Hidden files on USB Drive... how?


Suai
Member
 

Hidden files on USB Drive... how?

Post Posted: Mar 26, 20 17:46

Need some input señores,

I've come across a USB drive. It shows up as having 2TB of capacity. I've read these are 'fake' USB drives that have had their firmware modified. Apparently one can keep copying files onto them but once the real capacity has been reached (guessing 32-64GB) it simply automatically erases whatever is oldest on the backend of the drive.

When mounted onto a Windows machine the drive shows a folder (we'll name it "support") and an empty text file named ".device_info_xxxxxxxxxx" (the 'xxxx' are alphanumeric).

I imaged the drive (the imaging took over 3 days, and also occupies 2TB!) and when mounted into FTK, the supposedly empty folder named "support" is actually filled with CP.

I've been searching around but can't find answers as to how the contents of the folder might be hidden. My first hunch was that the text file might have been some kind of script but apparently it's empty.

I tried reading the contents of the folder on a Linux terminal and got the following error message:
ls: reading directory '.': Input/output error  
 
  

jaclaz
Senior Member
 

Re: Hidden files on USB Drive... how?

Post Posted: Mar 26, 20 18:20

Which filesystem is the volume?


jaclaz
_________________
- In theory there is no difference between theory and practice, but in practice there is. - 
 
  

chad131
Senior Member
 

Re: Hidden files on USB Drive... how?

Post Posted: Mar 26, 20 18:45

From what I have seen, the " .device_info_*** " files appear from devices that have been connected to Samsung Smart TV.  
 
  

Suai
Member
 

Re: Hidden files on USB Drive... how?

Post Posted: Mar 26, 20 19:28

- jaclaz
Which filesystem is the volume?

exFAT
 
  

Rich2005
Senior Member
 

Re: Hidden files on USB Drive... how?

Post Posted: Mar 26, 20 21:46

I think you might be coming at this from the wrong viewpoint and need to think less in terms of it being "hidden" and rather the drive is just faulty garbage designed to con people and therefore doesn't work properly. Or, perhaps more simply, are you sure it's not just deleted, and therefore not shown by Windows, and would be shown by FTK?

With these sort of things, you can indeed just keep copying data happily, then when you go to try to use the big file you just copied you'll find it doesn't work (indeed, much to my amusement, when I told an old boss his new shiny bargain USB was far too cheap and was probably dodgy and not going to work.....sure enough he proclaimed success when the copy finished.....and sure enough the file didn't actually work as it didn't actually contain all that data....apologies if he happens to be reading this....I did anonymise it!).

If it's not just simply deleted there's obviously the possibility/likelihood the file-system or its records have been ballsed up. Do you have X-Ways at your disposal to have a look at it with?

I suspect you've probably got an image of the actual data stored (albeit with a load of junk on the end as it cycles round).  
 
  

Bunnysniper
Senior Member
 

Re: Hidden files on USB Drive... how?

Post Posted: Mar 27, 20 00:39

- Suai
I imaged the drive (the imaging took over 3 days, and also occupies 2TB!) and when mounted into FTK, the supposedly empty folder named "support" is actually filled with CP.


If you summarize all file sizes you can see on the drive, how many GB are used of these 2 TB? Or are there 2 TB of illegal images in the "support" folder?
Is it a real hard drive or thumb drive from its physical size?

regards,
Robin
_________________
--
All opinions are mine and are not necessarily the opinions of my employer. 
 
  

jaclaz
Senior Member
 

Re: Hidden files on USB Drive... how?

Post Posted: Mar 27, 20 10:05

@Rich2005
JFYI:

www.jitbit.com/alexblo...ard-drive/

@Suai
How (exactly) are you seeing these files in FTK?
I mean, does it just find the file, or it finds the file with the corresponding filesystem file metadata (name/path/dates)?
Do the files appear "directly" inside the "support" directory or do they appear inside a (possibly unnamed) subdirectory?

Mind you pure theory.

Let's say, to simplify, that you have a device 11 sectors in real size that "wraps around" the last 10 sectors, for a total (fake) capacity of 41 sectors, i.e.:
Sectors 0-10 = sectors 0-10
Sectors 11-20 = sectors 1-10
Sectors 21-30 = sectors 1-10
Sectors 31-40 = sectors 1-10

Now, if you write files to it (for the sake of the example let's say that all files are 1 sector in size or less) what happens?:
File 1 goes to sector 1
File 2 goes to sector 2
...
File 10 goes to sector 10
File 11 goes to sector 1, (thus overwriting the actual file contents BUT leaving the File 1 entry in the filesystem)
File 12 goes to sector 2, (thus overwriting the actual file contents BUT leaving the File 2 entry in the filesystem)

Now, what happens if you delete the entry for File 1? (you delete the file from the OS)

Sector 1 seems free, but it actually contains File 11 (and File 11 is still indexed in the FAT), and when you delete the File 11 both sectors 1 and 11 seem free but sector 1 still contains File 1. (this is the case Rich2005 suggested, deleted files).

But it has to be seen how the device is exposed to the Windows Explorer, it may well be that Windows explorer cannot see the file even if it is there, due to this (or that) little trick.

JFYI. here is a similar discussion (but for FAT32):
www.forensicfocus.com/...c/t=16785/

And this happens for files, how would the same thing behave for directories?
Directories in exFAT are rather complex, and there is a bitmap allocation:
www.ntfs.com/exfat-dir...entry-temp
www.researchgate.net/p..._artefacts

It is entirely possible that a minor change in (say) "benign Primary entry" is enough to:
1) have the data not visible in the "normal" OS/Explorer
2) have it visible in FTK
3) throw a fit in Linux (as a side note, more often than not Linux programs related to MS formats (which are largely mis- or under-documented) are "more realist than the king")

jaclaz
_________________
- In theory there is no difference between theory and practice, but in practice there is. - 
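The sector-wrapping model in jaclaz's post above, and Rich2005's point that copies "succeed" while the data does not survive, can be replayed in a few lines. The following is an added example written for this thread, not code from any poster or from a forensic tool: a toy device with 11 real sectors advertising 41, a one-file-per-sector "filesystem" whose directory entries outlive their data, and a marker-based capacity probe of the kind tools such as f3 (Fight Flash Fraud) perform. All sector counts, file names and contents are constructed; the probe writes to every sector, so it is for a scratch device or an image copy, never the evidence drive itself.

```python
# Added example (not from the thread): a toy model of the wrap-around
# "fake capacity" flash device described above, plus a marker-based probe
# that recovers the real sector count.  All numbers and names are constructed.

class WrapAroundDevice:
    """Advertises `fake_sectors` but physically holds only `real_sectors`.

    Logical sector 0 maps to itself; every other logical sector n maps to
    physical sector ((n - 1) % (real_sectors - 1)) + 1, so in the 11/41
    example logical sectors 11-20, 21-30 and 31-40 all land on physical 1-10.
    """

    def __init__(self, real_sectors=11, fake_sectors=41, sector_size=512):
        self.real = real_sectors
        self.fake = fake_sectors
        self.sector_size = sector_size
        self.storage = [bytes(sector_size) for _ in range(real_sectors)]
        # Toy "filesystem": directory entries kept outside the data area
        # (a real FAT/exFAT would store them in reserved sectors).
        self.directory = {}       # file name -> logical sector
        self.next_free = 1        # naive sequential allocator, as in the post

    def physical(self, logical):
        if not 0 <= logical < self.fake:
            raise ValueError(f"sector {logical} is outside the advertised capacity")
        if logical == 0:
            return 0
        return (logical - 1) % (self.real - 1) + 1

    def write_sector(self, logical, data):
        padded = data.ljust(self.sector_size, b"\0")[: self.sector_size]
        self.storage[self.physical(logical)] = padded

    def read_sector(self, logical):
        return self.storage[self.physical(logical)]

    # --- file-level operations: one file occupies exactly one sector ---
    def write_file(self, name, content):
        sector = self.next_free
        self.next_free += 1
        self.write_sector(sector, content)
        self.directory[name] = sector
        return sector

    def read_file(self, name):
        return self.read_sector(self.directory[name]).rstrip(b"\0")

    def delete_file(self, name):
        """Drop the directory entry only; the sector's bytes are untouched."""
        return self.directory.pop(name)


def demonstrate_overwrite():
    """Replay the post's scenario: twelve one-sector files on an 11/41 device."""
    dev = WrapAroundDevice()
    for i in range(1, 13):
        dev.write_file(f"File {i}", f"content of file {i}".encode())
    # The File 1 entry still points at logical sector 1, but File 11 now lives there.
    seen_by_file1 = dev.read_file("File 1")
    freed_sector = dev.delete_file("File 1")      # sector 1 now 'seems free'
    leftover = dev.read_sector(freed_sector).rstrip(b"\0")
    return {
        "file1_reads_as": seen_by_file1,
        "freed_sector_holds": leftover,
        "entries_remaining": len(dev.directory),
    }


def probe_real_capacity(dev):
    """Destructive capacity probe: stamp every advertised sector with a unique
    marker, then count how many read back their own marker.  On a wrap-around
    device each physical sector keeps only the last marker written to it, so the
    count equals the real sector count.  Also returns the first aliased sector."""
    for n in range(dev.fake):
        dev.write_sector(n, f"MARK-{n:08d}".encode())
    intact = {
        n for n in range(dev.fake)
        if dev.read_sector(n).rstrip(b"\0") == f"MARK-{n:08d}".encode()
    }
    first_alias = next((n for n in range(dev.fake) if n not in intact), None)
    return len(intact), first_alias


if __name__ == "__main__":
    print(demonstrate_overwrite())
    print(probe_real_capacity(WrapAroundDevice()))        # fake 11/41 device
    print(probe_real_capacity(WrapAroundDevice(41, 41)))  # honest device, no aliasing
```

Two things the model makes visible: a directory entry can point at a sector whose bytes now belong to a later file, which is why summing the file sizes a viewer reports (Bunnysniper's suggestion) says nothing about how much data the device can physically hold; and the probe identifies the wrap by counting sectors that retain their own marker rather than trusting the advertised size.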
 

Page 1 of 3