Handling of evidence delays rulings on case for Litchfield man accused of shooting his wife
Published: Wednesday, June 15, 2011
By CHRIS RUELI
LITCHFIELD — In spite of a lengthy argument that ensued Tuesday regarding a motion for disclosure in Litchfield resident John Lavoie’s first-degree assault case, no decision was rendered.
Lavoie, 54, engaged police in a 10-hour standoff after allegedly shooting his wife in November 2009.
Lavoie was previously in custody for nearly two months after he barricaded himself inside his East Litchfield home on Nov. 24, 2009, following an alleged assault on his wife. Police said Lavoie used a loaded shotgun to shoot his wife in the leg. She was able to escape and drive herself to the hospital, but only after she successfully wrestled the shotgun away from Lavoie and escaped, documents detailed.
On Tuesday, attorney Rachel M. Baird, Lavoie’s defense counsel, requested exact duplicates of the computer hard drives that were seized by state police in order for the defense to create their own report during the hearing in Litchfield Superior Court.
Baird called Monique Ferraro, a digital forensics expert at Technology Forensics in Waterbury, to testify regarding the copies of the hard drive that have already been turned over by state police. Ferraro testified she needed the hash values from the computer, something equivalent to DNA or fingerprint identification, in order to determine if she received exact copies of the hard drives. (Click here for Register Citizen article.)
Can you explain what "hash values" are? What evidence does the defense hope to obtain from the computer?
ReplyDeleteHash values are used in digital forensics to validate that a copy is the same as an original. A software program applies a mathematical algorithm to each character in a file or set of data and, as it moves along in the progression of characters, smooshes the results together- hence, the term, 'hash.' The resulting alphanumeric value is 128-bits and statistically infeasible to be the same as any other value. (Read. . . the probability of one hash value being the same as another hash value by chance is about the same as a DNA or fingerprint value being the same as another.) If you were to change one character or one space in a file, or even in an entire hard drive for which a hash value has been calculated, the hash value would change completely.
ReplyDeleteThere are many other features of hash values that are too voluminous to discuss here, but I'll briefly touch on a couple. You cannot deconstruct a hash value. It cannot be recalculated from end to beginning to determine the contents of a file. Hash values are used not only in digital forensics, but in electronic discovery and are the de facto standard for validating electronically stored data.
When creating a forensically sound copy of original evidence, a hash value (usually MD-5 and/or SHA-1 and CRC) is calculated on the original drive or media and then on the copy to confirm that the copy is the same as the original. The hash values are recalculated on the original to confirm that the original was not altered in the copying process.
Hope that answers your question, anonymous :)