5GB of Data off of a 4GB SD Card??  

dbflynn
(@dbflynn)
New Member

I was recently asked to recover some pictures from a 4GB SD Card. The card was being difficult and was not recognized by anything. I formatted the card and was able to recover 5.22 GB worth of pictures, over 11,000. This is probably a rookie question, but how does this happen?

I guess I am asking in the event that I have a case with a similar issue and am asked on the stand. If anyone knows of some published material on the subject I would like to take a look at it.

? Thanks

Posted : 01/09/2010 6:54 am
keydet89
(@keydet89)
Community Legend

Well, to begin with, how do you know that the card is 4GB?

Posted : 01/09/2010 7:12 am
mobileforensicswales
(@mobileforensicswales)
Active Member

This may simply be a case that you don't know your tool well enough or you don't understand the configuration you've given it. I'll explain it with an example.

FF D8 FF 00 00 00 00 00 00 FF D8 FF 65 7F 54 00 … so on so forth

If you ran a JPEG finder over the above mentioned hex for the header of a JPEG (in this example I have chosen simply FF D8 FF), you will get 2 hits.

"FF D8 FF 00 00 00 00 00 00" is clearly not enough info to store a JPEG (of course these are zeros which would also not store image data but please treat them as example nonsense filler data)

Even though this isn't enough data to hold an image, if you tell your file carver to

#######

Start at n byte

Read 3 Bytes
IF data string = FF D8 FF THEN
Save where I am
Carve out 500 Bytes of Data
Else n++ LOOP

(very bad pseudo I know but I'm not a programmer)

#######

The file carver will see that first header and create a 500-byte file which will not work.

Unless EVERY header on your piece of media is DEFINITELY a JPEG, you can easily expect more data to be carved than the original media was meant to have held in total. You get this a lot in RAW scans.

I would say (depending on your file type) use a piece of DR software that can also include a footer analysis. Try it with and without and compare the results. You might find a carve with a header and footer is better for you, you might not; it depends entirely on your drive and whether the users' footers have been overwritten.

As you have an SD card, I'm guessing you're looking for JPEGs; you cannot rely on a footer. So carve away and just trawl through your 5GB.

If you are having problems opening corrupt JPEGs, try IrfanView. Very good bit of free software that will (at times) open some of the most messed-up photos.

Hope this explained it.

PS As per the post above, don't ever rule out larger capacities than what's on the label; criminals are tricky and can peel them off and change them. If you need 100% clarity, look at the NAND.

Posted : 01/09/2010 1:57 pm
mscotgrove
(@mscotgrove)
Senior Member

What process did you use for recovery? Did it include logical reading that could have read the same file twice due to corrupted directory information?

If it was straight carving, I don't think you will get more data as most carving routines will scan the disk once and just save the files sequentially.

Can you see from the log if multiple files have the same start location, or have duplicate hash values?

Posted : 01/09/2010 5:57 pm
DFICSI
(@dficsi)
Active Member

Let's also not discount thumbnails too. If each image had its own thumbnail the file carver could be carving the large pictures and the embedded thumbnails as separate images too.

Posted : 01/09/2010 6:25 pm
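The three points above (mobileforensicswales's header-only carver that cuts a fixed 500 bytes at every FF D8 FF hit, mscotgrove's suggestion to check whether carved files share a start location, and DFICSI's point about embedded thumbnails being carved as separate images) can all be seen on one small constructed image. The script below is an added example, not code from any poster or tool in this thread; the "media" it builds is invented (a stray header with nothing behind it, one photo wrapping a complete thumbnail JPEG, one plain photo, zero padding), and the assumed scanning rule is that the carver resumes one byte after each hit, as the pseudocode's loop implies. It reports how many bytes a header-only carve and a header-plus-footer carve each produce from a 703-byte image.

```python
import hashlib
from typing import List, Tuple

JPEG_HEADER = b"\xff\xd8\xff"   # SOI marker plus the leading byte of the next marker
JPEG_FOOTER = b"\xff\xd9"       # EOI marker
CARVE_LEN = 500                 # fixed carve length from the forum pseudocode

Carve = Tuple[int, bytes]       # (start offset on the media, carved bytes)


def make_jpeg(payload: bytes) -> bytes:
    """Constructed stand-in for a JPEG: SOI, an APP0 marker byte pair, payload, EOI."""
    return b"\xff\xd8\xff\xe0" + payload + JPEG_FOOTER


def build_media() -> bytes:
    """Constructed 'SD card' image (assumption, not real evidence):
    a stray header with no image behind it, a photo that embeds a complete
    thumbnail JPEG (as EXIF-bearing photos do), a second plain photo, zero padding."""
    stray = JPEG_HEADER + b"\x00" * 20                   # header bytes, no image
    thumb = make_jpeg(b"T" * 40)                         # embedded thumbnail
    photo = make_jpeg(b"\xff\xe1" + thumb + b"P" * 300)  # outer photo wrapping it
    second = make_jpeg(b"Q" * 200)
    return stray + b"\x00" * 50 + photo + b"\x00" * 30 + second + b"\x00" * 40


def find_headers(media: bytes) -> List[int]:
    """Every offset where the header bytes occur. Scanning resumes one byte after
    each hit, so a header inside another file (a thumbnail) is found as well."""
    hits, n = [], media.find(JPEG_HEADER)
    while n != -1:
        hits.append(n)
        n = media.find(JPEG_HEADER, n + 1)
    return hits


def carve_header_only(media: bytes) -> List[Carve]:
    """The forum's carver: on every header hit, cut a fixed-length chunk."""
    return [(off, media[off:off + CARVE_LEN]) for off in find_headers(media)]


def carve_header_footer(media: bytes) -> List[Carve]:
    """Header + footer carving: cut from each header to the next footer after it.
    A header with no footer behind it (footer overwritten) is dropped."""
    out = []
    for off in find_headers(media):
        end = media.find(JPEG_FOOTER, off + len(JPEG_HEADER))
        if end != -1:
            out.append((off, media[off:end + len(JPEG_FOOTER)]))
    return out


def total_carved(files: List[Carve]) -> int:
    return sum(len(data) for _, data in files)


def nested_carves(files: List[Carve]) -> List[Tuple[int, int]]:
    """(outer_offset, inner_offset) pairs where one carve starts inside another:
    the same region of the media has been written out twice."""
    spans = [(off, off + len(data)) for off, data in files]
    return [(a, b) for a, end_a in spans for b, _ in spans if a < b < end_a]


def sha256_of(files: List[Carve]) -> List[str]:
    """Hashes of the carved files, for the duplicate-hash check suggested above."""
    return [hashlib.sha256(data).hexdigest() for _, data in files]


if __name__ == "__main__":
    media = build_media()
    ho = carve_header_only(media)
    hf = carve_header_footer(media)
    print(f"media size:     {len(media)} bytes")
    print(f"header-only:    {len(ho)} files, {total_carved(ho)} bytes carved")
    print(f"header+footer:  {len(hf)} files, {total_carved(hf)} bytes carved")
    for outer, inner in nested_carves(ho):
        print(f"  carve at offset {inner} starts inside the carve at offset {outer}")
    for (off, data), digest in zip(hf, sha256_of(hf)):
        print(f"  header+footer carve @ {off}: {len(data)} bytes, sha256 {digest[:16]}...")
```

On this image the header-only carve writes out more than twice the media's size (four hits, each padded to 500 bytes, with every later carve starting inside an earlier one), which is exactly the "5GB from a 4GB card" symptom. The header-plus-footer carve brings the total back under the media size, but note what it does to the outer photo: its first footer after the header belongs to the embedded thumbnail, so the outer image is truncated while the thumbnail comes out intact, and the stray header gets glued to that same footer as a junk file. That is why the advice above is to run both and compare rather than trust either count.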
douglasbrush
(@douglasbrush)
Senior Member

I was recently asked to recover some pictures from a 4GB SD Card. The card was being difficult and was not recognized by anything.

Anything seems pretty absolute 😉 Have some examples of your approach?

Posted : 01/09/2010 8:04 pm
mobileforensicswales
(@mobileforensicswales)
Active Member

I formatted the card

Sorry, I just noticed this. Did you not like the File Allocation Table the card was already using? Even if it was partially corrupt you may have been able to get files out. Just a quick bit of advice for the future: if you had enough access for a format, you may have had enough for a partial/full recovery.

Before changing the card in the future, check the Windows disk manager ;)

Posted : 01/09/2010 8:08 pm
dbflynn
(@dbflynn)
New Member

Well, to begin with, how do you know that the card is 4GB?

You are correct in the assumption that I did not check anything other than the label on the front. However, this was given to me by a friend and I didn't think it necessary.

Posted : 02/09/2010 6:57 am
dbflynn
(@dbflynn)
New Member

stezer2000 -

There were quite a few non-working jpegs. I had guessed at something like you stated, although not in such a technical way.

DFICSI-

I also thought about the thumbnails, I wasn't sure I was right though.

douglasbrush -

It wasn't recognized by XP or Vista when normally attached. Each time I tried to open it I was only given the option to format the card. I couldn't load it into FTK or EnCase because it wasn't recognized.

Posted : 02/09/2010 7:04 am
dbflynn
(@dbflynn)
New Member

Thank you all for your input. I am glad to see such a response to an easy question. I think I'll post another.

Posted : 02/09/2010 7:07 am
dbflynn
(@dbflynn)
New Member

As stezer2000 pointed out I don't know my tools well enough and am really trying to get some more experience and know-how. I have found myself irritated with FTK 3. I am working on a small thumbdrive image and have found some Excel spreadsheets. The spreadsheets were carved out of unallocated space.

Now, correct me if I am wrong, a file that is carved out of unallocated space will not have a file name or dates and times. FTK doesn't give me any, as I expected. However, using the free PinPoint Metaviewer I get the author, the program that created the file and version, the date and time created, last saved, and the last saved by identity.

Why doesn't FTK get this info? Is there something I am not doing right?

The data is listed in a section with "OLE Metadata" at the top. The "File System Metadata" is at the bottom and lists the date and time it was exported from FTK as reported by my machine. What is OLE Metadata?

Posted : 02/09/2010 7:16 am
BitHead
(@bithead)
Community Legend

Now, correct me if I am wrong, a file that is carved out of unallocated space will not have a file name or dates and times. FTK doesn't give me any as I expected,

You will not get the original file name when you carve a file from unallocated space with any program. And there will not be dates in the file attribute columns in FTK.

However, using the free PinPoint Metaviewer I get the author, the program that created the file and version, the date and time created, last saved, and the last saved by identity.

OK

Why doesn't FTK get this info? Is there something I am not doing right?

Probably because you are not looking at the metadata file. FTK sees the file, the metadata file, etc. as unique objects. I am not in front of an exam machine so I am not sure about carving options or how the files are listed once they are carved, however the file and associated OLE object should have similar names.

The data is listed in a section with "OLE Metadata" at the top. The "File System Metadata" is at the bottom and lists the date and time it was exported from FTK as reported by my machine. What is OLE Metadata?

In which program? FTK? I thought FTK was not showing metadata? Kind of jumping back and forth.

Object Linking and Embedding
Plenty written on OLE: OLE Concepts and Requirements Overview

Posted : 02/09/2010 9:41 am
dbflynn
(@dbflynn)
New Member

Sorry, the OLE Metadata shows in Pinpoint. I am pretty sure I checked the box to carve for meta files in FTK but didn't see any returned. I have seen the separate meta files that you are referring to in past examinations.

Posted : 02/09/2010 11:26 pm