In March at the International Computer Forensics Conference, experts and law enforcement collaborators spoke of new challenges that investigators face when trying to attain proof of innocence or guilt from USB stick data. Martin Westman, digital forensics and storage media expert, and Aya Fukami from the National Police Agency in Japan have found evidence that in some cases old data from former computer users can be found on brand new USB sticks.
Is new really new?
Just a year ago, in autumn of 2016, a Swedish computer user made an unbelievable discovery when he inserted his daughters USB stick into his laptop. In addition to her wedding pictures he also found a picture of a driver´s license of a Chilean individual. This came as a really big surprise since the daughter never had contact with this man and the USB stick was sold to her as “brand new”. Alarmed by this news Westman researched the problem and discovered that this happens with standard eMMC memory chips more often than one might think.
Who owns the data?
According to experts, this poses a serious problem in computer forensics. They cannot be sure at first sight that the data they find on a USB stick or device is really only from the current user, who is involved in a criminal or legal investigation. Therefore, more intensive analysis has to be made in the future to provide surefire proof that the data found is really from the last computer user. Up until now the proof chain looked like this: If criminal content – e.g. pornographic pictures or incriminating content of the like – was found on the stick, this was enough to open an investigation and used for a conviction.
Getting to the bottom of it
Now, with the findings of both Westman and Fukami, there is much more work needed. If you are not sure that the data is from the current user and owner of the stick, the whole history of the data has to be revealed. This means the metadata of the files – documents or pictures – has to be checked. Additionally, the serial number of the built-in memory chips has to be read out. With this number and the corresponding device ID number, a former owner of the smartphone can be identified. Then investigators have to check if the criminal content is from the current user or the old smartphone owner. This process is much more time-consuming, but solid evidence can still be gathered.
But what is the beef to the normal computer user?
So what is the best solution to this problem for an ordinary consumer? The best way to cope with it is to buy not the cheapest USB stick available, but to purchase a product from a well-known brand and producer. Therefore buying loads of cheap USB sticks from a Chinese web shop might not be a good idea, since you might not only find old data from unknown people on your brand new stick, but they might also contain viruses as well.
How to ensure deletion of data
Additionally, these cases show the importance to every computer user to be extremely cautious to their own data on old smartphones. There are lots of acquirers of old computer equipment or smartphones on the internet or in shops, who will give money for smartphones in large quantities. These built-in memory chips will then be reused for producing cheap “brand new” USB sticks. Therefore it is essential to securely delete all your personal data from smartphones or any other external flash device before selling them or giving them away. Since flash drives are different to magnetic based storage devices, they cannot be securely and fully deleted with common erasure software.
Have you ever found old data on a new device? Let us know by tweeting @KrollOntrackUK.