Cloning
A forensic clone is an exact, bit-for-bit copy of a hard drive. It’s also known as a bitstream image. In other words, every bit (1 or 0) is duplicated on a separate, forensically clean piece of media, such as a hard drive. Why go to all that trouble? Why not just copy and paste the files? The reasons are significant. First, copying and pasting only gets the active data—that is, data that are accessible to the user. These are the files and folders that users interact with, such as a Microsoft Word document. Second, it does not get the data in the unallocated space, including deleted and partially overwritten files. Third, it doesn’t capture the file system data. All of this would result in an ineffective and incomplete forensic exam.
We will want to make a forensic clone of the suspect’s hard drive(s) as soon as we reasonably can. Cloning a drive can be a pretty time-consuming process and, for that reason, it usually makes more sense to do the cloning in the lab as opposed to at the scene. Cloning in the lab eliminates the need to be on scene for what could be hours. It also provides a much more stable environment, affording us better control of the process.
Before we take a computer off-premises, we must have the legal authority to do so. In a criminal case, this request and the rationale behind it should be part of the search warrant application. In civil cases, this provision can be negotiated by the parties or ordered by a judge.
Although taking the hardware back to the lab is routine in criminal cases, the cloning may have to be done at the scene in a civil case. Most civil cases with digital evidence focus on business computers. A business computer sitting in a lab isn’t generating any revenue, which tends to get business folks understandably cranky. If the hard drive in a business computer can’t be replaced, then the machine is often cloned and put right back into service.
Purpose of cloning
We know from earlier chapters that digital evidence is extremely volatile. Thus, you never want to conduct your examination on the original evidence unless there are exigent circumstances or there is no other option available. Exigent circumstances could include situations in which a child is missing. Sometimes there are no tools or techniques available to solve the problem at hand.
Examining the clone affords us the chance at a “mulligan”—a do-over, as is said in golf—should something go wrong. If possible, the original drive should be preserved in a safe place and only brought out to reimage if needed.
Hard drives are susceptible to failure. Having two clones gives you one to examine and one to fall back on. Ideally, all examination is done on a clone as opposed to the original.
Sometimes that isn’t an option, especially in a business setting when the machine and drive must be returned to service. In the eyes of the court, a properly authenticated forensic clone is as good as the original.
The cloning process
Cloning a hard drive should be a pretty straightforward process, at least in theory. Typically, you will clone one hard drive to another. The suspect’s drive is known as the source drive and the drive you are cloning to is called the destination drive. The destination drive must be at least as large as (if not slightly larger than) our source drive. Although it is not always possible, knowing the size of the source in advance is pretty handy. Bringing the right size drive will save a lot of time and aggravation.
The drive we want to clone (the source) is normally removed from the computer. It’s then connected via cable to a cloning device of some kind or to another computer. It’s critical to have some type of write blocking in place before starting the process. A write block is a crucial piece of hardware or software that is used to safeguard the original evidence during the cloning process. The hardware write block is placed between the cloning device (PC, laptop, or standalone hardware) and the source. The write block prevents any data from being written to the original evidence drive. Using this kind of device eliminates the possibility of inadvertently compromising the evidence. Remember, the hardware write-blocking device goes in between the source drive and the cloning platform.
It takes little prep work to make a clone. The destination drive must be forensically cleaned before cloning a suspect’s drive to it. Most, if not all, forensic imaging tools will generate some type of paper trail, proving that this cleaning has taken place. This paperwork becomes part of the case file.
Once the connections are made, the process starts with the press of a couple of buttons or clicks of a mouse. When complete, a short report should be generated by the tool, indicating whether the cloning was successful. Cloning is successful when the hash values (think “digital fingerprint”) for the source and clone match. We’ll dig deeper into hash values in just a bit.
Forensically clean media
A forensically clean drive is one that can be proven to be devoid of any data at the time the clone is made. Being sterile is another way of looking at it. It is important to prove the drive is clean because comingled data is inadmissible data. Drives can be cleaned with the same devices used to make the clones. The cleaning process overwrites the entire hard drive with a particular pattern of data such as 1111111111111 (Casey, 2011).
Forensic image formats
The end result of the cloning process is a forensic image of the source hard drive. Our finished clone can come in a few different formats. The file extension is the most visible indicator of the file format. Some of the most common forensic image formats include:
- •
-
EnCase (extension .E01)
- •
-
Raw dd (extension .001)
- •
-
AccessData Custom Content Image (extension .AD1)
There are differences in the formats, but they are all forensically sound. Some, like DD, are open source, while others, like AD1, are proprietary. Choosing one format over the other can simply be a matter of preference. Most forensic examination tools will read and write to multiple image formats.
In addition to being forensically sound, the other major consideration is that the tools to be used can read the image. The documentation with the tool should provide this information. Compatibility is a concern. This is especially true when exchanging image files between examiners.
Risks and challenges
The biggest risk during the cloning process is in writing to the source or evidence drive. Any writes to the evidence will compromise its integrity and jeopardize its admissibility. Getting a functioning write-blocking device or software in place will keep this from happening. Proper cloning should be pretty boring. Any time it gets exciting, you’ve got problems. What can ratchet up the adrenaline? Bad sectors and damaged or malfunctioning drives come to mind. A corrupt boot sector or a failing motor can also create complications.
Value in eDiscovery
The Sedona Conference, the leading think tank on electronic discovery, defines eDiscovery as “[t]he process of identifying, preserving, collecting, preparing, reviewing, and producing electronically stored information ‘ESI’) in the context of the legal process” (Sedona Conference, 2010).
Forensic cloning provides some additional value in the eDiscovery process. Preservation of potentially relevant data is paramount in electronic discovery. Parties that fail to preserve evidence can face some very stiff punishment. Forensic cloning is one option available to preserve some kinds of media, such as hard drives, and removable media, such as flash drives. It serves as the gold standard of data preservation in that it preserves all of the data on a piece of media, not just the active data. The down side of cloning is that it can be expensive and simply not practical in all situations.