FTK Imager Issue
I was using
FTK Imager for many years and really liked it. Compared with EnCase Imager, it
gives you much better estimate of time to completion, creates acquisition log
with hashes, etc.
Recently I had a case involving a number of computers and rather significant number of USB storage devices both, flash drives and hard drives. All the devices were imaged using FTK Imager. One of the goals was to establish which USB devices were used with which computers. I was comparing serial numbers extracted by Imager against data from Registry (System) and setuapi.dev.log for Windows machines and against kernel.log for Macs. There were much less hits than anticipated and it forced me to take a second look at the USB devices, this time using EnCase. To my surprise, in many instances FTK and EnCase produced different serial numbers. Sometimes correlation could be established (ASCII versus Hx, or reverse sequence), sometimes not.
FTK Imager
produced the same results for some makes and models (Corsair, SanDisk, and
Buffalo flash drives, Seagate hard drives) but for many more (some WD and
Toshiba hard drives, Kingston, PNY, and some other flash drives) results did
not match.
By reviewing these results, it seems that the USB devices store two S/Ns, sometimes matching, sometimes not.
We contacted AccessData and my suspicions were confirmed, they use WMIC command:
Recently I had a case involving a number of computers and rather significant number of USB storage devices both, flash drives and hard drives. All the devices were imaged using FTK Imager. One of the goals was to establish which USB devices were used with which computers. I was comparing serial numbers extracted by Imager against data from Registry (System) and setuapi.dev.log for Windows machines and against kernel.log for Macs. There were much less hits than anticipated and it forced me to take a second look at the USB devices, this time using EnCase. To my surprise, in many instances FTK and EnCase produced different serial numbers. Sometimes correlation could be established (ASCII versus Hx, or reverse sequence), sometimes not.
During the last week I run tests on as
many different USB devices I could put my hands on. I used machines running
Windows 10 and Windows 7. Results
were the same, EnCase S/Ns matched ones stored in setupapi.dev.log and in
Registry (System)
USBStor ControlSet001\Enum\USBStor
as well as
DevClasses – Disks
ControlSet001\Control\DeviceClasses\{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
By reviewing these results, it seems that the USB devices store two S/Ns, sometimes matching, sometimes not.
We contacted AccessData and my suspicions were confirmed, they use WMIC command:
We pull the serial number using WMI. To see what we pull you can
copy and paste this into a command prompt and run it.
wmic path win32_physicalmedia get SerialNumber, Tag
wmic path win32_physicalmedia get SerialNumber, Tag
When the two serial numbers from the
USB are identical, it is OK, otherwise S/Ns produced by FTK are useless for forensic analysis, since the other S/N is recorded in
Registry, etc. Maybe FTK (WMIC) produced S/N is stored somewhere in Windows as
well, but so far, I could not find it.
That forces my company to make an
unhappy decision – we are suspending use of FTK Imager till the issue is
resolved by AccessData.
Below is a follow-up response from
AccessData, on how to encourage them to make changes to software. I hope to get
strong support here from anybody using FTK.
The software is designed to pull
that information specifically. If you think that it should be pulling from a
different location, you can submit your reasoning as to why as a feature
request on one of our Feature
Request Forums. Requests submitted here can
then be voted on by our users, so if other users agree with your reasoning,
they can vote and it will show a stronger response to our Product Management
team, who are the ones that make decisions about develop of this nature.
Results
of my tests are in the attached spreadsheet. I encourage everybody to chip in. It is not to get
more proof that FTK software needs to be updated, we already have enough. It is
for us, examiners, to be able to review the images already created from the
point of view of usability of data there.
Make/Model
|
Command
Prompt
wmic |
USBStor
ControlSet001\Enum\USBStor |
FTK
Imager
|
EnCase
Imager
EnCase Forensic |
WD My
Passport 0820
|
WX91A9300467
|
S/N: 575839314139333030343637
|
S/N:WX91A9300467
|
S/N:575839314139333030343637
|
WD My
Passport 259B
|
WXK1AC698KSC
|
S/N: 57584B3141433639384B5343
|
S/N:WXK1AC698KSC
|
S/N:57584B3141433639384B5343
|
Toshiba
1 TB
|
F20800030404102
|
S/N: 20140403000802F
|
S/N:F20800030404102
|
S/N:20140403000802F
|
Toshiba
1 TB
|
F85100032113102
|
S/N:
20131123000158F
|
S/N:F85100032113102
|
S/N:20131123000158F
|
SanDisk
32 GB
|
200607751005791322F6
|
S/N:
200607751005791322F6
|
S/N:200607751005791322F6
|
S/N:200607751005791322F6
|
Buffalo
500 GB
|
0000030600001C9B
|
S/N:
0000030600001C9B
|
S/N:0000030600001C9B
|
S/N:0000030600001C9B
|
Kingston
8 GB
|
6E0EA84047C9
|
S/N:
60A44C4252A8EE8079930091
|
S/N:6E0EA84047C9
|
S/N:60A44C4252A8EE8079930091
|
Kingston
16 GB
|
6B0DA64145C9
|
S/N:
60A44C3FAD9EBD61598E0032
|
S/N:6B0DA64145C9
|
S/N:60A44C3FAD9EBD61598E0032
|
Kingston
32 GB
|
0B80680160E8
|
S/N:
08606E6D402EB08108170BAF
|
S/N:0B80680160E8
|
S/N:08606E6D402EB08108170BAF
|
Team
C145/3.0 32 GB
|
0775120940B0
|
S/N:
07104BB1788E7529
|
S/N:0775120940B0
|
S/N:07104BB1788E7529
|
Corsair
64 GB
|
1.31028E+13
|
S/N:
13102800000217
|
S/N:13102800000217
|
S/N:13102800000217
|
PNY
200 GB
|
AA00000000000489
|
S/N:
AA5B181FB0013735
|
S/N:AA00000000000489
|
S/N:AA5B181FB0013735
|
PNY
32 GB
|
AA00000000000485
|
S/N:
AA00000000000295
|
S/N:AA00000000000485
|
S/N:AA00000000000295
|
Silicon
Power 64 GB
|
P41544051B3B
|
S/N:
P140134007104545BBFAFF28
|
S/N:P41544051B3B
|
S/N:P140134007104545BBFAFF28
|
MicroCenter
8 GB
|
027002A330C0
|
S/N:
070A3C84F6182023
|
S/N:027002A330C0
|
S/N:070A3C84F6182023
|
Seagate
Expansion
|
NA8GQH8G
|
S/N:
NA8GQH8G
|
S/N:NA8GQH8G
|
S/N:NA8GQH8G
|
Seagate
Slim
|
NA7WFDC0
|
S/N:
NA7WFDC0
|
S/N:NA7WFDC0
|
S/N:NA7WFDC0
|
Below is a "dump" of serial numbers provided by a variety of Windows tools...so which one is correct?
ReplyDeleteReading USB firmware directly with Microsoft USB Device Viewer:
===>Device Descriptor<===
bLength: 0x12
bDescriptorType: 0x01
bcdUSB: 0x0300
bDeviceClass: 0x00 -> This is an Interface Class Defined Device
bDeviceSubClass: 0x00
bDeviceProtocol: 0x00
bMaxPacketSize0: 0x09 = (9) Bytes
idVendor: 0x0951 = Kingston Technology Company
idProduct: 0x1666
bcdDevice: 0x0100
iManufacturer: 0x01
English (United States) "Kingston"
iProduct: 0x02
English (United States) "DataTraveler 3.0"
iSerialNumber: 0x03
English (United States) "60A44C426697BF812981005E"
bNumConfigurations: 0x01
WinHex/X-Ways Technical Details Report:
WinHex 19.5 x64
01/22/2018, 18:27:15
Removable medium 3
Model: Kingston DataTraveler 3.0
Serial No.: 6B0FA84142C9 / 60A44C426697BF812981005E
Firmware Rev.: PMAP
Bus: USB
FTK Imager Device Properties:
Drive Serial Nubmber: 6B0FA84142C9
EnCase:
Serial Number: 60A44C426697BF812981005E
The answer is they are ALL correct! They just display the serial number in different ways depending on the method used to request the serial number from the device.
WMIC uses a somewhat convoluted method for displaying device serial numbers, and unfortunately as with many things "Microsoft", things change from Windows release to Windows release.
Believe it or not, the serial numbers you identified in your testing are all essentially the same, just displayed in different formats. In the case of your Toshiba 1TB HD, the serial numbers are the same but WMIC displays them in revers order.
The USB devices are a little more difficult to interpret. With the USB devices, WMIC displays the serial number using a digit-swapping (and in some cases HEX encoded) process. See the example of the above example where I have two serial numbers provided:
WMIC: 6B0FA84142C9
iSerialNumber: 60A44C426697BF812981005E
To convert WMIC, first take every odd digit: 6 0 A 4 4 C, then take every even digit B F 8 1 2 9 and append them together odd first followed by even and you get:
60A44C BF8129...look famililar? Unfortunately when WMIC reports the serial number it does truncate portions so the converted WMIC is not exactly the same as the iSerialNumber depending on the length of the original iSerialNumber.
As to some of the Hard Drives listed in your testing table, there is simple HEX encoding going on with WMIC.
On your WD MyPassport the WMIC serial number is WX91A9300467. This is ASCII but the HEX for this is 575839314139333030343637....so EnCase reports the HEX values serial number and FTK (WMIC) reports the ASCII version of the same thing.
So, As you can see...all the forensic tools really do grab the serial number (or at least most of it), which will match the PNPDEVICEID you find in the setup.api.dev.log and in the Windows Registry.
Of all the tools shown above WinHex/X-Ways handles it the most "user-friendly" in that both formats are provided to you.
Hope this helps clarify the discrepancies you identified. You can use the digit-swapping method to decode the USBs in your testing table.
Take care,
Dan
Dan,
ReplyDeleteYou are correct, all the data in your example is legit. The point of my post was, that for forensic analysis we need a serial number which will match the one from Registry, and FTK does not provide it.
Alex
Alexander,
ReplyDeleteI was out searching for an answer to the serial number discrepancy I ran into with FTK Imager and found this thread. Look at the data set you presented and look at the two Toshiba entries. The wmic and usbstor data is backwards of each other, completely reversed. I had ran into this backwards scenario while working a case. I had the physical serial number printed on the drive, but FTK Imager had the serial number listed backwards. Very strange to say the least. Tom
I wanted to make sure my success so I was not ready to trust any helping source without reason. Then I found Pass4sure Amazon dumps and I became confident and happy. At first I was given free demo version which was enough to assure my success. Dumpspass4sure has satisfied me and I suggest to all my friends to use Amazon questions and answers.
ReplyDeleteVery informative post. Exam4Lead.com
ReplyDeleteVery good article! We will be linking to this particularly great post on our website. Keep up the good writing.
ReplyDelete4k Stogram Crack
CloudMounter Crack
WinHex Crack