Forensic Imaging - Cloning
A forensic image, or clone, is an exact, bit-for-bit copy of a hard drive or a similar discrete digital storage device: typically a laptop hard drive, a portable hard drive, a mobile phone or a tablet. It is also known as a bit-stream image. In other words, every bit (1 or 0) is duplicated onto a separate, forensically clean piece of media. Why go to all that trouble? Why not just copy and paste the files? The reasons are significant. First, copying and pasting only gets the active data, that is, data that is accessible to the user: the files and folders users interact with, such as a Microsoft Word document. Second, it does NOT get the data in unallocated space, including deleted and partially overwritten files. Third, it does not capture the file system's own structures (partition tables, allocation tables, directory entries and their timestamps). Any of these omissions would result in an ineffective and incomplete forensic examination of the storage device.
When there is good reason to suspect that a computer, laptop, mobile phone or CCTV recorder, for example, contains evidence, a forensic clone of its hard drive or memory is needed, and it should be made as soon as is practicable.
Cloning a data storage device can be a pretty time-consuming process, and for that reason it usually makes more sense to do the cloning in the lab as opposed to at the scene. Cloning in the lab eliminates the need to be on scene for what could be hours. It also provides a much more stable environment, affording us better control of the process.
Before we take a device off premises, we must have the legal authority to do so. In a criminal case, this request and the rationale behind it should be part of the search warrant application. In civil cases, this provision can be negotiated by the parties or ordered by a judge.
Although taking the hardware back to the lab is routine in criminal cases, the cloning may have to be done at the scene in a civil case. Most civil cases with digital evidence focus on business computers. A business computer sitting in a lab isn't generating any revenue, which tends to get business folks understandably cranky. If the hard drive in a business computer can't be replaced, then the machine is often cloned and put right back into service.
Purpose of Cloning
We know from earlier chapters that digital evidence is extremely volatile. As such, you never want to conduct your examination on the original evidence unless there are exigent circumstances or there is no other option available. Exigent circumstances could include situations in which a child is missing. The no-other-option case arises when there are simply no tools or techniques available to image the device in question.
Examining the clone affords us the chance at a “mulligan” should something go wrong. If possible, the original drive should be preserved in a safe place and only brought out to re-image if needed.
Hard drives are susceptible to failure. Having two clones gives you one to examine and one to fall back on. Ideally, all examinations are done on a clone as opposed to the original.
Sometimes that isn't an option, especially in a business setting when the machine and drive must be returned to service. In the eyes of the court, a properly authenticated forensic clone is as good as the original.
The Cloning Process
Cloning a hard drive should be a pretty straightforward process, at least in theory. Typically, you will clone one hard drive to another. The suspect's drive is known as the source drive and the drive you are cloning to is called the destination drive. The destination drive must be at least as large as, and preferably slightly larger than, the source drive. Although it is not always possible, knowing the size of the source in advance is pretty handy. Bringing the right size drive will save a lot of time and aggravation.
The drive we want to clone (the source) is normally removed from the computer. It's then connected via cable to a cloning device of some kind or to another computer.
It's critical to have some type of write blocking in place before starting the process. A write block is a crucial piece of hardware or software that is used to safeguard the original evidence during the cloning process. The hardware write block is placed between the cloning device (PC, laptop, or standalone hardware) and the source. It passes read commands through and blocks every write command, so nothing the cloning platform does, including an operating system that automatically mounts a newly attached drive and updates its journal or access times, can alter the original evidence drive. Using this kind of device eliminates the possibility of inadvertently compromising the evidence.
There is a little prep work involved in making a clone. The destination drive must be forensically cleaned (wiped, typically by overwriting every sector with zeros and verifying the result) before the suspect's drive is cloned to it; otherwise remnants of a previous case could be mistaken for evidence in this one. Most, if not all, forensic imaging tools will generate some type of paper trail proving that this cleaning has taken place. This paperwork becomes part of the case file.
Once the connections are made, the process is started with the press of a couple of buttons or clicks of a mouse. When complete, the tool should generate a short report indicating whether or not the cloning was successful. Cloning is successful when the hash values (think "digital fingerprint") computed over the source and the clone match. A hash is a fixed-length value, such as an MD5 or SHA-256 digest, that changes if even a single bit of the input changes, so matching hashes for the source and the clone are evidence that every bit was copied faithfully. Record both values, and the tool that produced them, in the case file.
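The wipe, clone and hash-verify steps above, written out as an added example using only GNU coreutils (dd, sha256sum, cmp, tr). This is not code from the original text or from any forensic imaging product; the function names (forensic_wipe, clone_and_verify, verify_hashes) are the example's own, and the "drives" are constructed regular files so that it runs offline. On real hardware the source would be the write-blocked block device and the destination a dedicated, previously wiped disk.

```shell
#!/usr/bin/env bash
# Added example (not from the original text): a minimal clone-and-verify
# procedure using GNU coreutils. The "drives" are constructed regular files so
# the script runs offline; on real hardware the source is the write-blocked
# block device and the destination a dedicated disk.
set -u

# Print the SHA-256 hex digest of a file or block device.
hash_of() {
    sha256sum -- "$1" | cut -d' ' -f1
}

# Forensically clean the destination: overwrite it with zeros, then verify that
# no non-zero byte survives. Prints "wiped" or "dirty" for the case-file record.
forensic_wipe() {
    local dest="$1" size_bytes="$2"
    dd if=/dev/zero of="$dest" bs=4096 count=$(( (size_bytes + 4095) / 4096 )) status=none
    # tr deletes every NUL byte; anything left means the wipe failed.
    if [ "$(tr -d '\000' < "$dest" | wc -c | tr -d ' ')" -eq 0 ]; then
        echo wiped
    else
        echo dirty
    fi
}

# Compare three digests: source before imaging, source after imaging, and the
# clone. All three must agree; a source that changed mid-process is as much a
# failure as a bad clone, because it means something wrote to the evidence.
verify_hashes() {
    local src_before="$1" src_after="$2" clone="$3"
    if [ "$src_before" = "$src_after" ] && [ "$src_before" = "$clone" ]; then
        echo VERIFIED
    else
        echo MISMATCH
    fi
}

# Bit-stream copy: dd reads raw sectors, so unallocated space and file-system
# structures come across unchanged. conv=noerror,sync keeps going past an
# unreadable sector and pads it with zeros to stay sector-aligned, which a
# file-level copy cannot do. Prints the three digests, then the verdict.
clone_and_verify() {
    local src="$1" dest="$2"
    local before after clone
    before=$(hash_of "$src")
    dd if="$src" of="$dest" bs=512 conv=noerror,sync status=none
    after=$(hash_of "$src")
    clone=$(hash_of "$dest")
    printf 'source-before %s\nsource-after  %s\nclone         %s\n' "$before" "$after" "$clone"
    verify_hashes "$before" "$after" "$clone"
}

# Stand-alone run on a constructed 1 MiB "drive" filled with random bytes.
# Sizes are kept to a multiple of 512 bytes, as real devices are, so the sync
# padding never changes the clone's length.
demo() {
    local work
    work=$(mktemp -d)
    head -c 1048576 /dev/urandom > "$work/source.img"
    forensic_wipe "$work/dest.img" 1048576
    clone_and_verify "$work/source.img" "$work/dest.img"
    rm -rf "$work"
}

if [ "${1:-}" = "--demo" ]; then
    demo
fi
```

Run it with `--demo` to see the wipe result, the three digests and the verdict. The hash is taken over the source both before and after the copy on purpose: if the two differ, the write blocker did not do its job and the clone is suspect regardless of whether it matches either value.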