In any judicial process, it is essential that all digital evidence held on any type of storage device remains unaltered from the moment the device is seized. This makes it possible to certify the originality of the evidence at any later time. If this is not taken into account, the digital evidence is very likely to be invalidated, so a computer expert must maintain and certify the chain of custody of the digital evidence contained in these devices. The usual method a computer expert follows for the custody of digital evidence held on a storage device is forensic cloning.
Forensic cloning of a storage device consists of copying the entire contents of a hard disk, bit by bit, to another storage device or to an image file, while computing the hash signature of the bits read during the process. The result is an exact low-level copy of the whole hard disk, and matching hash signatures certify that its content corresponds to the original. A hash signature is nothing more than an alphanumeric character string derived from the cloned information. When the hash signatures of the source device and the destination device are generated, the two have to match to certify the chain of custody. If a single bit changes during the cloning process, the hash signatures of the source and destination devices will not match: the chain of custody has not been maintained and the evidence has been altered.
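The acquisition and verification steps described above, as an added example that is not FORENSICTECH's own tooling. It assumes SHA-256 (the page names no algorithm) and uses a constructed 3 MiB random file in place of a real disk; the file names are hypothetical.

```python
import hashlib
import os
import tempfile

CHUNK = 1024 * 1024  # read size; the resulting hash does not depend on it


def clone_with_hash(source_path, image_path, algo="sha256"):
    """Copy source to image bit by bit, hashing the bits as they are read.
    The read-only open does not replace a hardware write blocker."""
    h = hashlib.new(algo)
    with open(source_path, "rb") as src, open(image_path, "wb") as dst:
        while True:
            block = src.read(CHUNK)
            if not block:
                break
            h.update(block)   # hash exactly what was read from the source
            dst.write(block)  # and write the same bytes to the image
    return h.hexdigest()


def hash_file(path, algo="sha256"):
    """Re-read a device or image from storage and return its hash signature."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def demo():
    """Constructed sample: clone a stand-in disk, then change one bit."""
    workdir = tempfile.mkdtemp()
    source = os.path.join(workdir, "source.bin")  # hypothetical seized device
    image = os.path.join(workdir, "image.dd")     # hypothetical image file
    with open(source, "wb") as f:
        f.write(os.urandom(3 * CHUNK + 17))
    acquired = clone_with_hash(source, image)
    intact = hash_file(image) == acquired         # signatures match
    with open(image, "r+b") as f:                 # flip a single bit in the copy
        f.seek(CHUNK)
        byte = f.read(1)[0]
        f.seek(CHUNK)
        f.write(bytes([byte ^ 0x01]))
    altered = hash_file(image) == acquired        # signatures no longer match
    return intact, altered


if __name__ == "__main__":
    print(demo())
```

The hash returned by `clone_with_hash` is the value to record in the expert report alongside the later verification hash of the image.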
The computer expert must thoroughly document the forensic cloning process of the hard disk, including the situation and type of the original seized device, as well as the characteristics of the device onto which the cloned information is going to be copied. All of this must be included in the computer expert's report, in a detailed and intelligible way, in order to ensure the chain of custody of the seized digital evidence, both physical and logical, before proceeding to examine it.
The forensic cloning of hard drives requires a mobile forensic computing laboratory made up of specific electronic devices, as well as specific software to perform the bit-by-bit forensic cloning of the devices to be seized. It is very easy for an inexperienced expert without adequate equipment to contaminate the evidence, invalidating it for a judicial process. For example, simply connecting the seized hard disk without write-blocking it will already alter the device in a way that invalidates it as evidence.
At FORENSICTECH, we have a mobile laboratory for the forensic cloning of hard drives, being able to carry out interventions “in situ”, and even in judicial offices before the lawyer of the Administration of Justice.
“The appealed ruling is essentially based on the ineffective and invalid expert evidence that has been provided as the only justification for the facts imputed in the letter of dismissal to the plaintiff, for several reasons explained by the Magistrate of Instance in her ruling. The first is because she understands that the expert presented by the company lacks an official degree in computer science, although at this point it is recognized that the expert is the person who provides computer assistance to the company as a freelancer, which implies at least a practical knowledge of what he is hired for. On the other hand, the informal nature of the expert evidence and the questioning of the chain of custody are argued. Special mention is also made of the breach of the guarantees of the plaintiff’s right to privacy at the time of carrying out the inspection and search of the computer equipment, declaring it proven that the plaintiff was not present. In short, the Magistrate of Instance, evaluating this evidence and the testimonies provided at the oral trial concludes that the defects in the practice of the expert evidence carried out by the company prevent granting probative value to this means of proof, and given that it is essential to prove the facts imputed to the plaintiff, declares the dismissal unjustified.”
At FORENSICTECH, we provide our clients with the security of having: