emptywheelI've pulled together what we can learn from the October 22, 2020 CYA memo on the Hunter Biden laptop. Hoping some tech folks, esp @malwarejake and @matthew_d_green can review it to see if they can figure out why FBI had to install laptop hard drive in new laptop to get an image of it.
Byron@emptywheel forensic practice would be to pull the drive and connect it via a write blocking cable/device over usb to a forensic tech’s computer possibly with another usb drive to then image the drive with out altering its contents.
Thomas A. Fine 
This.
You don't even need a write-blocking cable (although it's the safe way). You can just set a Mac to not mount disks at plug in, and then mount it by hand read-only. After that, the SSD sits sealed in a bag, and everybody works from locked read-only disk image copies (dmg or iso files) that are easy to share and faster than an SSD.
(You do also need an Apple proprietary enclosure for the non-standard Apple SSDs. Widely available.)
@thomasafine So why would they do it? What would the effect have been? @wpoland
@emptywheel @thomasafine using cloned drive in another computer maybe so someone non technical could look around quickly 🤷🏼♂️ definitely not forensically sound. I work at a law firm and do email/data collections, and this isn’t something we would even consider.
@wpoland @emptywheel
It also seems pointlessly hard compared to just using a disk image file that could be stored on a thumb drive or transferred around your network.
It also seems pointlessly hard compared to just using a disk image file that could be stored on a thumb drive or transferred around your network.