Module 01 — Foundations
Foundations of Forensic Science
Every forensic examination starts with a simple question: can this file, this photo, this document be trusted? This module covers the foundations of forensic science for non-specialists: what a forensic examiner does, the difference between a trace and evidence, what Brazilian law requires for chain of custody, and how the SHA-256 hash proves the integrity of digital evidence.
What is forensic science?
Forensic science is the set of scientific disciplines applied to facts of legal interest. When a case needs to establish whether a document was tampered with, whether an image was edited, or where a scam originated, the answer rests on the scientific method, not on the analyst's opinion. Chemistry, forensic medicine, ballistics and computer forensics all belong to this field.
The word "forensic" comes from the Latin forensis, of the forum: the public space where the Romans argued their cases. The meaning still holds. Forensic knowledge is knowledge produced to be presented and challenged in court.
In practice, the same reasoning applies to a physical crime scene and to a scam run over WhatsApp. Someone collects the traces, examines them methodically, and explains the result in a way that lets any other specialist repeat the procedure and check the conclusions. That possibility of independent verification is what separates technical evidence from guesswork.
What a forensic examination is and what an examiner does
A forensic examination is forensic science applied to an investigation. The examiner studies the traces and records the work in an expert report: a technical document describing what was found, which method was used in the examination, and what conclusions it led to.
The report neither accuses nor clears anyone. It presents technical facts, and the decision belongs to the court. To serve the proceeding, forensic work must be reproducible: another examiner, starting from the same traces and the same method, should reach the same result. A report that does not explain its own method carries little weight in court, however firm its conclusion.
Digital forensics follows the same principle. A chat screenshot, a file or a suspicious link are examined against objective criteria, and every step of the examination is documented so the result can be checked later by anyone.
Trace, evidence and proof: what is the difference?
Three words often used interchangeably carry very different weight in an investigation:
- Trace is any mark or object found that may relate to the fact. Raw, unexamined data. A photo received on WhatsApp, a PDF that arrived by email, or a suspicious link are all traces until someone examines them methodically.
- Evidence is the trace after examination, when the technical analysis demonstrates it relates to the case. The same photo, if the examination reveals metadata editing marks and pixel inconsistencies, becomes evidence of tampering.
- Proof is the evidence brought into the proceeding, where it faces adversarial scrutiny: the other party may challenge it, and the judge decides how much weight it carries.
What separates a trace from evidence is not the object itself; it is the quality and documentation of the examination. Without a record of how, when and by whom the analysis was performed, any finding can be challenged. That demand for traceability leads straight to the next lesson: chain of custody.
Chain of custody: what it is and what the law says
Chain of custody is the record of everything that happens to a trace from collection to presentation in court: who collected it, when, how it was transported and stored, and who had access to it at each step.
That history exists because the defense can always claim the evidence was swapped or altered along the way. If the record has gaps, the claim gains strength, and technically solid evidence can lose its value in the proceeding.
The SHA-256 hash: a fingerprint for every file
In the digital realm, the technical pillar of chain of custody is the cryptographic hash. The algorithm most used in forensic work is SHA-256 (Secure Hash Algorithm, 256 bits). Applied to any file, whether a PDF, an image, a spreadsheet or an exported conversation, it produces a 64-character code that represents exactly that content at that moment.
The property that matters here is the avalanche effect: changing a single byte of the file produces a completely different hash. There is no subtle variation and no proportional change; the code changes entirely, whatever the size of the file. That is why comparing hashes is the most direct way to verify the integrity of a file.
Watch the avalanche effect happen
A contract PDF, its SHA-256 hash — and what happens when a single character changes.
"… the CLIENT shall pay the amount of $12,000.00, in a single installment, by the fifth business day …"
Hash intact — the file is identical to the one on record. ✓ integrity confirmed
SHA-256 is everywhere: operating systems check downloads with it, cloud platforms validate every transfer, digital signatures include the hash of the signed content, and electronic notary systems use it to guarantee record immutability.
How to detect tampering in practice
Suppose you received a PDF contract and suspect a clause was changed after signing:
- Whoever generated the document records the SHA-256 at the moment of signing.
- You calculate the SHA-256 of the version you received.
- Identical codes, character by character, mean the file has not been modified in any way.
- Different codes mean there was an alteration. That divergence is technical evidence.
The same check resolves other common cases: a medical report with a suspicious diagnosis, an invoice with an amount different from the one the system issued, a WhatsApp conversation exported as digital evidence in a proceeding, a certificate received by email with odd data.
The 8 stages of an exhibit under the CPP
Slide through the chain — every link is a mandatory record.
Isolation
Securing the scene to prevent contamination of the exhibit before collection.
In the digital worldNever open the original file: opening it already alters the metadata.
Collection
The exhibit is gathered by a qualified professional, logging who and when.
In the digital worldSHA-256 hash computed before any processing.
Packaging
Individual packaging that preserves the characteristics of what was collected.
In the digital worldAn intact forensic copy; the original is never handled.
Transport
A logged transfer, with no broken seal between origin and destination.
In the digital worldHash verified after every transfer of custody.
Receipt
Formal transfer of custody: who handed over, who received, in what condition.
In the digital worldDoes the new hash match the recorded one? Custody accepted.
Processing
The forensic examination itself, with a documented, reproducible method.
In the digital worldAlways on the forensic copy, never on the original.
Storage
Kept under controlled conditions while the case is ongoing.
In the digital worldHash re-verifiable at any point in the proceedings.
Disposal
Authorized release or destruction — also recorded, closing the chain.
In the digital worldThe disposal record closes the custody trail.
Introduction to digital forensics
Digital forensics, also called computer forensics, applies the forensic method to phones, computers, files and the internet. Its subject is digital evidence: an email, a photo's metadata, a system access log, a phishing link.
Digital traces have a characteristic that changes everything: they are fragile and can be altered without leaving a visible sign. Opening a file the wrong way modifies its metadata. Copying a photo to another folder changes its creation date. That is why careful collection and chain of custody weigh even more here than in physical forensics, where material traces withstand time better.
Demand for digital forensics has grown alongside online crime in Brazil: WhatsApp and Pix scams, altered PDF documents, fake profiles, deepfakes. In every one of these cases the work starts at the same point, which is identifying and preserving the traces before they are lost or changed.
That initial triage is what MetaScope puts within anyone's reach: examining images, documents and links against technical criteria and recording file integrity before deciding whether the case justifies a formal examination.
The field has produced specialised tools covering different fronts of computer forensics applied to legal practice — from crime scene reconstruction to digital media analysis. A [portfolio of solutions built for this context](https://www.investigacaoforense.com/portfolio) can help identify which type of analysis fits each situation.
Frequently asked questions
Do WhatsApp screenshots and digital evidence hold up in court?
They do, provided chain of custody is maintained and the examination is reproducible. Reports produced with a documented method are accepted in civil, labor and criminal proceedings. The judge weighs the technical quality and traceability of the examination, not just the final conclusion. An isolated screenshot, with no integrity preservation, carries far less probative value than the same screenshot backed by a hash and a record of origin.
Can anyone request a forensic examination?
Yes. Any party to a proceeding may request one from the court, and may also hire an independent technical consultant to review an official report or produce an independent opinion.
What if the suspect deletes the original file?
A hash preserved before the deletion still holds: it proves that content existed in that exact state. If a different file is presented later, its hash will differ, and that divergence is itself relevant technical evidence.
Does MetaScope replace a formal expert report?
No. MetaScope is a triage and digital evidence preservation tool: it identifies technical signals and documents file integrity. A report with full legal standing requires a qualified examiner and follows its own procedural framework.