I've pulled together what we can learn from the October 22, 2020 CYA memo on the Hunter Biden laptop. Hoping some tech folks, esp @malwarejake and @matthew_d_green can review it to see if they can figure out why FBI had to install laptop hard drive in new laptop to get an image of it.

https://www.emptywheel.net/2023/07/06/the-technical-oddities-of-the-fbis-exploitation-of-hunter-bidens-laptop/

The Technical Oddities of the FBI's Exploitation of Hunter Biden's Laptop - emptywheel

For some reason, the FBI deemed it necessary to buy a new laptop and install the hard drive from the laptop once owned by Hunter Biden before it could image the laptop.

@emptywheel @malwarejake @matthew_d_green

Well, the short answer is likely that the original laptop was broken.

But moving the HD to another laptop and then *booting* it is absolutely bonkers. When you boot from a drive, you're going to change its contents. New logs will be written. Old logs might be archived or deleted. Temp files might be deleted. Checks for automatic updates may run, write logs, and download updates in the background. Programs configured to run at startup may check for automatic updates, synchronize to clouds, download e-mails, etc. And these new writes may happen in sectors containing deleted-but-theretofore-recoverable files, making them unrecoverable.

The correct approach is to mount it as a read-only secondary drive (likely in a desktop with ample SATA ports) and use dd to do a sector-for-sector copy of the drive to a file. Then set the original HD aside in case you later discover the copy has flaws. From here on out you should be working on copies of copies.

[Continues]
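
The acquisition procedure described in the reply above (read-only source, `dd` copy to a file, original set aside, analysis on copies of copies), as an added example that is not part of the thread. A constructed file stands in for the drive; the function names and the file names `master.img` and `working.img` are assumptions made for illustration.

```shell
#!/usr/bin/env bash
# Added example: verified sector-for-sector acquisition with dd.
# Assumption: SRC is a constructed file standing in for the evidence drive.
# On real hardware SRC would be the block device behind a hardware write
# blocker (or at least `blockdev --setro`), and it is never mounted or booted.
set -eu

sha256_of() { sha256sum "$1" | cut -d' ' -f1; }

# acquire_image SRC OUTDIR -> writes master.img, master.img.sha256, working.img
acquire_image() {
    src=$1 out=$2
    mkdir -p "$out"
    before=$(sha256_of "$src")                  # hash the source before reading
    # conv=noerror,sync keeps going past unreadable sectors and pads them,
    # so offsets in the image still line up with offsets on the drive.
    dd if="$src" of="$out/master.img" bs=512 conv=noerror,sync status=none
    after=$(sha256_of "$src")                   # acquisition must not change the source
    image=$(sha256_of "$out/master.img")
    [ "$before" = "$after" ] || { echo "source changed during acquisition" >&2; return 1; }
    [ "$before" = "$image" ] || { echo "image does not match source" >&2; return 1; }
    printf '%s  master.img\n' "$image" > "$out/master.img.sha256"
    chmod 0444 "$out/master.img" "$out/master.img.sha256"   # master copy is never edited
    cp "$out/master.img" "$out/working.img"     # analysis happens on a copy of the copy
    chmod 0644 "$out/working.img"
    printf '%s\n' "$image"
}

# verify_master OUTDIR -> succeeds only if master.img still matches its recorded hash
verify_master() { ( cd "$1" && sha256sum --check --quiet master.img.sha256 ); }

# Constructed sample "drive": 2048 sectors of pseudo-random data.
demo_dir=$(mktemp -d)
dd if=/dev/urandom of="$demo_dir/evidence.raw" bs=512 count=2048 status=none
chmod 0444 "$demo_dir/evidence.raw"
acquired_hash=$(acquire_image "$demo_dir/evidence.raw" "$demo_dir/case")
echo "acquired, sha256=$acquired_hash"
verify_master "$demo_dir/case" && echo "master image verified"
```

Recording the hash at acquisition time is what lets a later examiner show that the master image, and therefore every working copy derived from it, still matches what was read from the drive.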