The client in this data recovery case came to us for our SanDisk SD card recovery services. They had accidentally deleted the contents of their camera’s 8 GB microSD card. Unfortunately, accidentally deleting your data is all too easy in our digitally-dependent world. And unlike when you delete files off of your computer, when you delete the contents of a removable storage device, there’s no recycle bin or trash bin you can rummage through to retrieve those precious files. Fortunately, when you need to restore deleted files from a memory card, Gillware is on your side.
SanDisk SD Card Recovery Case Study: Deleted Photos
Drive Capacity: 8 GB
Operating System: FAT32
Situation: Deleted data
Type of Data Recovered: Photos and Videos
Binary Read: 100%
Gillware Data Recovery Case Rating: 7
Accidental file deletion is a kind of logical damage that can affect a data storage device. Normally, when you delete a file, it hasn’t gone away forever. Instead, what the filesystem does when you ask it to delete something is simply to sever the logical links which point to the file. A skilled logical data recovery engineer, such as the experts in our employ here at Gillware, can typically uncover that deleted file relatively easily as long as no new data has overwritten it since the time of deletion.
This is what our logical engineers expected to see when we received this client’s memory card for SanDisk SD card recovery. However, upon completely imaging the 8 GB memory card with our forensic imaging tools, our engineers were surprised to find nothing of use. This was not a normal file deletion case—there was something bigger and more complicated at work here.
Obviously, your memory cards do not store data the same way your hard drive does. The mechanical components necessary to store data magnetically simply cannot be miniaturized to the point where a hard drive can comfortably fit on your fingernail. (The smallest hard disk drive ever invented, by comparison, was about the size of a postage stamp, and could only fit about 12 gigabytes worth of data.)
When you need a lot of data in a tiny amount of space, you turn not to magnetic data storage, but to electronic data storage. This is in the form of flash memory. Every portable device today stores its data in NAND flash memory chips. NAND flash memory can fit mind-boggling amounts of data—up to 512 GB—into a single tiny microSD-sized package.
The methods for electronic data storage differ wildly from magnetic data storage. Modern NAND flash memory grew out of EEPROM, or “electrically erasable programmable read-only memory”. Unlike traditional ROM, you could erase and reprogram EEPROM using electrical current. Soon, computer scientists figured out how to erase EEPROM in chunks, instead of erasing the whole device at once. In the evolution of flash memory, one could call EEPROM the “missing link” between read-only memory and flash memory as we know it.
Because of NAND’s unique properties, the data inside the chips must constantly be rearranged and organized using special data management subroutines so that it can function more like the magnetic media we are all more familiar with.
These data management subroutines carry themselves out beneath the surface of the device, away from prying eyes. Our engineers suspected that these data management routines may have been responsible for making this SD card appear blank.
The only way to move forward with this SanDisk SD card recovery case was to delve deeper. Our flash memory experts had ample reason to believe that the deleted data still lived on the microSD card’s chip. After all, we see these “flash memory amnesia” situations frequently, especially at Gillware Digital Forensics. Sometimes, even when an SD card appears to be full of zeroes according a hex editor, lost data still lies hidden inside the chip.
To get at this hidden data, our engineers must perform a raw dump of the NAND chip’s contents. This is tough for a few reasons. First and foremost, getting at the monolithic NAND chip in a microSD card requires soldering very thin wires to specific contact points on the device, a process known as “spiderwebbing”. Secondly, because we are accessing the NAND chip with all of its layers of abstraction stripped away, we need to reassemble the data… manually.
This is an intense and laborious process, much more difficult than our typical deleted file recovery cases, making the costs involved much higher. In many cases, a client’s recovered data simply isn’t worth the extra investment. But in this case, the client gave us the go-ahead to move forward with a raw chip read.
After sifting through the microSD card’s contents, our engineers uncovered over 160 photos and 30 videos. Some of the files had minor glitches, but the majority functioned perfectly. We showed the client the results of the SanDisk SD card recovery operation. The client determined that their most important photos and videos were among the recovered files, marking this memory card data recovery case a success. We rated this case a 7 on our ten-point scale.