Researchers urge strict chain-of-custody, hashing and standardized working files for user-generated audio evidence
February 17, 2026 | Office of Justice Programs, Department of Justice (DOJ), Executive, Federal
This article was created by AI summarizing key points discussed. AI makes mistakes, so for full details and context, please refer to the video of the full meeting. Please report any errors so we can fix them. Report an error »
Dr. Rob Maher, professor of electrical and computer engineering at Montana State University, urged forensic teams to treat user-generated audio recordings with the same preservation discipline as other evidence and to adopt clear, repeatable workflows.
User-generated recordings — bystander phones, dash cameras, body-worn mics, doorbell cameras — now commonly appear in investigations, Maher said, and each presents different formats, metadata and risks. "As soon as possible to try to block any of those communication signals," he advised, recommending airplane mode and disabling Wi‑Fi and Bluetooth to reduce the risk a file is modified after collection.
Why it matters: preserving origin and integrity affects whether a file can be relied on in an investigation or court. Maher emphasized three practical steps investigators should take: keep the original file intact, compute a cryptographic hash for each original file, and create a separate standardized working copy for analysis. "When those files are then obtained, it's good practice to calculate a hash code for each file," he said, describing the hash as a sensitive checksum that will not match if the file is changed.
Details and standards: Maher said labs typically retain the original with its hash and then decode or reformat a working file for analysis, noting a common working-file standard is a 48 kHz sampling rate, 16‑bit stereo WAV. He emphasized the working file must have its own hash so analysts can demonstrate that their analysis files were not later altered. He also warned that decoding compressed files to uncompressed formats can change headers and metadata, so agencies should never delete the original: "You certainly never want to decode a file and delete the original because you would then obviously be losing the potential of interpreting that original metadata."
Metadata and authenticity: Maher recommended inspecting embedded metadata (file timestamps, GPS, device identifiers) and watching for signs a file was edited, such as editing remnants in headers or spectrographic discontinuities. Multiple, independent recordings can be used to check timing and shared background sounds to identify inconsistencies that suggest tampering.
Practical takeaways: agencies should adopt written procedures — how to collect devices, how to compute and store hashes, choice of working-file formats, and how to document any enhancements. Maher also recommended common, widely available tools to inspect files and metadata and urged transparency in documenting every processing step.
The webinar concluded with Maher reminding investigators that while many user-generated files will be authentic and useful, some will not; careful collection, hashing and documentation preserve both probative value and the ability to explain limitations to investigators or courts.
User-generated recordings — bystander phones, dash cameras, body-worn mics, doorbell cameras — now commonly appear in investigations, Maher said, and each presents different formats, metadata and risks. "As soon as possible to try to block any of those communication signals," he advised, recommending airplane mode and disabling Wi‑Fi and Bluetooth to reduce the risk a file is modified after collection.
Why it matters: preserving origin and integrity affects whether a file can be relied on in an investigation or court. Maher emphasized three practical steps investigators should take: keep the original file intact, compute a cryptographic hash for each original file, and create a separate standardized working copy for analysis. "When those files are then obtained, it's good practice to calculate a hash code for each file," he said, describing the hash as a sensitive checksum that will not match if the file is changed.
Details and standards: Maher said labs typically retain the original with its hash and then decode or reformat a working file for analysis, noting a common working-file standard is a 48 kHz sampling rate, 16‑bit stereo WAV. He emphasized the working file must have its own hash so analysts can demonstrate that their analysis files were not later altered. He also warned that decoding compressed files to uncompressed formats can change headers and metadata, so agencies should never delete the original: "You certainly never want to decode a file and delete the original because you would then obviously be losing the potential of interpreting that original metadata."
Metadata and authenticity: Maher recommended inspecting embedded metadata (file timestamps, GPS, device identifiers) and watching for signs a file was edited, such as editing remnants in headers or spectrographic discontinuities. Multiple, independent recordings can be used to check timing and shared background sounds to identify inconsistencies that suggest tampering.
Practical takeaways: agencies should adopt written procedures — how to collect devices, how to compute and store hashes, choice of working-file formats, and how to document any enhancements. Maher also recommended common, widely available tools to inspect files and metadata and urged transparency in documenting every processing step.
The webinar concluded with Maher reminding investigators that while many user-generated files will be authentic and useful, some will not; careful collection, hashing and documentation preserve both probative value and the ability to explain limitations to investigators or courts.
View the Full Meeting & All Its Details
This article offers just a summary. Unlock complete video, transcripts, and insights as a Founder Member.
✓
Watch full, unedited meeting videos
✓
Search every word spoken in unlimited transcripts
✓
AI summaries & real-time alerts (all government levels)
✓
Permanent access to expanding government content
30-day money-back guarantee
