Federal Rules of Evidence - Rule 902


Rule 902(14) covers records “copied from an electronic device, storage medium, or file” (including email and other user-created records) that can be authenticated using a document’s hash values.3 A document’s hash value is represented by an alphanumeric sequence of characters unique to that document (its “digital fingerprint”) such that, if an original and copy have the same hash value, there is a very high probability that the documents are identical. For purposes of authentication, hashing “provides exactly the proof that Rule 902 requires: that the document is what the attorney states that it is.”4 Hash values are not the only method by which such certification can be made. As the Advisory Committee on Evidence notes, “[t]he rule is flexible enough to allow certifications through processes other than comparison of hash value, including by other reliable means of identification provided by future technology.”


Heureka Response to FRE 902

When a Heureka collect is done, the agent computes a SHA-1 hash of the file's bytes and passes it on to the endpoint-api. When the endpoint-api receives the file and writes it to disk, it calculates the SHA-1 of that file and checks it against the value provided by the agent. If the two values do not match, it throws an error and deletes its copy of the file.
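
The receive-side check described above, as an added sketch that is not Heureka's own code: the names `receive_file`, `sha1_of_file` and `HashMismatchError` are hypothetical, and the sample file contents are constructed for the example.

```python
import hashlib
import hmac
import os
import tempfile


class HashMismatchError(Exception):
    """Raised when the stored copy does not match the SHA-1 sent by the agent."""


def sha1_of_file(path):
    """Return the hex SHA-1 of the bytes currently on disk at path."""
    digest = hashlib.sha1()
    with open(path, "rb") as fh:
        # Read in 1 MiB pieces so large collected files do not fill memory.
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def receive_file(data, agent_sha1, dest_path):
    """Write data to dest_path, re-hash what landed on disk, keep it only on a match."""
    with open(dest_path, "wb") as fh:
        fh.write(data)
    stored_sha1 = sha1_of_file(dest_path)  # hash the written copy, not the buffer
    # Normalise case and whitespace before comparing the two hex digests.
    if not hmac.compare_digest(stored_sha1, agent_sha1.strip().lower()):
        os.remove(dest_path)  # discard the copy that cannot be authenticated
        raise HashMismatchError(f"expected {agent_sha1}, stored copy is {stored_sha1}")
    return stored_sha1


def demo():
    """Constructed sample: one intact transfer and one altered before it was stored."""
    original = b"Constructed sample email body for the example.\n"
    agent_sha1 = hashlib.sha1(original).hexdigest()  # value the agent would send
    workdir = tempfile.mkdtemp()
    good, bad = os.path.join(workdir, "good.eml"), os.path.join(workdir, "bad.eml")
    kept = receive_file(original, agent_sha1, good)
    try:
        receive_file(original + b"x", agent_sha1, bad)
        rejected = False
    except HashMismatchError:
        rejected = True
    return kept == agent_sha1, os.path.exists(good), rejected, os.path.exists(bad)


if __name__ == "__main__":
    print(demo())
```

Hashing the file after it is written, rather than the in-memory buffer, is what ties the recorded value to the stored copy that would later be certified.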