SanDisk SecureAccess Encryption - Forensic Processing & USB Flashing

bsmuir 23,782 views 29 slides Aug 18, 2014

About This Presentation

This presentation follows on from some research I conducted earlier this year in relation to the encryption software utilised by SanDisk USB thumb drives. The presentation details how to best process this data forensically. The presentation also explains how to flash USB thumb drives as part of this...


Slide Content

Forensic Processing Brent Muir – 2014

TOPICS
- SecureAccess V1
  - Encryption Bypass
- SecureAccess V2
  - Encryption Changes
- Flashing USB Devices
  - Fake USB devices?
  - Anatomy of USB
  - PID & VID
  - Serial Number
- Emulating a SanDisk Device

SecureAccess V1
- Based on technology by YuuWaa
- Subsidiary of Gemalto
- No longer supported product
- EOL as of January 2014

SecureAccess V1
The old method:
1. Enable write-blocking (SW or HW)
2. Image device
3. Mount forensic image as write-cached (FTK Imager V3.x)
4. Run SecureAccess software
5. Decrypt contents and add to forensic container

SecureAccess V1 – Encryption Bypass
Bypass published in August 2013:
1. Open Explorer → click on Folder and Search options → click on View → make sure that you can see hidden files.
2. Go to the MyVaults folder, located in the same location as RunSanDiskSecureAccess_Win.exe.
3. In the MyVaults folder, go to the folder with the same name as the vault you want to access.
4. Open the dmOption.xml file in Notepad or any other word processing program.
5. Look for DoCrypt"true" and change true to "false". Then save the file.
6. At the login screen leave the password field blank and click "OK".
Source: http://www.hackforums.net/showthread.php?tid=3637837

SecureAccess V2
- Based on EncryptStick
- ENC Security Systems
- AES 128 bit encryption algorithm
- No bypass is currently known

SecureAccess V2

SecureAccess V2
- Old method of imaging and mounting write-cached no longer works
- Software now looks for Vendor ID (VID) & Product ID (PID) of SanDisk devices

SecureAccess V2
So how can we recreate a SanDisk device?

Flashing USB Devices
Ever wondered how you can buy 512 GB USB thumb drives for so little $$$ online?

Flashing USB Devices – Fake USB Devices

Flashing USB Devices – Blank USB Controllers


Flashing USB Devices – Anatomy of USB Device
2 major components to a USB thumb drive:
- ASIC (Application Specific Integrated Circuit)
- NAND (Negated AND) – flash storage (utilises logic gates)

Flashing USB Devices – USB Controller ASIC
[Figure. Source: Toshiba, ASIC & Foundry Solutions for USB]

Flashing USB Devices – USB Block Diagram
[Figure. Source: Phison Electronics Corporation, USB 2.0 Flash Controller Specification PS2251, Version 1.2]

Flashing USB Devices
- USB devices are NOT created equal
- Same make and model ≠ same USB controller chipset and FW

Flashing USB Devices – OEM Controllers

| Manufacturer | Market Share | Profit (Million Dollars) |
|---|---|---|
| Phison | 35.5% | $32.3 |
| Silicon Motion (SMI) | 23.2% | $21.1 |
| SanDisk | 14.9% | $13.6 |
| Skymedi | 9.0% | $8.2 |
| Sony | 7.4% | $6.7 |
| AlcorMicro | 3.2% | $2.9 |
| Toshiba | 3.1% | $2.8 |
| Others | 3.7% | $3.4 |
| TOTAL | 100% | $91.1 |

Source: iSuppli Corp (2007), USB Controller Market Shares (Revenue in Millions of Dollars)

Flashing USB Devices – OEM Controllers
Some of the numerous OEM Flash Controller Vendors: ALCOR, Ameco, ChipsBank, Efortune, Icreate, Innostor, Netac, OTI, Phison, Prolific, Silicon Micro, Skymedi, Solid State System, USBest

Flashing USB Devices
Tools required:
- ChipsGenius (latest version preferably): identifies PID, VID, SN of USB device as well as USB controller chip and related FW
- Relevant flashing tool (based on USB controller chip)
- Suitable USB thumb drive (size and availability of flash SW/FW)
  - Older USB devices are easier to flash due to release of FW tools and FW files
  - Otherwise buy a fake thumb drive (such as 512GB) as these should be easily flashable

Flashing USB Devices – ChipsGenius
Important Attributes:
- VID
- PID
- Serial Number
- Controller Vendor
- Controller Part-Number
- F/W
- Flash ID code

Flashing USB Devices – USBDeview
Important Attributes:
- VendorID
- ProductID
- Serial Number

Emulating a SanDisk Device
Steps required:
1. Identify VID & PID of SanDisk device using ChipsGenius or USBDeview (e.g. VID 0781 & PID 5581 = SanDisk)
2. Flash* suitable USB device with the original VID & PID
3. Copy logical contents across from original exhibit
What happens when you try to run the SecureAccess software now?
*WARNING: All data on device will be wiped during flashing

Emulating a SanDisk Device
Software runs, but as first-time use

Emulating a SanDisk Device
- \SanDiskSecureAccess Vault\System Files\
- 2 files reference SN of original exhibit
- SN must match original device in order to "see" encrypted files

Emulating a SanDisk Device – Take 2
Steps required:
1. Identify VID & PID of SanDisk device using ChipsGenius or USBDeview (e.g. VID 0781 & PID 5581 = SanDisk)
2. Flash* suitable USB device with the original VID, PID, & SN
3. Copy logical contents across from original exhibit
What happens when you try to run the SecureAccess software now?
*WARNING: All data on device will be wiped during flashing

Emulating a SanDisk Device – Take 2
SUCCESS!

Emulating a SanDisk Device – Take 2
Files can now be decrypted and added to forensic container
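
The identity check implied by the two attempts above, as an added example that is not part of the presentation: it parses Windows USB device instance IDs of the form USB\VID_xxxx&PID_xxxx\<serial> and lists which of VID, PID and serial number differ between the original exhibit and the working copy, so the match can be recorded in the case notes. Only VID 0781 and PID 5581 come from the slides; the serial numbers and function names are constructed for illustration.

```python
import re
from typing import List, NamedTuple, Optional

# Windows device instance ID layout: USB\VID_xxxx&PID_xxxx\<instance>
_INSTANCE_RE = re.compile(
    r"^USB\\VID_([0-9A-F]{4})&PID_([0-9A-F]{4})\\(.+)$", re.IGNORECASE)


class UsbIdentity(NamedTuple):
    vid: str
    pid: str
    serial: Optional[str]  # None when Windows generated the instance ID


def parse_instance_id(instance_id: str) -> UsbIdentity:
    m = _INSTANCE_RE.match(instance_id.strip())
    if not m:
        raise ValueError(f"not a USB device instance ID: {instance_id!r}")
    vid, pid, inst = m.group(1).upper(), m.group(2).upper(), m.group(3)
    # A '&' as the second character means the device reported no serial
    # number and Windows generated the instance ID itself.
    serial = None if len(inst) > 1 and inst[1] == "&" else inst
    return UsbIdentity(vid, pid, serial)


def identity_mismatches(exhibit: str, clone: str) -> List[str]:
    """Return the fields on which the working copy differs from the exhibit."""
    e, c = parse_instance_id(exhibit), parse_instance_id(clone)
    diffs = [f for f in ("vid", "pid") if getattr(e, f) != getattr(c, f)]
    # A device without a real serial can never satisfy the SN check.
    if e.serial is None or c.serial is None or e.serial != c.serial:
        diffs.append("serial")
    return diffs


# Constructed sample values (VID/PID from the slides; serials are made up).
EXHIBIT = r"USB\VID_0781&PID_5581\4C530001230101112233"
TAKE_1 = r"USB\VID_0781&PID_5581\AA00000000000489"       # VID & PID only
TAKE_2 = r"USB\VID_0781&PID_5581\4C530001230101112233"   # VID, PID & SN
NO_SN = r"USB\VID_0781&PID_5581\6&2A9E5B3C&0&2"          # no device serial

if __name__ == "__main__":
    for name, clone in (("take 1", TAKE_1), ("take 2", TAKE_2), ("no SN", NO_SN)):
        print(name, identity_mismatches(EXHIBIT, clone) or "match")
```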

References / Resources
- HackForums - http://www.hackforums.net/showthread.php?tid=3637837
- ChipsGenius - http://www.usbdev.ru/ - hosts many flashing tools including ChipsGenius (Russian)
- http://flashboot.ru/iflash/ - good database for locating flashing tools that work with various chipsets (Russian)
- http://dl.mydigit.net/ - contains many flashing tools for various chipsets (Chinese)
- https://viaforensics.com/computer-forensics/forensic-acquisition-analysis-u3-usb-drive.html
- Harman, R. (2014) Controlling USB Flash Drive Controllers: Exposé of Hidden Features, ShmooCon, URL:
- Bang, J., Yoo, B. and Lee, S. (2010) Secure USB Bypassing Tool, URL: http://www.dfrws.org/2010/proceedings/bang.pdf
- http://usbspeed.nirsoft.net/ - lists some VID and PID
- http://www.scribd.com/doc/216218953/PS2251# - Phison Electronics Corporation USB 2.0 Flash Controller Specification PS2251 Version 1.2