Monday, April 23, 2012

USB Flash drive Serial Numbers - "UNIQUE"?

Formatted USB flash drives (a.k.a. thumb drives, etc.) have Volume Serial Numbers generated when a new filesystem is created. The algorithm depends on the file system and the OS. The Volume Serial Number can easily be changed with a hex editor at the following boot sector locations:

FAT 12/16 - 4 bytes at offset 0x027
FAT 32    - 4 bytes at offset 0x043
NTFS      - 8 bytes at offset 0x48

or by using any of the myriad free tools that can be found on the Internet. Volume Serial Numbers are important from the forensic investigation standpoint, and plenty of good material has been written on this topic. The most prominent, in my view, is written by Craig Wilson, Rob Lee and Harlan Carvey.
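To make the offsets above concrete, here is an added example (not from the original post) that detects whether a boot sector is FAT12/16, FAT32 or NTFS and pulls the Volume Serial Number from the offset listed for that filesystem. The sample sectors are constructed inline; the `sample_sector` helper and the serial values in it are assumptions for the demo only.

```python
import struct

# Boot-sector locations from the post: (serial offset, serial length in bytes).
SERIAL_FIELD = {"FAT12/16": (0x27, 4), "FAT32": (0x43, 4), "NTFS": (0x48, 8)}

def detect_filesystem(sector: bytes) -> str:
    """Identify the filesystem from the type strings in the first sector."""
    if sector[3:11] == b"NTFS    ":
        return "NTFS"
    if sector[0x52:0x57] == b"FAT32":
        return "FAT32"
    if sector[0x36:0x3B] in (b"FAT12", b"FAT16", b"FAT  "):
        return "FAT12/16"
    raise ValueError("not a FAT or NTFS boot sector")

def volume_serial(sector: bytes) -> tuple:
    """Return (filesystem, serial) with the serial formatted the way Windows shows it.
    FAT serials are 4 little-endian bytes shown as XXXX-XXXX; NTFS keeps all
    8 bytes (Windows' `vol` command prints only the low 4 of them)."""
    fs = detect_filesystem(sector)
    offset, length = SERIAL_FIELD[fs]
    raw = sector[offset:offset + length]
    if length == 8:
        return fs, f"{struct.unpack('<Q', raw)[0]:016X}"
    value = struct.unpack("<I", raw)[0]
    return fs, f"{value >> 16:04X}-{value & 0xFFFF:04X}"

def sample_sector(fs: str, serial: int) -> bytes:
    """Constructed boot sector carrying only the fields this script reads."""
    sec = bytearray(512)
    sec[510:512] = b"\x55\xAA"                  # boot signature
    if fs == "NTFS":
        sec[3:11] = b"NTFS    "                 # OEM ID
    elif fs == "FAT32":
        sec[0x52:0x5A] = b"FAT32   "            # BS_FilSysType (FAT32 EBPB)
    else:
        sec[0x36:0x3E] = b"FAT16   "            # BS_FilSysType (FAT12/16 EBPB)
    offset, length = SERIAL_FIELD[fs]
    sec[offset:offset + length] = serial.to_bytes(length, "little")
    return bytes(sec)

if __name__ == "__main__":
    # Constructed serials; on a real image read the first 512 bytes of the volume instead.
    for fs, serial in (("FAT12/16", 0xDEADBEEF), ("FAT32", 0x1234ABCD),
                       ("NTFS", 0x0102030405060708)):
        print(volume_serial(sample_sector(fs, serial)))
```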

Unlike Device Serial Numbers, Volume IDs are captured by all forensic imaging tools. Device Serial Numbers, however, have been considered by computer forensic practitioners to be the more reliable and "unique" artefact. In Windows there are several places where Device Serial Numbers get recorded or logged: the USBStor registry key and the Windows log files (Setupapi.log on Windows XP, or its equivalent on Vista and above) are the most obvious ones. It is also a well-known fact that when a USB flash drive has no serial number, the system assigns the device its own number, with an ampersand as the second character of that serial number.

The question is, how "UNIQUE" are these Device Serial Numbers?
Well, as it turns out, these numbers are not necessarily unique. There are several reasons for this.

1. There is a tool that gamers use to spoof device serial numbers, called PB DownForce. It is capable of temporarily changing the device serial number, either to a random or to a predefined value.

This won't fool tools like USBDeview (see picture below), but software that relies on the operating system to obtain the serial number will fall for it.

2. USB drive serial numbers are meant to be at least 12 valid characters, represented as a UNICODE string. "The last 12 digits of the serial number shall be unique to each USB idVendor and idProduct pair", according to the Universal Serial Bus Mass Storage Class specification.

   Valid Serial Number Characters

   Numeric                  ASCII
   0030h through 0039h      "0" through "9"
   0041h through 0046h      "A" through "F"

These requirements have not been adopted as a mandatory standard, and many manufacturers use shorter, and in many cases identical, numbers on their cheaper drives.

3. Big labels do use "unique" serial numbers, especially on their upper-class, higher-capacity USB devices. Still, some reuse serial numbers every 6 million units or so, as was the case with one popular USB storage manufacturer I had to deal with.

4. Devices can be FAKE. On eBay there are plenty of fake "false capacity" USB flash drives, including brand-name counterfeits such as 16GB Kingston, 32GB SanDisk, etc. Serial numbers on these devices can be either all identical or generated at random.

5. The user can change the device serial number, accidentally or on purpose. There are many tools, mostly used to fix faulty USB flash drives, that are capable of changing the device serial number. The FixFakeFlash Inspectortech website is a good place to learn more about fake USB devices and about tools that can change many parameters of a USB device, including the serial number, and can create, encrypt, hide or write-protect certain areas on the device.

The above-mentioned tools are designed to work with specific USB flash drive controllers, and you must of course have the right one to be able to reprogram the device.

The name of the memory controller can be encoded in the original (factory-set) serial number. For example, some Kingston devices have the letter A, B, E, C or F in the 13th position of the serial number:

Kingston DataTraveler 200 USB Device SN: 001A92053B6ABB4131340023

A      - SkyMedi
B or E - Phison
C or F - SSS
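Putting the spec requirement from point 2, the ampersand rule for OS-assigned serials, and the Kingston 13th-character codes together, here is an added triage helper (not from the original post) that tells an examiner how much weight a recorded Device Serial Number can carry. The DataTraveler 200 serial is the one quoted above; the other two serials and the `assess` function are constructed for this example.

```python
from typing import Optional

# Character set from the USB Mass Storage Class spec quoted in point 2: "0"-"9" and "A"-"F".
VALID_SERIAL_CHARS = set("0123456789ABCDEF")

# Kingston 13th-character controller codes listed in the post.
KINGSTON_CONTROLLER = {"A": "SkyMedi", "B": "Phison", "E": "Phison", "C": "SSS", "F": "SSS"}

def is_os_assigned(serial: str) -> bool:
    """Windows substitutes its own identifier, with '&' as the second character,
    when the device reports no serial number at all."""
    return len(serial) > 1 and serial[1] == "&"

def meets_msc_spec(serial: str) -> bool:
    """At least 12 characters, with the last 12 drawn from 0-9 / A-F only.
    The spec lists upper-case hex digits only, so lower case is rejected here."""
    return len(serial) >= 12 and all(c in VALID_SERIAL_CHARS for c in serial[-12:])

def kingston_controller(serial: str) -> Optional[str]:
    """Controller vendor hinted by position 13 of a factory-set Kingston serial."""
    return KINGSTON_CONTROLLER.get(serial[12]) if len(serial) >= 13 else None

def assess(serial: str, vendor: str = "") -> dict:
    """Summarise whether a device serial is a strong identifier or a weak one."""
    report = {
        "serial": serial,
        "os_assigned": is_os_assigned(serial),
        "spec_compliant": meets_msc_spec(serial),
        "controller_hint": kingston_controller(serial) if vendor.lower() == "kingston" else None,
    }
    # An OS-assigned or non-compliant serial is the kind that cheap/fake drives share.
    report["weak_identifier"] = report["os_assigned"] or not report["spec_compliant"]
    return report

if __name__ == "__main__":
    # First serial is the DataTraveler 200 from the post; the other two are constructed.
    for serial, vendor in (("001A92053B6ABB4131340023", "Kingston"),
                           ("7&1A2B3C4D&0", ""), ("ABC123", "")):
        print(assess(serial, vendor))
```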

To my knowledge similar tools are available for the memory controllers listed below:
  • Alcor
  • Ameco (MXTronics)
  • Chipsbank
  • iCreate
  • ITE tech
  • Netac
  • OTI
  • Phison
  • Prolific
  • Skymedi
  • SMI (Silicon Motion)
  • SSS (Solid State System)

In addition to USBDeview there is another excellent tool, ChipGenius (by Chinese developers), that provides a lot of useful information about a USB device. The tool can be used to check pretty much all types of USB devices, including external hard drives and MP3 players, to detect fakes and to view the device controller vendor.

It displays chip model, manufacturer, revision number, VID/PID, interface speed, protocol, serial number and media type information.

Finally, unlike Volume Serial Numbers, most forensic imaging tools don't capture the Device Serial Number. The only exception to this rule I know of is Tableau's imagers. Both the hardware (TD1 and TD2 duplicators) and the software (TIM, a.k.a. Tableau's High Performance Software Imager) include the Device Serial Number in the acquisition log automatically (but not in the image itself).

Speaking of Tableau devices, the new generation of TD duplicator, the TD2, is looking really sexy. TD1 has been used by my team quite extensively. The new version "can optionally include USB, SCSI and SAS suspect drive" and, what is even more exciting, it can image 1:2, or, as Tableau calls it, has "Twinning" support. According to the specifications it also supports the EnCase v7 .ex01 (AES encrypted) format. I am definitely going to order one of these very shortly.

Wednesday, April 11, 2012

HELLO - Almost missed it.

Computer forensic tools are rapidly improving and make forensic examinations easier for the masses. Only a qualified forensic practitioner, however, can reliably produce consistently good results.
For example, at present no computer forensic tool can properly detect, search and index text stored as Unicode escape sequences. I have recently been working with an image containing some iPad sqlite3 backup files and found an extremely important piece of evidence almost by accident. Well, not exactly by accident; I had just been thorough, really.
\u0048 \u0045 \u004c \u004c \u004f means HELLO when you convert it from Unicode-escape, which Apple tends to use quite extensively for recording non-Latin characters. Python comes to the rescue (once again) with its built-in sqlite3 library to pull the data and .decode('unicode_escape') to convert it.
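As an added example (not the author's script), here is the sqlite3-plus-decode approach carried through: it pulls rows from a table, rewrites only the `\uXXXX` tokens into characters, and reports the rows whose decoded text contains a search term. The in-memory `messages` table and its rows are constructed stand-ins for the iPad backup files; a plain `str.encode().decode('unicode_escape')` would also garble any real non-ASCII text already in the column, so the token-only substitution is used instead.

```python
import re
import sqlite3

_ESCAPE = re.compile(r"\\u([0-9a-fA-F]{4})")

def decode_unicode_escapes(text: str) -> str:
    """Turn \\uXXXX tokens into characters and leave everything else untouched.
    Characters outside the BMP arrive as two tokens (a surrogate pair), so the
    result is round-tripped through UTF-16 to join them into one code point."""
    replaced = _ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), text)
    return replaced.encode("utf-16", "surrogatepass").decode("utf-16")

def search_escaped_rows(conn, table: str, column: str, needle: str) -> list:
    """Return (rowid, decoded_text) for each row whose decoded text contains needle.
    Searching the raw column would miss 'HELLO' stored as \\u0048\\u0045...."""
    hits = []
    for rowid, value in conn.execute(f'SELECT rowid, "{column}" FROM "{table}"'):
        if not isinstance(value, str):
            continue                      # BLOB/NULL cells are not escaped text
        decoded = decode_unicode_escapes(value)
        if needle in decoded:
            hits.append((rowid, decoded))
    return hits

def sample_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for an iPad sqlite3 backup table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE messages (id INTEGER PRIMARY KEY, body TEXT)")
    conn.executemany("INSERT INTO messages (body) VALUES (?)", [
        (r"\u0048\u0045\u004c\u004c\u004f",),              # HELLO, as in the post
        (r"\u041f\u0440\u0438\u0432\u0435\u0442",),        # Cyrillic "Привет"
        ("plain hello, no escapes",),
        (r"\ud83d\ude00 stored as a surrogate pair",),     # U+1F600
    ])
    return conn

if __name__ == "__main__":
    db = sample_db()
    for term in ("HELLO", "Привет"):
        print(term, "->", search_escaped_rows(db, "messages", "body", term))
```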

A quick script solved the problem, so I got some free time to finally watch "George Harrison: Living in the Material World" this weekend, which has been on my to-do list for a couple of months now.

And to make it clear, the important piece of evidence I found wasn't the word "HELLO".