I've pulled together what we can learn from the October 22, 2020 CYA memo on the Hunter Biden laptop. Hoping some tech folks, esp @malwarejake and @matthew_d_green can review it to see if they can figure out why FBI had to install laptop hard drive in new laptop to get an image of it.

https://www.emptywheel.net/2023/07/06/the-technical-oddities-of-the-fbis-exploitation-of-hunter-bidens-laptop/

The Technical Oddities of the FBI's Exploitation of Hunter Biden's Laptop - emptywheel

For some reason, the FBI deemed it necessary to buy a new laptop and install the hard drive from the laptop once owned by Hunter Biden before it could image the laptop.

@emptywheel forensic practice would be to pull the drive and connect it via a write-blocking cable/device over USB to a forensic tech’s computer, possibly with another USB drive, to then image the drive without altering its contents.

@wpoland @emptywheel

This.

You don't even need a write-blocking cable (although it's the safe way). You can just set a Mac to not mount disks at plug in, and then mount it by hand read-only. After that, the SSD sits sealed in a bag, and everybody works from locked read-only disk image copies (dmg or iso files) that are easy to share and faster than an SSD.

(You do also need an Apple proprietary enclosure for the non-standard Apple SSDs. Widely available.)

@thomasafine So why would they do it? What would the effect have been? @wpoland
@thomasafine And might that explain why they were resorting to validating files using a CSV download? @wpoland
@emptywheel @wpoland
I'm not going to harp on them about this because I don't know what tools they were using. Creating a CSV database of files for easier searches might be totally fine. And in fact, since with Apple metadata, no one single command lists all of it, a real forensic analysis would benefit from something like this (although there is zero indication here that this is what they actually meant).

@emptywheel @wpoland

For what they were talking about you could run:
find / -ctime -250 -ls
or just
ls -alctR /

And get a very quick answer. Sticking stuff in a database would be to set up for a deeper forensic analysis. (e.g. comparing filesystem metadata to the metadata Apple stores outside of the core filesystem structure).

@thomasafine @emptywheel @wpoland I’m not looking up the command line flags but won’t that just give you the metadata for files and not a hash of the contents of each file, so if used for forensics de-duplication, won’t tell you if the contents are true duplicates?
@jpanzer @emptywheel @wpoland this was to answer the question of when files were changed, where they had proposed making a CSV listing to accomplish that.
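The listing the two posts above argue about, as an added example that is not part of this thread and not the code of any tool it mentions: a small Python script that builds the "CSV database of files" with timestamps (the same ctime filter as `find / -ctime -N`) and adds a SHA-256 of each file's contents, so true duplicates can be told apart from repeated filenames. Field names and the `since_days` / `now` parameters are this example's own choices. Reading every file to hash it touches access times unless the volume is mounted read-only or noatime, so run it against a read-only mount or an image, not the evidence drive.

```python
# Added example (not from the thread): a CSV manifest of files with
# timestamps and SHA-256 hashes. Answers "what changed in the last N days"
# the way `find / -ctime -N` does, and also finds content duplicates,
# which timestamps and names alone cannot.
import csv
import hashlib
import os
import stat
import time
from typing import Dict, List, Optional

# Hypothetical column names chosen for this example; a real tool has its own.
FIELDS = ["path", "size", "mode", "ctime", "mtime", "atime", "birthtime", "sha256"]


def _iso(ts: Optional[float]) -> str:
    """UTC timestamp, or empty string when the platform lacks the field."""
    return "" if ts is None else time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime(ts))


def sha256_file(path: str, chunk: int = 1 << 20) -> str:
    """Hash file contents in fixed-size chunks so large files never sit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root: str, since_days: Optional[float] = None,
                   now: Optional[float] = None) -> List[Dict[str, str]]:
    """One row per regular file under root.

    since_days mirrors `find -ctime -N`: keep only files whose ctime (inode
    change time on macOS/Linux, not creation time) is less than N days old.
    `now` lets the filter be checked against a fixed clock.
    """
    now = time.time() if now is None else now
    rows: List[Dict[str, str]] = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)  # lstat: describe the entry itself, never follow symlinks
            if not stat.S_ISREG(st.st_mode):
                continue
            if since_days is not None and (now - st.st_ctime) >= since_days * 86400:
                continue
            try:
                digest = sha256_file(path)
            except OSError as e:  # unreadable file: record it, don't abort the walk
                digest = "ERROR:" + (e.strerror or "unreadable")
            rows.append({
                "path": path,
                "size": str(st.st_size),
                "mode": oct(stat.S_IMODE(st.st_mode)),
                "ctime": _iso(st.st_ctime),
                "mtime": _iso(st.st_mtime),
                "atime": _iso(st.st_atime),
                "birthtime": _iso(getattr(st, "st_birthtime", None)),  # macOS/BSD only
                "sha256": digest,
            })
    return rows


def find_duplicates(rows: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Group paths by content hash; only hashes seen more than once are returned."""
    by_hash: Dict[str, List[str]] = {}
    for r in rows:
        if not r["sha256"].startswith("ERROR:"):
            by_hash.setdefault(r["sha256"], []).append(r["path"])
    return {h: sorted(p) for h, p in by_hash.items() if len(p) > 1}


def write_csv(rows: List[Dict[str, str]], out_path: str) -> int:
    """Write the manifest as CSV; returns the number of data rows written."""
    with open(out_path, "w", newline="") as f:
        w = csv.DictWriter(f, fieldnames=FIELDS)
        w.writeheader()
        w.writerows(rows)
    return len(rows)


if __name__ == "__main__":
    import sys
    days = float(sys.argv[2]) if len(sys.argv) > 2 else None
    manifest = build_manifest(sys.argv[1], since_days=days)
    write_csv(manifest, "manifest.csv")
    for digest, paths in find_duplicates(manifest).items():
        print(digest[:16], *paths)
```

Usage: `python3 manifest.py /Volumes/evidence 250` writes manifest.csv for files whose ctime is within the last 250 days and prints groups of byte-identical files. Filtering on ctime rather than mtime matters because ctime cannot be set from user space with `touch`, so it is the harder timestamp to back-date.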

@thomasafine Oh. Interesting point. The memo says that someone from CART imaged the hard drive.

It doesn't say CART was involved in the laptop image.
@wpoland

@emptywheel @wpoland
But that could just be sloppy language about "the hard drive". Once the one from the laptop was out of the laptop, people might have referred to it the same way.

It demands a different question to me: wouldn't a basic step to see what Mac Isaac had done be to simply compare the original SSD and the copy on the external drive and see if they differed?

@thomasafine And instead they deduped once they got the image of the laptop. @wpoland
@emptywheel @wpoland
I read that as people produced reports, listings of files, and these reports had redundancies in them. Unclear if these were files where there were duplicates on the laptop or filenames that were repeatedly reported. Would lean towards the latter.
@emptywheel @wpoland
OK I do see that they specifically said "imaged the external hard drive in Delaware". That does sound less like confusion about which drive - though it's still possible.

@thomasafine With hard drive CART came in and imaged it--BUT NOT without problems. (See the March email.)

No mention of CART w/the laptop, and CART wouldn't do what was done.

@wpoland

@emptywheel @wpoland
It's unclear if that statement means they had problems imaging it, or if they had problems with what they found in the image.

The email might have said that Mac Isaac forensically ruined the data. (Which he probably did.) You might have a better guess at why they'd redact stuff from agents though.

@emptywheel @wpoland
Hmm. Shapley's version of the timeline says that "hard drive" is imaged by 12/19/2019 (#21,22) but on 3/6 the FBI received the image of the *laptop*. (#35,36)

So did the laptop take three months to image? Item #37 "First evidence ... from laptop" seems to corroborate that.

The message about "quality and completeness" says "the hard drive".

So maybe your interpretation of deduping was the right one?

@thomasafine @wpoland

Can't say I know the tech -- but then, I can spell Cellebrite properly and he can't -- but that is how it reads: immediate turnaround on the hard drive, four months for the laptop.

@emptywheel @thomasafine using a cloned drive in another computer, maybe so someone non-technical could look around quickly 🤷🏼‍♂️ definitely not forensically sound. I work at a law firm and do email/data collections, and this isn’t something we would even consider.
@wpoland @emptywheel
It also seems pointlessly hard compared to just using a disk image file that could be stored on a thumb drive or transferred around your network.

@emptywheel @wpoland

I should probably note that most Macs have "target disk mode" in which the laptop can be booted as if it is nothing but a hard drive (although if you're pulling the disk out and putting it in something new, an actual enclosure is vastly cheaper and a better choice than using a laptop as an enclosure).

It's _possible_ they meant this, but it still sounds like a stupid method.

@emptywheel @wpoland
So for example if they just logged in and poked around, then every "poking around" action would be updating access times.

If they used Apple Mail to read email (as Mac Isaac did), this alters the email files (because Apple Mail stores metadata at the end of email message files, like last read time).

@emptywheel @thomasafine @wpoland

> So why would they do it?
Conspiratorial: so they can insert stuff
More likely: incompetence

> What would the effect have been?
Probably nothing important, unless they wanted to twiddle the data. However, following proper procedures would mean being able to prove the data were not twiddled. That would have been a good thing.