8. The entire cross examination of P.W.14 is filed along with the papers and it runs to about nine pages. In the cross examination, several questions have been put in detail about the hash value and also the veracity of the electronic documents.

The relevant portions are extracted hereunder for ready reference:-

"Do you have any idea of HASH VALUE? It is alpha numeric uppercase, lowercase, digit number generated by Algorithms to provide authenticity. For Alpha numeric 32 digits are there for a MD file? Yes, if the HASH ALGORITHM used is MD FILE then it can generate 32 digits. In Ex.P25, can you say how many digits are there in the HASH? 32 digits. All the reports which were given by you contain only 32 digits as HASH VALUE? Yes. All the HASH VALUES given in Ex.P25 were generated by you at your office? Yes, the same has been generated automatically by the software used for the forensic examination based on the content of digital data available in the digital storage medium. In this case, the HASH VALUES were given from the test conducted by your lab on Q1 (MO1)? Yes. The purpose of giving HASH VALUE to a Material Object is to ensure that the digital evidence is not tampered? Yes. In the letter Ex.P24, is there any HASH VALUE given by the office https://www.mhc.tn.gov.in/judis ( Uploaded on: 13/06/2025 02:27:21 pm ) while seizing the objects MO1 to MO5? No, in the forwarding letter no HASH VALUES were mentioned. If there is a HASH VALUE in the seizure mahazar and in the forwarding letter sent to your office and if they tallied with the HASH VALUE of your office then, it can be certainly said that, the Material Objects were not tampered?

Yes. All the photographs extracted in Ex.P25, are taken from the Hard Disk (Q1)?

The panchanama should be prepared for the HASH VALUE for each of the hard disk image? I have not prepared any panchanama and no such practice is followed. In your report, you've mentioned the time taken for obtaining the HASH VALUE for both the acquisition HASH and verification HASH? I've not mentioned. At page No. 267, inner page 6 you've mentioned Q1/C/PAGE5.sys and at page No. 279 you've also mentioned the file name as USBPRINT.INF, at page No. 287 you've mentioned as Q1/C/UNALLOCATED CLUSTERS and at page No. 285, inner page 15 you've mentioned Q1/C/windows/fonts/wst_czec.fon? Yes. What is the purpose for adopting the above methods for analysing Q1? The forensic analyst will analyse active files, deleted files, unallocated clusters, Slack space and system artifacts for retrieving the evidence from the suspected digital evidence storage media. Why have you adopted "PAGE FILE.SYS" for analysing? As I mentioned above, Q1 contains Microsoft operating system which has pagefile.sys as system file, the same was used. Ex.P25 inner page 6 and page 267, does it contain the report of the analysis made by you using pagefile.sys? Yes. It is the hard copy printout of outcome of analysis of pagefile.sys. Is page 6 in Ex.P25 the true extract? Yes. Whether it can be read through the naked eye or human mind? It cannot be. What was the procedure you adopted to read the file and whether you've stated in your report? I've not mentioned about the procedure but the tool I've used has already an inbuilt utility for analysing pagefile.sys. What is the tool used? The tool I've used is EnCase and the same I've mentioned at the page No. 1 of my report. I put it to you that, the images in pagefile.sys can never be read or accessed by user including administrator? It is not correct.
Can you demonstrate that pagefile.sys that doesn't generate alphabetic words but only signs which are un-understandable by human brain? That cannot be done here, but through forensic tools data can be retrieved."