Hash Values Used To Confirm Seized Video Clips And Images

Hash value algorithm was used to show "a 99.9999% probability" of a match between seized video clips and images with known evidence (child pornography images); in this manner the hash value provided "a digital fingerprint of a computer file," in United States v. Glassgow, 682 F.3d 1107 (8th Cir. June 28, 2012) (No. 11-2611)

As we have previously noted, “hash” values are an important tool to identify and authenticate digital evidence. See generally Using “Hash” Values In Handling Electronic Evidence. An Eighth Circuit case demonstrates the use of hash values to confirm electronic evidence at trial.

In the case, the defendant was prosecuted for receipt of child pornography after an investigation led to the identification and seizure of his computer from his residence. Thumbnail images of child pornography were found on his computer. At trial, he challenged the admission of this evidence, arguing that the images "were not expandable for viewing and that the government’s exhibits were only 'similar' to the thumbnail pictures." Glassgow, 682 F.3d at 1109. The type of hash value used in the case is known as "Secure Hash Algorithm Version 1" or SHA-1 which is a 32-digit alphanumeric algorithm. It is considered "a digital fingerprint of a computer file" which is "unique" to the particular file. Glassgow, 682 F.3d at 1110 n.2. After his conviction by the jury, the defendant claimed error in the introduction of this evidence.

The Eighth Circuit affirmed, noting that expert testimony authenticated the images. Law enforcement had confirmed the images found on the defendant's computer with known images from a law enforcement data base. As the circuit explained:

A government expert, however, verified that the images in exhibits 3 through 17 were the actual enlarged images from Glassgow’s computer. To the extent Glassgow is challenging the government’s exhibit 1 (a DVD compilation of three video clips from a law enforcement database), the SHA-1 values of these videos matched the SHA-1 values of the files offered for distribution from Glassgow’s computer. According to the expert, there was a 99.9999% probability that exhibit 1 contained the same video clips that Glassgow possessed. The admission of exhibit 1 (which was not published to the jury, only described to it) was not unfairly prejudicial. Cf. United States v. McCourt, 468 F.3d 1088, 1092-93 (8th Cir. 2006) (published videos were not found to be unfairly prejudicial).

Glassgow, 682 F.3d at 1110 (footnote omitted).

While the case arose in a child pornography prosecution, it demonstrates the reliability and use of hash values to confirm a match for seized digital evidence. The 99.9999 percent probability standard certainly is not required to be satisified to authenticate evidence under FRE 901 which is generally considered not to impose a high hurdle. See, e.g., United States v. Gagliardi, 506 F.3d 140, 151 (2nd Cir. 2007) (noting that “[t]he bar for authentication of evidence is not particularly high”). As the case illustrates, the hash value determination can be an effective tool for the identification and authentication of evidence.


Subscribe Now To The Federal Evidence Review

** Less Than $25 Per Month ** Limited Time Offer **

subscribe today button


any one find a problem with this?

1) Peer to Peer (P2P) downloader searches for, "kittens"
2) List of files to download is presented to the mark that could be pictures or videos of kittens OR NOT.
3) P2P downloader clicks on a few kitten files that remain unknown until they are opened of alleged files of, "kittens" for download
4) Law Enforcement (LE) software(encase) is doing searches of P2P networks for known by hash value child pornography (CP)
5) LE software finds a number of CP images identified by there hash value being downloaded. They were unknowingly downloaded but nevertheless the P2P file-sharer becomes a targeted computer.
6) LE downloads from that targeted computer the known CP images that were found.
7) LE software tags the known CP images that were found on the targeted computer
8) LE software then re-uploads those tagged files to the targeted computer to be discovered later during a search warrant search.

"Created to solve the problem of child sexual abuse, child pornography law...has grown dramatically in the past two decades, expanding and proliferating along with the underlying problem that it targets. Yet, curiously, the law's expansion has not solved the problem, but only presided over its escalation." Amy Adler, Associate Professor, New York University School of Law

"We can't solve problems by using the same kind of thinking we used when we created them" Albert Einstein

Internet Lawyer

Yeah i do agree with you. Second, hash principles can be used to verify proof presented in judge, under FRE 901. There are few released choices talking about the part of “hash value.” One viewpoint mentioned that a “hash value” (or hash algorithm) may be used to verify an digital papers by unique means.

Post new comment

  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.

More information about formatting options

Federal Rules of Evidence