Forensic cloning of hard drives and storage devices

In any judicial process, it is essential that all digital evidence held on any type of storage device remains unaltered from the moment the device is seized. This makes it possible to certify its originality at any time after the seizure. If this is not taken into account, the digital evidence is very likely to be invalidated, so a computer expert is obliged to maintain and certify the chain of custody of the digital evidence contained in these devices. The usual method a computer expert follows to preserve digital evidence held on a storage device is forensic cloning.

Forensic cloning of a storage device consists of copying the entire contents of a hard disk, bit by bit, to another storage device or to an image file, while obtaining the hash signature of the bits read during the process. This yields an exact low-level copy of all the contents of the hard disk and certifies that the copy corresponds to the original by matching the hash signatures. A hash signature is nothing more than an alphanumeric character string obtained from the cloned information. When the hash signatures of the source device and the destination device are generated, both have to match to certify the chain of custody. If a single bit changes during the cloning process, the hash signatures of the source and destination devices will not match: the chain of custody has not been maintained and the evidence has been altered.
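The copy-and-verify step described above can be sketched as follows. This is an added example, not FORENSICTECH's tooling: SHA-256 is an assumed choice of hash (the page names no algorithm), the function names are hypothetical, and a constructed temporary file stands in for the source device.

```python
import hashlib
import os
import tempfile

BLOCK_SIZE = 1024 * 1024  # assumption: any block size yields the same digest


def hash_file(path, algo="sha256"):
    """Return the hex digest of everything readable from path."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(BLOCK_SIZE), b""):
            h.update(block)
    return h.hexdigest()


def clone_and_verify(source, image, algo="sha256"):
    """Copy source to image bit by bit, hashing the bytes as they are read,
    then re-read the image and return (source_digest, image_digest)."""
    h = hashlib.new(algo)
    # Opened read-only; real media still needs a write blocker in front of it.
    with open(source, "rb") as src, open(image, "wb") as dst:
        for block in iter(lambda: src.read(BLOCK_SIZE), b""):
            h.update(block)
            dst.write(block)
        dst.flush()
        os.fsync(dst.fileno())  # make sure the image is on disk before re-reading
    return h.hexdigest(), hash_file(image, algo)


def demo():
    """Constructed data: a 3 MiB + 7 byte file stands in for the source device."""
    with tempfile.TemporaryDirectory() as tmp:
        source = os.path.join(tmp, "source.bin")
        image = os.path.join(tmp, "image.dd")
        with open(source, "wb") as f:
            f.write(bytes(range(256)) * 12288 + b"trailer")
        src_digest, img_digest = clone_and_verify(source, image)
        # Flip one bit in the image to show that the digests stop matching.
        with open(image, "r+b") as f:
            f.seek(1000)
            byte = f.read(1)[0]
            f.seek(1000)
            f.write(bytes([byte ^ 0x01]))
        return src_digest == img_digest, src_digest == hash_file(image)


if __name__ == "__main__":
    print(demo())
```

Both digests belong in the expert report alongside the device details, so the match can be re-checked at any later point.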

The computer expert must thoroughly document the forensic cloning process of the hard disk, including the situation and type of the seized original device, as well as the characteristics of the device to which the cloned information is going to be written. All this must be included in the computer expert report, in a detailed and intelligible way, in order to ensure the chain of custody of the seized digital evidence, both physical and logical, before proceeding to examine it.

The forensic cloning of hard drives requires a mobile forensic computing laboratory made up of specific electronic devices, as well as specific software to perform the bit-by-bit forensic cloning of the seized devices. It is very easy for an inexperienced expert without adequate equipment to contaminate the evidence, invalidating it for a judicial process. For example, connecting the seized hard disk without write-blocking it will already cause an alteration in the device that invalidates it as evidence.

At FORENSICTECH, we have a mobile laboratory for the forensic cloning of hard drives, being able to carry out interventions “in situ”, and even in judicial offices before the lawyer of the Administration of Justice.

Considerations

This type of evidence can be contested and therefore rejected, ruining the entire procedure. To determine whether this type of evidence has probative value, the forensic analysis of a certified computer expert is essential.
 
Likewise, we must bear in mind that, in recent years, the number of computer expert reports and opinions that are dismissed in litigation and not taken into account at the time of sentencing has increased. The reason is none other than a huge increase in the number of computer experts who are not legally authorized to act before the courts, and who therefore commit the crime of professional intrusion. We can find a clear example in the Judgment of the Superior Court of Justice of Madrid 531/2017, Social Chamber, Section 4, July 19th, 2017, in which it is stated in the first point of the grounds of law that:

“The appealed ruling is essentially based on the ineffective and invalid expert evidence that has been provided as the only justification for the facts imputed in the letter of dismissal to the plaintiff, for several reasons explained by the Magistrate of Instance in her ruling. The first is because she understands that the expert presented by the company lacks an official degree in computer science, although at this point it is recognized that the expert is the person who provides computer assistance to the company as a freelancer, which implies at least a practical knowledge of what he is hired for. On the other hand, the informal nature of the expert evidence and the questioning of the chain of custody are argued. Special mention is also made of the breach of the guarantees of the plaintiff’s right to privacy at the time of carrying out the inspection and search of the computer equipment, declaring it proven that the plaintiff was not present. In short, the Magistrate of Instance, evaluating this evidence and the testimonies provided at the oral trial concludes that the defects in the practice of the expert evidence carried out by the company prevent granting probative value to this means of proof, and given that it is essential to prove the facts imputed to the plaintiff, declares the dismissal unjustified.”

Computer evidence must be certified in a computer expert opinion, prepared by a legally qualified computer expert. In our Frequently Asked Questions section you can find more information about it.

Why hire our services?

At FORENSICTECH, we provide our clients with the security of having:

  • A computer expert specialized in your case, registered with a professional association and legally authorized to act in the Spanish courts of justice.
  • Appropriate instruments and specialized software to develop your expert report.
  • Legally recognized chain of custody investigation and assurance methods.
  • Effective and efficient work on the requested expert report.
  • A certified computer expert opinion, which greatly increases your credibility and reliability before judicial bodies, as it is endorsed by a professional association.
  • A computer expert capable of facing the ratification in oral proceedings in all jurisdictional orders.
  • Our performance in all the courts of justice throughout Spain in all jurisdictional areas.
