- Hi, I asked a Mac advisor but didn’t get any helpful answers. I have 3 macs at home. I want to know if an SD card has ever been inserted into any one of these 3 macs. The sd card has never been inserted into any other computer before. Would inserting the SD card into all 3 macs and seeing the last opened date help me find that out? If it *hasn’t* been inserted into any of these 3 computers, what would I see in the last opened date info?
Hi pippin.
With a write blocker connect the SD card to a computer and check if the SD card has a .DS_Store file. This file contained attributes and other desktop configuration properties. If the SD card was ever inserted into a MAC, you should see one of these.
as far as identifying which MAC from the .DS_Store file, I can say. You may need to research, or do some testing to see what identifiable information you may be able to use to match the info to a specific MAC.
thank you so much!!
as I am not a digital forensics expert (just a layperson trying to get some answers), what’s a write blocker?
also,
which part of the SD card can I expect to find the .DS_Store file? Can I just do a search?
You said “ . This file contained attributes and other desktop configuration properties.“ does this work for laptops too, or do you mean all Mac computers? Sorry if I sound really dumb! Once again, thank you so much for your help!
I see.
Well, it is important that you do not connect the sd card to your MAC for this search unless you have a write blocker.
otherwise you will see the .DS_Store file there, but it may not signify it has ever been plugged in before but rather it shows up now because you inserted it now (I hope this made sense)
if you don’t have a write blocker, there are some software versions available (not as good and forensically sound as hardware wrote blockers, but you may be able to find one).
otherwise, my suggestion would be to plug the sd card to a Windows Machine instead for this search.
Windows won’t create the .DS_Store. If you want to do an extra step, you could set USB to read only by making a change in the registry.
but if this is not for a case and like you said, you are not looking to necessarily do this forensically, then my suggestion will be to do the search on a Windows machine.
connect to the SD card and make sure you Enable the option to view hidden files. Once you do this, you should see he .DS_Store file.
you could also download FTK imager (it’s free) and add the SD card (physical drive) into the “evidence tree” and browse through the directory to see if the file is there.
there are tons of YouTube videos on how to use FTK imager. It is very simple to use. 🙂
sorry, forgot to answer…
a write blocker is a piece of hardware (or software) that is used to prevent changes or any data to be written to the source.
they are sometimes called “Forensic bridges”.
so, you would connect your SD card to a write blocker, then the write blocker to the computer. This prevents any data from being written on your SD Card.
normally, as soon as you connect a thumb drive or other media to a computer, the computer makes changes such as writing property files and other things. In forensics, we want to prevent any changes on the source as we examine, so we always use write blockers to preserve the integrity of the evidence.