Saturday, May 08, 2010


Crime involving technology is increasing globally every year. In Kenya, corporate organizations are the most impacted because they automated early. Tech-savvy, dishonest employees are now able to use new methods, through technology, to commit traditional fraud.

This fraud is part and parcel of an organization’s risk profile and for it to be resolved a forensic investigation has to be conducted. This investigation attempts to reconstruct the crime scene and analyze the audit trail of the suspects. The motive is to ensure that any evidence can be identified and used to support any legal proceedings.

What is interesting is that digital evidence is increasingly becoming more prevalent and critical within a wider range of criminal and civil cases. These include rape, murder, assault, divorce, employment disputes and child abuse cases.

This means that lawyers in modern Kenya will have to acquaint themselves with the core components of digital evidence. One of the most important is the verification hash. A hash function is a set of instructions that turns a variable-sized input, such as a file or a whole disk, into a fixed-size output number (the hash value); the same input always produces the same value.

Hash functions are used in creating digital signatures and hash tables, which serve analysis and verification purposes. In simple terms, text or pictures that have been classified as evidence are assigned a hash value so that any contamination of the evidence can be detected.

This hash value is important when a forensic ‘image’ of a hard drive or storage device is taken. The ‘image’ is an exact byte-by-byte copy of all data on the device.

As a rule, forensic investigators do not analyze the original device and its data; they work on copied ‘images’ of the storage device. Before forensic copying begins, the hard disk or other storage device is hashed to produce an acquisition hash value. Once the evidence has been forensically copied (imaged), the copy is hashed again to produce a verification hash value.

The purpose of computing these two hash values (acquisition and verification) is to confirm that the copied evidence is a complete and accurate copy of the data contained in the original device. If the acquisition and verification hash values match, no alteration of the evidence can have taken place, and the integrity of the evidence is therefore maintained.
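The acquisition and verification steps described above, as an added example that is not part of the original post. It uses Python's standard hashlib with SHA-256 (the post names no particular algorithm; the choice is an assumption), hashes in fixed-size blocks so a large device never has to fit in memory, and then flips a single byte of the image to show that the verification hash no longer matches the recorded acquisition hash. The "device" is a constructed byte string; a real acquisition would open the device node read-only behind a write blocker.

```python
import hashlib
import io
import shutil

CHUNK_SIZE = 64 * 1024  # read in fixed blocks so a large device never sits in memory

# Constructed stand-in for a small storage device. A real acquisition would open
# the device node (for example "/dev/sdb", a hypothetical path) read-only.
SAMPLE_DEVICE = bytes(range(256)) * 40 + b"evidence.txt: payroll altered on 2010-04-30"


def hash_stream(stream, algorithm="sha256"):
    """Return the hex digest of every byte in `stream`, reading block by block."""
    digest = hashlib.new(algorithm)
    stream.seek(0)
    for block in iter(lambda: stream.read(CHUNK_SIZE), b""):
        digest.update(block)
    return digest.hexdigest()


def acquire_image(source, image, algorithm="sha256"):
    """Copy `source` byte-for-byte into `image`; return (acquisition, verification) hashes.

    The acquisition hash is computed over the original before copying; the
    verification hash is computed over the finished image. Matching values show
    the image is a complete, unaltered copy. Both values belong in the
    chain-of-custody record.
    """
    acquisition_hash = hash_stream(source, algorithm)
    source.seek(0)
    image.seek(0)
    shutil.copyfileobj(source, image, CHUNK_SIZE)
    image.truncate()  # drop any stale bytes beyond the copied data
    image.flush()
    verification_hash = hash_stream(image, algorithm)
    return acquisition_hash, verification_hash


def verify_image(image, acquisition_hash, algorithm="sha256"):
    """Re-hash an image later (before analysis, or in court) against the recorded acquisition hash."""
    return hash_stream(image, algorithm) == acquisition_hash


def demo():
    """Acquire the constructed device, then show that a one-byte change is detected.

    Returns (hashes_match_after_copy, image_verifies, tampered_image_verifies).
    """
    source = io.BytesIO(SAMPLE_DEVICE)
    image = io.BytesIO()
    acquisition, verification = acquire_image(source, image)
    intact = verify_image(image, acquisition)

    # Flip a single bit in one byte of the image, as accidental or deliberate
    # alteration would; the verification hash must now differ.
    tampered = bytearray(image.getvalue())
    tampered[100] ^= 0x01
    tampered_image = io.BytesIO(bytes(tampered))
    still_intact = verify_image(tampered_image, acquisition)
    return acquisition == verification, intact, still_intact


if __name__ == "__main__":
    matched, intact, tampered_ok = demo()
    print(f"acquisition == verification: {matched}")
    print(f"image verifies: {intact}, tampered image verifies: {tampered_ok}")
```

Because the same stream function is used for both hashes, the only way they can differ is if the bytes differ, which is exactly the property a lawyer examining the image needs confirmed; the recorded hash values, and the algorithm used to produce them, should be stated alongside the image itself.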

It is this ‘image’ that forms the basis of any cybercrime investigation, and its hash values should be verified by any lawyer who presents or examines digital evidence.
