Skip to content

June 30, 2026 · Technology

How Cryptographic Hashing Makes Evidence Tamper-Evident

A hash is a digital fingerprint. Paired with a hash chain, it turns a custody log into a record that reveals any alteration. Here is how it works, in plain terms.

Digital evidence has a problem physical evidence does not: you can copy or change it without leaving a mark. A file edited a year later can look identical to the original. Cryptographic hashing is the tool forensics uses to solve this — and it is what makes a modern custody record tamper-evident.

What a hash is

A cryptographic hash function takes any input — a file, a disk image, a block of text — and produces a fixed-length string called a digest, or hash. The same input always produces the same hash. SHA-256, the current standard, always produces 256 bits (64 hexadecimal characters).

Three properties make hashes useful for evidence:

  • Deterministic — identical input always yields identical output.
  • Avalanche effect — changing a single bit of input changes roughly half the output bits, so the new hash looks completely unrelated.
  • Practically irreversible and collision-resistant — you cannot feasibly work backward from a hash, or find two different inputs with the same hash.

The practical upshot: compute a hash at acquisition, recompute it later, and compare. Match means bit-for-bit identical. Any difference — even one byte — and the hashes diverge entirely. (Older functions like MD5 and SHA-1 are no longer considered collision-resistant and have been retired from security-critical use in favor of the SHA-2 family.)

From single hashes to a hash chain

Hashing one file proves that file is unchanged. But a custody log has many entries, and we want to prove the whole sequence is intact — and that no one inserted, removed, or reordered entries. That is what a hash chain does.

In a hash chain, each entry includes the hash of the previous entry as part of its own input:

hash(entry N) = SHA-256( contents of entry N + hash of entry N-1 )

Because every entry's hash depends on the one before it, the entries are linked like a chain. Change any earlier entry — even slightly — and its hash changes, which changes the next entry's hash, and so on down the line. The tampering cannot be hidden: it propagates all the way to the end. This is the same principle that underlies tamper-evident ledgers generally.

Why this matters for admissibility

Under FRE 902(14), data copied from an electronic device can be self-authenticating when authenticated by a process of digital identification — in practice, hash comparison — supported by a qualified person's certification. In other words, hashing is not just good practice; it is a recognized path to getting digital evidence admitted without a live authentication witness.

And under NIST SP 800-86, integrity verification through hashing is woven through the entire forensic process, from collection to reporting.

How CustodyTrack uses hashing

CustodyTrack applies both ideas:

  • When a form is created, its contents are sealed with a content hash — a fingerprint of the record.
  • Each custody event (creation, transfer, acceptance) is linked to the previous one in a per-form hash chain, and every event is also written into a global ledger chained across all records.
  • Anyone can verify a record using its verification code. The system recomputes the chain and confirms it is intact — no need to trust the custodian, the platform, or anyone else.

The effect is a custody record that does not merely claim to be unaltered. It can be proven unaltered, by anyone, at any time — which is exactly what tamper-evident means.

Sources

  1. [1] SP 800-86: Guide to Integrating Forensic Techniques into Incident Response National Institute of Standards and Technology
  2. [2] Federal Rule of Evidence 902 — Evidence That Is Self-Authenticating Legal Information Institute, Cornell Law School

Every factual claim in this briefing was checked against these sources before publication. Sources are limited to courts, government and law-enforcement agencies, standards bodies, and open-access scholarship.