Hi all,
I’m a developer with an interest in digital evidence integrity. It bothers me that logs, manifests, or artifact inventories can potentially be altered before they ever reach court.
I’ve developed a working CLI tool that currently implements things like:
- hashing collected items
- signing manifests (when a key is available)
- internally chained log entries
- verification of manifests and logs afterwards
The idea is to record interesting file states as early as possible so there’s a stronger trail showing that artifacts and items of interest remained unchanged later on. I can't imagine I'm done feature-wise. This is where your feedback comes in.
What I’m curious about is the practical side from people who actually investigate cases or even make decisions at a final stage, whether it's a judge, a committee, or a prosecutor deciding on a go/no-go, and so forth.
For example:
- How often do you run into concerns about digital evidence, log, or manifest tampering?
- Are integrity protections (hashes, signatures, chained logs) something investigators rely on, or would rely on if certain conditions are met?
- What tends to matter most when these artifacts end up being reviewed by courts, lawyers, or oversight bodies?
- When accusations of digital tampering arise (or need to arise), what actually helps to prove or disprove them?
I’m mainly trying to understand what investigators and legal reviewers actually need here rather than guessing from the engineering side.
Thanks for any insight.
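
A minimal sketch of the chained-log idea listed in the post, added here as an illustration; it is not the poster's tool, and the function names, record layout, sample data and the HMAC seal (a stand-in for a real signature) are assumptions. It shows that a hash chain alone catches in-place edits but not truncation or a full rewrite, which is why the chain head has to be signed or anchored outside the log.

```python
import hashlib
import hmac
import json

GENESIS = "0" * 64  # fixed "previous hash" for the first entry

def entry_hash(prev, record):
    # Canonical JSON so the same record always hashes to the same value.
    body = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev + body).encode()).hexdigest()

def append(log, record):
    prev = log[-1]["hash"] if log else GENESIS
    log.append({"prev": prev, "record": record, "hash": entry_hash(prev, record)})

def seal(log, key):
    # Binds entry count and head hash to a key held outside the log.
    # HMAC is an assumption standing in for an asymmetric signature.
    head = log[-1]["hash"] if log else GENESIS
    return hmac.new(key, f"{len(log)}:{head}".encode(), hashlib.sha256).hexdigest()

def verify(log, key=None, seal_value=None):
    """Return (ok, reason). Without a seal only internal consistency is checked."""
    prev = GENESIS
    for i, e in enumerate(log):
        if e["prev"] != prev or e["hash"] != entry_hash(prev, e["record"]):
            return False, f"chain broken at entry {i}"
        prev = e["hash"]
    if seal_value is not None and not hmac.compare_digest(seal(log, key), seal_value):
        return False, "seal mismatch"
    return True, "ok"

def build_sample():
    # Constructed sample items; the byte strings stand in for file contents.
    items = [("disk.img", b"constructed-A"), ("mem.raw", b"constructed-B"),
             ("auth.log", b"constructed-C")]
    log = []
    for name, data in items:
        append(log, {"item": name, "sha256": hashlib.sha256(data).hexdigest()})
    return log
```
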

