Cloning a hard drive should be a pretty straightforward process, at least in theory. Typically, you will clone one hard drive to another. The suspect’s drive is known as the source drive and the drive you are cloning to is called the destination drive. The destination drive must be at least as large as (if not slightly larger than) the source drive. Although it is not always possible, knowing the size of the source in advance is pretty handy. Bringing the right size drive will save a lot of time and aggravation.

The drive we want to clone (the source) is normally removed from the computer. It’s then connected via cable to a cloning device of some kind or to another computer. It’s critical to have some type of write blocking in place before starting the process.

A write block is a crucial piece of hardware or software that is used to safeguard the original evidence during the cloning process. The hardware write block is placed between the cloning device (PC, laptop, or standalone hardware) and the source. The write block prevents any data from being written to the original evidence drive. Using this kind of device eliminates the possibility of inadvertently compromising the evidence. Remember, the hardware write-blocking device goes in between the source drive and the cloning platform.

It takes little prep work to make a clone. The destination drive must be forensically cleaned before cloning a suspect’s drive to it. Most, if not all, forensic imaging tools will generate some type of paper trail, proving that this cleaning has taken place. This paperwork becomes part of the case file.

Once the connections are made, the process starts with the press of a couple of buttons or clicks of a mouse. When complete, a short report should be generated by the tool, indicating whether the cloning was successful. Cloning is successful when the hash values (think “digital fingerprint”) for the source and clone match. We’ll dig deeper into hash values in just a bit.
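The cleaning and hash-match checks described above, as an added example that is not from the original text: Python that confirms a destination is zero-filled before use, then verifies a clone by hashing only the source-length region of a larger destination. The function names, file names and sizes are assumptions, and small constructed image files stand in for the drives.

```python
import hashlib
import os
import tempfile
from pathlib import Path

CHUNK = 1024 * 1024  # stream in 1 MiB pieces so a whole drive never sits in memory
def device_size(path):
    # Seeking to the end reports the size of image files and block devices alike.
    with open(path, "rb") as f:
        return f.seek(0, os.SEEK_END)

def is_wiped(path):
    # True when every byte is zero, i.e. the destination was cleaned beforehand.
    with open(path, "rb") as f:
        while chunk := f.read(CHUNK):
            if chunk.count(0) != len(chunk):
                return False
    return True

def hash_prefix(path, length):
    # SHA-256 over the first `length` bytes only.
    h, remaining = hashlib.sha256(), length
    with open(path, "rb") as f:
        while remaining and (chunk := f.read(min(CHUNK, remaining))):
            h.update(chunk)
            remaining -= len(chunk)
    if remaining:
        raise ValueError(f"{path} is shorter than {length} bytes")
    return h.hexdigest()

def verify_clone(source, dest):
    # Compare over the source's length; hash_prefix rejects a too-small destination.
    size = device_size(source)
    src_hash = hash_prefix(source, size)
    return src_hash == hash_prefix(dest, size), src_hash

def demo():
    # Constructed stand-ins: a 4 KiB "source" and a wiped 6 KiB "destination".
    with tempfile.TemporaryDirectory() as d:
        src, dst = Path(d, "source.img"), Path(d, "dest.img")
        src.write_bytes(os.urandom(4096))
        dst.write_bytes(bytes(6144))
        wiped_before = is_wiped(dst)
        with open(dst, "r+b") as t:
            t.write(src.read_bytes())  # the "clone" step
        match, src_hash = verify_clone(src, dst)
        return wiped_before, match, src_hash != hash_prefix(dst, device_size(dst))

if __name__ == "__main__":
    print(demo())
```

The third value returned by `demo()` shows why the comparison covers only the source's length: hashing the whole of a larger destination yields a different value even when the clone is exact.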