Hidden files on USB...
 
Notifications
Clear all

Hidden files on USB Drive... how?

17 Posts
8 Users
0 Likes
3,532 Views
 Suai
(@suai)
Posts: 14
Active Member
Topic starter
 

Need some input señores,

I've come across a USB drive. It shows up as having 2TB of capacity. I've read these are 'fake' USB drives that have had their firmware modified. Apparently one can keep copying files onto them but once the real capacity has been reached (guessing 32-64GB) it simply automatically errases whatever is oldest on the backend on the drive.

When mounted onto a Windows machine the drive shows a folder (we'll name it "support") and an empty text file named ".device_info_xxxxxxxxxx (the 'xxxx' are alfanumeric).

I imaged the drive (the imaging took over 3 days, and also occupies 2TB!) and when mounted into FTK, the supposedly empty folder named "support" is actually filled with CP.

I've been searching around but can't find answers as to how the contents of the folder might be hidden. My first hunch was that the text file might have been some kind of script but apparently it's empty.

I tried reading the contents of the folder on a Linux terminal and got the following error message
ls reading directory '.' Input/output error

 
Posted : 26/03/2020 4:46 pm
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

Which filesystem is the volume?

jaclaz

 
Posted : 26/03/2020 5:20 pm
(@chad131)
Posts: 63
Trusted Member
 

From what I have seen, the " .device_info_*** " files appear from devices that have been connected to Samsung Smart TV.

 
Posted : 26/03/2020 5:45 pm
 Suai
(@suai)
Posts: 14
Active Member
Topic starter
 

Which filesystem is the volume?

jaclaz

exFat

 
Posted : 26/03/2020 6:28 pm
(@rich2005)
Posts: 535
Honorable Member
 

I think you might be coming at this from the wrong viewpoint and need to think less in terms of it being "hidden" and rather the drive is just faulty garbage designed to con people and therefore doesn't work properly. Or, perhaps more simply, are you sure it's not just deleted, and therefore not shown by Windows, and would be shown by FTK?

With these sort of things, you can indeed just keep copying data happily, then when you go to try to use the big file you just copied you'll find it doesn't work (indeed, much to my amusement, when I told an old boss his new shiny bargain USB was far too cheap and was probably dodgy and not going to work…..sure enough he proclaimed success when the copy finished…..and sure enough the file didn't actually work as it didn't actually contain all that data….apologies if he happens to be reading this….I did anonymise it!).

If it's not just simply deleted there's obviously the possibility/likelihood the file-system or its records have been ballsed up. Do you have X-Ways at your disposal to have a look at it with?

I suspect you've probably got an image of the actual data stored (albeit with a load of junk on the end as it cycles round).

 
Posted : 26/03/2020 8:46 pm
Bunnysniper
(@bunnysniper)
Posts: 257
Reputable Member
 

I imaged the drive (the imaging took over 3 days, and also occupies 2TB!) and when mounted into FTK, the supposedly empty folder named "support" is actually filled with CP.

If you summarize all file sizes you can see on the drive, how many GB are used of these 2 TB? Or are there 2 TB of illegal images the "support" folder? (
Is it a real hard drive or thumb drive from its physical size?

regards,
Robin

 
Posted : 26/03/2020 11:39 pm
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

@Rich2005
JFYI wink

https://www.jitbit.com/alexblog/198-chinese-magical-hard-drive/

@Suai
How (exactly) are you seeing these files in FTK?
I mean, does it just find the file, or it finds the file with the corresponding filesystem file metadata (name/path/dates)?
Do the files appear "directly" inside the "support" directory or do they appear inside a (possibly unnamed) subdirectory?

Mind you pure theory.

Let's say that to simplify, you have a device 11 sectors in real size. that "wrap arounds" the last 10 sectors, for a total (fake) capacity of 41 sectors i.e.
where
Sectors 0-10 = sectors 0-10
Sectors 11-20 = sectors 1-10
Sectors 21-30 = sectors 1-10
Sectors 31-40 = sectors 1-10

Now, if you write files to it (for the sake of the example let's say that all files are 1 sector in size or less) what happens?
File 1 goes to sector 1
File 2 goes to sector 2

File 10 goes to sector 10
File 11 goes to sector 1, (thus overwriting the actual file contents BUT leaving the File 1 entry in the filesystem)
Fie 12 goes to sector 2, (thus overwriting the actual file contents BUT leaving the File 2 entry in the filesystem)

Now, what happens if you delete the entry for File 1? (you delete the file from the OS)

Sector 1 seems free, but it actually contains File 11 (and File 11 is still indexed in the FAT), and when you delete the File 11 both sectors 1 and 11 seem free but sector 1 still contains File 1. (this is the case Rich2005 suggested, deleted files).

But it has to be seen how the device is exposed to the Windows Explorer, it may well be that Windows explorer cannot see the file even if it is there, due to this (or that) little trick.

JFYI. here is a similar discussion (but for FAT32)
https://www.forensicfocus.com/Forums/viewtopic/t=16785/

And this happens for files, how would the same thing behave for directories?
Directories in exFAT are rather complex, and there is a bitmap allocation
http//www.ntfs.com/exfat-directory-structure.htm#generic-directory-entry-temp
https://www.researchgate.net/publication/324744750_Forensic_Analysis_of_the_exFAT_artefacts

It is entirely possible that a minor change in (say) "benign Primary entry" is enough to
1) have the data not visible in the "normal" OS/Explorer
2) have it visible in FTK
3) throw a fit in Linux (as a side note, more often than not Linux programs related to MS formats (which are largely mis- or under-documented) are "more realist than the king")

jaclaz

 
Posted : 27/03/2020 9:05 am
watcher
(@watcher)
Posts: 125
Estimable Member
 

Let's back up a bit.

"… I've come across a USB drive. It shows up as having 2TB of capacity …"

To be clear, are you talking about a Thumb Drive, a Solid State Drive, or Spinning Rust?

"… the imaging took over 3 days, and also occupies 2TB …"

So you plugged it into a USB-2 port to image?

Did you use a write blocker?

What operating system were you running on your imaging machine?

"… ls reading directory '.' Input/output error …"
"… exFat …"

Do you have exFAT support on your Linux machine?

"… the supposedly empty folder named "support" is actually filled with CP…"

2 TB of unique CP?

What does the target device partition structure look like?

Last but not least, on the off chance that your device is not actually a bulk storage device, was you imaging machine Internet connected?

 
Posted : 27/03/2020 8:51 pm
(@mscotgrove)
Posts: 938
Prominent Member
 

I would run data carving on the drive/image. It will show if there is data.

Typically for a device that has been faked to look larger, you will see the same data repeated many times. If data carving keeps producing the same file, this shows it might be a fake memory chip/drive.

If data carving does not find any files it may indicate encryption, or a blank drive. Just view random sectors to see if there is data, or they are blank.

If data carving finds files, then you can starting seeing how to recover them logically - ie it is worth working on.

 
Posted : 28/03/2020 12:07 pm
 Suai
(@suai)
Posts: 14
Active Member
Topic starter
 

Thanks for the suggestions. I won't be back in my workspace for at least a week due to COVID-19, but I'll follow-up with answers to these suggestions as soon as I get the chance. Speaking from memory

I'll try to be more specific.

"…To be clear, are you talking about a Thumb Drive, a Solid State Drive, or Spinning Rust?…"

By USB drive I meant Thumb Drive

Did you use a write blocker? "…Do you have exFAT support on your Linux machine?…"

Write blocked through software.
- When checking on a Windows machine I simply edit the Windows Registry and edit mount policy.
- For Linux I live boot into CAINE. It has exFat support both through command line and graphic desktop.

So you plugged it into a USB-2 port to image?

Machine is not internet connected. For imaging it was plugged into USB-3 port. I'd have to double-check if the Thumb Drive is actually USB-3 compatible, I recall it had the blue connector but seeing they fake the capacity… Still took incredibly long for imaging from my short experience (to my surprise the image verfication was correct)

"..2 TB of unique CP?.."

Not 2TB of unique CP. I recall the directory being roughly around 33GB.

…I think you might be coming at this from the wrong viewpoint and need to think less in terms of it being "hidden" and rather the drive is just faulty garbage designed to con people and therefore doesn't work properly. Or, perhaps more simply, are you sure it's not just deleted, and therefore not shown by Windows, and would be shown by FTK?…

My initial hypothesis was that the files were not "hidden" on purpose but the drive as you suggest is garbage and faulty, but the fact still remains that IF this person was not 'tech-savy', the CP was there, and he must have had access to it somehow. The files don't show up in FTK as deleted files. That's why I wanted to post it here to see if someone had a 'simple' explanation based on previous experience as to why these files weren't just showing up on your "normal/typical" OS/Explorer, and there was some method for hidding the contents. I'll speak with the investigators as well to expand info on the surrounding circumstances.

 
Posted : 28/03/2020 1:46 pm
Page 1 / 2
Share: