emptywheelI've pulled together what we can learn from the October 22, 2020 CYA memo on the Hunter Biden laptop. Hoping some tech folks, esp @malwarejake and @matthew_d_green can review it to see if they can figure out why FBI had to install laptop hard drive in new laptop to get an image of it.
Byron@emptywheel forensic practice would be to pull the drive and connect it via a write blocking cable/device over usb to a forensic tech’s computer possibly with another usb drive to then image the drive with out altering its contents.
Thomas A. Fine 
This.
You don't even need a write-blocking cable (although it's the safe way). You can just set a Mac to not mount disks at plug in, and then mount it by hand read-only. After that, the SSD sits sealed in a bag, and everybody works from locked read-only disk image copies (dmg or iso files) that are easy to share and faster than an SSD.
(You do also need an Apple proprietary enclosure for the non-standard Apple SSDs. Widely available.)
@thomasafine So why would they do it? What would the effect have been? @wpoland
@thomasafine ANd might that explain why they were resorting to validating files using a CSV download? @wpoland
@thomasafine Oh. Interesting point. The memo says that someone from CART imaged the hard drive.
It doesn't say CART was involved in the laptop image.
@wpoland
@emptywheel @wpoland
But that could just be sloppy language about "the hard drive". Once the one from the laptop was out of the laptop, people might have referred to it the same way.
It demands a different question to me: wouldn't a basic step to see what Mac Isaac had done be to simply compare the original ssd and the copy on the external drive and see if they differed?
@thomasafine And instead they deduped once they got the image of the laptop. @wpoland
@emptywheel @wpoland
I read that as people produced reports, listings of files, and these reports had redundancies in them. Unclear if these were files where there were duplicates on the laptop or filenames that were repeatedly reported. Would lean towards the latter.
I read that as people produced reports, listings of files, and these reports had redundancies in them. Unclear if these were files where there were duplicates on the laptop or filenames that were repeatedly reported. Would lean towards the latter.
@emptywheel @wpoland
OK I do see that they specifically said "imaged the external hard drive in Delaware". That does sound less like confusion about which drive - though it's still possible.
OK I do see that they specifically said "imaged the external hard drive in Delaware". That does sound less like confusion about which drive - though it's still possible.
@thomasafine With hard drive CART came in and imaged it--BUT NOT without problems. (See the March email.)
No mention of CART w/the laptop, and CART wouldn't do what was done.
@emptywheel @wpoland
It's unclear if that statement means they had problems imaging it, or if they had problems with what they found in the image.
The email might have said that Mac Isaac forensically ruined the data. (Which he probably did.) You might have a better guess at why they'd redact stuff from agents though.
@emptywheel @wpoland
Hmm. Shapley's version of the timeline says that "hard drive" is imaged by 12/19/2019 (#21,22) but on 3/6 the FBI received the image of the *laptop*. (#35,36)
So did the laptop take three months to image? Item #37 "First evidence ... from laptop" seems to corroborate that.
The message about "quality and completeness" says "the hard drive".
So maybe your interpretation of deduping was the right one?
Can't say I know the tech -- but then, I can spell Cellebrite properly and he can't -- but that is how it reads: immediate turnaround on the hard drive, four months for the laptop.