Chain of custody is the documented record of how evidence was collected, transferred, handled, and stored over time. In plain language, it shows who had the evidence, what happened to it, and whether it remained under controlled handling.
Chain of custody matters because evidence is more useful when people can trust how it was handled. If important artifacts move through unclear or poorly documented steps, confidence in the investigation can weaken.
It also matters because some incidents involve legal, regulatory, or disciplinary consequences where clear evidence handling becomes especially important.
Chain of custody appears in serious incident response, digital forensics, evidence retention, legal review, and high-sensitivity investigations. Teams connect it to Evidence Preservation, Forensic Artifact, and Audit Log because strong evidence handling depends on both preservation and documentation.
Security teams apply chain-of-custody discipline when the credibility of the evidence may later matter beyond the immediate technical response.
An investigation collects critical artifacts from a compromised workstation. The team documents when the artifacts were gathered, who handled them, where they were stored, and what authorized transfers occurred so later reviewers can trust the handling history.
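As an added illustration of the handling record described above (example code written for this entry, not part of the original glossary page), here is a minimal Python custody ledger: it records the artifact hash at acquisition, logs each authorized transfer, chains entries by hash, and verify() reports any content change, log tampering, or transfer by someone who did not hold custody. Handler names, timestamps and the artifact bytes are constructed.

```python
import hashlib
import json
from dataclasses import dataclass, field

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

@dataclass
class CustodyLog:
    """Tamper-evident custody record: each entry carries the previous entry's hash."""
    artifact_sha256: str                      # hash taken at acquisition time
    entries: list = field(default_factory=list)

    def _append(self, **entry) -> dict:
        entry["prev_hash"] = self.entries[-1]["entry_hash"] if self.entries else "0" * 64
        entry["entry_hash"] = sha256_hex(json.dumps(entry, sort_keys=True).encode())
        self.entries.append(entry)
        return entry

    def acquire(self, handler, source, when, location):
        return self._append(event="acquire", handler=handler, source=source, when=when, location=location)

    def transfer(self, from_handler, to_handler, when, location, purpose):
        return self._append(event="transfer", handler=from_handler, to=to_handler,
                            when=when, location=location, purpose=purpose)

    def verify(self, artifact: bytes) -> list:
        """Return the list of problems found; an empty list means the history is consistent."""
        problems = []
        if sha256_hex(artifact) != self.artifact_sha256:
            problems.append("artifact content no longer matches the hash recorded at acquisition")
        holder, prev = None, "0" * 64
        for i, e in enumerate(self.entries):
            body = {k: v for k, v in e.items() if k != "entry_hash"}
            if e["prev_hash"] != prev or sha256_hex(json.dumps(body, sort_keys=True).encode()) != e["entry_hash"]:
                problems.append(f"entry {i}: log chain broken (entry altered, reordered or removed)")
            if e["event"] == "acquire":
                holder = e["handler"]
            elif e["event"] == "transfer":
                if e["handler"] != holder:   # only the current custodian may hand the artifact on
                    problems.append(f"entry {i}: transfer by {e['handler']} but custody was with {holder}")
                holder = e["to"]
            prev = e["entry_hash"]
        return problems

SAMPLE_ARTIFACT = b"constructed sample: exported event log from WS-17"   # constructed, not real evidence

def build_sample_log() -> CustodyLog:
    # Constructed handling history: acquisition by analyst-a, then one authorized transfer
    log = CustodyLog(artifact_sha256=sha256_hex(SAMPLE_ARTIFACT))
    log.acquire("analyst-a", "workstation WS-17", "2024-05-02T09:15:00Z", "IR lab evidence locker 3")
    log.transfer("analyst-a", "analyst-b", "2024-05-03T14:00:00Z", "forensics lab", "timeline analysis")
    return log
```

In practice the ledger would be stored separately from the artifact and signed or written to an append-only audit log, so the verification relies on a record the handlers cannot quietly rewrite.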
Chain of custody is not the same as Evidence Preservation. Preservation keeps evidence intact and available. Chain of custody records the handling path and accountability for that evidence over time.
Nor is it needed at the same depth for every minor event. The level of rigor depends on the seriousness of the incident and the downstream use of the evidence.