Free Republic
Browse · Search
News/Activism
Topics · Post Article

To: dadfly

Forensic analysis is done on a mirror image of the original file. Hash tags are matched at the time to assure it is an exact duplicate.

This allows the forensic data to be presented in court as evidence in lieu of producing the original equipment and data.

It’s been a few years since I did forensic courtroom work on electronic data, but I doubt it has changed very much.

It is very evident that Dominion is very guilty of Spoliation of Evidence by deleting data.


885 posted on 08/11/2021 12:13:50 PM PDT by tired&retired (Blessings )
[ Post Reply | Private Reply | To 884 | View Replies ]


To: tired&retired

Two Key Differences Between Digital Forensic Imaging And Digital Forensic Clone And How They Can Affect Your Legal Case

https://capsicumgroup.com/2-key-differences-between-digital-forensic-imaging-and-digital-forensic-clone-and-how-they-can-affect-your-legal-case/

Over the years there have been many terms used to describe a Forensic Image versus a Clone and the process of making a forensic backup. Terms such as mirror image, exact copy, bit-stream image, disk duplicating, disk cloning, and mirroring have made it increasingly difficult to understand what exactly is being produced or being requested.

Broadly speaking, forensic backups are achieved by capturing all data from a source media (computers, cell phones, tablets, etc.) in a forensically sound manner so that all of the original data is in an unaltered state. This means the entire contents of the source media are being collected, including unused space, all slack data, all unallocated space, and other media.

A Forensic Image is a comprehensive duplicate of electronic media such as a hard-disk drive. Artifacts (information or data created as a result of the use of an electronic device that show past activity) such as deleted files, deleted file fragments, and hidden data may be found in slack (unused space that is created between the end-of-file marker and the end of the hard drive cluster in which the file is stored) and unallocated space (the unused portion of a hard drive). This exact duplicate of the data is referred to as a bit-by-bit copy of the source media and is called an Image. Images are petrified snapshots that are used for analysis and evidence preservation. Images cannot be used as working copies.

A Forensic Clone is also a comprehensive duplicate of electronic media such as a hard-disk drive. Artifacts such as deleted files, deleted file fragments, and hidden data may be found in its slack and unallocated space.

This exact duplicate of the data is referred to as a bit-by-bit copy of the source media and is called a Clone. Clones are working snapshots that are modifiable and not necessarily preserved. Clones are used as working copies to replace original evidence for analysis as well as data preservation purposes.

A hash (an error detection scheme which performs a calculation on the binary value of the packet/frame and which is then appended to the packet/frame as a fixed-length field. Once the packet/frame is received, a similar calculation is performed. If the result does not match the first calculation, then a data change occurred during transmission. The calculation can be a sum (checksum), a remainder of a division, or the result of a hashing function) of an original device can validate if media is an exact duplicate (forensically sound copy). Any variation in the hash value of an original to its Clone or Image will confirm that they are not exact copies. This is of importance to know when dealing with legal matters.


886 posted on 08/11/2021 12:20:19 PM PDT by tired&retired (Blessings )
[ Post Reply | Private Reply | To 885 | View Replies ]
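
An added example, not from the quoted article or from either poster: a Python sketch of the hash comparison described above, run on a constructed three-sector toy "drive". The sector size, file name, and contents are assumptions made up for the demonstration; it shows that a bit-stream image matches the source hash and keeps slack and unallocated data, while a file-level copy or a one-bit change does not.

```python
import hashlib
import io

SECTOR = 512  # toy sector size for the constructed media below

def build_media():
    """Constructed 3-sector 'drive': a live file, slack after it, unallocated space."""
    live = b"quarterly report, final version"
    slack = b"draft v1 leftovers"          # residue past the end-of-file marker
    deleted = b"DELETED: memo fragment"    # sits in unallocated space
    s0 = (live + slack).ljust(SECTOR, b"\x00")
    s1 = deleted.ljust(SECTOR, b"\x00")
    s2 = bytes(SECTOR)
    table = {"report.txt": (0, len(live))}  # name -> (offset, length) of allocated data
    return s0 + s1 + s2, table

def sha256_stream(stream, chunk=4096):
    """Hash a stream in chunks, as one would for media too large to hold in memory."""
    h = hashlib.sha256()
    for block in iter(lambda: stream.read(chunk), b""):
        h.update(block)
    return h.hexdigest()

def bitstream_image(media):
    """Copy every sector, allocated or not."""
    src, out = io.BytesIO(media), io.BytesIO()
    for block in iter(lambda: src.read(SECTOR), b""):
        out.write(block)
    return out.getvalue()

def logical_copy(media, table):
    """Copy only what the file table lists as allocated (what a file-level backup sees)."""
    return b"".join(media[off:off + n] for off, n in table.values())

def verify(source, copy):
    """True only if the copy hashes to the same SHA-256 value as the source."""
    return sha256_stream(io.BytesIO(source)) == sha256_stream(io.BytesIO(copy))

def demo():
    media, table = build_media()
    image = bitstream_image(media)
    files_only = logical_copy(media, table)
    tampered = bytearray(image)
    tampered[SECTOR] ^= 0x01                # flip a single bit in the copy
    return {
        "image_matches": verify(media, image),
        "logical_matches": verify(media, files_only),
        "tampered_matches": verify(media, bytes(tampered)),
        "deleted_in_image": b"DELETED: memo fragment" in image,
        "deleted_in_logical": b"DELETED: memo fragment" in files_only,
        "slack_in_image": b"draft v1 leftovers" in image,
    }
```
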

To: tired&retired

thx.

on the bat file:

they looked at the bat file line by line (dominion custom addon) that de-hardens sql server. assumes sql server shutdown. apparently two key lines: 1. copying security credentials en masse to folder. 2. disable encryption in sql server. 3. restart sql server.

of course anyone with exec permission can run it, even remotely.


889 posted on 08/11/2021 12:45:17 PM PDT by dadfly
[ Post Reply | Private Reply | To 885 | View Replies ]



FreeRepublic, LLC, PO BOX 9771, FRESNO, CA 93794
FreeRepublic.com is powered by software copyright 2000-2008 John Robinson