Greetings All
I have a Lexar Professional 400x 16GB CF Card that I am having difficulty identifying the data on it.
There are no partitions on the device, and none to be located. Here is what I am seeing on the physical volume
Beginning at PS 1, there are 32,256 bytes of data, followed by 512 bytes of a repeating string, and then back to the same 32,356 bytes.
for example, the first four bytes of the 32,256 are hex DF C3 7B E9…. (this 31.5k chunk of data is all the same and just keeps repeating through the entire physical device.
The 512 bytes in between however change between these 'chunks', for example, the area between the first two blocks of 'real' data are all hex 40 40 40 40…, where as the next 'break', will have all hex 80 80 80 80…
I know that there are Nikon (NEF) Raw images on this media, and have another known good card to compare it to. The known good card is formatted FAT32 and does not appear to have any remarkable characteristics to it.
Is anyone familiar with this type of structure that I'm encountering on the corrupt media? I believe I have evidence on it that could be crucial to my case. Any suggestions and help would be greatly appreciated.
Thanks in advance.
Is it 100% certain that this card is both in FAT32 format and the card has Nikon images on it? Is it also completely certain that this card is not encrypted?
Marc
I am not 100% certain that the questionable media is formatted FAT32, the good one that I'm comparing it to is however. As for encryption, I had considered that early on and am extremely doubtful that the media is encrypted.
Both of these pieces of media were used by the same fellow, taking pictures he shouldn't have been. I have some images I need from the media that is formatted FAT32, but not the ones I really need to make this case solid.
The guy that used the camera and these cards is not at all tech savvy, and there was an element of surprise when we confiscated it from him. He wouldn't have had the opportunity, or knowledge to attempt to take extreme measures to keep the images from him. It is possible that he reformatted it, but I doubt it.
It really has me puzzled!
Thinking outside of the box for a moment - can you re-check the search site or interrogate the perp? We once found a flash drive taped to the underside of a dresser. Most of these guys have a special place for the stuff they're not supposed to have, separate from their normal media.
I see where you're going Marc. It is in the best interest for this guy to be cooperative, and he is so even though I've been down that road before, that's not the case here.
He honestly has no idea that we're having problems with this piece of media.
If anyone else can help with what I originally submitted, please assist if you can.
Thanks again.
Did you try to decode the repeating bytes in any way? The first that comes to my mind reading this is refurbishment wiping. Maybe this data reveals some characteristics of devices to do that.
Another thought. Even if there's no recognizable file system, photos may be recoverable. I would probably carve the data with 2-3 commercial forensic software packages and see what they recover. If that produces useful results and you need to verify them before you feel comfortable testifying, you can do so manually with a hex editor.
It seems to me that you can still put on a strong case, even in the face of some unknowns, provided you can demonstrate that the data you recovered is actually present. Even in the absence of file system metadata, EXIF may give you everything you need.
I haven't tried to decode this information and am hoping to gain some additional direction because quite honestly, I don't know where to look next.
Thanks.
Understood. You don't need to manually carve the data. Just stand on the shoulders of giants and let the automated tools do their thing. The results will reveal what your next step should be.
Any recommendations on the best type of automated tool to possibly get this stuff back?
Any input is greatly appreciated.