
5 Reasons to Keep Your Original Unedited Files When Making a Claim


    If you need to prove what really happened, edited or converted files can make that tricky. How do you show a photo, video or document is authentic when metadata has been removed, formats change or quality is lost?

     

    Keep the original files whenever you can. Originals hold the metadata and EXIF details, and are the files checksums are computed from; forensic analysts use all of these to verify integrity. Originals also keep native formats, so quality is preserved. I know this can feel fiddly, but a little extra care makes a big difference when you need evidence to withstand scrutiny or meet claim procedures.

    Practical steps to store, transfer and present originals securely:
    – Store safely: Keep the original file untouched and make multiple copies. Keep at least one copy offline in a secure place and another on a reliable backup. Record a checksum for each file so you can show it has not been altered.
    – Transfer carefully: Use secure transfer methods and avoid converting files to lossy formats that strip metadata. When sharing, send a copy and provide the checksum so recipients can verify integrity.
    – Present clearly: Keep a simple record of how files were handled and passed on, and include any metadata or checksum information when presenting the files so they can be checked against the originals.

    Following these steps helps your material remain reliable and easier to verify when it matters.

     


     

    1. Keep metadata with your files so you can check integrity

     

    Capture embedded and filesystem metadata such as creation and modification timestamps, filesystem attributes, embedded EXIF, document properties, device identifiers, geolocation, and revision history, because each field can corroborate timeline, origin, or authorship in a claim. Copy the original file immediately to a secure, write-protected location, then generate and record a cryptographic hash, for example SHA-256. Altering a single bit changes the hash value, so a mismatch provides strong, repeatable evidence of tampering. A matching hash alone, however, does not prove the file was never altered in all circumstances. To strengthen integrity claims, combine hashes with digital signatures or HMACs, trusted timestamping services, a strict chain of custody, and secure handling of any keys or stored hashes. Together these reduce risks such as hash recomputation by an attacker or theoretical collision attacks. Export a human-readable metadata report from the original file and save it alongside the file, including the exact command or tool used and its output, to preserve a reproducible snapshot.
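    The hash-recomputation risk mentioned above, as an added example that is not part of the original article: a manifest of SHA-256 hashes is protected with an HMAC, so a stored hash that has been recomputed to match an altered file no longer authenticates. The file name, key and function names are assumptions made for the illustration, and the file contents are constructed sample bytes.

```python
import hashlib, hmac, json, os, tempfile

def sha256_file(path, chunk=1 << 20):
    """Stream the file so large originals (RAW, video) never sit fully in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()

def _tag(files, key):
    # The HMAC covers the whole name-to-hash mapping, serialised deterministically.
    body = json.dumps(files, sort_keys=True).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()

def make_manifest(paths, key):
    files = {os.path.basename(p): sha256_file(p) for p in paths}
    return {"files": files, "hmac": _tag(files, key)}

def verify_manifest(manifest, directory, key):
    """Return (hashes_match, manifest_authentic) for the files in `directory`."""
    authentic = hmac.compare_digest(_tag(manifest["files"], key), manifest["hmac"])
    match = all(sha256_file(os.path.join(directory, name)) == digest
                for name, digest in manifest["files"].items())
    return match, authentic

def demo():
    key = b"constructed-demo-key"  # assumption: the real key is kept away from the files
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "IMG_0001.raw")  # constructed stand-in for an original
        with open(path, "wb") as f:
            f.write(b"constructed sample bytes, not a real photo")
        manifest = make_manifest([path], key)
        clean = verify_manifest(manifest, d, key)
        with open(path, "ab") as f:  # one appended byte is enough to change the hash
            f.write(b"!")
        altered = verify_manifest(manifest, d, key)
        # The stored hash is recomputed to match the altered file, without the key.
        manifest["files"]["IMG_0001.raw"] = sha256_file(path)
        recomputed = verify_manifest(manifest, d, key)
    return clean, altered, recomputed

if __name__ == "__main__":
    print(demo())
```

    A plain hash comparison passes again in the third case; only the HMAC check shows that the manifest itself was changed.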

     

    If you handle digital files, it helps to know the difference between embedded metadata and filesystem metadata. Embedded metadata sits inside the file itself — things like tags in a photo or properties in a document. Filesystem metadata is held by your operating system, for example creation and modification timestamps. Some workflows strip embedded tags but leave filesystem timestamps unchanged, so those differences can help evaluators spot whether a file has been altered during processing.

    Before you submit or share copies, verify integrity by comparing cryptographic hashes and the key metadata fields you care about. A matching hash shows the file contents, embedded metadata included, are identical, while comparing metadata fields highlights which internal tags or filesystem timestamps have changed.
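    An added example, not from the original article, of comparing both the hash and the metadata fields: it records a SHA-256 hash, whether an Exif APP1 segment is present, and the filesystem modification time, then reports which of these differ between an original and two copies. The JPEG is a constructed minimal byte string rather than a real photo, and all function names are assumptions made for the illustration.

```python
import hashlib, os, shutil, struct, tempfile

def jpeg_segments(data):
    """Yield (marker, payload) for each header segment of a JPEG, stopping at SOS."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI marker)")
    pos = 2
    while pos + 4 <= len(data) and data[pos] == 0xFF:
        marker = data[pos + 1]
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])  # counts its own 2 bytes
        yield marker, data[pos + 4:pos + 2 + length]
        if marker == 0xDA:  # start of scan: compressed image data follows
            return
        pos += 2 + length

def snapshot(path):
    """Record content hash, embedded Exif presence and filesystem mtime for one file."""
    with open(path, "rb") as f:
        data = f.read()
    has_exif = any(m == 0xE1 and p.startswith(b"Exif\x00\x00")
                   for m, p in jpeg_segments(data))
    return {"sha256": hashlib.sha256(data).hexdigest(), "exif": has_exif,
            "mtime_ns": os.stat(path).st_mtime_ns}

def differences(a, b):
    return sorted(k for k in a if a[k] != b[k])

def _segment(marker, payload):
    return b"\xff" + bytes([marker]) + struct.pack(">H", len(payload) + 2) + payload

def demo():
    # Constructed minimal JPEG-like bytes: SOI, Exif APP1, SOS header, EOI.
    exif = _segment(0xE1, b"Exif\x00\x00constructed-tags")
    rest = _segment(0xDA, b"\x00") + b"\xff\xd9"
    with tempfile.TemporaryDirectory() as d:
        orig, copy, stripped = (os.path.join(d, n)
                                for n in ("orig.jpg", "copy.jpg", "stripped.jpg"))
        with open(orig, "wb") as f:
            f.write(b"\xff\xd8" + exif + rest)
        os.utime(orig, ns=(1_600_000_000 * 10**9,) * 2)  # fixed, constructed timestamp
        shutil.copy(orig, copy)          # plain copy: same bytes, new timestamp
        with open(stripped, "wb") as f:  # an export that dropped the Exif segment
            f.write(b"\xff\xd8" + rest)
        shutil.copystat(orig, stripped)  # timestamps carried over from the original
        base = snapshot(orig)
        return differences(base, snapshot(copy)), differences(base, snapshot(stripped))

if __name__ == "__main__":
    print(demo())
```

    The plain copy differs only in its filesystem timestamp, while the stripped export keeps the timestamp but differs in both hash and Exif presence, which is why both kinds of field are worth recording.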

    Keep a clear chain of custody that records who accessed or copied the file, what actions were taken, and where each copy is stored. Use immutable logs or versioned storage so the audit trail is tamper resistant and straightforward to demonstrate during a claim review. Simple, consistent steps like these make it much easier to prove a file’s integrity when it matters.

     


     

    2. Use EXIF metadata and checksums to verify authenticity

     

    If you need to check a photo’s authenticity, EXIF and related metadata are a good place to start. These fields record details about the device and how the image was taken, such as camera make and model, serial number, lens and exposure settings, GPS coordinates, timestamp and software tag. RAW or original camera files usually retain more of this information than edited exports. Extracting the full metadata gives reviewers technical evidence they can use to compare against claimed capture circumstances. Keep the original container and any sidecar files so embedded and supplementary metadata remain available for inspection.

     

    If you need to preserve digital evidence, these practical steps help keep the record clear and verifiable:

    – Export full metadata using a dedicated tool and save any sidecar files. Record the original file name alongside these exports.
    – Compute a cryptographic hash such as SHA-256 at the point of extraction and store that hash with the source file.
    – Keep a simple log of who handled the file, when the hash was computed, and where each copy is stored.
    – Make the master copy read-only or write-protected and keep multiple verified copies so you can check integrity after each transfer.
    – Publish or deposit the checksum with an independent third party to provide external corroboration.
    – Retain the original memory card, device logs and upload receipts to support provenance, because metadata can be edited and checksums only prove integrity, not origin.
    – Where possible, include forensic exports and witness statements to cross-check inconsistencies and strengthen the evidential record.

    It may feel like extra work, but following these steps makes it much easier to show the chain of custody and the reliability of the evidence.

     


     

    3. Capture originals in native formats to preserve quality

     

    Native formats such as RAW for photos and original document files retain full sensor or source data and embedded metadata. For video, uncompressed files or true camera RAW video captures retain the most source information; many common camera codecs like H.264 and H.265 are lossy and discard data, while codecs such as ProRes and DNxHR use compression that preserves high visual quality but are not equivalent to raw sensor output. Avoid repeated re-encoding of video because each encode can reduce quality and alter metadata. Keep an untouched original and immediately duplicate the captured file, labelling the duplicate for editing so you retain a verifiable, unmodified source for comparison. Generate a SHA-256 checksum when the file is first saved and store the hash separately so you can recompute it later to demonstrate the file has not been altered.

     

    If you need to preserve digital files as evidence, treat any conversion or export as a derivative rather than a replacement. Conversions can strip metadata and introduce compression artefacts that reduce evidential value, so make the process as clear and reproducible as possible. Try these straightforward steps:

    – Note the export settings and codec used whenever you convert a file. That information helps explain any quality changes.
    – Keep a detailed log of the capture chain. Record device type, capture settings, file path, transfer method and every person who handled the file. Hold on to the original transfer media wherever you can to maintain continuity.
    – Embed metadata where appropriate and create cryptographic checksums for each file. Checksums act as a digital fingerprint to show whether a file has been altered.
    – Keep originals alongside converted versions and explain why conversions were made. Treat conversions as working copies, not replacements.

    Following these steps preserves primary evidence and provides objective, reproducible information others can use to validate the file.

     


     

    4. How to store and transfer original documents securely

     

    To keep original files secure and verifiably unchanged, follow these practical steps:

    – Calculate a cryptographic hash for each original file and store that hash separately from the file.
    – Check the stored hash after every transfer or copy to spot any alteration.
    – Encrypt originals both at rest and in transit, and deliver them only over authenticated channels to prevent interception or unauthorised modification.
    – Maintain a chain of custody log that records who handled each original, the transfer method used, and a signed acknowledgement at every handover.

    Taken together, these measures create machine-verifiable evidence of integrity and continuous control whenever an original is moved.
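    One way to make the chain of custody log tamper evident, as an added example that is not part of the original article: each record includes the hash of the record before it, and the latest hash is deposited with a third party. The field names, actors and timestamps are constructed for the illustration.

```python
import hashlib, json

GENESIS = "0" * 64  # "previous hash" used by the first entry
FIELDS = ("seq", "prev", "actor", "action", "file_sha256", "time")

def entry_hash(entry):
    body = {k: entry[k] for k in FIELDS}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def append_entry(log, actor, action, file_sha256, time):
    """Append a custody record bound to the one before it; return the new head hash."""
    entry = {"seq": len(log), "prev": log[-1]["hash"] if log else GENESIS,
             "actor": actor, "action": action, "file_sha256": file_sha256, "time": time}
    entry["hash"] = entry_hash(entry)
    log.append(entry)
    return entry["hash"]

def verify_log(log, deposited_head):
    """Return None if intact, else a short description of the first problem found."""
    prev = GENESIS
    for i, entry in enumerate(log):
        if entry["seq"] != i or entry["prev"] != prev:
            return f"entry {i}: chain link broken"
        if entry["hash"] != entry_hash(entry):
            return f"entry {i}: contents altered"
        prev = entry["hash"]
    # A fully rewritten log is self-consistent, so compare with the head held elsewhere.
    return None if prev == deposited_head else "head differs from deposited value"

def demo():
    file_hash = hashlib.sha256(b"constructed sample original").hexdigest()
    log = []  # all records below are constructed sample data
    append_entry(log, "claimant", "captured original", file_hash, "2024-01-05T10:00:00Z")
    append_entry(log, "claimant", "copied to archive", file_hash, "2024-01-05T10:20:00Z")
    head = append_entry(log, "assessor", "received copy", file_hash, "2024-01-09T09:00:00Z")
    intact = verify_log(log, head)
    log[1]["time"] = "2024-01-07T10:20:00Z"  # one record edited after the fact
    edited = verify_log(log, head)
    prev = GENESIS                           # every hash re-derived to hide the edit
    for entry in log:
        entry["prev"] = prev
        prev = entry["hash"] = entry_hash(entry)
    rewritten = verify_log(log, head)
    return intact, edited, rewritten

if __name__ == "__main__":
    print(demo())
```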

     

    If you’re managing important files, a few straightforward steps can cut the risk of loss or unauthorised distribution. Keep the original master file untouched and work from exact, bit-for-bit copies. Label the master as write-protected and use tamper-evident packaging for any physical media.

    Limit who can see or change files by using role-based permissions and the principle of least privilege, so people only have the access they actually need. For transfers outside your organisation, require two-person approval to reduce the chance of mistakes or unauthorised sharing.

    Run regular audits and set up automated alerts to flag unusual access or movement. That way any deviation from expected handling can be spotted and investigated promptly.

     


     

    5. Present original documents as evidence and follow the claims process

     

    Keep the original file and never overwrite it. Save a verified copy in read-only or archive storage so metadata such as EXIF data, device identifiers and timestamps remain intact. Create and record a cryptographic hash for each original file using a standard algorithm, and store that hash alongside the file; this acts as a digital fingerprint recipients can use to confirm the file has not been changed. If someone needs to view the file, provide a separate, accessible copy for viewing, but always preserve the unedited original for evidence.

     

    If you need to submit evidence, keeping things simple and well documented makes the process smoother. Try the following practical steps.

    – Keep a clear chain of custody log that records who accessed the file, why and when. Note transfer methods, email timestamps and the names of anyone who handled the file to support authenticity.
    – Assemble a claim packet with the unedited originals, viewing copies, a metadata export, the hash file and any corroborating documents such as receipts, serial numbers and a short statement describing how the file was captured.
    – Run a quick integrity check before submission and record any permitted processing you carried out. Assessors commonly compare metadata with the claimant timeline and use hash comparisons to detect modifications. Adding proactive notes about legitimate edits and the evidence for them reduces questions and lets assessors focus on the substantive issues.

     

    Keep the original, unedited files and their metadata so you have an objective, reproducible record to support any future claim. Create cryptographic hashes and store them securely, keep files in their native formats along with any sidecar files, and log a clear chain of custody so others can verify the files’ integrity and provenance.

     

    Follow a few simple steps to make evidence easier to verify: keep metadata intact, use checksums, store and transfer files securely, and provide originals with supporting documents. Do this when preparing a claim so assessors spend less time disputing authenticity and more time focusing on the main issues.