Forensic Case Files: A Thumb Drive’s Winter’s Tale

President of Tetra Defense, Cindy Murphy, shares her insights:

“April is the cruellest month, breeding lilacs out of the dead land, mixing memory and desire, stirring dull roots with spring rain. Winter kept us warm, covering Earth in forgetful snow, feeding a little life with dried tubers.”
— T. S. Eliot, The Waste Land

Last week I got into a conversation with a neighbor at the bus stop about the types of cases we encounter here. When I was finished, my neighbor had a story of his own to tell me. He’d lost a flash drive in his yard one fine autumn day. Of course, the colder winter months were fast approaching. And soon enough, old man winter came by and buried that same yard under a thick blanket of snow.

The winter months passed by; the neighbor’s snowblower passed by as well. The flash drive jumped into the snowblower and shot out with the force of a small projectile, flying across his yard. And the poor, beleaguered flash drive sat in its new resting place until the snow melted, when the neighbor promptly rediscovered it.

The drive had been through a particularly cold level of Hell (which, according to Dante, would be Cocytus, the ninth circle). And yet, miraculously, despite its hideously chewed-up casing, its innards were unharmed! My neighbor could plug the preposterously punished little pen drive into his computer—and all his files were there.

On the other hand, we commonly see USB flash drives that were not quite as lucky or resilient. We’ve seen flash drives go through the wash, through lawnmowers, through the mouths of their owners’ dogs… and come out much, much less than functional.

The moral of the story? USB drives are fickle things. There’s a lot of punishment they can withstand… and a lot they can’t. One USB drive we recently worked on at the behest of a nearby police department had taken just about all it could handle.

USB Thumb Drive Forensic Investigation

As sturdy as a flash drive's USB plug is, only four delicate leads keep it connected to the rest of the USB flash drive. We are no strangers to USB drive forensics and broken device forensics. The flash drive that made its way to us had certainly gone through the wringer. Its USB plug had been torn off. Corrosion and rust had also wormed their way onto the flash drive’s NAND flash memory chip. Extracting the data from this flash drive would take a lot of hard work from our USB drive forensics experts.

Thumb drives turn up a lot in forensic investigations due to their convenience, portability, and ease of use. They’re a great medium for storing and transferring data—we see them frequently in a wide range of cases, from employee misconduct and data exfiltration to child exploitation. It’s not uncommon for them to turn up damaged in forensics cases—either by accident or by design.

Whether a flash drive can survive heavy abuse is a crapshoot, as my neighbor’s anecdote exemplifies so well. The USB plug itself can take a bit of a beating. However, the real weak point is the connection between the plug and the thumb drive’s printed circuit board, or PCB. As the engineers in our lab will readily attest, it’s terribly easy to bend or outright break the USB plug off just by jostling or bumping a flash drive while it’s plugged in.

The PCB itself can snap or break as well, but the biggest threat to it is an electrical short. If anything happens to the board, data cannot flow to and from the flash memory chip (usually a NAND chip) storing all of your data.

USB Thumb Drive Forensics – Conclusion

The NAND chip itself, which holds all of the data on the flash drive, is one of the most resilient parts of the drive. However, when the other components break, the chip becomes inaccessible by normal means.

We, however, are quite used to having to access data through decidedly abnormal means. We couldn’t repair the damage to the flash drive. There was no way to reattach that broken USB plug—not with such extensive damage to the fragile leads that normally connected the plug to the PCB.

But what we could do was solder leads to the PCB, bypassing the USB connection altogether. We pulled the data directly from the flash drive’s NAND flash memory chip and created a forensic image of the chip.

With a complete image of the chip’s contents, our next move was to use digital forensics software to verify the accuracy of the disk image and analyze its contents. We returned the data we’d extracted from the damaged thumb drive to our clients in the police department, then purged the data from our facilities.
