Investigation Camp

The Power of Investigation

About Hash Values

Complete Guide to Hash Values & Legal Evidence

Understanding Hash Values in Digital Forensics

Hash values are cryptographic fingerprints that uniquely identify digital files. They serve as crucial evidence in court proceedings, ensuring data integrity and authenticity in legal investigations.

Frequently Asked Questions

What is a Hash Value?

A hash value is a unique digital fingerprint generated by a mathematical algorithm. It converts any file or data into a fixed-length string of characters. Even a tiny change in the original file produces a completely different hash value, making it perfect for verifying data integrity.

  • SHA-1: 160-bit hash (40 hexadecimal characters)
  • SHA-256: 256-bit hash (64 hexadecimal characters)
  • MD5: 128-bit hash (32 hexadecimal characters) - Less secure

Why are Hash Values needed in Court?

Hash values serve as digital evidence to prove:

  • Data Integrity: Proves the file hasn't been tampered with
  • Chain of Custody: Maintains evidence authenticity throughout legal proceedings
  • Forensic Verification: Confirms digital evidence hasn't been altered
  • Legal Admissibility: Courts require proof of evidence authenticity
  • Expert Testimony: Provides scientific basis for digital evidence

What is Bharatiya Sakshya Adhiniyam Section 63(4)(c)?

The Bharatiya Sakshya Adhiniyam, 2023 replaced the Indian Evidence Act, 1872. Section 63(4)(c) deals with electronic evidence certification:

  • Previous Law: Section 65B of Indian Evidence Act, 1872
  • Current Law: Section 63(4)(c) of Bharatiya Sakshya Adhiniyam, 2023
  • Purpose: Ensures admissibility of electronic records in court
  • Requirement: Certificate identifying electronic record and describing the manner of its production

What is the difference between Part-A and Part-B Certificates?

Part-A Certificate
  • For original electronic records
  • When files are taken directly from source
  • Can be issued by investigating officer
  • Certifies the computer/device from which data was extracted
  • Used for primary evidence collection
Part-B Certificate
  • For copies of electronic records
  • When files are copied or processed
  • Requires expert testimony
  • Certifies the copying/processing method
  • Used for secondary evidence verification

Who can provide these Certificates?

Part-A Certificate
  • Investigating Officer
  • Police Personnel
  • Authorized Government Official
  • Person in charge of computer management
Part-B Certificate
  • Certified Forensic Expert
  • Computer Science Expert
  • Qualified Technical Expert
  • Court-approved Digital Forensic Specialist

Who qualifies as an Expert for Part-B Certificate?

According to legal requirements, a Part-B expert must have:

  • Technical Qualification: Computer Science/IT degree or equivalent
  • Professional Experience: Minimum years in digital forensics
  • Certification: Recognized forensic certifications (CFCE, CCE, etc.)
  • Court Recognition: Previously accepted as expert witness
  • Knowledge Areas: Hash algorithms, data integrity, forensic procedures
  • Understanding: Legal implications of digital evidence

Has the Supreme Court mentioned these Certificates?

Yes, the Supreme Court has provided significant guidance:

  • Arjun Panditrao Khotkar v. Kailash Kushanrao Gorantyal (2020): Emphasized strict compliance with Section 65B
  • Anvar P.V. v. P.K. Basheer (2014): Made Section 65B certificate mandatory
  • Shafhi Mohammad v. State of Himachal Pradesh (2018): Clarified certificate requirements
  • Digital Evidence Guidelines: Court emphasized authenticity and integrity verification
  • Hash Value Recognition: Courts accept hash values as integrity proof

What was the earlier provision (Section 65B)?

Section 65B of the Indian Evidence Act, 1872 was the predecessor:

  • Timeline: Applicable until July 1, 2024
  • Current Replacement: Section 63(4)(c) of Bharatiya Sakshya Adhiniyam, 2023
  • Similar Requirements: Certificate for electronic evidence admissibility
  • Transition Period: Cases filed before July 2024 may still use 65B
  • Core Principle: Both sections ensure electronic evidence authenticity

When will Hash Values change?

Hash values change when:

  • File Content Modified: Any change in data, even 1 bit
  • File Corruption: Storage media errors or bad sectors
  • Malware Infection: Virus or malware altering files
  • Metadata Changes: Some hash algorithms include metadata
  • Tampering: Intentional alteration of file content
  • Compression/Decompression: If file format changes

When will Hash Values NOT change?

Hash values remain the same when:

  • Copying Files: Exact bit-by-bit copy maintains hash
  • Moving Files: Location change doesn't affect content hash
  • Renaming Files: Filename change doesn't alter content hash
  • Different Storage: Same file on different devices has same hash
  • Time Changes: Access time changes don't affect content hash
  • File System: Moving between NTFS, FAT32, etc.
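
The two lists above can be checked directly. The PowerShell below is an added example, not part of the original page; it works on a constructed sample file in a temporary folder, and all file names are arbitrary.

```powershell
# Added example: constructed sample data in a scratch folder; names are arbitrary.
$dir = Join-Path ([IO.Path]::GetTempPath()) ("hashdemo_" + [guid]::NewGuid().ToString('N'))
New-Item -ItemType Directory -Path $dir | Out-Null
$orig = Join-Path $dir 'evidence.bin'
[IO.File]::WriteAllBytes($orig, [Text.Encoding]::ASCII.GetBytes('constructed sample evidence'))

function Get-Sha256([string]$Path) { (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash }
$baseline = Get-Sha256 $orig

# Operations that leave the content bytes untouched: copy, rename, timestamp change
$copy = Join-Path $dir 'copy.bin'
Copy-Item -LiteralPath $orig -Destination $copy
Rename-Item -LiteralPath $copy -NewName 'renamed.dat'
$renamed = Join-Path $dir 'renamed.dat'
(Get-Item -LiteralPath $renamed).LastWriteTime = (Get-Date).AddYears(-1)

# Operation that changes content: flip the lowest bit of the first byte
$tampered = Join-Path $dir 'tampered.bin'
$bytes = [IO.File]::ReadAllBytes($orig)
$bytes[0] = $bytes[0] -bxor 1
[IO.File]::WriteAllBytes($tampered, $bytes)

# Compare every variant against the baseline hash of the original
$results = foreach ($p in $orig, $renamed, $tampered) {
    $h = Get-Sha256 $p
    [PSCustomObject]@{
        File    = Split-Path $p -Leaf
        SHA256  = $h
        Matches = ($h -eq $baseline)
    }
}
$results | Format-Table -AutoSize
Remove-Item -LiteralPath $dir -Recurse -Force
```

The copied, renamed and re-dated file reports Matches = True, while the file with a single flipped bit reports False.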

Can we calculate Hash of Physical Documents?

No, hash values cannot be calculated for physical documents directly.

  • Digital Only: Hash algorithms work only on digital data
  • Scanning Required: Physical documents must be scanned/photographed first
  • Variables Affect Hash: Scanner settings, resolution, lighting affect hash
  • Not Authentic: A hash of the scanned copy does not verify the original document
  • Alternative Methods: Physical documents use signatures, seals, watermarks
  • Chain of Custody: Physical evidence requires different authentication

Can Hash Values be calculated manually?

Technically possible but practically impossible:

  • Mathematical Process: Hash algorithms are mathematical functions
  • Complexity: Involves millions of mathematical operations
  • Time Required: Would take years to calculate manually
  • Error Prone: Human calculation errors make it unreliable
  • Tools Required: Software tools are mandatory for practical use
  • Verification: Manual calculation cannot be verified easily

Best Practices for Hash Value Generation

  • Use Multiple Algorithms: Generate both SHA-1 and SHA-256
  • Document Process: Record when, where, and how hash was generated
  • Verify Tools: Use trusted, certified software tools
  • Immediate Generation: Calculate hash immediately after seizure
  • Store Securely: Keep hash values in secure, tamper-proof records
  • Cross-Verification: Verify using multiple tools
  • Chain of Custody: Maintain detailed records throughout process

Legal Implications and Admissibility

  • Court Acceptance: Hash values widely accepted as integrity proof
  • Expert Testimony: May require expert to explain hash technology
  • Certificate Mandatory: Section 63(4)(c) certificate required
  • Chain of Custody: Must prove unbroken chain from seizure to court
  • Tool Reliability: Use forensically sound tools and methods
  • Documentation: Comprehensive documentation essential
  • Cross-Examination: Be prepared to defend methodology in court

Windows Command-Line Hash Tools

How can I calculate hash values using Windows Command Prompt?

Windows provides built-in command-line tools for hash calculation:

Using CertUtil (Built-in):

REM For MD5 hash
certutil -hashfile "filename.ext" MD5

REM For SHA1 hash
certutil -hashfile "filename.ext" SHA1

REM For SHA256 hash
certutil -hashfile "filename.ext" SHA256

REM For SHA512 hash
certutil -hashfile "filename.ext" SHA512

Using PowerShell Get-FileHash:

# Default SHA256
Get-FileHash "filename.ext"

# Specific algorithm
Get-FileHash "filename.ext" -Algorithm MD5
Get-FileHash "filename.ext" -Algorithm SHA1
Get-FileHash "filename.ext" -Algorithm SHA256
Get-FileHash "filename.ext" -Algorithm SHA512

How do I calculate hash values for multiple files at once?

PowerShell - Multiple Files in Directory:

# Hash all files in current directory
Get-ChildItem -File | Get-FileHash

# Hash all files with specific extension
Get-ChildItem -File -Filter "*.pdf" | Get-FileHash

# Hash all files recursively in subdirectories
Get-ChildItem -File -Recurse | Get-FileHash

# Save results to CSV file
Get-ChildItem -File | Get-FileHash | Export-Csv "hashes.csv" -NoTypeInformation

Command Prompt - Batch Processing:

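REM Typed at the interactive prompt; inside a .bat file write %%i instead of %i
for %i in (*.pdf) do certutil -hashfile "%i" SHA256 >> hashes.txt

REM For subdirectories. all_hashes.txt is created inside the tree being walked,
REM so redirect to a folder outside the evidence to keep it out of the results.
for /r %i in (*.*) do certutil -hashfile "%i" SHA256 >> all_hashes.txt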

What's the difference between CertUtil and PowerShell Get-FileHash?

| Feature | CertUtil | PowerShell Get-FileHash |
|---|---|---|
| Availability | All Windows versions | Windows 8.1+ / PowerShell 4.0+ |
| Supported Algorithms | MD2, MD4, MD5, SHA1, SHA256, SHA384, SHA512 | SHA1, SHA256, SHA384, SHA512, MD5 |
| Output Format | Hash value with extra text | Clean object with Algorithm, Hash, Path |
| Batch Processing | Requires scripting | Built-in pipeline support |
| Export Options | Text redirection only | CSV, JSON, XML formats |

How do I create a forensically sound hash report?

Complete PowerShell Script for Forensic Report:

# Create detailed hash report with metadata
$reportPath = "Forensic_Hash_Report_$(Get-Date -Format 'dd-MM-yyyy_HH-mm-ss').csv"
$files = Get-ChildItem -File -Recurse

$report = foreach ($file in $files) {
    # -LiteralPath keeps file names containing [ ] from being treated as wildcards
    $hash = Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256
    [PSCustomObject]@{
        'File Name' = $file.Name
        'Full Path' = $file.FullName
        'File Size (Bytes)' = $file.Length
        'Creation Time' = $file.CreationTime.ToString('dd-MM-yyyy HH:mm:ss')
        'Last Modified' = $file.LastWriteTime.ToString('dd-MM-yyyy HH:mm:ss')
        'SHA256 Hash' = $hash.Hash
        'Calculated On' = Get-Date -Format 'dd-MM-yyyy HH:mm:ss'
        'Calculated By' = $env:USERNAME
        'Computer Name' = $env:COMPUTERNAME
    }
}

$report | Export-Csv $reportPath -NoTypeInformation
Write-Host "Report saved to: $reportPath"

How can I verify file integrity using previously calculated hashes?

PowerShell Integrity Verification:

# Compare current hash with known hash
$knownHash = "ABC123DEF456..."
$currentHash = (Get-FileHash "document.pdf").Hash

if ($currentHash -eq $knownHash) {
    Write-Host "File integrity verified ✓" -ForegroundColor Green
} else {
    Write-Host "File has been modified ✗" -ForegroundColor Red
}

# Batch verification from CSV
$originalHashes = Import-Csv "original_hashes.csv"
foreach ($entry in $originalHashes) {
    $currentHash = (Get-FileHash $entry.'Full Path').Hash
    $status = if ($currentHash -eq $entry.'SHA256 Hash') { "VERIFIED" } else { "MODIFIED" }
    Write-Host "$($entry.'File Name'): $status"
}
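
The batch check above reports a file that has disappeared as MODIFIED and says nothing about files that appeared after the baseline was taken. The following added example (not part of the original page) separates those cases; the function name and the two paths in the usage lines are hypothetical, and the baseline is assumed to have the 'Full Path' and 'SHA256 Hash' columns written by the report script.

```powershell
# Added example. Function name and usage paths are hypothetical; the CSV columns
# 'Full Path' and 'SHA256 Hash' are the ones the report script above writes.
function Test-EvidenceBaseline {
    param(
        [Parameter(Mandatory)][string]$BaselineCsv,
        [Parameter(Mandatory)][string]$EvidenceRoot
    )
    $known = @{}   # string keys are case-insensitive, which matches Windows paths
    $results = foreach ($entry in (Import-Csv -LiteralPath $BaselineCsv)) {
        $path = $entry.'Full Path'
        $known[$path] = $true
        if (-not (Test-Path -LiteralPath $path -PathType Leaf)) {
            $status = 'MISSING'; $current = $null
        } else {
            $current = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
            $status = if ($current -eq $entry.'SHA256 Hash') { 'VERIFIED' } else { 'MODIFIED' }
        }
        [PSCustomObject]@{
            Status = $status; Path = $path
            Expected = $entry.'SHA256 Hash'; Current = $current
        }
    }
    # Files now on disk that the baseline never recorded
    $extra = Get-ChildItem -LiteralPath $EvidenceRoot -File -Recurse |
        Where-Object { -not $known.ContainsKey($_.FullName) } |
        ForEach-Object {
            [PSCustomObject]@{
                Status = 'UNLISTED'; Path = $_.FullName; Expected = $null
                Current = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
            }
        }
    @($results) + @($extra)
}

# Constructed paths for illustration
$check = Test-EvidenceBaseline -BaselineCsv 'D:\CaseNotes\original_hashes.csv' -EvidenceRoot 'E:\Evidence'
$check | Export-Csv "D:\CaseNotes\verification_$(Get-Date -Format 'dd-MM-yyyy_HH-mm-ss').csv" -NoTypeInformation
$check | Group-Object Status | Select-Object Name, Count
```

Keep the baseline CSV and the verification output outside the evidence folder; otherwise they are themselves reported as UNLISTED.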

What are the best practices for command-line hash calculation in legal cases?

  1. Use SHA256 or higher: Avoid MD5 and SHA1 for legal purposes
  2. Document the process: Screenshot commands and outputs
  3. Include metadata: Date, time, operator name, system information
  4. Verify write-protection: Ensure original files cannot be modified
  5. Use absolute paths: Include full file paths in reports
  6. Cross-verify: Calculate hashes using multiple tools
  7. Chain of custody: Maintain detailed logs of who performed calculations when

Recommended Command Template:

# Document system and create timestamped log
echo "Hash Calculation Log - $(Get-Date)" > hash_log.txt
echo "Operator: $env:USERNAME" >> hash_log.txt
echo "Computer: $env:COMPUTERNAME" >> hash_log.txt
echo "PowerShell Version: $($PSVersionTable.PSVersion)" >> hash_log.txt
echo "=========================" >> hash_log.txt

# Calculate and log hash with verification
$file = "evidence_document.pdf"
$hash = Get-FileHash $file
echo "File: $($hash.Path)" >> hash_log.txt
echo "Algorithm: $($hash.Algorithm)" >> hash_log.txt
echo "Hash: $($hash.Hash)" >> hash_log.txt
echo "Calculated: $(Get-Date)" >> hash_log.txt
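
Practice 6 above (cross-verify with multiple tools) can be scripted by hashing the same file with Get-FileHash and CertUtil and comparing the results. This is an added example, not part of the original page; the function name is hypothetical, and the file name is the one used in the template above.

```powershell
# Added example; the function name is hypothetical. Hashes one file with two
# separate tools and reports whether they agree.
function Compare-HashTools {
    param(
        [Parameter(Mandatory)][string]$Path,
        [ValidateSet('SHA1','SHA256','SHA384','SHA512')][string]$Algorithm = 'SHA256'
    )
    $full = (Resolve-Path -LiteralPath $Path).ProviderPath
    $ps = (Get-FileHash -LiteralPath $full -Algorithm $Algorithm).Hash

    # CertUtil prints a header line, the hash, then a status line. Pick the line
    # made only of hex digits (older Windows releases put spaces between bytes).
    $out = & certutil.exe -hashfile $full $Algorithm
    if ($LASTEXITCODE -ne 0) { throw "certutil failed: $($out -join ' ')" }
    $hexLine = $out | Where-Object { $_ -match '^[0-9A-Fa-f ]+$' } | Select-Object -First 1
    if (-not $hexLine) { throw 'No hash line found in certutil output' }
    $cu = ($hexLine -replace ' ', '').ToUpperInvariant()

    [PSCustomObject]@{
        Path        = $full
        Algorithm   = $Algorithm
        GetFileHash = $ps
        CertUtil    = $cu
        Agree       = ($ps -eq $cu)
        CheckedOn   = Get-Date -Format 'dd-MM-yyyy HH:mm:ss'
    }
}

$r = Compare-HashTools -Path 'evidence_document.pdf'
$r | Format-List
if (-not $r.Agree) { Write-Warning 'Tools disagree: stop and investigate before relying on either value.' }
```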