Flash drives and acquisition

Jamie
(@jamie)
Posts: 1288
Moderator
 

Flash drives and acquisition

by Dominik Weber

“Take a look at this”. It started simply with that.

A co-worker was looking into some strange issue with an acquisition of a flash drive. It seemed that the acquisition hash changed every time the drive was acquired. The write switch was off. Even a software or hardware write blocker did not prevent this odd effect.

My co-worker did isolate some sector differences between the individual acquisitions. She found out that it was a series of sectors located in “Unallocated Clusters”.

While looking at the real sector data it changed every time the sector refreshed. It was a series of hex patterns like “44 00”; sometimes they would change to “40 00”, “18 00” or “00 00”.

Then we used a disk editor to read the same sector and the same behavior persisted. Same results with other tools. On different computers…


Please use this thread for discussion of Dominik's latest column.

 
Posted : 17/06/2010 3:15 pm
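
The sector-level comparison described in the column excerpt above, as an added example that is not part of the original thread or column: it lists the sector ranges that differ between two acquisitions and then checks that everything outside those ranges hashes identically. The function names, the 512-byte sector size and the two in-memory sample images are assumptions constructed for illustration.

```python
import hashlib
import io

SECTOR_SIZE = 512  # assumption: 512-byte logical sectors

def differing_sector_ranges(img_a, img_b, sector_size=SECTOR_SIZE):
    """Return inclusive (first, last) sector ranges where two images differ."""
    ranges, start, sector = [], None, 0
    while True:
        a, b = img_a.read(sector_size), img_b.read(sector_size)
        if not a and not b:
            break
        if a != b:  # also true when one image is shorter than the other
            if start is None:
                start = sector
        elif start is not None:
            ranges.append((start, sector - 1))
            start = None
        sector += 1
    if start is not None:
        ranges.append((start, sector - 1))
    return ranges

def hash_excluding(img, ranges, sector_size=SECTOR_SIZE):
    """SHA-256 over an image with the listed sector ranges left out."""
    skip = {s for first, last in ranges for s in range(first, last + 1)}
    digest, sector = hashlib.sha256(), 0
    while chunk := img.read(sector_size):
        if sector not in skip:
            digest.update(chunk)
        sector += 1
    return digest.hexdigest()

def make_image(pattern):
    """Constructed 16-sector image; sectors 5-7 and 12 hold `pattern`."""
    sectors = [bytes([n]) * SECTOR_SIZE for n in range(16)]
    for n in (5, 6, 7, 12):
        sectors[n] = pattern * (SECTOR_SIZE // len(pattern))
    return b"".join(sectors)

FIRST = make_image(b"\x44\x00")   # constructed "first acquisition"
SECOND = make_image(b"\x40\x00")  # constructed "second acquisition"

if __name__ == "__main__":
    unstable = differing_sector_ranges(io.BytesIO(FIRST), io.BytesIO(SECOND))
    print("unstable sector ranges:", unstable)
    print("rest of image matches:",
          hash_excluding(io.BytesIO(FIRST), unstable)
          == hash_excluding(io.BytesIO(SECOND), unstable))
```

For real images, pass files opened in binary mode instead of the `io.BytesIO` objects.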
(@athulin)
Posts: 1156
Noble Member
 

Flash drives and acquisition by Dominik Weber

Very interesting!

One question that occurs to me is what the storage model of a USB Mass Storage device says about situations like that – was that a compliant device, or not?

It also raises some interesting questions for acquisition of other media: does the respective media storage model guarantee that reads of uninitialized blocks can be repeated? If not, there's certainly a problem.

 
Posted : 17/06/2010 4:29 pm
(@rich2005)
Posts: 536
Honorable Member
 

If you're interested in this, there's a huge thread on here relating to it:
http://www.forensicfocus.com/index.php?name=Forums&file=viewtopic&t=3542

 
Posted : 17/06/2010 5:27 pm
_nik_
(@_nik_)
Posts: 93
Trusted Member
 

One question that occurs to me is what the storage model of a USB Mass Storage device says about situations like that – was that a compliant device, or not?

Yes - the device is marketed as fully compliant. I am not aware of any file system that relies on the consistency of unwritten sectors.

What I'd be concerned about is maybe some RAID 5 controllers. Since (in a simplified case of 3 disks) the controller might read a sector and write two, since reading is faster than writing. The read sector gets xor'd with the to-be-written one and the result (the new xor sector and the new data) are written to the two other disks.

In any case, the flash/drive controller's firmware could just as easily return a 0-filled sector, not reading anything.

 
Posted : 22/06/2010 12:43 am
(@mscotgrove)
Posts: 938
Prominent Member
 

If I use a floppy disk, an uninitialised sector will not read, and hence return an error. Probably similar on a hard drive. Therefore, I would expect on this device if a sector has not been written to, it should return a read error, rather than 'random' data.

It may be acceptable, but is not nice.

On the other hand, thanks for the warning.

 
Posted : 22/06/2010 2:43 am
_nik_
(@_nik_)
Posts: 93
Trusted Member
 

On the other hand, thanks for the warning

Yes - this explanation will help when having to explain why hashes do not match on flash media. I wish there would be a way to read out those address tables without custom hardware.

 
Posted : 23/06/2010 10:49 pm
_nik_
(@_nik_)
Posts: 93
Trusted Member
 

A flash chip reader is on its way and the weekend after it arrives I will try and read the flash contents out. I have filled the sectors on a drive with the sector number and will see what I get. I hope I did not damage the chip removing it from the PCB.

 
Posted : 06/07/2010 11:54 pm