Go Back
Blog

What Does It Mean to Be Forensically Sound?

Read this blog article to learn what it means to be forensically sound and why forensic soundness is so important in digital forensic investigations.

Defining Forensic Soundness

The generally accepted definition of forensic soundness is “the application of a transparent digital forensics process that preserves the original meaning of data for production in a court of law.”  

To meet that standard, and therefore be “forensically sound,” an investigation must be conducted in such a manner that the digital evidence (and all associated metadata) is identical at both the start and completion of the process. This can be established using hash codes, also known as hash values, which can be thought of as unique digital fingerprints for electronic files. To be forensically sound, the data collection and analysis processes must be defensible, consistent, repeatable, well-documented, and authenticated.  

Characteristics of Forensic Soundness

For an investigation to be "forensically sound," the process of collecting, preserving, analyzing, and presenting evidence must follow established forensic principles and best practices. This approach ensures that the evidence gathered is accurate, reliable, and admissible in a court of law, both for civil and criminal matters.

Accuracy and Reliability A forensically sound investigation ensures that evidence is collected and handled in a way that minimizes contamination, tampering, or alteration. This helps maintain the integrity and reliability of the evidence, making it more likely to withstand challenges during legal proceedings.

Objectivity

Forensic investigations aim to be unbiased and objective. Following standardized procedures helps reduce the influence of personal biases or subjective judgments, increasing the credibility of the findings.  

Transparency

A forensically sound investigation is transparent, allowing other experts to review and potentially replicate the results. This peer review process adds further validity to the findings.  

Ensuring Forensic Soundness with the Chain of Custody

A forensically sound investigation preserves evidence in its original state throughout the investigation, preventing degradation or loss of critical information over time. To do this, digital forensic investigators take steps that include thorough documentation of transfers in control of the evidence and investigative steps taken for what is known as “the chain of custody.”  

The chain of custody refers to the process through which physical or digital evidence is handled during an investigation. Proving that an item has been properly handled through an unbroken chain of custody is required for it to be legally accepted as evidence in court. It documents how, when, and by whom items have been collected, handled, analyzed, or otherwise controlled.  

Gaps in the chain of custody can result in the evidence being inadmissible. In the infamous OJ Simpson murder trial, several items of evidence—including blood samples—remained in officers’ possession for considerable amounts of time before being logged. This mistake allowed the defense to argue that evidence could have been planted or contaminated, introducing doubt into the jurors’ minds.  

For digital evidence, forensic investigators will often make use of a hardware write blocker. These devices ensure that no changes are made to the media being imaged, thus supporting the chain of custody.  

The Importance of Forensic Soundness

Forensically sound investigations play a vital role in supporting the justice system by providing reliable evidence that aids in determining guilt or innocence.  

  • Civil Matters: Adjudicated to a standard of “a preponderance of the evidence,” meaning only that the supposition is more likely true than not. In such cases, a logical collection often suffices. Logical collections include all the data and metadata associated with a given file, but do not include associated volatile, deleted, or encrypted data.
  • Criminal Cases: Demand a stricter evidentiary standard—“beyond a reasonable doubt.” Criminal trials demand a stricter standard of forensic soundness. Courts require evidence to meet specific standards and chain-of-custody protocols to be considered valid.

For an example of how not to conduct a collection, see Leidig v. BuzzFeed, Inc. (S.D.N.Y. Dec. 19, 2017). In that case, the plaintiffs produced screenshots with incorrect or missing metadata. The plaintiffs’ witness admitted that he “inadvertently changed or deleted the metadata” for some files when moving them to a hard drive. The court imposed sanctions for their “amateurish collection” efforts.

To learn more about how to conduct a forensically sound investigation, download Chapter 2 of Exterro’s Basics of Digital Forensics.

Redefining how your business manages data risk.
Get Started
Mitigating enterprise data risk.
ResourcesBlogPodcastCase StudiesWhitepapers
ProductseDiscoveryDigital ForensicsData GovernancePlatform & Intelligence
IndustriesFinancial Services & InsuranceHealthcare & Life SciencesEnergy & UtilitiesGovernment & Public Sector
CompanyNews & PressCareersTrust CenterContact Us
© 2026 Exterro. All rights reserved
Trust CenterModern Slavery StatementPrivacy PolicyWebsite Terms of Use
Do Not Sell or Share My Personal Information