Home » Tech Talks » Services » Memory Card Forensics – Is your Evidence Reliable?

Memory Card Forensics – Is your Evidence Reliable?

Written by Anuraag Singh ~ Modified: 26-05-2022 ~ Services ~ 5 Minutes Reading

Memory Card Forensics

https://anuraagsingh.com/tech-talks/mobile-adware-removal-service/ It is so easy to manipulate the data of your memory card. Know how memory card forensics can help to prove in the court that your evidence is genuine. 

Even if we have more data than the storage of our phones allows, we can heave a sigh of relief. Why? It is because of the memory cards

These compact chips can store thousands of images, data, videos, etc. in them. This feature of memory cards has made it the most preferred storage device in all electronic devices. 

Along with acting as a storehouse for tons of data, memory cards contribute significantly when it comes to digital forensics

Let’s dive into the topic of know-how.

Role of Memory Card in Forensics Evidence

To prove your case in a court of law, you need to submit evidence.

Earlier, there were only cell phones, digital cameras, laptops, etc. that acted as evidence in the court. 

However, with technological advancement, even memory cards are also playing a part to capture the evidence used for prosecution in the court of law as used by law enforcement agencies and other officials.

Let me ask you a question? What is your first reaction when somebody asks for your phone? 

We all are reluctant to share it, right?

 Whether it’s you or me, we all hesitate in sharing our expensive & personal devices with anyone else.

This highlights the importance of memory cards.

Since a large part of our data is on memory cards, it alone is sufficient to act as primary evidence, without any need for parting with our valuable devices

Furthermore, since, a device’s internal memory capacity is no longer a constraint, it improves the validity and trustworthiness of electronic evidence in court during a trial.

Information Extracted from Memory Card

Artifacts retrieved from a memory card might reveal significant information about the suspect in an investigation. Some of them are as follows: –

  • Call log details (received, dialled, and missed calls).
  • Saved contact information
  • Text/multimedia communications sent, received, or deleted
  • Images, video, music, and MMS
  • History of Web Browsers
  • A collection of desktop and web-based email clients.

Are Memory Cards Perfect?

Though memory cards are useful in storing large amounts of data and save us from sharing our devices with anyone else. 

The issue arises because metadata create in mobile phones is automatically preserve in the device’s internal storage rather than on memory cards, which are add-on media for storing data.

Therefore, this makes it important to preserve the original device. Because the memory card forensic expert needs the device for forensic examination, as he cannot rely on the authenticity of the memory card completely to form a reliable forensic opinion.

More importantly, a person can easily manipulate the data of memory cards. Knowing the reasons behind it, and how memory card forensics can help in proving the dependability of the evidence in court is important.

What Makes Memory Cards Susceptible to Tampering?

The usual file format of these memory cards are FAT16, FAT32 or Ex-FAT, NTFS file systems.

Since most of these devices are format with the FAT file systems, their data become an easy target to be manipulate, tamper or replace. This is done by changing the artifacts through a hex editor

What is a Hex Editor? You may ask. 

A hex editor is computer software that allows data to be substituted and modifies metadata. Moreover, through this, artifacts of the manipulation may be hard to recover if done by a skilled person.

Ways to Manipulate Memory Card Data

1. Mirroring 

If a memory card is forensically mirrored in another memory card of the same brand, model, and size, it may be difficult to distinguish which one is original and which is the mirrored one. Also, the memory card lacks a unique serial number, thus complicating the matter.

2. Artifacts Modified in Root Directory

A qualified expert with strong file system knowledge may then insert the file onto the memory card and edit the artefacts in the root directory, which the forensic program will not identify.

3. Files Deleted and Entry in the Root Directory Removed

If a file gets delete and the entry in the root directory remove, it is not excavate. Even with data carving, nameless files get retrieved, but it may be impossible to determine who deleted the file and when.
 

Thus, as discussed above, it is possible to modify the evidence on the memory card, which may go undetected even with the most powerful forensic equipment.

Thus, this highlights the need to get the memory card examined by a forensic expert like Anuraag Singh, who has the basic and conceptual knowledge of media, file systems & memory card forensics methodologies. This will help in regaining the trust in the evidence contained in these devices in a civil or criminal proceeding in court.