FTK Imager Issue

I was using FTK Imager for many years and really liked it. Compared with EnCase Imager, it gives you much better estimate of time to completion, creates acquisition log with hashes, etc.

Recently I had a case involving a number of computers and rather significant number of USB storage devices both, flash drives and hard drives. All the devices were imaged using FTK Imager. One of the goals was to establish which USB devices were used with which computers. I was comparing serial numbers extracted by Imager against data from Registry (System) and setuapi.dev.log for Windows machines and against kernel.log for Macs. There were much less hits than anticipated and it forced me to take a second look at the USB devices, this time using EnCase. To my surprise, in many instances FTK and EnCase produced different serial numbers. Sometimes correlation could be established (ASCII versus Hx, or reverse sequence), sometimes not.

During the last week I run tests on as many different USB devices I could put my hands on. I used machines running Windows 10 and Windows 7. Results were the same, EnCase S/Ns matched ones stored in setupapi.dev.log and in Registry (System)


USBStor ControlSet001\Enum\USBStor

as well as

DevClasses – Disks ControlSet001\Control\DeviceClasses\{53f56307-b6bf-11d0-94f2-00a0c91efb8b}

FTK Imager produced the same results for some makes and models (Corsair, SanDisk, and Buffalo flash drives, Seagate hard drives) but for many more (some WD and Toshiba hard drives, Kingston, PNY, and some other flash drives) results did not match.

By reviewing these results, it seems that the USB devices store two S/Ns, sometimes matching, sometimes not.

We contacted AccessData and my suspicions were confirmed, they use WMIC command:


We pull the serial number using WMI. To see what we pull you can copy and paste this into a command prompt and run it.
wmic path win32_physicalmedia get SerialNumber, Tag


When the two serial numbers from the USB are identical, it is OK, otherwise S/Ns produced by FTK are useless for forensic analysis, since the other S/N is recorded in Registry, etc. Maybe FTK (WMIC) produced S/N is stored somewhere in Windows as well, but so far, I could not find it.


That forces my company to make an unhappy decision – we are suspending use of FTK Imager till the issue is resolved by AccessData. 

Below is a follow-up response from AccessData, on how to encourage them to make changes to software. I hope to get strong support here from anybody using FTK.


The software is designed to pull that information specifically. If you think that it should be pulling from a different location, you can submit your reasoning as to why as a feature request on one of our Feature Request Forums. Requests submitted here can then be voted on by our users, so if other users agree with your reasoning, they can vote and it will show a stronger response to our Product Management team, who are the ones that make decisions about develop of this nature.



Results of my tests are in the attached spreadsheet. I encourage everybody to chip in. It is not to get more proof that FTK software needs to be updated, we already have enough. It is for us, examiners, to be able to review the images already created from the point of view of usability of data there.



Make/Model
Command Prompt
wmic
USBStor
ControlSet001\Enum\USBStor
FTK Imager
EnCase Imager
EnCase Forensic
WD My Passport 0820
WX91A9300467
  S/N: 575839314139333030343637
S/N:WX91A9300467
S/N:575839314139333030343637
WD My Passport 259B
        WXK1AC698KSC
 S/N: 57584B3141433639384B5343
S/N:WXK1AC698KSC   
S/N:57584B3141433639384B5343
Toshiba 1 TB
F20800030404102
 S/N: 20140403000802F
S/N:F20800030404102
S/N:20140403000802F
Toshiba 1 TB
F85100032113102
S/N: 20131123000158F
S/N:F85100032113102
S/N:20131123000158F
SanDisk 32 GB
200607751005791322F6
S/N: 200607751005791322F6
S/N:200607751005791322F6
S/N:200607751005791322F6
Buffalo 500 GB
0000030600001C9B
S/N: 0000030600001C9B
S/N:0000030600001C9B
S/N:0000030600001C9B
Kingston 8 GB
 6E0EA84047C9
S/N: 60A44C4252A8EE8079930091
S/N:6E0EA84047C9
S/N:60A44C4252A8EE8079930091
Kingston 16 GB
6B0DA64145C9
S/N: 60A44C3FAD9EBD61598E0032
S/N:6B0DA64145C9
S/N:60A44C3FAD9EBD61598E0032
Kingston 32 GB
0B80680160E8
S/N: 08606E6D402EB08108170BAF
S/N:0B80680160E8
S/N:08606E6D402EB08108170BAF
Team C145/3.0 32 GB
0775120940B0
S/N: 07104BB1788E7529
S/N:0775120940B0
S/N:07104BB1788E7529
Corsair 64 GB
1.31028E+13
S/N: 13102800000217
S/N:13102800000217
S/N:13102800000217
PNY 200 GB
AA00000000000489
S/N: AA5B181FB0013735
S/N:AA00000000000489
S/N:AA5B181FB0013735
PNY 32 GB
AA00000000000485
S/N: AA00000000000295
S/N:AA00000000000485
S/N:AA00000000000295
Silicon Power  64 GB
P41544051B3B
S/N: P140134007104545BBFAFF28
S/N:P41544051B3B
S/N:P140134007104545BBFAFF28
MicroCenter 8 GB
027002A330C0
S/N: 070A3C84F6182023
S/N:027002A330C0
S/N:070A3C84F6182023
Seagate Expansion
NA8GQH8G
S/N: NA8GQH8G
S/N:NA8GQH8G
S/N:NA8GQH8G
Seagate Slim
NA7WFDC0
S/N: NA7WFDC0
S/N:NA7WFDC0
S/N:NA7WFDC0


Comments

  1. Below is a "dump" of serial numbers provided by a variety of Windows tools...so which one is correct?

    Reading USB firmware directly with Microsoft USB Device Viewer:

    ===>Device Descriptor<===
    bLength: 0x12
    bDescriptorType: 0x01
    bcdUSB: 0x0300
    bDeviceClass: 0x00 -> This is an Interface Class Defined Device
    bDeviceSubClass: 0x00
    bDeviceProtocol: 0x00
    bMaxPacketSize0: 0x09 = (9) Bytes
    idVendor: 0x0951 = Kingston Technology Company
    idProduct: 0x1666
    bcdDevice: 0x0100
    iManufacturer: 0x01
    English (United States) "Kingston"
    iProduct: 0x02
    English (United States) "DataTraveler 3.0"
    iSerialNumber: 0x03
    English (United States) "60A44C426697BF812981005E"
    bNumConfigurations: 0x01

    WinHex/X-Ways Technical Details Report:
    WinHex 19.5 x64
    01/22/2018, 18:27:15

    Removable medium 3
    Model: Kingston DataTraveler 3.0
    Serial No.: 6B0FA84142C9 / 60A44C426697BF812981005E
    Firmware Rev.: PMAP
    Bus: USB

    FTK Imager Device Properties:
    Drive Serial Nubmber: 6B0FA84142C9

    EnCase:
    Serial Number: 60A44C426697BF812981005E

    The answer is they are ALL correct! They just display the serial number in different ways depending on the method used to request the serial number from the device.

    WMIC uses a somewhat convoluted method for displaying device serial numbers, and unfortunately as with many things "Microsoft", things change from Windows release to Windows release.
    Believe it or not, the serial numbers you identified in your testing are all essentially the same, just displayed in different formats. In the case of your Toshiba 1TB HD, the serial numbers are the same but WMIC displays them in revers order.
    The USB devices are a little more difficult to interpret. With the USB devices, WMIC displays the serial number using a digit-swapping (and in some cases HEX encoded) process. See the example of the above example where I have two serial numbers provided:
    WMIC: 6B0FA84142C9
    iSerialNumber: 60A44C426697BF812981005E

    To convert WMIC, first take every odd digit: 6 0 A 4 4 C, then take every even digit B F 8 1 2 9 and append them together odd first followed by even and you get:
    60A44C BF8129...look famililar? Unfortunately when WMIC reports the serial number it does truncate portions so the converted WMIC is not exactly the same as the iSerialNumber depending on the length of the original iSerialNumber.

    As to some of the Hard Drives listed in your testing table, there is simple HEX encoding going on with WMIC.
    On your WD MyPassport the WMIC serial number is WX91A9300467. This is ASCII but the HEX for this is 575839314139333030343637....so EnCase reports the HEX values serial number and FTK (WMIC) reports the ASCII version of the same thing.

    So, As you can see...all the forensic tools really do grab the serial number (or at least most of it), which will match the PNPDEVICEID you find in the setup.api.dev.log and in the Windows Registry.

    Of all the tools shown above WinHex/X-Ways handles it the most "user-friendly" in that both formats are provided to you.

    Hope this helps clarify the discrepancies you identified. You can use the digit-swapping method to decode the USBs in your testing table.

    Take care,

    Dan

    ReplyDelete
  2. Dan,
    You are correct, all the data in your example is legit. The point of my post was, that for forensic analysis we need a serial number which will match the one from Registry, and FTK does not provide it.
    Alex

    ReplyDelete
  3. Alexander,
    I was out searching for an answer to the serial number discrepancy I ran into with FTK Imager and found this thread. Look at the data set you presented and look at the two Toshiba entries. The wmic and usbstor data is backwards of each other, completely reversed. I had ran into this backwards scenario while working a case. I had the physical serial number printed on the drive, but FTK Imager had the serial number listed backwards. Very strange to say the least. Tom

    ReplyDelete
  4. I wanted to make sure my success so I was not ready to trust any helping source without reason. Then I found Pass4sure Amazon dumps and I became confident and happy. At first I was given free demo version which was enough to assure my success. Dumpspass4sure has satisfied me and I suggest to all my friends to use Amazon questions and answers.

    ReplyDelete
  5. Very good article! We will be linking to this particularly great post on our website. Keep up the good writing.
    4k Stogram Crack
    CloudMounter Crack
    WinHex Crack

    ReplyDelete

Post a Comment