A hash value can be described as A unique numerical identifier that can be assigned to a file, a group of files, or a portion of a file, based on a standard mathematical algorithm applied to the characteristics of the data set (http://federalevidence.com)/ The most commonly used algorithms, known as MD5 and SHA, will generate numerical values so distinctive that the chance that any two data sets will have the same hash value, no matter how similar they appear, is less than one in one billion. ‘Hashing’ is used to guarantee the authenticity of an original data set and can be used as a digital equivalent of the Bates stamp used in paper document production (http://federalevidence.com).
Hash values are used during different phases concerning electronic evidence (http://federalevidence.com). First, in the computer forensic examination process, a hash value is used to ensure that the examined copy has not been altered (http://federalevidence.com). A hash value will be taken of the original hard drive.
Under accepted protocols, an image is made of the original (http://federalevidence.com). The image is used during the forensic examination to preserve the integrity of the original. A hash value is taken of the imaged copy before any examination(http://federalevidence.com). If the values are the same, then the copy is treated the same as the original( http://federalevidence.com ) If the values are different, then the integrity of the copy is called into question. At the end of the forensic examination, a third value is commonly taken.
The three hash values (original hard drive, imaged hard drive before the examination, and imaged hard drive after the examination) must match (http://federalevidence.com). The hash algorithm has afforded digital media forensic analysis a highly reliable and efficient means to ensure that the integrity of the digital evidence collected remains uncompromised http://federalevidence.com ). (It also provides a means to discard from the examination the irrelevant, and focus in on the important, while exposing little, if any, ancillary information (http://federalevidence.com).
Second, hash values can be used to authenticate evidence introduced in court, under FRE 901. There are few published decisions discussing the role of “hash value. (http://federalevidence.com). One opinion noted that a “hash value” (or hash algorithm) may be used to authenticate an electronic document by distinctive means. to provide them with distinctive characteristics that will permit their authentication under Rule 901(b)(4) (http://federalevidence.
com). Third, hash values may be used during the discovery process (http://federalevidence.com).