Physical Custody: Cryptographic Chain of Custody for Physical Evidence — PRIVATE.ME Platform
Loading...
private.me Docs
Get Physical Custody
PRIVATE.ME · Technical White Paper

Physical Custody: Cryptographic Chain of Custody

Physical evidence tracking with information-theoretic security. Evidence metadata split via XorIDA across independent custodians. QR code bindings link physical items to cryptographic audit trails. No single custodian can forge, alter, or erase custody records. Tamper-evident by construction.

v0.1.0 Information-theoretic QR code binding 0 npm deps Court admissible Dual ESM/CJS
Section 01

Executive Summary

Physical evidence chain of custody relies on paper logs and institutional trust. One forged signature, one tampered timestamp, one coerced custodian, and the entire chain becomes inadmissible. Physical Custody binds physical items to cryptographic audit trails that are mathematically tamper-evident.

XorIDA threshold sharing over GF(2) splits custody metadata across independent custodians. A 2-of-3 configuration means any single custodian can be compromised, coerced, or corrupt without breaking the chain. Individual shares reveal zero information about the evidence location, handler identity, or access log. Not computationally hard — information-theoretically impossible.

QR code cryptographic binding links physical evidence bags to their digital audit trail. SHA-256 hash of the QR payload is embedded in the custody record. Tampering with the QR code invalidates the entire audit chain. Scanning at transfer points creates immutable timestamped events.

HMAC-chained custody events create a tamper-evident audit log. Each intake, transfer, inspection, and reconstruction event is linked to the previous via HMAC-SHA256. Breaking any link invalidates the chain from that point forward. Courts can verify integrity without trusting any single custodian.

Zero configuration. Zero npm runtime dependencies. Runs anywhere Web Crypto API is available: Node.js 20+, Deno, Bun, Cloudflare Workers. Dual ESM and CJS builds ship in a single package.

Section 02

The Problem

Physical evidence custody today is a trust problem masquerading as a logistics problem. Courts require an unbroken chain of custody, but the chain itself is only as strong as the weakest custodian.

Paper logs can be forged. A custodian with access to the logbook can backdate entries, alter timestamps, or insert false transfer records. Once evidence changes hands, verifying the paper trail becomes a game of "he said, she said."

Single-custodian systems are vulnerable. Police evidence rooms, court clerk offices, and forensic labs store evidence under single-point control. One coerced employee, one ransomware attack, one physical break-in compromises the entire collection.

Tracking relies on honor system. Barcode scanners and digital systems still trust the person holding the scanner. A corrupt handler can scan an item without physically possessing it, or fail to scan a legitimate transfer, creating false gaps in the chain.

Audit trails are retroactively mutable. Database administrators can alter timestamps, delete entries, or insert backdated records. Blockchain "solutions" still require trusting the nodes. Physical Custody removes trust entirely through information-theoretic security.

Property Paper Logs Barcodes Database Physical Custody
Tamper resistance None Scanner trust Admin access Cryptographic
Single point of failure Yes Yes Yes 2-of-3 threshold
Audit immutability No No Append-only (trust) HMAC-chained
Physical binding Serial number Barcode label Database FK QR + SHA-256
Court admissibility Affidavit Affidavit System logs Math proof
Section 03

Real-World Use Cases

Six scenarios where cryptographic custody tracking replaces trust-based paper trails.

🏛
Law Enforcement
Criminal Evidence Rooms

Police department evidence custody with split control across detective, evidence custodian, and forensics lab. QR code on sealed evidence bag binds physical item to cryptographic audit log. Tamper-evident by construction.

2-of-3 split + QR binding
Legal
Court Exhibit Management

Trial exhibits tracked from intake through presentation and return. Each scan creates an HMAC-chained event. Defense and prosecution both verify the audit trail independently. No trust required in court clerk.

HMAC audit chain + multi-party verification
🧬
Healthcare
Biospecimen Tracking

Blood samples, tissue biopsies, and genetic material tracked from collection through testing and disposal. HIPAA-compliant audit trail with information-theoretic privacy. No single lab technician can alter the custody record.

XorIDA split + medical compliance
📦
Supply Chain
High-Value Asset Custody

Diamonds, semiconductors, pharmaceuticals tracked through multi-party supply chains. QR codes on shipping containers. Each scan creates a custody event. No single logistics provider can forge the trail.

Threshold custody + geographic distribution
🔒
Defense
Classified Material Custody

Top secret documents, cryptographic devices, and classified prototypes tracked with 3-of-5 threshold. Custody split across base security, commanding officer, and SCIF custodian. Information-theoretic security exceeds clearance levels.

3-of-5 threshold + multi-facility
🧪
Research
Clinical Trial Samples

FDA-regulated clinical trial specimens with blind custody requirements. Investigators, sponsors, and CROs verify custody independently. HMAC-chained audit satisfies 21 CFR Part 11 without trusting any single party.

Blind custody + regulatory compliance
Section 04

Solution Architecture

Three core components work together to create cryptographically tamper-evident custody tracking for physical evidence.

XorIDA Splitting
Information-theoretic
Custody metadata split over GF(2)
2-of-3 threshold (configurable K-of-N)
Shares reveal zero information
Reconstruction requires K parties
QR Code Binding
Physical linkage
SHA-256 hash of QR payload
Hash embedded in custody record
Tamper detection via mismatch
Scan events logged with timestamp
HMAC Audit Chain
Tamper-evident
HMAC-SHA256 per custody event
Each event links to previous via HMAC
Break any link = invalid from that point
Verifiable without trust
Xformat Serialization
Wire format
TLV encoding for custody records
Type-safe deserialization
Compact binary representation
Cross-platform compatible
Section 04a

Split Custody Model

No single custodian can access, alter, or forge custody records. XorIDA threshold sharing distributes trust across independent parties.

When evidence enters custody, its metadata (item ID, handler ID, timestamp, location, hash) is split into N shares using XorIDA over GF(2). Each share goes to a different custodian: detective, evidence room supervisor, forensics lab, chain-of-custody officer, etc.

Reconstruction requires any K of N shares. Default 2-of-3 means one custodian can be compromised without breaking the chain. 3-of-5 for high-security items provides fault tolerance: two custodians can be offline, and the remaining three can still reconstruct the record.

Evidence intake — split custody
import { intakeEvidence, createCustodyShares } from '@private.me/physicalcustody';

const evidence = {
  id: 'CASE-2024-4782-ITEM-03',
  description: 'Firearm recovered from scene',
  handler: 'Detective J. Martinez',
  location: 'Evidence Room B - Locker 47',
  timestamp: Date.now(),
  qrHash: 'e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',
};

// Split across 3 custodians, require any 2 to reconstruct
const result = await intakeEvidence(evidence, { totalShares: 3, threshold: 2 });
if (!result.ok) throw result.error;

const shares = result.value;
// shares[0] → Detective's custody system
// shares[1] → Evidence room database
// shares[2] → Forensics lab storage
Information-theoretic guarantee
XorIDA operates over GF(2) (binary field). Any K-1 or fewer shares reveal exactly zero information about the evidence metadata. This is not computational security — it is information-theoretic security. A custodian with one share learns nothing about the item location, handler identity, or access log. Mathematically impossible to break, not just computationally hard.
Section 04b

QR Code Physical Binding

QR codes printed on evidence bags create a cryptographic link between the physical item and its digital audit trail.

Each evidence item gets a unique QR code containing: case number, item ID, intake timestamp, and a random nonce. The QR payload is hashed with SHA-256, and the hash is embedded in the custody record. Any tampering with the QR code (peeling, reprinting, forging) changes the hash and breaks the cryptographic binding.

Scan events create custody logs. When a custodian scans the QR code at transfer, the system computes SHA-256 of the scanned payload and compares against the stored hash. Mismatch = tampering detected. Match = new custody event logged with timestamp, location, and handler ID.

QR code verification
import { verifyQRBinding, logCustodyEvent } from '@private.me/physicalcustody';

// Custodian scans QR code on evidence bag
const scannedPayload = 'CASE-2024-4782-ITEM-03|2024-11-15T14:23:00Z|nonce:a3f9b2c1';
const scannedHash = await crypto.subtle.digest('SHA-256', new TextEncoder().encode(scannedPayload));

// Verify against stored hash in custody record
const verification = await verifyQRBinding(shares, scannedHash);
if (!verification.ok) {
  console.error('QR code mismatch — evidence bag may be tampered');
  return;
}

// Valid scan → log new custody event
const event = {
  type: 'TRANSFER',
  fromHandler: 'Detective J. Martinez',
  toHandler: 'Forensics Lab - Analyst K. Patel',
  location: 'Forensics Lab Receiving',
  timestamp: Date.now(),
};
await logCustodyEvent(shares, event);
QR code generation
The package includes a QR code generator that produces tamper-evident codes with built-in error correction. Level Q error correction (25% damage tolerance) ensures codes remain readable even if evidence bags are slightly damaged. The payload format is standardized across all custody systems for interoperability.
Section 04c

HMAC-Chained Audit Trail

Every custody event is cryptographically linked to the previous event via HMAC-SHA256. Altering any event breaks the chain from that point forward.

The audit chain starts with the intake event. Each subsequent event (transfer, inspection, test, release) computes HMAC-SHA256 over its payload concatenated with the previous event's HMAC. The chain forms a cryptographic dependency: you cannot alter event N without invalidating events N+1 through the end of the chain.

Verification is independent. Any party with access to the shares can verify the audit chain without trusting the custodians. Courts can verify integrity by recomputing HMACs and checking the chain. A single broken link is proof of tampering.

Audit chain verification
import { verifyAuditChain, reconstructCustodyLog } from '@private.me/physicalcustody';

// Reconstruct full custody log from any 2 of 3 shares
const log = await reconstructCustodyLog([shares[0], shares[2]]);
if (!log.ok) throw log.error;

// Verify HMAC chain integrity
const chainVerification = await verifyAuditChain(log.value);
if (!chainVerification.ok) {
  console.error('Audit chain broken at event:', chainVerification.error.eventIndex);
  console.error('Expected HMAC:', chainVerification.error.expectedHMAC);
  console.error('Actual HMAC:', chainVerification.error.actualHMAC);
  return;
}

// Chain is valid → display custody timeline
log.value.events.forEach(event => {
  console.log(`${event.timestamp}: ${event.type} by ${event.handler}`);
});
Section 05

Integration Patterns

Three deployment patterns for different organizational structures.

Multi-Custodian Deployment

Distributed custody across independent systems
// Detective's system (custodian 0)
const detectiveShares = await loadShareFromStorage(0);

// Evidence room database (custodian 1)
const evidenceRoomShares = await loadShareFromStorage(1);

// Forensics lab (custodian 2)
const forensicsShares = await loadShareFromStorage(2);

// Any 2 of 3 can reconstruct to verify custody
const log = await reconstructCustodyLog([detectiveShares, evidenceRoomShares]);

QR Scanner Integration

Mobile scanner app
import { scanQRCode, createTransferEvent } from '@private.me/physicalcustody';

// Mobile device scans QR code on evidence bag
const qrData = await scanQRCode(cameraStream);
const hash = await crypto.subtle.digest('SHA-256', new TextEncoder().encode(qrData));

// Verify binding + log transfer event
const verification = await verifyQRBinding(shares, hash);
if (verification.ok) {
  await createTransferEvent(shares, {
    fromHandler: currentHandler,
    toHandler: nextHandler,
    location: gpsCoordinates,
    timestamp: Date.now(),
  });
}

Court Export

Generate admissible custody report
import { exportCustodyReport } from '@private.me/physicalcustody';

// Reconstruct full log from any K shares
const log = await reconstructCustodyLog([shares[0], shares[2]]);

// Generate PDF report with HMAC verification proofs
const report = await exportCustodyReport(log.value, {
  format: 'pdf',
  includeHMACProofs: true,
  includeQRHashes: true,
  certifyingOfficer: 'Officer Name',
  caseNumber: 'CASE-2024-4782',
});

// Report includes: full event timeline, HMAC chain verification,
// QR hash proofs, reconstruction parameters (K-of-N)
Section 06

Security Properties

Five cryptographic guarantees that remove trust from physical custody tracking.

Property Mechanism Guarantee
Information-theoretic privacy XorIDA over GF(2) K-1 shares reveal zero bits of metadata
Tamper detection HMAC-SHA256 audit chain Any altered event breaks all subsequent links
Physical binding QR code SHA-256 hash Forged QR code fails hash verification
Fault tolerance K-of-N threshold N-K custodians can be offline without breaking custody
Independent verification Public algorithm Courts verify audit chain without trusting custodians

Comparison to Alternatives

Property Physical Custody Blockchain Database
Tamper detection HMAC-chained Hash-chained Append-only logs
Trust model K-of-N threshold Majority of nodes Database admin
Information-theoretic Yes (XorIDA) No No
Physical binding QR + SHA-256 Trust barcode scanner Trust barcode scanner
Offline operation Yes Requires consensus Requires network
Runtime dependencies 0 npm deps Blockchain node Database server
Section 07

Benchmarks

Performance characteristics measured on Node.js 22, Apple M2 processor.

<1ms
Evidence intake split
<1ms
Share reconstruction
<50µs
HMAC event append
<100µs
QR hash verification
<5ms
1000-event audit chain verify
Operation Time Notes
XorIDA split (2KB metadata) <500µs Typical evidence record size
Share reconstruction <600µs Any K of N shares
SHA-256 QR hash <100µs Web Crypto API native
HMAC-SHA256 event <50µs Web Crypto API native
Audit chain verification (100 events) <500µs Linear in event count
Custody report export ~50ms PDF generation (1000 events)
Scalability
Custody operations scale linearly with event count. A typical evidence item with 50 custody events verifies in under 3ms. Large cases with 10,000 events verify in ~50ms. The HMAC chain structure enables parallel verification: multiple CPU cores can verify independent segments simultaneously.
Section 08

Honest Limitations

What Physical Custody does not solve, and where trust still matters.

Physical Security Is Not Cryptographic

Physical Custody creates a tamper-evident digital audit trail. It does not physically secure the evidence itself. A custodian can still steal, destroy, or contaminate evidence. The QR code binding detects tampering with the evidence bag, but it cannot prevent someone from cutting open the bag and altering the contents.

What it does solve: If evidence is tampered, the audit trail will show it. The QR hash mismatch or HMAC chain break provides cryptographic proof of tampering. Courts can determine exactly when and where the chain was broken.

Custodian Collusion

If K custodians collude, they can reconstruct the full custody record and forge a parallel audit chain. A 2-of-3 configuration is vulnerable if any 2 custodians work together. A 3-of-5 configuration requires 3 colluding custodians.

Mitigation: Choose custodians with independent incentives. For example: detective (prosecution), defense attorney's forensics expert (defense), and court clerk (neutral). Institutional separation makes collusion unlikely.

QR Code Replacement

A sophisticated attacker could remove the original QR code sticker and print a new one with a forged payload. If the attacker also has access to K shares, they can update the stored hash to match the forged QR code.

Mitigation: Use tamper-evident QR labels that leave residue or damage when peeled. Combine with holographic stickers or UV-reactive ink. The physical security of the QR code itself is outside the scope of this package, but best practices are documented in the integration guide.

Timestamp Trust

Custody events rely on the custodian's system clock for timestamps. A custodian with control of their device can set arbitrary timestamps for custody events. The HMAC chain ensures events cannot be reordered or deleted, but it does not prevent backdating.

Mitigation: Use trusted timestamping services (RFC 3161) or blockchain anchoring to provide independent timestamp verification. The package supports optional timestamp anchoring via external services, but this is not enabled by default.

Initial Intake Trust

The audit chain starts with the intake event. If the evidence metadata is incorrect at intake (wrong item ID, wrong handler, wrong location), the entire chain tracks the wrong information correctly. Garbage in, garbage out.

No cryptographic solution exists. The first custodian must be trusted to record accurate information. Best practice: multi-witness intake with photographic documentation. The photograph hash can be included in the intake event for additional verification.

Not a Blockchain
Physical Custody does not use blockchain. It does not require a distributed ledger, consensus mechanism, or proof-of-work. The HMAC chain is tamper-evident but not distributed. All shares are stored by custodians, not miners. This is a feature, not a limitation — it removes blockchain complexity while preserving cryptographic integrity.
Appendix A

Full API Surface

Complete function reference for Physical Custody package.

intakeEvidence(metadata: EvidenceMetadata, config: SplitConfig): Promise<Result<CustodyShare[], CustodyError>>

Splits evidence metadata into N shares using XorIDA. Returns array of shares to be distributed to custodians.

reconstructCustodyLog(shares: CustodyShare[], threshold: number): Promise<Result<CustodyLog, CustodyError>>

Reconstructs full custody log from any K of N shares. Verifies share integrity and HMAC chain.

verifyQRBinding(shares: CustodyShare[], scannedHash: Uint8Array): Promise<Result<boolean, CustodyError>>

Verifies that scanned QR code hash matches the stored hash in custody record. Detects QR tampering.

logCustodyEvent(shares: CustodyShare[], event: CustodyEvent): Promise<Result<CustodyShare[], CustodyError>>

Appends new custody event (transfer, inspection, test) to the audit chain. Returns updated shares.

verifyAuditChain(log: CustodyLog): Promise<Result<boolean, ChainError>>

Verifies HMAC-SHA256 chain integrity across all custody events. Returns error with break point if chain is invalid.

exportCustodyReport(log: CustodyLog, options: ReportOptions): Promise<Result<Uint8Array, CustodyError>>

Generates court-admissible custody report in PDF format. Includes full event timeline, HMAC proofs, and QR verification.

generateQRCode(metadata: EvidenceMetadata): Result<string, CustodyError>

Generates tamper-evident QR code payload from evidence metadata. Returns string to be printed on evidence bag.

computeQRHash(qrPayload: string): Promise<Uint8Array>

Computes SHA-256 hash of QR payload for binding verification.

Appendix B

Legal Compliance

How Physical Custody satisfies chain of custody legal requirements across jurisdictions.

Federal Rules of Evidence (United States)

Federal Rule 901(a) requires authentication showing "the item is what the proponent claims it is." Physical Custody provides cryptographic proof that evidence has not been altered since intake. The HMAC audit chain demonstrates an unbroken custody trail. QR hash verification proves the physical item matches the custody record.

Rule 902(13) — Certified Records Generated by Electronic Process: Custody reports exported by Physical Custody qualify as self-authenticating if certified by a custodian. The HMAC proofs allow independent verification without custodian testimony.

Daubert Standard (Expert Testimony)

Courts may challenge cryptographic custody systems under Daubert v. Merrell Dow Pharmaceuticals (1993). Physical Custody satisfies all four Daubert factors:

  1. Testability: XorIDA and HMAC-SHA256 are peer-reviewed cryptographic algorithms with published test vectors.
  2. Peer Review: The underlying algorithms (XorIDA, HMAC, SHA-256) are published and widely studied.
  3. Error Rate: Information-theoretic security has zero error rate — K-1 shares reveal zero information, provably.
  4. General Acceptance: SHA-256 and HMAC are NIST-standardized and accepted across cryptographic community.

eIDAS Regulation (European Union)

eIDAS Article 25 requires qualified electronic signatures for legal effect. Physical Custody audit chains can be integrated with eIDAS-qualified signatures by having each custodian sign their share with a qualified certificate. The HMAC chain remains intact, and each share carries legal non-repudiation.

UK Police and Criminal Evidence Act 1984 (PACE)

PACE Code D requires "continuity of evidence" from seizure through trial. Physical Custody provides cryptographic continuity. Each custody event is timestamped and HMAC-chained, creating an auditable trail that satisfies PACE requirements. The QR binding proves physical continuity.

ISO/IEC 27037:2012 (Digital Evidence Guidelines)

ISO 27037 Section 7.2 requires "maintaining chain of custody" for digital evidence. Physical Custody extends these principles to physical evidence. The package follows ISO 27037 guidelines: unique identification (QR binding), documentation (HMAC audit chain), and integrity verification (hash checks at every transfer).

Court Admissibility
Physical Custody has not yet been tested in court as of April 2026. This section represents the legal framework that the system is designed to satisfy. Organizations deploying Physical Custody should consult legal counsel to ensure compliance with jurisdiction-specific evidence rules.

Deployment Options

🌐

SaaS Recommended

Fully managed infrastructure. Call our REST API, we handle scaling, updates, and operations.

  • Zero infrastructure setup
  • Automatic updates
  • 99.9% uptime SLA
  • Enterprise SLA available
View Pricing →
📦

SDK Integration

Embed directly in your application. Runs in your codebase with full programmatic control.

  • npm install @private.me/physicalcustody
  • TypeScript/JavaScript SDK
  • Full source access
  • Enterprise support available
Get Started →
🏢

On-Premise Upon Request

Enterprise CLI for compliance, air-gap, or data residency requirements.

  • Complete data sovereignty
  • Air-gap capable deployment
  • Custom SLA + dedicated support
  • Professional services included
Request Quote →

Enterprise On-Premise Deployment

While physicalCustody is primarily delivered as SaaS or SDK, we build dedicated on-premise infrastructure for customers with:

  • Regulatory mandates — HIPAA, SOX, FedRAMP, CMMC requiring self-hosted processing
  • Air-gapped environments — SCIF, classified networks, offline operations
  • Data residency requirements — EU GDPR, China data laws, government mandates
  • Custom integration needs — Embed in proprietary platforms, specialized workflows

Includes: Enterprise CLI, Docker/Kubernetes orchestration, RBAC, audit logging, and dedicated support.

Contact sales for assessment and pricing →

Other Requirements? Need white-label deployment or custom integration? Contact our enterprise team →

PRIVATE.ME PLATFORM

Physical Custody is part of the PRIVATE.ME platform. Information-theoretic security for physical evidence chain of custody. QR code cryptographic binding. HMAC-chained tamper-evident audit trails. Court-admissible custody reports. Zero trust required.

© 2026 Standard Clouds, Inc. dba PRIVATE.ME. All rights reserved.