21
The Cyber Forensics question [MAGA]
posted ago by human_cent_i_pede +21 / -0
Comments (8)
3
BigPanda71 3 points ago +3 / -0

Chiming in because I do computer forensics for a living. Nothing high speed like network intrusion or anything like that. My experience is mostly in child exploitation, with some dabbling in other areas I won’t discuss because it gives a little too much away about my identity.

Creating forensic disk images isn’t that difficult. You can use a hardware write blocker, a boot disk (Paladin is free and a very good tool for doing this), or a standalone forensic imager. When used properly, all of these will give you a bit for bit copy of the media you’re copying (thumb drive, hard drive, etc). A TX 1 forensic imager can copy a SATA HDD at about 200 megabytes/second.

I’m pretty sure the Dominion machines boot off of a memory card, so they’re not dealing with a ton of data on those. Same with any thumb drives or other miscellaneous memory cards they imaged. The servers are more problematic when it comes to time, but with the right equipment the 8 hour limitation isn’t a huge deal.

In general the time limit shouldn’t have been a problem assuming they brought enough equipment. Plus they had seven people working on it, which makes things go a lot faster.

The analysis is the hard part, and the most time consuming. Like I said, I don’t have experience in things like network intrusion. So I won’t speak on how they’re doing their analysis. But, generally speaking, you load all the data into a forensic program like EnCase or Axiom and see what they parse out. I’m sure they have custom scripts to parse out specific deleted data as well.

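The post above describes a bit-for-bit acquisition and a throughput of about 200 MB/s for a SATA drive. The following is an added example, not code from the poster or from any imaging product named in the thread. It images a constructed sample file in chunks while hashing the source, re-reads the resulting image to confirm the two hashes match (the check an examiner records for chain of custody), shows that a single altered byte in the image is caught by that check, and turns the post's 200 MB/s figure into a wall-clock estimate. File names, the sample data and the chunk size are assumptions for the demo; in a real acquisition the source would be the block device behind a write blocker.

```python
import hashlib
import os
import tempfile

CHUNK = 1024 * 1024  # 1 MiB per read; an assumption, any size works


def image_and_hash(source_path, image_path, algorithm="sha256"):
    """Copy source to image in chunks, hashing the source as it is read.

    Returns (source_hash_hex, bytes_copied). The image itself is verified
    separately by verify_image(), which re-reads it from disk.
    """
    src_hash = hashlib.new(algorithm)
    total = 0
    with open(source_path, "rb") as src, open(image_path, "wb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            src_hash.update(block)
            dst.write(block)
            total += len(block)
    return src_hash.hexdigest(), total


def verify_image(image_path, expected_hex, algorithm="sha256"):
    """Independently re-read the image and compare its hash to the recorded one."""
    img_hash = hashlib.new(algorithm)
    with open(image_path, "rb") as img:
        for block in iter(lambda: img.read(CHUNK), b""):
            img_hash.update(block)
    return img_hash.hexdigest() == expected_hex


def estimate_hours(size_bytes, rate_mb_per_s=200):
    """Wall-clock estimate for imaging at a given rate.

    200 MB/s is the figure the post gives for a TX1 on a SATA HDD; the
    function treats MB as 10^6 bytes and ignores hashing or bus overhead.
    """
    return size_bytes / (rate_mb_per_s * 1_000_000) / 3600


def demo():
    """Image a constructed 8 MiB 'memory card', verify it, then tamper and re-verify."""
    with tempfile.TemporaryDirectory() as tmp:
        src = os.path.join(tmp, "card.bin")     # assumed name for the source media
        img = os.path.join(tmp, "card.raw")     # assumed name for the raw image
        # Constructed sample data: a repeating 0..255 pattern, 8 MiB in total.
        with open(src, "wb") as f:
            f.write(bytes(range(256)) * 32768)

        recorded_hash, copied = image_and_hash(src, img)
        clean_ok = verify_image(img, recorded_hash)

        # Flip one byte in the middle of the image; the recorded hash must no longer match.
        with open(img, "r+b") as f:
            f.seek(copied // 2)
            original = f.read(1)
            f.seek(copied // 2)
            f.write(bytes([original[0] ^ 0xFF]))
        tampered_ok = verify_image(img, recorded_hash)

    return {
        "bytes_copied": copied,
        "source_hash": recorded_hash,
        "clean_verified": clean_ok,
        "tampered_verified": tampered_ok,
    }


if __name__ == "__main__":
    result = demo()
    print(result)
    print("2 TB drive at 200 MB/s: about %.1f hours" % estimate_hours(2 * 10**12))
```

The hash recorded at acquisition is what every later examiner compares against; an image that fails verify_image() is not admissible as a faithful copy no matter how it was produced. The estimate function makes the post's point concrete: a 2 TB server drive at 200 MB/s is under three hours, so an 8 hour window is workable if enough imagers run in parallel.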
1
deleted 1 point ago +1 / -0
2
BigPanda71 2 points ago +2 / -0

The analysis is always the worst part. Most people don’t realize exactly how much their computer is logging, and it takes a long time to even parse those logs to begin going through them.

I’ve had Axiom run for several days parsing a single hard drive. And more times than I can count I’ve had EnCase run for several days only to crash out before the processing was finished. Which is why I don’t use it anymore.

1
deleted 1 point ago +1 / -0
2
politifox 2 points ago +2 / -0

Agreed. We are thinking it's just copy a drive and start to look around, but you are spot on: they have to do it in a way that is admissible in court.

2
Dride 2 points ago +2 / -0

This. It's much easier to tell if/when something was altered, and personally I think they were looking for backdoor traces. The actual specifics are going to take some time tho. This is no longer my wheelhouse, so feel free to chime in anybody

1
StableGeniusTrump 1 point ago +1 / -0

This is quality analysis and deserves many more updoots!!

1
deleted 1 point ago +1 / -0