Understanding what is inside a file.
How hashes, digital signatures, timestamps and perceptual fingerprints actually work. Technical guides written precisely, without the shortcuts that fall apart under expert scrutiny.
Forensic images: E01 and dd
«I made a copy of the disk» means nothing. Copying files skips unallocated space and bad sectors. A forensic image is a sector-by-sector transcription of what is on the medium.
13 Jul 2026 Read → File analysisEntropy, magic bytes and disguised files
A file has no will, but it has a character: the distribution of its bytes. Entropy measures that character in a number — and like every single number, it says something true and i…
13 Jul 2026 Read → Digital signatureHow signing with a smart card works
If the computer signs the document, does the private key end up in the computer's memory? No, and that is the entire reason smart cards exist. The key never leaves the card: it is…
12 Jul 2026 Read → TimestampsThe timestamp, explained
Your computer's clock can be set by hand in three seconds. A timestamp is the way to have the time stated by someone with no reason to lie, and stated so that anyone can check it.
12 Jul 2026 Read → StandardsBagIt: a self-verifying case file
A digital case file verifiable only with the software that created it is not a case file: it is a hostage. BagIt solves this the oldest way: everything in the clear, in text files…
12 Jul 2026 Read → File analysisssdeep: fuzzy hashing explained
Between the cryptographic hash, which shouts «different!» over one bit, and the perceptual one, which squints at images, sits fuzzy hashing: how alike are two files, as sequences …
11 Jul 2026 Read → Digital signatureThe formats of the digital signature
A file called contract.pdf.p7m lands in your inbox and your computer has no idea what to do with it. They are all digital signatures, and the container simply depends on what you …
11 Jul 2026 Read → Digital signatureWhat «valid signature» really means
«The signature is valid» stands in for three distinct claims, and collapsing them loses the cross-examination. Verifying means answering three questions separately: each can fail …
11 Jul 2026 Read → Perceptual hashesHow a perceptual hash works
Re-save a photo and its SHA-256 changes end to end, though it is the same image. That is correct behaviour for a cryptographic hash, and it is what makes it useless for answering …
10 Jul 2026 Read → Perceptual hashesaHash, dHash and pHash compared
Three algorithms begin with the same gesture and end with 64 bits. What changes is the question asked of each cell: three questions, three blind spots. Their disagreement is the m…
10 Jul 2026 Read → Image analysisWhen the EXIF thumbnail betrays the photo
Inside almost every photo there is a second image: the EXIF thumbnail, generated at the instant of capture. If it no longer resembles the photo, someone edited it afterwards — and…
10 Jul 2026 Read → HashWhat a cryptographic hash actually proves
A hash answers exactly one question: is this file still the one it was? It doesn't say who wrote it, or when. Knowing what it promises — and what it doesn't — is the difference be…
9 Jul 2026 Read → HashAre MD5 and SHA-1 really «broken»?
«MD5 is broken, don't use it» is true enough to be dangerous. It is broken against one specific attack, and remains fit for another use — the one forensics makes of it. The differ…
9 Jul 2026 Read → HashWhich hash algorithm should you choose
Eighteen algorithms are not eighteen choices: they are three families with different internal constructions, plus two checksums that have nothing to do with cryptography. A select…
9 Jul 2026 Read →