Comments on: Forensic acquisition and analysis of a U3 USB drive

By: ahoog

ahoog — Fri, 30 Jan 2009 22:03:48 +0000

Richard,

If you copied the dcfldd command above directly, there is a good chance the device my USB drive was mapped to (/dev/sdc) is not the same as yours. Run the command dmesg and look (near the bottom) for which device the drive is mapped as…it will be /dev/sd?. Also, some Linux distros automount…make sure you unmount (umount) the filesystem. If you still have problems, post the full command you are typing and I’ll take a look. Good luck.

By: Richard Pakula

Richard Pakula — Fri, 30 Jan 2009 21:54:57 +0000

Testing on a protected Sandisk U3 drive, with no password provided, I was unable to image the user data portion. When I tried to dcfldd as you recommended above, I got a “no medium found” error. Is the problem my lack of linux experience or is it something else? Thanks for any suggestions you can provide.

By: ahoog

ahoog — Wed, 17 Dec 2008 10:55:18 +0000

Anders: Thanks for the comment. I did download the software developer APIs and, like you, found them insufficiently specific. I’m glad you pointed out the possibility of U3-specific SCSI commands…I will search down that path.

Thijs: I’ve updated the link and would like to collaborate further, thanks.

Harlin: I’ll definitely check out the book. Your weblog is a great resource to the industry, thanks. Oh, and Gibson is an amazing author…I can tell you don’d overlook the details.

By: Thijs Bosschert

Thijs Bosschert — Wed, 17 Dec 2008 09:55:52 +0000

Hi,

I just got pointed to your article, I am the author of the ‘Battling Anti-Forensics: Beating the U3 Stick’ paper you reference to.
The link to my article doesn’t seem to work, but it can be accessed through
http://www.informaworld.com/index/779634181.pdf
or
http://www.informaworld.com/smpp/2016311730-4787156/content~db=all~content=a779634181~tab=content

I did some more research on the U3 device, which I still need to publish, which might be interesting also. If interested, just leave me an email. I don’t know yet when I will be able to publish it.

By: Anders Thulin

Anders Thulin — Wed, 17 Dec 2008 07:58:10 +0000

I’m almost certain that writing to the open but write-protected area requires U3-specific SCSI commands, and cannot be done by plain SCSI commands.

The U3 DAPI (available from U3.COM, possibly after registration as a developer) provides some additional insight in these devices (but still leaves a lot of open questions).

The HDK is not as easy to come by — as far as I know, you can only get it by registering as a hardware developer, and I think that includes signing an NDA.

By: H. Carvey

H. Carvey — Tue, 16 Dec 2008 22:39:15 +0000

Nice post. A great deal of this same info, from a Windows perspective, is covered in “Windows Forensic Analysis”.

Also, always glad to see another fan of William Gibson!