Home > Articles > Hardware

This chapter is from the book

Removable Memory

Today, it is rare for an investigator to simply seize a laptop computer and then only analyze that computer’s hard drive. The investigator must also consider the myriad of removable storage devices that are so pervasive today because of the low cost of removable memory. It is important to consider all potential storage when drafting a warrant and when conducting a search; you must understand how these devices are connected to the computer, understand trace evidence, and know the types of files that may be stored on these devices. This is easier said than done, given that removable memory has become smaller and more varied, with more wireless capabilities. This section provides some helpful advice on how to deal with removable memory.

FireWire

FireWire is the Apple version of IEEE 1394, which is a serial bus interface standard for high-speed data transfer. FireWire (see Figure 3.16) provides for higher data transfer speeds than USB wire, with speeds up to 400Mbps (megabits per second). FireWire 400 (1394-1995) can transfer data between devices at speeds ranging from 100, 200, or 400 megabits per second full duplex, and the cable length can measure up to 14.8 feet. FireWire 800 (1394b-2002) can transfer data at rates of 782.432 megabits per second full duplex. Apple, which has been largely responsible for the development of FireWire, has been slowly phasing out this protocol in favor of its Thunderbolt interface. Chapter 11, “Mac Forensics,” details how helpful FireWire can be for acquiring a forensic image from an Apple Mac using an Apple Mac.

FIGURE 3.16

FIGURE 3.16 FireWire cables

USB Flash Drives

As noted in Chapter 2, each time a device is connected to a computer, information about that device is recorded in Windows File Registry. Figure 3.17 shows exactly where in the registries USB device connections are recorded.

FIGURE 3.17

FIGURE 3.17 Registry Editor

These file registry entries are important in showing a history of what devices were connected to a computer. Every USB device has a serial number that is recorded in the subkey for that USB registry.

Access to files on a USB is not a forgone conclusion, however, because many of these storage devices have utilities built in. For example, Ironkey USB devices use AES 256-bit encryption to protect files on the device. These devices protect the user and enterprise from theft of intellectual property; after a series of unsuccessful attempts to access the device, the device automatically reformats the drive.

The file system found on a USB flash memory device is usually FAT, a file system that most computers recognize, although the device can be formatted to support other file systems.

External Hard Drives

There are generally two types of external hard drives: a USB-powered hard drive and an external drive that uses the USB interface for data transfer but uses an adapter to power the drive. Housed within the casing, an investigator usually finds a Serial ATA hard disk drive. This is important to know because if there is a limited amount of time to acquire evidence or the external hard drive cannot be removed from the premises, then it is probably advisable to remove the hard disk drive from the outer casing. By removing the drive from the casing, a cloning device can be used to make a copy of the external drive. If the hard disk drive is not removed from its casing, then the drive must be imaged using a write-blocker connected to a laptop. The Western Digital external hard disk drive in Figure 3.18 houses a 2.5-inch drive. A mini USB port is used for both power and data transfer to a computer.

FIGURE 3.18

FIGURE 3.18 Western Digital (WD) external hard drive

In some cases, a cloning device may not be workable, so an investigator should always bring a write-blocker (including a USB write-blocker). For imaging and validating the drive, an investigator can bring FTK Imager Lite on a USB or perhaps carry Raptor 2.0 on a USB or bootable CD. Imaging a 250GB drive, with verification, using FTK Imager Lite could take just over two hours whereas cloning that same drive could take approximately 40 minutes. When cloning or imaging a hard drive, it is proper protocol to place the source and destination hard drives on an antistatic, rubberized mat to avoid any electromagnetic interference. Hard drives should also be transported in antistatic bags.

External hard drives are mostly used today for backups or as an extension to a computer’s memory. An examiner should be aware that an external hard disk drive could contain any number of file systems, including (Windows) NTFS or (Mac) HFS+. More important, if the external drive is connected to a PC with Windows 7 installed and BitLocker To Go is running, then disconnecting the drive from the computer may encrypt that external drive. In other words, think before you remove any USB device that is connected to a live system. Of course, external drives can also be eSATA or FireWire. Newer drives may also have software installed for backing up the drive, perhaps to a cloud service. It is important to check for all installed software utilities on the suspect’s drive and note that backup software and other data integrity utilities can be present on a separate partition.

MultiMedia Cards (MMCs)

A MultiMedia card is storage memory that was developed by Siemens AG and SanDisk for use in portable devices, like cameras. MMCs are not as popular as they once were because they have largely been replaced by secure digital (SD) cards. An MMC has a standard size of 24mm × 32mm × 1.4mm. MultiMedia cards replaced SmartMedia cards, which Toshiba developed in 1995, and had a storage capacity of 16 MB–128 MB. As you can see in Figure 3.19, a SmartMedia card is very similar in appearance to an SD card.

FIGURE 3.19

FIGURE 3.19 SmartMedia card

Secure Digital (SD) Cards

A Secure Digital (SD) card is a file storage device that was developed for use in portable electronics, like cameras. The association that developed SD cards and set the standard for this memory is a joint venture between Matsushita Electrical Industrial Co., Ltd. (Panasonic); SanDisk Corporation; and Toshiba Corporation.

The standard size for an SD card is 24mm wide and 32mm long, with a thickness of 2.1mm (see Figure 3.20). It is possible to find SD cards, which have a capacity of up to 4GB. The standard size is often used in digital cameras, and many laptops come with an SD card slot and reader as standard. More recently, SDHC (Secure Digital High Capacity) cards began to appear in the market, beginning with a capacity of 4GB. SDHC cards can go up to 32GB. Even more recently, 64GB cards began to appear with the emergence of SDXC (Secure Digital eXtended Capacity). Secure Digital cards are formatted with the FAT32 file system.

FIGURE 3.20

FIGURE 3.20 Secure Digital card

Note that some SD cards are WiFi enabled with preinstalled utilities. Some of these utilities can automatically send photos to a mobile device, upload files to social media sites, or even add files to a cloud service. Generally, a logo on the SD card indicates that the card is WiFi enabled, but this might not always be the case; the investigator should be cognizant of these wireless capabilities.

If you encounter an SD card during an investigation, it is proper protocol to set the write-protect switch to on, when present on the card, to prevent any data from being written to this memory. Of course, the investigator will use a write-blocker before examining any removable memory, like an SD card.

A miniSD is 20 mm wide and 21.5 mm long. The microSD format was developed by SanDisk. A microSD card can be used in a Standard Digital card reader with the use of an SD adapter. microSD cards are often found in cellular telephones, and therefore they can be a valuable source of evidence. Additionally, many cellphone forensic imaging or cloning devices cannot read the contents of the microSD card, so the card may have to be removed and imaged separately.

CompactFlash (CF) Cards

CompactFlash (see Figure 3.21) is a memory card that was first developed by SanDisk for use in portable electronics, like digital cameras. A CompactFlash (CF) can have two different dimensions: (a) Type I is 43mm × 36mm × 3.3mm, and (b) Type II is 43mm × 36mm × 5mm. CompactFlash cards are not as popular today as Secure Digital cards, but they do have an effective file storage system and can potentially support up to 100GB of memory.

FIGURE 3.21

FIGURE 3.21 CompactFlash

Memory Sticks

A Memory Stick (see Figure 3.22) is Sony’s proprietary memory card that was introduced in 1998. Unlike many other flash memory manufacturers, Sony also produces many of the electronic devices that support its memory card. Sony manufactures televisions, laptops, cellular telephones, digital cameras, video recorders, game consoles, MP3 players, and numerous other electronic devices, all of which support additional memory through the use of a Memory Stick. The original Memory Stick was replaced by the Memory Stick PRO in 2003, to enable a greater storage capacity. The PRO series utilizes FAT12, FAT16, and FAT32 file systems. The Memory Stick Duo was a smaller memory card that was developed to fit well into small handheld devices. Other versions of the Memory Stick were developed to increase memory capabilities and to support high-definition video capture.

FIGURE 3.22

FIGURE 3.22 Memory Stick

More recently, the Memory Stick XC (Extended High Capacity) series was released by Sony and SanDisk. These memory cards have the potential to store up to 2TB of memory. The XC series uses the exFAT (FAT64) file system. This series have maximum data transfer rates up to 160 Mbps and 480Mbps depending upon the XC model.

The important point for investigators to note is that if a suspect owns Sony products, Memory Sticks could be present in these devices. For example, a Sony television might have a Memory Stick inserted. Moreover, that memory card will probably contain files uploaded from a computer.

xD Picture Cards

Introduced in 2002, xD (Extreme Digital) Picture Cards were developed by Olympus and Fujifilm for digital cameras and some voice recorders. These memory cards have been slowly phased out by Olympus and Fujifilm in favor of the more popular SD cards.

Hardware for Reading Flash Memory

There are a few ways to securely view the contents of flash memory cards. One tool is Digital Intelligence’s UltraBlock Forensic Card Reader and Writer (see Figure 3.23). This device is connected to a computer via the USB port (2.0 or 1.0) and can read the following media:

  • CompactFlash
  • MicroDrive
  • Memory Stick
  • Memory Stick PRO
  • Smart Media Card
  • xD Picture Card
  • Secure Digital Card (SD and SDHC)
  • MultiMedia Card
FIGURE 3.23

FIGURE 3.23 UltraBlock Forensic Card Reader and Writer

A regular memory card reader could be used in addition to a USB write-blocker to ensure that the data is viewed forensically. A write-blocker is a hardware device that allows an individual to read data from a device, like a hard drive, without writing to that device. An investigator could connect a media card reader to Digital Intelligence’s UltraBlock USB Write Blocker, which would be connected to a computer, where the media card’s contents would be viewed or acquired.

Compact Discs

A compact disc (CD), also known as an optical disc, is a polycarbonate plastic disc with one or more metal layers, used to store data digitally. A CD is usually 1.2mm thick and weighs 15–20 grams. Aluminum is generally used for the metallic surface. Data is stored to the disc and read from the disc using a laser. The laser that writes data to a disc reaches a temperature of 500–700 degrees Centigrade. Because the data is stored through a laser, CDs are not vulnerable to electromagnetic charges. The high temperatures used in storing the data cause the metal alloy to liquefy, and the reflective state changes. Lands are the reflective surfaces on a CD burned flat by a laser. Pits are the less reflective surfaces on a CD that have not been burned by a laser. The differences between the reflective and less reflective surfaces can be translated to binary (0s, 1s).

CDs were initially developed by Sony and Philips to store and play audio files. Later the CD-ROM was developed for data storage. A CD-R allows data to be stored once. Because a CD-R can only have data written to it once, handling this type of CD in a forensically sound manner does not require a write-blocker. A CD-RW, on the other hand, allows data to be written multiple times to the disc. Today a standard CD generally has a storage capacity of 700MB.

ISO 9660, introduced in 1988, refers to the standard for optical discs and their file system. ISO 9660 is also called CDFS (Compact Disc File System), and it was created to support different operating systems, like Windows and Mac OS. Other file systems can also be supported by CDs; however, these include Joliet, UDF, HSG, HFS, and HFS+. Joliet allows for longer filenames, which are associated with more recent versions of Windows. Because other file systems can exist on a CD, it is important to remember that a CD used in a Windows computer may show that it is invalid if an HFS+ file system resides on the disk. This means that specialized tools may be required to access the files stored on a CD. IsoBuster, for example, is a data recovery tool for CD, DVD, and Blu-ray. InfinaDyne’s CD/DVD Inspector is a specialized tool for a forensic acquisition of files from CDs and DVDs. It should be noted that an .iso file, which is an image of an optical disk, may be saved on the hard drive of a suspect’s computer or on another storage device.

The International Standardization Organization (ISO) in Geneva, Switzerland, has created this standard to facilitate the use of CDs on Windows, Macintosh, and UNIX computers. Frames consist of 24 bytes and are the smallest unit of memory on a CD-ROM. A sector on a CD-ROM consists of 98 frames (2352 bytes).

Compact Disc–Rewritable (CD-RW)

A CD-RW usually stores less data than a CD (570MB instead of 700MB). A track on a compact disc is a group of sectors that are written to at one time. A session on a compact disc is a group of tracks recorded at the same time. The table of contents (TOC) records the location of the start address, the session number, and track information (music or video) on a compact disc. The TOC is an example of a session, and every session contains a TOC. If the TOC cannot be read by the computer’s CD-ROM drive, then the compact disc will not be recognized. A full erase of a CD-RW deletes all data on a disc. However, a quick erase will only remove all references to tracks and sessions, leaving the land and pits unchanged. Nevertheless, the CD-RW will not be recognized because the sessions have been removed.

CnW Recovery is a tool that claims to recover disc data that has been through the quick erase process. Ultimately, when a quick erase has been performed, it is possible to recover the data on a CD-RW. When a full erase has been executed, the data cannot be recovered.

DVDs

A digital video (or versatile) disc (DVD) is an optical disc with a large storage capacity that was developed by Philips, Sony, Toshiba, and Time Warner. A single-sided DVD generally has a capacity of 4.7GB. Other DVD formats can store more than 17GB of data. Their large storage capacity makes them ideal for storing video files, which are often very large in size. A DVD player uses a red laser (650 nanometers) to read data from a DVD disc.

Blu-ray Discs

A Blu-ray disc (BD) is a high-capacity optical disc that can be used to store high-definition video. A single-layer disc has a storage capacity of 25GB, while dual-layer disc can store 50GB of data. Also available are 3D Blu-ray players and discs. A firmware upgrade available for Sony’s PlayStation 3 facilitates 3D Blu-ray playback as well. The name of this storage media comes from the blue laser (405nm) used to read the disc; this laser enables more data to be stored than the red laser used in DVDs. Standards for these optical discs have been developed and are maintained by the Blu-ray Disc Association (www.blu-raydisc.com).

From a forensics perspective, Blu-ray discs have limited value because both the Blue-ray burner and recordable discs are still prohibitively expensive for the average consumer; a suspect is more likely to store video on a hard drive or burn video files onto a DVD. Nevertheless, there are two different recordable formats. A BD-R disc can be written to once, while a BD-RE can be used for re-recording.

Companies like Digital Forensics Systems produce devices for imaging and analyzing CDs, DVDs, and BDs.

Floppy Disks

A floppy disk is a thin, flexible, plastic computer storage disc that is housed in a rigid plastic rectangular case. Files are stored on the disk magnetically. These disks have historically come in 8-inch (see Figure 3.25), 5¼-inch, and 3½-inch (see Figure 3.26) sizes. Initially, these disks were used to store a computer’s operating system. Subsequently, they were used for general file storage purposes. The 3½-inch disk was introduced in 1987; its storage capacity ranges from 720KB to 1.4MB.

FIGURE 3.25

FIGURE 3.25 8-inch floppy disk drive

FIGURE 3.26

FIGURE 3.26 3½-inch floppy disk drive

IBM invented the floppy disk drive, which was used to store and read data from floppy disks.

Floppy disks have been largely replaced by flash memory, optical disks, and external hard drives. An investigator who encounters floppy disks during an investigation is more likely to find the PC-compatible 1440KB format. Floppy disks are formatted with the FAT12 file system. All of these disks will only have either one or two clusters.

A forensic image of a floppy disk can be made by using the following Linux command:

# dd if=/dev/fd0 of=/evidence/floppy1.img bs=512

In the previous command, “/dev/fd0” refers to the floppy disk drive. The “bs=512” refers to the block size (bs), which is 512K.

Of course, prior to inserting any disk you should make sure that the disk is set to write-protected. You should then make a bit-for-bit copy of the floppy disk and lock the original disk in an evidence locker away from any potential magnetic interference. To view the files on the disk, you can use the following command:

# ls /dev/fd0

Zip Disks

A zip disk is a removable storage medium that was developed by Iomega in the early 1990s. Zip disks originally came with a 100MB capacity and subsequently increased to 750MB. They were introduced as an alternative to floppy disks, which have a lower storage capacity. A zip drive, where zip disks are loaded, can be either an internal or an external drive. Zip drives and their disks have largely been replaced by CDs and the more popular, smaller, flash memory devices.

Magnetic Tapes

Magnetic tape is a thin plastic strip with a magnetic coating that is used for storing audio, video, and data. Because data is stored magnetically, an investigator must be careful to keep magnetic tapes away from all types of magnetism. Magnetic tapes differ in the way that data is retrieved because they must be read in a linear fashion, from the start of the tape through the end of the tape. This often makes the process of acquiring data from magnetic tape much longer.

The use of audio tapes in investigations has become less important. This is also true of video tapes used in a video cassette recorder (VCR).

Magnetic Tapes (Data Storage)

Forensic imaging and analysis of magnetic tapes (see Figure 3.27) used for data storage on servers is a challenge. Many different proprietary server systems exist, which makes it impossible to have a single solution. An analysis of the physical surface can be conducted using a complicated process known as magnetic force microscopy. This method can be used to uncover wiped or overwritten data.

FIGURE 3.27

FIGURE 3.27 Magnetic tape for data storage

Generally, data is recorded to a magnetic tape in blocks. Data at the block level can be accessed using the dd command. In computer investigations, dd is a UNIX command that produces a raw data image of a storage medium, like a hard drive or magnetic tape, in a forensically sound manner. The dd command is written in such a way that the image is copied to a hard drive, which allows for better search capabilities. A magnetic tape has no hierarchical file system because files are stored sequentially or in a tape partition. Partitions on magnetic tapes allow users to group files in “tape directories.” When a sector is only partially used by a file, the remainder of the sector is referred to as memory slack, buffer slack, or RAM slack. Similar to hard disks, file slack can contain remnants of data from previously existing files.

InformIT Promotional Mailings & Special Offers

I would like to receive exclusive offers and hear about products from InformIT and its family of brands. I can unsubscribe at any time.

Overview


Pearson Education, Inc., 221 River Street, Hoboken, New Jersey 07030, (Pearson) presents this site to provide information about products and services that can be purchased through this site.

This privacy notice provides an overview of our commitment to privacy and describes how we collect, protect, use and share personal information collected through this site. Please note that other Pearson websites and online products and services have their own separate privacy policies.

Collection and Use of Information


To conduct business and deliver products and services, Pearson collects and uses personal information in several ways in connection with this site, including:

Questions and Inquiries

For inquiries and questions, we collect the inquiry or question, together with name, contact details (email address, phone number and mailing address) and any other additional information voluntarily submitted to us through a Contact Us form or an email. We use this information to address the inquiry and respond to the question.

Online Store

For orders and purchases placed through our online store on this site, we collect order details, name, institution name and address (if applicable), email address, phone number, shipping and billing addresses, credit/debit card information, shipping options and any instructions. We use this information to complete transactions, fulfill orders, communicate with individuals placing orders or visiting the online store, and for related purposes.

Surveys

Pearson may offer opportunities to provide feedback or participate in surveys, including surveys evaluating Pearson products, services or sites. Participation is voluntary. Pearson collects information requested in the survey questions and uses the information to evaluate, support, maintain and improve products, services or sites, develop new products and services, conduct educational research and for other purposes specified in the survey.

Contests and Drawings

Occasionally, we may sponsor a contest or drawing. Participation is optional. Pearson collects name, contact information and other information specified on the entry form for the contest or drawing to conduct the contest or drawing. Pearson may collect additional personal information from the winners of a contest or drawing in order to award the prize and for tax reporting purposes, as required by law.

Newsletters

If you have elected to receive email newsletters or promotional mailings and special offers but want to unsubscribe, simply email information@informit.com.

Service Announcements

On rare occasions it is necessary to send out a strictly service related announcement. For instance, if our service is temporarily suspended for maintenance we might send users an email. Generally, users may not opt-out of these communications, though they can deactivate their account information. However, these communications are not promotional in nature.

Customer Service

We communicate with users on a regular basis to provide requested services and in regard to issues relating to their account we reply via email or phone in accordance with the users' wishes when a user submits their information through our Contact Us form.

Other Collection and Use of Information


Application and System Logs

Pearson automatically collects log data to help ensure the delivery, availability and security of this site. Log data may include technical information about how a user or visitor connected to this site, such as browser type, type of computer/device, operating system, internet service provider and IP address. We use this information for support purposes and to monitor the health of the site, identify problems, improve service, detect unauthorized access and fraudulent activity, prevent and respond to security incidents and appropriately scale computing resources.

Web Analytics

Pearson may use third party web trend analytical services, including Google Analytics, to collect visitor information, such as IP addresses, browser types, referring pages, pages visited and time spent on a particular site. While these analytical services collect and report information on an anonymous basis, they may use cookies to gather web trend information. The information gathered may enable Pearson (but not the third party web trend services) to link information with application and system log data. Pearson uses this information for system administration and to identify problems, improve service, detect unauthorized access and fraudulent activity, prevent and respond to security incidents, appropriately scale computing resources and otherwise support and deliver this site and its services.

Cookies and Related Technologies

This site uses cookies and similar technologies to personalize content, measure traffic patterns, control security, track use and access of information on this site, and provide interest-based messages and advertising. Users can manage and block the use of cookies through their browser. Disabling or blocking certain cookies may limit the functionality of this site.

Do Not Track

This site currently does not respond to Do Not Track signals.

Security


Pearson uses appropriate physical, administrative and technical security measures to protect personal information from unauthorized access, use and disclosure.

Children


This site is not directed to children under the age of 13.

Marketing


Pearson may send or direct marketing communications to users, provided that

  • Pearson will not use personal information collected or processed as a K-12 school service provider for the purpose of directed or targeted advertising.
  • Such marketing is consistent with applicable law and Pearson's legal obligations.
  • Pearson will not knowingly direct or send marketing communications to an individual who has expressed a preference not to receive marketing.
  • Where required by applicable law, express or implied consent to marketing exists and has not been withdrawn.

Pearson may provide personal information to a third party service provider on a restricted basis to provide marketing solely on behalf of Pearson or an affiliate or customer for whom Pearson is a service provider. Marketing preferences may be changed at any time.

Correcting/Updating Personal Information


If a user's personally identifiable information changes (such as your postal address or email address), we provide a way to correct or update that user's personal data provided to us. This can be done on the Account page. If a user no longer desires our service and desires to delete his or her account, please contact us at customer-service@informit.com and we will process the deletion of a user's account.

Choice/Opt-out


Users can always make an informed choice as to whether they should proceed with certain services offered by InformIT. If you choose to remove yourself from our mailing list(s) simply visit the following page and uncheck any communication you no longer want to receive: www.informit.com/u.aspx.

Sale of Personal Information


Pearson does not rent or sell personal information in exchange for any payment of money.

While Pearson does not sell personal information, as defined in Nevada law, Nevada residents may email a request for no sale of their personal information to NevadaDesignatedRequest@pearson.com.

Supplemental Privacy Statement for California Residents


California residents should read our Supplemental privacy statement for California residents in conjunction with this Privacy Notice. The Supplemental privacy statement for California residents explains Pearson's commitment to comply with California law and applies to personal information of California residents collected in connection with this site and the Services.

Sharing and Disclosure


Pearson may disclose personal information, as follows:

  • As required by law.
  • With the consent of the individual (or their parent, if the individual is a minor)
  • In response to a subpoena, court order or legal process, to the extent permitted or required by law
  • To protect the security and safety of individuals, data, assets and systems, consistent with applicable law
  • In connection the sale, joint venture or other transfer of some or all of its company or assets, subject to the provisions of this Privacy Notice
  • To investigate or address actual or suspected fraud or other illegal activities
  • To exercise its legal rights, including enforcement of the Terms of Use for this site or another contract
  • To affiliated Pearson companies and other companies and organizations who perform work for Pearson and are obligated to protect the privacy of personal information consistent with this Privacy Notice
  • To a school, organization, company or government agency, where Pearson collects or processes the personal information in a school setting or on behalf of such organization, company or government agency.

Links


This web site contains links to other sites. Please be aware that we are not responsible for the privacy practices of such other sites. We encourage our users to be aware when they leave our site and to read the privacy statements of each and every web site that collects Personal Information. This privacy statement applies solely to information collected by this web site.

Requests and Contact


Please contact us about this Privacy Notice or if you have any requests or questions relating to the privacy of your personal information.

Changes to this Privacy Notice


We may revise this Privacy Notice through an updated posting. We will identify the effective date of the revision in the posting. Often, updates are made to provide greater clarity or to comply with changes in regulatory requirements. If the updates involve material changes to the collection, protection, use or disclosure of Personal Information, Pearson will provide notice of the change through a conspicuous notice on this site or other appropriate way. Continued use of the site after the effective date of a posted revision evidences acceptance. Please contact us if you have questions or concerns about the Privacy Notice or any objection to any revisions.

Last Update: November 17, 2020