What is a hash collision and why does it matter in forensics?

Explanation:
A hash collision happens when two different inputs produce the same hash value. In forensics, hashes act like fingerprints for digital evidence: they’re used to verify integrity, confirm that a copy is an exact replica, and link data to a source. If two distinct files end up with the same hash, the fingerprint isn’t unique, which means a malicious or accidental replacement could slip in without detection, undermining the reliability of the evidence.

That’s why collision resistance matters. Strong hash functions (like SHA-256) are designed to make collisions extremely unlikely, while older ones (such as MD5 or SHA-1) have known practical collisions and are considered weaker. To protect investigations, practitioners use robust algorithms, often verify evidence with multiple hashes, document the hashing process, and rely on signatures and chain-of-custody practices to maintain trust in the evidence. In short, a hash collision is two different inputs sharing the same hash, and that possibility directly impacts evidence integrity.
