I've pulled together what we can learn from the October 22, 2020 CYA memo on the Hunter Biden laptop. Hoping some tech folks, esp @malwarejake and @matthew_d_green can review it to see if they can figure out why FBI had to install laptop hard drive in new laptop to get an image of it.

https://www.emptywheel.net/2023/07/06/the-technical-oddities-of-the-fbis-exploitation-of-hunter-bidens-laptop/

The Technical Oddities of the FBI's Exploitation of Hunter Biden's Laptop - emptywheel

For some reason, the FBI deemed it necessary to buy a new laptop and install the hard drive from the laptop once owned by Hunter Biden before it could image the laptop.

@emptywheel @malwarejake @matthew_d_green

Imaging a hard drive generally requires that it NOT be the one running the operating system. There are several reasons for this, which all boil down to "you can't get a trustworthy, consistent snapshot of the disk hosting the operating system you are running at the time":

- A drive hosting an active operating system will have numerous files open (applications, logs, etc.), preventing the imaging software from reading them, and may also play games with the partition table, for either good or bad reasons;

- Any malware on the drive being imaged may well interfere with the imaging process, potentially hiding its presence if that's the drive running the operating system; and

- The disk imaging tools may be running on a different operating system from the one that is present on the target hard drive.
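
The "consistent snapshot" point in the reply above, as an added example that is not part of the thread: a chunk-by-chunk acquisition of a quiescent source verifies against a re-hash of the source, while the same acquisition of a source that is written to mid-copy yields an image matching no state the disk was ever in. The temporary file standing in for a drive, the block size and the `on_chunk` hook simulating a running OS are all assumptions made for the illustration.

```python
import hashlib, os, tempfile

CHUNK = 4096  # constructed block size for the stand-in "drive"

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()

def acquire(src, dst, on_chunk=None):
    """Image src to dst block by block; return (image_hash, source_hash_after)."""
    h = hashlib.sha256()
    # buffering=0: no read-ahead, so each block is read at the moment we ask for it
    with open(src, "rb", buffering=0) as fin, open(dst, "wb") as fout:
        index = 0
        while block := fin.read(CHUNK):
            h.update(block)
            fout.write(block)
            if on_chunk:
                on_chunk(index)  # hypothetical hook: a running OS touching the disk
            index += 1
    return h.hexdigest(), sha256_file(src)

def demo():
    work = tempfile.mkdtemp()
    disk = os.path.join(work, "disk.bin")  # constructed stand-in for the drive

    def reset():
        with open(disk, "wb") as f:
            f.write(b"A" * CHUNK * 4)

    def live_os_write(index):
        if index == 1:  # blocks 0-1 already imaged, blocks 2-3 not yet
            with open(disk, "r+b") as f:
                f.write(b"B" * CHUNK)  # change to block 0: the image misses it
                f.seek(3 * CHUNK)
                f.write(b"B" * CHUNK)  # change to block 3: the image captures it

    reset()
    img_hash, src_hash = acquire(disk, os.path.join(work, "offline.img"))
    offline_ok = img_hash == src_hash
    reset()
    live_img = os.path.join(work, "live.img")
    img_hash, src_hash = acquire(disk, live_img, on_chunk=live_os_write)
    live_ok = img_hash == src_hash
    with open(live_img, "rb") as f:
        img = f.read()
    # Disk went AAAA -> BAAA -> BAAB; the image holds AAAB, which never existed.
    torn = img[:CHUNK] == b"A" * CHUNK and img[3 * CHUNK:] == b"B" * CHUNK
    return offline_ok, live_ok, torn

if __name__ == "__main__":
    print(demo())
```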