Digital Forensics for SD Cards
SD Card Forensics
The world is rife with SD cards, especially their pint-sized microSD cousins. You can find them in just about every digital camera or Android phone, in microcomputers like Raspberry Pi, in drones and GoPro video cameras, in handheld gaming devices, GPS units, smart devices, etc. Packing dozens or even hundreds of gigabytes of data into tiny chips, SD cards have taken the world of data storage by storm. A skilled and knowledgeable forensic investigator can analyze the data on these devices to determine when, why how, and by whom they were used. When you need answers to these questions, the SD card forensics experts at Gillware can help.
What Are SD Cards?
The “SD” in your SD card stands for “Secure Digital”, referring to the standard memory card format created by a joint effort between Toshiba, Panasonic, and SanDisk. The Secure Digital format was designed to replace the MMC memory card format in 1999. SD cards come in three form factors, and there are four “families” of SD card as well.
The three form factors of SD card are the original size (24 by 32 mm), the mini size (20 by 21.5 mm) and the micro size (15 by 11 mm). Of the three, the original and micro sizes are the most common. MicroSD cards, due to their tiny footprint, see the most use in providing extra storage space for mobile phones and other portable media devices. For the manufacturer, adding a slot to accommodate these minuscule devices does not eat up too much space that could be used for other features, while allowing the user to dramatically expand the capacity of their smartphone or MP3 player.
The four families of SD card are SDSC (Standard Capacity), SDHC (High Capacity), SDXC (Extended Capacity), and SDIO (Input/Output). The SD interface itself across the four families is electrically and mechanically the same; most SD host devices are backwards compatible. Changes to the devices across families allow them to support higher capacities, faster read/write speeds, or special input/output features. Typically SD cards will be formatted by their manufacturers with the FAT16, FAT32, or exFAT filesystem. The user can, however, format them with any other filesystem, such as NTFS or HFS+, although doing so can shorten the SD card’s lifespan.
SD cards can be made to protect their contents from being altered or erased. The host device can issue commands to the card to make it read-only, or the owner of an SD card can block writes to the device by sliding a tab on the side of the card.
How SD Cards Store Data
Like USB flash drives, SD cards store their data inside a flash memory chip. Flash memory evolved from electrically erasable programmable read-only memory, or EEPROM. Read-only memory is non-volatile; it retains the information stored on it even when not receiving power, but the data cannot be altered once it has been written. Random-access memory, on the other hand, is volatile and becomes blank when it stops receiving power, making it a poor choice for long-term data storage.
EEPROM, unlike traditional ROM, could be programmed, then erased and reprogrammed using an electrical current. By erasing and reprogramming the chip one block at a time, instead of all at once, designers could use EEPROM to both read and write data. With some clever wrangling, EEPROM became a form of NVRAM (non-volatile random-access memory), which later evolved into flash memory as we know it today. Flash memory can perform many of the same functions as hard disk drives and optical drives. As a result, SD cards and USB thumb drives have largely superseded CDs, and SSDs are making huge inroads in the realm of hard drives.
The “clever wrangling” used to make ROM behave like RAM takes the form of the flash transition layer (FTL) and data management algorithms. One of the quirks of flash memory, born out of its ancestor EEPROM, is that while you can write (or program) data to the chip, you cannot alter what you have written quite as easily as you would to a hard disk platter—however, you can easily erase the data.
Say, for example, you save a Word document to an SD card. That document takes up space in a single block on the chip. Now you go to edit the document and save it again. The card can’t overwrite the old document, but it can save the newest version of the document to a new block and mark the block containing the older version for erasure. Once the chip fills up that block, it erases it, and the block becomes ready for reuse. The FTL manages all of this in the background while the user goes about their business, unaware of the elegant data management processes going on under their nose.
SD Card Forensics
When an SD card turns up in your investigation, you’re likely to have a few questions. Who was using the card? What kind of data exists on the card? When was the card used, and for what purpose? A skilled forensic examiner can help answer these questions. In some cases, an SD card can even contain metadata identifying which devices it has been connected to—and conversely, connecting an SD card to a phone or computer will often leave a record in the device’s log, which a knowledgeable forensic investigator can uncover. By analyzing the contents of an SD card, a skilled forensic expert can tell the story of its life.
SD cards are most commonly connected to and installed inside other devices, and may be the primary or secondary form of data storage on these devices (for example, inside an Android smartphone, smart watch, or other smart device). Memory cards will typically spend very little time not plugged into a device. SD cards are often reused, and an Android phone owner who goes out and buys the latest model to replace their older phone will often use the same microSD card in their new phone. Properly analyzing the data from the SD card can be crucial to understanding how the device (or devices) containing it was used as well.
Retrieving Data after Formatting or Deletion
You may encounter SD cards that have been formatted, or that have had some or all of their contents deleted. When an SD card is formatted or has data deleted from it, the filesystem treats the deleted data in a very similar way as the garbage-collection algorithms in the flash chip’s FTL do. Instead of immediately erasing the data, it sets the data aside and marks it as available space for the card to reuse, and so as long as the SD card hasn’t been heavily used since the incident occurred, some or all of the lost data can still be retrieved and analyzed.
Broken or Corrupted SD Card Forensics
Because SD cards have no moving parts and the flash memory chip is particularly resilient compared to, say, a CD or a hard disk platter, it is very rare for these devices to break unless exposed to excessive physical trauma. When an SD card has failed in such a way that the SD interface becomes unusable, prohibiting access to the card’s contents through normal means, a delicate chip-off forensics process is required to acquire the data on the device.
It is more common for SD cards to become corrupted, which can also make retrieving their contents difficult. If an SD card is improperly handled by an individual and is, for example, ejected without warning from its host device, its boot sector might become corrupted. Boot sector corruption will make the device appear blank, but a skilled forensic investigator can retrieve the data from these devices and analyze it.
Gillware’s SD Card Forensics Services
The skilled and highly-trained experts at Gillware offer SD card forensics services for legal professionals, law enforcement officials, and other clients across the United States. With over 25 years of combined experience in the realms of digital forensics and data recovery, our SD card specialists can help you answer the most important questions when you need data from an SD card analyzed. Our seasoned and knowledgeable SD card forensics experts can help you with every part of your investigation, from an initial forensic assessment of the SD card in question to providing expert testimony in court to present our findings clearly and accurately.