Know How to Perform USB Flash Drive & Pen Drive Forensics Easily

Carl Wilson | October 12th, 2017 | Freebies

The technical support team is steadfast in resolving issues and this time as well, the query probed by client asserting: “Kindly help to carry out recovery of deleted and corrupted data files from Pen Drive for investigation purpose”, was resolved with a unique formula for carving out the files from damaged Pen Drives. The solution claims to be a seamless solution for digital forensics, law enforcement, personal usage, and organizational consumption. The basic strategies for investigation has to be done manually and when needed the tool is suggested for further investigation.

Nowadays, the portable digital device usage has seen an exponential growth which is growing parallel to the consumer electronics. Flash memory technology especially USB drives or Pen Drives, has ruled the non-volatile technology for easy accessibility and storage. These storage devices are also upright resources from an investigation point of view. But conducting pen drive forensics can be difficult in certain cases where manual procedures are not enough.  The electronic gadget USB flash drive forensics & pen drive forensics  tools play an important role for the examination of embedded systems which mainly includes extraction of data on a logical level. The forensic investigation basically starts from data acquisition methods of flash memory devices using different approaches.

Exploring USB File System – USB Flash Drive Forensics

While investigating, mostly the latest USB flash drives are incurred i.e. FAT 32. Some old flash drives can also be acquired like FAT 12/16 which means that these devices use file allocation table for organizing file names. Usually there are two copies of the FAT table in case if one gets corrupted. When a file enters this file allocation table, its starting cluster is associated with it. All the clusters belonging to different files are chained together. What happens while deletion of any file from USB drive or Pen drive is, the first character of the filename is replaced by an E5 hex character also known as stigma. The cluster however which was associated with the deleted file is available to the Operating system which can be used.

Pen Drive being a Flash drive is a type of EEPROM (electrically erasable programmable read-only memory) and is non-volatile. This means that it memorizes the value devoid of inducing power and hence is dense. Highly used for storage, the behavior of these flash-memory Pen drives are not like normal memories like RAM or disks. Depending upon type of flash drives, NOR flash or NAND flash, the access and writing of data is managed.

Prior starting any Pen Drive forensics investigation, one must be aware of the algorithm being used for the file storage for that acquired device. Some of the USB flash drives just need to be plugged in and can be then used in new systems. But few editions of Windows systems like Windows 98 and older versions, urge a driver for utilization. Certain scenarios can be faced by investigators where newer versions like Windows 95, Millennium, Windows 7, XP, and 98, are unable to recognize the Pen Drive by examination machine. In such scenario, it is advised to try the flash drive on another system. But it is extremely important to have an USB hardware write-blocker installed in another system in order to prevent any unwanted data transport between system and Pen Drive. This is to make sure that no alteration or modification is done with the drive and no malware is transported to it.

The Solution Recommended

In order to recover complete data including deleted data from the Pen Drives, the most creditable software application is Pen Drive Recovery tool. This application is a professional utility and is designed to perform thorough recovery on the damaged or corrupted Pen Drive device. Providing assured recovery of data for forensics investigation, software is affiliated with multiple features as well. Pen Drive Recovery Tool needs to be downloaded as demo version on the system which can be then converted to a licensed version.

usb flash drive forensics



Once the software is successfully installed, follow the below mentioned steps;

Step 1: Attach the Pen Drive to the system which has to be investigated.

Step 2: Click on Scan Disk in order to scan the system with available Removable Storage.

Step 3: Software will display the attached Pen Drive to the software interface along with Partition Details.

Step 4: Double-click on the icon of Removable Storage device.

Step 5: Choose from the Recovery Options available: Normal, Deleted Files/Folders, & Formatted Partition.

Step 6: Click on Recover tab.

The available Recovery Options provide different types of recovery like; Normal recovery of available data files from the Pen drive. Deleted Item recovery providing recovery of items which were deleted from the Pen Drive helping investigators to view what is unseen. Formatted partition option is to recover data which was formatted intentionally by culprit.

Conclusion: Digital forensics is done with every type of electronic medium which come across while investigation. Small-scale digital storage mediums like Flash Drives including Pen Drives are no exception for that. Eventually the technology has risen and commenced the area of USB flash drive forensics as well with beneficial recovery tools like Pen Drive recovery software to provide necessary help to law enforcements via pen drive forensics. This tool is a foremost exemplary application to dig out the underlying evidences in the form of data files.