I picked up a large batch of MicroSD cards and adapters for an upcoming project. I’m cheap, and the data reliability isn’t critical, so I picked up used cards on ebay. After I made the purchase, it occurred to me that this was a potential teaching moment, both to freshen my own skills and to raise awareness for others who may not pay as much attention as those of us in the field.
TLDR: If you don’t know how deleted your data really is, don’t give, sell or return writable media. Either learn how to securely erase your data and confirm that it has been erased, or toss it in a fire.
So before they showed up, I installed the latest version of Autopsy on a fresh Windows box. Fresh because, well, just like I’m assuming that others might have been careless in data deletion, I have to guard against being careless about sticking random cards in my machines.
So they arrived. The moment of truth was here. I pulled out the first MicroSD, stuck it in the first adapter, and inserted it into a USB slot on the PC.
Predictably, it pops up as a blank, formatted card. Let’s see what Autopsy sees…
Let’s see, it’s been a while since I played with Autopsy. Let’s go with:
* Add Data Source
Let’s call it
* Card001
* Local Disk
* Select Disk. On my machine it showed up as H:
<Next>
I’m leaving everything checked here. If this was true forensics I might be more choosy, but I’m not.
Looks like the first test is examining the file system. “Adding $OrphanFiles,” it says.
After that, it tells me file analysis has started. I can hit finish, but I can tell by the progress bar in the lower right that it’s still analyzing stuff. This process goes on for a few minutes.
After the file analysis phase, it moves on to the data integrity phase.
Finally it’s done. I browse the card in the data source tree. Ooh, look, there are recovered files in the $CarvedFiles folder! Baby pics, family pics, and yes… porn. Folks, I recycled porn from the very first used SD card I tested.
So I’m up to card 28 now, and a few patterns emerged.
The metadata shows a strong preponderance of Nokia 5300 as the image source. This tells me these cards were likely sold by a shop servicing Nokia phones. The mp3 and video content I’ve extracted so far shows a strong trend toward Spanish-speaking content, and a few of the images with recognizable stuff on them actually mentioned Mexico.
I need to dig deeper into metadata, but visually it appears that at least some of the porn is homemade. Some of the cards had porn images which had likely been downloaded from the internet, as I discovered by running through through TinEye.
I’ve really got to refresh my Autopsy skills. I don’t do forensics for a living, but it helps to know the workflow of someone who does, in case you might one day find yourself protecting yourself from an enthusiastic forensic investigator.
Further learning: There are hash sets you can obtain that can validate files you find against known file hashes. Which might be the prudent thing to do if you don’t know what your found media might contain. Might be good to know if you’re handling CSAM before you actually view CSAM.
