16 GB monolith showing 2 TB capacity
Posted: June 14th, 2019, 11:07
We received a "no name" monolith USB flash drive, which according to the customer is a 16 GB one.
Below are several pictures.
In the BIOS, it appears as three different storages.
For this flash drive, "fdisk -l" lists three 4 GB volumes for that drive : sdb, sde and sdg
as well a sdc which has an absurd capacity of 275 GB.
All /dev/sdX "partitions" can be cloned without problem and hex analysis shows non-null content in them.
However, analyzed individually, there show no files.
/dev/sda is not listed but appears as 2 TB when cloned.
In Windows, both the disk management and diskpart show the flash drive as a 2 TB disk without any partition.
Opening the flash drive in Windows with the hexadecimal editor HxD, this one shows the first sectors as unreadable with a grey background.
Additionnally, there is an "Incorrect function" popup.
HxD also sees the flash drive with the erroneous capacity of 2 TB (4278190080 sectors).
From within HxD, it is possible to access the sectors near the impossible location of 2 TB.
The last sectors show identical content, which doesn't seem random.
Maybe is this the XOR key applied to blank sectors?
"Rewinding" the sector offset to explore content up to the first sectors shows non-null content in all the 2 TB space.
Sectors 0, 1, ... show something, contrarily to just after opening the drive.
In HxD, the "Incorrect function" popups shows appear, but sectors are still accessed.
Because of the three 4GB storages, I wonder if this corrupted USB flash drive behaves like a RAID storage and/or if the 4GB storages are the content of the crystal / planes.
Maybe is a fourth 4GB chunk at /dev/sdf (which is not listed) or simply at /dev/sdc which obvioulsy has wrong size.
Before considering the use of advanced tools like VNR Rusolut, PC3000-Flash or Soft-Center is there something more to try?
Below are several pictures.
In the BIOS, it appears as three different storages.
For this flash drive, "fdisk -l" lists three 4 GB volumes for that drive : sdb, sde and sdg
as well a sdc which has an absurd capacity of 275 GB.
All /dev/sdX "partitions" can be cloned without problem and hex analysis shows non-null content in them.
However, analyzed individually, there show no files.
/dev/sda is not listed but appears as 2 TB when cloned.
In Windows, both the disk management and diskpart show the flash drive as a 2 TB disk without any partition.
Opening the flash drive in Windows with the hexadecimal editor HxD, this one shows the first sectors as unreadable with a grey background.
Additionnally, there is an "Incorrect function" popup.
HxD also sees the flash drive with the erroneous capacity of 2 TB (4278190080 sectors).
From within HxD, it is possible to access the sectors near the impossible location of 2 TB.
The last sectors show identical content, which doesn't seem random.
Maybe is this the XOR key applied to blank sectors?
"Rewinding" the sector offset to explore content up to the first sectors shows non-null content in all the 2 TB space.
Sectors 0, 1, ... show something, contrarily to just after opening the drive.
In HxD, the "Incorrect function" popups shows appear, but sectors are still accessed.
Because of the three 4GB storages, I wonder if this corrupted USB flash drive behaves like a RAID storage and/or if the 4GB storages are the content of the crystal / planes.
Maybe is a fourth 4GB chunk at /dev/sdf (which is not listed) or simply at /dev/sdc which obvioulsy has wrong size.
Before considering the use of advanced tools like VNR Rusolut, PC3000-Flash or Soft-Center is there something more to try?
