Dileep case: Was the memory card tampered with? A cyber security expert explains

It had come out in a forensic report recently that the memory card containing the visuals of the sexual assault was accessed while it was in the custody of the court.
Dileep against a background of cyber data

In the last few weeks, there has been a lot of discussion about the memory card used in the 2017 Kerala actor assault case, containing the visuals of the attack. Terms like hash value and last accessed date have been thrown about. The police finding says that the memory card, which was supposed to be in the safe custody of the trial court in Ernakulam, appears to have been accessed by someone. A forensic report, discovered during further investigation in the case this year, says that the memory card was last accessed in December 2018, a year after actor Dileep, the alleged mastermind behind the crime, was allowed to watch the visuals in court. When the police petitioned the trial court for access to the memory card, judge Honey M Varghese dismissed the plea.

It has also been reported that the hash value of the memory card has changed. Does that mean the memory card was accessed, changed or tampered with? These are the questions of concern for the prosecution. In an interview with TNM, international cyber security specialist Sangameswaran Manikkyam Iyer explains what the technicalities mean, and what one may interpret from them.

Q. What does hash value mean? What can we interpret when a hash value has changed?

A. The hash value for a digital file is like fingerprints for a human being. Every digital file will have a unique hash value. Different hashing algorithms are used to generate a hash value for a digital file, which will be a fixed length alphanumeric string. If the hash value of a digital file has changed, it can mean that the file has either been modified or tampered with, or else that it has been completely replaced. However, there is no way to know if it was authorised or unauthorised, or who accessed it or when.

There is another hash value called volume hash, which is used for the entire storage device. A memory card or pen drive will have a volume hash value. But if that has changed, we only know that something in the device has changed, not what. We wouldn’t know which files in the memory card may have changed. However, the hash value of a digital file will indicate if that particular file has changed.

This is not an access control mechanism, like the one used in offices where cards are used to access a specific space. Hash values cannot differentiate whether the file was modified by person A or person B. It would also not change if a file has only been opened and viewed.
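The distinction drawn above between a per-file hash and a volume hash can be shown in code. The following is an added illustration, not something from the interview or the forensic reports: it builds a constructed toy "memory card" as a dictionary of file names and bytes (no real evidence data), computes SHA-256 per file and over the whole card, and then shows that reading files leaves every hash unchanged, that a one-byte modification or a same-name, same-size replacement changes both the file hash and the volume hash, and that only a per-file manifest kept from before can say which file changed. The modelling of a volume hash as a hash over sorted names and contents is a simplification of how a lab would hash a byte-for-byte image.

```python
import hashlib
from typing import Dict, List, Tuple

# Constructed toy "memory card": file name -> contents. Not real evidence data.
CARD_BEFORE: Dict[str, bytes] = {
    "VID_0001.mp4": b"constructed video bytes 0001",
    "VID_0002.mp4": b"constructed video bytes 0002",
    "notes.txt": b"constructed notes",
}


def file_hash(data: bytes) -> str:
    """The 'file hash': a fixed-length hex string derived from one file's bytes."""
    return hashlib.sha256(data).hexdigest()


def file_manifest(card: Dict[str, bytes]) -> Dict[str, str]:
    """Per-file hashes recorded at seizure time, so later changes can be located."""
    return {name: file_hash(data) for name, data in card.items()}


def volume_hash(card: Dict[str, bytes]) -> str:
    """The 'volume hash': one digest over the whole device content.

    Simplified model (assumption of this example): hash every file name and its
    bytes in sorted order. A real image would be hashed byte-for-byte instead.
    """
    h = hashlib.sha256()
    for name in sorted(card):
        h.update(name.encode())
        h.update(b"\0")
        h.update(card[name])
        h.update(b"\0")
    return h.hexdigest()


def changed_files(before: Dict[str, str], after: Dict[str, str]) -> List[str]:
    """Names whose hash differs between two manifests (modified, replaced,
    added or removed). The hash alone cannot say which of those happened."""
    names = set(before) | set(after)
    return sorted(n for n in names if before.get(n) != after.get(n))


def viewing_only(card: Dict[str, bytes]) -> Tuple[Dict[str, str], str]:
    """Opening and reading files does not alter their bytes, so no hash moves."""
    for data in card.values():
        _ = data[:4]  # simulate a viewer reading the content
    return file_manifest(card), volume_hash(card)


def modify_one_byte(card: Dict[str, bytes], name: str) -> Dict[str, bytes]:
    """Return a copy of the card with a single bit flipped in one file."""
    new = dict(card)
    data = bytearray(card[name])
    data[0] ^= 0x01
    new[name] = bytes(data)
    return new


def replace_same_size(card: Dict[str, bytes], name: str, replacement: bytes) -> Dict[str, bytes]:
    """Return a copy with one file swapped for different bytes of equal length:
    name and size look identical, only the hash reveals the change."""
    if len(replacement) != len(card[name]):
        raise ValueError("replacement must keep the original size for this demo")
    new = dict(card)
    new[name] = replacement
    return new


if __name__ == "__main__":
    manifest0, vol0 = file_manifest(CARD_BEFORE), volume_hash(CARD_BEFORE)
    print("volume hash before:", vol0)
    print("viewing changed anything:", viewing_only(CARD_BEFORE) != (manifest0, vol0))
    after = modify_one_byte(CARD_BEFORE, "VID_0002.mp4")
    print("volume hash after modification differs:", volume_hash(after) != vol0)
    print("files located via manifest:", changed_files(manifest0, file_manifest(after)))
```

The last line is the practical point: a changed volume hash on its own says only that the device content is different, while a per-file manifest taken earlier narrows that down to the affected file, though still without saying who changed it, when, or whether it was edited or swapped.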

Q. You said a change in hash value may mean that the file was either modified or replaced. Is there any way to know which of these two has happened?

A. Unfortunately, the change in hash value will not tell us which of the two conditions has occurred. It will only say something has changed. Two files may look alike by name or size, but the hash value might be totally different. From the hash value you cannot find out what has changed.

Q. The forensic report, which came out recently, mentions the last accessed date of the memory card as December 13, 2018. That is nearly a year after the accused Dileep viewed the visuals in court.

A. There are certain gaps here. There are two FSL (Forensic Science Lab) reports. One is a confidential report which supposedly mentions that the hash value of the memory card has changed. I have not seen this report but heard about it from people who did. This report is not in public. So we cannot say which has changed – is it the volume hash or the file hash. A change in volume hash may indicate something within the memory card has changed, not what. A change in the file hash will say which file has been modified. Unless the second report is out, we cannot say this.

The other forensic report, which has come out in public, has details of the analysis of the memory card: the specific make, the number of files, creation and last accessed dates, etc. You have to consider the host and the device. The host is the computer used to see the contents of the memory card. The last accessed date will come from the properties of the digital file, which can be viewed in the host. But we cannot make out which computers were used to access the device. So there is no way to know how many times it has been accessed.


The News Minute