All resources
    Integrity guide12 min read

    Hashing and custody

    SHA-256 hashes for online evidence bundles

    A practical evidence-operations guide to using SHA-256 hashes as integrity checks for online-harm captures: what the hash proves, how to record it, where it belongs in a custody log, and how to explain its limits to lawyers and security teams.

    01

    What this is

    A SHA-256 hash is a fixed fingerprint of a file at a point in time. For online-harm evidence, it helps a reviewer see whether a screenshot, media file, HTML capture, export, or bundle has changed after capture. It does not decide authenticity, authorship, legal significance, or platform-action outcomes. Finium treats hashes as one integrity layer inside a broader evidence file: capture, preserve, timestamp, structure, and export for counsel-led review.

    02

    Practical workflow

    Hashing works best when it is routine, narrow, and documented. The workflow starts when source material is captured and ends when an export is produced for a lawyer, security lead, or authorized reviewer. Each step records what happened without converting the record into legal advice.

    • Capture: save the source URL, visible timestamp, full-page screenshot, media file, and surrounding account context where lawful and appropriate
    • Preserve: store the original capture separately from annotations, translations, summaries, and exhibit views
    • Timestamp: record capture time in UTC and identify the timestamp source used by the capture system or reviewer
    • Hash: compute SHA-256 for each original file and for each later export bundle, then record the value beside the evidence ID
    • Structure: connect the hash to a chronology entry, source URL, custodian, storage location, and review status
    • Export: include a hash manifest so outside reviewers can verify that the delivered files match the exported package
    03

    Evidence checklist

    The hash value is only useful when the surrounding record tells a reviewer what was hashed, who handled it, and which version the value belongs to.

    • Evidence ID and stable file name used across the chronology, manifest, and export
    • SHA-256 value for the original capture file, not just for a compressed archive
    • Hashing tool or system process used, including version where available
    • Capture timestamp, hash timestamp, and the person or system that created the record
    • Storage location and access history for the original file
    • Notes for derived files, including redactions, translations, cropped exhibits, and bundle-level exports
    04

    How to explain the hash to a reviewer

    Use careful language: the hash supports integrity of the file after the value was recorded. It does not prove that the platform post was true, that the account owner authored it, or that a legal threshold has been met. A useful evidence file pairs the hash with source context, capture method, timestamp, account identifiers, and custody events so counsel and qualified reviewers can assess the whole record.

    05

    Where Finium links this in the evidence workflow

    This integrity guide supports Finium's broader evidence workflow at /how-it-works, the law-firm intake path at /for-law-firms, and the restricted handling model described at /security. It is also closely related to the existing chain-of-custody reference at /resources/chain-of-custody-online-evidence and the online-harm evidence pack checklist at /resources/online-harm-evidence-pack-checklist.

    06

    FAQ: do lawyers need a hash for every screenshot?

    Not every preliminary screenshot will receive the same treatment, but any item that may enter a formal evidence file benefits from an integrity value and a custody record. The operational rule is simple: hash originals early, keep derivatives separate, and let counsel decide what matters later.

    07

    FAQ: does a SHA-256 hash prove the online post was authentic?

    No. It proves that the file being checked matches the file represented by the recorded hash. Source authenticity needs other context: capture method, URL, platform state, account identifiers, provenance signals, corroboration, and reviewer judgment.

    08

    FAQ: can a hash replace chain of custody?

    No. A hash is one event inside the custody story. The chain of custody still needs who captured the item, where it was stored, who accessed it, what was derived from it, and which export was delivered.

    09

    FAQ: what boundary belongs in every hash manifest?

    The manifest is an integrity record, not legal advice and not an emergency-response tool. It does not promise a platform action, a legal result, or acceptance by any particular reviewer. It makes the handling record easier to inspect.

    FINIUM LEGAL

    Want this structured for a real matter?

    Send one public URL or representative matter and review the kind of source-aware evidence file Finium is built to prepare.