metadata before it surfaces in content; preserving metadata is forensic insurance.
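What a native .eml file carries that a screenshot or text export does not, as an added example (not code from the original page). The function name `email_custody_fields` and the sample message, including its `.example` domains and placeholder signature values, are constructed for illustration.

```python
import hashlib
from email import message_from_bytes

# Constructed sample message; the DKIM values are placeholders, not a real signature.
SAMPLE_EML = (
    b"Received: from mail.agency.example by mx.recipient.example;"
    b" Mon, 02 Mar 2026 10:15:00 -0800\r\n"
    b"Received: from desk.agency.example by mail.agency.example;"
    b" Mon, 02 Mar 2026 10:14:58 -0800\r\n"
    b"DKIM-Signature: v=1; a=rsa-sha256; d=agency.example; s=sel1;\r\n"
    b" h=from:to:subject; bh=PLACEHOLDER=; b=PLACEHOLDER=\r\n"
    b"Message-ID: <constructed-001@agency.example>\r\n"
    b"From: records@agency.example\r\n"
    b"To: requester@recipient.example\r\n"
    b"Subject: Records response\r\n"
    b"\r\n"
    b"See attached.\r\n"
)

def email_custody_fields(raw):
    """Pull the authenticating headers out of the raw bytes of a native .eml file."""
    msg = message_from_bytes(raw)
    dkim_domains = []
    for sig in msg.get_all("DKIM-Signature", []):
        # A DKIM-Signature header is a ';'-separated list of tag=value pairs.
        tags = dict(t.strip().split("=", 1) for t in str(sig).split(";") if "=" in t)
        dkim_domains.append(tags.get("d", "").strip())
    return {
        "sha256": hashlib.sha256(raw).hexdigest(),  # hash the native bytes, not a rendering
        "message_id": str(msg["Message-ID"] or "").strip(),
        # Routing path, newest hop first, with folded whitespace collapsed.
        "received": [" ".join(str(r).split()) for r in msg.get_all("Received", [])],
        "dkim_domains": dkim_domains,
    }

if __name__ == "__main__":
    print(email_custody_fields(SAMPLE_EML))
    # A text export of the body alone has none of these fields and a different hash.
    print(email_custody_fields(b"See attached.\r\n"))
```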

The Custody Log Format

A defensible custody log needs at minimum seven fields per entry: (1) date and time of receipt, (2) source, meaning the person, agency, or portal the file came from, (3) the filename as received, (4) the SHA-256 hash, (5) the file size in bytes, (6) any transformations applied (e.g., "converted DOCX to PDF for archival 2026-03-15"), and (7) the person who handled the file at each step. A simple CSV or markdown table is sufficient. Complex case management software is unnecessary at the documentation phase. Keep one master log per case, append-only. Back it up daily. Print a copy quarterly; paper is immune to ransomware.
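The day-one routine from the hashing, mirror, and custody-log sections combined into one step, as an added example (not code from the original page): hash the received file, copy it into a read-only mirror, confirm the copy is identical, and append one seven-field row. The function name `intake`, the CSV column names, and the UTC timestamp format are assumptions.

```python
import csv, hashlib, os, shutil, stat
from datetime import datetime, timezone
from pathlib import Path

# Column names are assumptions; they map one-to-one to the seven fields listed above.
FIELDS = ["received_utc", "source", "filename", "sha256",
          "size_bytes", "transformations", "handler"]

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        while chunk := f.read(1 << 20):  # 1 MiB chunks: large video never loads whole
            h.update(chunk)
    return h.hexdigest()

def intake(original, mirror_dir, log_path, source, handler, transformations="none"):
    """Hash a received file, mirror it read-only, and append one custody-log row."""
    original, mirror_dir = Path(original), Path(mirror_dir)
    digest = sha256_file(original)
    mirror_dir.mkdir(parents=True, exist_ok=True)
    mirror = mirror_dir / original.name
    if mirror.exists():
        # Never overwrite a mirrored original; a same-named file needs its own name and row.
        raise FileExistsError(f"{mirror} is already in the mirror")
    shutil.copy2(original, mirror)       # copy2 also carries over filesystem timestamps
    if sha256_file(mirror) != digest:    # the mirror must be bit-for-bit identical
        raise IOError("mirror copy does not match the received file")
    # Equivalent of chmod 444. This guards against accidental edits; the logged
    # hash, not the permission bit, is what later proves the file is unchanged.
    os.chmod(mirror, stat.S_IRUSR | stat.S_IRGRP | stat.S_IROTH)
    row = {"received_utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
           "source": source, "filename": original.name, "sha256": digest,
           "size_bytes": original.stat().st_size,
           "transformations": transformations, "handler": handler}
    new_log = not Path(log_path).exists()
    with open(log_path, "a", newline="") as f:  # mode "a": earlier rows are never rewritten
        writer = csv.DictWriter(f, fieldnames=FIELDS)
        if new_log:
            writer.writeheader()
        writer.writerow(row)
    return row
```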

Authentication at Trial: FRE 901 Pathways

Federal Rule of Evidence 901(b) lists illustrative methods of authentication. For digital evidence the most reliable subsections are 901(b)(1), testimony of a witness with knowledge, satisfied by the person who received and hashed the file; 901(b)(4), distinctive characteristics, including the SHA-256 hash itself as a forensic fingerprint; and 901(b)(9), evidence describing a process or system, satisfied by documenting the hashing workflow. A complete custody log with SHA-256 hashes supports authentication under multiple subsections simultaneously, which makes the foundation harder to attack on cross-examination. Self-authentication under FRE 902(13) and 902(14), the digital-evidence amendments effective December 2017, allows certified electronic records and certified data copied from electronic devices to come in without a sponsoring witness, provided a qualified person executes a written certification. The SHA-256 hash is the linchpin of that certification.

Hash Verification at Production

When producing evidence to opposing counsel or the court, include the SHA-256 hash alongside each file, either in a cover letter, in a Bates index, or in the file metadata. Opposing counsel can then verify integrity at their end with one command. Any subsequent dispute about whether evidence was altered is resolved by re-hashing the file in question and comparing. The hash also gets entered into the record at production, which creates a tamper-evident reference that no party can later edit without that edit being immediately visible.
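The receiving side of that check, as an added example (not code from the original page): re-hash a produced folder against the hashes that accompanied it and classify each file. The manifest layout of one `<hash>  <filename>` pair per line, the function name `verify_production`, and the sample file names are assumptions.

```python
import hashlib, re, tempfile
from pathlib import Path

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        while chunk := f.read(1 << 20):  # stream; exhibits can be multi-GB video
            h.update(chunk)
    return h.hexdigest()

def verify_production(manifest_text, root):
    """Map each manifest entry to 'OK', 'MISMATCH' or 'MISSING'."""
    root, results = Path(root), {}
    for line in manifest_text.splitlines():
        if not line.strip():
            continue
        parts = line.split(None, 1)  # "<64 hex chars>  <filename>"
        if len(parts) != 2 or not re.fullmatch(r"[0-9a-fA-F]{64}", parts[0]):
            raise ValueError(f"malformed manifest line: {line!r}")
        expected, name = parts[0].lower(), parts[1].strip().lstrip("*")
        rel = Path(name)
        if rel.is_absolute() or ".." in rel.parts:
            # The manifest comes from another party: only hash files inside root.
            raise ValueError(f"path escapes production folder: {name!r}")
        target = root / rel
        if not target.is_file():
            results[name] = "MISSING"
        elif sha256_file(target) == expected:
            results[name] = "OK"
        else:
            results[name] = "MISMATCH"
    return results

if __name__ == "__main__":
    # Constructed demo: one intact exhibit, one altered by a single byte, one absent.
    with tempfile.TemporaryDirectory() as d:
        (Path(d) / "A-001.pdf").write_bytes(b"constructed exhibit A")
        (Path(d) / "A-002.mp4").write_bytes(b"constructed exhibit B")
        manifest = "\n".join(f"{sha256_file(p)}  {p.name}" for p in sorted(Path(d).iterdir()))
        manifest += "\n" + "0" * 64 + "  A-003.eml"
        (Path(d) / "A-002.mp4").write_bytes(b"constructed exhibit b")
        print(verify_production(manifest, d))
```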

Audio and Video Evidence Special Considerations

Body camera footage, recorded calls, and security video each carry forensic risk. Preserve the native container format whenever possible (.mp4, .mov, .wav, .m4a). Transcoding to a different format, even one that looks visually identical, changes every byte and therefore changes the SHA-256 hash. If transcoding is necessary for usability, retain BOTH the original (read-only) and the working copy with separate hashes for each, and document the conversion as a transformation event in the custody log with the exact command or software used. For phone-captured audio or video, preserve the device file rather than a re-recording; AirDrop or USB transfer preserves the original container, while texting it to yourself often re-encodes it.

The Print-Then-Scan Anti-Pattern

Paradoxically common when pro se litigants try to "preserve" digital evidence by printing it and filing the paper. Printing a digital file destroys metadata, breaks the hash chain, and creates authentication headaches because the paper is a derivative work whose relationship to the original cannot be proven without the original. Always preserve the native digital file AND any printed exhibit; the digital is the master, the paper is a courtesy copy for the bench. The same logic applies to scanning a digital PDF "to make it cleaner" or screenshotting an email "for the file." These habits feel productive and quietly degrade the evidentiary record.

The Notary-Free Alternative: Sworn Declaration Under Penalty of Perjury

Federal law (28 U.S.C. § 1746) and most state laws, including Washington (RCW 9A.72.085), permit an unsworn declaration signed under penalty of perjury to substitute for a notarized affidavit in nearly every context. A signed declaration stating, in substance, "I received the file titled X on (date) at (time) from (source), and the SHA-256 hash at the moment of receipt was (hash)," carries evidentiary weight without notarization and can be executed in minutes. Sign each declaration as soon as practical after the event.

Common Mistakes

When to Bring in Bearpoint

The Foundation provides forensic-grade evidence architecture and custody infrastructure for civil rights matters. We help advocates and pro se litigants stand up the hashing workflow, the mirror discipline, and the declaration templates before authentication objections start landing. We do not replace counsel and we do not litigate. Email info@bearpointfdn.org.
