How to Hash a Video File for Evidence (Step by Step)

Why Video Evidence Has to Be Provably Unaltered

Video is some of the most persuasive evidence there is — and some of the easiest to doubt. A clip from a CCTV system, a dashcam, a phone or a body-worn camera only carries weight if you can show it is the same footage that was collected, not a trimmed, re-saved or quietly edited version. The way to remove that doubt is to hash a video file for evidence: compute a cryptographic fingerprint of the exact bytes, record it, and re-check it whenever the integrity of the footage is questioned. This guide walks through exactly how to do that, what mistakes to avoid, and how e-Dex (formerly Hash Calculator) does it offline on your own machine. If you are still pulling the footage off a recorder, start with our guide to exporting CCTV footage without losing integrity.

Hash the Original Export, Never a Re-Encoded Copy

This is the single most important rule, and it is where most video evidence goes wrong. A cryptographic hash is computed over every byte of a file. Re-encoding, transcoding or compressing a video rewrites the underlying data even when the picture looks identical to the eye — and because the bytes change, the hash changes completely. If you convert the clip to a smaller format to email it, drop it into an editor and re-export, or let a player "save a copy", you have created a new file with a new fingerprint that can never be matched back to the original. So fix the original native export in place, hash that file, and treat anything derived from it as a separate item.

Step by Step: Hashing a Video for Evidence

The process is short and repeatable. Done the same way every time, it produces a clean integrity trail:

1. Export natively. Pull the video off the source system in its native format, without re-encoding, transcoding or compressing it. Keep this file untouched as your master copy.
2. Hash the file at SHA-256. Open the original in e-Dex and compute its SHA-256 hash. This is your reference fingerprint.
3. Record it. Write down the SHA-256 value together with the file name, size and the date and time it was hashed — in your evidence log or directly on an integrity certificate.
4. Store it safely. Keep the original file and its recorded hash in secure storage, ideally separated, so neither the file nor the value can be quietly altered.
5. Re-hash to verify. Whenever integrity is questioned, recompute the SHA-256 hash of the stored file and compare it against the recorded value. An identical result is a MATCH; the footage is unchanged. Any difference is a MISMATCH.

Why a Converted or Compressed Copy Fails Verification

It is worth understanding why the rule above is absolute. When someone later tries to verify a clip and gets a MISMATCH, the usual cause is not tampering — it is that they hashed a different file. A copy that was shrunk for sharing, re-exported from an editing tool, or auto-converted by a media player carries different bytes from the original, so its hash will never equal the recorded value, even though the footage looks the same. The verification is doing its job: it tells you the bytes are not identical. That is exactly why the discipline of hashing only the untouched native export matters — it keeps your reference value meaningful and your later checks trustworthy.

Large Files: Speed Without Losing Recognition

Video evidence is often large — hours of CCTV can run to many gigabytes. e-Dex streams the file from disk rather than loading it all into memory, so it can hash multi-gigabyte video files on an ordinary Windows machine; bigger files just take longer because every byte has to be read. When speed matters, you can compute BLAKE3, which is built for high throughput on large data, but you should still record the SHA-256 value too. SHA-256 is the value most people and systems expect, so keeping it alongside BLAKE3 gives you both fast verification and broad recognition. e-Dex computes both in a single pass, so there is no extra step. For a wider look at the algorithms, see our digital evidence software overview.

Chain of Custody and the Integrity Certificate

A hash proves the footage has not changed; it does not, on its own, record who handled it or when. For that you need a documented chain of custody — when the video was collected, by whom, and every transfer since. Pair the SHA-256 value with that record and you have both halves of the story: the file is unaltered and its handling is accounted for. e-Dex packages the integrity half into a readable evidence integrity certificate that lists the hashes per file with a plain MATCH / MISMATCH verdict. Work through our chain of custody checklist to make sure the surrounding record is as solid as the hash.

Frequently Asked Questions

Which file should I hash, the original video export or a copy?
Always hash the original native export of the video, not a re-encoded, converted or compressed copy. The hash is a fingerprint of the exact bytes in the file. A copy that has been transcoded or recompressed has different bytes, so it produces a completely different hash and cannot be matched against the original. Export the source video without re-encoding, hash that file, and treat its SHA-256 value as the reference for all later checks.

Why does re-encoding or converting a video change its hash?
A cryptographic hash is computed over every byte of a file. Re-encoding, transcoding or compressing a video rewrites the underlying data even when the picture looks identical, so almost every byte changes. Because the bytes change, the hash changes completely. That is why a converted or compressed copy will fail verification against the original value, and why you must hash the untouched native export.

Which hash algorithm should I use for video evidence?
Use SHA-256 as the primary algorithm for video evidence. It is a modern, collision-resistant standard that is widely recognised. For very large multi-gigabyte video files you can also compute BLAKE3, which is much faster, but you should still record the SHA-256 value so the proof matches whatever value others expect. e-Dex computes both, plus SHA-512 and legacy values, in a single pass.

How do I hash a very large multi-gigabyte video file?
e-Dex streams the file from disk rather than loading it into memory, so it can hash multi-gigabyte video files on an ordinary Windows machine. Larger files simply take longer because every byte must be read. For speed on big files you can use BLAKE3, which is designed for high throughput, while still recording the SHA-256 value alongside it for compatibility and recognition.

Does hashing a video for evidence need an internet connection?
No. e-Dex runs fully offline on your own Windows machine. Reading the video, computing SHA-256 and BLAKE3, comparing against recorded values and producing the integrity certificate all happen locally, so the footage never leaves your computer. An internet connection is only needed if you choose to apply an RFC-3161 trusted timestamp from a Time-Stamping Authority.

Conclusion

Hashing a video for evidence is simple once you hold one rule firm: hash the original native export, never a re-encoded copy, compute SHA-256, record it, store it, and re-hash to verify. That single discipline turns "trust me, it's the same clip" into a fact anyone can re-check. You can do all of it in minutes, fully offline, on a single Windows machine with e-Dex — the Digital Evidence Integrity Suite. Open the free hash tool and start proving your footage is exactly what it should be.