What is Chain of Custody?

George Socha

Simple in concept, chain of custody for electronically stored information (ESI) can be challenging in practice. In this post, I will discuss what chain of custody is; why it matters, particularly in civil litigation and investigations; and what you might hope for in a chain-of-custody system. Finally, I will preview the new Reveal Central virtual barcode system – an important tool to help meet your ESI chain-of-custody needs.


What is Chain of Custody?

Chain of custody is, according to the NIST Computer Security Resource Center,

A process that tracks the movement of evidence through its collection, safeguarding, and analysis lifecycle by documenting each person who handled the evidence, the date/time it was collected or transferred, and the purpose for the transfer.

As explained at Nolo, “The chain of custody shows the path the evidence took from the crime scene (or elsewhere) to the courtroom to ensure it's what the party says it is and it hasn't been tampered with.”

Chain of custody is important in the legal field – in investigations, civil matters, and criminal ones. Chain of custody matters in other areas as well. Fraud examiners need to keep track of when they receive evidence and when it leaves their care, custody, or control. It plays an important role in security and risk mitigation for critical infrastructure sectors and their assets. It is a key component of ensuring the successful operation of elections. Chain of custody even matters in fields like medicine, not just when medical professionals might need to testify but also for clinical use, when tracing food products, or when tracking controlled or prohibited substances.

The concept of chain of custody applies to all information we collect and intend potentially to use in civil matters, criminal ones, and investigations. This includes information we gather from people’s heads, information stored in tangible objects, information found on paper, and ESI.

That last group, ESI, is our focus for today.

Why Does Chain of Custody Matter?

For Authentication

The most frequently cited reason for why chain of custody matters seems to be for authenticating evidence at trial.

As a litigator, I rarely needed to present evidence of chain of custody for authentication. Few of my cases went to trial. According to a 2019 Pew Research Center article, only 2% of federal criminal defendants go to trial. In an article from a 2017 issue of Duke Law School’s Judicature, the authors noted that civil trials continue to disappear, with approximately 1% of all civil cases filed in federal court being resolved by trial.

In those cases that go to trial, according to Rule 901 of the Federal Rules of Evidence,

To satisfy the requirement of authenticating or identifying an item of evidence, the proponent must produce evidence sufficient to support a finding that the item is what the proponent claims it is.

Much more common, in my experience, is for parties to stipulate to the authenticity of documents, an approach advocated in this article from the Summer 2004 edition of the Oregon State Bar's Litigation Journal.

For Effectiveness and Efficiency

From my experience, a far more compelling reason to track chain of custody is the power quick access to that information can give you as you work up your case and take it to trial or as you pursue an investigation.

In matters I worked on as an attorney, testifying expert witness, and consultant, the most frequent reason to record and maintain readily accessible chain of custody information was to allow for a more efficient, effective process.

If, for example, you plan to use chat messages, email communications, word processing documents and the like when questioning a witness, you should know the provenance of that information. If you do not have information about where a document came from, you may not know whether it is something a witness was likely to have seen. Not knowing that might be okay during an interview. Not knowing and getting it wrong could decimate your cross examination at trial.

If you were to learn at one am that an unanticipated witness would take the stand at ten am, you would want ready access to the documents and information that you could tie to that person. For the early morning searches that you would need to conduct, chain-of-custody information can help you focus on the documents you likely will be able to get admitted. And if you do find that damning piece of information, having that chain of custody readily available will mean you can focus more of your limited time on preparing substantive lines of questioning, less on figuring out how to get the document properly admitted so that you can present it to the witness in just a few hours.

Long before you get to trial – if you ever do – having access to reliable chain-of-custody information can help streamline deposition and motion preparation; the information can better inform you about the costs versus benefits of attempting to use a specific document. And if you do choose to use a specific document, already having chain-of-custody information available means (a) you don’t need to spend the time trying to dig it up or reconstruct it during preparations and (b) you don’t need to expend precious time during the deposition or hearing laying that foundation.

Why Have an Integrated Chain-of-Custody System?

As a consulting or testifying expert, I have been brought into far too many matters where one or more of the parties had little to no ability to authoritatively state where certain pieces of information came from.

Sometimes they did not collect and save that information.

Sometimes they had the information but had not maintained it in an organized fashion.

At times they had the information and had it in an organized form, but lacked the tools needed to make effective use of the chain-of-custody information.

In none of the matters I worked on did the end clients, service providers, or law firms have a single system they could use to track and work with chain-of-custody information as they also collected, processed, and worked with electronically stored information (ESI) or other evidence.

Reveal Central’s Virtual Barcode System

On March 20, Reveal announced the acquisition of LIGL, the provider of the legal industry’s first and only cloud-based digital evidence and lifecycle management platform.

The purchase of LIGL allows Reveal to integrate the leading SaaS-based legal hold, evidence collection management, and eDiscovery workflow automation technology directly onto its Reveal 11 platform - offering users greater simplicity and efficiency. We will be rolling out this integrated function, called Reveal Central, in the months to come.

One part of Reveal Central is a chain-of-custody virtual barcode system. The system automatically generates a unique prefix for each matter, assigns a Preservation Name to each set of data put on hold in place, assigns a Volume BarCode to each set of data collected, and assigns an Export Set BarCode to each set of data exported to hosting. All four sets of numbers are related to each other so that you can use this information to track electronic evidence from the point of preservation or collection on.

Here is how that process works.

Prefix Automatically Assigned

When a new case is created in Reveal Central, the case automatically is assigned a unique Prefix. That Prefix is used to track all data for that matter. In this example, the Prefix is FKCA:

Preservation Name BarCode

If data is preserved in place, a Preservation Name is automatically assigned to the set of data being preserved:

The Preservation Name has five parts:

DH: Which stands for Data Hold.

L7V2: The four-letter prefix assigned to the matter.

MST: The three-character code assigned to the source. Here the source, MST, is Microsoft Teams.

001: These three digits are the tracking number assigned to the custodian.

001: The second set of three digits is the sequential code indicating the number of the preservation applied to date from this source for this custodian in this matter.

Volume BarCode Assigned When Data Collected

When data is collected, a Volume BarCode is automatically assigned to the set of data collected. For this exercise, I have highlighted four sets of data that have been collected. (These are mockups, as O365 did not yet exist during the days of Enron.)

One set of data is from Vladi Pimonov. The three other sets come from Vince Kaminski. The source for these sets of data is the same, O365 Exchange Server:


The Volume BarCode has four parts:

KFCA: The four-letter prefix assigned to the matter.

002: The three-digit tracking number assigned to the custodian. Here the custodian, 002, is Vince Kaminski.

OES: The three-character code assigned to the source. Here the source, OES, is O365 Exchange Server.

001: The three-digit sequential code indicating the number of the collection from this source for this custodian in this matter. Here, 001 lets us know that this is the first collection of data from the O365 Exchange Server for Vince Kaminski in this matter.

Export Set BarCode Assigned When Data Exported to Processing

When a set of data is exported to hosting, an Export Set BarCode is automatically assigned to that dataset. Here are the same sets of data shown above, now with Export Set BarCodes:

The Export Set BarCode also has four parts:

KFCA: The four-letter prefix assigned to the matter.

002: The three-digit tracking number assigned to the custodian. Here the custodian, 002, is Vince Kaminski.

EXP: The three-character code assigned to the action. Here the action, EXP, is the export of data to hosting.

001: The three-digit sequential code indicating the number of the collection from this source for this custodian in this matter. Here, 001 lets us know that this is the first collection of data from the O365 Exchange Server for Vince Kaminski in this matter.

Three of the four parts carry over from the Volume BarCode to the Export Set BarCode.
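
As an added illustration (not Reveal's code), the Python below parses the three identifier layouts described above, pairs a Volume BarCode with Export Set BarCodes on the three parts they share, and flags log entries that are malformed or carry another matter's prefix. The hyphen separator, the alphanumeric patterns, and the names `parse`, `exports_for` and `audit` are assumptions; the post lists the parts but not how they are joined.

```python
import re
from dataclasses import dataclass

SEP = "-"  # assumption: the post names the parts but not how they are joined

@dataclass(frozen=True)
class Barcode:
    kind: str       # "preservation", "volume" or "export"
    prefix: str     # matter prefix
    custodian: str  # three-digit custodian tracking number
    code: str       # source code (MST, OES, ...) or the action code EXP
    seq: str        # three-digit sequence number

# Part order follows the post; the prefix pattern allows digits (the post shows L7V2).
# Export is tried before volume because "EXP" would also match as a source code.
_S, _P, _C, _N = re.escape(SEP), r"[A-Z0-9]{4}", r"[A-Z0-9]{3}", r"[0-9]{3}"
_LAYOUTS = [
    ("preservation", rf"DH{_S}(?P<prefix>{_P}){_S}(?P<code>{_C}){_S}"
                     rf"(?P<custodian>{_N}){_S}(?P<seq>{_N})"),
    ("export", rf"(?P<prefix>{_P}){_S}(?P<custodian>{_N}){_S}(?P<code>EXP){_S}(?P<seq>{_N})"),
    ("volume", rf"(?P<prefix>{_P}){_S}(?P<custodian>{_N}){_S}(?P<code>{_C}){_S}(?P<seq>{_N})"),
]

def parse(text: str) -> Barcode:
    """Parse one identifier strictly; anything malformed raises ValueError."""
    for kind, pattern in _LAYOUTS:
        m = re.fullmatch(pattern, text.strip())
        if m:
            return Barcode(kind, **m.groupdict())
    raise ValueError(f"not a recognised barcode: {text!r}")

def exports_for(volume: Barcode, seen: list[Barcode]) -> list[Barcode]:
    """Export sets that share prefix, custodian and sequence with a volume."""
    key = (volume.prefix, volume.custodian, volume.seq)
    return [b for b in seen if b.kind == "export" and (b.prefix, b.custodian, b.seq) == key]

def audit(matter_prefix: str, raw: list[str]) -> list[str]:
    """Return log entries that are malformed or belong to another matter."""
    flagged = []
    for text in raw:
        try:
            if parse(text).prefix != matter_prefix:
                flagged.append(text)
        except ValueError:
            flagged.append(text)
    return flagged

if __name__ == "__main__":  # constructed log entries, not taken from a real matter
    print(audit("KFCA", ["KFCA-002-OES-001", "ABCD-002-OES-001", "KFCA-2-OES-1"]))
```
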

How the Reveal Central Virtual Barcode System Can Help Address Your Chain-of-Custody Needs

With the Reveal Central virtual barcode system, you can more efficiently and reliably record chain-of-custody information for the ESI you handle. As soon as you collect ESI, each set of data automatically is assigned a tracking code. When you move data to hosting, a second tracking code automatically is applied. You do not need to take any additional steps to record this chain-of-custody information. That means (1) you do not need to remember to log that information, (2) you don’t need to worry about logging the information incorrectly, and (3) you don’t need to remember where you kept the logged information.

Because the virtual barcode system is integrated into Reveal Central, you have better access to chain-of-custody information. You do not need to go to a different platform. You do not need to deal with connecting information stored in one system (say one that tracks when you downloaded a selection of custodian data from O365) to information stored in another system (such as when you processed that data).

As we further integrate Reveal Central into the larger Reveal platform, you will be able to use the virtual barcodes to track ESI through its full life cycle in the matter. And that will mean one less headache the next time you prepare to question that surprise witness you know you will get.

Want to Learn More?

If your organization is interested in learning more about Reveal Central, Reveal 11, and how Reveal uses AI as an integral part of its AI-powered end-to-end legal document review platform, please contact us.