Evidence Management | Differences Between Chain of Custody & Audit Trails


There is some confusion in our industry concerning the differences between chain of custody and audit trail. It’s fair to say that they have complementary value to one another, but they are definitely separate items, and keeping them separate is paramount to the entire evidence management process. Today we will discuss the two most important reports concerning individual evidence items, how they work together at times, and why you need a system that separates the two.

What is Chain of Custody?

Many people became familiar with this phrase when watching the drama that was the OJ Simpson murder trial. During his trial, his defense was able to argue successfully to remove certain evidence from consideration because chain of custody over numerous items had been compromised through various bad practices, many of which were common at the time.

In short, chain of custody is physical documentation of the sequence of custody, control, transfer, analysis, and disposition of evidence. Let’s say an officer recovers a shoe from a given crime scene. They should record on an official document where they recovered the item; best practice would include photography of the item in a logical sequence, from discovery to collection. If that officer has to transfer custody of the item to another officer, that transfer should be recorded in the chain of custody document. This process continues upon placing the evidence in temporary storage, into an evidence room, and all the way to disposition, including disposal.

Chain of custody is mandatory. Losing any part of its recorded information will ruin the integrity and value of that evidence and will more than likely mean it is stricken from the case, which could lead to a dismissal.

One way to think of chain of custody is that it documents activities taken by people with the item, starting from the discovery of the item, and capturing all the things those people do with that item, in terms of transactions, between themselves, or other people, ending with the disposition of the item. Keep in mind this is a simplified way of viewing chain of custody. Certainly, there is nuance that is lost in this idea, but it’s a way of separating chain of custody from audit trails.

What is an Audit Trail?

We find that a lot of people confuse chain of custody and audit trails. There are some valid reasons for this, but we will separate the two for you now, and forever put this discussion to rest.

One thing to remember: audit trails have not always applied to physical evidence. The concept was originally tied to documentary evidence, and soon after to digital evidence. There is some application in physical evidence now, and we’ll discuss that in this section.

The Internal Revenue Service (IRS) has used this phrase for quite a while, defining it as documentary evidence that records a given business’ processes and financial activities. For their purposes, the IRS is reliant on these documents when they audit a given business. It assists them in understanding how a business conducts its operations when it comes to spending and receiving money, as well as understanding a full picture of their tax obligations.

Applying audit trail principles to other official processes became a best practice across a number of industries, from medical, government, construction, and others that are tied to regulation compliance. As documents became electronic, the principles of audit trail began to be applied to other electronic content that was related to business and government. And soon, the concept was introduced to digital evidence. It really makes sense, because when you manage digital assets (evidence), you need to be able to express every activity concerning that file, but not everything done to a digital file is going to meet the threshold we discussed concerning chain of custody. For example, a digital evidence manager may have to move digital evidence from one location to another, but in the same storage stack. Technically, this is an activity. But if this manager is already assigned the evidence, it may not qualify for chain of custody, since the file is not moving from outside of the storage rack in question, instead moving to a different position in the rack. This scenario can be tricky, and there isn’t always a clear answer to this, which is why we brought this up right at the beginning.

An easier way of explaining the separation of audit trail responsibilities is file authentication. Any digital evidence management system should have automated functions that verify digital evidence remains exactly as it was when it was entered into the system. Audit trails also need to record the dates, times, locations, and personnel for anyone who so much as searched for files in the system and selected a given file. This is another example of something you wouldn’t find on chain of custody, but that definitely must be recorded and associated with the file in question.

When it comes to physical evidence, the principles of an audit trail can be applied, but it can require more action by your property and evidence manager. As an example, when a compliance review is completed in your evidence room, and specific items are selected to record compliance, the simple act of retrieving, recording, and verifying those items should be documented to an audit log. A compliance review does not change custody of the item in question, nor does it destroy evidentiary value. Recording the activity ensures that both goals are achieved, and that compliance is met across not just the review, but in the actual documentation of the review.

When Do Chain of Custody and Audit Trail Come Together?

The intersection of these two mandatory reports is when chain of custody data is placed within an audit trail. While chain of custody will record many specific details about a transfer between two officers, on the audit trail, the date/time, names of officers, type of activity, and location will be recorded. But it’s all very simple data that gets attached to the audit log. And this is the only intersection you can expect between the two. They are truly two different items altogether, and they have some complementary qualities, but those are really basic.
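The separation described here, together with the file authentication and search logging described earlier, as an added Python sketch that is not code from this article or from any evidence management product. `EvidenceItem`, its method names, the officers, locations and evidence bytes are all hypothetical and constructed for illustration.

```python
import hashlib
from datetime import datetime, timezone

def _now():
    return datetime.now(timezone.utc).isoformat()

class EvidenceItem:
    """Constructed model: one digital item carrying two separate reports."""

    def __init__(self, item_id, data, collected_by, location):
        self.item_id, self.data = item_id, data
        self.intake_sha256 = hashlib.sha256(data).hexdigest()  # fixed at intake
        self.custodian = None
        self.custody = []  # chain of custody: collection, transfers, disposition
        self.audit = []    # audit trail: every activity touching the item
        self._custody("collected", collected_by, location, "entered into system")

    def _audit(self, actors, activity, location):
        self.audit.append({"time": _now(), "actors": actors,
                           "activity": activity, "location": location})

    def _custody(self, action, to, location, notes):
        self.custody.append({"time": _now(), "action": action, "from": self.custodian,
                             "to": to, "location": location, "notes": notes,
                             "sha256": self.intake_sha256})
        # The one intersection: a simple summary of the custody event in the audit log.
        officers = [p for p in (self.custodian, to) if p]
        self._audit(officers, "custody:" + action, location)
        self.custodian = to

    def transfer(self, to, location, notes):
        self._custody("transferred", to, location, notes)

    def search_hit(self, actor, location):
        # Searching for or selecting the file is audit-only; custody is unchanged.
        self._audit([actor], "search/select", location)

    def verify(self, actor, location):
        # Automated authentication: does the file still match its intake hash?
        ok = hashlib.sha256(self.data).hexdigest() == self.intake_sha256
        self._audit([actor], "verify:match" if ok else "verify:MISMATCH", location)
        return ok

def demo():
    item = EvidenceItem("ITEM-0001", b"constructed sample bytes", "Officer A", "Scene")
    item.search_hit("Analyst C", "Records terminal")
    first = item.verify("system", "Evidence server")
    item.transfer("Officer B", "Evidence room", "handed over for analysis")
    item.data += b"!"  # constructed alteration after intake
    second = item.verify("system", "Evidence server")
    return item, first, second
```

After `demo()`, the custody report holds two detailed entries (collection and transfer) while the audit trail holds five, including the search and both verification results that never appear in custody.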

If you’re dealing with a company that tries to merge the two together in their conversation, they may not understand the differences, and that is a big clue that you’re talking to the wrong person about the solution you need.


Chain of custody, audit trail. They are simple documents that mean everything to your evidence and to the acceptance of that evidence in court. You need to know the differences, and where information comes together. More importantly, the people building your software need to know these things. If they’re combining the two, they’re not serving your needs, and they’re going to get you into trouble. Don’t let others create problems for you.

Be safe out there!
