Hi folks,
I've looked around and seen references to what I'm looking for but no definite methodology yet.
A USB U3 presents itself as a CD until the password is entered and the FAT portion seems to remain offline until that process is complete.
I'm doing an exam on one for which I don't have the password and need a forensically sound image. This is the first time I've come across U3 so I'm just learning the ins and outs.
I'd say I'd like to know the easiest way to do that but really, I'd love to know ANY successful way to do it.
Thanks in advance for the assistance.
A USB U3 presents itself as a CD until the password is entered and the FAT portion seems to remain offline until that process is complete.
I'm doing an exam on one for which I don't have the password and need a forensically sound image.
For the CD part, use something like HxD Hex Editor, open 'Optical Disk 1' (or whatever the number is on your system), and save the image. (Some other CD acquisition methods will get you only the CD image.) Behind the CD image, there's a lot of seemingly random data. I've not found anything useful in there, but you may.
For the FAT partition itself: good luck. Ordinary methods won't work, as far as I know. But you may be lucky – the owner may have provided a password hint that is broad enough for you to guess the password, or recognize it from passwords found on related evidence items. The password hint can be extracted easily, along with the number of guesses remaining before the stick locks up on you.
I won't discount the possibility of there being some kind of back door to the U3 sticks, but I think it would be a very jealously guarded secret, if it exists. General knowledge of a back door would destroy the U3 encrypted thumbsticks as a product fairly decisively. It makes better business sense to avoid any such latent threats.
There is very likely another way in, but it would destroy the thumbstick in the process: extract the flash memory and examine it in a test bed. You need an electronics lab for this, and considerable hardware knowledge. More expensive sticks, I would imagine, are tamper-hardened to some degree. I haven't quite gone as far as this myself…
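As an added illustration of the "save the image" step in the reply above (this is example code, not something from the thread or from any U3 tool): a small read-only imager for the emulated CD-ROM portion. It reads the device sector by sector, zero-fills any sector the drive refuses to return instead of aborting, and reports MD5/SHA-256 so the image can be verified afterwards. The device paths in the docstring are assumptions; the sample "device" in the demo is a constructed temp file.

```python
"""Minimal sector-by-sector imager with hashing for the U3 CD-ROM partition.
Assumed device paths: r'\\.\CDROM0' on Windows, '/dev/sr0' on Linux.
Run as Administrator/root; the device is only ever opened read-only."""
import hashlib
import os
import tempfile

SECTOR = 2048  # CD-ROM logical sector size


def image_device(src_path, dst_path, sector=SECTOR):
    """Copy src_path to dst_path one sector at a time, hashing as we go.
    Returns byte count, sector count, hashes and the LBAs that could not be read."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    bad, total, lba = [], 0, 0
    with open(src_path, "rb", buffering=0) as src, open(dst_path, "wb") as dst:
        while True:
            try:
                chunk = src.read(sector)
            except OSError:
                # Unreadable sector: log its LBA, pad with zeros so offsets
                # in the image stay aligned, and skip past it on the source.
                bad.append(lba)
                chunk = b"\x00" * sector
                src.seek((lba + 1) * sector)
            if not chunk:
                break
            dst.write(chunk)
            md5.update(chunk)
            sha256.update(chunk)
            total += len(chunk)
            lba += 1
    return {"bytes": total, "sectors": lba, "bad_sectors": bad,
            "md5": md5.hexdigest(), "sha256": sha256.hexdigest()}


def verify_image(path, expected_sha256):
    """Re-hash the written image and compare against the acquisition hash."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(1 << 20), b""):
            h.update(block)
    return h.hexdigest() == expected_sha256


def make_sample_device(path, sectors=17):
    """Constructed stand-in for a CD: 17 sectors with an ISO 9660-style
    primary volume descriptor marker ('CD001') at sector 16."""
    data = bytearray(os.urandom(SECTOR * sectors))
    data[SECTOR * 16: SECTOR * 16 + 6] = b"\x01CD001"
    with open(path, "wb") as f:
        f.write(data)
    return bytes(data)


if __name__ == "__main__":
    tmp = tempfile.mkdtemp()
    src, dst = os.path.join(tmp, "fake_cdrom.bin"), os.path.join(tmp, "u3_cd.dd")
    make_sample_device(src)
    info = image_device(src, dst)
    print(info, "verified:", verify_image(dst, info["sha256"]))
```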