emptywheelJul 6, 2023

I've pulled together what we can learn from the October 22, 2020 CYA memo on the Hunter Biden laptop. Hoping some tech folks, esp @malwarejake and @matthew_d_green can review it to see if they can figure out why FBI had to install laptop hard drive in new laptop to get an image of it.

https://www.emptywheel.net/2023/07/06/the-technical-oddities-of-the-fbis-exploitation-of-hunter-bidens-laptop/

The Technical Oddities of the FBI's Exploitation of Hunter Biden's Laptop - emptywheel

For some reason, the FBI deemed it necessary to buy a new laptop and install the hard drive from the laptop once owned by Hunter Biden before it could image the laptop.

emptywheel
Show threadJake WilliamsJul 6, 2023
@emptywheel @matthew_d_green
Taking a look now.
Show threadJake WilliamsJul 6, 2023

@emptywheel @matthew_d_green After a cursory review of the whistleblower transcript (item 20), there is no reason I can see why you'd do this. It's honestly a bit perplexing to me. But this drive seems to have been mishandled at every turn - at least this is consistent...

Alternate theory: it's inarticulate wording?

Show threadRandom Nunes ParodyJul 6, 2023

@malwarejake @emptywheel @matthew_d_green It seems like the last thing you'd want to do is boot it. I'd use something like a gparted boot disk or Puppy Linux to boot from usb and image the whole drive that way.

i assume there are more professional equivalent tools.

Show threadJake WilliamsJul 6, 2023
@RandomNunesParody @emptywheel @matthew_d_green Definitely, though we may be seeing the telephone game effect at play here.
Show threademptywheelJul 6, 2023
@malwarejake I think I'm pretty close to convinced there are material inconsistencies between thta laptop and what has been released. @RandomNunesParody @matthew_d_green
Show threadJake WilliamsJul 6, 2023
@emptywheel
The copies I've looked were all live booted from the drive image at different times. This is consistent with the FBI doc, only that I didn't expect the FBI to be doing that too. @RandomNunesParody @matthew_d_green
Show threademptywheelJul 6, 2023
@malwarejake Sorry: Can you say what that means? @RandomNunesParody @matthew_d_green
Show threadThomas A. Fine Jul 6, 2023

@emptywheel @malwarejake @RandomNunesParody @matthew_d_green
Every boot adds to the log files that forensic people should be looking at (instead of dick pics). Once booted, computers periodically "rotate" log files – meaning they move current logs to a different filename daily or weekly or monthly, keep N old versions, and purge anything older.

In short, booting will modify forensic data, and depending on timing can destroy forensic data.

Show threadThomas A. Fine 

@emptywheel @malwarejake @RandomNunesParody @matthew_d_green
So the logs would show recent boots. You'd be able to tell that it happened.

But in theory the FBI should have never done this.

In fact, it seems like a good lawyer could have all laptop data thrown out as evidence if the FBI actually did this, though you are probably more familiar with that part of things.

Jul 6, 2023 at 8:35pmWeb