I've pulled together what we can learn from the October 22, 2020 CYA memo on the Hunter Biden laptop. Hoping some tech folks, esp @malwarejake and @matthew_d_green can review it to see if they can figure out why FBI had to install laptop hard drive in new laptop to get an image of it.

https://www.emptywheel.net/2023/07/06/the-technical-oddities-of-the-fbis-exploitation-of-hunter-bidens-laptop/

The Technical Oddities of the FBI's Exploitation of Hunter Biden's Laptop - emptywheel

For some reason, the FBI deemed it necessary to buy a new laptop and install the hard drive from the laptop once owned by Hunter Biden before it could image the laptop.

@emptywheel @matthew_d_green
Taking a look now.

@emptywheel @matthew_d_green After a cursory review of the whistleblower transcript (item 20), there is no reason I can see why you'd do this. It's honestly a bit perplexing to me. But this drive seems to have been mishandled at every turn - at least this is consistent...

Alternate theory: it's inarticulate wording?

@malwarejake @matthew_d_green
Note that he doesn't know how to spell Cellebrite.

But there was a "computer guy" in the room.

@malwarejake Also, is the observation that iMessages were encrypted (on the drive) but there was a business card with the password consistent with what we've seen elsewhere? @matthew_d_green

@emptywheel @matthew_d_green I don't remember that there were encrypted iMessages, but their investigation is very different (both in goal and scope) than mine. I'm sure there's data on that drive that I've never encountered, even across multiple analyses of the system.

Heck just on email, the reporters understand even just the email contents FAR better than me. I was the guy saying "yes, we can validate this email is authentic." The FBI can just subpoena Google. Whole different scope.

@malwarejake @emptywheel @matthew_d_green It seems like the last thing you'd want to do is boot it. I'd use something like a GParted boot disk or Puppy Linux to boot from USB and image the whole drive that way.

I assume there are more professional equivalent tools.

@RandomNunesParody @emptywheel @matthew_d_green Definitely, though we may be seeing the telephone game effect at play here.
@malwarejake I think I'm pretty close to convinced there are material inconsistencies between that laptop and what has been released. @RandomNunesParody @matthew_d_green
@emptywheel
The copies I've looked at were all live booted from the drive image at different times. This is consistent with the FBI doc, only that I didn't expect the FBI to be doing that too. @RandomNunesParody @matthew_d_green
@malwarejake Sorry: Can you say what that means? @RandomNunesParody @matthew_d_green

@emptywheel @malwarejake @RandomNunesParody @matthew_d_green
Every boot adds to the log files that forensic people should be looking at (instead of dick pics). Once booted, computers periodically "rotate" log files – meaning they move current logs to a different filename daily or weekly or monthly, keep N old versions, and purge anything older.

In short, booting will modify forensic data, and depending on timing can destroy forensic data.

@emptywheel @malwarejake @RandomNunesParody @matthew_d_green
So the logs would show recent boots. You'd be able to tell that it happened.

But in theory the FBI should have never done this.

In fact, it seems like a good lawyer could have all laptop data thrown out as evidence if the FBI actually did this, though you are probably more familiar with that part of things.
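The point made above, that a boot leaves traces in the logs and rotation eventually purges the older ones, can be turned into a simple examiner's check. The following is an added example, not something from the thread: it takes a wtmp-style listing of boot records (constructed here, not real data) that the examiner has already pulled from a read-only mount of the image, counts boots after a seizure date passed as an argument, and reports the oldest surviving record so the examiner knows how far back the rotated log can still speak.

```shell
#!/bin/sh
# Added example (not from the thread): find boot records that post-date the
# seizure of a drive. Assumes the examiner has already extracted a
# `last -F`-style listing from a read-only mount of the image; the records
# below are constructed, as is the seizure date used in the usage line.
set -eu

# Constructed boot records: ISO-8601 timestamp, record type, description.
sample_boot_log() {
    cat <<'EOF'
2019-03-02T08:14:07 BOOT system boot
2019-04-12T10:03:11 BOOT system boot
2019-12-09T13:55:40 BOOT system boot
2020-02-03T09:21:13 BOOT system boot
EOF
}

# Count boot records strictly after the cutoff. ISO-8601 timestamps sort
# correctly as plain text, so a string comparison is enough here.
boots_after() {
    cutoff="$1"
    awk -v cutoff="$cutoff" '$2 == "BOOT" && $1 > cutoff { n++ } END { print n + 0 }'
}

# The oldest surviving record marks the edge of what rotation has purged:
# anything before it is simply gone, so the log cannot speak to it.
oldest_record() {
    awk '$2 == "BOOT" { print $1; exit }'
}

# Usage: any boot after the (constructed) seizure date is a post-seizure
# boot the chain-of-custody paperwork has to account for.
SEIZED_AT="2019-12-01T00:00:00"
echo "boots after seizure: $(sample_boot_log | boots_after "$SEIZED_AT")"
echo "log reaches back to: $(sample_boot_log | oldest_record)"
```

Against a real image the listing would come from `last -F` run against the image's own wtmp, or from the rotated syslog copies, but the check is the same: any boot timestamp later than the seizure date means the evidence was written to after it left the owner's hands.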

@emptywheel @malwarejake @matthew_d_green What they should have done is booted to a different hard drive, either by physically removing the drive and plugging it into a different computer or by booting to a USB drive, and then copied the whole physical drive in one big piece.

I can't believe the FBI doesn't know that.

@RandomNunesParody @emptywheel @malwarejake @matthew_d_green
The charitable interpretation is that they're saying "boot" here instead of "mount," but this whole thing is such a mess that nothing would surprise me now.

@emptywheel @malwarejake @RandomNunesParody @matthew_d_green

Nunes' Parody beat me to it. You absolutely would not want to boot the thing directly. Every time you boot, the OS scribbles something on the drives. (Especially if there's additional stuff [e.g. malware] on it.) So you really do want to put it on a separate system that treats it as read-only data. One shouldn't need to be a computer forensics expert to know this.

@RandomNunesParody @malwarejake @emptywheel @matthew_d_green Agreed. The one class on computer forensics I took almost a decade ago taught me not to do those things and to maintain the integrity of a forensics image. As @wpoland says in a later post, they should have been using a write-blocker in order to make a clean forensics image.

The whole Hunter laptop thing is a great example of what not to do when forensically examining a computer!

@compuguy @malwarejake @emptywheel @matthew_d_green @wpoland I refuse to believe the IRL FBI just booted up a computer in evidence. It's either defense lawyer misinformation or just plain BS, probably the latter.
@RandomNunesParody It doesn't come from defense attorneys. It comes from the IRS Agent himself, and was written 3 years ago. @compuguy @malwarejake @matthew_d_green @wpoland