Fake 32GB Sony USB Flash Drive


neddy
Senior Member
 

Fake 32GB Sony USB Flash Drive

Post Posted: May 12, 08 01:48

I recently found myself examining what appeared to be a 32GB USB flash drive. Needless to say I was amazed to see such a device and indeed my workstation (XP) told me that it was 32GB in size and contained over 67 million sectors. After some investigation though I came to the conclusion that I was looking at a device of around 2GB and after imaging it, I found that all sectors after approx 2GB to the last were returned as errors by FTK Imager. I rebuilt a FAT32 partition using the 'good' sectors and was presented with an intact volume. Recovering folders on this volume returned listings of some previous attempts to copy files to the device.

Has anyone else had to deal with such a device and if so what steps did you take in your analysis?
_________________
Neddy
Forensic Computer Analyst (LE)
BSc (Hons)
!(-.-)!~~ 
 
  

jaclaz
Senior Member
 

Re: Fake 32GB Sony USB Flash Drive

Post Posted: May 13, 08 21:27

Cannot say of course what happened, but it is possible that the stick was bought "in good faith" and then used "normally".

These "fake" (Sony or other "tag" brand) drives usually behave correctly until you fill them up above their REAL capacity, as soon as you do they will of course throw an error, as you are trying to write on "nowhere".

Basically the fraudulent sellers of these fake sticks use a "production Tool" misusing it to "map" more available space (read more or bigger flash chips) to the controller.

But some simply create some wrong/fake MBR and bootsector data.

On Everything USB there are tens of threads/pages on the problem, here is an example:
www.everythingusb.com/...eadid=5442

To truly "reset" the drive to "real" capacity, usually the "Manufacturer tool" is needed, and it is usually rather difficult to make sure which chip is used in the stick, and then find the appropriate tool.

If the "faking" was done in MBR and bootsector, simply writing them to 00's will solve problem.


jaclaz  

 
  

SteveMills
Newbie
 

Re: Fake 32GB Sony USB Flash Drive

Post Posted: Jul 10, 08 21:50

> If the "faking" was done in MBR and bootsector, simply writing them to 00's will solve problem.

Jaclaz, please excuse me if this sounds stupid, but could you explain how I can do this? I'd love to be able to learn how to write 00's to solve this problem. much thanks
Steve  
 
  

noahb2868
Senior Member
 

Re: Fake 32GB Sony USB Flash Drive

Post Posted: Jul 11, 08 00:03

- SteveMills
> If the "faking" was done in MBR and bootsector, simply writing them to 00's will solve problem.
>
> Jaclaz, please excuse me if this sounds stupid, but could you explain how I can do this? I'd love to be able to learn how to write 00's to solve this problem. much thanks
> Steve

I think Jaclaz might be talking about using a hex editor and changing the hex values to 00. A program like winhex would do the trick.
 
  

kman
Newbie
 

Re: Fake 32GB Sony USB Flash Drive

Post Posted: Jul 11, 08 00:33

Would wiping the device using Encase's wiping feature or some other forensic wiping tool suffice?
 
  

neddy
Senior Member
 

Re: Fake 32GB Sony USB Flash Drive

Post Posted: Jul 12, 08 02:16

Wiping data on exhibits is not an option in my field guys! I am just interested in how my workstation reports 32GB where I am actually in possession of 2GB. What if my workstation reported 1GB and I was actually in possession of 4GB?

I'm pleased this thread has been given new life.
I am interested in the technology used to create the apparent false properties of the device I examined and I would like to understand it more. I am of the opinion that this technology could be used to hide data and that this is an area that warrants our collective scrutiny.

Those of us working in the laboratories of LE agencies all around the world are constantly presented with an almost unmanageable volume of exhibits. We are required to evaluate each exhibit's forensic value within a limited time period. In order that we make an informed evaluation of these devices we need to be aware of new techniques that may be employed which result in increasing the opportunity for hiding data.

When presented with a hard disk that has been manufactured by a company like Hitachi, we normally can depend on labels and data sheets to give us some idea of the number of sectors we should expect to encounter. Because of this, exceptions to the norm are usually identified very early in an investigation.

Labels on USB thumb drives or indeed memory cards, no matter how professional they look, may be hiding a wolf in sheep's clothing!
_________________
Neddy
Forensic Computer Analyst (LE)
BSc (Hons)
!(-.-)!~~ 
 
  

jaclaz
Senior Member
 

Re: Fake 32GB Sony USB Flash Drive

Post Posted: Jul 12, 08 18:39

- neddy
> Wiping data on exhibits is not an option in my field guys! I am just interested in how my workstation reports 32GB where I am actually in possession of 2GB. What if my workstation reported 1GB and I was actually in possession of 4GB?
>
> I'm pleased this thread has been given new life.

Well, actually it was you that failed to keep it going. ;)

Basically a USB stick is made of two things:
1) a USB controller chip
2) one or more flash memory chip(s)

The controller chip manufacturer supplies a "Mass Production Tool" that you can use to program the firmware of the controller to "couple" it with the memory chips, besides setting some features on how the stick will "declare" itself (single/dual LUN, USB HD, USB ZIP, USB CD-ROM, Fixed/Removable, etc.)

These tools can be used in a "malicious" way, as the "fake Sony" manufacturers do, by telling the firmware that attached to the controller are bigger capacity memory chips than the ones that actually are used.

I guess that the same could be done reversing the problem, i.e. by telling the firmware that the connected chips have a lesser capacity than real one. :?

So, one willing to hide some data would go like that:
1) write "hidden" data to high addresses
2) use the Manufacturer tool to declare a capacity lower than real

I do not think that current manufacturer tools allow for that, but it should be possible with an "ad hoc" written tool.

Unfortunately most of the REAL info is NOT available in English, these kinds of topics are mainly found in Chinese, and a lot of Google Translate, fantasy and luck is needed to get the right info and tools.

A VERY GOOD starting point is Chipgenius:
www.boot-land.net/foru...topic=4661

That will identify the chip used and link to a (Chinese) page where the relevant Manufacturer tool can be found (if available).

Then, you will have to register to the Chinese board in order to be able to download the tool, and then again large parts of the tools will probably be as well written in Chinese....

An easy way to see what the real capacity of a stick is (at least in the case of the "fake" sticks) is to use dsfo from the dsfok utility:
members.ozemail.com.au.../freeware/
to copy the entire PhysicalDrive to the NUL device:
www.boot-land.net/foru...0&st=1

jaclaz  
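
Added example, not part of the thread and not code from any poster: a read-only version of the check discussed above, comparing the size claimed by the MBR partition table with the number of sectors that actually read back before the first error. `ConstructedStick` is a hypothetical stand-in for a device whose reads fail past its real capacity, and all sizes in it are constructed sample values.

```python
import struct

SECTOR = 512

def declared_sectors(mbr):
    """Highest end LBA claimed by the four MBR partition entries."""
    if len(mbr) < SECTOR or mbr[510:512] != b"\x55\xaa":
        raise ValueError("sector 0 carries no MBR signature")
    end = 0
    for off in range(446, 510, 16):           # four 16-byte entries
        start, count = struct.unpack_from("<II", mbr, off + 8)
        if mbr[off + 4] and count:             # type byte 0 means unused
            end = max(end, start + count)
    return end

def readable_sectors(dev, chunk=2048):
    """Read sequentially; return sectors read before the first error or EOF."""
    good, step = 0, chunk
    while True:
        dev.seek(good * SECTOR)
        try:
            data = dev.read(step * SECTOR)
        except OSError:
            if step == 1:
                return good                    # this exact sector is unreadable
            step = 1                           # redo the failed chunk per sector
            continue
        if len(data) < SECTOR:
            return good                        # end of device or image
        good += len(data) // SECTOR

class ConstructedStick:
    """Constructed sample device: reads past real_sectors raise OSError."""
    def __init__(self, start, count, real_sectors):
        mbr = bytearray(SECTOR)
        mbr[450] = 0x0C                        # FAT32 (LBA) partition type
        struct.pack_into("<II", mbr, 454, start, count)
        mbr[510:512] = b"\x55\xaa"
        self.mbr, self.real, self.pos = bytes(mbr), real_sectors, 0
    def seek(self, offset):
        self.pos = offset
    def read(self, n):
        if (self.pos + n - 1) // SECTOR >= self.real:
            raise OSError("read error")
        body = bytearray(n)
        if self.pos == 0:
            body[:SECTOR] = self.mbr
        return bytes(body)
```

Any object with `seek()` and `read()`, such as an image file opened with `open(path, "rb")`, can be passed to `readable_sectors` in place of the stand-in.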
 
