Fake 32GB Sony USB Flash Drive

7 Posts
5 Users
neddy
(@neddy)
Posts: 182
Estimable Member
Topic starter
 

I recently found myself examining what appeared to be a 32GB USB flash drive. Needless to say I was amazed to see such a device and indeed my workstation (XP) told me that it was 32GB in size and contained over 67 million sectors. After some investigation though I came to the conclusion that I was looking at a device of around 2GB and after imaging it, I found that all sectors after approx 2GB to the last were returned as errors by FTK Imager. I rebuilt a FAT32 partition using the 'good' sectors and was presented with an intact volume. Recovering folders on this volume returned listings of some previous attempts to copy files to the device.

Has anyone else had to deal with such a device and if so what steps did you take in your analysis?

 
Posted : 12/05/2008 1:48 am
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

Cannot say of course what happened, but it is possible that the stick was bought "in good faith" and then used "normally".

These "fake" (Sony or other "tag" brand) drives usually behave correctly until you fill them up above their REAL capacity, as soon as you do they will of course throw an error, as you are trying to write on "nowhere".

Basically the fraudulent sellers of these fake sticks use a "Production Tool", misusing it to "map" more available space (read: more or bigger flash chips) to the controller.

But some simply create some wrong/fake MBR and bootsector data.

On Everything USB there are tens of threads/pages on the problem, here is an example:
http://www.everythingusb.com/forums/showthread.php?threadid=5442

To truly "reset" the drive to "real" capacity, usually the "Manufacturer tool" is needed, and it is usually rather difficult to make sure which chip is used in the stick, and then find the appropriate tool.

If the "faking" was done in the MBR and bootsector, simply writing them to 00's will solve the problem.

jaclaz

 
Posted : 13/05/2008 9:27 pm
(@stevemills)
Posts: 1
New Member
 

If the "faking" was done in the MBR and bootsector, simply writing them to 00's will solve the problem.

Jaclaz, please excuse me if this sounds stupid, but could you explain how I can do this? I'd love to be able to learn how to write 00's to solve this problem. Much thanks,
Steve

 
Posted : 10/07/2008 9:50 pm
noahb2868
(@noahb2868)
Posts: 50
Trusted Member
 

If the "faking" was done in the MBR and bootsector, simply writing them to 00's will solve the problem.

Jaclaz, please excuse me if this sounds stupid, but could you explain how I can do this? I'd love to be able to learn how to write 00's to solve this problem. Much thanks,
Steve

I think Jaclaz might be talking about using a hex editor and changing the hex values to 00. A program like winhex would do the trick.

 
Posted : 11/07/2008 12:03 am
kman
(@kman)
Posts: 5
Active Member
 

Would wiping the device using Encase's wiping feature or some other forensic wiping tool suffice?

 
Posted : 11/07/2008 12:33 am
neddy
(@neddy)
Posts: 182
Estimable Member
Topic starter
 

Wiping data on exhibits is not an option in my field guys! I am just interested in how my workstation reports 32GB where I am actually in possession of 2GB. What if my workstation reported 1GB and I was actually in possession of 4GB?

I'm pleased this thread has been given new life.
I am interested in the technology used to create the apparent false properties of the device I examined and I would like to understand it more. I am of the opinion that this technology could be used to hide data and that this is an area that warrants our collective scrutiny.

Those of us working in the laboratories of LE agencies all around the world are constantly presented with an almost unmanageable volume of exhibits. We are required to evaluate each exhibit's forensic value within a limited time period. In order that we make an informed evaluation of these devices we need to be aware of new techniques that may be employed which result in increasing the opportunity for hiding data.

When presented with a hard disk that has been manufactured by a company like Hitachi, we normally can depend on labels and data sheets to give us some idea of the number of sectors we should expect to encounter. Because of this, exceptions to the norm are usually identified very early in an investigation.

Labels on USB thumb drives or indeed memory cards, no matter how professional they look, may be hiding a wolf in sheep's clothing!

 
Posted : 12/07/2008 2:16 am
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

Wiping data on exhibits is not an option in my field guys! I am just interested in how my workstation reports 32GB where I am actually in possession of 2GB. What if my workstation reported 1GB and I was actually in possession of 4GB?

I'm pleased this thread has been given new life.

Well, actually it was you that failed to keep it going. 😉

Basically a USB stick is made of two things:
1) a USB controller chip
2) one or more flash memory chip(s)

The controller chip manufacturer supplies a "Mass Production Tool" that you can use to program the firmware of the controller to "couple" it with the memory chips, besides setting some features on how the stick will "declare" itself (single/dual LUN, USB HD, USB ZIP, USB CD-ROM, Fixed/Removable, etc.)

These tools can be used in a "malicious" way, as the "fake Sony" manufacturers do, by telling the firmware that attached to the controller are bigger capacity memory chips than the ones that actually are used.

I guess that the same could be done reversing the problem, i.e. by telling the firmware that the connected chips have a lesser capacity than the real one?

So, one willing to hide some data would go like that:
1) write "hidden" data to high addresses
2) use the Manufacturer tool to declare a capacity lower than real

I do not think that current manufacturer tools allow for that, but it should be possible with an "ad hoc" written tool.

Unfortunately most of the REAL info is NOT available in English; these kinds of topics are mainly found in Chinese, and a lot of Google Translate, fantasy and luck is needed to get the right info and tools.

A VERY GOOD starting point is ChipGenius:
http://www.boot-land.net/forums/?showtopic=4661

That will identify the chip used and link to a (Chinese) page where the relevant Manufacturer tool can be found (if available).

Then, you will have to register to the Chinese board in order to be able to download the tool, and then again large parts of the tools will probably be as well written in Chinese….

An easy way to see what the real capacity of a stick is (at least in the case of the "fake" sticks) is to use dsfo from the dsfok utility
http://members.ozemail.com.au/~nulifetv/freezip/freeware/
to copy the entire PhysicalDrive to the NUL device:
http://www.boot-land.net/forums/?showtopic=5000&st=1

jaclaz

 
Posted : 12/07/2008 6:39 pm
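The two checks jaclaz describes in his posts, finding the real capacity by reading until the device errors (the dsfo-to-NUL copy) and inspecting the MBR and bootsector for "faked" geometry, as an added example that is not part of this thread and is not code from dsfok, ChipGenius or any other tool named above. Instead of copying the whole drive sequentially it binary-searches the highest readable LBA (assuming, as the first post reports, that reads succeed up to the real capacity and fail above it), then parses the MBR partition entry and the FAT32 BPB so the declared sector counts can be set beside the readable extent. The device is an in-memory stand-in constructed below (32 GiB declared, 2 GiB real, matching the figures in the thread); on an exhibit you would wrap a read-only handle to the physical drive (PhysicalDriveN on Windows, /dev/sdX on Linux) in an object with the same read_sector() method. Everything here is read-only, so nothing on the exhibit is touched.

```python
"""Audit a flash drive whose controller declares more sectors than it can read.
Added example, not code from the thread. FakeStick and build_sample_stick()
are constructed stand-ins; the probe and the parsers are the reusable part."""
import struct

SECTOR = 512


class FakeStick:
    """Hypothetical stand-in: declares `declared_sectors`, but any read at or
    beyond `real_sectors` fails with an I/O error, as the thread describes."""

    def __init__(self, declared_sectors, real_sectors, first_sectors=b""):
        self.declared_sectors = declared_sectors
        self.real_sectors = real_sectors
        self._head = first_sectors  # only the first few sectors carry data

    def read_sector(self, lba):
        if lba >= self.real_sectors:
            raise OSError(5, "Input/output error")  # reading from "nowhere"
        start = lba * SECTOR
        return self._head[start:start + SECTOR].ljust(SECTOR, b"\x00")


def _readable(dev, lba):
    try:
        dev.read_sector(lba)
        return True
    except OSError:
        return False


def last_readable_sector(dev, declared_sectors):
    """Highest LBA that reads without error, by binary search over the
    declared range. Assumes reads succeed below the real capacity and fail
    above it; patchy failures would need a sequential scan instead.
    Returns -1 if even sector 0 cannot be read."""
    if not _readable(dev, 0):
        return -1
    lo, hi = 0, declared_sectors - 1
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if _readable(dev, mid):
            lo = mid        # mid is readable: answer is mid or higher
        else:
            hi = mid - 1    # mid fails: answer is below mid
    return lo


def mbr_partitions(sector0):
    """(start_lba, sector_count, type) for each populated MBR slot."""
    if sector0[510:512] != b"\x55\xAA":
        return []
    parts = []
    for i in range(4):
        entry = sector0[446 + 16 * i: 446 + 16 * (i + 1)]
        ptype = entry[4]
        start_lba, count = struct.unpack("<II", entry[8:16])
        if ptype and count:
            parts.append((start_lba, count, ptype))
    return parts


def fat32_total_sectors(boot_sector):
    """Total sectors from the BPB: 16-bit field at 19 if set, else 32-bit at 32."""
    total16 = struct.unpack_from("<H", boot_sector, 19)[0]
    total32 = struct.unpack_from("<I", boot_sector, 32)[0]
    return total16 or total32


def audit(dev):
    """Set declared geometry (controller, MBR, BPB) beside the readable extent."""
    real_last = last_readable_sector(dev, dev.declared_sectors)
    report = {"declared_sectors": dev.declared_sectors,
              "real_sectors": real_last + 1, "partitions": []}
    if real_last < 0:
        return report
    for start, count, ptype in mbr_partitions(dev.read_sector(0)):
        bpb = fat32_total_sectors(dev.read_sector(start)) if start <= real_last else None
        report["partitions"].append({
            "start": start, "type": ptype, "mbr_sectors": count,
            "bpb_sectors": bpb, "exceeds_real": start + count > real_last + 1})
    return report


def build_sample_stick():
    """Constructed sample matching the thread: declares 32 GiB, holds 2 GiB,
    with one FAT32 partition whose MBR entry and BPB both repeat the lie."""
    declared = 32 * 1024 ** 3 // SECTOR          # 67,108,864 sectors
    real = 2 * 1024 ** 3 // SECTOR               # 4,194,304 sectors
    part_start = 63
    part_count = declared - part_start
    mbr = bytearray(SECTOR)
    # slot 1: not bootable, type 0x0C (FAT32 LBA), CHS fields left zero
    struct.pack_into("<B3sB3sII", mbr, 446, 0, b"\0\0\0", 0x0C, b"\0\0\0",
                     part_start, part_count)
    mbr[510:512] = b"\x55\xAA"
    bpb = bytearray(SECTOR)
    bpb[0:3] = b"\xEB\x58\x90"                   # jump + NOP
    struct.pack_into("<H", bpb, 11, SECTOR)      # bytes per sector
    bpb[13] = 8                                  # sectors per cluster
    struct.pack_into("<I", bpb, 32, part_count)  # total sectors (32-bit): the lie
    bpb[510:512] = b"\x55\xAA"
    head = bytes(mbr) + bytes(SECTOR * (part_start - 1)) + bytes(bpb)
    return FakeStick(declared, real, head)


if __name__ == "__main__":
    print(audit(build_sample_stick()))
```

On the constructed sample the report shows 67,108,864 declared sectors against 4,194,304 readable ones, with the partition's MBR entry and BPB both claiming 67,108,801 sectors, which is the pattern of a stick faked at the controller. If only the MBR/BPB numbers disagreed with a readable extent that matched the controller's declared size, the faking would be in those two sectors alone, the case where zeroing them is enough. Note that the binary search reads only about 26 sectors, so it does not demonstrate whether the readable region is contiguous; the full copy to NUL does.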