Stolen Chip

How to determine if a memory chip used to belong to someone else

A recent inquiry we received was from someone who thought they may have come across their memory stick that had gone missing a few months before. The current ‘owner’ said it was their own memory stick; the previous owner thought otherwise. How can CnW tools help to establish who may be correct?

Finding previous files
Assuming that the memory chip has no physical markings, the only way to determine possible previous ownership is by discovering previously written files. Most memory chips are FAT16 or FAT32. It is also very likely that a stolen chip will have been reformatted, so normal deleted files will not be found. Fortunately, the formatting procedure only rewrites the main file system areas, so the FAT and root directory will be cleared, but not the main memory.

The first approach will be a full Image raw scan, where files are detected by their signatures. This is a very good method of extracting JPEGs, and if the first owner had photos, these may still be seen, and will be conclusive proof. The second approach will be a logical recovery, but based on scanning for directory stubs. In this mode, the whole memory chip is scanned for subdirectories, so original file names and dates may be found, even if the associated data has been overwritten.
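The directory-stub scan can be illustrated in Python as follows. This is an added example, not CnW's code: it looks at each sector of a raw image for the "." and ".." entries that begin every FAT subdirectory and decodes the short names, dates and sizes that follow. The function names, the 512-byte sector size, the 4096-byte read limit and the sample image are assumptions made for the illustration.

```python
import struct
from datetime import datetime

SECTOR = 512                      # assumed sector size
DOT, DOTDOT = b".".ljust(11), b"..".ljust(11)   # 8.3 names, space padded

def fat_datetime(date, time):
    """Decode FAT date/time words; None if the fields are not a valid date."""
    try:
        return datetime(1980 + (date >> 9), (date >> 5) & 0xF, date & 0x1F,
                        time >> 11, (time >> 5) & 0x3F, (time & 0x1F) * 2)
    except ValueError:
        return None

def is_dir_stub(sec):
    """Subdirectory data starts with '.' and '..' entries flagged as directories."""
    return (sec[0:11] == DOT and bool(sec[11] & 0x10) and
            sec[32:43] == DOTDOT and bool(sec[43] & 0x10))

def parse_entries(image, off, max_bytes=4096):
    """Read 32-byte entries after the stub; max_bytes is an assumed cluster size."""
    found = []
    for pos in range(off + 64, min(off + max_bytes, len(image) - 31), 32):
        e = image[pos:pos + 32]
        if e[0] == 0x00:          # end-of-directory marker
            break
        if e[11] == 0x0F:         # long-filename entry, not decoded here
            continue
        deleted = e[0] == 0xE5    # first name byte is overwritten on delete
        base = (b"?" + e[1:8] if deleted else e[0:8]).decode("ascii", "replace")
        ext = e[8:11].decode("ascii", "replace").rstrip()
        wtime, wdate, _, size = struct.unpack_from("<HHHI", e, 22)
        found.append((base.rstrip() + ("." + ext if ext else ""), deleted,
                      fat_datetime(wdate, wtime), size))
    return found

def scan_image(image):
    """Return [(offset, entries)] for every sector that begins with a stub."""
    return [(off, parse_entries(image, off))
            for off in range(0, len(image) - 63, SECTOR)
            if is_dir_stub(image[off:off + 64])]

def sample_image():
    """Constructed test data: a wiped 4-sector image with one leftover subdirectory."""
    ent = lambda n, a, d=0, t=0, s=0: struct.pack("<11sB10xHHHI", n, a, t, d, 0, s)
    d, t = (2019 - 1980) << 9 | 6 << 5 | 14, 10 << 11 | 30 << 5
    stub = (ent(DOT, 0x10) + ent(DOTDOT, 0x10) + ent(b"HOLIDAY JPG", 0x20, d, t, 123456)
            + ent(b"\xe5ETTER  DOC", 0x20, d, t, 2048))
    return bytes(2 * SECTOR) + stub.ljust(SECTOR, b"\0") + bytes(SECTOR)
```

Calling `scan_image(sample_image())` reports one stub at offset 1024 holding `HOLIDAY.JPG` and the deleted entry `?ETTER.DOC`, both dated 2019-06-14 10:30, even though the rest of the image is blank.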

A final point to investigate is slack space. This is a feature of the forensic option. It will produce a data file with fragments of data that have not been entirely overwritten. Analysis is rather more complex, but one may just possibly come across a unique string of data, such as the first user’s name.

Likely success rate
The success of the above approaches depends a lot on how the chip was used before and after the ‘change of ownership’. If the first owner had filled the chip, and had lots of subdirectories, there will be a lot of potential evidence that could remain. If the first user was a light user, and the second user a very heavy user, then it will be very unlikely to prove that the chip was stolen.