1. What is a forensic clone? What is its purpose? Explain the cloning process, and what steps an examiner must take in order to ensure a proper, valid clone.

A forensic clone is an exact copy of a storage device. Its purpose is to give the examiner an examinable copy so that the original storage is not affected, or put at risk of being altered, during the forensic process. This preserves the original in the state in which it was found; the original could be any type of storage, such as USBs, SSDs, mobile phones, and drives. If the original is mishandled, even a small change to a file can create legal problems. The cloning process starts with identifying and documenting the source drive (the original) and the destination drive (forensically clean media). Next, connect the source drive to a write blocker, which prevents writing to the original. Use a forensic imaging or cloning platform to take an image of the drive and put it onto the forensically clean media. Finally, generate hashes (the imaging platform may do this itself) and compare them to see whether they match.


FORENSICALLY CLEAN MEDIA

A forensically clean drive is one that can be proven to be devoid of any data at the time the clone is made. Being sterile is another way of looking at it. It is important to prove the drive is clean because comingled data is inadmissible data. Drives can be cleaned with the same devices used to make the clones. The cleaning process overwrites the entire hard drive with a particular pattern of data such as 1111111111111 (Casey, 2011).



With this knowledge, you can help make digital forensics widespread and readily available, and help the whole community move forward.

INSTRUCTIONS: Respond to the following prompt in at least 250 words. In at least 50 words, thoughtfully write a critique to one of your classmates’ posts and mention your alternative solution/discussion by the due date.


Cloning a hard drive should be a pretty straightforward process, at least in theory. Typically, you will clone one hard drive to another. The suspect’s drive is known as the source drive and the drive you are cloning to is called the destination drive. The destination drive must be at least as large as (if not slightly larger than) our source drive. Although it is not always possible, knowing the size of the source in advance is pretty handy. Bringing the right size drive will save a lot of time and aggravation.

The drive we want to clone (the source) is normally removed from the computer. It’s then connected via cable to a cloning device of some kind or to another computer. It’s critical to have some type of write blocking in place before starting the process. A write block is a crucial piece of hardware or software that is used to safeguard the original evidence during the cloning process. The hardware write block is placed between the cloning device (PC, laptop, or standalone hardware) and the source. The write block prevents any data from being written to the original evidence drive. Using this kind of device eliminates the possibility of inadvertently compromising the evidence. Remember, the hardware write-blocking device goes in between the source drive and the cloning platform.

It takes little prep work to make a clone. The destination drive must be forensically cleaned before cloning a suspect’s drive to it. Most, if not all, forensic imaging tools will generate some type of paper trail, proving that this cleaning has taken place. This paperwork becomes part of the case file. Once the connections are made, the process starts with the press of a couple of buttons or clicks of a mouse. When complete, a short report should be generated by the tool, indicating whether the cloning was successful. Cloning is successful when the hash values (think “digital fingerprint”) for the source and clone match. We’ll dig deeper into hash values in just a bit.
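The two checks described above, proving the destination is clean and confirming that source and clone hashes match, can be shown in Python. This is an added example, not code from the quoted text or from any imaging tool. It assumes image files stand in for drives, a zero-byte wipe pattern, and SHA-256 as the hash, and all function names are hypothetical. Because the destination may be larger than the source, the clone is hashed only over the source's length.

```python
import hashlib, os, tempfile

CHUNK = 1 << 20  # read in 1 MiB pieces so large images do not fill memory

def is_forensically_clean(path, pattern=b"\x00"):
    """True if every byte equals the one-byte wipe pattern (assumed: zeros)."""
    with open(path, "rb") as f:
        while chunk := f.read(CHUNK):
            if chunk != pattern * len(chunk):
                return False
    return True

def sha256_prefix(path, length):
    """SHA-256 over the first `length` bytes of an image."""
    digest, remaining = hashlib.sha256(), length
    with open(path, "rb") as f:
        while remaining > 0:
            chunk = f.read(min(CHUNK, remaining))
            if not chunk:
                raise ValueError(f"{path} is shorter than {length} bytes")
            digest.update(chunk)
            remaining -= len(chunk)
    return digest.hexdigest()

def verify_clone(source, destination):
    """Hash the source, then the same number of bytes on the destination."""
    size = os.path.getsize(source)  # image files; raw devices report size differently
    if os.path.getsize(destination) < size:
        raise ValueError("destination is smaller than the source")
    src, dst = sha256_prefix(source, size), sha256_prefix(destination, size)
    return {"source_sha256": src, "clone_sha256": dst, "match": src == dst}

def demo():
    """Constructed images: wipe check, clone, verify, then detect a one-byte change."""
    with tempfile.TemporaryDirectory() as d:
        src, dst = os.path.join(d, "source.img"), os.path.join(d, "dest.img")
        with open(src, "wb") as f:
            f.write(b"constructed evidence " * 1000)   # 21,000-byte source
        with open(dst, "wb") as f:
            f.write(b"\x00" * 32768)                   # wiped, larger destination
        clean_before = is_forensically_clean(dst)
        with open(src, "rb") as s, open(dst, "r+b") as t:
            t.write(s.read())                          # stand-in for the imaging tool
        cloned = verify_clone(src, dst)["match"]
        with open(dst, "r+b") as t:
            t.seek(100)
            t.write(b"X")                              # simulate an altered clone
        return clean_before, is_forensically_clean(dst), cloned, verify_clone(src, dst)["match"]

if __name__ == "__main__":
    print(demo())
```

Hashing the whole of a larger destination would include the leftover wipe pattern and never match the source, which is why the comparison is bounded by the source size.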
