Traditionaly, a chain of custody (chain of evidence) refers to the chronological documentation, or paper trail, showing storing, controling, transfer, analysis and handling with evidence. Chain of custody plays very important role in digital forensic investigation process. To prove chain of custody, investigators must know all details on how the evidence was handle.„Five Ws (and one H)“must be applied.

Life cycle of digital evidence is very complex, and at each stage there is more impact that can violate a chain of custody. Proper chain of custody must include information on how evidence is collected, transported, analyzed, preserved, and handled with. In most countries there is no standard unique protocol or procedures for this. In this paper authors will presents a digital evidence management framework–DEMF, which can im (prove) chain of custody of digital evidence in all stages of digital investigation process. In proposed framework will be used a SHA-2 hash function for digital fingerprint of evidence, biometric characteristics for authentification and identification a personal who handled with evidence, a digital trusted timestamp for determining a “right” time when evidence is discovered or when is accessed to evidence and a gps coordinates for determining a location of evidence. Use of all these factors in the right way provide safe and secure chain of custody, to ensure that digital evidence will be accepted by the court.