In United States v. Farlow, 2012 U.S. App. LEXIS 11121 (1st. Cir. Jun. 1, 2012) the 1st Circuit erred in its description of how changing a file affects its hash value. Judge Thompson stated:
The problem for Farlow is that we have rejected the idea that government agents should so narrowly restrict their searches of digital devices. "When searching digital media for 'chats' and other evidence of enticement" -- like the bodybuilder image -- "government agents cannot simply search certain folders or types of files for keywords." Crespo-Rios, 645 F.3d at 43 (emphasis added). The same goes for other specific identifying information -- like hash values. This is because computer files are highly manipulable. Id. at 43-44. A file can be mislabeled; its extension (a sort of suffix indicating the type of file) can be changed; it can actually be converted to a different filetype (just as a chat transcript can be captured as an image file, so can an image be inserted into a word-processing file and saved as such). See id. Any of these manipulations could change a document's hash value. And in any event a limited hash-value search would not have turned up any chat transcripts (which, again, can be saved as image files) or other evidence of Farlow's New York crimes. The government therefore reasonably executed a broad search that fell within the scope authorized by the valid warrant it obtained.The highlighted/bolded portion is not in fact, completely true. It is true that capturing a chat transcript as an image, or placing it in a different document does change the hash value. But, merely changing the name of a file, or changing its extension using regular file operations does not change that file's hash value. A friendly example of that on OS X:
And for clarity's sake, a duplicate test on Windows, using "hashtest2.txt" from the OS X machine as a starting point. I have copied the file and renamed it, as well as copied it and changed the extension:
I point this out merely to prevent this erroneous statement from being perpetuated. I do not think, on the whole, that it really makes too much difference in the case itself. I'm open to opinions otherwise.
As a caveat, let me also note that changing a file extension can also occur through a program (i.e. MS Paint) whereby one file format is converted to another (png to jpg, for example), and that would change the hash value. I think the words in this decision are just a little unclear and ambiguous.