When electronically stored information (ESI) becomes evidence — in litigation, a government investigation, a public-records dispute, or an internal inquiry — two questions decide whether it can be relied upon: was it collected in a way that preserved its integrity, and can you prove what happened to it from the moment it was gathered? Collection is the act of acquiring ESI from its sources. Chain of custody is the documented, unbroken record of who handled that data, when, how, and why. Together they determine whether a piece of evidence is treated as authentic and trustworthy or dismissed as compromised.
These concepts sit at the intersection of records management, e-discovery, and digital forensics, and they belong squarely within an organization’s broader information governance program. Getting them right is rarely about exotic technology. It is about discipline, documentation, and a defensible, repeatable process that a third party could scrutinize after the fact.
Why collection integrity matters
ESI is fragile in ways paper never was. Opening a file can change its last-accessed timestamp. Copying with the wrong tool can strip system metadata or alter formatting. Forwarding an email re-encodes headers. Because metadata — authorship, dates, recipients, edit history, file paths — is often as probative as the content itself, a careless collection can quietly destroy the very facts at issue.
The standard a collection must meet is defensibility: the ability to show that the process was reasonable, proportionate, and faithful to the original. Courts and opposing parties do not require perfection; they expect a sound methodology consistently applied. A collection that alters data, skips relevant sources, or cannot be explained invites challenges to authenticity and, in extreme cases, allegations of spoliation. Frameworks such as ISO 16175 emphasize that records in digital environments retain evidential value only when their content, structure, and context are kept intact through every handling step.
Planning a defensible collection
Sound collection begins before anyone touches data. Key planning steps include:
- Map the sources. Identify every relevant repository — email systems, file shares, laptops, mobile devices, collaboration platforms, cloud accounts, and business applications. Modern matters increasingly turn on chat and messaging data, which is easy to overlook.
- Define scope. Agree on custodians, date ranges, keywords, and data types so the collection is targeted and proportionate rather than a blind seizure of everything.
- Preserve first. Issue and honor a litigation hold so relevant ESI is not deleted, overwritten, or auto-expired while collection is arranged.
- Choose a method that fits the risk. Higher-stakes matters justify more rigorous, forensically sound techniques; routine matters may warrant lighter-weight, targeted collection.
This planning is also where the proportionality principle embodied in the Federal Rules of Civil Procedure comes into play: the effort and cost of collection should be reasonable relative to the needs of the matter.
Collection methods and their trade-offs
There is a spectrum of collection approaches, and the right one depends on the legal exposure and the nature of the data:
- Forensic imaging. A bit-for-bit copy of an entire device or drive, capturing active files, deleted artifacts, and slack space. It is the most complete and most defensible method, used when deleted data or device behavior is in question, but it is also the most resource-intensive.
- Targeted (logical) collection. Acquiring specific files, mailboxes, or folders rather than a full image. Faster and more proportionate, it is appropriate when the relevant universe is well defined.
- In-place and platform-native collection. Many cloud and enterprise systems offer built-in tools that export selected content along with its metadata. These are efficient but must be validated to confirm they capture metadata faithfully and apply holds reliably.
Whatever the method, the cardinal rule is to work from a copy and preserve the original, and to verify that the copy is faithful — typically by generating and recording cryptographic hash values (such as MD5 or SHA-256) so any later alteration is detectable.
Establishing and documenting chain of custody
Chain of custody is the evidentiary backbone of any collection. It is the continuous, contemporaneous record that answers, for each item of ESI: who collected it, from where, when, using what tool and method, who has held it since, and where it is stored now. A gap in that record — an unexplained handoff, an untracked copy, a missing timestamp — is exactly what an opposing party will exploit to argue the evidence cannot be trusted.
A robust chain of custody typically captures:
- Source identification — the custodian, device, system, and location data came from.
- Collection details — date and time, the collector’s identity, the tool and method used, and verification (hash) values.
- Custody transfers — every transfer of possession, logged with date, time, and the names of both parties.
- Storage and access — where the data resides, how it is secured, and who has accessed it.
The discipline here is contemporaneous documentation: records made at the time, not reconstructed later. The Sedona Conference’s widely cited guidance reinforces that cooperation, transparency, and a documented, repeatable process are what make ESI handling defensible — and that overengineering for matters of modest stakes is itself a failure of proportionality.
Common pitfalls and good practice
The most frequent failures are mundane. Self-collection by untrained custodians who drag files into a folder strips metadata and breaks the audit trail. Holds issued but never enforced let relevant data age out. Messaging and ephemeral apps go uncollected because no one inventoried them. Copies proliferate without logging, leaving no clean original.
The antidotes are equally practical: rely on trained personnel and validated tools, preserve originals untouched, verify every copy with hashes, log custody contemporaneously, and write it all down in a way a neutral reviewer could follow. Treat collection and chain of custody not as one-off scrambles but as standing capabilities of your information governance program — so that when evidence is needed, the process is already in place, rehearsed, and ready to withstand challenge.
Sources & further reading
Authoritative government and non-profit references.
- Federal Rules of Civil Procedure — U.S. Courts
- The Sedona Conference publications — The Sedona Conference
- ISO 16175 records in digital environments — ISO
How to cite this page
APA
RM University Editorial Team. (2026). Collection and Chain of Custody for ESI. Records Management University. https://www.recordsmgmt.org/articles/collection-and-chain-of-custody-for-esi/
MLA
RM University Editorial Team. "Collection and Chain of Custody for ESI." Records Management University, 16 June 2026, www.recordsmgmt.org/articles/collection-and-chain-of-custody-for-esi/.