U3 encrypted thumbdrive

(@pizzaman)
Posts: 2
New Member
Topic starter
 

Hi Folks,

I'm working as a consultant for some Italian Courts and I tried to get into a U3 thumbdrive with encryption on. I was looking for a way to get in by using hundreds of tools and by reading posts on hundreds of (almost useless) websites, without result, and even at SanDisk they kept telling me that they hadn't the slightest idea. In the end I gave up, but it very often happens that I have to do forensics on those thumbdrives, and I was wondering if there's a real way to get the data or not.

Thanks a lot for your help

 
Posted : 29/10/2009 5:36 pm
(@seanmcl)
Posts: 700
Honorable Member
 

If the files on the volume are encrypted, U3 uses AES-128 or AES-256 so you'd need a lot of time and luck and, according to SanDisk's FAQ, newer versions of the device will wipe the data after so many failed attempts (I have not verified this for myself).

If the volume is only password protected, but not security enabled (encrypted), you would be able to mount the volume by bypassing the U3 interface. Imaging the device using forensic software should allow you to determine whether encryption is turned on.

 
Posted : 29/10/2009 7:02 pm
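One way to make the "image it and determine whether encryption is on" check concrete, as an added example rather than anything from the post above or from SanDisk: the Python script below looks for a FAT boot sector in LBA 0 and measures Shannon entropy over fixed-size chunks of the image. AES output has no structure and scores close to 8 bits per byte everywhere, while a merely password-locked U3 data partition still carries a FAT boot sector and ordinary-entropy file data. Both sample images are constructed here (a hand-built FAT16 boot sector plus text, and a SHA-256 counter stream standing in for ciphertext); the 4 KiB chunk size and the 7.9 bits/byte threshold are assumptions of this example, not U3 specifics.

```python
import hashlib
import math
from collections import Counter

SECTOR = 512
CHUNK = 4096          # assumption: 4 KiB windows give a stable entropy estimate
HIGH_ENTROPY = 7.9    # assumption: bits/byte above which a chunk looks like ciphertext


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for a constant buffer, 8.0 for uniform."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def looks_like_fat_boot_sector(sector: bytes) -> bool:
    """Plain (unencrypted) U3 data partitions are FAT: check the 0x55AA signature,
    the x86 jump opcode in byte 0 and a sane bytes-per-sector field."""
    if len(sector) < SECTOR or sector[510:512] != b"\x55\xAA":
        return False
    bytes_per_sector = int.from_bytes(sector[11:13], "little")
    return sector[0] in (0xEB, 0xE9) and bytes_per_sector in (512, 1024, 2048, 4096)


def classify_image(image: bytes) -> dict:
    """Walk the image in fixed chunks.  Never-written (all-zero) chunks are ignored;
    ciphertext scores high in every remaining chunk and carries no filesystem
    structures, a locked-but-plaintext volume keeps its FAT boot sector and
    mostly ordinary-entropy data."""
    chunks = [image[i:i + CHUNK] for i in range(0, len(image), CHUNK)]
    nonblank = [c for c in chunks if any(c)]
    high = sum(1 for c in nonblank if shannon_entropy(c) > HIGH_ENTROPY)
    fat = looks_like_fat_boot_sector(image[:SECTOR])
    if fat and high < len(nonblank):
        verdict = "plaintext filesystem (at most a password lock)"
    elif nonblank and high == len(nonblank):
        verdict = "likely encrypted (uniform high entropy, no filesystem structures)"
    else:
        verdict = "inconclusive"
    return {"fat_boot_sector": fat, "nonblank_chunks": len(nonblank),
            "high_entropy_chunks": high, "verdict": verdict}


# --- constructed sample images (test data, not real U3 captures) -------------

def pseudo_random(n: int, seed: bytes = b"u3-example") -> bytes:
    """Deterministic stand-in for AES output: a SHA-256 counter stream, not a cipher."""
    out = bytearray()
    for counter in range(-(-n // 32)):            # ceil(n / 32) digests
        out += hashlib.sha256(seed + counter.to_bytes(8, "little")).digest()
    return bytes(out[:n])


def build_plaintext_image() -> bytes:
    """Minimal FAT16 boot sector, 8 KiB of text file content, then unused space."""
    boot = bytearray(SECTOR)
    boot[0:3] = b"\xEB\x3C\x90"                  # JMP short + NOP
    boot[3:11] = b"MSDOS5.0"                      # OEM name
    boot[11:13] = (512).to_bytes(2, "little")     # bytes per sector
    boot[13] = 8                                  # sectors per cluster
    boot[54:62] = b"FAT16   "                     # filesystem type label
    boot[510:512] = b"\x55\xAA"
    text = (b"Minutes of the hearing (constructed sample text). " * 200)[:2 * CHUNK]
    return bytes(boot) + bytes(CHUNK - SECTOR) + text + bytes(4 * CHUNK)


def build_encrypted_image() -> bytes:
    """Eight chunks of ciphertext-like bytes: no boot sector, no slack."""
    return pseudo_random(8 * CHUNK)


if __name__ == "__main__":
    for label, img in (("locked only", build_plaintext_image()),
                       ("encrypted", build_encrypted_image())):
        print(label, classify_image(img))
```

On a real image the same walk is run over the whole data partition rather than a few chunks; compressed or already-encrypted files (ZIP, PDF streams, OpenSSL output) also score near 8 bits/byte, so the boot-sector check and the share of ordinary-entropy chunks matter more than any single high-scoring region.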
(@douglasbrush)
Posts: 812
Prominent Member
 

Other background info that can be helpful about the U3 platform

Deployment Kit
http://picimag.s3.amazonaws.com/developerdownloads/U3_Deployment_Kit_TR_0107.zip

Uninstall Utility
http://u3uninstall.s3.amazonaws.com/U3Uninstall.exe

 
Posted : 29/10/2009 7:46 pm
harryparsonage
(@harryparsonage)
Posts: 184
Estimable Member
 

You need a soldering iron.

H

 
Posted : 29/10/2009 11:07 pm
(@pizzaman)
Posts: 2
New Member
Topic starter
 

Thanks for your quick replies, guys. Unfortunately the U3 stuff (@seanmcl) is the newest one - three attempts only and your data is gone!
@harryparsonage thanks, that will be my last resort (basically the courts are always looking for data acquisitions that can be repeated by the defence, so I cannot go so straight!).
Finally, @douglasbrush, thanks a lot for your papers.

 
Posted : 30/10/2009 7:50 pm
harryparsonage
(@harryparsonage)
Posts: 184
Estimable Member
 

I don't know too much about the soldering iron method; well, nothing, to be accurate. I believe the principle is that it is possible to remove the chip that controls the access and then you are left with a standard USB stick. If you can do this then the defence would be able to image the item as well and get the same result.

I think this may have been done in the MetPol labs, if anyone is here from the Met they might be able to comment.

H

 
Posted : 30/10/2009 11:07 pm
psu89
(@psu89)
Posts: 118
Estimable Member
 

I have a Sandisk U3 Titanium with security turned on. When I boot to Ubuntu 9.10 with the drive attached, I have full access without ever entering the password.

EDIT: Actually the only way this works is if I first boot to XP and enter the U3 password. I then reboot to Ubuntu and the drive is accessible without re-entering the password. I have also found that I can reboot to XP and not re-enter the password.

I guess this doesn't help your situation, but I am now curious as to what makes this possible.

 
Posted : 04/11/2009 6:36 pm
(@seanmcl)
Posts: 700
Honorable Member
 

I guess this doesn't help your situation, but I am now curious as to what makes this possible.

I believe that once you unlock the partition, as long as the U3 device has power, it will remain unlocked. Was this a warm reboot or a cold reboot?

 
Posted : 04/11/2009 7:13 pm
psu89
(@psu89)
Posts: 118
Estimable Member
 

I guess this doesn't help your situation, but I am now curious as to what makes this possible.

I believe that once you unlock the partition, as long as the U3 device has power, it will remain unlocked. Was this a warm reboot or a cold reboot?

Warm. Thanks,

 
Posted : 04/11/2009 7:53 pm
(@rarosalion)
Posts: 28
Eminent Member
 

While possibly not relevant to your situation (as you seem to be talking about an encrypted drive, not just a locked drive), I've had some success with recovering data from locked U3 devices by simply using the built-in "wipe" feature, which removes the password and seems to only do a basic format of the device.

Obviously this method isn't forensically sound, but seems justifiable if all else fails. Make sure you test this yourself before working on real evidence but, in my testing, I did the following:

1. Enable software-based USB write blocking (I used M2CFG's writeblocking tool) - I was unable to get the device to function correctly through a hardware write blocker. Write blocking prevents the device from writing any new files to the partition after the format - it will not prevent the formatting entirely.
2. Use the U3 software's built in wipe/forgotten password option (I forget exactly what this is called).
3. Open the resulting "wiped" volume in EnCase or similar and use normal data recovery techniques. With EnCase's "Recover Folders" option, I was able to recover all previous data (may have lost some metadata on the first MFT entry or two).

Hope that helps someone.

 
Posted : 05/11/2009 8:04 am
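To show why the "wipe then recover" procedure above can bring files back, here is an added Python example; it is neither the poster's tooling nor anything from SanDisk or EnCase. It builds a tiny FAT16-style image with a DOCS subdirectory holding REPORT.TXT, models the wipe as a quick format that zeroes only the FATs and the root directory (an assumption based on the observation in the post, not a documented U3 behaviour), and then carves the orphaned subdirectory back out by scanning data clusters for a "." entry followed by "..", which is the idea behind a Recover Folders style pass. File contents are pulled out assuming contiguous clusters, since the FAT chain that would confirm that is gone. Image geometry, names and the report text are all constructed for the example.

```python
import math
import struct

BPS = 512            # bytes per sector
SPC = 1              # sectors per cluster (one sector, to keep the image tiny)
RESERVED = 1         # boot sector only
NUM_FATS = 2
SPF = 1              # sectors per FAT
ROOT_ENTRIES = 16    # 16 * 32 bytes = one sector of root directory
ATTR_DIR = 0x10
ATTR_LFN = 0x0F
CLUSTER = SPC * BPS

# constructed file content, long enough to span two clusters
REPORT = b"Constructed sample: report text that spans two clusters. " * 13


def cluster_offset(cluster: int) -> int:
    """Byte offset of a data cluster; FAT numbers data clusters from 2."""
    data_start = (RESERVED + NUM_FATS * SPF) * BPS + ROOT_ENTRIES * 32
    return data_start + (cluster - 2) * CLUSTER


def dir_entry(name: bytes, attr: int, cluster: int, size: int = 0) -> bytes:
    """One 32-byte short-name directory entry (timestamps left zero)."""
    e = bytearray(32)
    e[0:11] = name.ljust(11)
    e[11] = attr
    struct.pack_into("<H", e, 26, cluster)   # first cluster, low word
    struct.pack_into("<I", e, 28, size)
    return bytes(e)


def build_image() -> bytearray:
    """root/ -> DOCS/ (cluster 2) -> REPORT.TXT (clusters 3-4, contiguous)."""
    img = bytearray(cluster_offset(2 + 8))           # eight data clusters
    img[0:3] = b"\xEB\x3C\x90"
    struct.pack_into("<HBHBHHBH", img, 11, BPS, SPC, RESERVED, NUM_FATS,
                     ROOT_ENTRIES, len(img) // BPS, 0xF8, SPF)
    img[510:512] = b"\x55\xAA"
    fat = struct.pack("<5H", 0xFFF8, 0xFFFF, 0xFFFF, 4, 0xFFFF)  # 2=EOC, 3->4, 4=EOC
    for i in range(NUM_FATS):
        off = (RESERVED + i * SPF) * BPS
        img[off:off + len(fat)] = fat
    root = (RESERVED + NUM_FATS * SPF) * BPS
    img[root:root + 32] = dir_entry(b"DOCS", ATTR_DIR, 2)
    docs = cluster_offset(2)
    img[docs:docs + 96] = (dir_entry(b".", ATTR_DIR, 2) + dir_entry(b"..", ATTR_DIR, 0)
                           + dir_entry(b"REPORT  TXT", 0x20, 3, len(REPORT)))
    img[cluster_offset(3):cluster_offset(3) + len(REPORT)] = REPORT
    return img


def quick_format(img: bytes) -> bytearray:
    """Model of the 'basic format' (assumption): zero the FATs and the root
    directory, keep the boot sector, leave the data area untouched."""
    out = bytearray(img)
    out[RESERVED * BPS:cluster_offset(2)] = bytes(cluster_offset(2) - RESERVED * BPS)
    return out


def parse_entries(block: bytes):
    """Yield (name, attr, first_cluster, size) for live short-name entries."""
    for off in range(0, len(block), 32):
        e = block[off:off + 32]
        if e[0] == 0x00:                         # end of directory
            break
        if e[0] == 0xE5 or e[11] == ATTR_LFN:    # deleted entry / long-name piece
            continue
        base, ext = e[0:8].rstrip(b" "), e[8:11].rstrip(b" ")
        name = (base + b"." + ext if ext else base).decode("ascii", "replace")
        yield name, e[11], struct.unpack_from("<H", e, 26)[0], struct.unpack_from("<I", e, 28)[0]


def list_root(img: bytes) -> list:
    """What a normal mount shows: names in the root directory."""
    root = (RESERVED + NUM_FATS * SPF) * BPS
    return [name for name, *_ in parse_entries(img[root:root + ROOT_ENTRIES * 32])]


def recover_folders(img: bytes) -> dict:
    """Scan every data cluster for a '.' entry followed by '..': that is an orphaned
    subdirectory.  Pull its files out assuming contiguous clusters, because the FAT
    chain that would say otherwise has been zeroed."""
    found = {}
    first = cluster_offset(2)
    for off in range(first, len(img) - CLUSTER + 1, CLUSTER):
        blk = img[off:off + CLUSTER]
        if not (blk[0:11] == b".".ljust(11) and blk[11] & ATTR_DIR
                and blk[32:43] == b"..".ljust(11)):
            continue
        parent = 2 + (off - first) // CLUSTER
        for name, attr, start, size in parse_entries(blk):
            if name in (".", "..") or attr & ATTR_DIR:
                continue
            span = math.ceil(size / CLUSTER) * CLUSTER
            data = bytes(img[cluster_offset(start):cluster_offset(start) + span][:size])
            found[name] = {"dir_cluster": parent, "start_cluster": start, "size": size, "data": data}
    return found


if __name__ == "__main__":
    wiped = quick_format(build_image())
    print("root after format:", list_root(wiped))
    for name, info in recover_folders(wiped).items():
        print(name, info["size"], "bytes from cluster", info["start_cluster"], info["data"][:40])
```

The contiguity assumption is the weak point: a fragmented file comes back with the wrong tail, which is the "may have lost some metadata" class of loss the post mentions, only worse for data. On a real device the clusters that the format did rewrite (typically only the first few sectors) are exactly where the root directory lived, so files placed directly in the root are harder to recover than anything in a subdirectory.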