Hash Values Used To Confirm Seized Video Clips And Images

A hash value algorithm was used to show "a 99.9999% probability" of a match between seized video clips and images and known evidence (child pornography images); in this manner, the hash value provided "a digital fingerprint of a computer file." United States v. Glassgow, 682 F.3d 1107 (8th Cir. June 28, 2012) (No. 11-2611).

As we have previously noted, “hash” values are an important tool to identify and authenticate digital evidence. See generally Using “Hash” Values In Handling Electronic Evidence. An Eighth Circuit case demonstrates the use of hash values to confirm electronic evidence at trial.

In the case, the defendant was prosecuted for receipt of child pornography after an investigation led to the identification and seizure of his computer from his residence. Thumbnail images of child pornography were found on his computer. At trial, he challenged the admission of this evidence, arguing that the images "were not expandable for viewing and that the government’s exhibits were only 'similar' to the thumbnail pictures." Glassgow, 682 F.3d at 1109. The type of hash value used in the case is known as "Secure Hash Algorithm Version 1" or SHA-1, which is a 32-digit alphanumeric algorithm. It is considered "a digital fingerprint of a computer file" which is "unique" to the particular file. Glassgow, 682 F.3d at 1110 n.2. After his conviction by the jury, the defendant claimed error in the introduction of this evidence.

The Eighth Circuit affirmed, noting that expert testimony authenticated the images. Law enforcement had confirmed the images found on the defendant's computer against known images from a law enforcement database. As the circuit explained:

A government expert, however, verified that the images in exhibits 3 through 17 were the actual enlarged images from Glassgow’s computer. To the extent Glassgow is challenging the government’s exhibit 1 (a DVD compilation of three video clips from a law enforcement database), the SHA-1 values of these videos matched the SHA-1 values of the files offered for distribution from Glassgow’s computer. According to the expert, there was a 99.9999% probability that exhibit 1 contained the same video clips that Glassgow possessed. The admission of exhibit 1 (which was not published to the jury, only described to it) was not unfairly prejudicial. Cf. United States v. McCourt, 468 F.3d 1088, 1092-93 (8th Cir. 2006) (published videos were not found to be unfairly prejudicial).

Glassgow, 682 F.3d at 1110 (footnote omitted).

While the case arose in a child pornography prosecution, it demonstrates the reliability and use of hash values to confirm a match for seized digital evidence. The 99.9999 percent probability standard certainly is not required to be satisfied to authenticate evidence under FRE 901, which is generally considered not to impose a high hurdle. See, e.g., United States v. Gagliardi, 506 F.3d 140, 151 (2nd Cir. 2007) (noting that “[t]he bar for authentication of evidence is not particularly high”). As the case illustrates, the hash value determination can be an effective tool for the identification and authentication of evidence.
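A hash comparison of the kind described above can be sketched as follows. This is an added example, not code from the case or from the original article; the file names, sample bytes and the `fingerprint` and `match_seized` helpers are constructed for illustration. It also reports the SHA-1 value in both common encodings: a 160-bit digest is 40 hexadecimal characters or 32 Base32 characters.

```python
import base64
import hashlib
import io

def fingerprint(stream, chunk_size=1 << 20):
    """Hash a binary stream in chunks (video files may not fit in memory)."""
    sha1, sha256 = hashlib.sha1(), hashlib.sha256()
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        sha1.update(chunk)
        sha256.update(chunk)
    digest = sha1.digest()  # 20 bytes = 160 bits
    return {
        "sha1_hex": digest.hex(),                                 # 40 characters
        "sha1_base32": base64.b32encode(digest).decode("ascii"),  # 32 characters
        "sha256_hex": sha256.hexdigest(),
    }

def match_seized(seized, known_sha1):
    """Compare each seized file's SHA-1 with a known-hash set.

    seized: {file name: binary stream}; known_sha1: {hex SHA-1: reference label}.
    Returns {file name: matched reference label, or None when nothing matches}.
    """
    return {name: known_sha1.get(fingerprint(stream)["sha1_hex"])
            for name, stream in seized.items()}

# Constructed sample data: stand-in bytes, not real evidence or real hash values.
REFERENCE_CLIP = b"constructed reference clip " * 4096
ALTERED_CLIP = bytearray(REFERENCE_CLIP)
ALTERED_CLIP[-1] ^= 0x01  # flip a single bit in the last byte

KNOWN_SHA1 = {fingerprint(io.BytesIO(REFERENCE_CLIP))["sha1_hex"]: "reference clip 1"}

def demo():
    seized = {
        "renamed_copy.avi": io.BytesIO(REFERENCE_CLIP),       # same bytes, new name
        "altered_copy.avi": io.BytesIO(bytes(ALTERED_CLIP)),  # one bit differs
    }
    return match_seized(seized, KNOWN_SHA1)

if __name__ == "__main__":
    for name, label in demo().items():
        print(f"{name}: {'MATCH ' + label if label else 'no match'}")
```

The file name plays no part in the comparison, and a one-bit change to the content produces a different value. SHA-1 collisions have been demonstrated in practice since 2017, which is why the sketch also records a SHA-256 value for each file.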

