I've pulled together what we can learn from the October 22, 2020 CYA memo on the Hunter Biden laptop. Hoping some tech folks, esp @malwarejake and @matthew_d_green can review it to see if they can figure out why FBI had to install laptop hard drive in new laptop to get an image of it.

https://www.emptywheel.net/2023/07/06/the-technical-oddities-of-the-fbis-exploitation-of-hunter-bidens-laptop/

The Technical Oddities of the FBI's Exploitation of Hunter Biden's Laptop - emptywheel

For some reason, the FBI deemed it necessary to buy a new laptop and install the hard drive from the laptop once owned by Hunter Biden before it could image the laptop.

emptywheel
@emptywheel Forensic practice would be to pull the drive and connect it via a write-blocking cable/device over USB to a forensic tech's computer, possibly with another USB drive, to then image the drive without altering its contents.

@wpoland @emptywheel

This.

You don't even need a write-blocking cable (although it's the safe way). You can just set a Mac to not mount disks at plug-in, and then mount it by hand read-only. After that, the SSD sits sealed in a bag, and everybody works from locked read-only disk image copies (DMG or ISO files) that are easy to share and faster than an SSD.

(You do also need an Apple proprietary enclosure for the non-standard Apple SSDs. Widely available.)

@thomasafine So why would they do it? What would the effect have been? @wpoland
@thomasafine And might that explain why they were resorting to validating files using a CSV download? @wpoland
@emptywheel @wpoland
I'm not going to harp on them about this because I don't know what tools they were using. Creating a CSV database of files for easier searches might be totally fine. And in fact, since with Apple metadata no single command lists all of it, a real forensic analysis would benefit from something like this (although there is zero indication here that this is what they actually meant).

@emptywheel @wpoland

For what they were talking about you could run:
find / -ctime -250 -ls
or just
ls -alctR /

And get a very quick answer. Sticking stuff in a database would be to set up for a deeper forensic analysis. (e.g. comparing filesystem metadata to the metadata Apple stores outside of the core filesystem structure).

@thomasafine @emptywheel @wpoland I'm not looking up the command-line flags, but won't that just give you the metadata for files and not a hash of the contents of each file, so if used for forensic de-duplication, won't it tell you nothing about whether the contents are true duplicates?
@jpanzer @emptywheel @wpoland This was to answer the question of when files were changed, where they had proposed making a CSV listing to accomplish that.
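As an added example (not code from anyone in this thread, and not any FBI tooling) of what a "CSV listing" could usefully contain: the script below walks a directory standing in for a read-only mounted image, records each regular file's size, birth/modification/change timestamps, extended-attribute names and a SHA-256 of its contents into a CSV, then answers both questions raised above: the `find / -ctime -250`-style "what changed in the last N days" query, and the content-hash duplicate check that a metadata-only listing cannot give. The sample tree it builds is constructed for the demo, and all function names are hypothetical.

```python
"""Hypothetical file-inventory helper: metadata plus content hashes to CSV,
then "changed within N days" and "true duplicates" queries over it."""
import csv
import hashlib
import os
import stat
import tempfile
import time
from datetime import datetime, timezone

CHUNK = 1 << 20  # 1 MiB reads, so large files are hashed without loading whole


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def xattr_names(path):
    # Names only, not values; these live outside the core inode (on macOS e.g.
    # com.apple.quarantine).  Python exposes listxattr on Linux but not macOS,
    # where the `xattr` command would be used instead, so fall back to "".
    if not hasattr(os, "listxattr"):
        return ""
    try:
        return ";".join(sorted(os.listxattr(path, follow_symlinks=False)))
    except OSError:  # filesystem without xattr support
        return ""


def stat_row(path, st):
    return {
        "path": path,
        "size": st.st_size,
        # birth time exists on APFS/HFS+ and the BSDs; None where the OS lacks it
        "birthtime": getattr(st, "st_birthtime", None),
        "mtime": st.st_mtime,  # content last written
        "ctime": st.st_ctime,  # inode change time; this is what `find -ctime` tests
        "xattrs": xattr_names(path),
        "sha256": sha256_of(path),
    }


def inventory(root):
    rows = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = os.path.join(dirpath, name)
            st = os.lstat(p)  # lstat: never follow symlinks, they may point off-image
            if stat.S_ISREG(st.st_mode):
                rows.append(stat_row(p, st))
    return rows


def write_csv(rows, out_path):
    fields = ["path", "size", "birthtime", "mtime", "ctime", "xattrs", "sha256"]
    with open(out_path, "w", newline="") as f:
        w = csv.DictWriter(f, fieldnames=fields)
        w.writeheader()
        for r in rows:
            r = dict(r)
            for k in ("birthtime", "mtime", "ctime"):  # epoch -> ISO 8601 UTC
                if r[k] is not None:
                    r[k] = datetime.fromtimestamp(r[k], timezone.utc).isoformat()
            w.writerow(r)


def changed_within(rows, days, field="ctime", now=None):
    """Paths whose `field` timestamp falls in the last `days` days: the inventory
    equivalent of `find / -ctime -<days>` (use field="mtime" for -mtime)."""
    now = time.time() if now is None else now
    cutoff = now - days * 86400
    return sorted(r["path"] for r in rows if r[field] is not None and r[field] >= cutoff)


def duplicate_groups(rows):
    """Group paths by content hash; only this, not names/sizes/times, proves duplicates."""
    by_hash = {}
    for r in rows:
        by_hash.setdefault(r["sha256"], []).append(r["path"])
    return {h: sorted(ps) for h, ps in by_hash.items() if len(ps) > 1}


def build_sample_tree(root):
    """Constructed sample data standing in for a mounted image (not real evidence)."""
    os.makedirs(os.path.join(root, "docs"))
    os.makedirs(os.path.join(root, "backup"))
    same = b"quarterly numbers\n"
    report = os.path.join(root, "docs", "report.txt")
    copy = os.path.join(root, "backup", "report (1).txt")  # same bytes, different name
    old = os.path.join(root, "docs", "old_notes.txt")
    for p, data in ((report, same), (copy, same), (old, b"unrelated\n")):
        with open(p, "wb") as f:
            f.write(data)
    # Backdate mtime by 400 days.  ctime cannot be set from user space; utime()
    # itself bumps it to now, which is why the demo filters on mtime.
    then = time.time() - 400 * 86400
    os.utime(old, (then, then))


def demo():
    root = tempfile.mkdtemp(prefix="inventory-demo-")
    build_sample_tree(root)
    rows = inventory(root)
    csv_path = os.path.join(root, "inventory.csv")
    write_csv(rows, csv_path)
    return changed_within(rows, 250, field="mtime"), duplicate_groups(rows), csv_path


if __name__ == "__main__":
    recent, dups, csv_path = demo()
    print("changed in last 250 days:", recent)
    print("duplicate groups:", dups)
    print("CSV written to:", csv_path)
```

Against a real image you would call `inventory()` on the mount point of the read-only mounted DMG, not on a live system, so that reading files does not update atimes on the evidence. The CSV then supports the deeper comparison mentioned in the thread (filesystem timestamps against Apple's out-of-inode metadata) without re-touching the image, and the hash column is what makes "same file or just same name" answerable.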