SHA-256 hash and qualified eIDAS timestamping: the forensic language every law firm should master
Digital evidence has moved from exception to routine. Lawyers now bring WhatsApp threads, screenshots, web pages, voice notes, photos and videos into criminal proceedings, civil disputes, insurance claims and labour cases. The volume keeps growing, but courts and forensic examiners have become stricter on one point: a file produced in evidence is worth what its technical proof of integrity and certain date is worth.
Two terms recur in every forensic report, in every cross-examination, in every objection raised by opposing counsel: SHA-256 hash and qualified eIDAS timestamp. Together they form the technical mechanism that turns a digital file into evidence that is hard to challenge. Apart, each tells only half of the story.
This drill-down explains, in non-technical language, what they are, how they work, why their combination matters in court, and how a law firm can use them without becoming a cryptography expert.
Guide reference. This article is part of the digital evidence guide for lawyers. Start there for a complete view of how digital evidence is captured, certified and produced in court.
What a SHA-256 hash does: the unique mathematical fingerprint of a file
A hash is a short string that, in practice, uniquely represents the content of a file. SHA-256 is the cryptographic hash function standardised by NIST in FIPS 180-4, the same standard adopted by banks, governments and certification authorities worldwide. The acronym stands for "Secure Hash Algorithm, 256-bit output".
The result is a 64-character hexadecimal string, always the same length, regardless of whether the input is a 12-character text message or a four-hour video. That string is the fingerprint of the file.
How it is computed in practice and what it is used for
A hash is computed by feeding the file through the SHA-256 algorithm. The operation is deterministic: the same file always produces the same hash, on any machine, in any country, at any time. It is also a one-way function: given the hash, it is computationally infeasible to reconstruct the original file.
In forensic work, the hash is the proof of integrity. The capturing party records the hash at the moment of acquisition. Anyone who later receives the file can recompute the hash and verify that it matches. If it matches, the file has not been altered, not even by a single character. If it does not match, the file is different from the one originally captured. There is no grey zone.
Why a single different bit changes the whole result
SHA-256 has a property called the avalanche effect. Changing a single bit in the input file (a comma, a pixel, a millisecond of audio) produces a completely different output hash. There is no partial similarity, no "almost identical" result. Two files differ either entirely in their hash or not at all.
For lawyers, the practical consequence is simple. If opposing counsel claims that a screenshot was edited, the hash answers the question without expert debate: same hash, same file; different hash, different file. The cryptographic property removes the discussion from the realm of opinion.
No practical collisions have ever been found for SHA-256. The function is considered cryptographically sound by NIST, ENISA and every major standards body.
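The integrity check and the avalanche effect described above, as an added Python example that is not part of the original article or of any vendor's code. The function names and the sample exhibit are constructed for illustration. It records a hash at acquisition, verifies the untouched file, then flips one bit and counts how many of the 256 output bits change.

```python
import hashlib
import os
import tempfile

CHUNK = 1 << 20  # read 1 MiB at a time so a four-hour video never sits fully in memory


def sha256_file(path):
    """Return the SHA-256 of a file as 64 hex characters, reading it in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def verify(path, recorded_hex):
    """Recompute the hash and compare it with the value recorded at acquisition."""
    return sha256_file(path) == recorded_hex.strip().lower()


def differing_bits(hex_a, hex_b):
    """Count how many output bits differ between two hex digests."""
    return bin(int(hex_a, 16) ^ int(hex_b, 16)).count("1")


def demo():
    # Constructed sample standing in for a captured exhibit.
    original = b"Constructed sample: chat export, 12 March, 14:02, 'see you at 9'."
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "exhibit.bin")
        with open(path, "wb") as f:
            f.write(original)
        recorded = sha256_file(path)        # value written into the acquisition record
        ok_before = verify(path, recorded)  # untouched copy: hashes match
        tampered = bytearray(original)
        tampered[-3] ^= 0x01                # one flipped bit turns '9' into '8'
        with open(path, "wb") as f:
            f.write(tampered)
        ok_after = verify(path, recorded)   # edited copy: hashes no longer match
        flipped = differing_bits(recorded, sha256_file(path))
    return recorded, ok_before, ok_after, flipped


if __name__ == "__main__":
    recorded, ok_before, ok_after, flipped = demo()
    print(recorded, ok_before, ok_after, f"{flipped}/256 bits differ")
```

A single-bit edit typically changes about half of the 256 output bits, which is why the two digests share no recognisable pattern.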
Qualified eIDAS timestamping: the certain date that holds up in court
A hash proves what the file is. A timestamp proves when it existed. Without a trusted timestamp, the captured file could in theory be backdated or forward-dated. The hash alone does not say anything about time.
A timestamp binds the hash to a precise moment, certified by a third party. The legal weight of that timestamp depends entirely on who issues it and under which legal framework.
The difference between RFC 3161 timestamps and qualified eIDAS timestamps
RFC 3161 is the technical Time-Stamp Protocol defined by IETF. It is a sound protocol, used in countless software products. It produces a cryptographically valid timestamp. However, an RFC 3161 timestamp on its own does not carry an automatic legal presumption of accuracy under EU law. Its evidentiary weight depends on the trust placed in the issuer.
A qualified eIDAS timestamp is regulated by Regulation (EU) 910/2014, articles 41 and 42. It is technically based on the same protocol family, but it is issued exclusively by a Qualified Trust Service Provider (QTSP) listed in the EU Trusted List, under supervised conditions. Article 41(2) of the eIDAS Regulation gives it a specific legal effect: a qualified electronic timestamp enjoys the presumption of accuracy of the date and time it indicates, and of the integrity of the data to which the date and time are bound. The burden of proof shifts to whoever wants to challenge it.
The role of QTSPs under art. 41-42 of EU Regulation 910/2014
A QTSP is a legal entity, audited and supervised by national authorities, that issues qualified trust services such as qualified timestamps, qualified electronic seals and qualified certificates. The status is granted after a conformity assessment and is publicly verifiable on the EU Trusted List.
When a qualified timestamp is applied to a hash, the QTSP is certifying that, at a specific moment, that exact fingerprint existed and was submitted for sealing. The QTSP does not see the file: it sees the hash. This preserves confidentiality and at the same time anchors the file to a verifiable, supervised, legally recognised point in time.
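What "the QTSP sees the hash, not the file" means on the wire, as an added Python example that is not from the original article or from any provider's code. It builds an RFC 3161 timestamp request (the protocol family named above) by hand in DER. The helper names and the sample exhibit are constructed, and nothing is sent over the network.

```python
import hashlib
import secrets

SHA256_OID = bytes.fromhex("0609608648016503040201")  # DER OID 2.16.840.1.101.3.4.2.1


def der(tag, content):
    """Encode one DER tag-length-value element (short and long length forms)."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(raw)]) + raw
    return bytes([tag]) + length + content


def der_uint(value):
    """Encode a non-negative INTEGER; the sizing keeps the sign bit clear."""
    return der(0x02, value.to_bytes(value.bit_length() // 8 + 1, "big"))


def timestamp_request(digest, nonce=None):
    """Build an RFC 3161 TimeStampReq carrying only a SHA-256 digest."""
    if len(digest) != 32:
        raise ValueError("SHA-256 digest must be 32 bytes")
    alg = der(0x30, SHA256_OID + der(0x05, b""))  # AlgorithmIdentifier, NULL params
    imprint = der(0x30, alg + der(0x04, digest))  # MessageImprint: algorithm + hash
    body = der_uint(1) + imprint                  # version v1
    if nonce is not None:
        body += der_uint(nonce)                   # lets the requester match the reply
    body += der(0x01, b"\xff")                    # certReq TRUE: return the TSA certificate
    return der(0x30, body)


def demo():
    # Constructed sample standing in for a confidential exhibit.
    exhibit = b"Constructed sample: privileged client message, not for disclosure. " * 4
    digest = hashlib.sha256(exhibit).digest()
    req = timestamp_request(digest, nonce=secrets.randbits(64))
    return exhibit, digest, req


if __name__ == "__main__":
    exhibit, digest, req = demo()
    print(req.hex())                              # a few dozen bytes, whatever the file size
    print("file bytes in request:", exhibit in req)
```

The request stays the same few dozen bytes whether the exhibit is a text message or a video, and it contains the 32-byte digest but none of the file's content.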
TrueScreen, as a Data Authenticity Platform, integrates the seal of qualified third-party QTSPs via API. The qualified timestamping is delivered by a QTSP integrated into TrueScreen, not by TrueScreen itself.
| Criterion | RFC 3161 timestamp | Qualified eIDAS timestamp |
|---|---|---|
| Legal framework | IETF technical standard | EU Reg. 910/2014, art. 41-42 |
| Issuer | Any timestamping authority | QTSP on the EU Trusted List |
| Supervision | Not mandatory | Audited national supervision |
| Legal presumption in EU | None automatic | Presumption of date and integrity |
| Burden of proof | On the party invoking it | On the party challenging it |
Hash plus qualified timestamp: the combination that makes evidence non-repudiable
A hash without a timestamp says what the file is, but not when. A timestamp without a hash says when something happened, but not on which file. Together they create a sealed binding: this exact content existed at this exact moment, certified by a supervised third party.
This combination is what forensic examiners look for first when they receive a digital exhibit. It is also what opposing counsel attacks first when it is missing.
International evidentiary standards (eIDAS, FRE-style admissibility, expert testimony)
Several international frameworks accept the hash + timestamp logic as the technical backbone of digital evidence:
- eIDAS (Regulation EU 910/2014) establishes legal presumption for qualified electronic timestamps and qualified electronic seals.
- Federal Rules of Evidence 901 and 902 (United States) address authentication and self-authentication of records, including electronic ones, where cryptographic proofs of integrity carry significant weight.
- ISO/IEC 27037 provides the international guideline for identification, collection, acquisition and preservation of digital evidence, including the recommendation to compute and record hashes at the moment of acquisition.
- EU AI Act reinforces the need for verifiable provenance of digital content in regulated contexts.
A forensic report that cites the SHA-256 hash and the qualified eIDAS timestamp speaks the language these frameworks recognise.
How integrity is demonstrated in forensic proceedings
In practice, the demonstration follows a short, repeatable path. The expert receives the file. The expert recomputes the SHA-256 hash. The expert verifies that the hash matches the one recorded at the moment of capture and sealed by a qualified timestamp. If the two values coincide, the file is identical to the one originally acquired, and the time of acquisition is presumed accurate under article 41 of eIDAS.
At that point, the evidence is substantially non-repudiable on the integrity and date dimensions. The discussion in court moves to other questions: relevance, context, interpretation, but not whether the file is the original one.
How TrueScreen integrates hash and qualified timestamping in one workflow for law firms
For a law firm, building this technical chain manually is impractical. It requires forensic tools, hash computation utilities, contracts with a QTSP, scripts to bind hash and timestamp, and a verifiable archive. Every step is a potential point of failure.
TrueScreen is the Data Authenticity Platform that applies these elements automatically at the moment of capture. The SHA-256 hash is computed at source. The hash is then sealed with a qualified electronic seal and a qualified eIDAS timestamp issued by a QTSP integrated into the platform via API. The result is a forensic report that contains the hash, the qualified timestamp, the audit trail and the verifiable references to the trust services used.
For a deeper view of how this fits into a complete forensic workflow, see the digital evidence use case for law firms. For neighbouring topics, the WhatsApp evidence court guide and the web evidence acquisition guide based on ISO/IEC 27037 cover the most frequent acquisition scenarios. The Cassation ruling on WhatsApp stalking evidence shows the same logic applied to a real case.

