Surprise! A USB Drive

July 5, 2023 - Reading time: 3 minutes

Amidst the fireworks displays, backyard barbecues, and shopping trips that filled my four-day holiday weekend, I also found myself entangled in a modest mystery that literally arrived on my doorstep.

It all began with an ordinary, run-of-the-mill Amazon delivery. I had ordered a couple of cases for some portable hard drives I use to backup my computer. When they arrived, I noticed one of the cases already had a 1TB USB drive inside.

My curiosity piqued, I plugged the drive into a Linux PC I use for my Ham radio hobby. Adhering to sound forensic principles, I mounted the drive in read-only mode with the noexec option. This minimized the chances of contamination and/or infection.

The mystery deepened when I discovered the drive contained someone’s collection of family photos. How did this drive find its way to Amazon and subsequently end up being sent to me? Could it be that someone mistakenly returned this case without realizing their hard drive was still inside? And if so, how did Amazon neglect to inspect the returned item before repackaging it for sale?

Considering my next steps, I pondered whether to return everything to Amazon—the company whose oversight had led to this unexpected delivery. Would they diligently endeavor to locate the rightful owner of this drive, or would they simply repackage it and send it off to someone else?

I decided to take it upon myself to return the drive to its rightful owner. There was one problem: I had no clue as to whom it belonged to. There was no identifying information on anything. No documents stored inside identifying its owner. All there were, were photos. Fortunately, my past experience with digital forensics granted me some ideas. So I created a forensic copy and fed it into some software called Autopsy.

Autopsy’s EXIF parser was able to extract some photo metadata. For the uninitiated, when you take a photo using any modern device, a wealth of additional information is stored in the image file. This “metadata” could include the photographer’s name, the location where the photo was taken, the model of camera, and so on. Although Autopsy wasn’t able to find the owner's name, it did manage to compile a list of GPS coordinates where the photos were taken. Plotting these coordinates on a map, I noticed a significant concentration of photos were taken in a particular residential area. This discovery would prove crucial later on.

Examining the photos themselves more closely, I stumbled on an image where, upon zooming in, you could discern a person’s name on a sheet of paper. Typing in this name, along with the city/state from the GPS coordinates, produced results. I discovered profiles for the people in the photos along with some contact information. And in further confirmation, these people appeared to reside right at that cluster of GPS coordinates I noted earlier. Qapla’! 

The owners of the drive have been contacted, and we can finally lay this mystery to bed.