
thumbdrive with biometric 'protection'

(@optimints)
Posts: 4
New Member
Topic starter
 

Hi,

Wondering if anyone has ever encountered one of those fingerprint-based biometric thumbdrives that will only reveal the 'hidden' partition after successful authentication.

I've recently come across one. If I do not authenticate, I will only see a 20MB physical drive. After successful authentication, I will see (in addition to the 20MB drive) another ~2GB physical drive on the system. This was when using a Windows system to access the thumbdrive.

On the other hand, using Helix and LinEn, what showed up (before authentication) was a 20MB physical drive with a >1TB partition within it (yes, it does not make sense).

This leads me to suspect that the thumbdrive has been 'configured' in a way to confuse the OS into wrongly identifying the number of physical drives or size of a physical drive. Once the OS cannot correctly identify the characteristics of the thumbdrive, any forensic tool running on that OS cannot function correctly.

I've in the past heard a presentation that it is possible to mess with the hard disk geometry so that the OS does not see the full capacity of a disk. Could a similar trick be applied to thumbdrives?

To summarise my queries

1. Can a thumbdrive be tweaked in a way that an OS cannot correctly read or recognize its characteristics (size, number of physical volumes, etc)?
2. Do forensic tools, software depend on the OS to correctly read a disk or thumbdrive?
3. How is it possible to perform a forensic analysis on such thumbdrives?

Any explanation, conjectures, suggestions are welcome.

 
Posted : 30/08/2008 11:16 pm
bigtez492
(@bigtez492)
Posts: 9
Active Member
 

Hello Optimints,

I too have a similar problem with a Transcend JF220 thumb drive. When I attached it to the FW I see two partitions, 1 x 48MB and 1 x 848MB. When viewed in Encase 6.12 I see a logical volume of 48MB and a physical of 848MB; the drive is in fact 4GB in size. I have been loaned this drive for experimenting on, and after some research on the internet it is alleged that if you resize the partitions it will make all the other previously unseen space viewable and the previously encrypted files viewable… at the risk of sounding negative, methinks not 8O. Before I try this method I was wondering if you or any others out there have had any success in recovering/identifying the rest of the drive?

 
Posted : 01/10/2008 8:47 pm
(@optimints)
Posts: 4
New Member
Topic starter
 

Hi,

I've had no further success since then. However, I did come across another flash device from a known vendor, who managed to confirm that indeed they tweaked the physical partition sizes so as to have public/hidden areas.

My worry is that as this technique becomes more common (at least 3 now, including the Transcend device you encountered), computer forensics examiners are on the losing end, since the computer forensics tools (hardware/software) that I've tried are not able to deal with these.

Has anyone else encountered similar devices and found some ways to deal with them?

 
Posted : 02/10/2008 9:09 pm
NeGrusti
(@negrusti)
Posts: 18
Active Member
 

It is possible to manipulate the reported size by using the utility designed for the particular flash memory controller in the drive. Many of the modern flash drives have this feature.

 
Posted : 10/11/2008 8:36 am
(@athulin)
Posts: 1156
Noble Member
 

I've in the past heard a presentation that it is possible to mess with the hard disk geometry so that the OS does not see the full capacity of a disk. Could a similar trick be applied to thumbdrives?

Without knowing what the 'trick' is, difficult to say. The two usual methods (HPA and DCO) apply only to ATA drives. The thumbdrives I have examined talk some dialect of SCSI command blocks, but I don't know if there are any SCSI disk hiding methods.

1. Can a thumbdrive be tweaked in a way that an OS cannot correctly read or recognize its characteristics (size, number of physical volumes, etc)?

This question is too wide. Are you asking about thumbdrives in general, or the particular one you have been working with? Plain thumbdrives are more or less plain flash memory, while thumbdrives built on the U3 platform have more bells and whistles. You can find out – look for the U3 DAPI; it has an API call to decide if you are working with a U3 thumbdrive or not.

For plain thumbdrives, I would expect it's a question of examining the USB mass storage commands. For U3 thumbdrives, … you may have to sign up for the HDK to get at the low-level details.

2. Do forensic tools, software depend on the OS to correctly read a disk or thumbdrive?

Some, surely. Most assume that you are looking at a hard drive, and so may be 'fooled' by a USB drive masquerading as a hard drive or a CD. Some of the tools I've used were not able to see the USB drive at all … they were looking for ATA drives. Other software (using the OS abstraction) could see it.

The ideal forensic tool should be able to talk USB mass storage commands in these situations, but I don't know any that does.

 
Posted : 10/11/2008 1:41 pm
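As an added illustration of the two points raised in this thread (the original post's 20MB drive that showed a >1TB partition, and athulin's remark that the honest answer lives in the USB mass storage / SCSI command layer rather than in the OS view), here is an example script that is not part of the thread and not taken from any forensic product. It parses the 8-byte data returned by a SCSI READ CAPACITY(10) command and the four MBR partition entries in sector 0, then flags any partition that extends beyond the capacity the device itself reports. The READ CAPACITY data and the MBRs below are constructed sample values, not captured from a real device; how you obtain the raw response from a particular drive (for example via a pass-through ioctl on a write-blocked image acquisition) is outside the example.

```python
import struct

def parse_read_capacity10(resp: bytes) -> tuple[int, int]:
    """Decode READ CAPACITY(10) data: big-endian last LBA, then block length in bytes."""
    if len(resp) != 8:
        raise ValueError("READ CAPACITY(10) data is exactly 8 bytes")
    last_lba, block_len = struct.unpack(">II", resp)
    return last_lba, block_len

def parse_mbr(sector0: bytes) -> list[dict]:
    """Return the non-empty entries of a classic MBR partition table."""
    if len(sector0) < 512 or sector0[510:512] != b"\x55\xaa":
        raise ValueError("no 0x55AA signature: sector 0 is not an MBR")
    parts = []
    for i in range(4):
        entry = sector0[446 + 16 * i : 462 + 16 * i]
        # status, 3 CHS bytes (skipped), type, 3 CHS bytes (skipped), start LBA, sector count
        status, ptype, lba_start, count = struct.unpack("<B3xB3xII", entry)
        if ptype == 0 and count == 0:
            continue  # empty slot
        parts.append({"index": i, "bootable": status == 0x80, "type": ptype,
                      "lba_start": lba_start, "sectors": count})
    return parts

def check_consistency(capacity_resp: bytes, sector0: bytes) -> dict:
    """Compare what the device reports (READ CAPACITY) with what the MBR claims."""
    last_lba, block_len = parse_read_capacity10(capacity_resp)
    dev_sectors = last_lba + 1
    parts = parse_mbr(sector0)
    findings = []
    for p in parts:
        end_excl = p["lba_start"] + p["sectors"]
        if end_excl > dev_sectors:
            findings.append(
                f"partition {p['index']} (type 0x{p['type']:02x}) spans LBA "
                f"{p['lba_start']}..{end_excl - 1}, but the device reports only "
                f"{dev_sectors} sectors of {block_len} bytes")
    return {"device_bytes": dev_sectors * block_len, "partitions": parts,
            "findings": findings}

# --- constructed sample data (assumed values, not from a real thumbdrive) ---
def make_read_capacity10(total_sectors: int, block_len: int = 512) -> bytes:
    return struct.pack(">II", total_sectors - 1, block_len)

def make_mbr(entries: list[tuple[int, int, int]]) -> bytes:
    """Build an MBR from (type, start LBA, sector count) tuples; CHS fields are filler."""
    mbr = bytearray(512)
    for i, (ptype, start, count) in enumerate(entries):
        mbr[446 + 16 * i : 462 + 16 * i] = struct.pack(
            "<B3sB3sII", 0x00, b"\xff\xff\xff", ptype, b"\xff\xff\xff", start, count)
    mbr[510:512] = b"\x55\xaa"
    return bytes(mbr)

CAP_20MB = make_read_capacity10(20 * 1024 * 1024 // 512)   # device says: 40960 sectors
MBR_OVERSIZED = make_mbr([(0x0B, 2048, 2_500_000_000)])     # FAT32 entry of ~1.28 TB on a 20MB device
MBR_SANE = make_mbr([(0x0B, 2048, 38912)])                   # ends exactly at sector 40960

if __name__ == "__main__":
    for name, mbr in (("oversized", MBR_OVERSIZED), ("sane", MBR_SANE)):
        result = check_consistency(CAP_20MB, mbr)
        print(name, result["device_bytes"], "bytes reported;",
              result["findings"] or "partition table consistent")
```

The point of the check is that the OS-level view (a 20MB volume) and the partition table can disagree with each other and with the controller's own answer; recording all three during acquisition gives an examiner something concrete to note when a device behaves the way the first post describes.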
NeGrusti
(@negrusti)
Posts: 18
Active Member
 

In fact, fake flash drives are widespread in China; on these drives the size the controller reports does not correspond to the actual flash chip size. It is quite easy to put a small "protection" app on the first partition that will modify the reported size in the controller to the correct size if the password is right.

 
Posted : 12/11/2008 6:02 am