You're handing a forensic disk image to legal. What ensures its integrity and admissibility?
Short answer
Evidentiary integrity rests on hashing the image at acquisition (e.g., SHA-256) and verifying the hash later to prove it's unaltered, maintaining a documented chain of custody, and analyzing a working copy so the original stays pristine. Renaming the file does nothing for integrity, and compressing it to save space neither proves integrity nor helps admissibility. Touching the original risks spoliation that can get the evidence thrown out. Hash, document custody, and work on a verified copy.
When evidence may end up in court, two questions decide its value: can you prove it hasn't changed since acquisition, and can you account for everyone who handled it? Three controls answer those questions, and a competent responder applies all three.
What actually ensures integrity and admissibility
- Cryptographic hashing. Compute a hash (e.g., SHA-256) of the image at the moment of acquisition. Re-computing it later and getting the same value proves the image is bit-for-bit unaltered. A mismatch is a red flag; a match is your integrity proof.
- Documented chain of custody. A signed record of who collected the evidence, when, and every transfer afterward. It demonstrates the image was never in a position to be tampered with unaccountably — which is what makes it admissible.
- Work on a verified copy, never the original. Acquire with a write-blocker, verify the copy's hash against the source, and do all analysis on the copy. The original stays pristine and re-verifiable.
Why the distractors fail
- "Nothing in particular is needed" ignores the entire basis of digital evidence; an opposing counsel would have it excluded immediately.
- "Rename the file to something official-sounding" is cosmetic theater — a filename proves nothing about contents or handling.
- "Compress it to save disk space" confuses storage convenience with evidentiary controls; compression neither proves integrity nor establishes custody, and careless handling during it can alter or endanger the evidence.
What the interviewer is probing
Whether you understand that forensic value is a process — hash, document, preserve the original — not a property of the file itself. Touching the original or skipping the hash invites spoliation challenges that can get the evidence thrown out, undoing the whole investigation. They want the instinct to protect the original and prove integrity at every step.
Likely follow-ups
- Why is a single hash collision concern largely moot here, and which algorithms are still acceptable?
- What fields belong in a chain-of-custody record, and who signs it at each handoff?
- How do you prove the working copy is identical to the original at the moment of analysis?