
Flash Drive Memory Specifics-For Legal Reasons

  1. Jan 26, 2009 #1
    I am involved in a legal case and I need to know some things about flash drives.

    1. Does anyone know if it is possible to find out for sure exactly when a file was saved onto a flash drive? I know that you can access the "Date Created" and "Date Modified" information by right-clicking and then clicking "Properties"; however, these dates can be easily faked just by changing the computer's clock time.

    2. I would also like to know if there is some hidden function on flash drives that records the MAC address of the computers it was plugged into or records the order in which files were added, because then it would be possible to show that a certain file with a faked "Date Created" date, was actually added between two other files with non-faked "Date Created" dates which prove, or at least suggest, that it was added within a different time period.

    3. Another possible route might be to show the order in which files were added by looking at the actual location of the data on the drives so it would also be helpful to know if flash drives fragment the data, or have it in continuous strips.

    Btw: I am not going to use these responses for legal purposes or anything, I am just looking at possible avenues of further research, or expert testimony.
  3. Jan 26, 2009 #2
    Science Advisor
    Homework Helper

    How else would the flash drive know - it doesn't have its own clock.

    There isn't a recording of the MAC address - this only applies to network cards. The NTFS file system does have some extra security parameters to do some of the things you want - but it is almost never used on a flash drive.

    Tricky - the problem is that flash drives have what's called wear leveling.
    Each memory location in a flash drive can only be written to a certain number (50,000 - 1M) of times before it is damaged. Because memory at the front of the device would be used more often than the end - there is extra circuitry that randomizes the parts of the key used so the whole device wears out at the same rate.
    To further complicate matters you cannot erase an individual cell in a flash memory - you must erase an entire page and write in entire blocks, so when a file is added it might erase the end of an existing file, write the new file and then write the end of the existing file somewhere else.

    ps. This is also different for NAND flash (typically used in USB keys/digital camera memory cards) and NOR flash (used for storing settings inside microcontrollers).

    You can fairly easily dump the entire contents of a USB flash drive as just numbers and search through for earlier versions of a file but even with the help of the maker of that particular chip you would probably have a job proving the sequence of events.
    Last edited: Jan 26, 2009
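An added example, not part of the thread or any poster's code: once a drive has been dumped as the post above describes, the directory entries in the dump can be decoded and the order of the slots compared with the "Date Created" stamps. It goes beyond the search the post mentions and assumes a FAT-formatted drive and a directory region already carved out of the dump; the function names and the sample bytes are constructed for illustration. A flagged name is only a lead, since FAT reuses deleted slots, the stamps come from the host's clock, and cluster numbers are logical addresses that wear leveling remaps.

```python
import struct
from datetime import datetime

ENTRY = struct.Struct("<11sBBBHHHHHHHI")   # 32-byte FAT short directory entry

def fat_dt(date, time):
    """Decode FAT packed date/time words; None if the field is unset or invalid."""
    try:
        return datetime(1980 + (date >> 9), (date >> 5) & 0xF, date & 0x1F,
                        time >> 11, (time >> 5) & 0x3F, (time & 0x1F) * 2)
    except ValueError:
        return None

def parse_dir(raw):
    """Return the live entries of a raw FAT directory region, in slot order."""
    entries = []
    for slot, f in enumerate(ENTRY.iter_unpack(raw[:len(raw) // 32 * 32])):
        name, attr, _, _, ctime, cdate, _, hi, wtime, wdate, lo, size = f
        if name[0] == 0x00:                    # end-of-directory marker
            break
        if name[0] == 0xE5 or attr & 0x08:     # deleted slot, long-name slot or volume label
            continue
        entries.append({"slot": slot, "name": name.decode("ascii", "replace"), "size": size,
                        "cluster": (hi << 16) | lo,   # logical cluster, not a flash address
                        "created": fat_dt(cdate, ctime), "modified": fat_dt(wdate, wtime)})
    return entries

def out_of_sequence(entries):
    """Heuristic (assumption): names whose 'created' stamp predates an earlier slot's."""
    flagged, latest = [], datetime.min
    for e in (e for e in entries if e["created"]):
        if e["created"] < latest:
            flagged.append(e["name"])
        latest = max(latest, e["created"])
    return flagged

def make_entry(name, created, cluster, size=512):   # builds one constructed sample entry
    d = ((created.year - 1980) << 9) | (created.month << 5) | created.day
    t = (created.hour << 11) | (created.minute << 5) | (created.second // 2)
    return ENTRY.pack(name, 0x20, 0, 0, t, d, d, cluster >> 16, t, d, cluster & 0xFFFF, size)

# Constructed sample: three files in slot order, the middle one stamped a month early.
SAMPLE = (make_entry(b"REPORT  DOC", datetime(2009, 1, 10, 9, 30), 3)
          + make_entry(b"LETTER  DOC", datetime(2008, 12, 1, 14, 0), 5)
          + make_entry(b"PHOTO   JPG", datetime(2009, 1, 12, 16, 45), 9)
          + bytes(32))   # trailing zeroed slot = end-of-directory marker

if __name__ == "__main__":
    print("out of sequence:", out_of_sequence(parse_dir(SAMPLE)))
```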
  4. Jan 26, 2009 #3
    Staff: Mentor

  5. Jan 26, 2009 #4
    Science Advisor
    Homework Helper

    Finding one who is more expert than a kid with a copy of Norton Undelete might be harder; also check if in your jurisdiction the computer forensic person also needs to be a licensed PI.