5GB of Data off of a 4GB SD Card??

(@dbflynn)
Posts: 10
Active Member
Topic starter
 

I was recently asked to recover some pictures from a 4GB SD Card. The card was being difficult and was not recognized by anything. I formatted the card and was able to recover 5.22 GB worth of pictures, over 11,000. This is probably a rookie question, but how does this happen?

I guess I am asking in the event that I have a case with a similar issue and am asked on the stand. If anyone knows of some published material on the subject I would like to take a look at it.

Thanks

 
Posted : 01/09/2010 5:54 am
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

Well, to begin with, how do you know that the card is 4GB?

 
Posted : 01/09/2010 6:12 am
(@mobileforensicswales)
Posts: 274
Reputable Member
 

This may simply be a case that you don't know your tool well enough or you don't understand the configuration you've given it. I'll explain it with an example

FF D8 FF 00 00 00 00 00 00 FF D8 FF 65 7F 54 00 … so on so forth

If you ran a JPEG finder over the above mentioned hex for the header of a jpeg, (in this example I have chosen simply FF D8 FF) you will get 2 hits.

"FF D8 FF 00 00 00 00 00 00" is clearly not enough info to store a JPEG (of course these are zeros which would also not store image data but please treat them as example nonsense filler data)

Even though this isn't enough data to hold an image, if you tell your file carver to

#######

Start at n byte

Read 3 Bytes
IF data string = FF D8 FF THEN
Save where I am
Carve out 500 Bytes of Data
Else n++ LOOP

(very bad pseudo I know but I'm not a programmer)

#######

The file carver will see that first header and create a 500Byte file which will not work.

Unless EVERY header on your piece of media is DEFINITELY a JPEG, you can easily expect more data to be carved than the original media was meant to have held in total. You get this a lot in RAW scans.

I would say (depending on your file type) use a piece of DR software that can also include a footer analysis. Try it with and without and compare the results. You might find a carve with a header and footer is better for you, you might not, it depends entirely on your drive and whether the user's footers have been overwritten.

As you have an SD card, I'm guessing you're looking for JPEGs; you cannot rely on a footer. So carve away and just trawl through your 5GB.

If you are having problems opening corrupt JPEGs, try IrfanView. Very good bit of free software that will (at times) open some of the most messed up photos

Hope this explained it

PS As per the post above, don't ever rule out larger capacities than what's on the label, criminals are tricky and can peel them off and change them. If you need 100% clarity, look at the NAND

 
Posted : 01/09/2010 12:57 pm
(@mscotgrove)
Posts: 938
Prominent Member
 

What process did you use for recovery? Did it include logical reading that could have read the same file twice due to corrupted directory information?

If it was straight carving, I don't think you will get more data as most carving routines will scan the disk once and just save the files sequentially.

Can you see from the log if multiple files have the same start location, or have duplicate hash values?

 
Posted : 01/09/2010 4:57 pm
(@dficsi)
Posts: 283
Reputable Member
 

Let's also not discount thumbnails too. If each image had its own thumbnail the file carver could be carving the large pictures and the embedded thumbnails as separate images too.

 
Posted : 01/09/2010 5:25 pm
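The effect described in the replies above (fixed-size carving on every FF D8 FF hit, and embedded thumbnails being carved as separate images) can be reproduced on a small constructed buffer. This is an added example, not part of any poster's message or any tool's code; the sample bytes, the 100-byte carve size and all function names are assumptions made for illustration, and the nesting check is a simplification of real JPEG parsing.

```python
SOI = b"\xff\xd8\xff"  # header signature used in the post
EOI = b"\xff\xd9"      # JPEG end-of-image marker (footer)

def find_all(data, sig):
    hits, i = [], data.find(sig)
    while i != -1:
        hits.append(i)
        i = data.find(sig, i + 1)
    return hits

def carve_fixed(data, size):
    # The post's pseudocode: every header hit yields `size` bytes, valid or not.
    return [(off, data[off:off + size]) for off in find_all(data, SOI)]

def matching_eoi(data, off):
    # Offset just past the EOI closing the SOI at `off`, or -1. Nested pairs
    # (embedded thumbnails) are counted so the outer footer is the one used.
    depth, i = 0, off
    while i < len(data):
        if data.startswith(SOI, i):
            depth, i = depth + 1, i + len(SOI)
        elif data.startswith(EOI, i):
            depth, i = depth - 1, i + len(EOI)
            if depth == 0:
                return i
        else:
            i += 1
    return -1

def carve_footer(data):
    # Header+footer carve: skip headers inside a file already carved,
    # and drop headers that never reach a closing footer.
    out, end = [], 0
    for off in find_all(data, SOI):
        stop = matching_eoi(data, off) if off >= end else -1
        if stop != -1:
            out.append((off, data[off:stop]))
            end = stop
    return out

def summarize(carves):
    # Total bytes written, and how many carves start inside the previous one.
    total = sum(len(blob) for _, blob in carves)
    overlaps = sum(1 for (a, x), (b, _) in zip(carves, carves[1:]) if b < a + len(x))
    return total, overlaps

def build_media():
    # Constructed sample: stray header, then a photo with an embedded thumbnail.
    thumb = SOI + b"\xdb" + b"t" * 20 + EOI
    photo = SOI + b"\xe1" + b"x" * 10 + thumb + b"p" * 100 + EOI
    return SOI + b"\x00" * 36 + photo + b"\x00" * 40

if __name__ == "__main__":
    media = build_media()
    print(len(media), summarize(carve_fixed(media, 100)), summarize(carve_footer(media)))
```

Overlapping start/end ranges in a carver's log are the same signal asked about above: carved files whose extents overlap account for output that exceeds the media size.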
(@douglasbrush)
Posts: 812
Prominent Member
 

I was recently asked to recover some pictures from a 4GB SD Card. The card was being difficult and was not recognized by anything.

Anything seems pretty absolute 😉 Have some examples of your approach?

 
Posted : 01/09/2010 7:04 pm
(@mobileforensicswales)
Posts: 274
Reputable Member
 

I formatted the card

Sorry I just noticed this, did you not like the File Allocation Table the card was already using? Even if it was partially corrupt you may have been able to get files out. Just a quick bit of advice for the future, if you had enough access for a format, you may have had enough for a partial/full recovery.

Before changing the card in the future, check the Windows disk manager 😉

 
Posted : 01/09/2010 7:08 pm
(@dbflynn)
Posts: 10
Active Member
Topic starter
 

Well, to begin with, how do you know that the card is 4GB?

You are correct in the assumption that I did not check anything other than the label on the front. However, this was given to me by a friend and I didn't think it necessary.

 
Posted : 02/09/2010 5:57 am
(@dbflynn)
Posts: 10
Active Member
Topic starter
 

stezer2000 -

There were quite a few non-working jpegs. I had guessed at something like you stated, although not in such a technical way.

DFICSI-

I also thought about the thumbnails, I wasn't sure I was right though.

douglasbrush -

It wasn't recognized by XP or Vista when normally attached. Each time I tried to open it I was only given the option to format the card. I couldn't load it into FTK or EnCase because it wasn't recognized.

 
Posted : 02/09/2010 6:04 am
(@dbflynn)
Posts: 10
Active Member
Topic starter
 

Thank you all for your input. I am glad to see such a response to an easy question. I think I'll post another

 
Posted : 02/09/2010 6:07 am