What is chain of custody for video evidence?

A documented, continuous record of who had access to the original footage and every derivative copy, what they did with it, and when. The goal is to show a court that the footage presented as evidence is the same footage that was recorded — unaltered and accounted for at every step.

Does email-based sharing preserve chain of custody?

No. Email provides no record of who opened an attachment, no audit log of forwarded copies, and no way to demonstrate that the file delivered is identical to the file recorded. It can be used to share evidence, but it cannot produce the custody record on its own.

What does a chain of custody record need to contain?

At minimum — the source camera and time range, the operator who exported the footage, the time of export, every derivative produced (trims, transcodes, still frames) and who produced them, every recipient the footage was shared with, and a timestamped log of when each recipient accessed it.

Who is responsible for chain of custody when a security monitoring company hands footage off?

Custody transfers when the footage is handed over to law enforcement, an insurance adjuster, or another party. The security monitoring company is responsible for documenting custody on their side of the handoff — what was created, by whom, when, and who it was delivered to. The receiving party then becomes responsible for their portion.

Chain of Custody for Security Video — What Security Companies Need to Know

Chain of custody for security video is a continuous, documented record of who had access to the original footage and every derivative, what they did with it, and when. When footage ends up in a deposition, a subrogation claim, or a criminal proceeding, that record is what determines whether the footage is admissible as evidence. This guide covers what the record actually needs to contain and why the standard email-plus-shared-drive workflow can't produce one. For the practical mechanics of preparing footage in the first place, see our best practices for creating incident video clips.

Why chain of custody matters before you think you need it

Most clip requests don't turn into evidence. A handful do — and the problem is that you usually can't tell which ones up front:

A clip shared with a customer in March surfaces in a civil suit in November.
An insurance adjuster's subrogation team subpoenas the original footage for a case from six months ago.
A defense attorney challenges admissibility because the prosecution can't show how the clip arrived.

In each case, the question is the same: can you produce a continuous record from "this is what the camera recorded" to "this is what was delivered to opposing counsel"? If yes, the footage holds. If not, the footage is challengeable — sometimes successfully.

The cost of being able to produce that record is low. The cost of not being able to produce it when asked is high and unpredictable.

What the record needs to contain

A defensible chain of custody record for security video typically includes:

| Element | What it captures | | --- | --- | | Source | Camera ID, location, time range, original VMS, time zone. | | Recording integrity | A way to demonstrate the original recording has not been altered — hash, original file preserved, or both. | | Operator | Who exported the footage from the VMS, and when. | | Derivatives | Every trim, transcode, and still frame produced from the original — by whom and when. | | Recipients | Every party the footage or any derivative was shared with, by what method, on what date. | | Access log | A timestamped record of every open of every shared package, ideally with viewer identity. | | Disposal | If the footage is destroyed (retention period expires, court order), the date and authorization. |

The record does not need to be elaborate. It needs to be continuous — no gaps, no "we think we sent it to the Reno PD on the 14th" — and it needs to be produced at the time of use, not reconstructed afterward. Reconstructed records are the most common point of attack.

The most common chain-of-custody failure is not a missing record entirely — it's a record that's mostly there, with a gap somewhere between "operator exported the clip" and "the file ended up on opposing counsel's laptop." Mid-workflow gaps are what give a defense attorney room to work.

Why email and shared drives can't produce this record

The standard ad-hoc workflow — VMS export, manual trim, Google Drive or Dropbox link, email handoff — fails at several specific points:

No record of derivatives. Each re-export, trim, and conversion creates a new file with no documented relationship to the original.
Permission sprawl. A "anyone with the link" Drive share has no expiry, no access log, and no way to demonstrate who actually opened the file.
No tied access log. Email shows the file was sent. It doesn't show whether the recipient opened it, when, or how many times.
No revocation. Once a Drive link is shared, it lives until someone remembers to change permissions.
Recipient-side ambiguity. When the recipient forwards the link to a colleague, there's no signal back to the originator that the audience has grown.

A defense attorney does not need to prove that any of these failures actually happened. They only need to demonstrate that they could have happened — and that the originator can't show they didn't.

What a structured workflow looks like

A workflow that produces the custody record as a byproduct of normal use typically has these properties:

Original is preserved untouched. The VMS export lands in a tool that stores the original and only derives copies — never overwrites it.
Every derivative is logged. Trim, transcode, still frame — each one is recorded back to the original with operator and timestamp.
Sharing is link-based with access controls. Code-gated link, expiry, view-count limit, ability to revoke, per-recipient distinct access where possible.
Audit log is automatic. Every open is timestamped, with whatever recipient identification is available.
Retention is enforced. Footage is deleted on a documented schedule, with the deletion itself logged — see our retention requirements guide.

This is roughly what Incident Clips produces by default. The difference between a tool like this and a Drive folder is not the file storage — it's the record that comes with it.

Who owns the record after handoff

When you hand footage to a third party — law enforcement, an insurance adjuster, opposing counsel — custody on the receiving side becomes their responsibility. You are responsible for documenting:

What was handed off (exact files, hashes if possible).
To whom (named recipient, agency, case number).
When (timestamped, with method of transfer).
Who on your side authorized it.

After that, the recipient's own evidence handling procedures govern. But your record of the handoff itself is what closes your portion of the chain.

Special cases worth flagging

A few situations come up often enough to call out:

Subpoenaed footage, where you're legally required to preserve the original even past your normal retention window. Document the subpoena and tag the footage so retention sweeps don't delete it.
Subrogation requests, often months after the incident. The detail required is usually higher than a same-night police request — original footage, original timestamps, full custody record.
Multi-customer incidents — when an incident involves footage from multiple of your customers' sites. Each customer's footage is custody-tracked separately; comingling is a problem.
Internal investigations — when your own customer is investigating an employee. The custody record matters in employment proceedings the same way it does in criminal ones.

Practical next steps

If you're currently using Drive, Dropbox, or WeTransfer to share footage, treat that as the part of the workflow that needs replacing first. See Incident Clips vs Google Drive and vs Dropbox for the specifics.
If you don't have a documented retention policy yet, see our guide to retention requirements.
If you're handling law enforcement requests regularly, the practical how to share footage with police walkthrough covers the front half of the workflow.

Incident Clips is built to produce the chain of custody record as a byproduct of the normal sharing workflow — original preserved, every derivative logged, every share gated and audited. Contact us for a walkthrough, or see pricing.