Our data recovery lab received an interesting case recently. On the surface, it looked like just an ordinary USB flash drive that had had its plug snapped off—the single most common form of data loss in USB flash drives. But upon removing the casing, our engineers discovered something truly bizarre.
Although many USB flash drives use monolithic chips today, the go-to for cheaper models is still the old standby of a NAND memory chip and a controller chip soldered to a simple green circuit board. This familiar sight is what greeted our engineers as they dug into this case.
No, your eyes are not deceiving you. That is an entire microSD card soldered to the PCB where a NAND chip should be.
As Forrest Gump’s momma used to say, sometimes life is like a box of chocolates. You never know what you’re going to get. USB flash drives are the same way.
The data in your typical USB flash drive lives on its NAND flash memory chip. The data leaves the chip, is assembled into something recognizable to your computer (and you) by a controller chip on the circuit board, and travels through the USB interface and into your computer. USB flash drives go by many names—jump drives, thumb drives, data pens, etc.—but no matter what you call them, they’re all more or less the same on the inside.
Or are they?
At Gillware, sometimes we encounter flash drives that are more than they appear, or less, or just plain weird. The reasons for these oddities fall into two categories:
Flash memory manufacturers typically have shallow margins. As a result, almost every scrap they make needs to be used, including chips that don’t quite pass the muster. Sometimes even defective products that would normally end up in a landfill have uses of their own.
For both traditional and flash data storage devices, during the manufacturing process, a few sectors/columns are just born bad simply due to factory defects. The manufacturers know this, so data storage devices are calibrated right off the assembly line to record where these bad parts live and ignore them. For example, take the physical sectors 4, 5, and 6. If the physical sector 5 is bad, the hard drive will know not to use sector 5 as a logical sector and will make 6 the new 5, 7 the new 6, and so on and so forth. Manufacturers also give flash devices just a little more memory cells than they need. This practice is called “over-provisioning.”
Flash memory manufacturers don’t like throwing away the things coming off of their assembly line unless the results are completely unusable. If a NAND chip with space for eight gigabytes can only use two (which is something we’ve seen before in our lab), it can still be packaged and sold as a two-gigabyte flash drive.
It might sound shady, but it isn’t. You are, after all, still getting what you paid for.
Here’s what likely went down with our Franken-flash:
The manufacturers built a microSD card, ran it through QA, and found out that it had a faulty controller. Not wanting to let a good NAND chip soldered into that tiny little package go to waste, they connected it to a flash drive’s controller chip, soldered it all together, plopped it into a case, and sold it.
These sorts of flash devices, cobbled together from “rejects,” are much like how hot dogs (excluding kosher dogs) are made from the ground-up gristle, fat, and other leftovers of assorted animals after all the “good stuff” has been parceled out. Usually, these flash devices are the ones you buy in bulk for cheap online when you need to put in an order for 1,000 USB flash drives with your company logo printed on them.
Hot dogs taste great with some mustard and relish, and likewise, these flash devices tend to work as advertised. After all, this odd little flash drive worked fine at its advertised capacity (even if its insides were a little weird). It only needed data recovery because its USB plug broke out. And that’s the same way most flash drives fail, anyway—even ones that are made up to standard.
By the way, we recovered 100% of the owner’s data.
When you buy cheap, you usually get what you pay for. Usually, that’s okay. You get your money’s worth—no harm, no foul.
But sometimes you get scammed.
Third-party vendors sometimes peddle deals that just seem too good to be true. A 128 GB flash drive for the price of a 4 GB drive? What a score!
Unfortunately, “too good to be true” tends to be just that more often than not. These drives typically have just as much capacity as the lower-gigabyte drives their prices match—they’ve only been altered so that your computer misreads their capacities. Once you fill them up, the drives either start overwriting the data you’ve already put on them. At worst, they stop mounting entirely until you reformat them.
Not too long ago we had a client who, once we’d recovered his data, decided to send in a USB flash drive he’d purchased on his own to use as a transfer drive. Sadly, the 256-gigabyte drive had less than half of the capacity it claimed to have. Only half of the customer’s data fit on it. Sadly, we had to break the news to the poor man that he’d been scammed. He agreed to send in another flash drive of his. It, too, ended up being a counterfeit. We ended up putting the client’s data onto one of our own hard drives instead and recommended he find a new supplier of flash drives.
In the world of USB flash drives, if it seems like you’re getting more than you paid for, you’re probably getting much, much less.
There are multiple tools and methods you can use to validate a flash device’s capacity, such as H2testw and FakeFlashTest.
From the right vendor, nothing beats a good ballpark frank, whether you prefer yours Chicago-style, New York-style, or Vietnam-style. You just need to be careful your hot dog didn’t come out of a vat full of tapeworms…