About the Author: Dominik Weber is a Senior Software Architect for Guidance Software, Inc.
A co-worker was looking into a strange issue with an acquisition of a flash drive. It seemed that the acquisition hash changed every time the drive was acquired. The write switch was off. Even a software or hardware write blocker did not prevent this odd effect.
My co-worker isolated some sector differences between the individual acquisitions. She found out that they were a series of sectors located in “Unallocated Clusters”.
While we were looking at the real sector data, it changed every time the sector was refreshed. It was a series of hex patterns like “44 00”; sometimes they would change to “40 00”, “18 00” or “00 00”.
Then we used a disk editor to read the same sector, and the same behavior persisted. We got the same results with other tools, and on different computers.
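To localize which sectors change between reads, here is an added Python example (not from the post, and not Guidance Software's tooling) that compares several read passes of the same region sector by sector and reports the byte offsets that differ. The sample passes are constructed to mimic the “44 00” / “40 00” / “18 00” words described above; `read_region_passes` assumes a raw device path such as /dev/sdX that the examiner can open read-only.

```python
import hashlib
from typing import Dict, List, Set

SECTOR_SIZE = 512


def image_hash(image: bytes) -> str:
    """Hash of one full read pass; differing hashes between passes are the symptom."""
    return hashlib.sha256(image).hexdigest()


def unstable_sectors(passes: List[bytes], sector_size: int = SECTOR_SIZE) -> Dict[int, Set[int]]:
    """Compare N read passes of the same byte range sector by sector.

    Returns {sector_index: {offsets within that sector whose value differs across passes}}.
    An empty dict means every pass agreed, i.e. the region read back stably.
    """
    if len({len(p) for p in passes}) != 1:
        raise ValueError("all passes must cover the same byte range")
    n_sectors = (len(passes[0]) + sector_size - 1) // sector_size
    result: Dict[int, Set[int]] = {}
    for s in range(n_sectors):
        chunks = [p[s * sector_size:(s + 1) * sector_size] for p in passes]
        diffs = {i for i, vals in enumerate(zip(*chunks)) if len(set(vals)) > 1}
        if diffs:
            result[s] = diffs
    return result


def read_region_passes(device_path: str, offset: int, length: int, count: int) -> List[bytes]:
    """Read the same region `count` times from a raw device (assumed readable, e.g. /dev/sdX)."""
    passes = []
    with open(device_path, "rb", buffering=0) as dev:  # read-only open; never writes
        for _ in range(count):
            dev.seek(offset)
            passes.append(dev.read(length))
    return passes


def _make_pass(low_bytes: List[int]) -> bytes:
    """Constructed sample: 4 zeroed sectors; sector 2 holds 16-bit words 'xx 00' at offset 0x100."""
    img = bytearray(4 * SECTOR_SIZE)
    base = 2 * SECTOR_SIZE + 0x100
    for i, v in enumerate(low_bytes):
        img[base + 2 * i] = v  # high byte of each word stays 0x00
    return bytes(img)


# Three constructed acquisitions of the same region, each with a slightly different sector 2.
SAMPLE_PASSES = [
    _make_pass([0x44, 0x44, 0x44, 0x44]),
    _make_pass([0x44, 0x40, 0x44, 0x44]),
    _make_pass([0x44, 0x44, 0x18, 0x00]),
]
```

With the constructed passes, `unstable_sectors(SAMPLE_PASSES)` reports only sector 2, at offsets 0x102, 0x104 and 0x106, while `image_hash` gives a different value for each pass.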
The Hardware
I then paused and thought about the way most flash drives are built. A controller chip sits on the USB bus and communicates with the host machine and the actual flash storage chip. The flash storage chip is usually a flat, thin rectangular chip with a series of pins on both sides. Some flash drives have more than one such flash chip.
The controller is responsible for performing the actual sector writes and reads. Should the write switch be set to “read only” mode at device insertion time, the controller would tell the host that this drive is read-only and ignore or fail write requests. The host, in turn, would pass this information to the file system driver and mount the drive in read-only mode.
For instance, the $LogFile on an improperly dismounted (“dirty”) NTFS volume would not be processed in order to roll back partial transactions.
Furthermore, the controller usually drives an LED to show disk activity and to indicate that the device actually is plugged in...
Read more at http://www.forensicfocus.com/dominik-weber