
More than Meets the Eye with USB Flash Drives

128 GB USB flash drive hot dog

Do you trust this USB drive to have its stated capacity?

Our data recovery lab received an interesting case recently. On the surface, it looked like just an ordinary USB flash drive that had had its plug snapped off—the single most common form of data loss in USB flash drives. But upon removing the casing, our engineers discovered something truly bizarre.

Although many USB flash drives use monolithic chips today, the go-to for cheaper models is still the old standby of a NAND memory chip and a controller chip soldered to a simple green circuit board. This familiar sight is what greeted our engineers as they dug into this case.

But wait.

What’s this?

Perfectly normal USB flash drives?

A perfectly normal USB flash drive that showed up in Gillware’s lab recently

No, your eyes are not deceiving you. That is an entire microSD card soldered to the PCB where a NAND chip should be.

Or take this specimen our engineers received recently:

A strange USB flash drive with an iPhone NAND chip

This might not look quite as unusual until you realize that the NAND chip isn’t the kind that normally goes into flash drives, but rather the kind you’d find inside an iPhone. This flash drive had been cobbled together from the usual flash drive parts and a chip meant for an iPhone that hadn’t been good enough to use in an actual iPhone.

What Goes Into USB Flash Drives, Anyway?

As Forrest Gump’s momma used to say, sometimes life is like a box of chocolates. You never know what you’re going to get. USB flash drives are the same way.

The data in your typical USB flash drive lives on its NAND flash memory chip. The data leaves the chip, is assembled into something recognizable to your computer (and you) by a controller chip on the circuit board, and travels through the USB interface and into your computer. USB flash drives go by many names—jump drives, thumb drives, data pens, etc.—but no matter what you call them, they’re all more or less the same on the inside.

Or are they?

At Gillware, sometimes we encounter flash drives that are more than they appear, or less, or just plain weird. The reasons for these oddities fall into two categories:

1. Manufacturer Cost-Cutting

Flash memory manufacturers typically have shallow margins. As a result, almost every scrap they make needs to be used, including chips that don’t quite pass muster. Sometimes even defective products that would normally end up in a landfill have uses of their own.

For both traditional and flash data storage devices, a few sectors/columns are born bad during the manufacturing process due to factory defects. The manufacturers know this, so data storage devices are calibrated right off the assembly line to record where these bad parts live and ignore them. For example, take the physical sectors 4, 5, and 6. If the physical sector 5 is bad, the hard drive will know not to use sector 5 as a logical sector and will make 6 the new 5, 7 the new 6, and so on and so forth. Manufacturers also give flash devices a few more memory cells than they need. This practice is called “over-provisioning.”

Flash memory manufacturers don’t like throwing away the things coming off of their assembly line unless the results are completely unusable. If a NAND chip with space for eight gigabytes can only use two (which is something we’ve seen before in our lab), it can still be packaged and sold as a two-gigabyte flash drive.

It might sound shady, but it isn’t. You are, after all, still getting what you paid for.

How the Sausage Gets Made

Here’s what likely went down with our Franken-flash drives:

For the first one, the manufacturers built a microSD card, ran it through QA, and found out that it had a faulty controller. Not wanting to let a good NAND chip soldered into that tiny little package go to waste, they connected it to a flash drive’s controller chip, soldered it all together, plopped it into a case, and sold it.

For the second one, manufacturers encountered an iPhone NAND chip that couldn’t hack it inside an iPhone, but could work just fine installed in a cheap flash drive… so they plopped it onto a USB drive’s circuit board.

These sorts of cobbled-together “Frankenflash” USB devices are made pretty much the same way hot dogs are: from the ground-up gristle, fat, and other leftovers of assorted animals after all the “good stuff” has been parceled out. Usually, these flash devices are the ones you buy in bulk for cheap online when you need to put in an order for 1,000 USB flash drives with your company logo printed on them.

Hot dogs taste great with some mustard and relish, and likewise, these flash devices tend to work as advertised. After all, this odd little flash drive worked fine at its advertised capacity (even if its insides were a little weird). It only needed data recovery because its USB plug broke off. And that’s the same way most flash drives fail, anyway—even ones that are made up to standard.

By the way, in both cases, we recovered 100% of the owner’s data.


2. Scams

When you buy cheap, you usually get what you pay for. Usually, that’s okay. You get your money’s worth—no harm, no foul.

But sometimes you get scammed.

Third-party vendors sometimes peddle deals that just seem too good to be true. A 128 GB flash drive for the price of a 4 GB drive? What a score!

Unfortunately, “too good to be true” tends to be just that more often than not. These drives typically have just as much capacity as the lower-gigabyte drives their prices match—they’ve only been altered so that your computer misreads their capacities. Once you fill them up, the drives either start overwriting the data you’ve already put on them or, at worst, stop mounting entirely until you reformat them.

Not too long ago we had a client who, once we’d recovered his data, decided to send in a USB flash drive he’d purchased on his own to use as a transfer drive. Sadly, the 256-gigabyte drive had less than half of the capacity it claimed to have. Only half of the customer’s data fit on it. We had to break the news to the poor man that he’d been scammed. He agreed to send in another flash drive of his. It, too, ended up being a counterfeit. We ended up putting the client’s data onto one of our own hard drives instead and recommended he find a new supplier of flash drives.

Do You Have Counterfeit Flash Media?

In the world of USB flash drives, if it seems like you’re getting more than you paid for, you’re probably getting much, much less.

There are multiple tools and methods you can use to validate a flash device’s capacity, such as H2testw and FakeFlashTest.
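To see why a capacity check has to fill the whole drive before reading anything back, here is an added example (not Gillware's code and not the algorithm of either tool named above). `SimulatedDrive` is a constructed stand-in that assumes writes beyond the real capacity wrap around and overwrite earlier blocks; all names and sizes are hypothetical.

```python
import hashlib

BLOCK = 512  # bytes per block in this simulation


class SimulatedDrive:
    """Constructed stand-in for a drive: reports `claimed` blocks, stores only `real`.

    Assumption: writes past the real capacity wrap around and overwrite
    earlier blocks, one of the failure behaviours described above.
    """

    def __init__(self, claimed, real):
        self.claimed = claimed
        self._cells = [bytes(BLOCK)] * real

    def write(self, lba, data):
        self._cells[lba % len(self._cells)] = data

    def read(self, lba):
        return self._cells[lba % len(self._cells)]


def pattern(lba):
    """Deterministic, block-unique test data, so a misplaced block is detectable."""
    seed = hashlib.sha256(lba.to_bytes(8, "little")).digest()  # 32 bytes
    return seed * (BLOCK // len(seed))


def naive_check(drive):
    """Write one block and read it straight back: a fake drive passes this."""
    for lba in range(drive.claimed):
        drive.write(lba, pattern(lba))
        if drive.read(lba) != pattern(lba):
            return False
    return True


def full_check(drive):
    """Fill the whole claimed capacity first, then verify every block."""
    for lba in range(drive.claimed):
        drive.write(lba, pattern(lba))
    good = [lba for lba in range(drive.claimed) if drive.read(lba) == pattern(lba)]
    return len(good), drive.claimed


if __name__ == "__main__":
    fake = SimulatedDrive(claimed=256, real=64)  # constructed sample values
    print("naive check passes:", naive_check(fake))
    print("blocks verified / claimed:", full_check(fake))
```

In this model the number of blocks that survive the full check equals the drive's real capacity, while the block-at-a-time check reports nothing wrong.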

From the right vendor, nothing beats a good ballpark frank, whether you prefer yours Chicago-style, New York-style, or Vietnam-style. You just need to be careful your hot dog didn’t come out of a vat full of tapeworms…

Will Ascenzo
Will is the lead blogger, copywriter, and copy editor for Gillware Data Recovery and Forensics, and a staunch advocate against the abuse of innocent semicolons.