Sequence of events:
12:48am format SD card by the utility provided on the phone ( after wiping and verifying )
12:58-12:59am pictures were taken in sequence where the images showed numbers 1 - 9, 9 being the last image.
1:00am Created a simple video showing a pencil
101am Created a simple video showing a CD
1:18am Ejected the phone from the PC
1:19am Used the phone to view image 6 ( last image viewed )
1:20am Used the phone to view the pencil video ( last video viewed )
1:20am Connected the phone to PC to create a dd image
1:35am Unmounted SD card to prepare for erase
1:37am Used Erase SD card utility to erase the contents of the storage device
1:42am Mounted card in phone again
1:43am connected to PC and created another image to analyze
Were the files really lost?
Looking at the image after the SD card was formatted, showed FAT was reset to its initial state.
Erasing of the SD card, updated the default folder structure where the modified date showed the time the card was erased. Interestingly, the previous DiskCacheIndex...tmp showed the erase time and the new DiskCachIndex...tmp showed the time the newly erased SD card was mounted.
The logical sector of the DCIM\Camera where the pictures and videos were stored. The directory entries did not keep the metadata of previously stored files.
Directory content for folder DCIM\Camera before erasure.
The directory content that is not part of the default folders like the DCIM\.thumbnails folder was not reset. It's content was set to unallocated, but was not changed.
All original files were verified to still exist on the drive including the thumbnail version of the images and the first frame of the videos.
Other locations also include path information and actual image copies in the com.cooliris.media folder. I will post another blog on analyzing those files. They were also intact after erasing the media.
Conclusion,
No comments:
Post a Comment