DISCOURSE
Who is intimidated by “hash value” tests?
These are the words spoken by the director, Shri Balachandrakumar.
“That is, the possibility of tampering with the original evidence cannot be ruled out.”
According to a breaking news item released by Reporter TV, “memory card or USB pen drive containing the most important evidence in lawful custody, scenes of the 2017 attack, has been reported to have been ‘legally or illegally’ accessed” by someone.
I have not seen that report at the time of writing, so I cannot say more on this. In other words, the technical wording used in that report can only be stated with clarity. But this is a very serious matter.
Many say the footage was ‘accessed’ by someone, or copied or leaked by someone. But one question many asked me was, “Who benefits from leaking those scenes?” Not only that ‘Copied’, ‘Leaked’ Unnikrishnan’s security character Sreenivasan’s character at the end of ‘Yathrakkarude Shraddhakk’ in the movie ‘Yathrakarude Shraddhakk’ is not seen climbing into the flat, as if he is looking at the light somewhere else.
But what bothered me more than those questions was the thought of whether someone had changed the footage and replaced it with another footage or tampered with the footage itself.
I have worked with many countries and investigative agencies in many cases. My opinion is that one should first look at the above angle from the experience. Some agencies will give more importance to the second possibility mentioned above and look for the first. There is nothing wrong with that, but all possibilities must be explored. “Do not leave any stones unturned” is a very basic search approach. It is important in any criminal investigation that no detail be left out due to negligence.
There is an assessment that the ‘hash value’ has changed on the memory card or USB pen drive mentioned in this case. In that case, we have to assert over and over once more that things are very serious because we are clearly aware of its importance. It is common in my work area to constantly inquire regarding such factors.
When you open a digital file, the hash value of that file never changes. If anyone says it does, that is stupid. Not only that, it is also misleading. If the ‘hash value’ of a digital proof (file) has changed, it is likely that one of the following two things must have happened.
1) The original file has been tampered with.
2) The original file itself has been totally changed.
In either case, it is undisputed that it has the potential to overturn the fate of the 2017 incident itself. If anyone has any doubts regarding this, they can talk to legal experts and find out.
If the digital forensic report on the case is not completed as soon as an objective study is done, it will be clear what the consequences will be. Accurate evidence of what actually happened in that incident will only come out through the forensic report of that digital file. Only those who are aware of the significance of that digital forensic report in this investigation will try to delay or optimize it.
Another possibility can be found through forensic studies. A study can also reveal if there were any errors in the way the digital evidence was collected and stored from the defendants, for example if it was copied or otherwise copied.
If the ‘hash value’ of the files taken into custody as digital evidence has changed, then of course they have been ‘tampered’ with. That’s for sure. Because cryptography or science does not lie. People are hard to trust but science can certainly be trusted. That is the digital scientific proof.
Investigative agencies and courts around the world rely on the same cryptography science for similar cases. And then, who is scared of these ‘hash value’ tests?
The ‘hash value’ is the measure of the sanctity of any digital proof (also read as ‘unobtrusive’). So if this ‘hash value’ has changed, it definitely means that something has changed in the file.
‘Kill Chain’ is a common term used in attacks or cyber manipulations of the digital world. These are the various stages of a cyber attack. At each stage the same people or many different people will be a part of it. Sometimes it becomes part of a ‘kill chain’ process, some knowingly and some unknowingly. Moreover, in some cases the people who participated in one stage may not need to know any information regarding the people who participated in another stage. It can be compared to different compartments in a train. Vestibules or unconnected compartments.
The forensic examination of the ‘hash value’ of the original footage certainly frightens people who have become (or had to change) being part of this ‘kill chain’.
As Baiju Kottarakkara initially said in a Reporter Channel video, only Manorama reported this suspicion in 2017 (something distorted in the original video evidence). But it had to be taken care of. No one notices its significance.
Even if the original video file is legally ‘accessed’, the files can be tampered with or their content changed only if the necessary technical controls are absent. That is the real problem. This is called the ‘audit trail’.
It is certain that the officials there will not want an inquiry into the integrity tampering of the original video file guarded by the judiciary. Because it will bring to light the serious shortcomings that have occurred on their part. So if you ask me why I did not order a forensic inquiry into the digital files in the above direction, the answer is in the question itself.
The skepticism of those who have listened to the recent questioning of the credibility of the forensic laboratory of a high-ranking official, for whatever reason, has the following two purposes:
1) Do not trust reports regarding data recovered by forensic officers from mobile phones.
2) The ‘hash value’ of the original proof video file has changed; so do not believe the forensic report that it has been tampered with.
The first FSL report has just been released. More dangerous is the second thing mentioned above. This means that if a ‘hash value’ forensic examination of a real evidence video file is ordered in the near future, people who have become or have become part of the aforementioned ‘kill chain’ will know for sure that the result will be ‘positive’. Is it to make you believe it too?
The volume of a USB pen drive or memory card is the name given to the total ‘storage’ of that device. Then the ‘hash value’ of the volume is the sum of all the files contained within that volume. The ‘hash value’ of a volume is also a measure of the integrity of that volume.
Once the ‘hash value’ of a volume has been calculated, the ‘hash value’ of that volume will definitely change if that volume is accessed, or the files inside it are opened, or something else is done to it. But there is a problem with this approach. The ‘hash value’ cannot tell you who accessed it and when. But the question of whether anyone has accessed it can be answered with ‘yes or no’.
The ‘hash value’ of the volume is like a CCTV camera on the front door of our house. The front camera only shows if someone has gone in or out of the house. The outside camera cannot show what happened in the rooms inside the house. So is the use of the hash value of the volume.
The ‘hash value’ of each file inside a volume is like the CCTV camera in every room inside our house. Inside cameras can show what is going on inside the respective rooms. That is the use of the ‘hash value’ of files. In short, two types of camera are needed to understand what really happened inside and outside the house. Likewise, the ‘hash value’ of the volume and the ‘hash value’ of the files are both required to determine if any tampering has taken place.
Generally, if digital evidence is taken into custody in accordance with protocol, many investigative agencies will calculate the ‘hash value’ of that volume and record the evidence on the outside of the cover. Another proof of inadequacy will be recorded in the register. The next time someone legally ‘accesses’ this volume, the ‘hash value’ of the subsequent volume will be calculated and recorded on the cover and register.
A major drawback of this method is that even if the volume is legally ‘accessed’ and the files inside it have been edited or modified, the ‘hash value’ of the volume will not tell you so. The ‘hash value’ of the volume will change even if it is accessed without being entered in the register, but it is difficult to find out when it changed.
Another common practice is to calculate the ‘hash value’ of the volume as well as the ‘hash value’ of each file in it. If so, two questions can be answered: whether anyone has accessed the volume, and whether any files have been ‘tampered with’.
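The two-level check described above, as an added example that is not part of the original article. It assumes the evidence is available as a directory of files; the overall digest computed here covers only file names and contents and is a stand-in for the volume hash, which an examiner would compute over the raw device image. The file names and contents are constructed samples.

```python
import hashlib
import tempfile
from pathlib import Path

def sha256_file(path):
    """Digest of a file's content, read in chunks so large footage fits in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(1 << 20), b""):
            h.update(block)
    return h.hexdigest()

def seal(root):
    """Return (overall_digest, {relative_path: file_digest}) for a directory tree."""
    root = Path(root)
    files = {p.relative_to(root).as_posix(): sha256_file(p)
             for p in root.rglob("*") if p.is_file()}
    overall = hashlib.sha256()
    for name in sorted(files):  # fixed order so the digest is reproducible
        overall.update(f"{name}\0{files[name]}\n".encode())
    return overall.hexdigest(), files

def compare(sealed, current):
    """'Front door' answer (overall_changed) plus 'room camera' detail per file."""
    (old_overall, old), (new_overall, new) = sealed, current
    return {
        "overall_changed": old_overall != new_overall,
        "modified": sorted(n for n in old.keys() & new.keys() if old[n] != new[n]),
        "removed": sorted(old.keys() - new.keys()),
        "added": sorted(new.keys() - old.keys()),
    }

def demo():
    """Constructed sample data: two small files standing in for seized footage."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "clip1.mp4").write_bytes(b"constructed sample footage A")
        (root / "clip2.mp4").write_bytes(b"constructed sample footage B")
        sealed = seal(root)
        (root / "clip1.mp4").read_bytes()             # merely opening and reading
        same_after_read = seal(root)[1] == sealed[1]  # content digests unchanged
        (root / "clip2.mp4").write_bytes(b"constructed sample footage b")  # one byte
        (root / "extra.mp4").write_bytes(b"constructed file added later")
        return same_after_read, compare(sealed, seal(root))

if __name__ == "__main__":
    print(demo())
```

The overall digest only answers yes or no; the per-file digests name the file that differs, which is why both are recorded at seizure.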
An important thing to note: the ‘hash value’ is not an ‘access control’ mechanism. This means that the department has no technical control over who can ‘access’ the evidence. Digital vault or encryption is best for that. Many international agencies use these tools.
If it is a fact that sometimes only the ‘hash value’ of the volume was calculated and the ‘hash value’ of each of the files inside it was not actually calculated, it would no doubt be seen as a serious omission. There is no doubt that this should be investigated as soon as possible.
A report that clearly outlines things should be submitted immediately. If the original evidence has been altered or tampered with, the ‘hash value’ may simply become the ‘dash value’.
Content Highlight: Cyber Security Expert Sangameshwaran Iyer regarding the digital evidence and its Hash value in actress attack case