Jozsef Hocza

Seized Data As Conclusive Evidence

I had a chance to look into how authorities handle seized HDDs. Poorly.

Let’s say you have a visit from the Tax office and they start to seize your equipment. What do they do? Pack ‘em up like any other evidence. But hey! Usually evidence is visible. However when we talk about electronic data it is invisible. So just packing them up like a “gun with a finger print on it” is not the way to go.

They should be able to prove that the evidence is clean. How can you do it with a HDD/SSD? Well during the “raid” they should have made at least “hashes” of the contents of the HDDs then record the hashes. Make the suspect to sign a paper that they took the HDDs with the following hashes.

Without these they practically cannot prove that someone did not alter the evidence. The accused can always say: “These are not my data” and there is no way to prove that the person is lying.

You can say that authorities could use a witness when they “process” the data. But is the witness a Tech-genius? Will they allow him to go through the computer to look for any suspicous program in the background that would automatically write and date-back incriminating evidence on the HDD when they “plug in”?


It is like the lottery. The notary states that the lottery was clean, no tricky move has made. How? Is he checked the machine thoroughly? Is he know every way of cheating and he checked against it?

So witness or no witness when they process the data that witness basically has NO IDEA what is going on. Just a pawn. Just someone to sign: “Everything was OK with the procedure” while if you ask him he cannot tell you “how it was OK”. How do you know it was ok?

Let’s give it a twist

Seized HDDs cannot prove that you did something wrong unless they can prove that the data existed back in that time when they seized it. But hey, before they did the hash, their computer could have just upload the incriminating evidence right before making the hash. So viewing from this angle, there is no way to prove that the data belong to the suspect.

Maybe the only way that would work is “putting it in a box and sealing the box.” But without processing the HDD I cannot tell you that you have some nasty stuff on it. How would I go to the court with your case if the only thing that could put dirt on you is on that HDD? Without looking at your data there is no case. But when I look at the data I kill the evidence.

What do you think?

If I gave you my HDD/SSD how would you prove that data existed that time I gave it to you?

Share this:

Subscribe to my e-mail list.
You can unsubscribe anytime.