To prove that evidence has not been altered since entering the lab, which approach is correct?

Enhance your knowledge as a Computer Hacking Forensic Investigator with the CHFI v11 Test. Use flashcards and multiple-choice questions, complete with hints and detailed explanations, to prepare effectively and ace your exam!

Multiple Choice

To prove that evidence has not been altered since entering the lab, which approach is correct?

Explanation:
Proving that evidence hasn’t been altered relies on creating a fingerprint of the exact data when it enters the lab and then keeping that fingerprint secure. You generate a cryptographic hash of the entire evidence at intake and record that digest in the chain of custody. Later, you recompute the hash on the preserved copy and compare it to the original digest. If they match, the data remain unchanged; if they differ, tampering or corruption has occurred. This method provides a concrete, verifiable artifact that can be independently checked, rather than relying on a signed statement, lab certification, or a generic standard database. In practice, hashing at intake and comparing against that original digest is the reliable way to demonstrate integrity over time. Stronger hash functions (like SHA-256) are preferred over MD5 for improved collision resistance.
