Flash Drive Memory Specifics-For Legal Reasons

AI Thread Summary
Determining the exact time a file was saved on a flash drive is challenging, as the "Date Created" and "Date Modified" attributes can be manipulated by changing the computer's clock. Flash drives do not record the MAC addresses of computers they are plugged into, and while NTFS can offer some security parameters, these are rarely utilized on flash drives. The concept of wear leveling complicates data retrieval, as it randomizes write locations to prolong the device's lifespan, making it difficult to ascertain the order of file additions. Although it is possible to dump the contents of a flash drive for analysis, proving the sequence of events may require expertise in computer forensics. Consulting a qualified computer forensics expert is recommended for accurate insights.
unglax
I am involved in a legal case and I need to know some things about flash drives.

1. Does anyone know if it is possible to find out for sure exactly when a file was saved onto a flash drive? I know that you can access the "Date Created" and "Date Modified" information by right-clicking and then clicking "Properties", however, these dates can be easily faked just by changing the computer's clock time.


2. I would also like to know if there is some hidden function on flash drives that records the MAC address of the computers it was plugged into or records the order in which files were added, because then it would be possible to show that a certain file with a faked "Date Created" date, was actually added between two other files with non-faked "Date Created" dates which prove, or at least suggest, that it was added within a different time period.

3. Another possible route might be to show the order in which files were added by looking at the actual location of the data on the drives so it would also be helpful to know if flash drives fragment the data, or have it in continuous strips.

Btw: I am not going to use these responses for legal purposes or anything, I am just looking at possible avenues of further research, or expert testimony.
 
unglax said:
1. Does anyone know if it is possible to find out for sure exactly when a file was saved onto a flash drive? I know that you can access the "Date Created" and "Date Modified" information by right-clicking and then clicking "Properties", however, these dates can be easily faked just by changing the computer's clock time.
How else would the flash drive know - it doesn't have its own clock.


2. I would also like to know if there is some hidden function on flash drives that records the MAC address of the computers it was plugged into or records the order in which files were added, because then it would be possible to show that a certain file with a faked "Date Created" date, was actually added between two other files with non-faked "Date Created" dates which prove, or at least suggest, that it was added within a different time period.
There isn't a recording of the MAC address - this only applies to network cards. The NTFS file system does have some extra security parameters to do some of the things you want - but it is almost never used on a flash drive.

3. Another possible route might be to show the order in which files were added by looking at the actual location of the data on the drives so it would also be helpful to know if flash drives fragment the data, or have it in continuous strips.
Tricky - the problem is that flash drives have what's called wear leveling.
Each memory location in a flash drive can only be written to a certain number (50,000 - 1M) of times before it is damaged. Because memory at the front of the device would be used more often than the end - there is extra circuitry that randomizes the parts of the key used so the whole device wears out at the same rate.
To further complicate matters you cannot erase an individual cell in a flash memory - you must erase an entire page and write in entire blocks, so when a file is added it might erase the end of an existing file, write the new file and then write the end of the existing file somewhere else.

P.S. This is also different for NAND flash (typically used in USB keys/digital camera memory cards) and NOR flash (used for storing settings inside microcontrollers).

You can fairly easily dump the entire contents of a USB flash drive as just numbers and search through for earlier versions of a file but even with the help of the maker of that particular chip you would probably have a job proving the sequence of events.
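As an added illustration of the dump-and-search approach mentioned above (this is not code from the thread), the following Python sketch carves 32-byte FAT directory entries, including deleted ones, out of a raw image and flags entries whose creation stamp is earlier than that of an entry in a lower directory slot. It assumes a FAT-formatted drive; the function names and the sample image are hypothetical and constructed for the example. Because slots freed by deletion are typically reused, a flagged entry is a lead for an examiner, not proof of sequence.

```python
import struct
from datetime import datetime
ENTRY = struct.Struct("<11sBBBHHHHHHHI")  # 32-byte FAT short-name directory entry

def fat_dt(date, time):
    """Decode FAT date/time words (2-second resolution); None if not a valid date."""
    try:
        return datetime(1980 + (date >> 9), (date >> 5) & 0xF, date & 0x1F,
                        time >> 11, (time >> 5) & 0x3F, (time & 0x1F) * 2)
    except ValueError:
        return None

def carve_entries(image):
    """Scan each 32-byte slot of a raw dump; keep plausible file entries, deleted ones too.
    Empty slots, long-name fragments, directories, labels and non-printable names are skipped."""
    found = []
    for off in range(0, len(image) - 31, 32):
        name, attr, _, _, ctime, cdate, _, hi, wtime, wdate, lo, size = ENTRY.unpack_from(image, off)
        deleted = name[0] == 0xE5  # first name byte is overwritten with 0xE5 on delete
        valid = ((deleted or 0x20 < name[0] < 0x7F) and not attr & 0xD8
                 and all(0x20 <= b < 0x7F for b in name[1:]))
        created, written = fat_dt(cdate, ctime), fat_dt(wdate, wtime)
        if not valid or created is None or written is None:
            continue
        base = ("?" if deleted else chr(name[0])) + name[1:8].decode().rstrip()
        found.append({"offset": off, "name": base + "." + name[8:].decode().rstrip(), "size": size,
                      "deleted": deleted, "created": created, "written": written, "cluster": (hi << 16) | lo})
    return found

def out_of_sequence(entries):
    """Names whose creation stamp is earlier than that of an entry in a lower slot."""
    flagged, latest = [], None
    for e in entries:
        if latest and e["created"] < latest:
            flagged.append(e["name"])
        latest = max(latest, e["created"]) if latest else e["created"]
    return flagged

def make_entry(name, stamp, cluster, deleted=False):
    """Build one constructed entry (sample data only); created == written == stamp."""
    d = (stamp.year - 1980) << 9 | stamp.month << 5 | stamp.day
    t = stamp.hour << 11 | stamp.minute << 5 | stamp.second // 2
    raw = ENTRY.pack(name, 0x20, 0, 0, t, d, d, cluster >> 16, t, d, cluster & 0xFFFF, 4096)
    return b"\xE5" + raw[1:] if deleted else raw

# Constructed sample: three slots in order, the middle one stamped 2008, then an empty slot.
SAMPLE = (make_entry(b"REPORT  DOC", datetime(2009, 3, 1, 10, 0), 3)
          + make_entry(b"LETTER  DOC", datetime(2008, 6, 15, 9, 30), 8)
          + make_entry(b"NOTES   TXT", datetime(2009, 3, 5, 14, 20, 30), 9, deleted=True) + bytes(32))
print(out_of_sequence(carve_entries(SAMPLE)))
```

A dump taken through the USB interface shows the logical sectors the controller presents, so the wear-leveled physical layout does not appear in it.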
 
berkeman said:
Sounds like you need to find an expert in computer forensics in your area. The Yellow Pages probably has listings of them...
Finding one who is more expert than a kid with a copy of Norton Undelete might be harder,
also check if in your jurisdiction the computer forensic person also needs to be a licensed PI.
 