Flash drives and acquisition

 
  

jamie
Site Admin
 

Flash drives and acquisition

Post Posted: Jun 17, 10 15:15

Flash drives and acquisition

by Dominik Weber

“Take a look at this”. It started simply with that.

A co-worker was looking into some strange issue with an acquisition of a flash drive. It seemed that the acquisition hash changed every time the drive was acquired. The write switch was off. Even a software or hardware write blocker did not prevent this odd effect.

My co-worker did isolate some sector differences between the individual acquisitions. She found out that it was a series of sectors located in “Unallocated Clusters”.

While looking at the real sector data it changed every time the sector refreshed. It was a series of hex patterns like “44 00”; sometimes they would change to “40 00”, “18 00” or “00 00”.

Then we used a disk editor to read the same sector and the same behavior persisted. Same results with other tools. On different computers...

Read more


Please use this thread for discussion of Dominik's latest column.
_________________
Jamie Morris
Forensic Focus
Web: www.forensicfocus.com
Twitter: twitter.com/ForensicFocus
Facebook: www.facebook.com/forensicfocus 
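
The sector-level comparison described in the column excerpt above, as an added example that is not part of the original post or column: it lists the sector runs that differ between two acquisitions and computes a digest over the sectors that did not change. The 512-byte sector size, the function names and the two in-memory sample images are assumptions made for illustration.

```python
import hashlib
import io

SECTOR_SIZE = 512  # assumption: 512-byte sectors


def differing_sector_runs(img_a, img_b, sector_size=SECTOR_SIZE):
    """Return [(first, last), ...] runs of sectors that differ between two images."""
    img_a.seek(0)
    img_b.seek(0)
    runs, start, sector = [], None, 0
    while True:
        a, b = img_a.read(sector_size), img_b.read(sector_size)
        if not a and not b:
            break
        if a != b and start is None:
            start = sector                      # a new run of differences begins
        elif a == b and start is not None:
            runs.append((start, sector - 1))    # the run ended on the previous sector
            start = None
        sector += 1
    if start is not None:                       # difference ran to the end of the image
        runs.append((start, sector - 1))
    return runs


def stable_digest(img, runs, sector_size=SECTOR_SIZE):
    """SHA-256 over every sector that is NOT inside one of the given runs."""
    unstable = {s for first, last in runs for s in range(first, last + 1)}
    h, sector = hashlib.sha256(), 0
    img.seek(0)
    while chunk := img.read(sector_size):
        if sector not in unstable:
            h.update(chunk)
        sector += 1
    return h.hexdigest()


def make_image(overrides, sectors=8):
    """Constructed sample: 0xAA-filled sectors, some overwritten with a 2-byte pattern."""
    data = bytearray(b"\xaa" * SECTOR_SIZE * sectors)
    for s, pattern in overrides.items():
        data[s * SECTOR_SIZE:(s + 1) * SECTOR_SIZE] = pattern * (SECTOR_SIZE // 2)
    return io.BytesIO(bytes(data))

# Constructed "acquisitions" of one device: sectors 3-4 and 6 read back differently.
FIRST = make_image({3: b"\x44\x00", 4: b"\x44\x00", 6: b"\x18\x00"})
SECOND = make_image({3: b"\x40\x00", 4: b"\x00\x00", 6: b"\x00\x00"})
RUNS = differing_sector_runs(FIRST, SECOND)
```

With real images, open both files in binary mode and pass the file objects in place of the constructed samples.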
 
  

athulin
Senior Member
 

Re: Flash drives and acquisition

Post Posted: Jun 17, 10 16:29

[quote="jamie"]Flash drives and acquisition by Dominik Weber[/quote]


Very interesting!

One question that occurs to me is what the storage model of a USB Mass Storage device says about situations like that -- was that a compliant device, or not?

It also raises some interesting questions for acquisition of other media: does the respective media storage model guarantee that reads of uninitialized blocks can be repeated? If not, there's certainly a problem.
 
  

Rich2005
Senior Member
 

Re: Flash drives and acquisition

Post Posted: Jun 17, 10 17:27

If you're interested in this, there's a huge thread on here relating to it:
www.forensicfocus.com/...pic&t=3542  
 
  

_nik_
Senior Member
 

Re: Flash drives and acquisition

Post Posted: Jun 22, 10 00:43

[quote="athulin"]One question that occurs to me is what the storage model of a USB Mass Storage device says about situations like that -- was that a compliant device, or not?[/quote]

Yes - the device is marketed as fully compliant. I am not aware of any file system that relies on the consistency of unwritten sectors.

What I'd be concerned about is maybe some RAID 5 controllers. Since (in a simplified case of 3 disks) the controller might read a sector and write two, since reading is faster than writing. The read sector gets xor'd with the to-be-written one and the result (the new xor sector and the new data) is written to the two other disks.

In any case, the flash/drive controller's firmware could just as easily return a 0-filled sector, not reading anything.
 
  

mscotgrove
Senior Member
 

Re: Flash drives and acquisition

Post Posted: Jun 22, 10 02:43

If I use a floppy disk, an uninitialised sector will not read, and hence return an error. Probably similar on a hard drive. Therefore, I would expect on this device if a sector has not been written to, it should return a read error, rather than 'random' data.

It may be acceptable, but is not nice.

On the other hand, thanks for the warning
_________________
Michael Cotgrove
www.cnwrecovery.com
www.goprorecovery.co.uk 
 
  

_nik_
Senior Member
 

Re: Flash drives and acquisition

Post Posted: Jun 23, 10 22:49

[quote="mscotgrove"]On the other hand, thanks for the warning[/quote]

Yes - this explanation will help when having to explain why hashes do not match on flash media. I wish there would be a way to read out those address tables without custom hardware.  
 
  

_nik_
Senior Member
 

Re: Flash drives and acquisition

Post Posted: Jul 06, 10 23:54

A flash chip reader is on its way and the weekend after it arrives I will try and read the flash contents out. I have filled the sectors on a drive with the sector number and will see what I get. I hope I did not damage the chip removing it from the PCB.
 
