Used storage devices such as SD cards and USB sticks are sold on a variety of sites, and plenty of them are available for purchase on both eBay and Amazon. However, many sellers lack the competence to wipe these devices sufficiently before selling them.
I purchased a set of digital storage devices from Ebay.co.uk and Finn.no. This is what turned up in the mailbox a few days later. All files on the devices had been deleted by the previous owners.
The first step is to acquire a forensic image of the devices. This is done using dc3dd, which is based on dd. By default, dc3dd provides a progress bar, and it can also hash the device while imaging. The devices were imaged read-only. You never know when a rubber ducky may appear… Besides, it is best practice not to write any data to the “evidence”, should it turn out to be exactly that.
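The point of hashing while imaging is that the image can be proven to be a faithful copy of the source before any analysis starts. The following is an added example, not code from the original post and not dc3dd itself: it images a file-backed stand-in for a device (the path names and `BLOCK_SIZE` are assumptions for the example), opening the source read-only, hashing the input as it is read, and then hashing the finished image independently so the two digests can be compared.

```python
import hashlib
import os
import tempfile

BLOCK_SIZE = 4096  # assumption: fixed block size, as dd/dc3dd would use


def image_device(device_path, image_path, block_size=BLOCK_SIZE):
    """Copy device_path to image_path block by block, hashing both sides.

    The source is opened O_RDONLY so nothing can be written back to the
    evidence. Returns (bytes_copied, input_sha256, output_sha256); the two
    digests must match before the image is trusted.
    """
    h_in = hashlib.sha256()
    h_out = hashlib.sha256()
    copied = 0
    fd = os.open(device_path, os.O_RDONLY)
    try:
        with open(image_path, "wb") as out:
            while True:
                chunk = os.read(fd, block_size)
                if not chunk:
                    break
                h_in.update(chunk)  # hash the input as it streams past
                out.write(chunk)
                copied += len(chunk)
    finally:
        os.close(fd)
    # Re-read the finished image and hash it separately: a mismatch means the
    # copy is not a faithful image and must not be used for analysis.
    with open(image_path, "rb") as img:
        for chunk in iter(lambda: img.read(block_size), b""):
            h_out.update(chunk)
    return copied, h_in.hexdigest(), h_out.hexdigest()


def demo():
    """Constructed 'device': a temp file with known contents (not a real card)."""
    with tempfile.TemporaryDirectory() as d:
        dev = os.path.join(d, "fake_sdcard.bin")
        img = os.path.join(d, "fake_sdcard.dd")
        with open(dev, "wb") as f:
            f.write(bytes(range(256)) * 40 + b"deleted-photo.jpg")
        n, h_in, h_out = image_device(dev, img)
        with open(dev, "rb") as f:
            source_hash = hashlib.sha256(f.read()).hexdigest()
        # bytes copied, image hash equals input hash, input hash equals source
        return n, h_in == h_out, source_hash == h_in


if __name__ == "__main__":
    print(demo())
```

On a real acquisition the source would be the block device (opened read-only, ideally behind a hardware write blocker) and the digests would be recorded alongside the image; the independent re-read of the output is what makes the recorded hash meaningful.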
All devices were successfully imaged. There are many tools that can be used to determine the file system, its offset, and the deleted data. A strong recommendation is to use Autopsy for Windows, as it is free, fast, has a great GUI, and has a significant number of features. Autopsy is a part of The Sleuth Kit (TSK). TSK is also installed by default on Kali Linux, although on its own it is far more limited than Autopsy on Windows. TSK on Linux is excellent for quickly gaining an overview of a device.
mmls is used to determine the file system and its offset. From there, fls is used to view the files located on the SD card. The * indicates that a file has been deleted by the previous owner(s). It also appears that the SD card has been used in a phone.
There are many files on the device, some of course more sensitive than others. The content of the files gives a clear indication that the owner was not aware that the deleted data remained accessible. The data was then carved using a variety of tools, such as foremost. Autopsy for Windows is preferred when extracting and investigating larger data sets; for small tasks, TSK on Linux is more than enough.
Furthermore, when run through exiftool, some of the images reveal the geographical location and the device used to take the photograph, in this case an iPhone 6. The SD card itself does (of course) not belong to an iPhone. However, a large variety of images taken with a series of Apple products, digital cameras, and so on were found on the storage device.
A simple online coordinate lookup tool then gives us the location where the photograph was taken.
One of the USB sticks contained tons of blueprints of oil rigs, product flyers, testing procedures, testing results, images of the physical installation, employee names, resumes, PowerPoint presentations, personal photographs (vacations, selfies, parties, etc.), social security numbers, tax information, and so on. In other words: a goldmine for people with malicious intentions.
mmls did not respond too well to one of the other SD cards, as shown above. However, looking at the raw data at the “top” of the device with xxd reveals that it is FAT32. From there, the same procedure can be conducted to view and extract the data. The device previously belonged to an Android phone. It contained Snapchat photographs, Pokemon Go information, school documents, and overall a tremendous amount of personal data.
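What mmls, fls and the xxd check above actually do is read a handful of well-known byte offsets. The following is an added example, not code from the original post and not TSK, that shows both situations described on this page: a card with an MBR (mmls finds the partition and its offset) and a card with the FAT32 boot sector at sector 0 (mmls has nothing to report, but the "FAT32" string at offset 82 that xxd shows gives the filesystem away). It then walks the FAT32 root directory and marks deleted entries with "*" the way fls does, since FAT only overwrites the first name byte (0xE5) on delete. The test image, its partition layout and the two file names are constructed for the example.

```python
import struct

SECTOR = 512  # assumption: 512-byte sectors, as on the SD cards in the post


def parse_mbr(image):
    """(index, type, start_sector, sector_count) per used MBR entry, as mmls
    would list them; [] when sector 0 carries no usable partition table."""
    if image[510:512] != b"\x55\xaa":
        return []
    parts = []
    for i in range(4):
        e = image[446 + 16 * i:446 + 16 * (i + 1)]
        status, ptype = e[0], e[4]
        start, count = struct.unpack_from("<II", e, 8)
        if status in (0x00, 0x80) and ptype != 0 and count != 0:
            parts.append((i, ptype, start, count))
    return parts


def is_fat32_boot_sector(sector):
    """The check xxd lets you do by eye: 'FAT32' at offset 82 plus a sane BPB."""
    if len(sector) < 512 or sector[510:512] != b"\x55\xaa":
        return False
    bytes_per_sector, = struct.unpack_from("<H", sector, 11)
    return (sector[82:90] == b"FAT32   "
            and bytes_per_sector in (512, 1024, 2048, 4096)
            and sector[13] in (1, 2, 4, 8, 16, 32, 64, 128))


def locate_filesystem(image):
    """Byte offset of the FAT32 volume: sector 0 itself (the 'mmls failed,
    xxd shows FAT32' case) or the first FAT32 partition in the MBR."""
    if is_fat32_boot_sector(image[:512]):
        return 0
    for _, _, start, _ in parse_mbr(image):
        if is_fat32_boot_sector(image[start * SECTOR:start * SECTOR + 512]):
            return start * SECTOR
    return None


def fat32_root_dir_offset(image, fs_off):
    """Root directory = first data sector + (root_cluster - 2) clusters."""
    b = image[fs_off:fs_off + 512]
    bytes_per_sector, = struct.unpack_from("<H", b, 11)
    reserved, = struct.unpack_from("<H", b, 14)
    sectors_per_fat, = struct.unpack_from("<I", b, 36)
    root_cluster, = struct.unpack_from("<I", b, 44)
    first_data_sector = reserved + b[16] * sectors_per_fat  # b[16] = number of FATs
    return fs_off + (first_data_sector + (root_cluster - 2) * b[13]) * bytes_per_sector


def list_root_dir(image, fs_off):
    """Walk the 32-byte root directory entries, fls-style: '*' marks deleted ones."""
    off = fat32_root_dir_offset(image, fs_off)
    entries = []
    while off + 32 <= len(image) and image[off] != 0x00:  # 0x00 = end of directory
        e = image[off:off + 32]
        off += 32
        if e[11] == 0x0F:  # long-file-name entry, not a file of its own
            continue
        deleted = e[0] == 0xE5  # only the first name byte is lost on delete
        raw = bytearray(e[:11])
        if deleted:
            raw[0] = ord("?")
        name = raw[:8].decode("ascii", "replace").rstrip()
        ext = raw[8:11].decode("ascii", "replace").rstrip()
        size, = struct.unpack_from("<I", e, 28)
        entries.append(("*" if deleted else "", name + ("." + ext if ext else ""), size))
    return entries


def dir_entry(name, ext, size, deleted=False):
    """Constructed 8.3 directory entry (attribute 0x20 = archive)."""
    raw = name.ljust(8).encode() + ext.ljust(3).encode()
    if deleted:
        raw = b"\xe5" + raw[1:]
    return raw + b"\x20" + bytes(16) + struct.pack("<I", size)


def build_image(with_mbr=True):
    """Constructed test image: optional MBR, one FAT32 volume, two root entries."""
    part_start = 2048 if with_mbr else 0
    img = bytearray((part_start + 4096) * SECTOR)
    if with_mbr:  # one bootable type-0x0C (FAT32 LBA) partition at sector 2048
        struct.pack_into("<B3sB3sII", img, 446, 0x80, bytes(3), 0x0C, bytes(3), 2048, 4096)
        img[510:512] = b"\x55\xaa"
    fs = part_start * SECTOR
    img[fs:fs + 3] = b"\xeb\x58\x90"
    img[fs + 3:fs + 11] = b"MSWIN4.1"
    # BPB: 512 B/sector, 1 sector/cluster, 32 reserved sectors, 2 FATs, media 0xF8
    struct.pack_into("<HBHBHHB", img, fs + 11, 512, 1, 32, 2, 0, 0, 0xF8)
    struct.pack_into("<I", img, fs + 32, 4096)  # total sectors
    struct.pack_into("<I", img, fs + 36, 8)     # sectors per FAT
    struct.pack_into("<I", img, fs + 44, 2)     # root directory cluster
    img[fs + 82:fs + 90] = b"FAT32   "
    img[fs + 510:fs + 512] = b"\x55\xaa"
    root = fat32_root_dir_offset(img, fs)
    img[root:root + 32] = dir_entry("NOTES", "TXT", 1234)
    img[root + 32:root + 64] = dir_entry("PHOTO", "JPG", 98765, deleted=True)
    return img
```

Run against the constructed image with an MBR, `locate_filesystem` returns the same byte offset mmls would report (sector 2048, i.e. 1048576 bytes) and `list_root_dir` lists `NOTES.TXT` as live and `?HOTO.JPG` as deleted, with its size still intact; without the MBR, `parse_mbr` returns nothing and the raw sector-0 check finds the volume instead. The deleted entry's cluster chain and data are still there, which is exactly why the files on these cards could be carved.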
Before selling your digital storage devices, you should always wipe them properly. The deleted data can easily be recovered and misused. One of the most efficient methods is to use dd to overwrite the existing data. This should be done several times. However, it is not always that simple, as different kinds of digital storage device (USB, HDD, SSD, etc.) call for different methods. Make sure to read Blancco’s article regarding data deletion for further information. And if you do not know what you are doing: simply do not sell your digital devices…
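Overwriting with dd is only worth something if the overwrite is flushed to the device and then read back, since a pass that never reached the medium leaves the data exactly where the recovery above found it. The following is an added example, not code from the original post: it performs several dd-style overwrite passes (random data, then zeros) on a file-backed stand-in for a device, fsyncs each pass, and then verifies by reading every block back. The file name and the "sensitive" contents are constructed for the example. Note that a read-back like this only confirms what the device presents logically; on flash media and SSDs, wear levelling can leave old copies of blocks the host cannot address, which is the reason the post points to device-specific methods.

```python
import os
import tempfile

BLOCK_SIZE = 4096  # assumption: dd-style fixed block size


def wipe_file_backed_device(path, passes=3, block_size=BLOCK_SIZE):
    """Overwrite every byte of `path` in place `passes` times, then verify.

    All passes but the last write random data; the last writes zeros so the
    read-back check can confirm the overwrite reached every block. Returns the
    number of bytes wiped; raises if any non-zero byte survives.
    """
    size = os.path.getsize(path)
    fd = os.open(path, os.O_RDWR)
    try:
        for p in range(passes):
            last = p == passes - 1
            os.lseek(fd, 0, os.SEEK_SET)
            remaining = size
            while remaining:
                n = min(block_size, remaining)
                buf = bytes(n) if last else os.urandom(n)
                while buf:  # handle short writes, as dd does internally
                    written = os.write(fd, buf)
                    buf = buf[written:]
                    remaining -= written
            os.fsync(fd)  # like dd conv=fsync: the pass must reach the medium
        # Verification pass: every block read back must be all zeros.
        os.lseek(fd, 0, os.SEEK_SET)
        remaining = size
        while remaining:
            chunk = os.read(fd, min(block_size, remaining))
            if not chunk:
                raise RuntimeError("short read during verification")
            if chunk != bytes(len(chunk)):
                raise RuntimeError("verification failed: non-zero data remains")
            remaining -= len(chunk)
    finally:
        os.close(fd)
    return size


def demo():
    """Constructed stand-in for a USB stick holding something sensitive."""
    secret = b"SSN 123-45-6789 " * 300  # constructed, not real data
    with tempfile.TemporaryDirectory() as d:
        dev = os.path.join(d, "fake_usb.bin")
        with open(dev, "wb") as f:
            f.write(secret)
        wiped = wipe_file_backed_device(dev, passes=3)
        with open(dev, "rb") as f:
            after = f.read()
        # bytes wiped, whether the secret is still findable, whether all zero
        return wiped, b"123-45-6789" in after, after == bytes(len(secret))


if __name__ == "__main__":
    print(demo())
```

On a real device the path would be the whole block device rather than a file, the size would come from the device itself, and the verification pass would be followed by the device-specific step (for SSDs and flash, a secure-erase command rather than more overwrite passes).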