Chain of Custody & Seizure Procedures
"Integrity from crime scene to courtroom — where evidence battles are won or lost"
Electronic evidence is uniquely vulnerable to alteration without visible trace. The chain of custody and hash verification are your twin safeguards. A single gap can render the most incriminating evidence inadmissible.
Chain of Custody — The Concept
Definition: Chain of custody is the chronological documentation showing the seizure, custody, control, transfer, analysis, and disposition of physical or electronic evidence from collection to court presentation.
Purpose: To demonstrate beyond reasonable doubt that the evidence presented is the SAME evidence seized, UNALTERED and UNTAMPERED.
Legal Foundation: While no specific section mandates chain of custody, it derives from general principles requiring authentication — reinforced by S.63 BSA's requirement that electronic records "correctly reproduce" the original.
The Six Links of the Chain
Gap in chain = Possibility of tampering, substitution, or contamination
Broken chain = Defence argument that the evidence is unreliable and should be excluded
Missing documentation = Court may exclude evidence or reduce weight
Electronic evidence is particularly vulnerable because it can be altered without visible trace. Chain of custody and hash verification are the twin safeguards.
As the ancient Roman maxim states: "Ei incumbit probatio qui dicit, non qui negat" — the burden lies on the one who asserts, not the one who denies.
Prosecution must positively establish authenticity. Defence merely needs to raise reasonable doubt. This asymmetry makes thorough documentation critical.
Hash Values — The Digital Fingerprint
Definition: A hash value is a fixed-length alphanumeric string generated by a mathematical algorithm from any digital data. Like a fingerprint, it is for practical purposes unique to that specific data.
Key Property: Even a single bit change produces a completely different hash. Perfect for verifying data integrity.
One-Way: You can generate a hash from data, but you cannot reconstruct the data from the hash.
Algorithm Comparison
| Algorithm | Output | Security | Evidence Use |
|---|---|---|---|
| MD5 | 128-bit (32 hex) | Weak — collisions possible | Legacy; supplement with SHA |
| SHA-1 | 160-bit (40 hex) | Deprecated — broken 2017 | Avoid for new evidence |
| SHA-256 | 256-bit (64 hex) | Strong — recommended | Industry standard |
| SHA-512 | 512-bit (128 hex) | Very Strong | High-security cases |
At Seizure: Calculate the hash with the device connected through a write-blocker. Record the hash value and the algorithm in the seizure memo.
Before Examination: Verify forensic image hash matches seizure hash.
After Examination: Recalculate hash — must match original.
At Court: Exhibit hash should match seizure hash. Defence can request verification.
Matching hashes at all stages = Evidence integrity mathematically proven ✓
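The stage-by-stage check described above, as an added example that is not part of the original course material. The file name, the function names and the sample data are constructed for illustration; a small temporary file stands in for a forensic image, and one bit is flipped before the last stage to show what a mismatch looks like.

```python
import hashlib
import os
import tempfile

def hash_image(path, algorithms=("sha256",), chunk_size=1 << 20):
    """Stream a file through each algorithm; returns {algorithm: hex digest}."""
    digests = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:  # opened read-only; large images never sit fully in RAM
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for d in digests.values():
                d.update(chunk)
    return {name: d.hexdigest() for name, d in digests.items()}

def verify_stage(stage, path, recorded):
    """Re-hash the image and compare with the values recorded in the seizure memo."""
    current = hash_image(path, algorithms=tuple(recorded))
    mismatched = sorted(a for a in recorded if current[a] != recorded[a].lower())
    return {"stage": stage, "match": not mismatched, "mismatched": mismatched}

def demo():
    # Constructed sample: a temporary file standing in for a forensic image.
    with tempfile.TemporaryDirectory() as tmp:
        image = os.path.join(tmp, "exhibit_image.dd")
        with open(image, "wb") as fh:
            fh.write(b"constructed sample evidence " * 4096)
        seizure = hash_image(image)  # the value that goes into the seizure memo
        results = [verify_stage(stage, image, seizure)
                   for stage in ("before examination", "after examination")]
        # Flip a single bit to simulate an alteration before the court stage.
        with open(image, "r+b") as fh:
            fh.seek(100)
            original = fh.read(1)
            fh.seek(100)
            fh.write(bytes([original[0] ^ 0x01]))
        results.append(verify_stage("court", image, seizure))
        return seizure, results

if __name__ == "__main__":
    seizure, results = demo()
    print("seizure SHA-256:", seizure["sha256"])
    for result in results:
        print(result)
```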
Seizure Procedures under BNSS
S.105 BNSS: Search of place — requires two independent witnesses from locality
S.106 BNSS: Search of person
S.107 BNSS: Search warrant requirements
S.108 BNSS: Search without warrant in urgent cases
IT Act S.80: Police (not below Inspector) can enter, search, arrest without warrant for cyber offences
Seizure Checklist
| Step | Requirement | Common Defects |
|---|---|---|
| Witnesses | Two independent from locality (S.105) | Police personnel; not present throughout |
| Seizure Memo | Detailed description of all items | Vague ("one laptop"); no serial numbers |
| Device State | Document ON/OFF, password protected | Not documented; turned off incorrectly |
| Hash Value | Calculate at scene if possible | No hash; calculated days later |
| Sealing | Tamper-evident with signatures | Ordinary seal; no signatures |
| Photos/Video | Device, screen, serial, seal, location | No photos; don't match device |
Device ON: Contains volatile data in RAM (encryption keys, sessions). Capture live data first if possible. Photograph screen. Don't just unplug!
Device OFF: Do NOT turn on — may trigger password lock, wipe, encryption. Send for forensic imaging directly.
Common Mistake: Turning device on "to check" — destroys volatile evidence, triggers encryption, enables spoliation allegations.
Risk: Remote wipe can erase device instantly (phones, corporate laptops)
Solution: Enable airplane mode OR place in Faraday bag to block signals
Document: Network state at seizure — WiFi/data on? Pending sync?
Documentation Requirements
The seizure memo (panchnama) is your foundation. Gaps here haunt you throughout trial.
Case: FIR No. [____] dated [____] | P.S. [____] | U/S [BNS/IT Act sections]
Seizure: Date: [DD/MM/YYYY] Time: [HH:MM] | Place: [Full address]
Item: Type: [Laptop/Mobile/etc] | Make: [____] Model: [____]
Serial: [____] | IMEI: [if mobile] | Color: [____]
Condition: [Working/Damaged] | Power: [ON/OFF] | Password: [Yes/No/Unknown]
Hash: Algorithm: [SHA-256] Value: [____]
[If hash not calculated: "To be calculated at FSL upon forensic imaging"]
Sealing: Sealed in [tamper-evident bag] with signatures of IO, Witnesses, Accused
Witnesses: 1. [Name, S/o, Age, Address] | 2. [Name, S/o, Age, Address]
Each transfer documents: Who (names + designation of both parties) | What (item ID, seal condition) | When (exact date/time) | Why (purpose) | Signatures (both parties)
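One way to audit a chain register for the transfer fields listed above, as an added example that is not part of the original course material. The field names, the sample entries and the 24-hour transit threshold are assumptions made for illustration; the second sample entry reproduces the kind of gap a defence would question (released on 5 January, received on 10 January).

```python
from datetime import datetime, timedelta

FMT = "%d/%m/%Y %H:%M"  # DD/MM/YYYY HH:MM, as in the seizure memo template
REQUIRED = ("item", "from", "to", "released", "received", "purpose", "seal", "signed_by")

def audit_chain(transfers, max_transit=timedelta(hours=24)):
    """Return findings for a chain register; an empty list means no gap was found.
    max_transit is an assumed threshold, not a legal standard."""
    findings, prev = [], None
    for n, t in enumerate(transfers, 1):
        missing = [k for k in REQUIRED if not t.get(k)]
        if missing:
            findings.append(f"entry {n}: missing {', '.join(missing)}")
            prev = None  # continuity cannot be checked across an incomplete entry
            continue
        released = datetime.strptime(t["released"], FMT)
        received = datetime.strptime(t["received"], FMT)
        if set(t["signed_by"]) != {t["from"], t["to"]}:
            findings.append(f"entry {n}: not signed by both parties")
        if t["seal"] != "intact":
            findings.append(f"entry {n}: seal recorded as '{t['seal']}'")
        if received < released:
            findings.append(f"entry {n}: received before released")
        elif received - released > max_transit:
            findings.append(f"entry {n}: {(received - released).days} days unaccounted in transit")
        if prev and t["from"] != prev["to"]:
            findings.append(f"entry {n}: released by {t['from']}, but last holder was {prev['to']}")
        prev = t
    return findings

# Constructed sample register (parties, dates and item ID are illustrative).
SAMPLE = [
    {"item": "EXH-01", "from": "IO", "to": "Store", "released": "02/01/2025 18:00",
     "received": "02/01/2025 18:20", "purpose": "safe custody", "seal": "intact",
     "signed_by": ["IO", "Store"]},
    {"item": "EXH-01", "from": "IO", "to": "FSL", "released": "05/01/2025 10:00",
     "received": "10/01/2025 11:00", "purpose": "forensic imaging", "seal": "intact",
     "signed_by": ["IO"]},
]

if __name__ == "__main__":
    for finding in audit_chain(SAMPLE):
        print(finding)
```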
Temperature: 15-25°C | Humidity: 40-60% | Magnetic Fields: Keep away from magnets, speakers
Access: Limited personnel, mandatory log | Backup: Verified forensic copy in separate location
Attack & Defence Strategies
Prosecution: Must positively establish unbroken chain and authenticity
Defence: Only needs to raise reasonable doubt about integrity
This asymmetry makes thorough documentation essential. Even minor gaps can be exploited.
Defence Attacks
- Gap in Chain: "Evidence was with IO until Jan 5, FSL received Jan 10. Who had custody for 5 days?"
- Improper Sealing: "Ordinary cloth seal, not tamper-evident. Anyone could open and reseal."
- Hash Mismatch: "Seizure hash X, examination hash Y. Mathematical proof of alteration."
- Delayed Hashing: "Hash calculated 3 weeks after seizure. What happened during that time?"
- Witness Issues: "Both witnesses are police informers. Not independent as required."
- Device Manipulation: "Device was ON at scene, arrived at FSL powered OFF. What else was done?"
- No Write-Blocker: "Without write-blocker, any access could have altered data."
Prosecution Counters
- Complete Documentation: Chain register with signatures at every transfer
- Hash Verification: Matching hashes at seizure, FSL receipt, examination, court
- Seal Photos: Photographs of sealed evidence at each stage
- Witness Testimony: Each person in chain testifies to their handling
- Expert Evidence: Forensic expert explains integrity protocols followed
- Corroboration: Other evidence supporting electronic evidence reduces chain impact
For Prosecution: Assume every gap will be exploited. Document obsessively. Use SHA-256. Photograph seals at every stage.
For Defence: Request complete chain register immediately. Compare all hash values. Check witness credentials. Examine time gaps.
🎯 Key Takeaways — Part 3.3
- Chain of custody: 6 links from Seizure → Packaging → Transport → Storage → Examination → Court
- Hash values are digital fingerprints — even one bit change = completely different hash
- SHA-256 is recommended standard; MD5 alone is weak and attackable
- BNSS S.105 requires two independent witnesses from locality
- Document device state (ON/OFF) — don't turn off running device without capturing volatile data
- Seizure memo must have: date/time/place, witnesses, device details, hash, sealing method
- Every transfer needs: who, what, when, why, signatures of both parties
- Defence attacks: gaps, hash mismatch, improper sealing, witness issues, no write-blocker
- Prosecution counters: complete documentation, hash verification, expert testimony
- Minor chain breaks can create reasonable doubt — obsessive documentation essential