3. Content, Photo and Attachment Hashing
Hunchly automatically hashes all MHTML files, photos and attachments before storing. The hashing algorithm is SHA-256 and can easily be reproduced using common open source or command line tools. Extracting a page from a Hunchly export or by exporting a single page and then using SHA-256 from an independent tool should ALWAYS match the hash that Hunchly displays in the Dashboard for that capture.
If the hashes do not match then you have either modified the content or there has been an error when saving the files, and you should alert us immediately at firstname.lastname@example.org.
Potential Evidence Challenges
Hashes are not a bulletproof means to validate that the content was not changed BEFORE the MHTML capture was sent for review or disclosure. For example, an evil investigator looking to modify evidence could do the following:
- Capture a page that has a hash of ABCDEFG.
- Export the page to disk.
- Open the MHTML file and modify the content to say something other than what was captured.
- Manually generate a NEW hash which would be HIJKLMNOP for example.
- Submit the modified page and the new hash as evidence. When a third-party verifies this evidence it will mistakenly appear as though everything checks out.
This can be tricky to combat but there are a few strategies:
1. Demand that the page be submitted along with the GPG signature that Hunchly produces and the public key. While not perfect, it does place an additional roadblock on the evil investigator.
2. Validate the evidence through the source. For example, validate that the page content that is still active (if available) reflects what the investigator submitted for evidence. There are also sources of archived webpages such as the Wayback Machine that could be consulted.
3. Through a court order or other legal means, obtain the original material from the website where the evidence was collected, and compare to the submitted evidence to ensure that they match.
If you have additional questions, require clarification or have experienced evidentiary challenges of Hunchly data please email us: email@example.com