Digital Forensics for USB Flash Drives

Need to investigate a USB flash drive?

USB Flash Drive Forensics

USB flash drives are portable, cheap, and easy to use. Their convenience makes these thumb-sized data storage devices a common sight, which means they can often hold key evidence for investigations, especially those relating to corporate espionage and intellectual property theft. A skilled forensic investigator can examine the data on a USB flash drive and the devices it has been connected to and determine how it was used, when it was used, and by whom. But sometimes the data on a flash drive can be difficult to access, due to damage to the device or due to the inherent quirks and strangeness of flash memory. Gillware’s USB forensics and data recovery experts offer USB flash drive forensics services to assist you in your investigation.

USB Drives

What USB Flash Drives Are

In the days of yore people would use floppy disks to transfer data from one computer to another; then those floppy disks were replaced by rewritable CDs; and then those CDs were superseded by USB flash drives. With their flash memory chips packing large amounts of data in fingernail-sized spaces, it’s easy to see how much of a revolution these flash drives were. They’re the size of your thumb, fitting easily in your pocket, or on a keychain; they can hold dozens of times more information than their predecessors; and they plug right into a USB port for easy access.

Today, USB flash drives, also commonly called thumb drives, are perhaps the most abundant form of transient data storage. Not meant to store data long-term (although that doesn’t stop some people), these devices are meant more for getting data from Point A to Point B, whether those points are your workplace and your home, your home and your school, your computer and your coworker’s computer, et cetera…

As it happens, thumb drives can be used for a lot of shady things, including data and intellectual property theft. A disgruntled ex-employee may copy company data to a USB flash drive on their way out with the intent to offer it to a competing business or use it to start a competing business of their own. It’s easy too for data thieves to delete data from their USB flash drives and quickly reformat them to cover their tracks, especially since many flash drives are only a few gigabytes in size. USB flash drive forensics experts can recover data from these devices, and may even be able to find information about what specific computers they’ve been plugged into. Conversely, a forensics expert can often determine what USB thumb drives have been plugged into a particular computer.

How Flash Drives Store Data

When you plug a USB flash drive into your computer’s USB port, you are greeted with the same kind of logical volume you’d see on a hard disk drive. USB flash drives will often be formatted using the FAT16 filesystem. FAT16 has been in use for a very long time—about two decades—and is compatible with just about every device. However, flash devices can be formatted with any other operating system; commonly, one may see NTFS or variations of the FAT filesystem such as FAT32 and ExFAT.

Beneath the filesystem, though, things start to get weird. USB flash drives may display the data they contain to the user just like a hard drive would, but the way they physically store their data is radically different. Instead of storing information magnetically as binary data on disk platters, each bit occupies a single NAND or NOR transistor cell (although some multi-level cell chips store multiple bits per transistor).

Flash memory evolved from EEPROM (electrically erasable programmable read-only memory). As the name suggests, while EEPROM was read-only, users could erase its contents and write new data to it. The technology developed to the point at which users could program and erase data one block at a time, instead of programming and erasing the entire chip at once. With that development (and some clever wrangling) people could use flash memory in much the same way they’d use a hard drive.

In order to make flash memory behave similarly to a hard drive, though, there are a few special things going on between the flash memory chip and the data the user sees, such as the flash translation layer (FTL). Flash memory systems have many constraints and restrictions imposed by their design. The FTL deals with these restrictions in order to adapt a fully-functional filesystem to the device, mapping the physical block addresses on the chip itself to the logical block addresses used by the filesystem. The purpose of the FTL, in other words, is to take a data storage medium wildly different from spinning magnetic disks and make it behave as if it were the same—at least from the end user’s perspective.

USB Flash Drive Forensics

Forensic investigators can make use of the quirks of flash memory to uncover data from USB flash devices. Including the FTL, other subroutines beneath the device’s filesystem, such as wear-leveling and garbage-collection algorithms, manage the data written to the flash drive (in other words, programmed to the chip’s NAND or NOR cells).

Wear-leveling algorithms distribute program commands across the chip to ensure that each cell is used roughly equally. The cells in a flash memory chip can only be programmed and erased a set number of times, and if one area of the chip is allowed to wear out faster than the others, you would end up with unusable “cold spots” on the chip. Garbage-collection algorithms take data that’s been marked for deletion and copy it to specific blocks, since flash memory can only erase itself on a per-block level, not a per-cell level. One of the end results of these algorithms is that the same data (or various iterations of that data from user activity) can live in multiple locations on the chip, although you’d never know it just by looking at a USB flash drive’s filesystem.

The FTL and data management systems bridging the filesystem on a thumb drive with the drive’s flash memory chip have huge implications for USB flash drive forensics. In many situations when a flash drive is reformatted or data is deleted, recovering data works just the same as recovering deleted data from hard disk drives. But in other situations, the data may appear to vanish completely. However, thanks to these data management systems, even if a USB thumb drive appears to be completely blank when you look at its contents in a hex editor, data may still exist on the flash memory chip itself!

Due to this “flash memory amnesia” effect, it is actually very hard to completely erase the data from a flash memory chip, even by reformatting the USB flash device. The user has no control over the FTL or wear-level and garbage-collection algorithms, and so has no control over where data lives on the NAND or NOR flash memory chip itself. No matter how carefully the user tries to cover their tracks, a skilled forensic examiner can uncover trace amounts of data from the device, given the right tools and knowledge.

To dig this deeply into flash memory, USB flash drive forensics experts often must access the flash chip itself, bypassing the USB interface and the controller chip and sifting through the chip’s raw data. This requires invasive chip-off techniques to isolate and dump the data from the chip, and the knowledge of how to then piece the data together again.

usb flash device

Recovering Data from Broken or Destroyed USB Flash Drives

USB flash drives are actually very fragile and can easily be broken—either by accident, or on purpose. However, the flash memory chips within them are much more resilient than the sensitive data storage platters within hard disk drives. When a thumb drive suffers severe damage, the chip is usually mostly unharmed.

One of the weakest points on a thumb drive is the connection between the USB plug and the control board. The plug can easily be snapped off of the device; however, in most cases a skilled electrical engineer can solder the plug back onto the chip to regain USB access.

Retrieving Data from Monolithic USB Flash Drives

A recent innovation in USB flash drive technology is the monolithic USB flash chip. You may crack open the casing of a thumb drive only to find a single inscrutable black chip—something resembling the monolith from Kubrick’s 2001: A Space Odyssey. This monolithic chip contains everything a USB flash drive needs—the USB ports in the form of four gold “fingers” on the chip, the controller for the flash memory chip, and of course, the flash memory chip itself. Basically, a monolithic USB chip is identical to a microSD card in design, although its shape, size, and interface are different.

The benefit of these chips is that they are easier and cheaper to manufacture, far more waterproof than ordinary USB flash drives, and less likely to suffer severe damage. The downside is that it’s much, much harder to gain access to the flash memory chip itself, since there’s no way to actually remove the chip from the package. In order to access the chip, a skilled engineer must connect small, thin leads to specific contact points on a ball grid array hidden beneath the monolith’s surface.

How Gillware Can Help You with USB Flash Drive Forensics

Gillware leverages over a decade of experience from both data recovery and digital forensics experts. Our highly-skilled experts have spent years studying the inner workings of flash memory for the purposes of data recovery, and have pioneered state-of-the-art methods of flash memory data retrieval.

Even if the thumb drive you need examined has been reformatted, or the data has been deleted, our forensic data retrieval specialists can sift through the device to find whatever traces amounts of data still exist on the device. If the device has been broken or damaged to prevent access to its contents, our highly-skilled electrical engineers can repair it and recover its contents. Our USB flash drive forensics experts can also provide expert testimony, ensuring that our findings will be clearly and accurately represented in court.

Need to investigate a USB Flash Drive?