
Format Date of FAT 32 memorycard.

(@thomass30)
Estimable Member
Joined: 9 years ago
Posts: 110
Topic starter  

Hello
Is it possible to determine the date when a FAT32 microSD card was formatted?
There is no label set.

There is no $MFT file because of the FAT32 filesystem.

There is a hidden system folder "System Volume Information" with a creation date, but I don't think the date is reliable because there are also user data files on the card with an earlier creation date (2 April 2020) than System Volume Information (6 April 2020).
Can the format date of a FAT32 memory card be clearly identified?


   
(@mansiu)
Trusted Member
Joined: 16 years ago
Posts: 83
 

If you have a rough idea about the format time, you can try this:

https://www.digital-detective.net/documents/Volume%20Serial%20Numbers.pdf


   
jaclaz
(@jaclaz)
Illustrious Member
Joined: 18 years ago
Posts: 5133
 

See also this
https://www.forensicfocus.com/Forums/viewtopic/t=2134/

https://msfn.org/board/topic/152097-on-superfloppies-and-their-images/page/6/?tab=comments#comment-980297

jaclaz


   
benfindlay
(@benfindlay)
Estimable Member
Joined: 16 years ago
Posts: 142
 

It occurs to me that a makeshift way to find this out would be to use the MAC times of key filesystem artefacts like the "System Volume Information" folder and the "IndexerVolumeGuid" file. I suspect these are created at the point of format, or at least within a matter of seconds of the format completing.

Please do some testing before taking my word for it though - this is just a hunch off the top of my head!

Hope this helps,

Ben


   
(@Anonymous 6593)
Guest
Joined: 17 years ago
Posts: 1158
 

> I suspect these are created at the point of format, or at least within a matter of seconds of the format completing.

So the question arises if formatting has taken place at all. Most, probably all, SD cards I've bought have been pre-formatted – basically a master image of a formatted drive has been written to the disk. If so, initial timestamps are probably not even related to the individual card.

In such case, any additional folders are probably created on first mount on a Windows system, or on first file system activity that uses these folders.

Only way to know for sure is probably to buy a similar, factory-fresh SD and examine it.

(I get visions of forensic research institutes budgeting for 'all the new SD cards we need to buy next year' and allocating time for doing the follow up research about artifacts created on first mount on different platforms … )


   
jaclaz
(@jaclaz)
Illustrious Member
Joined: 18 years ago
Posts: 5133
 

> So the question arises if formatting has taken place at all.

Very correct question.

I would add that the SystemInformation folder is created at the time the volume is connected (mounted) on a Windows system. I doubt that in the factory they use Windows to format the SD card, and the final customer may well buy the card (already formatted), insert it in a device (let's say a digital camera), take a few shots on - say - the 2nd of April, and then connect the SD card to a Windows system only some 4 days later to copy/store them or to print/send them.

jaclaz


   
benfindlay
(@benfindlay)
Estimable Member
Joined: 16 years ago
Posts: 142
 

> > So the question arises if formatting has taken place at all.
>
> Very correct question.
>
> I would add that the SystemInformation folder is created at the time the volume is connected (mounted) on a Windows system. I doubt that in the factory they use Windows to format the SD card, and the final customer may well buy the card (already formatted), insert it in a device (let's say a digital camera), take a few shots on - say - the 2nd of April, and then connect the SD card to a Windows system only some 4 days later to copy/store them or to print/send them.
>
> jaclaz

Interesting! Both of you make really good points here, definitely worth testing and following up on if possible.

Jaclaz, I'm curious about your point that they probably don't use Windows to format the SD card - what system do you suspect they would use? This may produce artefacts in and of itself.

Thanks,

Ben


   
jaclaz
(@jaclaz)
Illustrious Member
Joined: 18 years ago
Posts: 5133
 

> Jaclaz, I'm curious about your point that they probably don't use Windows to format the SD card - what system do you suspect they would use? This may produce artefacts in and of itself.

Well, I would not use Windows to format FAT32 cards in a factory, or - maybe more correctly - I wouldn't mount the drive in Windows nor use the built-in format.com.

The standard "format" will write to the bootsector:
a. the jump bytes
b. the BPB (Bios Parameter Block)
c. the (Windows, be it NTLDR or BOOTMGR) boot code [1]
d. the volume serial (possibly using the same date/time based DOS algorithm we have seen)
e. the Magic Bytes 55 AA

Then it will have a number of not-needed "reserved sectors", usually 31, some of which will be perfectly blank, BUT a few will have the other parts of the boot code and their backup:
f. partially populated "reserved sectors"

After those the two FATs are written, though actually they consist only of a few bytes at the beginning of the first sectors of each FAT, in the case of FAT32:
g. FAT tables incipits
h. depending on the settings used a "label" (which essentially is a "special" folder) might (or might not) be added.

Then, when the volume is mounted, the SystemVolumeInformation folder is created silently:
i. SystemVolumeInformation folder

What is actually *needed*:
a. the jump bytes (two or three, depending on whether a short or long jump is used, either E9 00 or EB XX 90 [3])
b. the BPB
c. NOT needed
d. the volume serial (and here I would use an actual serial for the SD card, not a calculated one)
e. the Magic Bytes
f. NOT needed
g. FAT tables incipits
h. NOT needed
i. NOT needed

This is easily (and in a faster way) obtained by using an "image" and dd or similar, or a (command line) hex disk editor.

Besides the 31 "wasted" sectors, the amount of reserved sectors might be used to "align" data to the memory page file (though the usual 32 is "good enough").

jaclaz

[1] in Windows/FAT32 the boot code actually uses 3 sectors (the bootsector + another 2 sectors) + the RRAA sector and there is also normally a backup of some of them
[2] sectors LBA 0 (Bootsector) and sectors LBA1 (the RRAA) and LBA2 + a copy of them on LBA 6,7,8 and the subroutine bootsector on LBA13 [4]
[3] https://msfn.org/board/topic/152097-on-superfloppies-and-their-images/?do=findComment&comment=987482
[4] https://thestarman.pcministry.com/asm/mbr/FAT32xp7comp.htm


   
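Added example (not part of the thread and not any poster's code): a Python reader that reports, for a raw FAT32 volume image, the boot-area items listed in the post above (jump bytes, reserved-sector count, volume serial, boot code, 55 AA signature, populated reserved sectors), which is what an examiner would compare between a card and a factory-fresh one of the same model. Field offsets follow the standard FAT32 boot sector layout; the function names, sample image, OEM name and serial are constructed for illustration.

```python
import struct

SECTOR = 512  # sector size used for the constructed sample image


def summarize_fat32_boot(image: bytes) -> dict:
    """Report boot-sector and reserved-area contents of a FAT32 volume image."""
    bs = image[:SECTOR]
    bytes_per_sec, _spc, reserved = struct.unpack_from("<HBH", bs, 0x0B)
    fsinfo_lba, backup_lba = struct.unpack_from("<HH", bs, 0x30)
    (serial,) = struct.unpack_from("<I", bs, 0x43)
    # Reserved sectors after LBA 0 that hold any non-zero byte
    populated = [
        lba for lba in range(1, reserved)
        if any(image[lba * bytes_per_sec:(lba + 1) * bytes_per_sec])
    ]
    return {
        "jump": bs[0:3].hex(" ").upper(),
        "oem_name": bs[3:11].decode("ascii", "replace").rstrip(),
        "reserved_sectors": reserved,
        "fsinfo_lba": fsinfo_lba,
        "backup_boot_lba": backup_lba,
        "volume_serial": f"{serial >> 16:04X}-{serial & 0xFFFF:04X}",
        "label": bs[0x47:0x52].decode("ascii", "replace").rstrip(),
        "boot_code_present": any(bs[0x5A:0x1FE]),
        "signature_55aa": bs[0x1FE:0x200] == b"\x55\xAA",
        "populated_reserved_sectors": populated,
    }


def build_minimal_sample() -> bytes:
    """Constructed image: jump, BPB, serial and 55 AA only; 32 reserved sectors."""
    bs = bytearray(SECTOR)
    bs[0:3] = b"\xEB\x58\x90"                     # short jump + NOP
    bs[3:11] = b"SAMPLE  "                        # constructed OEM name
    struct.pack_into("<HBH", bs, 0x0B, SECTOR, 8, 32)
    bs[0x10] = 2                                  # two FATs
    struct.pack_into("<HH", bs, 0x30, 1, 6)       # FSInfo at LBA 1, backup at LBA 6
    bs[0x42] = 0x29                               # extended boot signature
    struct.pack_into("<I", bs, 0x43, 0x1234ABCD)  # constructed serial
    bs[0x47:0x52] = b"NO NAME    "
    bs[0x52:0x5A] = b"FAT32   "
    bs[0x1FE:0x200] = b"\x55\xAA"
    return bytes(bs) + bytes(SECTOR * 31)


if __name__ == "__main__":
    img = bytearray(build_minimal_sample())
    print(summarize_fat32_boot(bytes(img)))
    img[SECTOR:SECTOR + 4] = b"RRaA"              # FSInfo lead signature at LBA 1
    print(summarize_fat32_boot(bytes(img))["populated_reserved_sectors"])
```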
(@thomass30)
Estimable Member
Joined: 9 years ago
Posts: 110
Topic starter  

Thank you very much for your replies.


   