A coworker brought me an SD card today because she could not delete any files from it. I noticed the lock switch was missing from the card, and after inserting the card into a portable reader, I confirmed the card was write protected. This got me curious: just how does the switch on an SD card work? I've relied on it for write protecting evidence, but I didn't really know how reliable the switch was.
With great gusto, I snapped the card in half to examine its contents. I did it with as much joy of discovery as a young boy has when first focusing the suns rays on ants with a magnifying glass. What I found inside surprised me: a very simple chip occupying about 1/3 of the card housing. I determined--by examining similar cards--that the switch did not bridge any electrical contacts on the chip, so write protection was not a function on the card itself.
I turned my attention to several card readers I have lying about. One has a very shallow card well, which makes visualizing the electrical contacts quite easy. I noted that on the side of the reader, in a location corresponding to the switch on an SD card, there was a spring-loaded pin. Through experimentation, I determined that the pin, when depressed, allows data to be written to the card. When the pin is extended, write-blocking occurs. The position of the "lock" switch on the card determines the position of the pin.
Thus, (and to my surprise) write blocking is a really function of the reader, not the card. It is possible for a reader to be constructed or damaged such that the lock switch has no effect! Frequent inspection and testing of a card reader used for forensic analysis is warranted.
Lesson: know your equipment!
No comments:
Post a Comment