I found out yesterday that the exam board used in a project I'm involved with will accept the audio recording from an oral test (ie the speaking part of a test) as an mp3 file. This seems somewhat interesting as it's extremely easy to manipulate the files after they've been generated using freeware audio editing tools, such as Audacity. Obviously, though, this problem isn't a new one - certainly, it's possible to manipulate audio on tape or CD with as much ease.

The easiest way to prove that a file has been edited is to generate a hash of the original. If the hash doesn't match this file, then there's obviously been a change to the file. But how does one know that the has generated is that of the original file, and not one of the edited file? What's to stop someone just generating a hash based on the edited file?

Thinking about this a bit further, I hit on an idea. There's open source mp3 players/recorders out there such as the iRiver. This device runs an operating system which can be developed for applications such as this. It would be possible to create a custom operating system for devices such as this which could generate a hash based on the file that's just been recorded, along with the time, date, and a secret cipher. This hash could then be saved to an associated file.

From here, both the audio file and the file containing the hash would need to be sent to the exam board. As usual, if the hash matches the contents, all is good. It wouldn't be easy to create a new hash based on the edited file unless one knew the secret cipher and the other bits associated with the hash (ie method, and the date and time element). There's got to be something I've not considered here, though. What am I missing?