Computer Forensics: ELI5
For those who lack the technical background, here is a brief description of how "computer forensics" is usually done to collect and preserve evidence. Yes, there's a tie-in to the Hunter Biden laptop
Let me begin by telling you the story of how I came to learn the information that I’ll share with you in this post, and then I’ll get to the gritty technical details.
It’s not a sexy story in a James Bond sort of way, but boring in the way that going to a dinner party with a bunch of tax accountants who are all talking shop is boring.
Or maybe it’s like watching paint dry. That’s a close second.
Toward the end, there is a tie-in to the recent Hunter Biden laptop story that you may find useful, which makes this topic less boring.
So the background: for about nine years, I was an Executive Director in charge of the day-to-day operations of a large Information Technology department for a large school district. The organization had an annual budget of about a billion dollars, so it was a sizeable enterprise.
At the time, it was the largest “enterprise network” in the Central Valley of California, and thanks to my work and my team’s work, it had the most advanced network and data center in the city back then (the city had a population of about a million people at the time, so it wasn’t a small one-horse town or anything.)
There were much larger enterprise-scale I.T. systems in the San Francisco Bay and Los Angeles areas, to be sure; but in the agrarian Central Valley, ours was at the time the largest—serving the technology and Internet access needs of 10,000 staff, 80,000 students and all those students’ parents on a daily basis.
At any one time we had 35,000 to 50,000 devices on the network: laptops, PCs, network devices, printers, staff and student cell phones, iPads, tablets, projectors, VOIP desk phones, surveillance cameras, you name it.
I oversaw a large, tens-of-millions of dollars scale infrastructure upgrade project that started around 2012 and lasted about four years; the goal was to replace all of the internal networks with high-speed fiber optics, connecting 107 school sites to a central office and data center.
When we were done, the district had almost 4,000 wireless access points serving wireless Internet to thousands of classrooms—and for the first time, teachers and students had a reliable, useful high-speed network with which to enhance their education.
But also, there was a new high-speed Internet connection to use for sometimes inappropriate purposes.
From time to time, there would be incidents involving staff or students in which I would be tasked to work with the Human Resources Department to do investigations. At times, I also had to run FOIA requests against our district Microsoft Exchange email server, so I’m quite familiar with the flaws in the process of document and email retrieval for FOIA (James Corney anyone?)
I also ran a Blackberry Enterprise server for a few years for dozens of executives who had Blackberries, so I also know quite well the ins and outs of why Hillary Clinton preferred blackberries back in the day. There’s a really good reason she did. This reason, by the way, is also why blackberries don’t exist anymore. They’re rather inconvenient for certain three letter agencies. But that’s a tale for another time.
Sometimes we were tasked by HR to simply locate where certain computers or devices were being used at times of interest. One time it was because a student was suicidal and writing posts online, but nobody knew where the student was. We located him using wireless access point triangulation of his computer, and safety personnel were able to rescue him.
At other times, it was for typical HR policy violation issues. Because the computers on the network belonged to the school district, there was no “right to privacy”—whatever was on those computers was supposed to only involve educational activities. But some staff and students took them home and treated them as their own personal computers, unwisely, so as you can guess with that many students and staff members there would now and then be some rather inappropriate situations.
Sexting between students, sexting between staff, sexting between staff and students, nude pictures or porn on student or staff computers (that sometimes accidentally got displayed on projector screens to classrooms full of kids), teachers involved in outside business ventures and using district resources to transact their businesses, more sexting and porn, things like that.
I would get a call now and then and have to go seize a laptop or a PC for Human Resources. Depending on the severity of the situation, we might be tasked to do the investigation and report to HR ourselves; if it was a criminal situation, we would secure the devices and turn them over to police authorities or forensic experts.
On one of these calls, I wound up investigating a teacher at a high school and it turned into a nine-year cybercrime trial for which I was called several times to testify as an expert witness.
As it turned out, the teacher whom I caught committing cybercrime was married to a woman who was the supervising agent for the local FBI field office—and her team, ironically, was tasked with investigating cybercrime locally.
I helped win that case against her husband. Her colleagues had to recuse themselves from the investigation, but that’s a story for some other time.
I can share, though, that when I was deposed by the perpetrator’s attorney, and the lawyer asked about my prior career experience in the hopes of discrediting me as a witness, I saw him fill his proverbial diapers when I told him I used to design and build supercomputers for the NSA. And install them there.
He knew in that instant he’d lost the case.
When you are tasked with securing enterprise-owned computer equipment because they might be used to press charges for potentially criminal activity, it is important to keep very detailed records, copies of databases, and preserve hard drive evidence.
Sometimes the perpetrators would get a 15-minute tip off from a snitch buddy that someone from the central office was coming, so they would try to delete files to cover their tracks. When we took possession of the equipment, it was critically important to preserve it in the exact state it was in when we arrived.
A typical process for preserving evidence might include:
photographing the computer in the location and condition in which you found it, including careful notes of which network ports it was plugged into.
taking careful note of the make, model and serial numbers of the PCs and their internal components like hard disks or USB/SSD drives. In the event it became necessary, we could take those serial numbers to the manufacturer (say, Apple) and ask for proof that a Mac laptop with THIS serial number had a motherboard with THAT serial number and a hard disk with THE OTHER serial number so that they could provide us evidence that these three components had in fact all been installed that way by the factory.
We would then make an immediate “image copy” of the internal hard disk. This is a byte-by-byte exact duplicate. Anytime you “boot” a computer, it is going to write small amounts of new data to the hard drive; if you actually logged in, even with an administrator account, the operating system is going to write even more fresh data to the hard drive. When this happens, it potentially overwrites critical information in deleted blocks on the drive, which if recovered might contain evidence.
So instead, we ran disk recovery utilities (typically LINUX based) that booted from a USB thumb disk. These allowed you to do a ‘clone’ of the systems hard drive to a backup drive — making an exact, byte for byte copy—without ever booting the seized computer.
In addition, we would sometimes create a ‘checksum’, or ‘hash’, which could be used to prove later on that the drive’s contents had not been altered after the time the clone was made.
The way a hash works is that it is a digital signature: if even a single byte is changed on the hard disk in question, when re-calculating the ‘signature’ hash later, it will produce a new hash value. You can therefore prove to a court’s satisfaction that a drive was or was not tampered with after the time the image copy was made by comparing these signatures. If they match, the drive contents were unaltered.If we then had to sift through files and folders to extract evidence for HR, we would only do so on some other computer, using another copy of the cloned drive, so that we wouldn’t disturb either the original disk or the ‘pristine’ copy.
We would then turn over the evidence (porn images, files, etc.) and all of the equipment to HR and they would take the investigation from there. If it was a criminal situation, these same steps would be performed by a private investigator or the FBI.
So now on to the Hunter Biden Laptop topic.
Most computer techs in medium to large organizations know how to do these steps, and most have the tools at hand (because they use them daily) to do hard drive cloning, usually for upgrades or repairs. Sometimes, if you’re trying to repair a failed computer system with a flaky disk, the first thing you try to do is clone the hard drive, because it might be on its last legs, and you might get lucky enough to pull a clean copy before it gives up the Ghost (TM).
That is an inside joke to IT people, because one of the software packages to make clones of hard drives was called Ghost (TM). (Rimshot.) I’m here all week, please tip your bartender. (I told you there was boring accountants-talking-shop-at-a-dinner party dry humor here, you were forewarned.)
Anyway, afterwards you can transfer that backup cloned copy to a fresh hard disk, and give the client back their repaired computer with their data intact on a new drive. So immediately making a clone of the hard drive contents is often a first step.
All of this begs the question: given that most computer techs know how to do drive cloning and have the tools to do it, and at least some of them understand how drive cloning (with signature hashing) is also necessary for preserving evidence, one has to wonder: did the Delaware service shop owner who handled the repairs of Hunter Biden’s laptop do these things?
If he did do an ‘image copy’ clone of a 500GB internal Mac laptop hard drive, that image copy would have all of the extant files and folders that were stored on it at the time, but *also* all the deleted blocks that were marked as ‘unallocated’ at the time (and sometimes, these deleted blocks can be inspected to recover deleted files. Sometimes.)
The word is that JP Mac Issac extracted 300GB of ‘data’ from a 500GB drive, and that this 300GB trove constitutes the ‘Hunter Biden Laptop’ contents that have been under analysis by various groups.
Doesn’t sound like an image copy. Does he or someone else actually have the full image copy? What, exactly, did Jack Maxey get his hands on then—and when? Something does NOT add up here.
How can Maxey claim to have “450 GB” of deleted blocks from that same laptop hard drive if it only had 500GB of total capacity, of which 300GB was in use and 200GB was “available”? In theory, one could recover (at most) up to 200GB of deleted material, but it’s difficult; not every file and folder will be recoverable, and different recovery software tools will do a better or worse job than others because data recovery isn’t an exact science but a heuristic one.
In theory, if the files that were deleted happened to be compressed (think ZIP files), then 200GB of recovered blocks could in theory “expand” to something larger after “unzipping”. But that’s a stretch. Something doesn’t fit between Maxey and Issac.
I had some experience with doing difficult deleted disk drive block recovery, too, having been put in a position to have to recover hundreds of Gigabytes of critically valuable data from a server drive that had been reformatted, not just erased.
It took several days of nail-biting tension, but the software I purchased from a German vendor for this task was able to do it, whereas most disk recovery software at the time could not.
So… I’m eager to find out some of the simple but critical details of the Hunter Biden laptop and its recovery. Was an image clone taken? Was a hash signature performed? Is that hash value available (because it can be used to prove that downstream copies of the HRB laptop are identical to the original—or conversely, to expose fakes.)
Was more than one physical drive left at the shop? Was that drive, too, cloned? Are there multiple versions of the “Hunter Biden Laptop Drive” circulating—some with only the user folder (300GB) from the Mac laptop and some with all of the blocks from the disk, including the deleted ones (500GB)? Are we sure the internal drive of the laptop was only 500GB? Any chance it was 750GB?
What was the chain of events that led to Maxey getting a copy from Mac Issac’s original?
Questions. We have questions.
EXCELLENT! I was able to follow along and appreciated the humor! Good job!
HI! I graduated Rose in 1988 with an EE degree - cool to see you here. Patrick Byrne claims it's 400,000 images, not 400 GB. Since most of the images are likely jpeg, you could easily expand 200 GB (or less) of jpeg to 400 GB of data. Also claims of using a technique to get bits that were overwritten using physics techniques - clearly outside the ability of most and seems to me to require the original drive. Thanks for all your posts!