All times are UTC - 5 hours [ DST ]




 Post subject: Forensics Analysis of a Flashdrive's NAND raw image
PostPosted: February 21st, 2021, 17:12 

Joined: February 21st, 2021, 16:37
Posts: 2
Location: Europe
Hello folks,
I am an incident responder who, like everyone else under lockdown, is looking for some hobby to pass the time :)

For testing purposes, I took a new 128MB flashdrive that mounts a NAND flash, formatted it in FAT32, and added some testing files (i.e. PDF, DOC, MP3, M4, etc.).
Afterwards, I removed the NAND with a hot air gun and successfully made a raw dump of it with a FT2232H + TSOP48 adaptor.

At this point I was thinking I would remove the OOB data and end up with a FAT32 image that I can easily mount either on Win (FTK Imager) or on Linux.
But I was kinda wrong.

My gut feeling is that the NAND's content is somehow XORed by the flashdrive controller.

Does someone have more literature or eventually opensource tools that may give me more insights on:
- How to approach the analysis of a raw dump from a flashdrive?
- How to analyze this raw dump?
- How to figure out the type of "weak encryption used"?

Image


Usually, for embedded devices... I simply dump the NAND, remove the OOB and try to decompress the FS used (i.e. UBIFS, JFFS2, etc.)
But in this case I feel lost with this thingy of having a controller in the middle that XORs the data.
I am aware that there are commercial tools able to automatically analyze the "encrypted" data and return the files in the FS... but my purpose here is rather to learn and work on a FOSS tool to achieve similar point.


 
 Post subject: Re: Forensics Analysis of a Flashdrive's NAND raw image
PostPosted: February 23rd, 2021, 18:58 

Joined: October 3rd, 2005, 0:40
Posts: 4301
Location: Hungary
As you said, there might be XOR (it is not possible to tell by the pic you linked, because that's just the area containing the USB descriptor looking stuff), but the content is 'shuffled' too as a result of write leveling.
It is never a single-click solution, as I said in the other post.

pepe

_________________
Adatmentés - Data recovery


 
 Post subject: Re: Forensics Analysis of a Flashdrive's NAND raw image
PostPosted: February 23rd, 2021, 19:06 

Joined: September 8th, 2009, 18:21
Posts: 15440
Location: Australia
Could you upload the image, including the OOB data? I would be interested in learning something as well. :-)

_________________
A backup a day keeps DR away.


 
 Post subject: Re: Forensics Analysis of a Flashdrive's NAND raw image
PostPosted: February 24th, 2021, 10:52 

Joined: May 13th, 2019, 7:50
Posts: 907
Location: Nederland
https://youtu.be/MKC_Xl5sP6Y

http://adreca.net/NAND-Flash-Data-Recovery-Cookbook.pdf

_________________
Joep - http://www.disktuna.com - video & photo repair & recovery service


 
 Post subject: Re: Forensics Analysis of a Flashdrive's NAND raw image
PostPosted: March 17th, 2021, 10:14 

Joined: December 4th, 2012, 1:35
Posts: 3844
Location: Adelaide, Australia
haka wrote:
My gut feeling is that the NAND's content is somehow XORed by the flashdrive controller.

Does someone have more literature or eventually opensource tools that may give me more insights on:
- How to approach the analysis of a raw dump from a flashdrive?
- How to analyze this raw dump?
- How to figure out the type of "weak encryption used"?


OK, so first, it depends on how you dumped it. If you got the page sizes right, you should be able to open it in a hex editor, set the number of bytes across to the page size, and the SA or OOB data would have a recognisable pattern going down the rows, in a simple (MADE UP) example:

Code:
5E 13 67 FF 01 0D D0 5F 84 D8 64 0A 58 E0 2D E9 C4 FA B1 9D B9 E9 70 9C 16 44 9A 25
DE 0C 68 FF 02 C6 11 42 D7 A6 23 5B 7F 1D F7 71 FB 93 CB 63 51 97 D9 C1 5D C9 F2 8B
68 96 8D FF 03 CE 1D B8 84 DD 4E DA B3 5A 4B 01 3B 2D B3 51 66 EC 9D 88 38 70 44 46
1A 87 60 FF 04 1C 95 CC 50 C7 A2 2F F3 6A D4 D9 BB 4C 77 E5 19 F2 DD 8B 79 E1 BC B9
6E A4 CC FF 05 26 A3 B3 4D 19 7E 9E D6 FD BF 75 21 FA 4D FE 56 68 E8 E7 27 EC 77 97
EC D1 D1 FF 06 EC 67 CE F2 DD BC 33 D6 EB 55 9E 9C 9C 97 D2 57 A9 BC B1 BF 7E C6 64
69 18 A9 FF 07 12 16 A9 55 BF D6 5D DF FB 58 30 F4 A8 71 5E 25 04 50 04 24 16 91 88 81
80 2A 8A FF 08 4C D1 B9 B0 0C D3 A3 CC F0 AD 43 91 7A D7 5C 00 87 32 F1 19 E5 04 C9
11 48 D0 FF 09 AA 4C F9 F3 52 9C C2 84 03 2C


Probably you will get enormous value from reading everything at https://rusolut.com/visual-nand-reconstructor/documentation/

Parts 1 and 2 especially.
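
The row-width check described in the post above can be automated. The following is an added example, not part of the original thread and not any poster's code: it lays a dump out at several candidate row widths and reports the columns that hold a constant byte or a steadily stepping counter. The function names, the 64+8 byte page geometry and the sample dump are constructed for illustration, and it assumes the spare-area marker and counter are stored unscrambled, as in the made-up rows above.

```python
import random

def structured_columns(dump: bytes, width: int, min_rows: int = 8) -> list[int]:
    """Columns whose byte changes by one fixed step per row (0 = constant
    marker, 1 = page counter) when the dump is viewed `width` bytes across."""
    rows = len(dump) // width
    if rows < min_rows:
        return []                                  # too few rows to trust a pattern
    cols = []
    for c in range(width):
        col = dump[c:rows * width:width]           # every width-th byte = one column
        step = (col[1] - col[0]) % 256             # mod 256 so counter wrap is tolerated
        if all((b - a) % 256 == step for a, b in zip(col, col[1:])):
            cols.append(c)
    return cols

def guess_page_width(dump: bytes, candidates: list[int]) -> tuple[int, list[int]]:
    """Pick the width with the highest density of structured columns.
    Multiples of the true width tie on density, so ties go to the smaller width."""
    best = max(candidates, key=lambda w: (len(structured_columns(dump, w)) / w, -w))
    return best, structured_columns(dump, best)

def make_sample(pages: int = 40, data_len: int = 64, seed: int = 1) -> bytes:
    """Constructed test dump: random 'data', then FF marker, counter, 6 random bytes."""
    rng = random.Random(seed)
    rand = lambda n: bytes(rng.getrandbits(8) for _ in range(n))
    out = bytearray()
    for n in range(pages):
        out += rand(data_len)                      # stands in for scrambled user data
        out += bytes([0xFF, (n + 1) % 256])        # marker + counter, like the rows above
        out += rand(6)                             # stands in for ECC bytes
    return bytes(out)

if __name__ == "__main__":
    dump = make_sample()
    width, cols = guess_page_width(dump, [64, 66, 72, 80, 144])
    print(f"best row width: {width}, structured columns at offsets {cols}")
```

On a real dump, pass the page-plus-spare sizes that are plausible for the chip as candidates; the offsets returned show where the spare area sits within each page.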

