Flash Drive Memory Specifics-For Legal Reasons


Discussion Overview

The discussion revolves around the specifics of flash drive memory in the context of legal inquiries. Participants explore the reliability of file timestamps, potential hidden functions of flash drives, and the implications of data storage methods on legal evidence.

Discussion Character

  • Exploratory
  • Technical explanation
  • Debate/contested
  • Conceptual clarification

Main Points Raised

  • Some participants question whether it is possible to determine the exact time a file was saved to a flash drive, noting that "Date Created" and "Date Modified" can be manipulated by changing the computer's clock.
  • There is a suggestion that flash drives do not record the MAC addresses of computers they are plugged into, and that the NTFS file system's security features are rarely applicable to flash drives.
  • Participants discuss the concept of wear leveling in flash drives, which complicates the ability to ascertain the order of file additions, as data may be written in a non-linear fashion due to the need to preserve the lifespan of memory cells.
  • One participant mentions the possibility of dumping the contents of a flash drive to analyze earlier versions of files, but acknowledges the difficulty in proving the sequence of events without expert assistance.
  • Several participants recommend seeking expertise in computer forensics for more reliable insights into the issues raised.

Areas of Agreement / Disagreement

Participants express differing views on the capabilities of flash drives regarding data recording and retrieval, with no consensus on the reliability of timestamps or the existence of certain hidden functions.

Contextual Notes

The discussion highlights limitations in understanding flash drive technology, including assumptions about data integrity, the impact of wear leveling, and the complexities of file system behaviors.

Who May Find This Useful

Individuals involved in legal cases requiring digital evidence analysis, computer forensics professionals, and those interested in the technical aspects of flash drive data management.

unglax
I am involved in a legal case and I need to know some things about flash drives.

1. Does anyone know if it is possible to find out for sure exactly when a file was saved onto a flash drive? I know that you can access the "Date Created" and "Date Modified" information by right-clicking and then clicking "Properties"; however, these dates can be easily faked just by changing the computer's clock time.


2. I would also like to know if there is some hidden function on flash drives that records the MAC address of the computers it was plugged into or records the order in which files were added, because then it would be possible to show that a certain file with a faked "Date Created" date, was actually added between two other files with non-faked "Date Created" dates which prove, or at least suggest, that it was added within a different time period.

3. Another possible route might be to show the order in which files were added by looking at the actual location of the data on the drives so it would also be helpful to know if flash drives fragment the data, or have it in continuous strips.

Btw: I am not going to use these responses for legal purposes or anything, I am just looking at possible avenues of further research, or expert testimony.
 
unglax said:
1. Does anyone know if it is possible to find out for sure exactly when a file was saved onto a flash drive? I know that you can access the "Date Created" and "Date Modified" information by right-clicking and then clicking "Properties"; however, these dates can be easily faked just by changing the computer's clock time.
How else would the flash drive know? It doesn't have its own clock.


2. I would also like to know if there is some hidden function on flash drives that records the MAC address of the computers it was plugged into or records the order in which files were added, because then it would be possible to show that a certain file with a faked "Date Created" date, was actually added between two other files with non-faked "Date Created" dates which prove, or at least suggest, that it was added within a different time period.
There isn't a recording of the MAC address - this only applies to network cards. The NTFS file system does have some extra security parameters to do some of the things you want - but it is almost never used on a flash drive.

3. Another possible route might be to show the order in which files were added by looking at the actual location of the data on the drives so it would also be helpful to know if flash drives fragment the data, or have it in continuous strips.
Tricky - the problem is that flash drives have what's called wear leveling.
Each memory location in a flash drive can only be written to a certain number (50,000 - 1M) of times before it is damaged. Because memory at the front of the device would be used more often than the end - there is extra circuitry that randomizes the parts of the key used so the whole device wears out at the same rate.
To further complicate matters, you cannot erase an individual cell in a flash memory - you must erase an entire page and write in entire blocks, so when a file is added it might erase the end of an existing file, write the new file and then write the end of the existing file somewhere else.

ps. This is also different for NAND flash (typically used in USB keys/digital camera memory cards) and NOR flash (used for storing settings inside ucontrollers)

You can fairly easily dump the entire contents of a USB flash drive as just numbers and search through for earlier versions of a file but even with the help of the maker of that particular chip you would probably have a job proving the sequence of events.
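
The raw-dump idea from the reply above, taken at the file-system level, as an added example that is not part of the thread: it decodes FAT short-name directory entries (FAT is assumed here as the drive's file system) and flags a "created" stamp that predates one in an earlier directory slot. The sample bytes and all function names are constructed for illustration; slot order is only a hint, because FAT reuses freed slots and every stamp is written by the host from its own clock.

```python
import struct
from datetime import datetime

def unpack_dt(date, time):  # FAT date/time words -> datetime, None if unset/invalid
    try:
        return datetime(1980 + (date >> 9), (date >> 5) & 0xF, date & 0x1F,
                        time >> 11, (time >> 5) & 0x3F, (time & 0x1F) * 2)
    except ValueError:
        return None

def make_entry(name11, stamp, cluster, deleted=False):  # constructed sample data only
    d = ((stamp.year - 1980) << 9) | (stamp.month << 5) | stamp.day
    t = (stamp.hour << 11) | (stamp.minute << 5) | (stamp.second // 2)
    raw = struct.pack("<11sB2xHHHHHHHI", name11.encode("ascii"), 0x20, t, d, d,
                      cluster >> 16, t, d, cluster & 0xFFFF, 512)
    return b"\xe5" + raw[1:] if deleted else raw  # deletion changes only byte 0

def parse_dir(raw):
    """Return short-name entries in on-disk slot order, deleted ones included."""
    out = []
    for slot in range(len(raw) // 32):
        e = raw[slot * 32:slot * 32 + 32]
        if e[0] == 0x00:   # end-of-directory marker
            break
        if e[11] & 0x08:   # long-name fragment (0x0F) or volume label
            continue
        ct, cd, _, hi, wt, wd, lo, _ = struct.unpack_from("<HHHHHHHI", e, 14)
        text = ("?" if e[0] == 0xE5 else chr(e[0])) + e[1:11].decode("ascii", "replace")
        out.append({"slot": slot, "name": text[:8].rstrip() + "." + text[8:].rstrip(),
                    "deleted": e[0] == 0xE5, "created": unpack_dt(cd, ct),
                    "written": unpack_dt(wd, wt), "cluster": (hi << 16) | lo})
    return out

def created_before_earlier_slot(entries):  # stamps that run backwards in slot order
    flagged, latest = [], None
    for e in entries:
        if latest and e["created"] and e["created"] < latest:
            flagged.append(e["name"])
        elif e["created"]:
            latest = e["created"]
    return flagged

# Constructed directory: REPORT.DOC claims 2008 but sits between 2009 entries.
SAMPLE_DIR = b"".join([
    make_entry("NOTES   TXT", datetime(2009, 3, 1, 10, 0, 0), 3),
    make_entry("REPORT  DOC", datetime(2008, 1, 15, 9, 30, 0), 4),
    make_entry("OLD     TMP", datetime(2009, 3, 2, 8, 15, 0), 5, deleted=True),
    make_entry("PHOTO   JPG", datetime(2009, 3, 5, 14, 20, 30), 9),
]) + bytes(32)
```

The cluster numbers returned here are logical addresses presented by the drive's controller; wear leveling remaps them to physical flash underneath, so they say nothing about where the data sits on the chip.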
 
berkeman said:
Sounds like you need to find an expert in computer forensics in your area. The Yellow Pages probably has listings of them...
Finding one who is more expert than a kid with a copy of Norton Undelete might be harder.
Also check if in your jurisdiction the computer forensic person also needs to be a licensed PI.
 
