Evidence
Chain of custody for open-source evidence
Zvonimir Cvetko Damnjanović9 min read
A screenshot arrives in a case file: a post, apparently by the subject, apparently admitting the thing. Eighteen months later a defence lawyer asks three questions. Who captured this? When, exactly? How do we know it looked like this at capture and hasn't been altered since? If the investigator cannot answer from records — not memory — the exhibit is in trouble, and with it, sometimes, the case. That is what chain of custody prevents, and it is cheap to get right and expensive to retrofit.
What the record must establish
Chain of custody for open-source evidence is the documented, unbroken answer to five questions for every artifact:
- Provenance — the precise source: full URL, platform, account, and the context needed to relocate it (or explain why it no longer exists).
- Time — capture time in UTC from a reliable clock, plus any content-internal times (post timestamps, EXIF) clearly distinguished from capture time.
- Collector — the identified person (or documented automated process) that performed the capture, under what authorisation.
- Method — the tool and technique: full-page capture, API export, WARC crawl, video screen recording — including tool versions where they matter.
- Integrity — proof the artifact is unchanged since capture: cryptographic hashes (SHA-256 as the working default) computed at collection and verified at every handover.
Everything after collection extends the same record: storage location, access, copies, conversions, redactions. A transformation is never a problem when it is documented — an undocumented one can taint the exhibit.
Capture: where cases are won and lost
Online content is volatile — posts are deleted, accounts vanish, pages change silently. The working rules:
- Capture before you engage. Any interaction with a subject (a follow, a message, a connection request) can trigger deletion. Preserve first.
- Capture more than the pixel. A flat screenshot proves little. Prefer formats that retain structure and metadata — WARC or MHTML archives, API responses, platform data exports — with a rendered capture alongside for human readers.
- Hash immediately. Compute the hash as part of the capture step, not as weekend housekeeping. A hash created at capture, logged with the UTC time, is the anchor everything else hangs from.
- Corroborate independently where stakes justify it. A third-party archive capture of the same URL made near the same time is powerful corroboration that the content existed publicly as claimed.
- Record the operating environment. Research personas, VPN exit, language and region settings all shape what a platform serves. Note them — content that only appears to certain profiles is a real cross-examination line.
Standards worth aligning with
None of this is invented per-case. ISO/IEC 27037 sets the baseline for identification, collection, acquisition and preservation of digital evidence; ISO/IEC 27043 frames the wider investigation process. For open-source work specifically, the Berkeley Protocol on Digital Open Source Investigations — developed for international criminal accountability — is the professional benchmark, and its practices transfer directly to law-enforcement and corporate contexts. Aligning your SOP with named standards does two things: it improves the work, and it gives the person defending the work something recognised to point at.
Process beats heroics
The failure pattern is rarely malice; it is improvisation under time pressure. The fix is a standard operating procedure that makes the right way the easy way: capture templates that demand the five fields, tooling that hashes and timestamps automatically, storage with access control and audit logs, and handover checklists that verify hashes at each step. This is also where platform support earns its keep — Nexus records provenance, time, handler, and transformations for every artifact as a side effect of normal analyst work, because discipline that depends on remembering is discipline that eventually fails.
The test of a chain of custody is boring by design: months later, a person who was not involved can reconstruct exactly what was collected, when, how, by whom, and prove it unchanged. Boring is what admissible looks like. Our approach to this across all engagements is described on the compliance page.
Frequently asked questions
What is chain of custody for digital evidence?
Chain of custody is the documented, unbroken record of who collected an artifact, when, from where, by what method, and every hand and transformation it passed through afterwards. For open-source material it typically combines a collection log, cryptographic hashes fixed at capture time, and controlled storage.
Can OSINT be used as evidence in court?
Yes — open-source material is routinely admitted when it is collected lawfully, preserved with integrity (hashes, timestamps, provenance), and presented by someone who can explain the method. What fails in court is not OSINT as a category but undocumented screenshots with no capture record.
Which standards apply to handling open-source digital evidence?
ISO/IEC 27037 covers identification, collection, acquisition and preservation of digital evidence; ISO/IEC 27043 covers investigation principles. For online investigations specifically, the Berkeley Protocol on Digital Open Source Investigations sets the professional benchmark.
Reading: Chain of custody for open-source evidence
Put this into practice
Next Sight delivers these workflows as services, platforms, and training — lawful, documented, and built for teams who carry consequences.