Well, any of the common commercial tools EnCase, AccessData FTK, X-Ways will do this. I didn't expect that you'd be conducting a forensic exam, yet be unfamiliar with those tools. That actually raises other concerns, like whether you're skilled in preserving evidence (e.g., write-blocked image acquisition and verification), and have the wealth of additional knowledge and skills digital forensic examiners need. I don't mean to question your capabilities. As this forum illustrates, each of us encounters new issues from time to time. Furthermore, if you're out of your depth, all is not lost, but you might want to find a local colleague who can assist you, because mistakes can be very costly.
If you still want to move forward, I'm a fan of X-Ways, but you can also check out this list http//
Scott,
Thanks for the reply. For what it's worth, I am quite familiar with EnCase, FTK, etc. I am an ENCE, and have worked on over 350 cases involving digital assets. I am quite capable of forensically acquiring digital data using best known practices and own several write blockers, drive duplicators, etc. to perform those tasks.
I've got the flash media mounted up in EnCase right now which is what I used to provide the information to this forum. Since EnCase and FTK are not necessarily "data recovery" applications, I was merely asking if anyone had encountered the scenario present here in this case with the repeating data streams separated by the 512 byte buffers.
The hex data that I posted earlier is not associated with any kind of file header that I have encountered before. My hope is that someone out here has seen this and can provide some insight related to how they proceeded.
If anyone HAS seen this pattern before and has a possible solution, I would still greatly appreciate it very much.
LOL. Then nothing I told you is news. Best of luck.
Has the card ever worked?
There are many 'fake memory cards' that say maybe 16GB but are in fact much smaller. The sympton is normally repeating data.
Try and change a few bytes in a sector at the end of the chip and see if the same change is then found earlier on in the chip.
Interesting idea Michael.
the piece of media has worked several times before, so I don't believe it's a fake.
I will change some a few of the bytes at the end of one of the sectors and see what happens to the beginning.
Thanks for the suggestion.
IThere are no partitions on the device, and none to be located. Here is what I am seeing on the physical volume
Beginning at PS 1, there are 32,256 bytes of data, followed by 512 bytes of a repeating string, and then back to the same 32,356 bytes.
You do get a complete image – 16Gbyte?
What's in PS0?
The structure you describe does not sound like encryption, unless it's terribly bad. Well enrypted data cannot be compressed very much – the degree by which you can encrypt this image would be an indicator of the likelihood that it has been through a good encryption high degree of compression, low likelihood. or … you may be able to calculate the entropy of the image and get your estimate that way.
If anything, it sounds more like you are seeing some kind of 32Mbyte structure that does not seem to fit the expected file system. (What IS in PS0?) A very tentative guess would be that you might be seeing data created by the Nikon formatting code, or by some kind of test program … or very remotely possible even low-level structure from the flash implementation (say, the result after a successful TRIM. Does repeated acquiry give exactly the same image?). Personally, though, I would suspect a factory-fresh card that hasn't been initialized – but as you say you know there are images on the device, I can only assume you also know that it has been initialized/formatted.
As you have a good CF … (is it the same model, by the way?) does it contain any unallocated space? What do you find in those? Anything that looks similar to what you see on the first CF? Is there any software included with Nikon cameras or Lexar media that allows a computer to initialize or adjust CFs in any way?
/begin Crazy idea
Do you have access to the camera? Do you have a spare 16GB CF card?
If so, try cloning your exhibit and then put the clone in the camera. If the camera reports no data, then you know it's not a RAW format.
/End Crazy idea