In a computer forensics investigation, what describes the route that evidence takes from the time you find it until the case is closed or goes to court?

The route evidence takes from discovery through to court is the chain of custody. This is the documented, chronological record of every person who handled the evidence, every transfer or storage event, and every analysis or alteration performed on it. It begins when the item is found or seized, continues through transport to storage or the lab, through any examinations, and ends with its presentation in court or final disposition. Maintaining a strong chain of custody ensures the evidence remains authentic and untampered, because you can show who had access, when, how it was stored, and what was done to it at each step, often supported by logs, forms, and sometimes cryptographic hashes. This traceability is what supports the admissibility and credibility of digital or physical evidence in legal proceedings. Other terms don’t describe this lifecycle: one option relates to policies and separation of duties rather than the handling history; another concerns admissibility rules rather than the procedural record itself; and the last is about probability theory, unrelated to evidence handling.