USB Flash drive Serial Numbers - "UNIQUE"?
Formatted USB flash drives (a.k.a. thumb drives etc) have Volume Serial numbers generated when the new filesystem gets created. The algorithm depends on a file system and OS. Volume Serial number can easily be changed via hex editor at locations:
The above-mentioned tools are designed to work with different USB flash drive controllers and you of course must have the right one to be able to reprogram the device.
FAT 12/16 - 4 bytes at offset 0x027
FAT 32 - 4 bytes at offset 0x043
NTFS - 8 bytes at offset 0x48
or by using a myriad of free tools that can be found on the Internet. Volume Serial numbers are important from the forensic investigations stand point and there have been plenty of good material written on this topic. The most prominent in my view are written by Craig Wilson, Rob Lee and Harlan Carvey.
Unlike Device Serial Numbers, Volume ID's get captured by all forensic imaging tools. Device Serial Numbershowever have been considered by computer forensic practitioners as more reliable and "Unique" artefacts. In Windows there are several places when Device Serial Numbers get recorded/logged. USBStor registry key and Windows log files: Setupapi.log on Windows XP or Setupapi.dev.log on Vista and above are the most obvious one. It is also a well known fact that when a USB flash drive has no serial number, the system assigns to the device its own number with an ampersand symbol as the second character of this serial number.
The question is, how "UNIQUE" these Device Serial numbers are?
Well, as it turns out, these numbers are not necessary unique. There could be several reasons for this.
1. There is a tool that gamers are using to spoof device serial numbers called PB DownForce. It is capable of temporary changing the device serial number. The serial number can be changed to a random or predefine serial number.
This wont fool (see picture below) tools like USBDeview, but the software that rely on Operating System to obtain the serial number will fall for it.
2. USB drives serial numbers are meant to be at least 12 valid characters, represented as a UNICODE string. "The last 12 digits of the serial number shall be unique to each USB idVendor and idProduct pair" according Universal Serial Bus Mass Storage Class paper.
Valid Serial Number Characters
Numeric ASCII
0030h through 0039h "0" through "9"
0041h through 0046h "A" through "F
These requirements have not been adopted as the mandatory standard and a lot of manufacturers use shorter and in many cases identical numbers on their cheaper drives.
3. Big labels do use "unique" serial numbers, especially on their upper class, higher capacity USB devices. Still some reuse serial numbers every 6th million times as in case with one of the popular USB storage manufacturer I had to deal with.
4. Devices can be FAKE. On eBay there are plenty of fake 'false capacity usb flash drives', including brand name counterfeits such as 16GB Kingston, 32GB Sandisk etc. Serial numbers on these devices can be ether, all identical or generated at random.
5. User can change the device serial number accidentally or on purpose. There are many tools, mostly used to fix faulty USB flash drives, capable of changing the device serial number. FixFakeFlash Inspectortech website is a good place to learn more about fake USB devices and tools capable of changing many parameters on the USB device including the serial number, ability to create, encrypt, hide or write protect certain area on the device.
FAT 32 - 4 bytes at offset 0x043
NTFS - 8 bytes at offset 0x48
or by using a myriad of free tools that can be found on the Internet. Volume Serial numbers are important from the forensic investigations stand point and there have been plenty of good material written on this topic. The most prominent in my view are written by Craig Wilson, Rob Lee and Harlan Carvey.
Unlike Device Serial Numbers, Volume ID's get captured by all forensic imaging tools. Device Serial Numbershowever have been considered by computer forensic practitioners as more reliable and "Unique" artefacts. In Windows there are several places when Device Serial Numbers get recorded/logged. USBStor registry key and Windows log files: Setupapi.log on Windows XP or Setupapi.dev.log on Vista and above are the most obvious one. It is also a well known fact that when a USB flash drive has no serial number, the system assigns to the device its own number with an ampersand symbol as the second character of this serial number.
The question is, how "UNIQUE" these Device Serial numbers are?
Well, as it turns out, these numbers are not necessary unique. There could be several reasons for this.
1. There is a tool that gamers are using to spoof device serial numbers called PB DownForce. It is capable of temporary changing the device serial number. The serial number can be changed to a random or predefine serial number.
This wont fool (see picture below) tools like USBDeview, but the software that rely on Operating System to obtain the serial number will fall for it.
2. USB drives serial numbers are meant to be at least 12 valid characters, represented as a UNICODE string. "The last 12 digits of the serial number shall be unique to each USB idVendor and idProduct pair" according Universal Serial Bus Mass Storage Class paper.
Valid Serial Number Characters
Numeric ASCII
0030h through 0039h "0" through "9"
0041h through 0046h "A" through "F
These requirements have not been adopted as the mandatory standard and a lot of manufacturers use shorter and in many cases identical numbers on their cheaper drives.
3. Big labels do use "unique" serial numbers, especially on their upper class, higher capacity USB devices. Still some reuse serial numbers every 6th million times as in case with one of the popular USB storage manufacturer I had to deal with.
4. Devices can be FAKE. On eBay there are plenty of fake 'false capacity usb flash drives', including brand name counterfeits such as 16GB Kingston, 32GB Sandisk etc. Serial numbers on these devices can be ether, all identical or generated at random.
5. User can change the device serial number accidentally or on purpose. There are many tools, mostly used to fix faulty USB flash drives, capable of changing the device serial number. FixFakeFlash Inspectortech website is a good place to learn more about fake USB devices and tools capable of changing many parameters on the USB device including the serial number, ability to create, encrypt, hide or write protect certain area on the device.
The above-mentioned tools are designed to work with different USB flash drive controllers and you of course must have the right one to be able to reprogram the device.
Names of memory controllers can be coded in the original (Factory set) Serial Number. For example some Kingston's devices in13th position of the serial number have a letter A, B, E, C or F:
Kingston DataTraveler 200 USB Device SN: 001A92053B6ABB4131340023
A - SkyMedi
B or E - Phison
C or F - SSS
Kingston DataTraveler 200 USB Device SN: 001A92053B6ABB4131340023
A - SkyMedi
B or E - Phison
C or F - SSS
To my knowledge similar tools are available for the memory controllers listed below:
It displays chip model, manufacturer, revision number, VID/PID, interface speed, protocol, serial number and media type information.
Finally, unlike Volume Serial Numbers most forensic imaging tools don't capture a Device Serial number. The only exception to this rule I know are Tableau imagers. Both hardware (TD1 & TD2 duplicators) and Software (TIM a.k.a. Tableau's High Performance Software Imager) include the Device Serial Number in the acquisition log automatically (but not in the image itself).
Speaking about Tableau devices, a new generation of TD duplicator TD2 is looking really sexy. TD1 has been used by my team quite extensively. The new version "can optionally include USB, SCSI and SAS suspect drive" and what is even more exciting is the ability to image 1:2 or how Tableau called it "Twinning" support. According to the specifications it also supports EnCase v7 .ex01 (AES encrypted) format. I definitely going to order one of these very shortly.
- Alcor
- Ameco (MXTronics)
- Chipsbank
- iCreate
- ITE tech
- Netac
- OTI
- Phison
- Prolific
- RAMOS
- Skymedi
- SMI (Silicon Motion)
- SSS (Solid State System)
Finally, unlike Volume Serial Numbers most forensic imaging tools don't capture a Device Serial number. The only exception to this rule I know are Tableau imagers. Both hardware (TD1 & TD2 duplicators) and Software (TIM a.k.a. Tableau's High Performance Software Imager) include the Device Serial Number in the acquisition log automatically (but not in the image itself).
Speaking about Tableau devices, a new generation of TD duplicator TD2 is looking really sexy. TD1 has been used by my team quite extensively. The new version "can optionally include USB, SCSI and SAS suspect drive" and what is even more exciting is the ability to image 1:2 or how Tableau called it "Twinning" support. According to the specifications it also supports EnCase v7 .ex01 (AES encrypted) format. I definitely going to order one of these very shortly.
No comments:
Post a Comment