
Assume all data on the drives has been cloned.

There's little chance they didn't.




He should absolutely assume that the data has been cloned, but there is about a 99% chance that it wasn't.

If the data was cloned on-site, then we wouldn't have heard about the search warrant (there'd have been a gag order).

And as this happened yesterday, there's almost no chance that the server could have been taken to the lab, imaged, and then returned to be reconnected today.

I would bet 100 dollars that the actual target server of the raid is still sitting on a dolly in the forensics cage while a tech is waiting for someone to tell him what he's supposed to be looking for.


You'd be surprised. I've worked with forensic law enforcement in the past, and they were equipped to clone drives quickly and easily. The idea is to create a clean image of the drive that they can use for evidence, and they don't boot the machine, so if there are any trapdoors or whatever they won't hit them. And this was a local police force over 5 years ago; I can't imagine what the FBI would be capable of these days.


The FBI has the capacity to clone drives quickly, absolutely (although amusingly, the process is actually slower now than it was then, as drives are larger).

However, field cloning is absolutely not the desired procedure to use (for a lot of reasons). You only do field cloning if you are either: 1) Under a time crunch, or 2) Don't want the target to know that the clone has occurred.

If at all possible, you just take the equipment and process it in the lab.

I've done about 2 dozen of these for the FBI. We did field-cloning maybe three times.


Someone should build a hard drive that logs being powered up and powered down!


I wouldn't be surprised if SSDs somehow had information like that stored in them (or at least the ability for it to be stored). Thankfully I got out of the forensics racket before they were mainstream.


SMART power cycle count?
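
As an added example (not code from anyone in this thread): the power cycle and power-on-hours counters are the two SMART attributes that would show a drive having been powered up in someone else's rig, so the useful check is a before/after comparison against a baseline you recorded while the machine was still in your custody. The script below parses output in the default `smartctl -A /dev/sdX` format for an ATA drive (the sample output is constructed, and the values in it are hypothetical) and reports power cycles and power-on hours that your own records cannot account for. A cloning station or write blocker still powers the drive, so the cycle count does increment; the caveats are that raw values are vendor-formatted, Power_On_Hours is coarse on many drives, and the check only works if you captured the baseline beforehand.

```python
"""Before/after comparison of SMART power counters to spot unexplained
power-ups. Example code with constructed smartctl output, not from the thread."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample in the shape of `smartctl -A /dev/sdX` (default ATA format).
# Recorded while the drive was still in the owner's hands.
BASELINE = """\
ID# ATTRIBUTE_NAME          FLAG     VALUE WORST THRESH TYPE      UPDATED  WHEN_FAILED RAW_VALUE
  9 Power_On_Hours          0x0032   095   095   000    Old_age   Always       -       4213
 12 Power_Cycle_Count       0x0032   100   100   000    Old_age   Always       -       87
192 Power-Off_Retract_Count 0x0032   100   100   000    Old_age   Always       -       41
"""

# Constructed sample taken after the drive came back. Note the vendor-style
# raw value "4221h+12m", which only differs in format.
AFTER = """\
ID# ATTRIBUTE_NAME          FLAG     VALUE WORST THRESH TYPE      UPDATED  WHEN_FAILED RAW_VALUE
  9 Power_On_Hours          0x0032   095   095   000    Old_age   Always       -       4221h+12m
 12 Power_Cycle_Count       0x0032   100   100   000    Old_age   Always       -       89
192 Power-Off_Retract_Count 0x0032   100   100   000    Old_age   Always       -       43
"""

# One attribute row: ID, name, flag, value, worst, thresh, type, updated,
# when_failed, raw. The header line starts with "ID#" and does not match.
_ROW = re.compile(
    r"^\s*(\d+)\s+(\S+)\s+0x[0-9a-fA-F]+\s+\d+\s+\d+\s+\d+\s+\S+\s+\S+\s+\S+\s+(\S+)"
)


def parse_smart_attributes(text: str) -> dict[str, int]:
    """Map attribute name -> leading integer of RAW_VALUE.

    Raw values are vendor-formatted ("4221h+12m", "89"); taking the leading
    digits is enough for a before/after comparison of counters."""
    attrs: dict[str, int] = {}
    for line in text.splitlines():
        m = _ROW.match(line)
        if not m:
            continue
        name, raw = m.group(2), m.group(3)
        digits = re.match(r"\d+", raw)
        if digits:
            attrs[name] = int(digits.group())
    return attrs


@dataclass
class CustodyCheck:
    extra_power_cycles: int       # power-ups your own records do not explain
    extra_power_on_hours: int     # powered-on hours your own records do not explain
    hours_tolerance: int = 1      # Power_On_Hours is coarse on many drives

    @property
    def suspicious(self) -> bool:
        return (self.extra_power_cycles > 0
                or self.extra_power_on_hours > self.hours_tolerance)


def custody_check(baseline_text: str, after_text: str,
                  known_power_cycles: int, known_power_on_hours: int) -> CustodyCheck:
    """Subtract the power cycles and hours you know you caused (e.g. one boot
    after the drive came back, logged by your own host) from the SMART deltas."""
    before = parse_smart_attributes(baseline_text)
    after = parse_smart_attributes(after_text)
    d_cycles = after["Power_Cycle_Count"] - before["Power_Cycle_Count"]
    d_hours = after["Power_On_Hours"] - before["Power_On_Hours"]
    return CustodyCheck(
        extra_power_cycles=max(0, d_cycles - known_power_cycles),
        extra_power_on_hours=max(0, d_hours - known_power_on_hours),
    )


if __name__ == "__main__":
    # Owner's records: one boot after the drive returned, host off until then.
    result = custody_check(BASELINE, AFTER, known_power_cycles=1, known_power_on_hours=0)
    print(f"unexplained power cycles: {result.extra_power_cycles}")
    print(f"unexplained power-on hours: {result.extra_power_on_hours}")
    print("suspicious" if result.suspicious else "consistent with your own records")
```

Run it against real output with `smartctl -A /dev/sdX` captured into two files; the header layout differs with `-f brief`, which this parser does not handle.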


99%? I'd assume that the first thing they do on seizing a machine is pull the hard drive out and drop it in a disk cloning machine?


I like to always follow the saying "Hope for the best. Plan for the worst".

Assume the FBI has a copy of everything on the drives and assume that they will see every file on the drive, even though odds are they don't and they won't.


What do you base this upon?

He should contact the FBI and continue to beat on Digital One and determine if it was seized or not. It very well may have simply been turned off; is that not a valid possibility?



