USB Drive

Do USB drives have unique identifiers that never change, even if the drive is formatted?

Most USB drives have a unique hardware identifier called a serial number that is assigned by the manufacturer and is stored on the device’s firmware. This serial number typically remains unchanged, even if the drive is formatted or the file system on the drive is changed. However, in some cases, the firmware on a USB drive can be reflashed or replaced, which would change the serial number. Additionally, some malicious software can also change the serial number.

Is there some command or utility program that I can use to get this information?

There are several command-line tools and utilities that you can use to retrieve the serial number of a USB drive. The specific tool you should use will depend on the operating system you are using.

On Windows, you can use the “wmic” command to retrieve the serial number of a USB drive. Open the Command Prompt and type the following command:

wmic diskdrive get serialnumber

On MacOS or Linux, you can use the “lsblk” command to list the serial number of your USB drive:

lsblk -o name,serial

You can also use other commands such as dmesg, hdparm, smartctl or diskutil (Mac) as well.

There are also some third-party utilities available that can retrieve the serial number of a USB drive, such as USBDeview, which runs on Windows, and “usb-devices” which runs on Linux.

How do I make a forensic copy of a USB drive?

To make a forensic copy of a USB drive, you typically use a tool that creates an exact, bit-by-bit copy of the drive, including all hidden or deleted files, slack space, and unallocated space. This type of copy is called an “image,” and it can be used to preserve the original data on the drive for examination or analysis.

Here are the general steps for making a forensic image of a USB drive:

  1. Connect the USB drive to the computer that you will use to create the image.
  2. Identify the device name of the USB drive by running the command ‘lsblk’ on Linux, ‘diskutil list’ on MacOS or ‘wmic logicaldisk get name’ on Windows, which shows the device name.
  3. Use a forensic imaging tool to create the image. There are several open-source and commercial tools available for this purpose, such as “dd” (on Linux and MacOS), “FTK Imager” (on Windows), “dc3dd”, “dcfldd” and “safeback”.
  4. Using the device name of the USB drive, create an image of the entire drive, including all hidden and deleted files.
  5. Verify the integrity of the image by calculating the MD5 or SHA-256 hash of the image, then compare it to the original USB drive.
  6. Store the image and the hash value in a secure location for future analysis.

It is also important to note that when creating a forensic image of a USB drive, it is best to use a write-blocker device to prevent any accidental or intentional changes to the original data on the drive.

Keep in mind that creating a forensic image of a USB drive is a complex process, and it is important to follow best practices for forensic data collection and preservation. It is recommended to consult with forensic experts, experts in the field of digital investigations, before undertaking any forensic examination of evidence.

How would I compare two USB drives to make sure that they are completely identical?

To compare two USB drives and confirm that they are identical, you can use a tool that creates a bit-by-bit comparison of the two drives, and generates a hash value for each drive.

Here are the general steps for comparing two USB drives:

  1. Connect both USB drives to the computer that you will use to perform the comparison.
  2. Identify the device name of both USB drives using the same commands as in step 2 of my previous answer.
  3. Use a forensic comparison tool to generate a hash value for each drive. There are several open-source and commercial tools available for this purpose, such as “md5deep” (on Windows, Linux, and MacOS), “hashdeep”, “shasum” (on MacOS and Linux), and “FCIV” (on Windows).
  4. Compare the hash values of both drives. If the hash values are identical, the drives are considered to be identical as well.
  5. Store the hash values and the results of the comparison in a secure location for future reference.

It is also important to note that when comparing USB drives, it is best to use a write-blocker device to prevent any accidental or intentional changes to the original data on the drive.

It is also worth noting that it is important that the comparison is done at the bit level, as any slight variation in files may change the hash value generated by the comparison tool.

It is also important to note that if the drives are not truly identical, the comparison tools will still highlight the differences, including changed, added or missing files.

What is a write-blocker device? What is your recommended write-blocker?

A write-blocker is a device that prevents any data from being written to a storage device, such as a hard drive or a USB drive, while still allowing the device to be read. Write-blockers are used in forensic investigations to ensure the integrity of the original data on a storage device by preventing any accidental or intentional changes to the data.

Write-blockers come in different forms, including hardware write-blockers, software write-blockers, and host-based write-blockers.

Hardware write-blockers are standalone devices that connect between the storage device and the computer and physically prevent writes to the storage device. These devices work independently of the operating system and can be used with any computer. Examples of hardware write-blockers are the Tableau series and the CRU series.

Software write-blockers are programs that run on the computer and prevent writes to the storage device through software configuration. These types of write-blockers are dependent on the operating system and may not work with all types of storage devices or on all operating systems.

Host-based write-blockers are based on specific operating systems and use the host computer’s existing drivers and interfaces to prevent writes to the storage device.

It is hard to recommend a specific write-blocker as the best one, as it depends on the specific needs and requirements of each case. However, as an example, the Tableau series (T9, T35, T7 and T8) is widely used among forensic experts due to its compatibility with a wide variety of devices and its ruggedness. It is also considered to be the industry standard by many.

It is important to research the different types of write-blockers available, and to consult with experts in forensic data collection and preservation before deciding on the best write-blocker for your needs.