Well, 2 TB thumb drives do exist, but they are very rare and outrageously expensive.
3 days to image 2 TB is very believable over USB-2. Optimum performance would be about 1.5 days.
I definitely want to see the partition structure!
… to see if someone had a 'simple' explanation based on previous experience as to why these files weren't just showing up on your "normal/typical" OS/Explorer, and there was some method for hiding the contents….
If there's an NTFS partition, I'd immediately think ADS (Alternate Data Stream).
My initial hypothesis was that the files were not "hidden" on purpose but the drive as you suggest is garbage and faulty, but the fact still remains that IF this person was not 'tech-savvy', the CP was there, and he must have had access to it somehow. The files don't show up in FTK as deleted files. That's why I wanted to post it here to see if someone had a 'simple' explanation based on previous experience as to why these files weren't just showing up on your "normal/typical" OS/Explorer, and there was some method for hiding the contents. I'll speak with the investigators as well to expand info on the surrounding circumstances.
I think you're making dangerous leaps here. Based on what you've said, I don't see how you could state anything about whether the person in possession of the stick had access to the "CP".
It still sounds most likely this material is just deleted or you're seeing oddities as a result of broken file-systems.
At best, at this time, it sounds like all you could say is there was this material on the stick at some point in time, and more work needs to be done to investigate the state of your forensic image / file-system / records.
If this is beyond your capabilities - perhaps you could attack this from a different angle - and examine other computers in the case to try to identify a) if this USB stick was plugged into them at any point; b) whether files of the same name/hash as the CP are present; c) whether records of accessing files of the same name as these CP items are present.
It still sounds most likely this material is just deleted or you're seeing oddities as a result of broken file-systems.
Based on the existing information at this point in time fully agree. There is a certain likelihood that someone, who had these illicit images on his USB thumb drive, tried to delete the folder that could bring him into a prison. And that failed.
regards, Robin
I don't think this matches all your symptoms but still worth bearing in mind. There was discussion a few years ago about recycled memory chips ending up in 'New' devices with some content preserved. I couldn't quickly find a relevant presentation but https://www.ontrack.com/uk/blog/the-world-of-data/why-does-your-brand-new-usb-stick-have-data-on-it/ is related. If you already think the device is dubious, worth considering the integrity of the components.
… at an improbability level of two to the power of two-hundred and seventy-six thousand, seven-hundred and nine to one against - possibly much higher
https://
Come on …
If the Swedish guy had found the photos of the Chilean guy's daughter's wedding (as opposed to his driver's license), that would increase the improbability level, but not much.
jaclaz
Fair enough, too quick to post without thinking about the likelihood. I should have picked up on my own warning sign when I started it with a caveat!
Best go get a nice hot cup of tea.