At an international computer forensics conference in March of this year, experts and law enforcement collaborators revealed a serious challenge for investigators trying to obtain valid proof of innocence or guilt by analyzing data from USB sticks. Both Martin Westman, a digital forensics and storage media expert, and Aya Fukami from the National Police Agency Japan have found evidence that in some cases old data from former computer users can be found on brand new USB sticks.
Just a year ago, in autumn of 2016, a Swedish computer user made an unbelievable discovery: when he inserted his daughter's USB stick into his laptop, in addition to her wedding pictures he also found a picture of the driver's license of a Chilean individual. This came as a really big surprise, since the daughter had never had contact with this man and the USB stick was sold to her as “brand new”. Alarmed by this news, Westman researched the problem and discovered that this happens with standard eMMC memory chips more often than one might think.
According to these experts, this poses a serious problem for computer forensic experts. They cannot be sure at first sight that the data they find on a USB stick or device really comes only from the current user, who is involved in a criminal or legal investigation. Therefore, more intensive analysis will be needed in the future to provide conclusive proof that the data found really comes from the last computer user. Up until now, the chain of proof looked like this: if criminal content, e.g. pornographic pictures or similar material, was found on the stick, this was enough to open an investigation and was used for a conviction.
Now, with the findings of both Westman and Fukami, much more work is needed: if you are not sure that the data is from the current user and owner of the stick, the whole history of the data has to be revealed. For this, the metadata of the files (documents or pictures) has to be checked. Additionally, the serial numbers of the built-in memory chips have to be read out. With this number and the corresponding device ID number, a former owner of the smartphone can be identified. Then investigators have to check whether the criminal content is from the current user or the old smartphone owner. As one can see, this process is much more time-consuming, but solid evidence can still be gathered.
But what does this mean for the normal computer user?
So what is the best solution to this problem for an ordinary consumer? The best way to cope with it is not to buy the cheapest USB stick available, but to purchase a product from a well-known brand and producer. Buying loads of cheap USB sticks from a Chinese web shop might therefore not be a good idea, since you might not only find old data from unknown people on your brand new stick, but the sticks might also contain viruses.
Additionally, these cases show how important it is for every computer user to be extremely cautious with their own data on old smartphones. There are lots of buyers of old computer equipment or smartphones, on the internet or in shops, who will give some (but not a lot of) money for smartphones in large quantities. Exactly these built-in memory chips will then be reused for producing cheap “brand new” USB sticks. Therefore it is essential to securely delete all your personal data from smartphones or any other external flash device before selling them or giving them away. Since flash drives are different from magnetic storage devices, they cannot be securely and fully erased with common erasure software. Only special software like Blancco Mobile Device Eraser (https://www.blancco.com/products/mobile-device-eraser/), which can also delete data on parts of the chip that are normally not accessible to the common computer user, should be used. Otherwise data recovery experts, like the ones from Kroll Ontrack, will be able to recover data, if necessary, that has not been properly erased from the old smartphone memory chip.
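A quick triage check for leftover data on a stick sold as new, given here as an added example that is not part of the original article: it scans a raw image of the stick for sectors that are neither zero-filled nor erased (0xFF) and for common file signatures. The 512-byte sector size, the signature list and the sample image are assumptions or constructed for this example, and the scan only covers the address space the USB controller exposes, not the chip areas the article describes as normally inaccessible.

```python
import io
import sys

SECTOR = 512  # assumed logical sector size
# Magic bytes of common file types, matched at the start of a sector.
SIGNATURES = {
    "jpeg": b"\xff\xd8\xff",
    "png": b"\x89PNG\r\n\x1a\n",
    "pdf": b"%PDF-",
    "zip/docx": b"PK\x03\x04",
}

def scan_image(stream, sector=SECTOR):
    """Count erased and used sectors and list file-signature hits by offset."""
    report = {"sectors": 0, "erased": 0, "used": 0, "hits": []}
    while True:
        block = stream.read(sector)
        if not block:
            break
        offset = report["sectors"] * sector
        report["sectors"] += 1
        # Erased NAND reads back as 0xFF; zero-filled sectors are also empty.
        if block.count(0) == len(block) or block.count(0xFF) == len(block):
            report["erased"] += 1
            continue
        report["used"] += 1
        for name, magic in SIGNATURES.items():
            if block.startswith(magic):
                report["hits"].append((offset, name))
    return report

def build_sample_image():
    """Constructed 16-sector image: a boot sector plus one stray JPEG header."""
    img = bytearray(b"\xff" * SECTOR * 16)
    img[0:SECTOR] = b"\x00" * 510 + b"\x55\xaa"   # boot sector signature
    leftover = b"\xff\xd8\xff\xe0" + b"JFIF leftover"
    img[9 * SECTOR:9 * SECTOR + len(leftover)] = leftover
    return bytes(img)

def scan_sample():
    return scan_image(io.BytesIO(build_sample_image()))

if __name__ == "__main__":
    # With a path argument, scan that raw image; otherwise scan the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            print(scan_image(fh))
    else:
        print(scan_sample())
```

On a stick that has just been formatted, signature hits in sectors the file system has never written to are a sign that the flash held data before.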