USB stick misreport...
 
Notifications
Clear all

USB stick misreporting capacity

14 Posts
7 Users
0 Likes
1,284 Views
zhaan
(@zhaan)
Posts: 50
Trusted Member
Topic starter
 

I have a few USB sticks from a case which are not USB3 (so not recent) and I would expect them normally to be around 4 or 8gb maximum.

When I add them to Encase, it claims they are 250gb.

File system is FAT32.

Any thoughts?

 
Posted : 16/01/2018 2:11 pm
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

I have a few USB sticks from a case which are not USB3 (so not recent) and I would expect them normally to be around 4 or 8gb maximum.

Why?

I mean, there are/were 256 GB USB sticks (USB 2.x).

If you have a Brand/Model it would be easy to check.

As a side note (and not necessarily your case) the market has been flooded with "fakes", sticks that are actually 2, 4 or 8 GB but that have been "hacked" at either the software or firmware level to seem much bigger (until you actually copy to them more data than the "real" capacity you won't notice).

jaclaz

 
Posted : 16/01/2018 2:21 pm
zhaan
(@zhaan)
Posts: 50
Trusted Member
Topic starter
 

Yeah, I know there are large capacity USBs in the 2.0 flavour but I have a few which are marked by manufacturer as 4gb reporting as being 200gb.

I was just reading about the fake USB sticks.

I sometimes see USB sticks reporting at a lot less than their capacity if they have hardware issues, etc. but have never seen them reporting more especially when they are marked with their capacity.

 
Posted : 16/01/2018 2:26 pm
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

Yeah, I know there are large capacity USBs in the 2.0 flavour but I have a few which are marked by manufacturer as 4gb reporting as being 200gb.

I was just reading about the fake USB sticks.

I sometimes see USB sticks reporting at a lot less than their capacity if they have hardware issues, etc. but have never seen them reporting more especially when they are marked with their capacity.

There are two possible "tricks", both largely used by counterfeiters.

The first one (simpler and "software only") is to simply dd to the stick an empty (usually FAT32) malformed filesystem, i.e. a "truncated" filesystem.

The second one (more complex, but still relatively easy to do) is to change parameters in the firmware to have the controller believe that it is coupled with a higher capacity chip (or chips).

Typically on these "artificially enlarged" sticks everything goes well until you use the actually available capacity, when you go over it they either "loop" (overwriting files/areas in the initial addresses) or the data simply vanishes with a "write error" of some kind.

Using dedicated tools, it is usually possible to determine the actual controller inside the stick and also the memory chip(s).
The usual reference site is this
http//www.usbdev.ru/

Russian, buit not that bad via Google translate.

 
Posted : 16/01/2018 2:46 pm
(@bntrotter)
Posts: 63
Trusted Member
 

I have a few USB sticks from a case which are not USB3 (so not recent) and I would expect them normally to be around 4 or 8gb maximum.

When I add them to Encase, it claims they are 250gb.

File system is FAT32.

Any thoughts?

Are they name brand USB sticks or they cheap O USBs? A lot of the cheap USBs are re-marketed USBs, or have re-furbished USB controllers/boards.

 
Posted : 16/01/2018 3:06 pm
JaredDM
(@jareddm)
Posts: 118
Estimable Member
 

I have a few USB sticks from a case which are not USB3 (so not recent) and I would expect them normally to be around 4 or 8gb maximum.

When I add them to Encase, it claims they are 250gb.

File system is FAT32.

Any thoughts?

Are they name brand USB sticks or they cheap O USBs? A lot of the cheap USBs are re-marketed USBs, or have re-furbished USB controllers/boards.

They are usually always sold on eBay, but they do occasionally show up on Amazon and other sites that allow third parties to sell their goods. They are buying cheap 512mb or 1gb sticks and tweaking them to appear larger. These guys rely on the fact that sites like eBay will only accept feedback for a short while after they are sold. So by the time people realize they bought a spoofed stick it's too late to even report the fraud to ebay.

We've seen a fair number of these show up for recovery once people get past the actual capacity and it starts writing data back in the loop over the FAT tables.

Sticks bought by bonafide retailers are usually always safe.

Here's an example of where these fake ones come from https://www.ebay.com/itm/1TB-USB-2-0-Flash-Drive-Disk-Memory-1-1-Pen-Stick-Thumb-Key-Storage-Swivel-Blue/331866027021?_trkparms=aid%3D444000%26algo%3DSOI.DEFAULT%26ao%3D1%26asc%3D44040%26meid%3D0c4bb82aee1d487e87865d64f8f1f33a%26pid%3D100752%26rk%3D1%26rkt%3D3%26mehot%3Dag%26sd%3D331794676118&_trksid=p2047675.c100752.m1982

 
Posted : 16/01/2018 7:51 pm
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

Here's an example of where these fake ones come from https://www.ebay.com/itm/1TB-USB-2-0-Flash-Drive-Disk-Memory-1-1-Pen-Stick-Thumb-Key-Storage-Swivel-Blue/331866027021?_trkparms=aid%3D444000%26algo%3DSOI.DEFAULT%26ao%3D1%26asc%3D44040%26meid%3D0c4bb82aee1d487e87865d64f8f1f33a%26pid%3D100752%26rk%3D1%26rkt%3D3%26mehot%3Dag%26sd%3D331794676118&_trksid=p2047675.c100752.m1982

Hey, wait, that one is expensive, 25 bucks for a 1 TB stick 😯

This one is cheaper
https://www.ebay.com/itm/2TB-1TB-512GB-Swivel-USB-2-0-Flash-Drive-Memory-Stick-Pen-Storage-Thumb-U-Disk/183010388887?hash=item2a9c44eb97mmIyO-Uc_y6eDYduKsIb-TMQ

10 bucks for a 2TB one!

And the seller is honestly reporting a "high" read/write speed of maximum 8 mb/s.

jaclaz

 
Posted : 16/01/2018 8:47 pm
(@einstein9)
Posts: 50
Trusted Member
 

I have a few USB sticks from a case which are not USB3 (so not recent) and I would expect them normally to be around 4 or 8gb maximum.

When I add them to Encase, it claims they are 250gb.

File system is FAT32.

Any thoughts?

When the Flash reports WRONG capacity this is most likely the Controller going crazy
there are TOOLS that READS internal Controller/Chip ID

where you will know if its FAKE or NOT

Advice i don`t recommend that you plug it/try to read it since this will Damage the Internal Memory. (based on my recovery experience)

Ref. Link here http//www.usbdev.ru/files/chipgenius/

you may try this tool for more details.

good luck wink

Edit. forgot to mention that the Best solution is the Chip-Off and read it with Pro. NAND tools.

 
Posted : 17/01/2018 8:37 am
JaredDM
(@jareddm)
Posts: 118
Estimable Member
 

When the Flash reports WRONG capacity this is most likely the Controller going crazy

Wrong capacity as in 0 or -1 byte size, yes that might be a tweaked controller. Wrong capacity as in 250Gb, no definitely not.

It's almost certainly a spoofed thumb drive. Fake 250Gb thumb drives are probably more numerous than real ones are. Real ones are quite rare because they're more expensive than a HDD four times the capacity. But, the fake ones have flooded ebay and they're all over the place. Here, just take a look at this collection someone gathered of the fake ones http//www.ebay.com/cln/tnimitz0/cheap-tb-fraud-fake-capacity-usb-flash-drives/167555477015

People are tempted by the too good to be true prices and they believe they "scored" when it comes in, recognizes as "250Gb" or "2Tb" and appears to work at first.

A simple way to find out the real capacity is to just read the NAND chip identifier code printed right on the top of the NAND chip(s) and google it. You might need a microscope or magnifying glass to read it.

The drive can't be larger than the sum of all NAND chips.

 
Posted : 17/01/2018 12:53 pm
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

A simple way to find out the real capacity is to just read the NAND chip identifier code printed right on the top of the NAND chip(s) and google it. You might need a microscope or magnifying glass to read it.

The drive can't be larger than the sum of all NAND chips.

But that implies opening up the USB stick (which is not always doable without damaging it).

There are simple tools to check the capacity (real) such as FakeFlashTest
http//www.rmprepusb.com/documents/release-2-0
NOT suitable for recover/forensic/investigations/evidence, of course, but that is suggested to test a new USB stick.

And as said there are tools that can (usually) detail the chips inside via software, with the obvious limitation that if the counterfeiter did a real good work they might provide incorrect information.

As a side note, it wouldn't be the first time (though I never came across this on an actual USB stick) that the prints on a chip are fake/falsified.

jaclaz

 
Posted : 17/01/2018 2:27 pm
Page 1 / 2
Share: