Oh, and the method described by the report indicates they took a byte-for-byte copy of the drive. I've done this before myself to clone a drive. They actually described the way I'd take the copy. Boot up a computer with a Linux boot disk, then copy the image of the drive from one device to another. It can be done as simply as this:
dd if=/dev/sdb of=image_of_sda1.img
At that point you have a file that is a copy of every bit on the drive. You can, if you want use that image to clone to another device.
dd if=image_of_sda1.img of=/dev/sdc
Of course, you could also have just gone straight from one drive to another:
dd if=/dev/sdb of=/dev/sdc
Personally, I'd use the former method, as it gives you a copy of the entire drive as a file, that you can then easily mount in read only mode, or copy to another device to actually boot up and look at as closely as you want. This kind of stuff is done every day, and is pretty straightforward. Granted, the image file is going to be as large as the original file, which might make it a little bit clunky to work with, but that's what you want, a byte for byte copy of the data exactly as it existed on the drive.
Thanks for the additional information. I am following this while still working, and haven’t yet read the whole report. A byte for byte close is what I am calling a “hardware” copy.
I will be honest, however, in that I am unsure if a hardware copy still captures ghost images of files where the magnetic statis is ambiguous. One wouldn’t think that this affects this particular effort (the images on the disk should still be fresh), but I am not in this narrow part of the field, so I do not know.
I do know that previous election logs should NOT be available if the current logs are not, presuming there is not an option to disable logging (which is a signal of the intent to commit fraud, anyway).