Tracing the Invisible: How Digital Forensics Extracts Data from External Storage Devices
What is Digital Forensics?
In brief, Digital Forensics is a branch of Forensic Science that focuses on identifying, preserving, analyzing, and reporting data stored in digital form. Such data is crucial to investigations in both civil and criminal cases: examiners study digitally stored evidence to establish what actually happened.
What are the digital devices that hold evidence?
Digital evidence is information extracted from computing devices that can be material to a court case. Preserving the integrity of this evidence, and being able to prove it has not changed since seizure, is essential. Devices that carry it include computers, laptops, mobile phones, IoT devices, cloud storage, and external storage devices.
In this blog, we will be talking about the forensic analysis of external storage devices.
What are External Storage Devices?
External storage is hardware that stores data outside a computer. It adds capacity and portability and is used to move files between devices. Examples include CDs, DVDs, memory cards, external hard drives, USB flash drives, etc. Let’s see each one in detail.
- Portable HDDs: External hard drives connected to a computer or other device over USB or Thunderbolt. They offer large capacities for bulk storage and backups, as well as for transferring files.
- SSDs: Connected the same way, but built on flash memory, so they are faster and have no moving parts to fail. Forensic caveat: the drive’s controller runs TRIM and garbage collection in the background, so blocks freed by a deletion may be zeroed by the drive itself shortly afterwards, without any action by the user. Deleted-file recovery from SSDs is therefore far less reliable than from spinning disks.
- USB flash drives: Small and portable; ideal for carrying smaller files between machines.
- Memory cards: Used in devices that need compact storage such as cameras, smartphones, and other portables, and to expand a device’s built-in storage.
- Optical discs: CDs, DVDs, and Blu-ray discs. Older media, less common today, still used for media distribution, archiving, and backups.
- Network-Attached Storage: A NAS is a storage appliance that connects to a network so that multiple devices can share the same storage space.
- Virtual storage: Cloud-based storage is not a physical device you can seize; it provides storage accessed over the internet.
All of these devices matter in evidence collection: they are used in both personal and professional life, hold large quantities of data, and are easy to carry (and to hide). Pen drives in particular move data quickly and unobtrusively.
Key stages of a Basic Digital Forensics investigation:
- Identification and seizure: Identify the device and securely seize the storage media that may hold relevant data, recording where, when, and from whom it was taken; this is the start of the chain of custody.
- Preservation: Maintain the integrity of the data by working only from verified copies and keeping the original evidence untouched (write-blocked, hashed, and stored securely).
- Analysis: Examine the acquired data to find relevant information and draw conclusions.
- Documentation: Record every step taken during the investigation, including the tools and versions used, the hash values obtained, and the findings.
- Presentation: Present the findings clearly and concisely, often in court or another legal setting.
This is the typical walkthrough of any digital investigation. Now let us look more specifically at how data is retrieved from external storage devices.
Digital Forensics of External Storage Devices:
The primary goal is to retrieve data from these devices, including data the user has deleted. (Data that has actually been overwritten is, in practice, gone; what recovery tools find is data whose sectors have not been reused yet.) The process is a systematic examination of the storage media to recover, inspect, and interpret data. After the basic identification and preservation, the steps are:
- Forensic imaging: The first rule in digital forensics is Never Work on the Original Evidence. Attach the device through a write blocker, make a bit-for-bit image of the whole device (every sector, allocated or not), and work only with that copy. Hash both the source and the image (MD5 and/or SHA-256) and record the values: matching hashes are the proof that the copy is faithful and that the original was not altered.
- Timeline analysis: Reconstruct the sequence of events from file system timestamps (creation, modification, access) and other dated artifacts, so that the order of actions becomes clear and anomalies stand out.
- Data extraction: With the image verified, extract its content: live files of every kind (text, images, videos), deleted files whose metadata still exists, and fragments carved out of unallocated space. Many tools automate this.
- Data analysis: Examine the extracted data to turn a large raw dataset into usable information: file and file system analysis, metadata analysis, decryption where keys are available, and so on.
- Data interpretation: Sort the results according to the questions of the case and pick out the relevant items: timestamps, user activity, communication logs, etc.
- But how can you get data that is already deleted? Deleting a file normally does not erase its content. The file system only marks the directory entry and the file’s clusters as free; the bytes stay where they were, in what is now unallocated space, until a new file reuses that space. Recovery tools either read the leftover metadata (on FAT, the directory entry with its first byte replaced; on NTFS, the MFT record flagged as unused) or carve by file signature straight out of unallocated space. A related source is slack space, the unused tail of a file’s last cluster, which can still hold bytes from whatever file occupied that cluster before. None of this survives an overwrite, and on SSDs the drive’s own TRIM and garbage collection can zero freed blocks without any user action.
Challenges Faced by the Analysts:
- Encryption and compression: Encrypted containers (BitLocker To Go, VeraCrypt volumes, hardware-encrypted drives) are common on external media. Without the key or password the data cannot be read, so the investigation shifts to obtaining it: from the suspect, from recovery keys stored elsewhere, or from a memory capture of a machine that had the volume mounted. Compression is only a format problem; standard tools unpack it.
- Anti-forensic techniques: To defeat recovery, perpetrators use anti-forensic methods: secure-wipe tools that overwrite free space, timestamp manipulation, hidden volumes, and software that erases or alters data when the device is plugged into an unfamiliar machine. All of this makes it harder for investigators to piece the digital evidence together.
- Firmware attacks: A device whose controller firmware has been modified with malicious code (the class of attack known as BadUSB) can misbehave when connected, for example presenting itself as a keyboard or hiding part of its storage. Detecting and mitigating this requires a thorough understanding of device internals, and it is one more reason never to plug suspect media into a workstation without a write blocker.
- Time and power: Imaging, processing, and recovering data take a long time, and an interruption (power loss, a disconnected cable) means starting the acquisition over. The workload also needs sustained CPU and power, which a laptop struggles to provide.
Tools used in the digital forensics of external storage:
- For forensic imaging: FTK Imager, EnCase, Tableau TX1, Logicube Falcon, etc.
- For analysis and recovery of deleted files: Autopsy, EaseUS, Disk Drill, Recuva, and more. (The last three are consumer recovery tools; run them against the image, never against the original device.)
Now you might be thinking, “This blog is drowning in theory — where’s the hands-on stuff?” Let’s see an easy practical of retrieving deleted files from a USB drive. Ready for the Action?
PRACTICAL
- Here I’ll be using a pen drive (SanDisk, 32 GB):
- The first step is to make an image of the USB drive. There are various paid and free tools for forensic imaging; we will use FTK Imager.
- Plug in the pen drive (through a write blocker if you have one) and open FTK Imager. Choose File > Create Disk Image > Physical Drive, and select your USB drive.
Select the destination image type Raw (dd). FTK Imager then asks for the evidence item information: case number, evidence number, unique description, examiner, and notes. Fill in the form accordingly.
Now select the destination folder and the image filename. Leave “Verify images after they are created” ticked so that FTK Imager hashes the finished image and compares it with the hash of the source, then start the imaging. Keep the resulting MD5 and SHA1 values with your case notes.
Imaging takes a while: a physical image copies every sector, so the time depends on the drive’s total capacity and the interface speed, not on how much data is stored on it.
Now it is time to extract the files, including deleted ones, from the image. We use Autopsy to analyse the image and fetch the files.
Open Autopsy, create a new case, and set the case directory (where Autopsy keeps its database and extracted output); fill in the case details and click Finish.
Then add a data source: Add Data Source > Generate new host name based on data source name > Disk Image or VM File. Select the path of the image file and configure the ingest modules; for deleted-file recovery, keep the File Type Identification and PhotoRec Carver modules enabled so that unallocated space is carved as well.
Autopsy then lists the live files, the deleted files it can still see through leftover file system metadata, and whatever the carver recovered from unallocated space. That is not everything that was ever on the drive: content that has since been overwritten is gone. The timeline, geolocation (from EXIF data), and other metadata views are available on the same data.
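The same acquisition step, done in code rather than in the FTK Imager dialogs, as an added example that is not part of this post: the script streams the device, writes a raw (dd) image, and records MD5 and SHA-256 both for the bytes as they were read and for the finished image, which is exactly the comparison “Verify images after they are created” performs. The device here is a constructed 2 MiB file so that the script runs offline; to image a real stick on Linux you would pass the block device (for example /dev/sdb, read as root, behind a write blocker) as src.

```python
"""Bit-for-bit acquisition with hash verification, the way FTK Imager's
"Verify images after they are created" works. Added example, not part of
the blog post; the device is a constructed file standing in for /dev/sdb."""
import hashlib
import os
import tempfile

BLOCK_SIZE = 1024 * 1024  # read and write 1 MiB at a time


def hash_file(path):
    """Return (md5, sha256) hex digests of a file, streamed in blocks."""
    md5, sha = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(BLOCK_SIZE), b""):
            md5.update(chunk)
            sha.update(chunk)
    return md5.hexdigest(), sha.hexdigest()


def image_device(src, dst):
    """Copy every byte of src into dst and return the (md5, sha256) of the
    bytes as they were read: the acquisition hash of the source."""
    md5, sha = hashlib.md5(), hashlib.sha256()
    with open(src, "rb") as fin, open(dst, "wb") as fout:
        for chunk in iter(lambda: fin.read(BLOCK_SIZE), b""):
            md5.update(chunk)
            sha.update(chunk)
            fout.write(chunk)
    return md5.hexdigest(), sha.hexdigest()


def acquire_and_verify(src, dst):
    """Image src to dst, then re-hash the written image. The image is verified
    when its hash equals the acquisition hash; record both in the case notes."""
    acquisition = image_device(src, dst)
    image = hash_file(dst)
    return {
        "acquisition_md5": acquisition[0],
        "acquisition_sha256": acquisition[1],
        "image_md5": image[0],
        "image_sha256": image[1],
        "verified": acquisition == image,
    }


def make_demo_device(path, size=2 * 1024 * 1024):
    """Constructed 2 MiB stand-in for a USB stick: a boot-sector signature,
    one 'live' file and one 'deleted' file left in unallocated space."""
    dev = bytearray(size)
    dev[510:512] = b"\x55\xaa"
    live = b"live: quarterly report"
    dev[32 * 1024:32 * 1024 + len(live)] = live
    gone = b"deleted but not overwritten!"
    dev[1024 * 1024:1024 * 1024 + len(gone)] = gone
    with open(path, "wb") as f:
        f.write(dev)


def run_demo():
    """Acquire the constructed device and verify it, then flip one byte of
    the image and show that re-checking against the recorded hash fails."""
    workdir = tempfile.mkdtemp(prefix="dfir-")
    src = os.path.join(workdir, "usb-stick.bin")  # stands in for /dev/sdb
    dst = os.path.join(workdir, "usb-stick.dd")   # the Raw (dd) image
    make_demo_device(src)
    report = acquire_and_verify(src, dst)
    with open(dst, "r+b") as f:                   # simulate later damage
        f.seek(4096)
        original = f.read(1)
        f.seek(4096)
        f.write(bytes([original[0] ^ 0xFF]))
    still_matches = hash_file(dst)[1] == report["acquisition_sha256"]
    return report["verified"], still_matches


if __name__ == "__main__":
    verified, still_matches = run_demo()
    print("image verified at acquisition:", verified)
    print("image still matches recorded hash after a 1-byte change:", still_matches)
```

The point of hashing during the read (rather than hashing the source separately afterwards) is that a flaky drive can return different bytes on a second pass; the acquisition hash documents what was actually captured, and every later copy of the image can be checked against it.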
That is how you do it!!
NOTE: when you do the practical, keep the laptop on mains power (a dead battery mid-acquisition means starting over) and place it on a hard, flat surface rather than a bed, pillow, or lap so that it can dissipate heat.