Detecting and preventing file tampering
With each new
office personnel must sort through a wide array of electronic evidence, including discovery from
external sources including opposing counsel. These documents are
shared with the courts, experts and several other parties. How can you ensure that everyone is working with the exact same set of facts? How can you determine if any of these files were altered prior to arriving in your
Electronic files are typically shared by disc or download link using the honor system. Once these files have been dispersed, anyone can modify the contents to fit their narrative, and then distribute that version as an official exhibit.
Such changes can be difficult or impossible to trace to their source due
to the number of people with access to the files. To prevent this, you can identify each file by its unique Hash
value and then use that identifier to ensure file integrity once file
sharing has begun.
A Hash value is an electronic fingerprint constructed solely from the file’s contents and structure. The most common Hash is the 5th generation of the Message Digest
algorithm, commonly known as MD5. There are dozens of free programs to calculate MD5 values and,
regardless of the program used, the resulting MD5 value will always
match for exact copies of the same file.
Two easy-to-use free MD5 programs are Digestit
They support drag-n-drop ease of use and require les time than reading
this paragraph. Other offerings, like Microsoft's™ File
Checksum Integrity Verifier are also free, but can be cumbersome to use.
As soon as you receive or generate an original electronic item, use your
preferred hash value program to calculate its MD5 value. You can then
include a list of all the relevant MD5 values anytime you share those files.
This is often done as a read-only text file that you control. At anytime,
a file recipient can generate their own list of MD5 values and, if they match, be confident that their file versions are identical and indistinguishable from the
file versions under your control.
Any changes, even the simple act of opening and resaving a file without any content changes,
the calculated MD5 value.
MD5 is so secure from tampering that you have significantly better odds of
winning the Powerball lottery,
four times in a row. Best of all, MD5 values work on media files, presentations, documents, DVDs,
ZIP files and anything else that can be shared electronically. Assigning MD5 hash
values is the easiest method to provide version control of all your electronic files.
NOTE: Because the MD5 algorithm is open-source, it has been reverse
engineered and compromised under controlled conditions. However, every attempt to undetectably alter
documents or media files has resulted in file corruption and/or different MD5
newer algorithms (e.g. MD6), MD5 remains secure and its support is
into common applications.
Once version control is in place, the next step is determining if your files were altered prior to receipt.
Although a full authentication analysis requires years of experience and sophisticated software,
some basic tests can be quickly performed using free software and minimal
It is well known that a computer’s operating system can display a
file's modified, accessed and created dates, collectively known as
the MAC dates. In Windows, this information is accessed by right
clicking on a file and then left clicking on the Properties option. However,
MAC information is saved by the computer's operating system and can
become inaccurate from several causes including user error, virus, file
transfer or free programs like FileDateCH. A more reliable date source is
reading the metadata hidden within the target file.
Some of this metadata can be read with the tools you already have. For
example, with Windows you right click on the file, left click on
Properties and then left click on the Details tab. You can often access
metadata by simply choosing Properties under the File menu of whatever
software you are using to open the electronic file. In the case of media
lets you review every metadata field of most audio and video files. If
these details deviate from the known case facts, they become a strong indication of file tampering.
It is increasingly common for file metadata to include the GPS coordinates of the recording location. You can
enter these values directly into a Google™ search box to translate them into a street address. If the metadata
includes a field labeled as “@xyz” the third GPS coordinate is the above sea level altitude denoted in meters. In most cases, these GPS coordinates are
extremely accurate and can pinpoint a specific room of a high-rise
building. This accuracy results from advances in GPS technology and the
inclusion of signals form cell
phone towers (aka Enhanced GPS). GPS data can make or break a case. For
example, I recently had a case where a file’s GPS coordinates matched the address of someone with video editing skills, instead of the location depicted in the video.
The file's metadata often includes details about the software or equipment used to capture the recording, including the
user settings in effect when the file was saved. If these details do not
match the how the file is claimed to be created, then you may have strong evidence of after-the-fact file tampering. For example, if
a video’s metadata lists the file as being in a Windows format, but the event was captured on an iPhone, then you can be confident that you are not looking at the original
recording as saved by that iPhone. Metadata inconsistencies should
always be examined. Copying, downloading and sharing a file will not alter
a files metadata or MD5 value.
Audacity and Audition are extremely common audio editing programs. Each
program allows the user to isolate a given frequency for deeper
analysis. Editing may be detected by disruptions in the pulse of a given
frequency, shifts in the bit rate, or shifts in the DC portion of the
signal. All of these tests require specialized training to interpret the
significance of such anomalies.
Hex editors allow the user to examine raw file data. The information at
the beginning and end of a file can provide deep insight into the
programs that affected the underlying file data. Be.HexEditor
allows the user to view and modify any bit or byte of data.
When working with video, VLC
is free and indispensable program. Once you open a video with VLC, each press
of the letter “e” on your keyboard advances the video to the next
image and displays the text "Next frame". If the “e” button
makes the words appear, but the image does not change, then your video includes duplicate identical images.
This is a strong indicator that your video is a later generation
duplicate and not an exact copy of the original recording.
Modern video compression methods slice videos into a mosaic of small
squares, typically eight pixels (screen dots) wide and eight pixels
tall. If some of the duplicate images show the people and objects in the exact same position, but a few
of these squares are slightly brighter (or darker) than seen in the
otherwise duplicate frame, then the file likely originated from remote viewing software instead of being an original recording. Remote
software captures are almost always an incomplete and lower quality representation of the original
video because they sacrifice quality rather than alter the playback
speed when dealing with limited internet speeds.
On-screen information is the last thing added to a video
before it is saved onto a recording device. If any video frame shows
two different video frames or time stamps blended together, then your video
is likely the creation of a screen
capture. This overlap results from the lag time of the viewing
computer's video not matching the lag time of the screen capture method being
Most image viewing programs include a “Properties” or
"Info" menu option to display a picture’s metadata. If your image is in JPG format,
JpegSnoop will display
a long list of metadata fields and even indicate if there are signs of content tampering.
Document and presentation programs typically include their own “Properties” or "Info" option to display metadata fields for their file types.
This is especially important with JPG images since their structure makes
image tampering nearly impossible to detect. It should also be noted
that software (like analogexis)
can alter every metadata field of JPG and TIFF images. Similar programs
exist for other formats, including some raw and proprietary file types.
Often times you can compare a file's metadata and/or header values to
published tables (e.g. a Google search) to determine if that information
matches the expected information. By comparing the file's header and/or metadata to known facts, you can quickly separate fact from fiction.
Steganography is the ability to hide data within a host file, typically
as a text inside an image file. The hidden data cannot be detected using
metadata or hex editor tools. OpenPuff
makes it easy to extract hidden messages, passwords or even illegal
These are just a few simple tests to determine if further questions should be asked or a forensic expert consulted. Deeper authentication tests (Spectrographic analysis, phase shifts detection, changes in data depth, Principal Component Analysis and Wavelet analysis, etc…)
and visual analysis (reflections, clarity, shadows, object analysis,
etc…) do require a far greater understanding of the science.
By incorporating MD5 values and basic authentication tests into your workflow, the
factual integrity of the evidence will be preserved.
By Douglas Carner