What makes an audit trail tamper-evident?
A tamper-evident audit trail is a complete, cryptographically protected record of everything that happened to a document — who did what, when, from where — combined with a mechanism that makes any later alteration detectable. The "tamper-evident" part usually comes from hashing (a SHA-256 fingerprint of the document) and a digital seal: change one byte and the fingerprint no longer matches, so the tampering shows. Paired with detailed event logging — identity, UTC timestamps, IP address, device, and authentication method — it's what turns a valid signature into one that can defend itself in a dispute.
A log isn't the same as tamper-evidence
Lots of tools keep a log: "Alex opened the document at 2:14 PM." Useful — but a plain log has a weakness. If someone can edit the log, or swap the document after the fact, the record proves nothing. Tamper-evidence is the property that closes that gap: it doesn't necessarily prevent changes, but it makes any change detectable. That's the difference between a record you hope is accurate and one you can trust.
The two halves of a tamper-evident trail
A strong audit trail has two parts working together.
1. Complete event logging (the "what happened")
For every meaningful action, the trail should capture:
- Who — the signer's name and email
- When — a precise timestamp, ideally in UTC, for each event (sent, viewed, signed, completed)
- Where — the IP address and device/user-agent
- How — the authentication method used to verify the signer
- What they agreed to — the consent to sign electronically
This builds a chain of custody: a step-by-step account of the document's journey from draft to completion.
2. Cryptographic integrity (the "proof nothing changed")
Logging alone can be edited. Cryptography is what makes the record tamper-evident. Two techniques do most of the work:
- Hashing — the system computes a SHA-256 hash of the document: a fixed-length fingerprint unique to those exact bytes. Change anything — a number, a signature, a hidden metadata field — and the hash changes completely. Recording the hash at completion means anyone can later recompute it and confirm the file is unaltered.
- Digital sealing — the completed document is sealed with a digital certificate (for PDFs, typically a PKCS#7 structure). If the file is modified after sealing, the seal fails to validate. When that certificate is AATL-backed, common PDF readers show the tampering automatically.
Together, hashing and sealing mean you don't have to trust that the document is unchanged — you can verify it.
What a certificate of completion looks like
When a document finishes, a good platform generates a certificate of completion that consolidates the trail into a single, portable record. It typically includes:
- The document's SHA-256 hash
- Each signer's identity and email
- Every event with its UTC timestamp
- IP addresses and devices
- Authentication methods
- Confirmation of the tamper-evident seal
This certificate travels with the signed PDF, so the evidence is self-contained — you don't need to log back into a platform to prove what happened.
Why this matters in the real world
Most documents are never disputed. But when one is — a contract disagreement, an audit, a compliance review — the audit trail is your evidence. The questions that come up are always the same: Did this person really sign? When? Is this the exact document they agreed to? A tamper-evident trail answers all three with proof rather than assertion.
It also matters for compliance. Regulations across finance, healthcare, and government increasingly expect not just a signature, but a demonstrable, unalterable record of how it was obtained.
What to look for in a signing tool
When evaluating platforms, ask:
- Does it capture identity, timestamp, IP, device, and authentication method for every event?
- Does it record a cryptographic hash (e.g., SHA-256) of the completed document?
- Does it seal the finished file so alterations are detectable — ideally with an AATL-backed certificate?
- Does it produce a portable certificate of completion you can keep and share?
How PearSign handles it
PearSign builds a tamper-evident audit trail into every completed document. Each event records the signer's name and email, a UTC timestamp, IP address, device, and authentication method. The finished document is fingerprinted with a SHA-256 hash and sealed with an AATL-backed digital certificate, and a certificate of completion captures the whole chain of custody — so if a document is ever questioned, it can defend itself.
FAQ
What does "tamper-evident" mean for a document?
Tamper-evident means that any change made to a document after it's been signed can be detected. It's usually achieved by fingerprinting the document with a cryptographic hash and sealing it with a digital certificate — if the file is altered, the fingerprint no longer matches and the seal fails to validate.
What information should an audit trail capture?
A strong audit trail records, for each event, the signer's name and email, a precise timestamp (ideally UTC), the IP address and device used, the authentication method, and the signer's consent to sign electronically. This builds a chain of custody from draft to completion.
What is a SHA-256 hash and why does it matter?
SHA-256 is a cryptographic function that turns a document into a unique fixed-length fingerprint. If even one byte of the document changes, the fingerprint changes completely — so recording the hash at signing lets anyone later verify the file hasn't been altered.
What is a certificate of completion?
A certificate of completion is a portable record generated when a document is finished. It consolidates the audit trail — the document hash, each signer's identity, timestamps, IP addresses, authentication methods, and confirmation of the tamper-evident seal — into a single document that travels with the signed file.
Does PearSign provide a tamper-evident audit trail?
Yes. PearSign records a detailed audit trail for every document, fingerprints the completed file with a SHA-256 hash, seals it with an AATL-backed digital certificate, and generates a certificate of completion capturing the full chain of custody.
Ready to send your first document with PearSign?
AI drafts it, places the fields, and collects every signature — sealed and audit-trailed.
This article is general information about electronic signatures and related standards — not legal advice. For your specific situation, consult qualified counsel in your jurisdiction.