Hendon Publishing - Article Archive Details


Hidden Hard Drives

Written by Tim Dees

Few electronic gadgets have been marketed as successfully as have the Apple iPod and its close relatives. As of the end of 2004, Apple had sold over 10 million iPods, and Apple’s competitors are not doing badly with their own music players that store their tunes on tiny hard drives or solid state memory chips. People really seem to like the idea of having a stack of CDs, if not their entire music collection (the larger capacity iPods will hold over 5,000 songs), in a portable package that they can take with them anywhere. But as with so many other good things, iPods and other consumer electronics can be subverted to criminal activities, many of which you may not be aware of.

iPods contain a tiny (matchbox size) hard drive, very much like the one in your PC or laptop. The basic models have a 20 GB capacity, while the more expensive Photo iPod has a 60 GB drive (most laptop computers have hard drive capacities of around 40 GB). Mini iPods have 5 GB drives. Plugged into a conventional computer, the devices are recognized as external hard drives, onto which can be written any information that will fit on a computer.

Most users will use the iPods and other music players only for music storage, and the only interface they will use to write to and retrieve from the device will be the software that is distributed with the player. Apple uses a proprietary package called iTunes that also provides for downloading music via the Internet, while other brands use their own software or generic interfaces like Windows Media Player. Using these music player/encoder packages will reveal only the music files that are stored on the device.

However, if the players’ drives are viewed with a file directory application such as Windows Explorer, they will show all the files on the hard drive. Bad guys who are trying to conceal the presence of their computer records can simply use the music players as external drives, plugging them into their laptops or desktop PCs when they want to view or update the files. When they leave, they take the player with them, so that they know where their files are at all times.

If they think they’re about to get nabbed, they can ditch the player or give it to a confederate who will appear to be just another music buff. In a pinch, they can even stomp on the device and destroy the drive. At $300 to $500 a copy for most iPods, this gets expensive, but it’s still cheaper than bail. Many people bring their music players to work and otherwise take them wherever they go, so the presence of these devices seldom alerts anyone that anything untoward is going on.

Smaller capacity music players, such as the pack-of-gum size iPod Shuffle, use a solid state memory chip to store the music files. These are still relatively expensive in terms of dollars-per-gigabyte of storage, and it’s unusual to find solid state drives with capacities of more than 1 GB. On the upside, they have no moving parts, and their batteries last longer. Even though these players have no hard drives, they are still “seen” by their host computers as external drives, albeit ones with smaller capacities. They work just like the USB thumb drives or flash drives that are commonly available in capacities of up to 2 GB, and in fact some players are marketed as serving both functions.

Users plug the devices into a USB (Universal Serial Bus) port on a PC and can then read from and write to the devices. These flash or thumb drives are largely replacing the floppy disk for moving files from one computer to another, as they are fairly rugged, draw their power from the PC they’re plugged into, and are easy to carry. Even though these devices have no moving parts, they are still often called “drives,” which can be confusing to people with a low geek quotient. The “flash” term stems from the way Read-Only Memory (ROM) chips are encoded. Once data is “flashed” onto them in a special hardware device, the data remains indefinitely, even when power is removed. The new flash drives don’t need the special hardware, as it’s incorporated into the drive.

Some thumb drives, such as those sold by Sony, incorporate security functions into the memory. Files placed into a “vault” area on the drive are encrypted via a password chosen by the user. Without the password, the files are inaccessible. A few models even include a tiny fingerprint scanner that serves as the file encoding device.

Other electronic gadgets may contain removable memory storage devices. Many cellular phones that include cameras also have a memory card slot for storing the photos that the user takes. Personal Digital Assistants (PDAs), many of which are now combined with cellular phones, also carry removable storage. This storage can be in any of several formats, including CompactFlash, SecureDigital, or Memory Stick, among others.

These memory storage chips are very small—in some cases, smaller than a postage stamp—and have capacities of up to 4 GB. If the cell phone is used as a browser to view the photos stored on the chip, only photos recorded in the format used by the phone will appear. Other pictures, or non-picture files stored there, will probably be invisible.

Many digital cameras transfer their photographs to a host PC by way of a cable connection between the camera and computer. Although it may not be immediately apparent, the camera is acting as an external drive to the computer during this process. Someone wanting to hide files could easily transfer them to the camera’s memory card for retrieval later on to the same or another computer. Unless the memory card is explored with a file listing program, the only indication that there was anything other than photos on the memory card would be a discrepancy between the card’s capacity and the number of photos stored there.

The contents of these chips are viewed by the use of a memory card reader attached to a PC. Memory card readers are relatively inexpensive (less than $30, in most cases—do a Google search for “memory card reader” and you’ll get thousands of choices) and often accommodate multiple card formats all in one device. They usually attach to the PC through a USB connection or may be installed in a drive bay.

These are handy if you use digital cameras, as the storage card in the digital camera can be read and later wiped without having to have the camera there. In a rush, the memory chip with the photos can be taken out of the camera and read, while a fresh one is placed in the camera to get it back out into the field. Of course, they’re also indispensable if a suspect is brought in with a memory card in his possession.

The small size of these flash memory cards should be incentive for officers to conduct more thorough searches. They are so small that they can be hidden just about anywhere. Most of them do contain metal, but in such small amounts that they may not trip a metal detector, even a handheld one used at close range. The only way to be certain that any flash memory devices have all been found is to search carefully and thoroughly.

If a device capable of storing digital evidence is recovered, it is best to leave the examination of the device to a qualified forensic computer technician. Booting up a device or exploring its contents can change the file structure and leave the state open to an argument from the defense that the evidence was changed and not properly preserved. Forensic examiners can use special software and hardware to “image” the contents of the disk drive or flash memory without altering the contents themselves. The original can then be placed back in the evidence vault while all examinations are conducted on the image file.
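The gap between what a music or photo front end shows and what a file listing shows can be checked mechanically once an examiner has a working copy of the image mounted read-only. The following Python sketch is an added example, not part of the original article: it walks such a mount and reports files without a media extension, files with a media name but non-media content, and the bytes each group occupies. The extension list, the signature list and the sample files are constructed assumptions.

```python
import os, tempfile
from pathlib import Path

# Assumed list of extensions a player or camera front end would show.
MEDIA_EXTS = {".mp3", ".m4a", ".aac", ".wav", ".wma", ".jpg", ".jpeg", ".png", ".gif"}
# Leading bytes of common media formats, to catch files that were only renamed.
MAGIC = (b"\xff\xd8\xff", b"\x89PNG\r\n\x1a\n", b"GIF8", b"ID3", b"RIFF",
         b"\x30\x26\xb2\x75")  # JPEG, PNG, GIF, tagged MP3, WAV, ASF/WMA

def looks_like_media(path):
    """True if the first bytes match a known audio or image format."""
    with open(path, "rb") as fh:
        head = fh.read(12)
    if head.startswith(MAGIC) or head[4:8] == b"ftyp":   # ftyp: MP4/M4A container
        return True
    # Untagged MP3/AAC streams start with an 11-bit frame sync (0xFFE...).
    return len(head) > 1 and head[0] == 0xFF and head[1] & 0xE0 == 0xE0

def triage(root):
    """Walk a read-only mount; report files a media front end would not reveal."""
    rep = {"media_bytes": 0, "other_bytes": 0, "non_media": [], "disguised": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            p = Path(dirpath, name)
            rel, size = p.relative_to(root).as_posix(), p.stat().st_size
            if p.suffix.lower() not in MEDIA_EXTS:
                rep["non_media"].append(rel)
                rep["other_bytes"] += size
            elif not looks_like_media(p):
                rep["disguised"].append(rel)      # media name, non-media content
                rep["other_bytes"] += size
            else:
                rep["media_bytes"] += size
    return rep

def demo():
    """Build a constructed sample tree (not real evidence) and triage it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "Music").mkdir()
        (root / "Music" / "track01.mp3").write_bytes(b"ID3\x03" + b"\x00" * 60)
        (root / "Music" / "track02.mp3").write_bytes(b"PK\x03\x04" + b"\x00" * 96)
        (root / "ledger.xls").write_bytes(b"\xd0\xcf\x11\xe0" + b"\x00" * 196)
        return triage(root)

if __name__ == "__main__":
    print(demo())
```

A large `other_bytes` figure next to a small `media_bytes` figure is the same capacity discrepancy the article describes for camera cards, expressed in bytes rather than photo counts.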

Possession of a flash memory drive is not in itself an inherently suspicious act. I usually have one in my pocket, and it seldom contains anything more nefarious than my CV and whatever article I’m working on at that moment. Most people listening to music on their iPods don’t have anything other than music stored there. But know that these flash drives and music players have become the new “stash boxes.”

Just as dopers used to go to considerable effort to construct innocent-looking containers with secret compartments to hide their narcotics, new age crooks are finding ways to hide records of criminal transactions, child pornography, classified materials and other contraband on music players and flash memory devices.

Tim Dees is a former police officer who writes and consults about applications of technology in law enforcement. He can be reached at (509) 585-6704 or by e-mail at tim@timdees.com.


Published in Law and Order, Jun 2005
