Hash « e-Discovery Team

Hash

51FEC3B6FCB1E7D5465575BED5DCDC1B8897AE5A

Computer hashing

Computer hash is an encryption algorithm that forms the mathematical foundation of e-discovery. Hashing generates a unique alphanumeric value to identify a particular computer file, group of files, or even an entire hard drive. As an example, the hash of the animated GIFF file is shown above. The unique alphanumeric of a computer file is called its “hash value.” Hash is also known in mathematical parlance as the “condensed representation” or “message digest” of the original message. It is more popularly known today as a “digital fingerprint.” Hash is the bedrock of e-discovery because the digital fingerprint guarantees the authenticity of data, and protects it against alteration, either negligent or intentional. Hash also allows for the identification of particular files, and the easy filtration of duplicate documents, a process called “deduplication” that is essential to all e-discovery document processing.

Hash is my favorite e-discovery technology. I became fascinated by its great potential as a safeguard for electronic evidence in the future, and ended up reading and experimenting with this algorithm in depth. Ultimately I wrote a forty-four page law review article on the subject. HASH: The New Bates Stamp, 12 Journal of Technology Law & Policy 1 (June 2007). Here I discuss hash at length and review just about every case that mentions it. The article has 174 footnotes to provide reference to almost everything on the subject that might be of interest to a lawyer or others in the e-discovery field. As the title suggests, I make a specific proposal in the article for the adoption of an e-discovery file naming protocol based on hash to replace the paper oriented Bates stamp. For more background on this law review article see my prior blog about it. For information on how the use of hash, instead of Bates stamps, is much more efficient and saves money in e-discovery processing, see my other blog The Days of the Bates Stamp Are Numbered.

Technically, hashing is based on the substitution and transposition of data by various mathematical formulas. Thus the process is called “hashing,” in the linguistic sense of “to chop and mix.” The hash value is commonly represented as a short string of random-looking letters and numbers, which are actually binary data written in hexadecimal notation. Hash is commonly called a file’s “fingerprint” because it represents its absolute uniqueness.

If two computer files are identical, then they will have the same hash value. Even if the files have a different name, if their contents are the same, exactly the same, they will have the same hash. This allows for easy identification and elimination of redundant documents, the mentioned deduplication process. But if you so much as change a single comma in a thousand page text, it will have a completely different hash number than the original. There are no similarities in the hash numbers based on similarities in the files. Each number is unique. That is how the math in all hashing works.

Many kinds of effective hash formulas have been invented, but two are in wide use today: the SHA-1 and MD5 algorithms. Both are very effective, in that mathematicians conjecture that it is “computationally infeasible” for two different files to produce the same hash value. That is why hashing is commonly employed in data transmissions to verify that the integrity of a file has been maintained in transmission. If you hash the file received, and it does not produce the same hash value, then it has been corrupted, and at least one byte is not the same as the original. It is a guaranteed way of verifying the integrity of an electronic file.

Software to run both the SHA-1 and MD5 hash analysis of files is widely available, easy to use and free. I use a HashTab Shell Extension to Windows, available for free at http://www.beeblebrox.org/software.php. The hash value of any file can be instantly determined, regardless of the type of electronic file, including graphics. For instance, the hash values of a Word document I am working on now are:
MD5: 588BCBD1845342C10D9BBD1C23294459
SHA-1: C24AE3125BFDBCE01A27FDDA21B3A7E83FAFF69E
If I only change one comma in this multipage document, all else remaining the same, the hash values are now:
MD5: 5F0266C4C326B9A1EF9E39CB78C352DC
SHA-1: 4C37FC6257556E954E90755DEE5DB8CDA8D76710
Although the two files have only this trivial difference, there are no similarities in these hash values, proving that hashing will detect even the slightest file alteration.

Hashing can also be used to determine when fields or segments within files are identical, even though the entire file might be quite different. This requires special software, but again is commonly available from many e-discovery vendors, for a price. This software allows you to hash only portions of a file. Thus, for instance, you can hash only the body of an email, the actual message, to determine whether it is identical with another email, even when the “reference” or the “to” and “from” fields are different. This allows for an important filtering process called “near de-duplication.”

9 Responses to “Hash”

Jr Says:
January 14, 2007 at 11:43 pm
Nice BLOG!
Sherlock Holmes in the Twenty-First Century: Definitions and Limits of Computer Forensics, Forensic Copies and Forensic Examinations « e-Discovery Team Says:
October 14, 2007 at 11:21 am
[...] Hash [...]
AS Says:
March 5, 2008 at 9:34 pm
Has anyone found lots of issues trying to decide which e-mail message properties to be used to create MD5 hash? Not to mention the timezone issues, where communication happened internationally…
Venue Analysis Transformed by e-Discovery and the Digitization of Society « e-Discovery Team Says:
March 16, 2008 at 4:11 pm
[...] Hash [...]
Trade Secrets Case Uses MD5 Hash and Keyword Search to Protect Defendants’ Rights - Magistrate’s Privilege Waiver Order Is Reversed « e-Discovery Team Says:
March 23, 2008 at 5:47 pm
[...] Hash [...]
New Case Denies Both Production Under Rule 26(b)(2)(B) and Sanctions for Spoliation Under Unspoken Rule 37 « e-Discovery Team Says:
April 1, 2008 at 5:42 pm
[...] Hash [...]
Jeff Says:
April 8, 2008 at 5:56 pm
Why are they so trusting of MD5/SHA1 both are circumventable. There are now ways to make the hashes match even if there are TOTALLY different files. REF:

http://www.schneier.com/blog/archives/2005/06/more_md5_collis.html

There are also several tools now to modify MD5/SHA1.

http://www.stachliu.com/collisions.html
Ralph Losey Says:
April 9, 2008 at 6:48 am
Thanks for the comment. The articles you reference are interesting, but the false collisions engineered by experts which are discussed at these sites, and elsewhere, are not a cause for any real concern in the e-discovery arena. Here we primarily use hash to verify that ESI has not been altered, and to determine if two files stored on systems are identical. e-Discovery is not using hash for encryption purposes. These studies do, however, explain why the spy agencies are moving to new hash formulas.
The Days of the Bates Stamp Are Numbered « e-Discovery Team Says:
May 11, 2008 at 1:13 pm
[...] Hash [...]

TEAM MISSION STATEMENT

1. Assist companies routinely involved in litigation to establish an e-discovery readiness team. The recommended team includes designated in-house legal counsel, IT and business management, and, where needed, the best e-discovery vendors and experts in the field. Our attorneys, technicians and other specialists help form, train and coach the team, but the client remains team owner and captain.

2. Meet with IT personnel and fully understand their data architecture and record retention practices, and then advocate and explain their position in the litigation process, appearing in court as co-counsel of record when necessary.

3. Guide in the creation and implementation of new systems to maintain records, preserve evidence, and timely respond to electronic discovery.

4. Provide high quality and consistent legal representation on e-discovery issues around the country, and work closely with local counsel, clients, and the courts to minimize costs and unnecessary disputes.

Sedona Principles, 2nd Ed.

1. Electronically stored information is potentially discoverable under Fed. R. Civ. P. 34 or its state equivalents. Organizations must properly preserve electronically stored information that can reasonably be anticipated to be relevant to litigation.

2. When balancing the cost, burden, and need for electronically stored information, courts and parties should apply the proportionality standard embodied in Fed. R. Civ. P. 26(b)(2)(C) and its state equivalents, which require consideration of the technological feasibility and realistic costs of preserving, retrieving, reviewing, and producing electronically stored information, as well as the nature of the litigation and the amount in controversy.

3. Parties should confer early in discovery regarding the preservation and production of electronically stored information when these matters are at issue in the litigation and seek to agree on the scope of each party’s rights and responsibilities.

4. Discovery requests for electronically stored information should be as clear as possible, while responses and objections to discovery should disclose the scope and limits of the production.

5. The obligation to preserve electronically stored information requires reasonable and good faith efforts to retain information that may be relevant to pending or threatened litigation. However, it is unreasonable to expect parties to take every conceivable step to preserve all potentially relevant electronically stored information.

6. Responding parties are best situated to evaluate the procedures, methodologies, and technologies appropriate for preserving and producing their own electronically stored information.

7. The requesting party has the burden on a motion to compel to show that the responding party’s steps to preserve and produce relevant electronically stored information were inadequate.

8. The primary source of electronically stored information for production should be active data and information. Resort to disaster recovery backup tapes and other sources of electronically stored information that are not reasonably accessible requires the requesting party to demonstrate need and relevance that outweigh the costs and burdens of retrieving and processing the electronically stored information from such sources, including the disruption of business and information management activities.

9. Absent a showing of special need and relevance, a responding party should not be required to preserve, review, or produce deleted, shadowed, fragmented, or residual electronically stored information.

10. A responding party should follow reasonable procedures to protect privileges and objections in connection with the production of electronically stored information.

11. A responding party may satisfy its good faith obligation to preserve and produce relevant electronically stored information by using electronic tools and processes, such as data sampling, searching, or the use of selection criteria, to identify data reasonably likely to contain relevant information.

12. Absent party agreement or court order specifying the form or forms of production, production should be made in the form or forms in which the information is ordinarily maintained or in a reasonably usable form, taking into account the need to produce reasonably accessible metadata that will enable the receiving party to have the same ability to access, search, and display the information as the producing party where appropriate or necessary in light of the nature of the information and the needs of the case.

13. Absent a specific objection, party agreement or court order, the reasonable costs of retrieving and reviewing electronically stored information should be borne by the responding party, unless the information sought is not reasonably available to the responding party in the ordinary course of business. If the information sought is not reasonably available to the responding party in the ordinary course of business, then, absent special circumstances, the costs of retrieving and reviewing such electronic information may be shared by or shifted to the requesting party.

14. Sanctions, including spoliation ﬁndings, should be considered by the court only if it finds that there was a clear duty to preserve, a culpable failure to preserve and produce relevant electronically stored information, and a reasonable probability that the loss of the evidence has materially prejudiced the adverse party.

Reprinted courtesy of The Sedona Conference®.

Go to www.thesedonaconference.org to download a free copy of the complete document for your personal use only.

MUCH DATA DO YOU HAVE?

CD = 650 MB = 50,000 pages. DVD = 4.7 GB = 350,000 pages. DLT Tape = 40/80 GB = 3 to 6 Million pages.
Super DLT Tape = 60/120 GB = 4 to 9 Million pages.

*************************** Page Estimates:
1 MB is about 75 pages;
1 GB is about 75,000 pages (pick-up truck full of documents).

Aver. pgs. per email: 1.5 (100,099 pages per GB).
Aver. pgs. per word document: 8 (64,782 pages per GB).
Aver. pgs. per spreadsheet: 50 (165,791 pages per GB).
Aver. pgs. per power point: 14 (17,552 pages per GB).

*************************** For the average .PST or .NSF Email File:
100 MB .PST file is 900 emails and 300 attachments.
400 MB .PST file is 3,500 emails and 1,200 attachments.
600 MB .PST file is 5,500 emails and 1,600 attachments.
A 1.00 GB .NSF file is 9,000 emails and 3,000 attachments.
A 1.5 GB .NSF file is 13,500 emails and 4,500 attachments.

*************************** Note: Many variables will affect ALL of the actual numbers above, including especially large image and video files, and recursive files.

*************************** Bits and Bytes Sizes:
•8 bits are equal to 1 byte (one or two words),
•1,024 bytes are equal to 1 kilobyte (KB).
•1,024 kilobytes (KB) are equal to 1 megabyte (MB or Meg).
•1,024 megabytes are equal to 1 gigabyte (GB or Gig) (truck full of paper).
•1,024 gigabytes are equal to 1 terabyte (TB) (50,000 trees of paper).
•1,024 terabytes are equal to 1 petabyte (PB) (250 Billion Pgs. of Text).
•1,024 petabytes are equal to 1 exabytes (EB) (1 000 000 000 000 000 000 bytes).