USB thumb drive query  

Adam10541
(@adam10541)
Senior Member

I'm wondering if anyone here has done much with USB thumb drives?

I have 2 issues, firstly the device itself has no serial number, at least none that I can find using Xways Forensics. I tried plugging the drive (write blocked) into my analysis machine and had a look with Nirsoft's USBDeview and this didn't list a serial number either. I'm assuming the write block will have nothing to do with this issue but I'm at a bit of a loss to explain.

It's a 2GB thumb drive, formatted FAT32.

The second question, and really my main one, is it possible to determine the date a USB thumb drive was formatted? I have no access to any of the many computers which may have done the formatting.

I have found a white paper on Digital Detective which talks about using the Volume ID to calculate the date of format, however the example given was specific to Fat12 Floppy Diskette, and it also states that some changes may happen with XP machines. I took this on board doubly so as the paper is quite old.

I determined the Volume ID is C5D7-A905 via the vol command from CLI, I can also find this in Xways, appears in reverse as 05 A9 D7 C5, I know there is a reason for this but my memory fails me at this point.

Can this be used to determine the date of format via XP or Win7?

Posted : 07/10/2013 1:28 pm
Igor_Michailov
(@igor_michailov)
Senior Member

Have you read the book "File System Forensic Analysis" by Brian Carrier?

Posted : 07/10/2013 2:30 pm
jaclaz
(@jaclaz)
Community Legend

You can try using any among Chipgenius, CheckUDisk or ChipEasy
http://www.usbdev.ru/files/
to see as much info on the USB stick as is available.

The "problem" with Disk Signatures and Volume IDs is often that of *something* in the software accessing them considering them a hex value (which they are not) and thus reversing it due to Big Endianness.

See this seemingly unrelated article about Magic Bytes
http://thestarman.pcministry.com/asm/mbr/AA55H.html

About linking the Volume ID to a formatting date, I am afraid it is very unlikely that you will find a way.
This link was known in good ol' DOS times (and for FAT volumes) but it is not anymore for NTFS, and of course if the format was made with the "Manufacturer tool" or under *any* other OS, there is not even that feeble possibility, it could be anything.

JFYI, the matter is talked about here (including a tentative spreadsheet)
http://www.forensicfocus.com/Forums/viewtopic/t=2134/
http://www.msfn.org/board/topic/152097-on-superfloppies-and-their-images/?p=980297

And, just for the fun of it :D, possible issues when Swiss watchmakers made backups on floppies 😯
http://www.msfn.org/board/topic/152097-on-superfloppies-and-their-images/?p=987748

jaclaz

Posted : 07/10/2013 3:43 pm
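The two points raised so far about the Volume ID (where it sits in the boot sector and why X-Ways shows C5D7-A905 as the byte run 05 A9 D7 C5, and why the DOS-era link between the ID and the format clock cannot be run backwards) can be shown in a few lines. The following is an added example, not code from the thread or from any of the tools mentioned. It builds a constructed FAT32 boot sector carrying the thread's serial, reads the serial back taking the little-endian storage into account, computes the serial the MS-DOS / Windows 9x FORMAT derived from the clock (as commonly documented; that relationship is an assumption about old formatters only, and later tools do not honour it), and enumerates how many different clock readings collapse onto the same low word. All sample bytes and dates are constructed.

```python
import struct
from datetime import datetime

# Byte offsets of the 32-bit volume serial number in the FAT boot sector.
# FAT12/FAT16 keep it in the extended BPB at 0x27; FAT32 has a larger BPB and
# keeps it at 0x43. The field is stored little-endian, which is why a hex view
# shows the serial C5D7-A905 as the byte run 05 A9 D7 C5.
VOLID_OFFSET_FAT1216 = 0x27
VOLID_OFFSET_FAT32 = 0x43
SECTORS_PER_FAT16_OFFSET = 0x16  # zero on FAT32 volumes, non-zero on FAT12/16


def build_sample_fat32_boot_sector(volume_id: int) -> bytes:
    """Constructed 512-byte FAT32 boot sector carrying the given volume serial.

    Only the fields this example reads are populated; it is not a mountable image.
    """
    sector = bytearray(512)
    sector[0:3] = b"\xEB\x58\x90"                               # jump instruction
    sector[3:11] = b"MSDOS5.0"                                  # OEM name
    struct.pack_into("<H", sector, 0x0B, 512)                   # bytes per sector
    sector[0x0D] = 8                                            # sectors per cluster
    struct.pack_into("<H", sector, 0x0E, 32)                    # reserved sectors
    sector[0x10] = 2                                            # number of FATs
    struct.pack_into("<H", sector, SECTORS_PER_FAT16_OFFSET, 0)  # 0 marks FAT32
    struct.pack_into("<I", sector, 0x20, 3_915_776)             # total sectors (~2 GB stick)
    struct.pack_into("<I", sector, 0x24, 3_824)                 # FAT32 sectors per FAT
    struct.pack_into("<I", sector, VOLID_OFFSET_FAT32, volume_id)
    sector[0x47:0x52] = b"NO NAME    "                          # 11-byte volume label
    sector[0x52:0x5A] = b"FAT32   "                             # file system type string
    sector[0x1FE:0x200] = b"\x55\xAA"                           # boot sector signature
    return bytes(sector)


def fat_volume_id(boot: bytes) -> int:
    """Return the volume serial number from a FAT12/16/32 boot sector as an integer."""
    if len(boot) < 512 or boot[0x1FE:0x200] != b"\x55\xAA":
        raise ValueError("not a boot sector (missing 55 AA signature)")
    sectors_per_fat16 = struct.unpack_from("<H", boot, SECTORS_PER_FAT16_OFFSET)[0]
    offset = VOLID_OFFSET_FAT32 if sectors_per_fat16 == 0 else VOLID_OFFSET_FAT1216
    # "<I" decodes the little-endian bytes 05 A9 D7 C5 into 0xC5D7A905; a tool
    # that treats the raw byte run as a big-endian number shows it reversed.
    return struct.unpack_from("<I", boot, offset)[0]


def format_volume_id(volume_id: int) -> str:
    """Render the serial the way the 'vol' command does: XXXX-XXXX."""
    return f"{volume_id >> 16:04X}-{volume_id & 0xFFFF:04X}"


def dos_volume_id_from_parts(year, month, day, hour, minute, second=0, hundredths=0) -> int:
    """Serial as the MS-DOS / Windows 9x FORMAT derived it from the clock (assumed
    DOS-era algorithm): low word = (month:day) + (seconds:hundredths),
    high word = (hours:minutes) + year, each sum truncated to 16 bits."""
    low = ((month << 8 | day) + (second << 8 | hundredths)) & 0xFFFF
    high = ((hour << 8 | minute) + year) & 0xFFFF
    return (high << 16) | low


def dos_volume_id(when: datetime) -> int:
    """Convenience wrapper around dos_volume_id_from_parts for a datetime."""
    return dos_volume_id_from_parts(when.year, when.month, when.day, when.hour,
                                    when.minute, when.second, when.microsecond // 10_000)


def low_word_candidates(low_word: int):
    """All (month, day, second, hundredths) clock readings that yield the given low
    word under the DOS-era formula. The collisions are why the serial cannot be
    inverted to a single format date even when that formula was used."""
    matches = []
    for month in range(1, 13):
        for day in range(1, 32):
            for second in range(60):
                hundredths = (low_word - (month << 8 | day) - (second << 8)) & 0xFFFF
                if hundredths <= 99:
                    matches.append((month, day, second, hundredths))
    return matches


if __name__ == "__main__":
    boot = build_sample_fat32_boot_sector(0xC5D7A905)
    print("raw bytes at 0x43:", boot[0x43:0x47].hex(" ").upper())
    print("volume id:", format_volume_id(fat_volume_id(boot)))
    print("DOS-era id for 2013-10-07 13:28:00:",
          format_volume_id(dos_volume_id(datetime(2013, 10, 7, 13, 28))))
    print("clock readings sharing low word 0x0A07:", len(low_word_candidates(0x0A07)))
```

Reading the serial through `struct.unpack_from("<I", ...)` is the whole endianness point: the bytes on disk are 05 A9 D7 C5, the value is 0xC5D7A905, and a viewer that dumps the raw bytes is not wrong, it is just showing the storage order. The candidate enumeration makes the forum's conclusion concrete: even for a volume known to have been formatted by a DOS-era tool, one low word is produced by many (month, day, second, hundredths) combinations, and a stick formatted by a manufacturer tool or another OS has no such relationship at all.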
YogeshKhatri
(@yogeshkhatri)
Junior Member

If you are connecting via a write-blocker, you may be getting the serial number of the writeblocker/usb-bridge and not the real one you want. To get the real one, you will need to connect it directly, either use a linux machine (with auto-mounting disabled like a forensic boot cd) or a windows software writeblocker (DSI USB writeblocker). There is software available for windows (nirsoft, etc.) and linux to get the hardware IDs, serial numbers, etc.

The date and time from volume id is not a reliable method in FAT partitions to determine the date/time of format. This is usually a pseudo random number (on most implementations).

Posted : 07/10/2013 4:45 pm
mscotgrove
(@mscotgrove)
Senior Member

All thumb drives I have bought have come preformatted. Thus the date of format may be nothing to do with the user. It could also be a fixed image for every drive - but that is a guess.

Posted : 07/10/2013 4:56 pm
keydet89
(@keydet89)
Community Legend

I'm wondering if anyone here has done much with USB thumb drives?

I have 2 issues, firstly the device itself has no serial number, at least none that I can find using Xways Forensics. I tried plugging the drive (write blocked) into my analysis machine and had a look with Nirsoft's USBDeview and this didn't list a serial number either. I'm assuming the write block will have nothing to do with this issue but I'm at a bit of a loss to explain.

Okay, so you've found that the device doesn't have a serial number, and you've clearly connected the device to your analysis system. So, in order to verify this, have you performed USB device analysis on your own system, and specifically, have you found that the second character (second, NOT second to last) is '&'?

Also, I'm a bit unclear as to what the issue with the SN is, other than you're saying that it doesn't have one.

Posted : 07/10/2013 5:10 pm
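The '&' test keydet89 is asking about applies to the instance ID Windows records for the device under the USBSTOR enumeration key, not to any byte on the disk itself: when a mass-storage device reports no usable serial number, Windows synthesises an instance ID whose second character is '&', and that ID is unique to the machine that generated it rather than to the stick. The following added example (not code from the thread or from any tool named in it) parses the identifier strings as Windows stores them and applies that rule. The VID/PID pair is the one quoted later in the thread; the vendor/product strings and both instance IDs are constructed for illustration.

```python
import re

# Constructed examples of the identifiers Windows records under
# HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR and ...\Enum\USB.
# VID_090c&PID_1000 is the pair quoted in the thread; everything else is made up.
USBSTOR_DEVICE_ID = "Disk&Ven_SMI&Prod_USB_DISK&Rev_1100"
USB_DEVICE_ID = "VID_090c&PID_1000"
INSTANCE_WITH_SERIAL = "AA04012700007654&0"   # device-supplied serial plus "&<LUN>"
INSTANCE_GENERATED = "6&2a3f1c9e&0"           # Windows-generated: second char is '&'

_DEVICE_ID_RE = re.compile(
    r"^(?P<devtype>[^&]+)&Ven_(?P<vendor>[^&]*)&Prod_(?P<product>[^&]*)&Rev_(?P<rev>[^&]*)$",
    re.IGNORECASE,
)
_VID_PID_RE = re.compile(r"VID_(?P<vid>[0-9A-F]{4})&PID_(?P<pid>[0-9A-F]{4})", re.IGNORECASE)


def parse_usbstor_device_id(device_id: str) -> dict:
    """Split a USBSTOR device ID into type, vendor, product and revision strings."""
    m = _DEVICE_ID_RE.match(device_id)
    if not m:
        raise ValueError(f"unrecognised USBSTOR device id: {device_id!r}")
    return m.groupdict()


def parse_vid_pid(device_id: str) -> tuple:
    """Return (vendor_id, product_id) as integers from a USB enumeration key name."""
    m = _VID_PID_RE.search(device_id)
    if not m:
        raise ValueError(f"no VID_xxxx&PID_xxxx in {device_id!r}")
    return int(m["vid"], 16), int(m["pid"], 16)


def classify_instance_id(instance_id: str) -> dict:
    """Apply the '&' rule to a USBSTOR instance ID.

    If the second character is '&', the device reported no usable serial and
    Windows synthesised the ID, so it cannot tie this physical stick to another
    machine. Otherwise the text before the trailing "&<LUN>" is the device serial.
    """
    generated = len(instance_id) > 1 and instance_id[1] == "&"
    base, sep, lun = instance_id.rpartition("&")
    return {
        "instance_id": instance_id,
        "windows_generated": generated,
        "serial": None if generated else (base if sep else instance_id),
        "lun": int(lun) if sep and lun.isdigit() else None,
    }


if __name__ == "__main__":
    print(parse_usbstor_device_id(USBSTOR_DEVICE_ID))
    vid, pid = parse_vid_pid(USB_DEVICE_ID)
    print(f"VID {vid:04X} PID {pid:04X}")
    for iid in (INSTANCE_WITH_SERIAL, INSTANCE_GENERATED):
        print(classify_instance_id(iid))
```

The practical consequence for the question in the thread: a device that produces a generated instance ID can still be shown to have been connected to a given machine (the key exists, with its timestamps), but the same physical stick will receive a different generated ID on every machine, so the ID alone cannot be used to match one stick across computers.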
athulin
(@athulin)
Community Legend

The second question, and really my main one, is it possible to determine the date a USB thumb drive was formatted? I have no access to any of the many computers which may have done the formatting.

Do you know what formatting software may have been present on them? For example, if they're all Windows XP, you might proceed on the assumption that one of the standard XP formatting methods was used, and then look for the artifacts they produce.

If there are deleted but recoverable directory folders, you may be able to establish a point in time after which the formatting must have taken place (under various assumptions, of course). And similarly, the existing time stamps may provide you with a corresponding point in time before which the formatting may have taken place.

Also, the volume label entry may be useful, for example.

You will not get a 100% certain date, as far as I know.

Posted : 07/10/2013 9:07 pm
Adam10541
(@adam10541)
Senior Member

@ Jaclaz, thanks I will have a look at some of those tools and see if they can give me any extra information.

@YogeshKatri, I was using software blocker so the USB was connected directly to my analysis machine.

@mscotgrove, that's something I didn't actually think of and from memory I think all the USB thumbdrives I've bought have been pre-formatted FAT32 as well :|
I suspect I may simply have to comment on the earliest date/time of any files I can recover and then I really will only be in a position to say with any degree of confidence that the drive has been in use since at least that date, but not be able to rule out prior usage which has since been copied over.

@keydet89, the issue with not having a serial number was more me thinking ahead of how I would prove that particular thumb drive was connected to a computer. Linking USB devices to other computers is not something I've had to do before, honestly I don't think I'll be asked to do it this time, however I just wanted to get my head thinking in that direction so I had a plan of attack should that eventuate.

Thanks everyone for the replies.

Posted : 08/10/2013 6:10 am
keydet89
(@keydet89)
Community Legend

@Adam10541,

Okay, but that doesn't answer the question, does it?

Posted : 08/10/2013 4:31 pm
jaclaz
(@jaclaz)
Community Legend

Just for the record, with the exception of "U3" devices (which are normally set in factory for two LUNs, first one CDROM and second HD volume like), 99.99% of common USB sticks (please read as "very nearly ALL") come from factory:

1. with the "Removable" bit set
2. with a single "superfloppy like" volume, formatted as FAT32
3. with a serial number

The other exception are the newish "high end" USB 3.0 ultra-fast sticks, that are actually a USB to SATA bridge + a (small) SSD.

@Adam10541
If you post the EXACT model of the stick and possibly also PID/VID and a picture of it (or a link to its manufacturer page), I may be able to confirm to you that the original stick does come with a serial number from factory.

jaclaz

Posted : 08/10/2013 8:32 pm
Adam10541
(@adam10541)
Senior Member

Sorry keydet89, I missed the other question as was in a rush working on another report.

I'm not sure I understand what you are asking here? I have checked the device on different machines to rule out something funky with my analysis machine. The second character (in disk view using Xways) is not a '&', it's an 'À'

Jaclaz, can't send a pic of the drive as it has client identifying information on it, but the below link is pretty much what it looks like. Just a standard black swivel generic sort of drive.

http://www.aliexpress.com/item-img/New-Arrival-USB-2-0-Flash-Memory-Stick-Jump-Drive-Fold-Pen-2GB-BLACK-Y559/501193314.html
The Vendor is listed as SMI Corporation
Vid_090c&Pid_1000

Posted : 09/10/2013 8:05 am
jaclaz
(@jaclaz)
Community Legend

Just a standard black swivel generic sort of drive.

http://www.aliexpress.com/item-img/New-Arrival-USB-2-0-Flash-Memory-Stick-Jump-Drive-Fold-Pen-2GB-BLACK-Y559/501193314.html
The Vendor is listed as SMI Corporation
Vid_090c&Pid_1000

Well, those are "bulk-bulk", they are commercialized branded by *anyone* and it is thus very likely that a given "brand" or possibly just a single production "batch" has been initialized without a Serial Number (the SMI Manufacturer's Tool, like many other ones, provides alternatively NO Serial, Manual Serial, Autogenerated Incremental, Random - besides allowing for different serial number lengths).

So, no certainty whatever, only the confirmation that it is possible that it came "from the factory" without a Serial Number (unlikely but possible).
As a comparison if it was coming from a number of "well known" brands, I would have rated the possibility "very, very unlikely" or "nearly impossible".

jaclaz

Posted : 09/10/2013 5:35 pm
jhup
(@jhup)
Community Legend

I second what jaclaz just said.

When I have taken apart these flash drives, indeed they are "bulk-bulk". The exterior would be identical (other than the exterior markings, logos) but the interiors (PCB, chips, etc.) were different.

Posted : 09/10/2013 6:09 pm
Adam10541
(@adam10541)
Senior Member

No problems, thanks for the extra info gents, let's hope they don't ask me to match that particular drive to a computer then :)

Posted : 10/10/2013 9:53 am
keydet89
(@keydet89)
Community Legend

I'm not sure I understand what you are asking here? I have checked the device on different machines to rule out something funky with my analysis machine. The second character (in disk view using Xways) is not a '&', it's an 'À'

Then, if you're referring to the device serial number, the device does have a serial number, and the question is moot.

Posted : 10/10/2013 4:48 pm