Chain of Custody Policy
Last updated: June 2026
1. What Chain of Custody Means in Digital Forensics
Chain of custody (CoC) is the documented, chronological record of every person who has handled a piece of evidence, every action taken on that evidence, and every location where it has been stored, from the moment of collection through to final disposal or return. In digital forensics, maintaining an unbroken chain of custody is essential because digital evidence is inherently mutable — any undocumented handling event creates an opportunity for opposing parties to challenge the reliability of findings in legal, regulatory, or compliance proceedings.
ASG Forensics applies chain of custody documentation to every engagement. This policy describes how that documentation is created, maintained, verified, and disclosed. Clients should understand that CoC documentation is only as strong as the integrity of evidence at the time it is submitted; ASG Forensics cannot retroactively establish custody for events that occurred before the evidence reached our systems.
2. Client Obligations Before Submission
The integrity of the chain of custody begins with the client. Before submitting any evidence to ASG Forensics, clients are obligated to:
- Preserve all original evidence in its unmodified state from the point at which it is identified as potentially relevant.
- Avoid opening, modifying, copying (except for forensic imaging purposes), or transferring evidence across systems without first consulting ASG Forensics on best practice for their specific case type.
- Document, to the best of their ability, a brief history of who has handled the evidence prior to submission, including when it was first identified and what actions (if any) have been taken on it.
- Refrain from installing, running, or updating software on devices that may contain relevant evidence until a forensic image has been taken.
- Notify ASG Forensics immediately if evidence is accidentally modified, deleted, or transferred after the decision to commission an investigation has been made.
Failure to preserve evidence prior to submission may limit the conclusions that can be drawn from the analysis and will be noted in the forensic report.
3. Evidence Receipt and Initial Logging
When evidence is received by ASG Forensics, a formal evidence receipt event is recorded in the case management system. This record captures the following information at minimum:
- Date and time of receipt (UTC), recorded automatically by the submission system
- Submission channel used (client portal, secure file transfer, or authorised encrypted email)
- Identity of the submitting party as authenticated by the portal or submission system
- File names, sizes, and types for each item received
- SHA-256 hash of each received file, computed immediately upon receipt before any further processing
- Internal exhibit identifier assigned to each item (e.g., EX-001)
- Name of the ASG Forensics analyst who received and logged the evidence
This initial log entry constitutes the opening entry in the chain of custody record for each exhibit.
4. Cryptographic Integrity Verification (Hashing)
Hashing is the primary technical mechanism by which ASG Forensics verifies that evidence has not been altered during analysis. Upon receipt, a SHA-256 hash is computed for every file and recorded in the CoC log. At each subsequent stage of analysis — including when evidence is accessed for examination, when working copies are created, and when analysis is completed — the hash of the evidence is re-computed and compared against the recorded value. Any discrepancy is treated as a critical integrity failure, documented immediately, and brought to the attention of the case lead and the client.
Where disk or volume images are produced from physical devices submitted by the client, ASG Forensics records both the hash of the original acquisition image and the hash of any working copy. Forensic examination is conducted exclusively on working copies; original images are stored read-only and are not modified at any point.
5. The Custody Log — Structure and Maintenance
A custody log is maintained for each case. Each entry in the log records a handling event and includes:
- Timestamp (UTC)
- Exhibit identifier(s) involved
- Action performed (e.g., receipt, hash verification, examination, working copy creation, report compilation, archival, deletion)
- Name and role of the ASG Forensics personnel performing the action
- Purpose of the action
- Hash value recorded at the time of the action, where applicable
- Any anomalies or observations noted during the action
The custody log is stored in a tamper-evident, access-controlled system. Log entries are immutable once created; corrections or addenda are recorded as new entries with a reference to the original. The log is not accessible to clients through the standard portal and is maintained as an internal forensic record.
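The receipt hash, the re-verification step and the append-only log described in sections 3 to 5 can be sketched as follows. This is an added example, not ASG Forensics' own system: hash chaining between entries, the field names, `GENESIS` and the `demo` helper are assumptions, and the sample evidence file is constructed.

```python
import hashlib, json, os, tempfile
from datetime import datetime, timezone

GENESIS = "0" * 64  # assumed back-link value for the first entry

def sha256_file(path, chunk=1 << 20):
    h = hashlib.sha256()
    with open(path, "rb") as f:  # stream: disk images may not fit in memory
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def _digest(body):
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def append_entry(log, exhibit, action, actor, purpose, sha256=None, note=None, refers_to=None):
    """Append only: a correction is a new entry pointing at the original via refers_to."""
    body = {"seq": len(log), "ts": datetime.now(timezone.utc).isoformat(),
            "exhibit": exhibit, "action": action, "actor": actor, "purpose": purpose,
            "sha256": sha256, "note": note, "refers_to": refers_to,
            "prev": log[-1]["digest"] if log else GENESIS}
    log.append({**body, "digest": _digest(body)})
    return body["seq"]

def verify_exhibit(log, exhibit, path, actor, purpose):  # the outcome is itself logged
    receipt = next(e for e in log if e["exhibit"] == exhibit and e["action"] == "receipt")
    current = sha256_file(path)
    ok = current == receipt["sha256"]
    append_entry(log, exhibit, "hash verification", actor, purpose, current,
                 None if ok else "CRITICAL: hash mismatch", receipt["seq"])
    return ok

def first_broken_entry(log):  # seq of first entry whose digest or back-link fails, else None
    prev = GENESIS
    for e in log:
        body = {k: v for k, v in e.items() if k != "digest"}
        if e["prev"] != prev or _digest(body) != e["digest"]:
            return e["seq"]
        prev = e["digest"]
    return None

def demo():  # constructed sample: a temp file stands in for submitted evidence
    with tempfile.NamedTemporaryFile(delete=False) as f:
        f.write(b"constructed sample evidence")
    log = []
    append_entry(log, "EX-001", "receipt", "analyst-a", "intake", sha256_file(f.name))
    ok = verify_exhibit(log, "EX-001", f.name, "analyst-a", "pre-examination")
    os.unlink(f.name)
    return ok, log
```

A hash chain only exposes edits if the most recent digest is also recorded somewhere the log's writers cannot alter; otherwise the whole chain can be recomputed after a change.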
6. Working Copies and Examination Practices
Forensic analysis is conducted exclusively on verified working copies of submitted evidence. Original evidence files are write-protected and stored separately from the analysis environment. Working copies are created using forensically sound duplication methods, and the hash of each working copy is verified against the original before examination begins. Analysis tools operate in read-only modes wherever the software supports it. Any tool that requires write access to a file operates on a copy, never on the working image itself.
7. Access Controls and Internal Transfer
Access to evidence and the custody log is limited to personnel directly involved in the engagement. All access events are automatically logged by the case management system with the timestamp and identity of the accessing user. Internal transfers of evidence between analysts — for example, when a case is escalated or when a peer review is required — are recorded as custody transfer events in the log. No evidence is transferred to external parties without a corresponding custody transfer record and, where applicable, client authorisation.
8. Third-Party Access and External Disclosure
Evidence held by ASG Forensics will not be disclosed to third parties except in the following circumstances:
- The client has provided express written authorisation for the disclosure to a named third party (such as their legal counsel, a law enforcement agency, or a financial institution).
- ASG Forensics is compelled by a valid court order, subpoena, or equivalent legal instrument to produce evidence or records.
- Disclosure is required to prevent imminent serious harm to an identifiable individual and no other mechanism is available.
Any compelled disclosure will be logged in the custody record, and ASG Forensics will make reasonable efforts to notify the client of the disclosure unless prohibited from doing so by law.
9. Chain of Custody Documentation in Forensic Reports
Each forensic report produced by ASG Forensics includes a chain of custody section or appendix. This section identifies each exhibit by its internal reference number, provides its SHA-256 hash value as recorded on receipt, states the date and method of receipt, and identifies the analyst responsible for the examination. The CoC appendix is intended to provide sufficient documentary foundation for the report to be assessed by legal counsel, compliance officers, or other technical reviewers. However, ASG Forensics does not warrant that any court, regulatory body, or third-party institution will treat the report or its CoC documentation as admissible or sufficient for their particular requirements, as those determinations are made by those bodies independently.
10. Limitations of Chain of Custody in Digital Contexts
Digital chain of custody has inherent limitations that differ from physical evidence handling. ASG Forensics can document all handling events that occur within its own systems but cannot establish or certify what occurred to evidence before submission. Where evidence arrives with metadata timestamps that are inconsistent with the client's stated timeline, or where file system artefacts suggest prior modification, this will be noted in the report. ASG Forensics is not responsible for custody gaps that arose prior to receipt of evidence, and findings in a report will reflect only those conclusions that can be drawn from the evidence as received.
11. Retention of Custody Records
Custody logs are retained for a minimum of five (5) years following the closure of a case, regardless of the retention period applicable to the underlying evidence files. This extended retention period reflects the fact that custody documentation may be required in subsequent legal proceedings that arise after the initial engagement has concluded. Custody logs are archived in encrypted, access-controlled storage and are not routinely accessible to personnel who were not involved in the original case.