
How to find if a HDD is Cloned?

10 Posts
6 Users
0 Likes
1,661 Views
(@vkskain)
Posts: 14
Active Member
Topic starter
 

Hello Team,

How to find if a Hard disk drive is cloned or Original???

 
Posted : 10/02/2020 11:22 am
Bunnysniper
(@bunnysniper)
Posts: 257
Reputable Member
 

Hello Team,

How to find if a Hard disk drive is cloned or Original???

If you find a second drive with the same content and hash. There is no magic key in the registry like "CLONED=1".

 
Posted : 10/02/2020 12:02 pm
(@vkskain)
Posts: 14
Active Member
Topic starter
 

Hello Team,

How to find if a Hard disk drive is cloned or Original???

If you find a second drive with the same content and hash. There is no magic key in the registry like "CLONED=1".

Hey, thanks for the input.

There is no second drive with which we can compare…but let's assume that we get the second HDD with same content and Hash, then how can we identify which one is cloned and which one is original.

To the best of my knowledge I know that the cloning is a bit by bit exact replica of the source drive and there are no logs generated which can differentiate between them, but my query is that IS THERE ANY METHOD WHICH WE CAN USE TO IDENTIFY IF THE DRIVE IS CLONED OR NOT, IF IT IS POSSIBLE TO DO SO?

 
Posted : 10/02/2020 2:49 pm
(@rich2005)
Posts: 535
Honorable Member
 

Hello Team,

How to find if a Hard disk drive is cloned or Original???

If you find a second drive with the same content and hash. There is no magic key in the registry like "CLONED=1".

Hey, thanks for the input.

There is no second drive with which we can compare…but let's assume that we get the second HDD with same content and Hash, then how can we identify which one is cloned and which one is original.

To the best of my knowledge I know that the cloning is a bit by bit exact replica of the source drive and there are no logs generated which can differentiate between them, but my query is that IS THERE ANY METHOD WHICH WE CAN USE TO IDENTIFY IF THE DRIVE IS CLONED OR NOT, IF IT IS POSSIBLE TO DO SO?

Whilst not conclusive - suppose you might draw an inference from the SMART data. If one drive had 10 power on hours, and the other 3000, and both with activity spanning years, the one with 10 hours would be more suspicious.

 
Posted : 10/02/2020 2:54 pm
Bunnysniper
(@bunnysniper)
Posts: 257
Reputable Member
 

IS THERE ANY METHOD WHICH WE CAN USE TO IDENTIFY IF THE DRIVE IS CLONED OR NOT

It is not necessary to scream that loud here, really not. Only a few of us need glasses or a hearing aid, we are not as old as we look, JUNIOR!

Back to the question: this must be answered outside of traditional forensics.
Rich2005 already suggested comparing power cycles, and there is more you can do:

- check the serial numbers of the drives on the vendor website. You might find the year and calendar week the drive was made
- compare the most recent time stamps from files with the production date of the drive
- compare with similar devices (if two similar Lenovo laptops in your company have drives from Toshiba and you find one from Seagate, you might [that is not 100% sure, double check that!] have found it)
- use enhanced question techniques to ask the suspect which is the original drive and which is the clone
- find the receipt for one of the hard drives in his Amazon account or his Visa card details

regards, Robin

 
Posted : 10/02/2020 4:08 pm
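The SMART and production-date comparisons suggested in the two posts above can be put side by side in a short script. This is an added example, not code from any poster in the thread: it reads the `power_on_time.hours` field from `smartctl --json` output, and the sample drives, timestamps and the `min_duty` threshold are constructed assumptions. A hit is an indicator to follow up, not proof.

```python
import json
from datetime import datetime, timezone

# Constructed samples: trimmed `smartctl --json -a` output for two drives.
SUSPECT = '{"power_on_time": {"hours": 10}, "power_cycle_count": 4}'
REFERENCE = '{"power_on_time": {"hours": 3000}, "power_cycle_count": 900}'

def utc(year, month, day):
    return datetime(year, month, day, tzinfo=timezone.utc)

# Constructed file-system timestamps spanning about three years.
ACTIVITY = [utc(2017, 1, 15), utc(2018, 6, 2), utc(2020, 1, 20)]

def clone_indicators(smart_json, file_times, manufactured=None, min_duty=0.01):
    """Compare the drive's own history with the history of the data on it.

    file_times   -- timestamps recovered from the file system (MFT, logs, ...)
    manufactured -- production date looked up from the serial number, if known
    min_duty     -- assumed threshold: lowest plausible share of the activity
                    span during which the drive was powered on
    """
    smart = json.loads(smart_json)
    hours = smart.get("power_on_time", {}).get("hours")
    first, last = min(file_times), max(file_times)
    span_hours = (last - first).total_seconds() / 3600
    found = []
    if hours is None:
        found.append("no power-on hours reported; SMART comparison not possible")
    elif span_hours > 0 and hours / span_hours < min_duty:
        # The data claims years of use, the hardware only a few hours.
        found.append(f"{hours} power-on hours against "
                     f"{span_hours:.0f} hours of file activity")
    if manufactured is not None and first < manufactured:
        # Files older than the disk itself were written somewhere else first.
        days = (manufactured - first).days
        found.append(f"file activity starts {days} days before the drive was made")
    return found

if __name__ == "__main__":
    print("suspect:", clone_indicators(SUSPECT, ACTIVITY, utc(2019, 3, 4)))
    print("reference:", clone_indicators(REFERENCE, ACTIVITY, utc(2016, 5, 1)))
```
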
minime2k9
(@minime2k9)
Posts: 481
Honorable Member
 

Depends on what is meant by 'cloned'. If we are talking in a forensic sense then it becomes harder due to it being an exact duplicate.

If we are talking in an IT sense, it may depend on the drive. If it wasn't forensically wiped first, you may find artifacts belonging to a different operating system or similar items.

My second question would be why?
If both disks are identical (by hash) clones, what does it matter beyond being identical?

 
Posted : 10/02/2020 6:24 pm
Passmark
(@passmark)
Posts: 376
Reputable Member
 

If the clone was moved to a new machine and booted, then I would expect more device drivers to be installed on the clone drive (and thus more registry entries).

For example, if the original machine had an Intel network adaptor and the clone was used in a machine with an ASUS network adaptor, then you might find both the Intel and ASUS drivers installed. (Windows auto-installs common drivers on boot up.)

 
Posted : 11/02/2020 2:29 am
(@vkskain)
Posts: 14
Active Member
Topic starter
 

IS THERE ANY METHOD WHICH WE CAN USE TO IDENTIFY IF THE DRIVE IS CLONED OR NOT

regards, Robin

Hi, my apologies if I have offended anyone…I wanted to just highlight the question. My pleasure being your junior. Thanks for the updates, all of your points are insightful…I will definitely consider all points and will let you know the outcome. Thanks again.

 
Posted : 11/02/2020 7:48 am
(@vkskain)
Posts: 14
Active Member
Topic starter
 

Depends on what is meant by 'cloned'. If we are talking in a forensic sense then it becomes harder due to it being an exact duplicate.

If we are talking in an IT sense, it may depend on the drive. If it wasn't forensically wiped first, you may find artifacts belonging to a different operating system or similar items.

My second question would be why?
If both disks are identical (by hash) clones, what does it matter beyond being identical?

Hello, we have checked if the drive contained other artifacts from different OS as per your suggestion but haven't found anything like that, this may be possible if the hard drive was forensically wiped before cloning.

Answer to your second question is that there is no second hard drive to compare, so we're trying every possible method and scenario for this situation…we just need to prove that the hard drive in custody is cloned or not as we have received information from an anonymous source that the original HDD may have already been moved from the crime scene which contains more latest crucial data. Thank you.

 
Posted : 11/02/2020 8:10 am
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

Hello, we have checked if the drive contained other artifacts from different OS as per your suggestion but haven't found anything like that, this may be possible if the hard drive was forensically wiped before cloning.

NO.
And NO.

This makes no sense whatsoever, if a disk has been cloned it has been cloned, whether the second specimen has been wiped before or not, there won't be ANY difference, it is a clone.

Answer to your second question is that there is no second hard drive to compare, so we're trying every possible method and scenario for this situation…we just need to prove that the hard drive in custody is cloned or not as we have received information from an anonymous source that the original HDD may have already been moved from the crime scene which contains more latest crucial data. Thank you.

And again, IF another disk drive exists and it contains more (or only different) data THEN what you have in your hands is not a clone, it is *something else*, a (poor) copy, a fake copy, a manipulated copy, a brand new disk, whatever BUT NOT a clone.

jaclaz

 
Posted : 11/02/2020 12:02 pm