by Mrich30 5434 days ago
I wonder how such analysis is conducted. Are there experts for both parties present? Or just the judge? Seems strange to allow one of the parties access to the computer; there should be a neutral person operating the computer and only doing stuff after both parties agree to it. Could take some time though...
3 comments

The analysis was conducted by an independent forensics firm. There are many of those; Facebook is apparently working with Stroz, one of the best.
To clarify, you hire some (really expensive) people who start by prying the computer apart and making a copy of the hard drive(s). They then go through it, looking for interesting stuff in files (Word documents can contain previous versions, for instance), in the browser history, in unused parts of the drive (i.e. for deleted files), etc. There is no "operating the computer" in the conventional sense involved: using the computer would destroy evidence (i.e. overwrite deleted files).

In cases like this, I'd imagine one would have an obligation to respect the owner's privacy (except where relevant to the case) - dragging all his/her porn into court is not exactly classy.

It is unlikely that FB was given free rein to the original hardware. A more likely case is that they were given a duped version of the drives.
A duped drive would be useless. When you delete a file, the OS marks it as gone, but the data is still physically on the drive until you overwrite it with more data. The forensics team would need access to the original drive to uncover that data.
Don't such forensic activities do a sector-for-sector copy of the original hard drive and work from there? So the access they need to the drive is limited to the time it takes to do an image copy.

So if by "duped drive" you mean an image copy, it is not useless.
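
Added example, not part of the thread: a toy model of the distinction the last two comments turn on, using a constructed disk and allocation table rather than a real filesystem or forensic tool. A file-by-file copy loses the deleted file's bytes, while a sector-for-sector image keeps them and can be checked against the original by hash.

```python
import hashlib

SECTOR = 512  # bytes per sector in this toy model

def make_disk():
    """Constructed toy disk: raw bytes plus a table of file name -> sector."""
    disk = bytearray(SECTOR * 8)
    table = {}
    for name, data, at in [("notes.txt", b"meeting notes", 1),
                           ("contract.doc", b"CONTRACT draft v1", 3)]:
        disk[at * SECTOR: at * SECTOR + len(data)] = data
        table[name] = at
    return disk, table

def delete(table, name):
    """Deleting drops the table entry only; the sector bytes stay on disk."""
    del table[name]

def file_level_copy(disk, table):
    """Copy only the files the table still lists onto a blank disk."""
    new = bytearray(len(disk))
    for slot, name in enumerate(sorted(table), start=1):
        src = table[name] * SECTOR
        new[slot * SECTOR:(slot + 1) * SECTOR] = disk[src:src + SECTOR]
    return bytes(new)

def sector_image(disk):
    """Sector-for-sector copy: every sector, allocated or not."""
    return b"".join(bytes(disk[off:off + SECTOR])
                    for off in range(0, len(disk), SECTOR))

def sha256(blob):
    return hashlib.sha256(blob).hexdigest()

def demo():
    disk, table = make_disk()
    delete(table, "contract.doc")          # file is "gone" as far as the OS is concerned
    image = sector_image(disk)
    files_only = file_level_copy(disk, table)
    return {
        "image_hash_matches_original": sha256(image) == sha256(bytes(disk)),
        "deleted_data_in_image": b"CONTRACT" in image,
        "deleted_data_in_file_copy": b"CONTRACT" in files_only,
        "live_file_in_file_copy": b"meeting notes" in files_only,
    }

if __name__ == "__main__":
    print(demo())
```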