
Forensics Analysis of a Flashdrive's NAND raw image

February 21st, 2021, 17:12

Hello folks,
I am an incident responder who, like everyone else under lockdown, is looking for some hobby to pass the time :)

For testing purposes, I took a new 128MB flashdrive that mounts a NAND flash, formatted it in FAT32, and added some testing files (i.e. PDF, DOC, MP3, M4, etc.).
Afterwards, I removed the NAND with a hot-air gun and successfully made a raw dump of it with a FT2232H + TSOP48 adaptor.

At this point I was thinking that I would remove the OOB data and end up with a FAT32 image that I can easily mount either on Win (FTK Imager) or on Linux.
But I was kinda wrong.

My gut feeling is that the NAND's content is somehow XORed by the flashdrive controller.

Does someone have more literature or eventually opensource tools that may give me more insights on:
- How to approach the analysis of a raw dump from a flashdrive?
- How to analyze this raw dump?
- How to figure out the type of "weak encryption used"?

Image


Usually, for embedded devices... I simply dump the NAND, remove the OOB and try to decompress the FS used (i.e. UBIFS, JFFS2, etc.)
But in this case I feel lost with this thingy of having a controller in the middle that XORs the data.
I am aware that there are commercial tools able to automatically analyze the "encrypted" data and return the files in the FS... but my purpose here is rather to learn and work on a FOSS tool to achieve the same.
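To make the procedure described above concrete (cut the dump into pages, drop the spare area, look for the FAT32 volume boot record, and if it is not there test the "controller XORs the data" suspicion), here is an added Python illustration that is not the poster's code. It assumes a 2048 + 64 byte page layout and a controller that XORs every page with one fixed 2048-byte key; the dump it analyses is constructed inside the script, so it runs offline.

```python
"""Strip OOB from a raw NAND dump and test a constant-XOR hypothesis.

Assumptions (not from the thread): page = 2048 data bytes + 64 spare bytes,
the controller XORs every page with the same 2048-byte key, and the file
system zero-filled enough sectors that the key itself is the most frequent
page content in the dump (zero XOR key == key). All sample data is constructed.
"""
import random
from collections import Counter

PAGE_DATA = 2048   # assumed user-data bytes per page
PAGE_OOB = 64      # assumed spare (OOB) bytes per page


def split_pages(raw, data_size=PAGE_DATA, oob_size=PAGE_OOB):
    """Cut the dump into raw pages; return (data_pages, oob_pages)."""
    step = data_size + oob_size
    pages = [raw[i:i + step] for i in range(0, len(raw) - step + 1, step)]
    return [p[:data_size] for p in pages], [p[data_size:] for p in pages]


def strip_oob(raw, data_size=PAGE_DATA, oob_size=PAGE_OOB):
    """The naive first step: concatenate only the data part of every page."""
    data, _ = split_pages(raw, data_size, oob_size)
    return b"".join(data)


def looks_like_fat32_boot_sector(sector):
    """Check BPB fields that every FAT32 formatter writes the same way."""
    return (len(sector) >= 512
            and sector[0] in (0xEB, 0xE9)          # jump instruction
            and sector[82:87] == b"FAT32"          # BS_FilSysType
            and sector[510:512] == b"\x55\xAA")    # boot signature


def find_fat32_boot_sectors(data_pages):
    """Indices of pages whose first 512 bytes look like a FAT32 VBR.
    Every page is tried because the FTL may have placed the VBR anywhere."""
    return [i for i, p in enumerate(data_pages)
            if looks_like_fat32_boot_sector(p[:512])]


def guess_xor_key(data_pages):
    """Most frequent non-erased page content. With a constant key, the many
    zero-filled sectors of a fresh FAT32 volume all decode to the key."""
    erased = b"\xFF" * len(data_pages[0])
    counts = Counter(p for p in data_pages if p != erased)
    if not counts:
        return None
    key, n = counts.most_common(1)[0]
    return key if n > 1 else None


def xor_pages(data_pages, key):
    return [bytes(a ^ b for a, b in zip(p, key)) for p in data_pages]


def analyse(raw):
    """Return whether a VBR is found directly, or only after XOR with the guessed key."""
    data, _ = split_pages(raw)
    plain = find_fat32_boot_sectors(data)
    if plain:
        return {"xor": False, "key": None, "boot_pages": plain}
    key = guess_xor_key(data)
    if key is None:
        return {"xor": None, "key": None, "boot_pages": []}
    decoded = xor_pages(data, key)
    return {"xor": True, "key": key, "boot_pages": find_fat32_boot_sectors(decoded)}


def build_sample_dump(key=None, seed=1):
    """Constructed dump: one FAT32-looking VBR page, four zero-filled pages,
    three random pages (optionally scrambled with key) and one erased page,
    each followed by a dummy all-0xFF spare area."""
    rng = random.Random(seed)
    boot = bytearray(PAGE_DATA)
    boot[0:3] = b"\xEB\x58\x90"
    boot[82:87] = b"FAT32"
    boot[510:512] = b"\x55\xAA"
    pages = [bytes(boot)] + [bytes(PAGE_DATA)] * 4
    pages += [bytes(rng.getrandbits(8) for _ in range(PAGE_DATA)) for _ in range(3)]
    if key is not None:
        pages = xor_pages(pages, key)      # emulate the controller's scrambler
    pages.append(b"\xFF" * PAGE_DATA)      # never written, so never scrambled
    return b"".join(p + b"\xFF" * PAGE_OOB for p in pages)


if __name__ == "__main__":
    demo_key = bytes((i * 37 + 11) & 0xFF for i in range(PAGE_DATA))
    print(analyse(build_sample_dump())["boot_pages"])
    print(analyse(build_sample_dump(demo_key))["xor"])
```

The zero-filled-sector trick only works as written when the key is the same for every page; controllers frequently use a key that repeats with a period of several pages, in which case the same most-common-content grouping has to be done per position within the period. The script also does nothing about the reordering caused by the FTL, which is why it looks for the boot record on every page rather than only on page 0.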

Re: Forensics Analysis of a Flashdrive's NAND raw image

February 23rd, 2021, 18:58

As you said there might be XOR (it is not possible to tell by the pic you linked, because that's just the area containing the USB descriptor looking stuff), but the content is 'shuffled' too as a result of write leveling.
It is never a single click solution. As I said in the other post.

pepe

Re: Forensics Analysis of a Flashdrive's NAND raw image

February 23rd, 2021, 19:06

Could you upload the image, including the OOB data? I would be interested in learning something as well. :-)

Re: Forensics Analysis of a Flashdrive's NAND raw image

February 24th, 2021, 10:52

https://youtu.be/MKC_Xl5sP6Y

http://adreca.net/NAND-Flash-Data-Recovery-Cookbook.pdf

Re: Forensics Analysis of a Flashdrive's NAND raw image

March 17th, 2021, 10:14

haka wrote:
My gut feeling is that the NAND's content is somehow XORed by the flashdrive controller.

Does someone have more literature or eventually opensource tools that may give me more insights on:
- How to approach the analysis of a raw dump from a flashdrive?
- How to analyze this raw dump?
- How to figure out the type of "weak encryption used"?


OK, so first, it depends on how you dumped it. If you got the page sizes right, you should be able to open it in a hex editor, set the number of bytes across to the page size, and the SA or OOB data would have a recognisable pattern going down the rows, in a simple (MADE UP) example:

Code:
5E 13 67 FF 01 0D D0 5F 84 D8 64 0A 58 E0 2D E9 C4 FA B1 9D B9 E9 70 9C 16 44 9A 25
DE 0C 68 FF 02 C6 11 42 D7 A6 23 5B 7F 1D F7 71 FB 93 CB 63 51 97 D9 C1 5D C9 F2 8B
68 96 8D FF 03 CE 1D B8 84 DD 4E DA B3 5A 4B 01 3B 2D B3 51 66 EC 9D 88 38 70 44 46
1A 87 60 FF 04 1C 95 CC 50 C7 A2 2F F3 6A D4 D9 BB 4C 77 E5 19 F2 DD 8B 79 E1 BC B9
6E A4 CC FF 05 26 A3 B3 4D 19 7E 9E D6 FD BF 75 21 FA 4D FE 56 68 E8 E7 27 EC 77 97
EC D1 D1 FF 06 EC 67 CE F2 DD BC 33 D6 EB 55 9E 9C 9C 97 D2 57 A9 BC B1 BF 7E C6 64
69 18 A9 FF 07 12 16 A9 55 BF D6 5D DF FB 58 30 F4 A8 71 5E 25 04 50 04 24 16 91 88 81
80 2A 8A FF 08 4C D1 B9 B0 0C D3 A3 CC F0 AD 43 91 7A D7 5C 00 87 32 F1 19 E5 04 C9
11 48 D0 FF 09 AA 4C F9 F3 52 9C C2 84 03 2C


Probably you will get enormous value from reading everything at https://rusolut.com/visual-nand-reconstructor/documentation/

Part 1 and 2 especially.
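The hex-editor trick in the reply above (cut the dump at the right page size and watch the spare-area columns: some stay constant, such as the 0xFF marker, others count up row by row) can be automated. The following added Python example is not the poster's code: it labels every OOB byte offset as constant, counter, slow-counter or noise, and tries a list of candidate page layouts, keeping the one whose spare area exposes a page counter. The layout list and the sample dump, which mimics the made-up rows above (noise, 0xFF, then a 16-bit page number), are assumptions.

```python
"""Find the NAND page layout by looking for counters in the spare area.

Added illustration; the candidate layouts and the constructed dump are
assumptions, not data from the thread.
"""
import random

# Candidate (data bytes, spare bytes) page layouts; an assumed list.
LAYOUTS = [(512, 16), (2048, 64), (2048, 128), (4096, 128), (4096, 224), (8192, 448)]


def split_oob(raw, data_size, oob_size):
    """Cut the dump into raw pages and return only the spare area of each."""
    step = data_size + oob_size
    return [raw[i + data_size:i + step] for i in range(0, len(raw) - step + 1, step)]


def classify_oob_columns(oob_pages, min_ratio=0.9):
    """Label each OOB byte offset by how its value changes from page to page.

    constant:     the same byte on every page (e.g. a 0xFF marker column)
    counter:      at least min_ratio of the page-to-page steps are +1 mod 256
    slow-counter: steps are only 0 or +1, e.g. the high byte of a page number
    noise:        anything else (ECC bytes, for instance)
    """
    n = len(oob_pages)
    labels = {}
    for col in range(len(oob_pages[0])):
        column = [p[col] for p in oob_pages]
        steps = [(b - a) & 0xFF for a, b in zip(column, column[1:])]
        if all(s == 0 for s in steps):
            labels[col] = "constant 0x%02X" % column[0]
        elif steps.count(1) >= min_ratio * (n - 1):
            labels[col] = "counter"
        elif set(steps) <= {0, 1}:
            labels[col] = "slow-counter"
        else:
            labels[col] = "noise"
    return labels


def guess_layout(raw, layouts=LAYOUTS):
    """Return the (data, oob) layout whose spare area shows the most counter columns.
    A wrong page size turns the true counter into an irregular column, so it
    scores 0; only the right cut lines the counter up under one offset."""
    best, best_score = None, 0
    for data_size, oob_size in layouts:
        oob = split_oob(raw, data_size, oob_size)
        if len(oob) < 4:
            continue
        score = sum(1 for v in classify_oob_columns(oob).values() if v == "counter")
        if score > best_score:
            best, best_score = (data_size, oob_size), score
    return best


def build_sample_dump(pages=600, data_size=512, oob_size=16, seed=7):
    """Constructed dump: zero-filled data, OOB = 3 noise bytes, a 0xFF marker,
    a 16-bit little-endian page number, then noise for the remaining bytes."""
    rng = random.Random(seed)

    def noise(k):
        return bytes(rng.getrandbits(8) for _ in range(k))

    out = bytearray()
    for i in range(pages):
        oob = noise(3) + b"\xFF" + bytes([i & 0xFF, (i >> 8) & 0xFF]) + noise(oob_size - 6)
        out += bytes(data_size) + oob
    return bytes(out)


if __name__ == "__main__":
    dump = build_sample_dump()
    layout = guess_layout(dump)
    print("best layout:", layout)
    for col, label in sorted(classify_oob_columns(split_oob(dump, *layout)).items()):
        print("OOB byte %2d: %s" % (col, label))
```

Real spare areas carry more than a page number (bad-block marker, logical block number, ECC), and the counter may be a block number that only advances every N pages; the slow-counter label is there for that case. The labels are a starting point for reading the rows the way the reply describes, not a substitute for the vendor documentation it links.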