Processing Flash Memory Media
By Officer Fred J. Wiechmann
Portland Police Bureau
In the world of computer forensics, technology is continually changing. This is certainly true when it comes to flash memory chips and related technology. Flash memory chips are popular storage devices which are used in digital cameras and portable electronic devices. In recent years, the storage capacities have grown significantly. Today it is not uncommon to see 250 meg flash memory chips for sale in camera stores and office supply stores. Because of the popularity of these storage devices and the prevalence of digital cameras in photography, this form of computer storage lends itself to computer forensics examination. Recently I discovered a simple, yet effective, method for forensically evaluating flash memory media. This paper was prepared with the intent of sharing one solution to this growing computer forensic challenge of processing data stored in flash memory chips.
The question has come up during my computer investigations dealing with identity theft and frauds: how do I process flash memory chips from digital cameras, such as SmartMedia, Sony Memory Sticks, Compact Flash I & II, Secure Digital, and IBM Micro Drives? These types of media either have to be removed from the camera and placed into a reader that is connected to the USB port of the computer, or the camera has to be connected directly to the USB or FireWire port of the computer. Some flash media types have readers that are inserted into the floppy drive of a personal computer. All of these methods require that the Windows operating system is running, and unfortunately Windows background processes can transparently write data to the storage devices. Such operating system processes can taint or destroy evidence unless certain precautions are taken.
Some forms of flash memory media have write-protect tabs and others have a slider switch that can be moved to prevent writes to the disk. However, most Windows-based programs do not like to read the flash memory storage devices when they are write protected, and some forms of flash memory media do not have a way to write protect the device. As with all computer evidence processing, evidence preservation is a priority, and that does not change when flash memory media is processed for evidence.
The first issue to deal with in the evaluation of flash memory is finding a versatile multi-media reader that is both accurate and flexible. With that concern in mind, I have settled on the OmniFlash IDE Uno4 (MN-IDEU) reader/writer by Onspec Electronic, Inc., which works accurately with seven different types of flash media, i.e., SmartMedia, Compact Flash I & II, Sony Memory Sticks, Secure Digital and IBM Micro Drives. This seems to be an ideal tool for law enforcement use because it is relatively inexpensive (approximately $50) and only one device is required to process many different forms of flash memory. It is also very convenient because it attaches to the IDE cable and it is easily installed in the 3.5-inch bay slot of a desktop computer.
Since the OmniFlash reader is IDE compatible, no special device drivers are required. I have found that this particular reader works with all the various versions of Windows, and it is also DOS compatible. When I use the device in DOS, I have found that I just need to place the media in the reader prior to starting the computer. Once the computer boots, the flash memory media is recognized as a standard FAT12 or FAT16 storage device. DOS is the preferred operating system to use because it all but eliminates evidence preservation concerns. You should note that the reader also works with many non-Microsoft operating systems.
Once the flash memory media is recognized as a computer storage device, I am able to use SafeBack to make an evidence grade bit stream backup image of the data stored on the flash memory media. I use SafeBack because it is an established industry standard in computer forensics. However, I believe my method would also work with other evidence grade bit stream imaging software programs. After I have made the image backup of the flash memory media (either physical or logical) I can then process the restored bit stream backup image of flash memory media as a standard computer storage device. The resulting restored image includes allocated files and deleted files which all have the potential of containing relevant leads and evidence.
I have found that I can quickly review the data with ILook (a law enforcement computer forensics tool) by feeding the SafeBack image directly into ILook, or I can restore the SafeBack image to another drive for evidence processing using traditional computer forensics methods. I also use Graphics File Extractor to automatically extract all deleted and allocated graphics files which were stored on the subject flash memory media. If the batteries have been left in the camera, then I start the camera and see what the date setting is on the camera. Unfortunately, if the batteries have been removed from the camera, the date and time on the camera will revert back to the default date and time. I also look at the date and time on the files to see if the person using the camera had set the date and time originally.
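The deleted-file and file-timestamp review described above rests on the 32-byte FAT directory entry. The following Python sketch is an added example, not part of the original paper or of any tool it names: it parses the raw bytes of a FAT12/FAT16 directory region, taken from a working copy of the image, and reports allocated and deleted entries with their decoded last-write stamps. Locating the directory from the boot sector is omitted, and the sample entries, file names and dates are constructed.

```python
import struct
from datetime import datetime

DELETED, END, ATTR_VOLUME = 0xE5, 0x00, 0x08

def dos_datetime(date, time):
    """Decode the packed FAT last-write date/time; None if the stamp is invalid."""
    try:
        return datetime(1980 + (date >> 9), (date >> 5) & 0x0F, date & 0x1F,
                        time >> 11, (time >> 5) & 0x3F, (time & 0x1F) * 2)
    except ValueError:
        return None

def parse_directory(raw):
    """Return one dict per 32-byte directory entry, deleted entries included."""
    entries = []
    for off in range(0, len(raw) - 31, 32):
        rec = raw[off:off + 32]
        if rec[0] == END:            # 0x00 marks the end of the directory
            break
        if rec[11] & ATTR_VOLUME:    # volume label or long-name fragment (0x0F)
            continue
        deleted = rec[0] == DELETED
        # Deletion overwrites only the first name byte, so it is shown as '?'
        base = ("?" if deleted else chr(rec[0])) + rec[1:8].decode("ascii", "replace")
        ext = rec[8:11].decode("ascii", "replace").strip()
        time, date, cluster, size = struct.unpack_from("<HHHI", rec, 22)
        entries.append({"name": base.strip() + ("." + ext if ext else ""),
                        "deleted": deleted, "modified": dos_datetime(date, time),
                        "first_cluster": cluster, "size": size})
    return entries

def make_entry(name, ext, date, time, cluster, size, deleted=False):
    """Build a constructed 32-byte entry for the demonstration data below."""
    rec = bytearray(32)
    rec[0:11] = name.ljust(8).encode() + ext.ljust(3).encode()
    rec[11] = 0x20                   # archive attribute
    struct.pack_into("<HHHI", rec, 22, time, date, cluster, size)
    if deleted:
        rec[0] = DELETED
    return bytes(rec)

# Constructed sample: one allocated file stamped 2002-03-15 14:30:10 and one
# deleted file stamped 2000-01-01 00:00:00, followed by the end marker.
SAMPLE = (make_entry("DSC00001", "JPG", (22 << 9) | (3 << 5) | 15,
                     (14 << 11) | (30 << 5) | 5, 2, 524288)
          + make_entry("DSC00002", "JPG", (20 << 9) | (1 << 5) | 1, 0, 130,
                       498112, deleted=True)
          + bytes(32))

if __name__ == "__main__":
    for entry in parse_directory(SAMPLE):
        print(entry)
```

A deleted entry keeps its size, starting cluster and timestamp, which is why deleted pictures can often be recovered from the image and why their stamps can be compared with the camera's clock setting.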
I have been referring to the flash media as if it all comes from cameras. However, you must not overlook the fact that many of these flash memory chips can also be used in other electronic devices, such as handheld computers and PDAs. The procedure outlined above would also be the same for processing the media from these types of devices. Please note that the method outlined above is not only applicable to the law enforcement community, it can also be used effectively in security reviews in classified government environments.

