Nearly every crime scene contains digital evidence. To preserve original digital evidence for forensic investigation, law enforcement must know how to recognize, seize, transport, and store it. To recover evidence from a crime scene, a professional investigator must meticulously apply proven digital forensic methodologies to identify, gather, clone, preserve, store, analyze, interpret, attribute, and/or reconstruct the information stored in the storage media. E-Discovery was used to extract evidence from the crime scene in several cases of classic crimes.
This digital evidence depicts the events as they are said to have occurred. A forensic clone is a replica of digital evidence that is identical in every way; you can clone files, directories, hard discs, and more. A forensic clone is also known as a bit-stream image or forensic image. A forensic image of a hard drive captures the entire contents of the disc, from the first sector to the last. A forensic clone is not the same as a “copy and paste” via the operating system: a true forensic image captures both active and latent data. This is the fundamental difference between the two, and it is why a forensic image is preferred.
Digital evidence is extremely volatile. As a result, unless there are urgent circumstances or no other options, one should never examine the original evidence. If at all feasible, the original drive should be kept in a safe place and only used to clone if necessary. That is not always possible, especially in a commercial setting when the machine and drive must be returned to service.
Hard disc drives are prone to failure. Having two clones allows an investigator to study one and fall back on the other. All inspections should ideally be performed on a clone rather than the original.
A forensic clone is a complete copy of electronic media, such as a hard disc drive. Its slack and unallocated space may contain artifacts such as deleted files, fragments of erased files, and hidden data. A clone is an exact, bit-by-bit duplicate of the original medium. Clones can be written to, so they are not automatically preserved as read-only snapshots; clone copies are used as working copies that stand in for the original evidence during preservation and analysis.
Purpose of Cloning
As we know, digital evidence is extremely volatile. As a result, unless there are exigent circumstances or no other option, you should never conduct your examination on the original evidence. A missing child is an example of an exigent circumstance. There are also occasions when no tool or technique is available to image the device.
Examining the clone gives us the opportunity for a “mulligan” if something goes wrong. If at all possible, keep the original drive in a safe place and only use it to reimage if necessary. Hard disc drives are prone to failure. Having two clones allows you to investigate one and fall back on the other. All inspections should ideally be performed on a clone rather than the original.
When the machine and drive must be returned to service in a business situation, this isn’t always an option. A properly validated forensic clone is as good as the original in the eyes of the court.
The Cloning Process
Cloning a hard disc should, in theory at least, be a rather simple procedure. You will usually clone one hard disc to another. The source drive is the suspect’s drive, and the destination drive is the drive you are cloning to. The destination drive must be at least as large as (and preferably somewhat larger than) the source drive. Knowing the size of the source ahead of time is useful, although it is not always possible. Bringing the correct drive size will save you time and frustration.
The source drive (the target of the acquisition) is usually removed from the computer. It is then connected to a cloning device or another computer via cable. You must have some form of write blocking in place before starting the process. A write blocker is a key piece of hardware or software that protects the original evidence during the copying process: the hardware write blocker sits between the cloning platform (PC, laptop, or standalone hardware) and the source drive, and it ensures that no data is written to the original evidence drive. Using such a device minimizes the chance of accidentally altering evidence.
Making a clone requires some preliminary work. Before a suspect’s drive is cloned to it, the destination drive must be forensically wiped. Most, if not all, forensic imaging tools generate a record demonstrating that the wipe was completed; this documentation is added to the case file.
Once the connections have been made, the process is started by pressing a couple of buttons or clicking a mouse. When the cloning is finished, the tool should generate a short report indicating whether or not the cloning was successful. Cloning is successful when the hash values (think “digital fingerprint”) of the source and the clone match. We’ll delve deeper into hash values in a moment.
The Narcotics Control Bureau (NCB) has filed a case against actor Rhea Chakraborty, her brother Showik, and four others, based on communications recovered by the Enforcement Directorate (ED) from “clones” of Rhea’s two mobile phones, which purportedly contain proof of her discussing narcotics.
What exactly is mobile phone forensic cloning?
It is a bit-for-bit replica of an entire mobile device that is used in mobile device forensics. Some law enforcement agencies and forensic science laboratories perform “imaging” or forensic cloning of a cell phone or other digital device if they believe it will help with an investigation or prove a case in court.
What is the difference between cloning a phone and copying and pasting all of the info from a phone or laptop?
Only the active files, that is, the files currently listed on the device, are transferred in a classic copy-and-paste of data. Such a copy would not contain files that the user had deleted or overwritten. In criminal investigations, where there is a chance that incriminating data has been deleted, the imaging technique, also known as physical acquisition, becomes crucial.
The physical acquisition of mobile phone data entails a bit-for-bit transfer of the data to a physical storage device. This includes data that has been deleted. Other techniques (logical acquisition) copy only what the file system currently lists, not the deleted files.
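To make the difference between a logical copy and a physical (bit-stream) acquisition concrete, here is an added example on a constructed toy volume; it is not code from the article or from any forensic tool. The “filesystem” is a deliberately tiny 16-block structure with a directory table, but it has the property that matters on real media: deleting a file removes its directory entry, not its data blocks. The example shows that a copy-and-paste of the active files misses the deleted text, while the image still contains it in unallocated space and in the slack at the end of a newer file’s last block.

```python
"""Logical copy versus bit-stream image on a constructed toy volume (added example)."""
BLOCK = 64    # bytes per block on the toy volume
NBLOCKS = 16  # total blocks


def blocks_needed(nbytes: int) -> int:
    return -(-nbytes // BLOCK)  # ceiling division


class ToyVolume:
    """Raw medium plus a directory table: name -> (first_block, nbytes)."""

    def __init__(self) -> None:
        self.data = bytearray(BLOCK * NBLOCKS)  # medium starts zeroed
        self.directory: dict[str, tuple[int, int]] = {}

    def allocated_blocks(self) -> set[int]:
        used: set[int] = set()
        for start, nbytes in self.directory.values():
            used.update(range(start, start + blocks_needed(nbytes)))
        return used

    def write_file(self, name: str, content: bytes) -> None:
        need = blocks_needed(len(content))
        used = self.allocated_blocks()
        for start in range(NBLOCKS - need + 1):   # first-fit allocation
            if used.isdisjoint(range(start, start + need)):
                break
        else:
            raise OSError("volume full")
        off = start * BLOCK
        self.data[off:off + len(content)] = content   # tail of last block untouched
        self.directory[name] = (start, len(content))

    def delete_file(self, name: str) -> None:
        del self.directory[name]   # only the entry goes; the data blocks remain


def logical_copy(vol: ToyVolume) -> dict[str, bytes]:
    """What 'copy and paste' yields: active files only, at their recorded length."""
    return {name: bytes(vol.data[s * BLOCK:s * BLOCK + n])
            for name, (s, n) in vol.directory.items()}


def physical_image(vol: ToyVolume) -> bytes:
    """What a forensic clone yields: every byte of the medium, allocated or not."""
    return bytes(vol.data)


def carve_unallocated(image: bytes, directory: dict[str, tuple[int, int]]) -> list[bytes]:
    """Recover the contents of blocks that no directory entry points to."""
    allocated: set[int] = set()
    for s, n in directory.values():
        allocated.update(range(s, s + blocks_needed(n)))
    found = []
    for b in range(len(image) // BLOCK):
        if b not in allocated:
            chunk = image[b * BLOCK:(b + 1) * BLOCK].rstrip(b"\x00")
            if chunk:
                found.append(chunk)
    return found


def slack_space(image: bytes, directory: dict[str, tuple[int, int]]) -> dict[str, bytes]:
    """Bytes between each file's logical end and the end of its last block."""
    out = {}
    for name, (s, n) in directory.items():
        leftover = image[s * BLOCK + n:(s + blocks_needed(n)) * BLOCK].rstrip(b"\x00")
        if leftover:
            out[name] = leftover
    return out


def run_demo() -> dict:
    """Constructed scenario: two files are deleted, then a small new file reuses
    part of one of their blocks. Compare what each acquisition method sees."""
    vol = ToyVolume()
    note = b"NOTE: constructed sample text that the user later deleted"
    vol.write_file("photo.jpg", b"\xff\xd8" + b"JPEGDATA" * 14)           # blocks 0-1
    vol.write_file("note.txt", note)                                      # block 2
    vol.write_file("draft.txt", b"DRAFT: second deleted file in unallocated space")  # block 3
    vol.delete_file("note.txt")
    vol.delete_file("draft.txt")
    vol.write_file("todo.txt", b"buy milk")   # first-fit: overwrites first 8 bytes of block 2
    logical = logical_copy(vol)
    image = physical_image(vol)
    return {
        "logical_files": sorted(logical),
        "deleted_note_in_logical_copy": note[8:] in b"".join(logical.values()),
        "deleted_note_in_physical_image": note[8:] in image,
        "unallocated_recovered": carve_unallocated(image, vol.directory),
        "slack_recovered": slack_space(image, vol.directory),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Note that the partially overwritten note survives only as slack behind todo.txt, which is why examiners hash and preserve the whole image rather than just the files a directory listing reports.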
Can the data, or allegedly incriminating chats etc., found using imaging be used as evidence in a court of law? According to Special IG Brijesh Singh, who previously led the Maharashtra cyber police, information found on a device can be used in court against an individual if it is accompanied by a 65(B) Information Technology Act certificate, which specifies how electronic devices must be handled to be admissible (for example, not being tampered with). It thus has evidentiary value in a court of law, in addition to being used as an investigative tool.
What are some examples of how mobile forensic cloning has aided detectives?
Apart from other terror-related incidents, Payal Tadvi, a second-year resident doctor at Nair Hospital in Mumbai who was allegedly driven to suicide on May 22, 2019, was one of the best examples of forensic cloning of a mobile phone. Her parents claimed that three doctors had harassed her, and the Maharashtra Forensic Science Laboratory (FSL) was able to recover a snapshot of a suicide note she had written from a forensic clone of her phone. The three doctors, who were eventually charged with aiding suicide, allegedly removed the suicide note from her phone, according to authorities. The memo, however, was discovered and utilized as important evidence against the three doctors.
Is it possible to retrieve all data deleted from your phone or laptop? Is the information on your phone/laptop that you sell or give away for repairs at risk?
This depends on the device to some extent. Data that has been deleted from a device can usually be retrieved using recovery software. However, data recovery is difficult on some Apple and BlackBerry smartphones, and on these phones a factory reset may make it hard to recover data.
However, to prevent data on a device that you sell from being recovered and potentially used for extortion, it is recommended that you encrypt files on the device and then perform a factory reset before selling it. Most Android phones provide the option of encrypting data in their settings. You then give it a password or PIN.
Is encryption enough to protect data?
Regardless of whether encryption is used, the security of your data is determined by the strength of the encryption. A method known as “brute-force acquisition” extracts a password or PIN by trial and error. Several law enforcement agencies purchase such tools for criminal investigations, particularly in terrorism cases.